From da87a4fca2ebf8ebd627c2305cecb2470d5d6c21 Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Thu, 7 May 2026 16:32:17 +0800
Subject: [PATCH 01/25] fix(7686): username 'false' / 'malformed color: false'
 for legacy settings.json (#7688)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(7686): legacy padOptions.userName/userColor=false breaks pad

Settings.json files generated before December 2021 used `false` as the
default for these two string options (commit 8c857a85a switched the
template default to `null` and noted "this change has no effect due to
a bug in how pad options are processed; that bug will be fixed in a
future commit" — the follow-up never landed). pad.ts:getParams() then
runs `false.toString()`, the resulting string "false" passes the
`!== false` sentinel check at _afterHandshake, and notifyChangeName
ships USERINFO_UPDATE with name="false" and colorId="false" (clobbered
via clientVars.userColor). The server's hex regex rejects the colour
and throws `malformed color: false`; the user sees their name as
"false" and a white swatch.

Defense in depth:
- Server: Settings.ts::reloadSettings() coerces legacy boolean false
  to null for padOptions.userName / padOptions.userColor and warns the
  operator, matching the existing disableIPlogging shim pattern.
- Client: the pad.ts userName / userColor callbacks reject the
  literal "false" string so URL params (?userName=false) and any
  other path that surfaces the sentinel as a string are also no-ops.
- Backend regression test mirrors the shim and asserts it normalizes
  legacy false, leaves explicit values intact, leaves null untouched,
  does not coerce other padOptions keys, and does not coerce the
  string "false" (that path is the client guard's responsibility).

Closes #7686

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7686): guard padOptions shim against non-object config (Qodo)

Qodo flagged that storeSettings() will overwrite settings.padOptions
raw with whatever settings.json supplies — including null, primitives,
or arrays — which would make the new userName/userColor shim crash on
property access. Add a shape guard so the shim is a no-op for malformed
padOptions, and extend the regression test to cover null / primitive /
array shapes.

This doesn't change which configs work (Pad.ts also assumes padOptions
is an object and would already crash on a null padOptions when a pad
is opened) but it stops the shim from being the loud thing in the
stack trace if someone hits it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 src/node/utils/Settings.ts                    | 24 +++++
 src/static/js/pad.ts                          |  9 ++
 .../backend/specs/padOptionsLegacyDefaults.ts | 98 +++++++++++++++++++
 3 files changed, 131 insertions(+)
 create mode 100644 src/tests/backend/specs/padOptionsLegacyDefaults.ts

diff --git a/src/node/utils/Settings.ts b/src/node/utils/Settings.ts
index 71bb4dd1e7d..54840f03a7a 100644
--- a/src/node/utils/Settings.ts
+++ b/src/node/utils/Settings.ts
@@ -1087,6 +1087,30 @@ export const reloadSettings = () => {
       settings.privacyBanner.dismissal = 'dismissible';
     }
 
+    // Settings.json files generated before December 2021 used `false` as the
+    // default for these string options. The client treats the boolean `false`
+    // as a sentinel meaning "no enforced value", but the dispatch in
+    // pad.ts:getParams() coerces the boolean to the string "false" before
+    // applying it, which then propagates as the user's name and color and
+    // triggers `malformed color: false` on the server (#7686). Normalize
+    // legacy booleans to null at the boundary so downstream code sees the
+    // expected sentinel. Guard against a malformed padOptions (null, array,
+    // primitive) — storeSettings() will overwrite it raw if settings.json
+    // declares it as anything other than a plain object.
+    if (settings.padOptions != null
+        && typeof settings.padOptions === 'object'
+        && !Array.isArray(settings.padOptions)) {
+      for (const key of ['userName', 'userColor'] as const) {
+        if ((settings.padOptions as any)[key] === false) {
+          logger.warn(
+              `padOptions.${key}=false is a legacy default (pre-2021) and is ` +
+              `now treated as null. Update settings.json to use null instead ` +
+              `to silence this warning.`);
+          (settings.padOptions as any)[key] = null;
+        }
+      }
+    }
+
     // Init logging config
     settings.logconfig = defaultLogConfig(
       settings.loglevel ? settings.loglevel : defaultLogLevel,
diff --git a/src/static/js/pad.ts b/src/static/js/pad.ts
index 72364c26149..12406197ecf 100644
--- a/src/static/js/pad.ts
+++ b/src/static/js/pad.ts
@@ -136,6 +136,14 @@ const getParameters = [
     name: 'userName',
     checkVal: null,
     callback: (val) => {
+      // The default for globalUserName/globalUserColor is the boolean `false`
+      // (sentinel meaning "no enforced value"). Older settings.json files used
+      // boolean `false` for these options too, which getParams() coerces to
+      // the string "false" — that fooled the !== false sentinel checks at
+      // _afterHandshake and shipped the literal string "false" as the user's
+      // name and color (#7686). Reject the sentinel string here so URL
+      // parameters like ?userName=false also no-op.
+      if (!val || val === 'false') return;
       settings.globalUserName = val;
       clientVars.userName = val;
     },
@@ -144,6 +152,7 @@ const getParameters = [
     name: 'userColor',
     checkVal: null,
     callback: (val) => {
+      if (!val || val === 'false') return;
       settings.globalUserColor = val;
       clientVars.userColor = val;
     },
diff --git a/src/tests/backend/specs/padOptionsLegacyDefaults.ts b/src/tests/backend/specs/padOptionsLegacyDefaults.ts
new file mode 100644
index 00000000000..73d0a08d588
--- /dev/null
+++ b/src/tests/backend/specs/padOptionsLegacyDefaults.ts
@@ -0,0 +1,98 @@
+'use strict';
+
+import {strict as assert} from 'assert';
+
+describe(__filename, function () {
+  // Replicates the shim block from Settings.ts::reloadSettings so we can
+  // assert the mapping without rebooting the whole server in this spec.
+  // Keep this in lockstep with the production block — if you change the
+  // shim there, change it here too.
+  const applyShim = (padOptions: any) => {
+    if (padOptions != null && typeof padOptions === 'object' && !Array.isArray(padOptions)) {
+      for (const key of ['userName', 'userColor']) {
+        if (padOptions[key] === false) padOptions[key] = null;
+      }
+    }
+    return padOptions;
+  };
+
+  describe('legacy padOptions.userName/userColor=false → null shim', function () {
+    it('coerces userName=false to null', function () {
+      const out = applyShim({userName: false});
+      assert.strictEqual(out.userName, null);
+    });
+
+    it('coerces userColor=false to null', function () {
+      const out = applyShim({userColor: false});
+      assert.strictEqual(out.userColor, null);
+    });
+
+    it('coerces both legacy defaults in one pass', function () {
+      const out = applyShim({userName: false, userColor: false});
+      assert.strictEqual(out.userName, null);
+      assert.strictEqual(out.userColor, null);
+    });
+
+    it('leaves an explicit string userName intact', function () {
+      const out = applyShim({userName: 'Etherpad User'});
+      assert.strictEqual(out.userName, 'Etherpad User');
+    });
+
+    it('leaves an explicit hex userColor intact', function () {
+      const out = applyShim({userColor: '#ff9900'});
+      assert.strictEqual(out.userColor, '#ff9900');
+    });
+
+    it('leaves null values untouched', function () {
+      const out = applyShim({userName: null, userColor: null});
+      assert.strictEqual(out.userName, null);
+      assert.strictEqual(out.userColor, null);
+    });
+
+    it('does not affect other padOptions keys that legitimately use false', function () {
+      // showChat:false, rtl:false, etc. are real, meaningful values — only
+      // the two string options carry the legacy boolean sentinel.
+      const out = applyShim({
+        userName: false,
+        userColor: false,
+        showChat: false,
+        rtl: false,
+        useMonospaceFont: false,
+      });
+      assert.strictEqual(out.userName, null);
+      assert.strictEqual(out.userColor, null);
+      assert.strictEqual(out.showChat, false);
+      assert.strictEqual(out.rtl, false);
+      assert.strictEqual(out.useMonospaceFont, false);
+    });
+
+    it('does not coerce the string "false" — that is handled in the client guard', function () {
+      // The server-side shim only normalizes the boolean sentinel from
+      // legacy settings.json. URL-supplied or stringified "false" is
+      // rejected by pad.ts::getParameters.userName/userColor callbacks.
+      const out = applyShim({userName: 'false', userColor: 'false'});
+      assert.strictEqual(out.userName, 'false');
+      assert.strictEqual(out.userColor, 'false');
+    });
+
+    it('skips the shim if padOptions is null', function () {
+      // storeSettings() overwrites settings.padOptions raw if settings.json
+      // declares it as a non-object — the shim must not throw on that.
+      assert.doesNotThrow(() => applyShim(null));
+      assert.strictEqual(applyShim(null), null);
+    });
+
+    it('skips the shim if padOptions is a primitive', function () {
+      assert.doesNotThrow(() => applyShim(false));
+      assert.doesNotThrow(() => applyShim('not an object'));
+      assert.doesNotThrow(() => applyShim(42));
+    });
+
+    it('skips the shim if padOptions is an array', function () {
+      const arr: any = [false, false];
+      assert.doesNotThrow(() => applyShim(arr));
+      // Arrays pass through untouched — index 0/1 (numeric) are not coerced.
+      assert.deepEqual(applyShim(arr), [false, false]);
+    });
+  });
+});

From b751fd7b9e705c5d94592718d121f80e8db20b15 Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Thu, 7 May 2026 17:01:04 +0800
Subject: [PATCH 02/25] feat(settings): enable Pad-wide Settings by default;
 fix misleading modal title (#7679)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat(settings): enable Pad-wide Settings by default; fix misleading modal title

The creator-owned Pad-wide Settings feature (#7545) shipped behind a flag that
defaulted to false. With the flag off the modal still rendered an H1 of
`pad.settings.padSettings` ("Pad-wide Settings") for *every* user, even though
no pad-wide controls were ever shown. Two readers in different browsers both
saw "Pad-wide Settings" as the modal title, which looked like a creator-gate
regression but was just a copy bug.

Two changes:

1. Flip the default of `enablePadWideSettings` to `true` (Settings.ts plus
   both settings templates). With the feature on, the creator (revision-0
   author) gets a real "Pad-wide Settings" section gated by
   `clientVars.canEditPadSettings`, while every other user sees only "User
   Settings" — matching the design intent of #7545. This is a behavior change,
   so the settings comments are expanded to describe what the toggle now does.

2. Drop the conditional H1 in `src/templates/pad.html` and always use
   `pad.settings.title` ("Settings"). Operators who explicitly disable the
   feature shouldn't see a label that lies about a section that isn't
   rendered.

Adds backend regression coverage in `tests/backend/specs/socketio.ts`:
- Different browsers (different cookie jars => different authorIDs): only the
  first joiner gets `canEditPadSettings: true`.
- Same browser, two tabs (shared HttpOnly token cookie => same authorID):
  both connections are the same identity, both correctly land on the creator
  path.

* test(settings): regression coverage for the settings modal H1

Asserts the rendered `/p/<id>` HTML always uses
`data-l10n-id="pad.settings.title"` for the modal heading, regardless of
`enablePadWideSettings`. Catches a re-introduction of the old conditional
that printed "Pad-wide Settings" for every user when the feature was off.

Action of Qodo review feedback on PR #7679.
---
 settings.json.docker                          |  7 ++-
 settings.json.template                        |  7 ++-
 src/node/utils/Settings.ts                    |  2 +-
 src/templates/pad.html                        |  4 --
 .../backend/specs/settingsModalHeading.ts     | 45 ++++++++++++++
 src/tests/backend/specs/socketio.ts           | 62 ++++++++++++++++++-
 6 files changed, 117 insertions(+), 10 deletions(-)
 create mode 100644 src/tests/backend/specs/settingsModalHeading.ts

diff --git a/settings.json.docker b/settings.json.docker
index 8755d99e3a9..d640536a817 100644
--- a/settings.json.docker
+++ b/settings.json.docker
@@ -247,9 +247,12 @@
 
   /**
   * Enable creator-owned Pad-wide Settings and new-pad default seeding from My View.
-  * Disabled by default to preserve the legacy single-settings behavior.
+  * The pad creator (revision-0 author) gets the "Pad-wide Settings" section,
+  * which lets them set defaults and optionally enforce them for other users.
+  * Other users see only "User Settings" (their own view options).
+  * Set to false to revert to the legacy single-settings behavior.
   **/
-  "enablePadWideSettings": "${ENABLE_PAD_WIDE_SETTINGS:false}",
+  "enablePadWideSettings": "${ENABLE_PAD_WIDE_SETTINGS:true}",
 
   /*
    * Optional privacy banner. See settings.json.template for full field docs.
diff --git a/settings.json.template b/settings.json.template
index 209b1721f39..61be12fbf73 100644
--- a/settings.json.template
+++ b/settings.json.template
@@ -733,9 +733,12 @@
 
     /**
     * Enable creator-owned Pad-wide Settings and new-pad default seeding from My View.
-    * Disabled by default to preserve the legacy single-settings behavior.
+    * The pad creator (revision-0 author) gets the "Pad-wide Settings" section,
+    * which lets them set defaults and optionally enforce them for other users.
+    * Other users see only "User Settings" (their own view options).
+    * Set to false to revert to the legacy single-settings behavior.
     **/
-    "enablePadWideSettings": "${ENABLE_PAD_WIDE_SETTINGS:false}",
+    "enablePadWideSettings": "${ENABLE_PAD_WIDE_SETTINGS:true}",
 
   /*
    * Optional privacy banner shown once the pad loads. Disabled by default.
diff --git a/src/node/utils/Settings.ts b/src/node/utils/Settings.ts
index 54840f03a7a..68f51da1fc6 100644
--- a/src/node/utils/Settings.ts
+++ b/src/node/utils/Settings.ts
@@ -369,7 +369,7 @@ const settings: SettingsType = {
   },
   updateServer: "https://static.etherpad.org",
   enableDarkMode: true,
-  enablePadWideSettings: false,
+  enablePadWideSettings: true,
   allowPadDeletionByAllUsers: false,
   privacyBanner: {
     enabled: false,
diff --git a/src/templates/pad.html b/src/templates/pad.html
index ecac35ad607..5212b004606 100644
--- a/src/templates/pad.html
+++ b/src/templates/pad.html
@@ -127,11 +127,7 @@
       <!------------------------------------------------------------->
 
       <div id="settings" class="popup" role="dialog" aria-modal="true" aria-labelledby="settings-title"><div class="popup-content">
-          <% if (settings.enablePadWideSettings) { %>
           <h1 id="settings-title" data-l10n-id="pad.settings.title">Settings</h1>
-          <% } else { %>
-          <h1 id="settings-title" data-l10n-id="pad.settings.padSettings">Pad Settings</h1>
-          <% } %>
           <div class="settings-sections">
             <div id="user-settings-section" class="settings-section">
             <% e.begin_block("mySettings"); %>
diff --git a/src/tests/backend/specs/settingsModalHeading.ts b/src/tests/backend/specs/settingsModalHeading.ts
new file mode 100644
index 00000000000..23aaa430689
--- /dev/null
+++ b/src/tests/backend/specs/settingsModalHeading.ts
@@ -0,0 +1,45 @@
+'use strict';
+
+import {MapArrayType} from '../../../node/types/MapType';
+import settings from '../../../node/utils/Settings';
+
+const assert = require('assert').strict;
+const common = require('../common');
+
+// Regression coverage for the settings modal title. With
+// `enablePadWideSettings: false` the template used to render
+// `data-l10n-id="pad.settings.padSettings"` ("Pad-wide Settings") for every
+// user, even though no pad-wide controls were rendered in that mode. The fix
+// removes the conditional and always uses `pad.settings.title` ("Settings").
+describe(__filename, function () {
+  this.timeout(30000);
+  let agent: any;
+  const backup: MapArrayType<any> = {};
+
+  before(async function () { agent = await common.init(); });
+
+  beforeEach(async function () {
+    backup.enablePadWideSettings = settings.enablePadWideSettings;
+  });
+
+  afterEach(async function () {
+    settings.enablePadWideSettings = backup.enablePadWideSettings;
+  });
+
+  const titleH1 = (html: string): string | null => {
+    const m = html.match(/<h1\s+id="settings-title"[^>]*data-l10n-id="([^"]+)"/);
+    return m ? m[1] : null;
+  };
+
+  it('uses pad.settings.title with the feature enabled', async function () {
+    settings.enablePadWideSettings = true;
+    const res = await agent.get('/p/headingTest').expect(200);
+    assert.equal(titleH1(res.text), 'pad.settings.title');
+  });
+
+  it('uses pad.settings.title with the feature disabled (no misleading "Pad-wide" label)', async function () {
+    settings.enablePadWideSettings = false;
+    const res = await agent.get('/p/headingTest').expect(200);
+    assert.equal(titleH1(res.text), 'pad.settings.title');
+  });
+});
diff --git a/src/tests/backend/specs/socketio.ts b/src/tests/backend/specs/socketio.ts
index fa7a7dd2723..43da20b15e2 100644
--- a/src/tests/backend/specs/socketio.ts
+++ b/src/tests/backend/specs/socketio.ts
@@ -34,7 +34,7 @@ describe(__filename, function () {
       plugins.hooks[hookName] = [];
     }
     backups.settings = {};
-    for (const setting of ['editOnly', 'requireAuthentication', 'requireAuthorization', 'users']) {
+    for (const setting of ['editOnly', 'requireAuthentication', 'requireAuthorization', 'users', 'enablePadWideSettings']) {
       // @ts-ignore
       backups.settings[setting] = settings[setting];
     }
@@ -432,6 +432,66 @@ describe(__filename, function () {
     });
   });
 
+  describe('Pad-wide settings creator gate', function () {
+    let socketA: any;
+    let socketB: any;
+
+    const removeIfExists = async (padId: string) => {
+      if (await padManager.doesPadExist(padId)) {
+        const p = await padManager.getPad(padId);
+        await p.remove();
+      }
+    };
+
+    beforeEach(async function () {
+      // @ts-ignore - test toggles a public setting
+      settings.enablePadWideSettings = true;
+      await removeIfExists('foo');
+    });
+
+    afterEach(async function () {
+      for (const s of [socketA, socketB]) if (s) s.close();
+      socketA = null;
+      socketB = null;
+      socket = null;
+      await removeIfExists('foo');
+    });
+
+    it('different browsers (separate cookie jars): only the creator gets canEditPadSettings', async function () {
+      const supertest = require('supertest');
+      const browserA = supertest(common.baseUrl);
+      const browserB = supertest(common.baseUrl);
+
+      const resA = await browserA.get('/p/foo').expect(200);
+      socketA = await common.connect(resA);
+      const cvA = await common.handshake(socketA, 'foo');
+      assert.equal(cvA.data.canEditPadSettings, true,
+          'first joiner (creator) should see Pad-wide Settings');
+
+      const resB = await browserB.get('/p/foo').expect(200);
+      socketB = await common.connect(resB);
+      const cvB = await common.handshake(socketB, 'foo');
+      assert.equal(cvB.data.canEditPadSettings, false,
+          'non-creator joiner must NOT see Pad-wide Settings');
+    });
+
+    it('same browser two tabs (shared cookie jar): BOTH get canEditPadSettings=true', async function () {
+      // Reusing the same response (and its set-cookie header) for both
+      // connects is the backend equivalent of two browser tabs sharing the
+      // same HttpOnly token cookie — same authorID, same creator.
+      const res = await agent.get('/p/foo').expect(200);
+
+      socketA = await common.connect(res);
+      const cvA = await common.handshake(socketA, 'foo');
+      assert.equal(cvA.data.canEditPadSettings, true);
+
+      socketB = await common.connect(res);
+      const cvB = await common.handshake(socketB, 'foo');
+      assert.equal(cvB.data.canEditPadSettings, true,
+          'same author across tabs is one identity, both are the creator');
+    });
+  });
+
   describe('SocketIORouter.js', function () {
     const Module = class {
       setSocketIO(io:any) {}

From fe9727b31e92640647441cde5af38f10dad902ea Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Thu, 7 May 2026 17:09:27 +0800
Subject: [PATCH 03/25] fix(docker): share corepack cache so etherpad user can
 resolve pnpm (#7689)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(docker): share corepack cache so etherpad user can resolve pnpm (#7687)

PR #7674 switched the Dockerfile from `npm install -g pnpm` to corepack
and `corepack prepare pnpm@${PnpmVersion} --activate`. The activate step
runs as root and writes its lastKnownGood pin into `$COREPACK_HOME`,
which defaults to `~/.cache/node/corepack` — i.e. a per-user path. The
Dockerfile then drops to `USER etherpad` and later runs
`bin/installLocalPlugins.sh`, which invokes `pnpm` as etherpad. With an
empty per-user corepack cache and no shared activation file, corepack
re-resolves pnpm and (for forks/configs without a `packageManager` pin
matching the activated version) can fall back to "latest" from the
registry — pulling `pnpm@10.33.4` instead of the requested 11.x and
failing the workspace's `engines.pnpm` check.

Pin `COREPACK_HOME=/opt/corepack` and chown it to etherpad after the
prepare step. Both root and etherpad now share the same lastKnownGood
file and tarball cache, so etherpad inherits the activated pnpm without
hitting the registry again.

Verified end-to-end:

- `docker build --target development --build-arg ETHERPAD_LOCAL_PLUGINS=ep_test`
  with a stub local plugin runs `installLocalPlugins.sh` cleanly:
  `Done in 16.6s using pnpm v11.0.6`.
- `docker run ... pnpm --version` as etherpad reports 11.0.6 from the
  shared cache — no "Unsupported environment" error.

Note: corepack still emits a one-time "about to download" line at
runtime because `corepack prepare pnpm@11.0.6` resolves to the highest
matching patch (11.0.8) at build time while the project's
`packageManager` field pins exactly 11.0.6. That's a follow-up — the
download succeeds non-interactively and the engine check passes.

Fixes #7687.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(docker): action Qodo PR review (#7687 follow-up)

- Replace hard-coded /opt/corepack with ${COREPACK_HOME} in mkdir/chown
  so the env var stays the single source of truth (Qodo: "COREPACK_HOME
  path duplication").

- Add a build-test-local-plugin job to .github/workflows/docker.yml that
  builds the development target with a stub ETHERPAD_LOCAL_PLUGINS so
  the original failure mode (corepack/pnpm cache invisible across the
  USER switch) cannot silently regress (Qodo: "COREPACK_HOME fix lacks
  test"). The job is small — `docker build` only, no run — and uses the
  shared GHA buildx cache.

Verified: same docker build + `docker run pnpm --version` flow on the
variable form gives identical output (pnpm 11.0.6 from the etherpad-owned
cache).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/docker.yml | 45 ++++++++++++++++++++++++++++++++++++
 Dockerfile                   | 11 ++++++++-
 2 files changed, 55 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 2d84cafd098..10fd325c67b 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -81,6 +81,51 @@ jobs:
           (cd src && pnpm run test-container)
           git clean -dxf .
 
+  build-test-local-plugin:
+    # Regression coverage for #7687: the Docker image's
+    # `bin/installLocalPlugins.sh` step runs as the `etherpad` user and
+    # invokes pnpm via the corepack shim. A previous corepack/cache bug
+    # made that path fail when ETHERPAD_LOCAL_PLUGINS was set. This job
+    # builds the development target with a stub local plugin so the
+    # regression cannot silently come back.
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      -
+        name: Check out
+        uses: actions/checkout@v6
+        with:
+          path: etherpad
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v4
+      -
+        name: Stub a local plugin
+        run: |
+          mkdir -p etherpad/local_plugins/ep_test_corepack
+          cat > etherpad/local_plugins/ep_test_corepack/package.json <<'EOF'
+          {
+            "name": "ep_test_corepack",
+            "version": "0.0.1",
+            "description": "regression-test stub for ether/etherpad#7687",
+            "main": "index.js"
+          }
+          EOF
+          cat > etherpad/local_plugins/ep_test_corepack/index.js <<'EOF'
+          exports.placeholder = true;
+          EOF
+      -
+        name: Build with ETHERPAD_LOCAL_PLUGINS (must succeed)
+        uses: docker/build-push-action@v7
+        with:
+          context: ./etherpad
+          target: development
+          load: false
+          build-args: |
+            ETHERPAD_LOCAL_PLUGINS=ep_test_corepack
+          cache-from: type=gha
+
   build-test-db-drivers:
     # Spinning up MySQL + Postgres + cross-driver smoke is expensive; only
     # run it on pushes to develop (and tagged release pushes), not on every
diff --git a/Dockerfile b/Dockerfile
index 0fee2f12e1e..d53107b415c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -99,12 +99,21 @@ RUN groupadd --system ${EP_GID:+--gid "${EP_GID}" --non-unique} etherpad && \
 ARG EP_DIR=/opt/etherpad-lite
 RUN mkdir -p "${EP_DIR}" && chown etherpad:etherpad "${EP_DIR}"
 
+# Share corepack's cache between root (which activates pnpm here) and
+# the `etherpad` user (which invokes pnpm later via the corepack shim).
+# $COREPACK_HOME defaults to ~/.cache/node/corepack and is per-user;
+# without this pin the etherpad user finds an empty cache, re-resolves
+# pnpm, and corepack can fall back to "latest" from the registry. See
+# https://github.com/ether/etherpad/issues/7687.
+ENV COREPACK_HOME=/opt/corepack
+
 # the mkdir is needed for configuration of openjdk-11-jre-headless, see
 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863199
 RUN  \
-    mkdir -p /usr/share/man/man1 && \
+    mkdir -p /usr/share/man/man1 "${COREPACK_HOME}" && \
     npm install -g corepack@latest && \
     corepack enable && corepack prepare pnpm@${PnpmVersion} --activate && \
+    chown -R etherpad:etherpad "${COREPACK_HOME}" && \
     rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx && \
     apk update && apk upgrade && \
     apk add --no-cache \

From ab0cff4d951f93d893eda253f07225fa95e187d3 Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Thu, 7 May 2026 17:43:29 +0800
Subject: [PATCH 04/25] fix(7606): sync theme-color meta with client-side
 dark-mode switch (#7690)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(7606): sync theme-color meta with client-side dark-mode switch

PR #7636 emits <meta name="theme-color"> server-side from
settings.skinVariants. That covers operators who hard-code a dark
toolbar in settings.json, but not the runtime path: pad.ts auto-flips
the toolbar to super-dark when enableDarkMode is on, the browser
reports prefers-color-scheme: dark, and no localStorage white-mode
override is set, plus the user can flip it via #options-darkmode.
Both paths run skinVariants.updateSkinVariantsClasses(), which until
now never touched the meta — so dark-mode users kept the light
#ffffff baseline and saw a white address bar above a dark toolbar
(stffen on #7606 after 2.7.3).

Push the toolbar-color lookup into updateSkinVariantsClasses so the
meta tracks every class change: the auto-switch on init, the user
toggle, and the skinVariants builder. Mirrors the CSS-source-order
table from src/node/utils/SkinColors.ts (last matching *-toolbar
token wins). When no meta is present (non-colibris skin, server
omits it) the helper is a no-op.

Adds Playwright coverage for both paths under
colorScheme: 'light' (manual toggle) and 'dark' (auto-switch on
dark-OS clients — the case stffen reported).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(theme-color): action Qodo PR review

(1) Bug — duplicated toolbar→color table: extract the CSS-source-order
mapping and the default-color constant into src/static/js/skin_toolbar_colors,
re-imported by both src/node/utils/SkinColors.ts (server, EJS template
helper) and src/static/js/skin_variants.ts (client, runtime updates). Lives
under static/js so the browser bundle can resolve it; server-side imports
of static/js modules already exist (Changeset, AttributeMap, ImportHtml,
hooks). One source of truth means a future palette change can no longer
silently desync the server-rendered baseline meta from the client updates,
which was the exact regression that brought us here.

(2) Rule violation — 4-space continuation indentation in the new
Playwright spec: re-indent the themeColor helper and the multiline
test(...) call to the repo's 2-space rule (.editorconfig).

Existing backend coverage (configuredToolbarColor unit tests + the
specialpages server-render checks for both pad and timeslider) still
passes against the refactored helper, so it's regression-locked end to
end.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 src/node/utils/SkinColors.ts                  | 30 +++----------
 src/static/js/skin_toolbar_colors.ts          | 31 ++++++++++++++
 src/static/js/skin_variants.ts                | 20 +++++++++
 .../specs/theme_color_dark_mode.spec.ts       | 42 +++++++++++++++++++
 4 files changed, 99 insertions(+), 24 deletions(-)
 create mode 100644 src/static/js/skin_toolbar_colors.ts
 create mode 100644 src/tests/frontend-new/specs/theme_color_dark_mode.spec.ts

diff --git a/src/node/utils/SkinColors.ts b/src/node/utils/SkinColors.ts
index c599b4c3816..74b9bedbcfe 100644
--- a/src/node/utils/SkinColors.ts
+++ b/src/node/utils/SkinColors.ts
@@ -1,34 +1,16 @@
 'use strict';
 
-// Toolbar background colors that the colibris skin variants resolve to.
-// Mirrors --bg-color in src/static/skins/colibris/src/pad-variants.css. Only
-// the colibris skin has a known mapping; for any other skin we cannot derive
-// the toolbar color server-side and emit no theme-color meta.
-//
-// Order matters: when skinVariants contains multiple *-toolbar tokens the
-// CSS cascade picks the rule defined last in pad-variants.css, so iterate in
-// source order and let the last matching token win.
-const TOOLBAR_COLORS_IN_CSS_ORDER: Array<[string, string]> = [
-  ['super-light-toolbar', '#ffffff'],
-  ['light-toolbar', '#f2f3f4'],
-  ['super-dark-toolbar', '#485365'],
-  ['dark-toolbar', '#576273'],
-];
-
-const COLIBRIS_DEFAULT_TOOLBAR_COLOR = '#ffffff';
+import {toolbarColorForTokens} from '../../static/js/skin_toolbar_colors';
 
 // The toolbar color the user actually sees on first paint, derived from the
-// configured skin and skinVariants. Returns null when the skin is unknown so
-// callers can omit the meta rather than emit a misleading value.
+// configured skin and skinVariants. Only the colibris skin has a known
+// mapping (see src/static/js/skin_toolbar_colors). For any other skin we
+// cannot derive the toolbar color server-side and return null so callers can
+// omit the meta rather than emit a misleading value.
 export const configuredToolbarColor = (
   skinName: string | undefined | null,
   skinVariants: string | undefined | null,
 ): string | null => {
   if (skinName !== 'colibris') return null;
-  const tokens = new Set((skinVariants || '').split(/\s+/).filter(Boolean));
-  let color: string | null = null;
-  for (const [variant, c] of TOOLBAR_COLORS_IN_CSS_ORDER) {
-    if (tokens.has(variant)) color = c;
-  }
-  return color || COLIBRIS_DEFAULT_TOOLBAR_COLOR;
+  return toolbarColorForTokens((skinVariants || '').split(/\s+/).filter(Boolean));
 };
diff --git a/src/static/js/skin_toolbar_colors.ts b/src/static/js/skin_toolbar_colors.ts
new file mode 100644
index 00000000000..793b6f4b3de
--- /dev/null
+++ b/src/static/js/skin_toolbar_colors.ts
@@ -0,0 +1,31 @@
+'use strict';
+
+// Toolbar background colors that the colibris skin variants resolve to.
+// Mirrors --bg-color in src/static/skins/colibris/src/pad-variants.css. Lives
+// here (under static/js/) so both the browser bundle (skin_variants.ts) and
+// the server-side EJS helper (node/utils/SkinColors.ts) can import it without
+// duplication — a drift between client and server tables would silently
+// reintroduce the "address bar disagrees with toolbar" bug.
+//
+// Order matters: when skinVariants contains multiple *-toolbar tokens the
+// CSS cascade picks the rule defined last in pad-variants.css, so iterate in
+// source order and let the last matching token win.
+export const TOOLBAR_COLORS_IN_CSS_ORDER: ReadonlyArray<readonly [string, string]> = [
+  ['super-light-toolbar', '#ffffff'],
+  ['light-toolbar', '#f2f3f4'],
+  ['super-dark-toolbar', '#485365'],
+  ['dark-toolbar', '#576273'],
+];
+
+export const COLIBRIS_DEFAULT_TOOLBAR_COLOR = '#ffffff';
+
+// Resolve the toolbar color for a set of skin-variant tokens. Pure data: no
+// DOM, no Node APIs — safe to call from both server and client.
+export const toolbarColorForTokens = (tokens: Iterable<string>): string => {
+  const set = new Set(tokens);
+  let color = COLIBRIS_DEFAULT_TOOLBAR_COLOR;
+  for (const [variant, c] of TOOLBAR_COLORS_IN_CSS_ORDER) {
+    if (set.has(variant)) color = c;
+  }
+  return color;
+};
diff --git a/src/static/js/skin_variants.ts b/src/static/js/skin_variants.ts
index a10074384a8..99d6af3b6ec 100644
--- a/src/static/js/skin_variants.ts
+++ b/src/static/js/skin_variants.ts
@@ -1,9 +1,27 @@
 // @ts-nocheck
 'use strict';
 
+import {toolbarColorForTokens} from './skin_toolbar_colors';
+
 const containers = ['editor', 'background', 'toolbar'];
 const colors = ['super-light', 'light', 'dark', 'super-dark'];
 
+// Keep <meta name="theme-color"> in sync with the toolbar the user actually
+// sees. The server emits a baseline derived from settings.skinVariants, but
+// pad.ts may flip the toolbar to super-dark on first paint (enableDarkMode
+// + prefers-color-scheme:dark + no localStorage white-mode override) and
+// the user can toggle via #options-darkmode. Without this, dark-mode users
+// keep the light meta and see a white address bar above a dark toolbar
+// (issue #7606 follow-up). Color resolution lives in skin_toolbar_colors so
+// the server-rendered baseline and the client updates share one source of
+// truth — Qodo flagged the prior duplicated table as a drift hazard.
+const updateThemeColorMeta = (newClasses: string[]) => {
+  const meta = document.querySelector('meta[name="theme-color"]');
+  if (!meta) return;
+  meta.setAttribute('content',
+      toolbarColorForTokens(newClasses.join(' ').split(/\s+/).filter(Boolean)));
+};
+
 // add corresponding classes when config change
 const updateSkinVariantsClasses = (newClasses) => {
   const domsToUpdate = [
@@ -21,6 +39,8 @@ const updateSkinVariantsClasses = (newClasses) => {
   domsToUpdate.forEach((el) => { el.removeClass('full-width-editor'); });
 
   domsToUpdate.forEach((el) => { el.addClass(newClasses.join(' ')); });
+
+  updateThemeColorMeta(newClasses);
 };
 
 
diff --git a/src/tests/frontend-new/specs/theme_color_dark_mode.spec.ts b/src/tests/frontend-new/specs/theme_color_dark_mode.spec.ts
new file mode 100644
index 00000000000..0393b913bde
--- /dev/null
+++ b/src/tests/frontend-new/specs/theme_color_dark_mode.spec.ts
@@ -0,0 +1,42 @@
+import {expect, test, Page} from '@playwright/test';
+import {goToNewPad} from '../helper/padHelper';
+
+const themeColor = (page: Page) =>
+  page.locator('meta[name="theme-color"]').getAttribute('content');
+
+test.describe('light color scheme', () => {
+  test.use({colorScheme: 'light'});
+
+  test('theme-color meta tracks the dark-mode toggle', async ({page}) => {
+    await goToNewPad(page);
+    // Server emits the light baseline derived from settings.skinVariants.
+    expect(await themeColor(page)).toBe('#ffffff');
+
+    await page.locator('button[data-l10n-id="pad.toolbar.settings.title"]').click();
+    await expect(page.locator('#theme-toggle-row')).toBeVisible();
+
+    // Colibris styles the native checkbox via a sibling label; click the label
+    // so the toggle fires the real change event the production code listens on.
+    await page.locator('label[for="options-darkmode"]').click();
+    // pad.ts forces super-dark-toolbar (#485365) regardless of the configured
+    // light skinVariants, so the meta must follow the client-applied class.
+    await expect.poll(() => themeColor(page)).toBe('#485365');
+
+    await page.locator('label[for="options-darkmode"]').click();
+    await expect.poll(() => themeColor(page)).toBe('#ffffff');
+  });
+});
+
+test.describe('dark color scheme', () => {
+  test.use({colorScheme: 'dark'});
+
+  test('theme-color meta follows the auto dark-mode switch on dark-OS clients',
+    async ({page}) => {
+      await goToNewPad(page);
+      // pad.ts auto-switches to super-dark-toolbar when enableDarkMode is on,
+      // matchMedia(prefers-color-scheme:dark) matches, and no localStorage
+      // white-mode override is set. The meta must follow the applied class —
+      // this is the case stffen reported on issue #7606.
+      await expect.poll(() => themeColor(page)).toBe('#485365');
+    });
+});

From 90aafb115e43562a5b2b7eaa1077600928565e60 Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Thu, 7 May 2026 18:12:23 +0800
Subject: [PATCH 05/25] feat(socialMeta): settings.socialMeta.description
 override (#7599 follow-up) (#7691)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Issue #7599 follow-up from @stffen: the OG description has no obvious
settings.json knob and the i18n catalog default is English, but most
preview crawlers (WhatsApp, Signal, Slack, Telegram, Facebook) don't
send Accept-Language and so always hit the English fallback regardless
of how many locale files translate `pad.social.description`.

Keep the i18n catalog as the default source — translatable strings
belong in locale files, per the original Qodo review on PR #7635 — but
add an explicit `socialMeta.description` setting that wins when set as
a non-empty string, regardless of negotiated language. This is the
lever that fixes the crawler case for non-English instances without
re-introducing per-language config in settings.json (operators who
want that still use customLocaleStrings).

- Empty/whitespace overrides are treated as unset (would otherwise
  silently blank the preview).
- Override is HTML-escaped via the same path as every other value.
- og:locale stays language-negotiated; only the description is forced.
- Documented next to publicURL in settings.json.template and
  settings.json.docker (env var SOCIAL_META_DESCRIPTION). The
  customLocaleStrings example now spells out pad.social.description so
  operators discover both routes.

5 new unit specs + 4 new integration specs cover override-wins,
null/missing fallback, blank-treated-as-unset, and HTML-escaping.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 ...0-issue-7599-open-graph-metadata-design.md | 35 ++++++++
 settings.json.docker                          | 13 +++
 settings.json.template                        | 34 +++++++-
 src/node/utils/Settings.ts                    | 21 +++++
 src/node/utils/socialMeta.ts                  | 29 ++++++-
 src/tests/backend/specs/socialMeta-unit.ts    | 83 +++++++++++++++++++
 src/tests/backend/specs/socialMeta.ts         | 45 ++++++++++
 7 files changed, 256 insertions(+), 4 deletions(-)

diff --git a/docs/superpowers/specs/2026-04-30-issue-7599-open-graph-metadata-design.md b/docs/superpowers/specs/2026-04-30-issue-7599-open-graph-metadata-design.md
index ba025584397..7f1d9771f50 100644
--- a/docs/superpowers/specs/2026-04-30-issue-7599-open-graph-metadata-design.md
+++ b/docs/superpowers/specs/2026-04-30-issue-7599-open-graph-metadata-design.md
@@ -144,3 +144,38 @@ The XSS escape test is the security-relevant one: pad IDs are user-controlled
 - A `padSocialMetadata` hook that lets plugins override the values.
 - Per-pad description (e.g. ep_pad_title integration).
 - Generated preview images (would require a rendering service).
+
+## Follow-up (2026-05-07): operator description override
+
+Issue #7599 follow-up comment from @stffen flagged two gaps in the shipped
+behaviour:
+
+1. The default description is in English and there is no obvious place in
+   `settings.json` to change it.
+2. The visitor's language is negotiated from `Accept-Language`, which most
+   link-preview crawlers (WhatsApp, Signal, Slack, Telegram, Facebook) do not
+   send — so non-English instances always serve the English fallback to
+   crawlers regardless of which locale files exist.
+
+Resolution: keep the i18n catalog as the default source (the original Qodo
+review still stands — translatable strings belong in locale files), but add
+an explicit `settings.socialMeta.description` override that wins when set:
+
+- `socialMeta.description: null` (default) → existing behaviour: i18n
+  catalog with `Accept-Language` negotiation, English fallback.
+- `socialMeta.description: "<text>"` → that string is used verbatim for
+  `og:description` / `twitter:description` regardless of the negotiated
+  language. This is the lever that fixes the crawler-no-Accept-Language
+  case.
+- Empty / whitespace-only override is treated as unset (would otherwise
+  blank out previews silently — a footgun).
+- The override is HTML-escaped via the same path as every other
+  interpolated value.
+- `og:locale` is unaffected; it continues to reflect the negotiated render
+  language. Operators who want fully localised descriptions still use
+  `customLocaleStrings` to override `pad.social.description` per-language.
+
+Documentation lives next to `publicURL` in both `settings.json.template`
+and `settings.json.docker` (mirrors how the original feature is
+configured), and the `customLocaleStrings` example now shows the
+`pad.social.description` key explicitly so operators can find both routes.
diff --git a/settings.json.docker b/settings.json.docker
index d640536a817..36becc015fd 100644
--- a/settings.json.docker
+++ b/settings.json.docker
@@ -125,6 +125,19 @@
    */
   "publicURL": "${PUBLIC_URL:null}",
 
+  /*
+   * Open Graph / Twitter Card metadata for link previews.
+   *
+   * SOCIAL_META_DESCRIPTION: when set, this exact text is used as
+   * og:description regardless of negotiated language. Most preview crawlers
+   * (WhatsApp, Signal, Slack, ...) don't send Accept-Language, so without an
+   * override they always hit the English fallback in the i18n catalog.
+   * Leave unset (null) to use the catalog (key `pad.social.description`).
+   */
+  "socialMeta": {
+    "description": "${SOCIAL_META_DESCRIPTION:null}"
+  },
+
   /*
    * Skin name.
    *
diff --git a/settings.json.template b/settings.json.template
index 61be12fbf73..7e6ab93aa6a 100644
--- a/settings.json.template
+++ b/settings.json.template
@@ -123,6 +123,26 @@
    */
   "publicURL": null,
 
+  /*
+   * Open Graph / Twitter Card metadata, served on the homepage, pad pages and
+   * timeslider for nicer previews when a pad URL is shared in chat apps
+   * (WhatsApp, Signal, Slack, ...).
+   *
+   * - description: when set to a non-empty string, this exact text is used as
+   *   og:description / twitter:description regardless of the visitor's
+   *   negotiated language. Most link-preview crawlers don't send an
+   *   Accept-Language header, so without an override they always see the
+   *   English fallback. Set this if your instance serves a non-English
+   *   audience and you want a fixed blurb in shared previews.
+   *
+   * Leave description as null to use Etherpad's i18n catalog (key
+   * `pad.social.description`), which honours Accept-Language and can be
+   * overridden per-language via `customLocaleStrings` further down.
+   */
+  "socialMeta": {
+    "description": null
+  },
+
   /*
    * Skin name.
    *
@@ -820,7 +840,19 @@
    */
    "logLayoutType": "colored",
 
-  /* Override any strings found in locale directories */
+  /*
+   * Override any strings found in locale directories.
+   *
+   * Format: { "<lang>": { "<key>": "<text>", ... }, ... }
+   * Example, per-language Open Graph description for link previews:
+   *   "customLocaleStrings": {
+   *     "en": { "pad.social.description": "Our team's collaborative pads." },
+   *     "de": { "pad.social.description": "Kollaborative Notizblöcke." }
+   *   }
+   * For a single description regardless of language, prefer
+   * `socialMeta.description` above — link-preview crawlers usually don't
+   * send Accept-Language and otherwise hit the English fallback.
+   */
   "customLocaleStrings": {},
 
   /* Disable Admin UI tests */
diff --git a/src/node/utils/Settings.ts b/src/node/utils/Settings.ts
index 68f51da1fc6..2e963f132db 100644
--- a/src/node/utils/Settings.ts
+++ b/src/node/utils/Settings.ts
@@ -165,6 +165,9 @@ export type SettingsType = {
   showRecentPads: boolean,
   favicon: string | null,
   publicURL: string | null,
+  socialMeta: {
+    description: string | null,
+  },
   ttl: {
     AccessToken: number,
     AuthorizationCode: number,
@@ -360,6 +363,24 @@ const settings: SettingsType = {
    * No trailing slash. Must include scheme.
    */
   publicURL: null,
+
+  /**
+   * Open Graph / Twitter Card metadata, served on the homepage, pad pages and
+   * timeslider for nicer previews when a pad URL is shared in chat apps.
+   *
+   * description: when non-null, this exact string is used as og:description /
+   *   twitter:description regardless of the visitor's negotiated language. Most
+   *   crawlers (WhatsApp, Signal, Telegram, Slack, Facebook) don't send an
+   *   Accept-Language header, so without an override they always see the
+   *   English fallback — set this if your instance serves a non-English
+   *   audience and you want a fixed blurb. Leave null to use Etherpad's
+   *   built-in i18n catalog (key `pad.social.description`), which honours the
+   *   visitor's Accept-Language and can be overridden per-language via the
+   *   standard `customLocaleStrings` mechanism below.
+   */
+  socialMeta: {
+    description: null,
+  },
   ttl: {
     AccessToken: 1 * 60 * 60, // 1 hour in seconds
     AuthorizationCode: 10 * 60, // 10 minutes in seconds
diff --git a/src/node/utils/socialMeta.ts b/src/node/utils/socialMeta.ts
index efdeb429d1c..caa6d76d334 100644
--- a/src/node/utils/socialMeta.ts
+++ b/src/node/utils/socialMeta.ts
@@ -9,8 +9,13 @@ import type {Request} from 'express';
  * XSS via crafted pad IDs.
  *
  * The description text is sourced from Etherpad's i18n catalog under the key
- * `pad.social.description`. Operators can override it per-language via the
- * standard `customLocaleStrings` mechanism in settings.json.
+ * `pad.social.description`. Operators have two ways to override it:
+ *   - `settings.socialMeta.description` — flat string used regardless of
+ *     negotiated language. Useful because most link-preview crawlers don't
+ *     send Accept-Language and would otherwise always hit the English fallback.
+ *   - `customLocaleStrings` — per-language override that participates in
+ *     normal Accept-Language negotiation.
+ * The flat setting wins over the i18n catalog when set.
  */
 
 const SOCIAL_DESCRIPTION_KEY = 'pad.social.description';
@@ -96,6 +101,9 @@ type SocialMetaSettings = {
   title?: string,
   favicon?: string | null,
   publicURL?: string | null,
+  socialMeta?: {
+    description?: string | null,
+  },
 };
 
 const negotiateRenderLang = (req: Request, availableLangs: AvailableLangs): string => {
@@ -153,10 +161,25 @@ export type RenderOpts = {
   padName?: string,
 };
 
+// Operator override wins, but only when it's a non-empty string. An empty
+// string from settings would silently blank out og:description / twitter:
+// description and break previews, so we treat empty/whitespace-only as unset
+// and fall back to the i18n catalog.
+const resolveDescriptionWithOverride = (
+  override: string | null | undefined,
+  locales: {[lang: string]: {[key: string]: string}} | undefined,
+  renderLang: string,
+): string => {
+  if (typeof override === 'string' && override.trim() !== '') return override;
+  return resolveDescription(locales, renderLang);
+};
+
 export const renderSocialMeta = (o: RenderOpts): string => {
   const renderLang = negotiateRenderLang(o.req, o.availableLangs);
   const siteName = o.settings.title || 'Etherpad';
-  const description = resolveDescription(o.locales, renderLang);
+  const description = resolveDescriptionWithOverride(
+      o.settings.socialMeta && o.settings.socialMeta.description,
+      o.locales, renderLang);
   const imageUrl = resolveImageUrl(o.req, o.settings.favicon, o.settings.publicURL);
   const imageAlt = `${siteName} logo`;
 
diff --git a/src/tests/backend/specs/socialMeta-unit.ts b/src/tests/backend/specs/socialMeta-unit.ts
index da86a194fbe..3cb9f0bf57b 100644
--- a/src/tests/backend/specs/socialMeta-unit.ts
+++ b/src/tests/backend/specs/socialMeta-unit.ts
@@ -168,6 +168,89 @@ describe(__filename, function () {
     });
   });
 
+  describe('renderSocialMeta — settings.socialMeta.description override', function () {
+    it('overrides i18n catalog regardless of negotiated language', function () {
+      // Crawler sends de, catalog has both en and de entries — operator
+      // override wins anyway. This is the crawler-no-Accept-Language case.
+      const html = renderSocialMeta({
+        req: fakeReq({acceptsLanguages: () => 'de'}),
+        settings: {
+          title: 'Etherpad', favicon: null,
+          socialMeta: {description: 'Operator-set blurb'},
+        },
+        availableLangs: {en: {}, de: {}},
+        locales: {
+          en: {'pad.social.description': 'En catalog'},
+          de: {'pad.social.description': 'De catalog'},
+        },
+        kind: 'pad', padName: 'P',
+      });
+      assert.equal(ogTag(html, 'og:description'), 'Operator-set blurb');
+      assert.equal(ogTag(html, 'twitter:description'), 'Operator-set blurb');
+    });
+
+    it('null override falls back to i18n catalog', function () {
+      const html = renderSocialMeta({
+        req: fakeReq({acceptsLanguages: () => 'de'}),
+        settings: {
+          title: 'Etherpad', favicon: null,
+          socialMeta: {description: null},
+        },
+        availableLangs: {en: {}, de: {}},
+        locales: {
+          en: {'pad.social.description': 'En'},
+          de: {'pad.social.description': 'De'},
+        },
+        kind: 'pad', padName: 'P',
+      });
+      assert.equal(ogTag(html, 'og:description'), 'De');
+    });
+
+    it('empty / whitespace override does NOT silence the description', function () {
+      // An accidental empty string in settings.json must not blank out the tag —
+      // we'd lose previews entirely. Treat it as unset.
+      for (const blank of ['', '   ', '\t\n']) {
+        const html = renderSocialMeta({
+          req: fakeReq({acceptsLanguages: () => 'en'}),
+          settings: {
+            title: 'Etherpad', favicon: null,
+            socialMeta: {description: blank},
+          },
+          availableLangs: {en: {}},
+          locales: {en: {'pad.social.description': 'Catalog wins'}},
+          kind: 'pad', padName: 'P',
+        });
+        assert.equal(ogTag(html, 'og:description'), 'Catalog wins',
+            `blank override (${JSON.stringify(blank)}) should fall back`);
+      }
+    });
+
+    it('HTML-escapes the override (it is operator-controlled but renders into HTML)', function () {
+      const html = renderSocialMeta({
+        req: fakeReq(),
+        settings: {
+          title: 'Etherpad', favicon: null,
+          socialMeta: {description: 'A & B "<C>"'},
+        },
+        availableLangs: {en: {}}, locales: enLocales,
+        kind: 'pad', padName: 'P',
+      });
+      assert.equal(ogTag(html, 'og:description'), 'A &amp; B &quot;&lt;C&gt;&quot;');
+    });
+
+    it('missing socialMeta block is treated as unset', function () {
+      // Older settings.json files won't have the socialMeta block at all.
+      const html = renderSocialMeta({
+        req: fakeReq({acceptsLanguages: () => 'en'}),
+        settings: {title: 'Etherpad', favicon: null},
+        availableLangs: {en: {}},
+        locales: {en: {'pad.social.description': 'Catalog'}},
+        kind: 'pad', padName: 'P',
+      });
+      assert.equal(ogTag(html, 'og:description'), 'Catalog');
+    });
+  });
+
   describe('renderSocialMeta — image URL', function () {
     it('builds absolute URL to /favicon.ico when settings.favicon is null', function () {
       const html = renderSocialMeta({
diff --git a/src/tests/backend/specs/socialMeta.ts b/src/tests/backend/specs/socialMeta.ts
index dbf24c04820..34596e87996 100644
--- a/src/tests/backend/specs/socialMeta.ts
+++ b/src/tests/backend/specs/socialMeta.ts
@@ -24,11 +24,15 @@ describe(__filename, function () {
   beforeEach(async function () {
     backup.title = settings.title;
     backup.favicon = settings.favicon;
+    backup.socialMeta = settings.socialMeta;
+    // Default shape — every test starts with no override.
+    settings.socialMeta = {description: null};
   });
 
   afterEach(async function () {
     settings.title = backup.title;
     settings.favicon = backup.favicon;
+    settings.socialMeta = backup.socialMeta;
   });
 
   describe('pad page', function () {
@@ -121,4 +125,45 @@ describe(__filename, function () {
       assert.equal(ogTag(res.text, 'og:title'), settings.title);
     });
   });
+
+  describe('settings.socialMeta.description override', function () {
+    it('overrides og:description and twitter:description', async function () {
+      settings.socialMeta = {description: 'Custom blurb for issue 7599'};
+      const res = await agent.get('/p/TestPad7599').expect(200);
+      assert.equal(ogTag(res.text, 'og:description'), 'Custom blurb for issue 7599');
+      assert.equal(ogTag(res.text, 'twitter:description'), 'Custom blurb for issue 7599');
+    });
+
+    it('override beats Accept-Language negotiation', async function () {
+      // Crawlers (WhatsApp/Signal/etc.) typically send no Accept-Language and
+      // would otherwise always hit the English fallback. Operator override
+      // wins regardless of the negotiated locale.
+      settings.socialMeta = {description: 'Operator wins'};
+      const res = await agent.get('/p/TestPad7599')
+          .set('Accept-Language', 'de').expect(200);
+      assert.equal(ogTag(res.text, 'og:description'), 'Operator wins');
+    });
+
+    it('blank override falls back to i18n catalog (does not silence preview)', async function () {
+      settings.socialMeta = {description: '   '};
+      const res = await agent.get('/p/TestPad7599')
+          .set('Accept-Language', 'en').expect(200);
+      const desc = ogTag(res.text, 'og:description');
+      assert.ok(desc && desc.length > 0,
+          'blank override should not blank out og:description');
+      assert.match(desc!, /collaborative/i);
+    });
+
+    it('HTML-escapes the override', async function () {
+      settings.socialMeta = {description: 'A & B <c> "d"'};
+      const res = await agent.get('/p/TestPad7599').expect(200);
+      // The HTML body contains the *escaped* form; the parsed attribute value
+      // (what ogTag returns) is the unescaped logical string the meta tag
+      // exposes — assert both: no raw <c> in the served HTML, and the logical
+      // value round-trips correctly.
+      assert.ok(!/content="[^"]*<c>/.test(res.text),
+          'raw "<c>" must not appear inside content="..."');
+      assert.equal(ogTag(res.text, 'og:description'), 'A &amp; B &lt;c&gt; &quot;d&quot;');
+    });
+  });
 });

From a35641425416587f9473d44b1d61896d3246265e Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Thu, 7 May 2026 18:38:17 +0800
Subject: [PATCH 06/25] fix(socialMeta): coerced numeric/boolean override
 silently dropped (#7692)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(socialMeta): coerced numeric/boolean override silently dropped

Qodo flagged on PR #7691: Settings.coerceValue() turns numeric-looking env
vars into numbers and "true"/"false" into booleans, so e.g.
SOCIAL_META_DESCRIPTION="2026" arrives at the resolver as the number 2026.
The previous resolver gated on `typeof override === 'string'`, so it
silently fell back to the i18n catalog with no warning — the operator's
docker config would appear broken.

Accept string|number|boolean and stringify before the empty-check; null /
undefined / unsupported types still fall through to the catalog. Two new
unit specs cover the numeric and boolean coercion paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(socialMeta): widen description type to match coerced runtime

Action Qodo bug-find: SettingsType.socialMeta.description and
SocialMetaSettings.description still claimed `string | null`, but
Settings.coerceValue() can produce number|boolean from env-var-driven
config — the previous resolver fix was correct at runtime but the type
mismatch forced `as unknown as string` casts in the new tests.

Widen both declared types to `string | number | boolean | null` to match
runtime reality, drop the typeof string|number|boolean guards in the
resolver (the union now narrows automatically) and remove the test casts.
Behaviour is unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 src/node/utils/Settings.ts                 |  8 +++++-
 src/node/utils/socialMeta.ts               | 23 +++++++++++-----
 src/tests/backend/specs/socialMeta-unit.ts | 32 ++++++++++++++++++++++
 3 files changed, 55 insertions(+), 8 deletions(-)

diff --git a/src/node/utils/Settings.ts b/src/node/utils/Settings.ts
index 2e963f132db..ff2e93ec8dd 100644
--- a/src/node/utils/Settings.ts
+++ b/src/node/utils/Settings.ts
@@ -166,7 +166,13 @@ export type SettingsType = {
   favicon: string | null,
   publicURL: string | null,
   socialMeta: {
-    description: string | null,
+    // Runtime type is wider than what an operator writes by hand: when
+    // `socialMeta.description` is sourced from an env var (e.g.
+    // `"${SOCIAL_META_DESCRIPTION:null}"` in settings.json.docker), the
+    // settings loader's `coerceValue()` turns numeric-looking strings into
+    // numbers and "true"/"false" into booleans. Downstream code stringifies
+    // before use; the wider type stops callers (and tests) needing casts.
+    description: string | number | boolean | null,
   },
   ttl: {
     AccessToken: number,
diff --git a/src/node/utils/socialMeta.ts b/src/node/utils/socialMeta.ts
index caa6d76d334..60fa285ee70 100644
--- a/src/node/utils/socialMeta.ts
+++ b/src/node/utils/socialMeta.ts
@@ -102,7 +102,11 @@ type SocialMetaSettings = {
   favicon?: string | null,
   publicURL?: string | null,
   socialMeta?: {
-    description?: string | null,
+    // Wider than the operator-facing type: env-var-driven settings get
+    // pre-coerced by Settings.coerceValue(), so we may receive number/boolean
+    // even though "the value an operator types" is a string. Stringified at
+    // resolve time.
+    description?: string | number | boolean | null,
   },
 };
 
@@ -161,16 +165,21 @@ export type RenderOpts = {
   padName?: string,
 };
 
-// Operator override wins, but only when it's a non-empty string. An empty
-// string from settings would silently blank out og:description / twitter:
-// description and break previews, so we treat empty/whitespace-only as unset
-// and fall back to the i18n catalog.
+// Operator override wins when set. Settings.ts coerces env-var strings to
+// their typed form (e.g. SOCIAL_META_DESCRIPTION="123" arrives as the number
+// 123 and ="true" as the boolean true), so we accept string | number | boolean
+// and stringify before comparing. Empty / whitespace-only values are treated
+// as unset — an accidental "" in settings would otherwise silently blank out
+// og:description and break previews entirely.
 const resolveDescriptionWithOverride = (
-  override: string | null | undefined,
+  override: string | number | boolean | null | undefined,
   locales: {[lang: string]: {[key: string]: string}} | undefined,
   renderLang: string,
 ): string => {
-  if (typeof override === 'string' && override.trim() !== '') return override;
+  if (override !== null && override !== undefined) {
+    const s = String(override);
+    if (s.trim() !== '') return s;
+  }
   return resolveDescription(locales, renderLang);
 };
 
diff --git a/src/tests/backend/specs/socialMeta-unit.ts b/src/tests/backend/specs/socialMeta-unit.ts
index 3cb9f0bf57b..63b39724eb4 100644
--- a/src/tests/backend/specs/socialMeta-unit.ts
+++ b/src/tests/backend/specs/socialMeta-unit.ts
@@ -249,6 +249,38 @@ describe(__filename, function () {
       });
       assert.equal(ogTag(html, 'og:description'), 'Catalog');
     });
+
+    it('numeric override is stringified (env-var coercion safety)', function () {
+      // Settings.ts coerceValue() turns numeric-looking env vars into numbers,
+      // so SOCIAL_META_DESCRIPTION="2026" arrives here as the number 2026.
+      // Without stringification the resolver would silently fall back to i18n.
+      const html = renderSocialMeta({
+        req: fakeReq(),
+        settings: {
+          title: 'Etherpad', favicon: null,
+          socialMeta: {description: 2026},
+        },
+        availableLangs: {en: {}}, locales: enLocales,
+        kind: 'pad', padName: 'P',
+      });
+      assert.equal(ogTag(html, 'og:description'), '2026');
+    });
+
+    it('boolean override is stringified (covers "true"/"false" env-var coercion)', function () {
+      // Less likely than the numeric case but possible: setting
+      // SOCIAL_META_DESCRIPTION="true" yields a boolean. Treat it like the
+      // operator wrote that literal string rather than silently dropping it.
+      const html = renderSocialMeta({
+        req: fakeReq(),
+        settings: {
+          title: 'Etherpad', favicon: null,
+          socialMeta: {description: true},
+        },
+        availableLangs: {en: {}}, locales: enLocales,
+        kind: 'pad', padName: 'P',
+      });
+      assert.equal(ogTag(html, 'og:description'), 'true');
+    });
   });
 
   describe('renderSocialMeta — image URL', function () {

From bcf5c91c155457a67a498661dc8e7bc88685c4d0 Mon Sep 17 00:00:00 2001
From: "translatewiki.net" <l10n-bot@translatewiki.net>
Date: Thu, 7 May 2026 14:03:09 +0200
Subject: [PATCH 07/25] Localisation updates from https://translatewiki.net.

---
 src/locales/gl.json      | 29 ++++++++++++++++++++++++++++-
 src/locales/ko.json      |  3 ++-
 src/locales/mk.json      |  3 +++
 src/locales/pms.json     |  5 +++--
 src/locales/zh-hans.json | 29 ++++++++++++++++++++++++++++-
 5 files changed, 64 insertions(+), 5 deletions(-)

diff --git a/src/locales/gl.json b/src/locales/gl.json
index 7096f45b0ed..f8beafd27aa 100644
--- a/src/locales/gl.json
+++ b/src/locales/gl.json
@@ -14,6 +14,8 @@
 	"admin_plugins.available_install.value": "Instalar",
 	"admin_plugins.available_search.placeholder": "Buscar complementos para instalar",
 	"admin_plugins.description": "Descrición",
+	"admin_plugins.disables.label": "Desactiva:",
+	"admin_plugins.disables.warning_title": "Este complemento elimina intencionadamente as funcionalidades de Etherpad listadas.",
 	"admin_plugins.installed": "Complementos instalados",
 	"admin_plugins.installed_fetching": "Obtendo os complementos instalados...",
 	"admin_plugins.installed_nothing": "Aínda non instalaches ningún complemento.",
@@ -39,6 +41,19 @@
 	"admin_settings.current_restart.value": "Reiniciar Etherpad",
 	"admin_settings.current_save.value": "Gardar axustes",
 	"admin_settings.page-title": "Axustes - Etherpad",
+	"update.banner.title": "Actualización dispoñible",
+	"update.banner.body": "Etherpad {{latest}} está dispoñible (estás a usar {{current}}).",
+	"update.banner.cta": "Ver a actualización",
+	"update.page.title": "Actualizacións de Etherpad",
+	"update.page.current": "Versión actual",
+	"update.page.latest": "Última versión",
+	"update.page.last_check": "Última comprobación",
+	"update.page.install_method": "Método de instalación",
+	"update.page.tier": "Actualizar o nivel",
+	"update.page.changelog": "Rexistro de cambios",
+	"update.page.up_to_date": "Estás a executar a última versión.",
+	"update.badge.severe": "Etherpad está moi desactualizado neste servidor. Informa á administración.",
+	"update.badge.vulnerable": "Etherpad está a executar neste servidor unha versión con problemas de seguranza. Informa á administración.",
 	"index.newPad": "Novo documento",
 	"index.settings": "Axustes",
 	"index.transferSessionTitle": "Transferir a sesión",
@@ -93,6 +108,7 @@
 	"pad.settings.stickychat": "Charla sempre visible",
 	"pad.settings.chatandusers": "Mostrar a charla e as usuarias",
 	"pad.settings.colorcheck": "Cores de identificación",
+	"pad.settings.fadeInactiveAuthorColors": "Esvaecer as cores dos autores inactivos",
 	"pad.settings.linenocheck": "Números de liña",
 	"pad.settings.rtlcheck": "Queres ler o contido da dereita á esquerda?",
 	"pad.settings.enforceSettings": "Aplicar os axustes aos demais usuarios",
@@ -102,6 +118,16 @@
 	"pad.settings.language": "Lingua:",
 	"pad.settings.deletePad": "Borrar o documento",
 	"pad.delete.confirm": "Queres borrar este documento?",
+	"pad.deletionToken.modalTitle": "Garda o teu token de eliminación do documento",
+	"pad.deletionToken.modalBody": "Este token é a única maneira de eliminar este documento se perdes a sesión do navegador ou cambias de dispositivo. Gárdao nun lugar seguro; aquí mostrarase exactamente unha vez.",
+	"pad.deletionToken.copy": "Copiar",
+	"pad.deletionToken.copied": "Copiado",
+	"pad.deletionToken.acknowledge": "Gardeino",
+	"pad.deletionToken.deleteWithToken": "Eliminar o documento cun token",
+	"pad.deletionToken.tokenFieldLabel": "Token de eliminación do documento",
+	"pad.deletionToken.tokenValueLabel": "O teu token de eliminación do documento (só lectura)",
+	"pad.deletionToken.invalid": "Ese token non é válido para este documento.",
+	"pad.deletionToken.notCreator": "Non es a persoa creadora deste documento, así que non podes eliminalo.",
 	"pad.settings.about": "Acerca de",
 	"pad.settings.poweredBy": "Grazas a",
 	"pad.importExport.import_export": "Importar/Exportar",
@@ -202,5 +228,6 @@
 	"pad.impexp.importfailed": "Fallou a importación",
 	"pad.impexp.copypaste": "Copie e pegue",
 	"pad.impexp.exportdisabled": "A exportación en formato {{type}} está desactivada. Póñase en contacto co administrador do sistema se quere máis detalles.",
-	"pad.impexp.maxFileSize": "Ficheiro demasiado granda. Contacta coa administración para aumentar o tamaño permitido para importacións"
+	"pad.impexp.maxFileSize": "Ficheiro demasiado granda. Contacta coa administración para aumentar o tamaño permitido para importacións",
+	"pad.social.description": "Un documento colaborativo que calquera pode editar en tempo real."
 }
diff --git a/src/locales/ko.json b/src/locales/ko.json
index 44f592488b4..e077201268f 100644
--- a/src/locales/ko.json
+++ b/src/locales/ko.json
@@ -9,6 +9,7 @@
 			"Revi",
 			"SeoJeongHo",
 			"Suleiman the Magnificent Television",
+			"Tensama0415",
 			"YeBoy371",
 			"Ykhwong",
 			"그냥기여자",
@@ -49,7 +50,7 @@
 	"admin_settings.current_save.value": "설정 저장",
 	"admin_settings.page-title": "설정 - 이더패드",
 	"index.newPad": "새 패드",
-	"index.createOpenPad": "또는 다음 이름으로 패드 만들기/열기:",
+	"index.createOpenPad": "이름으로 패드 열기",
 	"index.openPad": "이름으로 기존 패드 열기:",
 	"pad.toolbar.bold.title": "굵게 (Ctrl+B)",
 	"pad.toolbar.italic.title": "기울임꼴 (Ctrl+I)",
diff --git a/src/locales/mk.json b/src/locales/mk.json
index 88a3fc3642f..6d939c2de21 100644
--- a/src/locales/mk.json
+++ b/src/locales/mk.json
@@ -14,6 +14,8 @@
 	"admin_plugins.available_install.value": "Воспостави",
 	"admin_plugins.available_search.placeholder": "Пребарај приклучоци за воспоставка",
 	"admin_plugins.description": "Опис",
+	"admin_plugins.disables.label": "Оневозможува:",
+	"admin_plugins.disables.warning_title": "Овој приклучок намерно ги отстранува наведените функции на Etherpad.",
 	"admin_plugins.installed": "Воспоставени приклучоци",
 	"admin_plugins.installed_fetching": "Ги земам воспоставените приклучоци…",
 	"admin_plugins.installed_nothing": "Засега немате воспоставено ниеден приклучок.",
@@ -106,6 +108,7 @@
 	"pad.settings.stickychat": "Разговорите секогаш на екранот",
 	"pad.settings.chatandusers": "Прикажи разговор и корисници",
 	"pad.settings.colorcheck": "Авторски бои",
+	"pad.settings.fadeInactiveAuthorColors": "Избледувај ги боите на неактивните автоори",
 	"pad.settings.linenocheck": "Броеви на редовите",
 	"pad.settings.rtlcheck": "Содржините да се читаат од десно на лево?",
 	"pad.settings.enforceSettings": "Примени нагодувања за другите корисници",
diff --git a/src/locales/pms.json b/src/locales/pms.json
index 165d9d02b40..6574a45c08b 100644
--- a/src/locales/pms.json
+++ b/src/locales/pms.json
@@ -1,7 +1,8 @@
 {
 	"@metadata": {
 		"authors": [
-			"Borichèt"
+			"Borichèt",
+			"Dragonòt"
 		]
 	},
 	"admin.page-title": "Cruscòt d'aministrator - Etherpad",
@@ -161,7 +162,7 @@
 	"timeslider.month.february": "Fërvé",
 	"timeslider.month.march": "Mars",
 	"timeslider.month.april": "Avril",
-	"timeslider.month.may": "Maj",
+	"timeslider.month.may": "Magg",
 	"timeslider.month.june": "Giugn",
 	"timeslider.month.july": "Luj",
 	"timeslider.month.august": "Ost",
diff --git a/src/locales/zh-hans.json b/src/locales/zh-hans.json
index 47577707292..946490acd90 100644
--- a/src/locales/zh-hans.json
+++ b/src/locales/zh-hans.json
@@ -33,6 +33,8 @@
 	"admin_plugins.available_install.value": "安装",
 	"admin_plugins.available_search.placeholder": "搜索要安装的插件",
 	"admin_plugins.description": "描述",
+	"admin_plugins.disables.label": "禁用：",
+	"admin_plugins.disables.warning_title": "此插件意在移除所列出的Etherpad功能。",
 	"admin_plugins.installed": "已装插件",
 	"admin_plugins.installed_fetching": "正在获取已安装的插件…",
 	"admin_plugins.installed_nothing": "您尚未安装任何插件。",
@@ -58,6 +60,19 @@
 	"admin_settings.current_restart.value": "重启Etherpad",
 	"admin_settings.current_save.value": "保存设置",
 	"admin_settings.page-title": "设置 - Etherpad",
+	"update.banner.title": "更新可用",
+	"update.banner.body": "Etherpad {{latest}}可用（您正在运行{{current}}）。",
+	"update.banner.cta": "查看更新",
+	"update.page.title": "Etherpad更新",
+	"update.page.current": "当前版本",
+	"update.page.latest": "最新版本",
+	"update.page.last_check": "最后检查于",
+	"update.page.install_method": "安装方法",
+	"update.page.tier": "更新层级",
+	"update.page.changelog": "更新日志",
+	"update.page.up_to_date": "您目前运行的是最新版本。",
+	"update.badge.severe": "此服务器上的Etherpad版本严重过时。请告知您的管理员。",
+	"update.badge.vulnerable": "此服务器上运行的Etherpad版本存在已知安全问题。请告知您的管理员。",
 	"index.newPad": "新记事本",
 	"index.settings": "设置",
 	"index.transferSessionTitle": "转移会话",
@@ -112,6 +127,7 @@
 	"pad.settings.stickychat": "总是显示聊天屏幕",
 	"pad.settings.chatandusers": "显示聊天和用户",
 	"pad.settings.colorcheck": "作者颜色",
+	"pad.settings.fadeInactiveAuthorColors": "淡化非活跃作者颜色",
 	"pad.settings.linenocheck": "行号",
 	"pad.settings.rtlcheck": "从右到左阅读内容吗？",
 	"pad.settings.enforceSettings": "对其他用户的强制设置",
@@ -121,6 +137,16 @@
 	"pad.settings.language": "语言：",
 	"pad.settings.deletePad": "删除记事本",
 	"pad.delete.confirm": "您确定要删除此记事本吗？",
+	"pad.deletionToken.modalTitle": "保存您的记事本删除令牌",
+	"pad.deletionToken.modalBody": "如果您丢失浏览器会话或切换设备，此令牌是删除此记事本的唯一方法。请将其保存在安全的地方——它只会在此处显示一次。",
+	"pad.deletionToken.copy": "复制",
+	"pad.deletionToken.copied": "已复制",
+	"pad.deletionToken.acknowledge": "我已保存",
+	"pad.deletionToken.deleteWithToken": "使用令牌删除记事本",
+	"pad.deletionToken.tokenFieldLabel": "记事本删除令牌",
+	"pad.deletionToken.tokenValueLabel": "您的记事本删除令牌（只读）",
+	"pad.deletionToken.invalid": "该令牌对此记事本无效。",
+	"pad.deletionToken.notCreator": "您不是此笔记本的创建者，因此您无法删除它。",
 	"pad.settings.about": "关于",
 	"pad.settings.poweredBy": "技术支持来自",
 	"pad.importExport.import_export": "导入/导出",
@@ -221,5 +247,6 @@
 	"pad.impexp.importfailed": "导入失败",
 	"pad.impexp.copypaste": "请复制粘贴",
 	"pad.impexp.exportdisabled": "{{type}} 格式的导出被禁用。有关详情，请与您的系统管理员联系。",
-	"pad.impexp.maxFileSize": "文件太大。 请与您的站点管理员联系以增加允许导入的文件大小"
+	"pad.impexp.maxFileSize": "文件太大。 请与您的站点管理员联系以增加允许导入的文件大小",
+	"pad.social.description": "一份所有人都能实时编辑的协作文档。"
 }

From c7ac1cce6f165847094876f08f025824fef5265b Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Thu, 7 May 2026 23:28:01 +0800
Subject: [PATCH 08/25] fix(a11y): localized aria-label + title on export-as
 links (#7697)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(a11y): localized aria-label + title on export-as links

The six export anchors in the import/export dialog had no aria-label or
title; their accessible name relied on the inner icon span's translated
text (e.g. "Etherpad"). That announces just the format name with no
"export" verb context, and the icon span doubles as the visible glyph
which screen readers also pick up.

Add `data-l10n-id="pad.importExport.export<format>a.title"` to each
anchor — html10n populates both the `title` attribute and `aria-label`
from the same key, so screen readers announce e.g. "Export as Etherpad"
and sighted users get a tooltip. Mark the inner icon span
`aria-hidden="true"` so SR doesn't double-read the format name.

Strengthens the existing `a11y_dialogs.spec.ts` "export links" test to
assert aria-label/title are populated and inner spans are aria-hidden,
and only checks the three formats that are present without soffice.

* Address Qodo review

- Add rel="noopener" to each export anchor: closes the
  reverse-tabnabbing window-opener gap. Other target="_blank" links
  in pad.html (e.g. the "Powered by Etherpad" link) already follow
  this hardening pattern.
- Pin Playwright locale to en-US for the a11y_dialogs spec: this
  file already asserts specific English strings (e.g. "Close chat",
  "Active users on this pad"); without the pin, translatewiki
  updates would break those tests. Tighten the export-anchor
  assertions to exact-match the English aria-label/title now that
  the locale is stable, and assert rel="noopener" too.
---
 src/locales/en.json                           |  6 +++
 src/templates/pad.html                        | 24 +++++------
 .../frontend-new/specs/a11y_dialogs.spec.ts   | 41 +++++++++++--------
 3 files changed, 43 insertions(+), 28 deletions(-)

diff --git a/src/locales/en.json b/src/locales/en.json
index e33cdef8bbb..a8602ad35e0 100644
--- a/src/locales/en.json
+++ b/src/locales/en.json
@@ -141,6 +141,12 @@
   "pad.importExport.exportword": "Microsoft Word",
   "pad.importExport.exportpdf": "PDF",
   "pad.importExport.exportopen": "ODF (Open Document Format)",
+  "pad.importExport.exportetherpada.title": "Export as Etherpad",
+  "pad.importExport.exporthtmla.title": "Export as HTML",
+  "pad.importExport.exportplaina.title": "Export as plain text",
+  "pad.importExport.exportworda.title": "Export as Microsoft Word",
+  "pad.importExport.exportpdfa.title": "Export as PDF",
+  "pad.importExport.exportopena.title": "Export as ODF (Open Document Format)",
   "pad.importExport.noConverter.innerHTML": "You can only import from plain text or HTML formats. For more advanced import features, please <a href=\"https://github.com/ether/etherpad-lite/wiki/How-to-enable-importing-and-exporting-different-file-formats-with-AbiWord\">install LibreOffice</a>.",
 
   "pad.modals.connected": "Connected.",
diff --git a/src/templates/pad.html b/src/templates/pad.html
index 5212b004606..8a4e3ac3c80 100644
--- a/src/templates/pad.html
+++ b/src/templates/pad.html
@@ -323,23 +323,23 @@ <h2 data-l10n-id="pad.importExport.import"></h2>
           <div id="exportColumn">
               <h2 data-l10n-id="pad.importExport.export"></h2>
               <% e.begin_block("exportColumn"); %>
-              <a id="exportetherpada" target="_blank" class="exportlink">
-                <span class="exporttype buttonicon buttonicon-file-powerpoint" id="exportetherpad" data-l10n-id="pad.importExport.exportetherpad"></span>
+              <a id="exportetherpada" data-l10n-id="pad.importExport.exportetherpada.title" target="_blank" rel="noopener" class="exportlink">
+                <span class="exporttype buttonicon buttonicon-file-powerpoint" id="exportetherpad" data-l10n-id="pad.importExport.exportetherpad" aria-hidden="true"></span>
               </a>
-              <a id="exporthtmla" target="_blank" class="exportlink">
-                <span class="exporttype buttonicon buttonicon-file-code" id="exporthtml" data-l10n-id="pad.importExport.exporthtml"></span>
+              <a id="exporthtmla" data-l10n-id="pad.importExport.exporthtmla.title" target="_blank" rel="noopener" class="exportlink">
+                <span class="exporttype buttonicon buttonicon-file-code" id="exporthtml" data-l10n-id="pad.importExport.exporthtml" aria-hidden="true"></span>
               </a>
-              <a id="exportplaina" target="_blank" class="exportlink">
-                <span class="exporttype buttonicon buttonicon-file" id="exportplain" data-l10n-id="pad.importExport.exportplain"></span>
+              <a id="exportplaina" data-l10n-id="pad.importExport.exportplaina.title" target="_blank" rel="noopener" class="exportlink">
+                <span class="exporttype buttonicon buttonicon-file" id="exportplain" data-l10n-id="pad.importExport.exportplain" aria-hidden="true"></span>
               </a>
-              <a id="exportworda" target="_blank" class="exportlink">
-                <span class="exporttype buttonicon buttonicon-file-word" id="exportword" data-l10n-id="pad.importExport.exportword"></span>
+              <a id="exportworda" data-l10n-id="pad.importExport.exportworda.title" target="_blank" rel="noopener" class="exportlink">
+                <span class="exporttype buttonicon buttonicon-file-word" id="exportword" data-l10n-id="pad.importExport.exportword" aria-hidden="true"></span>
               </a>
-              <a id="exportpdfa" target="_blank" class="exportlink">
-                <span class="exporttype buttonicon buttonicon-file-pdf" id="exportpdf" data-l10n-id="pad.importExport.exportpdf"></span>
+              <a id="exportpdfa" data-l10n-id="pad.importExport.exportpdfa.title" target="_blank" rel="noopener" class="exportlink">
+                <span class="exporttype buttonicon buttonicon-file-pdf" id="exportpdf" data-l10n-id="pad.importExport.exportpdf" aria-hidden="true"></span>
               </a>
-              <a id="exportopena" target="_blank" class="exportlink">
-                <span class="exporttype buttonicon buttonicon-file-alt" id="exportopen" data-l10n-id="pad.importExport.exportopen"></span>
+              <a id="exportopena" data-l10n-id="pad.importExport.exportopena.title" target="_blank" rel="noopener" class="exportlink">
+                <span class="exporttype buttonicon buttonicon-file-alt" id="exportopen" data-l10n-id="pad.importExport.exportopen" aria-hidden="true"></span>
               </a>
               <% e.end_block(); %>
           </div>
diff --git a/src/tests/frontend-new/specs/a11y_dialogs.spec.ts b/src/tests/frontend-new/specs/a11y_dialogs.spec.ts
index c5891ae1f06..ec6406a3205 100644
--- a/src/tests/frontend-new/specs/a11y_dialogs.spec.ts
+++ b/src/tests/frontend-new/specs/a11y_dialogs.spec.ts
@@ -1,6 +1,12 @@
 import {expect, test} from '@playwright/test';
 import {goToNewPad} from '../helper/padHelper';
 
+// Pin browser locale so html10n picks the English bundle. Several
+// assertions in this file compare against specific English strings
+// (e.g. "Close chat", "Export as Etherpad"); without this, translatewiki
+// updates would localise those strings and break the suite.
+test.use({locale: 'en-US'});
+
 test.beforeEach(async ({page}) => {
   await goToNewPad(page);
 });
@@ -65,28 +71,31 @@ test('users popup closes on Escape even when focus is outside the popup', async
   await expect(dialog).not.toHaveClass(/popup-show/);
 });
 
-test('export links have an accessible name from their localized content', async ({page}) => {
+test('export links have a localized aria-label and matching title', async ({page}) => {
   await page.locator('button[data-l10n-id="pad.toolbar.import_export.title"]').click();
   // The Word/PDF/ODF export links are removed client-side by pad_impexp.ts
   // when soffice is not configured, so only assert on links that the
-  // environment actually renders. For the ones that are present, their
-  // accessible name comes from the localized child span (data-l10n-id
-  // pad.importExport.exportetherpad etc.), not a hard-coded English
-  // aria-label. Assert the visible text is non-empty, which is what a
-  // screen reader will announce.
-  const ids = [
-    '#exportetherpada',
-    '#exporthtmla',
-    '#exportplaina',
-    '#exportworda',
-    '#exportpdfa',
-    '#exportopena',
+  // environment actually renders. Each anchor carries
+  // data-l10n-id="pad.importExport.export<format>a.title", which html10n
+  // expands into both `title` and `aria-label` from the same translation
+  // (e.g. "Export as Etherpad"). The inner icon span is aria-hidden so a
+  // screen reader announces the anchor's label once, not twice.
+  const cases: Array<[string, string]> = [
+    ['#exportetherpada', 'Export as Etherpad'],
+    ['#exporthtmla', 'Export as HTML'],
+    ['#exportplaina', 'Export as plain text'],
+    ['#exportworda', 'Export as Microsoft Word'],
+    ['#exportpdfa', 'Export as PDF'],
+    ['#exportopena', 'Export as ODF (Open Document Format)'],
   ];
-  for (const id of ids) {
+  for (const [id, expected] of cases) {
     const locator = page.locator(id);
     if ((await locator.count()) === 0) continue;
-    const text = (await locator.innerText()).trim();
-    expect(text.length).toBeGreaterThan(0);
+    await expect(locator).toHaveAttribute('aria-label', expected);
+    await expect(locator).toHaveAttribute('title', expected);
+    await expect(locator).toHaveAttribute('rel', 'noopener');
+    const innerSpan = locator.locator('span.exporttype');
+    await expect(innerSpan).toHaveAttribute('aria-hidden', 'true');
   }
 });
 

From 85c941fe9505c525ee0957eb0d31745d0c141afb Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Fri, 8 May 2026 00:17:05 +0800
Subject: [PATCH 09/25] feat(padOptions): pass plugin-namespaced ep_* keys
 through applyPadSettings (#7698)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat(padOptions): pass plugin-namespaced ep_* keys through applyPadSettings

Native pad-wide settings ride a single padOptions object: the server seeds
clientVars.initialOptions, the client mutates via pad.changePadOption(), and
the existing padoptions COLLABROOM message broadcasts changes. Plugins can't
use the same rail today because applyPadSettings (client) and
normalizePadSettings (server) silently drop any key not in their hardcoded
whitelist.

Add a passthrough loop that preserves keys matching /^ep_[a-z0-9_]+$/ on both
sides. Plugins can now stash their pad-wide values under their own namespace
(e.g. pad.padOptions.ep_table_of_contents = {enabled: true}) and inherit the
existing broadcast, persistence, creator-only-write enforcement, and
enforceSettings semantics for free.

A new src/node/utils/PluginCapabilities module exposes
padOptionsPluginPassthrough = true so plugins can feature-detect via
require() and fall back to per-user behavior on older cores.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Address Qodo review on PR #7698

Four concerns raised by Qodo (qodo-free-for-open-source-projects):

1. Feature flag — AGENTS.MD §52 requires new features behind a flag,
   disabled by default. Add `enablePluginPadOptions` (default false) gating
   the passthrough on both server (normalizePadSettings) and client
   (applyPadSettings, via clientVars). Plugins detect the runtime state
   through clientVars.enablePluginPadOptions; the static
   PluginCapabilities flag stays as the "core can do this" signal.

2. Documentation — add a "Plugin-namespaced pad-wide options" section to
   doc/plugins.md covering capability detection, the runtime flag, the
   key namespace pattern, and the validation rules. Mirror the flag
   description in settings.json.template.

3. Unbounded payload — values for ep_* keys are persisted with the pad and
   broadcast to every connected client, so an unvalidated path was a
   reliability hazard. Validate every ep_* value:
     - Must round-trip through JSON.stringify (rejects functions, symbols,
       BigInt, circular refs).
     - Per-key serialized size capped at 64 KB.
     - Combined ep_* size capped at 256 KB per pad.
   Rejects drop the value with a console.warn line; the rest of the pad
   settings round-trip cleanly.

4. PadOption type — add `[k: \`ep_${string}\`]: unknown` index signature
   so the SocketIO message type matches runtime behavior; TS callers no
   longer need unsafe casts to read plugin-namespaced keys.

Also extends the backend test suite with cases covering the runtime flag
(off/on), JSON-serializability rejection, per-key cap, and total cap.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(snap-tests): assert_grep — use here-string to dodge pipefail SIGPIPE

`assert_grep` ran `printf '%s' "$out" | grep -q -F -- "$needle"` under
`set -o pipefail`. When grep matched early it closed its stdin, printf
got SIGPIPE on its next write (exit 141), and pipefail propagated the
broken-pipe failure to the pipeline — making `if` see non-zero and
falling into the FAIL branch even though grep itself succeeded.

Failure was timing-dependent: it only fired when `$out` was large enough
that printf hadn't flushed before grep exited. CI ubuntu-latest tipped
into the racy path on PR #7698 once `settings.json.template` grew by 11
lines (the new `enablePluginPadOptions` flag); the symptom was the
`Wrapper unit tests` step reporting `dbType rewritten to sqlite ✗` with
"got: /*…" output even though the seeded file did contain the needle.

Replace the pipe with a here-string so grep gets its input in one shot
with no pipe between processes — no SIGPIPE possible. The fail-message
`head -3` is converted to a here-string for the same reason.

Repro on a runner whose pipe-buffer flush is slower than grep's first
match would have hit the same flake on any PR; the bug isn't about
this particular template change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 doc/plugins.md                         | 71 ++++++++++++++++++
 settings.json.template                 | 11 +++
 snap/tests/lib.sh                      | 13 +++-
 src/node/db/Pad.ts                     | 61 +++++++++++++++-
 src/node/handler/PadMessageHandler.ts  |  1 +
 src/node/utils/PluginCapabilities.ts   | 18 +++++
 src/node/utils/Settings.ts             |  9 ++-
 src/static/js/pad.ts                   | 10 +++
 src/static/js/types/SocketIOMessage.ts |  7 +-
 src/tests/backend/specs/Pad.ts         | 99 ++++++++++++++++++++++++++
 10 files changed, 295 insertions(+), 5 deletions(-)
 create mode 100644 src/node/utils/PluginCapabilities.ts

diff --git a/doc/plugins.md b/doc/plugins.md
index 95fbb9c40f5..68637267d45 100644
--- a/doc/plugins.md
+++ b/doc/plugins.md
@@ -238,6 +238,77 @@ operations in `templates/`, in files of type ".ejs", since Etherpad uses EJS for
 HTML templating. See the following link for more information about EJS:
 <https://github.com/visionmedia/ejs>.
 
+## Plugin-namespaced pad-wide options
+
+Plugins can ride the existing `padoptions` COLLABROOM rail to store
+pad-wide settings — broadcast to every connected client, persisted with the
+pad, and honored by `enforceSettings` — instead of inventing their own
+message type and storage. The model matches how `enablePadWideSettings`
+works for native toggles like sticky chat or line numbers.
+
+### Capability detection
+
+```js
+let padOptionsPluginPassthrough = false;
+try {
+  // The require throws on Etherpad versions that predate this capability;
+  // plugins should degrade gracefully (typically falling back to a per-user
+  // cookie toggle) when the flag is missing.
+  padOptionsPluginPassthrough =
+      require('ep_etherpad-lite/node/utils/PluginCapabilities')
+          .padOptionsPluginPassthrough === true;
+} catch (_e) { /* older core */ }
+```
+
+The flag means the core has the passthrough patch *available*. Whether it
+is actually *enabled* at runtime is a separate per-instance setting — see
+below.
+
+### Runtime flag
+
+The passthrough is gated by `settings.enablePluginPadOptions`, default
+`false`. Operators must opt in via `settings.json`:
+
+```json
+{
+  "enablePluginPadOptions": true
+}
+```
+
+When enabled, the server reflects the value to every client via
+`clientVars.enablePluginPadOptions` so plugins can detect both *capable*
+(static) and *active* (per-pad request) at the same point.
+
+### Key namespace
+
+Plugins must use keys matching `/^ep_[a-z0-9_]+$/`. The recommended pattern
+is `ep_<plugin_name>` (e.g. `ep_table_of_contents`); compose multiple
+pad-wide settings under one key as a plain object:
+
+```js
+pad.changePadOption('ep_my_plugin', {enabled: true, depth: 3});
+```
+
+The server passes through any matching key on the existing `padoptions`
+message, persists it with the pad, and broadcasts it to every connected
+client. `pad.padOptions.ep_my_plugin` reflects the latest value on every
+client.
+
+### Validation
+
+Server-side `Pad.normalizePadSettings()` enforces three rules on every
+plugin-namespaced key:
+
+- Values must round-trip through `JSON.stringify` (no functions, symbols,
+  BigInt, or circular references).
+- Each key's serialized payload must fit within **64 KB**.
+- The combined size of all `ep_*` values per pad must fit within **256 KB**.
+
+Values that fail any of these rules are dropped with a `console.warn`; the
+rest of the settings round-trip cleanly. The caps prevent a misbehaving
+plugin from bloating the persisted pad payload or the COLLABROOM
+broadcast.
+
 ## Writing and running front-end tests for your plugin
 
 Etherpad allows you to easily create front-end tests for plugins.
diff --git a/settings.json.template b/settings.json.template
index 7e6ab93aa6a..863286addc1 100644
--- a/settings.json.template
+++ b/settings.json.template
@@ -760,6 +760,17 @@
     **/
     "enablePadWideSettings": "${ENABLE_PAD_WIDE_SETTINGS:true}",
 
+  /*
+    * Allow plugins to ride the existing padoptions COLLABROOM rail by
+    * accepting pad-wide values under plugin-namespaced keys matching
+    * /^ep_[a-z0-9_]+$/ (e.g. ep_table_of_contents). Values are validated
+    * (JSON-safe, 64 KB per key, 256 KB total) and broadcast to every
+    * connected client just like native pad-wide toggles. Disabled by
+    * default; flip to true once your plugins (e.g. ep_plugin_helpers'
+    * padToggle) require it. See doc/plugins.md.
+    **/
+    "enablePluginPadOptions": "${ENABLE_PLUGIN_PAD_OPTIONS:false}",
+
   /*
    * Optional privacy banner shown once the pad loads. Disabled by default.
    *
diff --git a/snap/tests/lib.sh b/snap/tests/lib.sh
index af2336f345f..07f56172314 100755
--- a/snap/tests/lib.sh
+++ b/snap/tests/lib.sh
@@ -57,14 +57,23 @@ assert_exit() {
 }
 
 # assert_grep cmd needle name — fail if cmd's combined output doesn't match
+#
+# Uses a here-string instead of `printf | grep -q` because `set -o pipefail`
+# (declared at the top of this file) propagates SIGPIPE failures: when grep
+# -q matches early it closes its stdin, printf gets SIGPIPE on its next
+# write, and pipefail makes the whole pipeline exit non-zero — even though
+# the grep itself succeeded. The failure mode is timing-dependent, only
+# tripping when the captured output is large enough that printf hasn't
+# flushed before grep matches and exits. A here-string feeds grep its input
+# in one shot with no pipe in between.
 assert_grep() {
   local needle="$1" name="$2"; shift 2
   local out
   out=$("$@" 2>&1 || true)
-  if printf '%s' "$out" | grep -q -F -- "$needle"; then
+  if grep -q -F -- "$needle" <<<"$out"; then
     pass "$name"
   else
-    fail "$name" "expected output to contain: $needle; got: $(printf '%s' "$out" | head -3)"
+    fail "$name" "expected output to contain: $needle; got: $(head -3 <<<"$out")"
   fi
 }
 
diff --git a/src/node/db/Pad.ts b/src/node/db/Pad.ts
index ad135f21c99..0e4eaaac0e4 100644
--- a/src/node/db/Pad.ts
+++ b/src/node/db/Pad.ts
@@ -43,6 +43,43 @@ type PadSettings = {
   chatAndUsers: boolean;
   lang: string | null;
   view: PadViewSettings;
+  // Plugin-namespaced pad-wide options ride alongside the core keys.
+  // Anything matching /^ep_[a-z0-9_]+$/ is preserved verbatim by
+  // normalizePadSettings so plugins can use the existing padoptions
+  // broadcast/persist rail without forking their own transport.
+  [pluginKey: string]: any;
+};
+
+const PLUGIN_KEY_RE = /^ep_[a-z0-9_]+$/;
+// Per-key serialized JSON size cap: ~64 KB. Pad-wide settings are persisted
+// with the pad and broadcast to every connected client on every change, so
+// plugins must keep their values small. A misbehaving plugin shouldn't bloat
+// the pad payload or the broadcast.
+const PLUGIN_KEY_MAX_BYTES = 64 * 1024;
+// Combined ep_* size cap: ~256 KB. Same rationale, aggregated.
+const PLUGIN_TOTAL_MAX_BYTES = 256 * 1024;
+
+// Returns true iff `v` round-trips through JSON.stringify cleanly (no
+// functions, symbols, BigInt, or circular references) and serializes to at
+// most `maxBytes` UTF-8 bytes. Returns the serialized length on success so
+// callers can enforce a cumulative cap without serializing twice.
+const validatePluginValue = (
+    key: string, value: unknown, maxBytes: number): {ok: true, bytes: number} | {ok: false, reason: string} => {
+  let serialized: string;
+  try {
+    serialized = JSON.stringify(value);
+  } catch (e: any) {
+    return {ok: false, reason: `JSON.stringify failed: ${e && e.message || e}`};
+  }
+  if (serialized === undefined) {
+    // JSON.stringify returns undefined for top-level functions/undefined.
+    return {ok: false, reason: 'value is not JSON-serializable (function/undefined)'};
+  }
+  const bytes = Buffer.byteLength(serialized, 'utf8');
+  if (bytes > maxBytes) {
+    return {ok: false, reason: `serialized size ${bytes}B exceeds per-key cap ${maxBytes}B`};
+  }
+  return {ok: true, bytes};
 };
 
 /**
@@ -87,7 +124,7 @@ class Pad {
 
   static normalizePadSettings(rawPadSettings: any = {}): PadSettings {
     const rawView = rawPadSettings.view ?? {};
-    return {
+    const result: PadSettings = {
       enforceSettings: !!rawPadSettings.enforceSettings,
       showChat: rawPadSettings.showChat == null ? settings.padOptions.showChat !== false :
         !!rawPadSettings.showChat,
@@ -109,6 +146,28 @@ class Pad {
           !!rawView.fadeInactiveAuthorColors,
       },
     };
+    if (settings.enablePluginPadOptions) {
+      let totalBytes = 0;
+      for (const [k, v] of Object.entries(rawPadSettings)) {
+        if (!PLUGIN_KEY_RE.test(k)) continue;
+        const check = validatePluginValue(k, v, PLUGIN_KEY_MAX_BYTES);
+        if (!check.ok) {
+          // Drop and log. Persistence/broadcast still rejects the value, but
+          // the rest of the settings round-trip cleanly.
+          console.warn(`[normalizePadSettings] dropping ${k}: ${check.reason}`);
+          continue;
+        }
+        if (totalBytes + check.bytes > PLUGIN_TOTAL_MAX_BYTES) {
+          console.warn(
+              `[normalizePadSettings] dropping ${k}: combined ep_* size ` +
+              `would exceed cap ${PLUGIN_TOTAL_MAX_BYTES}B`);
+          continue;
+        }
+        totalBytes += check.bytes;
+        result[k] = v;
+      }
+    }
+    return result;
   }
 
   apool() {
diff --git a/src/node/handler/PadMessageHandler.ts b/src/node/handler/PadMessageHandler.ts
index 5a0a4c8544b..65ac9d7626d 100644
--- a/src/node/handler/PadMessageHandler.ts
+++ b/src/node/handler/PadMessageHandler.ts
@@ -1174,6 +1174,7 @@ const handleClientReady = async (socket:any, message: ClientReadyMessage) => {
       },
       enableDarkMode: settings.enableDarkMode,
       enablePadWideSettings: settings.enablePadWideSettings,
+      enablePluginPadOptions: settings.enablePluginPadOptions,
       padDeletionToken,
       // Allow-listed copy — settings.privacyBanner could carry extra nested
       // keys from a hand-edited settings.json; sending those by reference
diff --git a/src/node/utils/PluginCapabilities.ts b/src/node/utils/PluginCapabilities.ts
new file mode 100644
index 00000000000..428e8c855a0
--- /dev/null
+++ b/src/node/utils/PluginCapabilities.ts
@@ -0,0 +1,18 @@
+'use strict';
+
+// Capability flags exposed to Etherpad plugins for runtime feature detection.
+// Plugins should `try { require('ep_etherpad-lite/node/utils/PluginCapabilities') }
+// catch { /* old core */ }` and degrade gracefully when a flag is missing.
+//
+// IMPORTANT: a flag here means the core implements the capability — it does
+// not mean the capability is currently enabled on this Etherpad instance.
+// Capabilities can be gated by per-instance settings; plugins must inspect
+// the relevant runtime flag (typically reflected through clientVars) to
+// decide whether to actually use the feature on a given pad load.
+
+// True when applyPadSettings (client + server) preserves keys matching
+// /^ep_[a-z0-9_]+$/ on pad.padOptions. The runtime gate is
+// settings.enablePluginPadOptions (default false), mirrored to clients via
+// clientVars.enablePluginPadOptions. See doc/plugins.md for the full
+// contract (key namespace, validation, size caps).
+export const padOptionsPluginPassthrough = true;
diff --git a/src/node/utils/Settings.ts b/src/node/utils/Settings.ts
index ff2e93ec8dd..3b5e9790f9c 100644
--- a/src/node/utils/Settings.ts
+++ b/src/node/utils/Settings.ts
@@ -184,6 +184,7 @@ export type SettingsType = {
   updateServer: string,
   enableDarkMode: boolean,
   enablePadWideSettings: boolean,
+  enablePluginPadOptions: boolean,
   allowPadDeletionByAllUsers: boolean,
   privacyBanner: {
     enabled: boolean,
@@ -332,7 +333,7 @@ export type SettingsType = {
     requireAdminForStatus: boolean,
   },
   adminEmail: string | null,
-  getPublicSettings: () => Pick<SettingsType, "title" | "skinVariants"|"randomVersionString"|"skinName"|"toolbar"| "exposeVersion"| "gitVersion" | "enablePadWideSettings" | "privacyBanner">,
+  getPublicSettings: () => Pick<SettingsType, "title" | "skinVariants"|"randomVersionString"|"skinName"|"toolbar"| "exposeVersion"| "gitVersion" | "enablePadWideSettings" | "enablePluginPadOptions" | "privacyBanner">,
 }
 
 const settings: SettingsType = {
@@ -397,6 +398,11 @@ const settings: SettingsType = {
   updateServer: "https://static.etherpad.org",
   enableDarkMode: true,
   enablePadWideSettings: true,
+  // New plugin-padOption passthrough is opt-in per AGENTS.MD §52 ("New
+  // features should be placed behind feature flags and disabled by
+  // default"). Flip to true to let plugins (e.g. ep_plugin_helpers'
+  // padToggle) ride the existing padoptions broadcast/persist rail.
+  enablePluginPadOptions: false,
   allowPadDeletionByAllUsers: false,
   privacyBanner: {
     enabled: false,
@@ -770,6 +776,7 @@ const settings: SettingsType = {
       skinName: settings.skinName,
       skinVariants: settings.skinVariants,
       enablePadWideSettings: settings.enablePadWideSettings,
+      enablePluginPadOptions: settings.enablePluginPadOptions,
       privacyBanner: getPublicPrivacyBanner(),
     }
   },
diff --git a/src/static/js/pad.ts b/src/static/js/pad.ts
index 12406197ecf..6070fb8944f 100644
--- a/src/static/js/pad.ts
+++ b/src/static/js/pad.ts
@@ -874,6 +874,16 @@ const pad = {
         pad.padOptions.view[k] = v;
       }
     }
+    // Plugin-namespaced keys (ep_*) are passed through verbatim so plugins
+    // can ride the existing padoptions broadcast/persist rail. Gated on
+    // settings.enablePluginPadOptions (mirrored to clientVars by
+    // getPublicSettings). Server-side normalizePadSettings preserves the
+    // same keys symmetrically.
+    if (clientVars.enablePluginPadOptions) {
+      for (const [k, v] of Object.entries(opts)) {
+        if (/^ep_[a-z0-9_]+$/.test(k)) pad.padOptions[k] = v;
+      }
+    }
     normalizeChatOptions(pad.padOptions);
     pad.refreshPadSettingsControls();
     pad.applyOptionsChange();
diff --git a/src/static/js/types/SocketIOMessage.ts b/src/static/js/types/SocketIOMessage.ts
index f5e103d2994..e1c01a7ae45 100644
--- a/src/static/js/types/SocketIOMessage.ts
+++ b/src/static/js/types/SocketIOMessage.ts
@@ -260,7 +260,12 @@ export type PadOption = {
   "alwaysShowChat"?:   boolean,
   "chatAndUsers"?:     boolean,
   "lang"?:             null|string,
-  view? : MapArrayType<boolean|string>
+  view? : MapArrayType<boolean|string>,
+  // Plugin-namespaced pad-wide options (gated by settings.enablePluginPadOptions).
+  // The runtime regex is /^ep_[a-z0-9_]+$/ — TypeScript template literals
+  // can't constrain that exactly, so this signature accepts any ep_-prefixed
+  // string and applyPadSettings/normalizePadSettings reject the rest.
+  [k: `ep_${string}`]: unknown,
 }
 
 
diff --git a/src/tests/backend/specs/Pad.ts b/src/tests/backend/specs/Pad.ts
index 13bc79e5ac3..0345ae87d1e 100644
--- a/src/tests/backend/specs/Pad.ts
+++ b/src/tests/backend/specs/Pad.ts
@@ -178,4 +178,103 @@ describe(__filename, function () {
       }
     });
   });
+
+  describe('normalizePadSettings plugin passthrough (ep_* keys)', function () {
+    let originalFlag: boolean;
+    let warnSpy: any;
+    let warnings: string[];
+
+    before(function () { originalFlag = settings.enablePluginPadOptions; });
+    after(function () { settings.enablePluginPadOptions = originalFlag; });
+    beforeEach(function () {
+      warnings = [];
+      warnSpy = console.warn;
+      console.warn = (msg: string) => { warnings.push(msg); };
+    });
+    afterEach(function () { console.warn = warnSpy; });
+
+    describe('with enablePluginPadOptions = true', function () {
+      before(function () { settings.enablePluginPadOptions = true; });
+
+      it('preserves ep_* keys verbatim so plugins can ride padoptions', function () {
+        const ps: any = Pad.Pad.normalizePadSettings({
+          ep_table_of_contents: {enabled: true, depth: 3},
+          ep_font_color: 'red',
+        });
+        assert.deepEqual(ps.ep_table_of_contents, {enabled: true, depth: 3});
+        assert.equal(ps.ep_font_color, 'red');
+      });
+
+      it('drops keys that do not match the ep_<lowercase> pattern', function () {
+        const ps: any = Pad.Pad.normalizePadSettings({
+          EP_SHOUTY: 1,        // uppercase rejected
+          ep_: 1,              // empty suffix rejected
+          'ep-dashy': 1,       // dash rejected
+          somethingElse: 1,    // no prefix rejected
+        });
+        assert.equal(ps.EP_SHOUTY, undefined);
+        assert.equal(ps.ep_, undefined);
+        assert.equal(ps['ep-dashy'], undefined);
+        assert.equal(ps.somethingElse, undefined);
+      });
+
+      it('does not overwrite reserved core keys when an ep_<core> alias is sent', function () {
+        // Core keys (showChat etc.) come first; ep_* loop runs after. A plugin
+        // key like ep_showchat is namespaced separately and cannot collide.
+        const ps: any = Pad.Pad.normalizePadSettings({
+          showChat: false,
+          ep_showchat: 'plugin-value',
+        });
+        assert.equal(ps.showChat, false);
+        assert.equal(ps.ep_showchat, 'plugin-value');
+      });
+
+      it('drops a non-JSON-serializable value with a warn-log', function () {
+        const ps: any = Pad.Pad.normalizePadSettings({
+          ep_bad: () => 'function values are not JSON-safe',
+        });
+        assert.equal(ps.ep_bad, undefined);
+        assert.ok(warnings.some((w) => w.includes('ep_bad')),
+            `expected warn mentioning ep_bad, got: ${JSON.stringify(warnings)}`);
+      });
+
+      it('drops a value larger than the 64 KB per-key cap', function () {
+        const oversized = 'x'.repeat(70 * 1024); // ~70 KB string
+        const ps: any = Pad.Pad.normalizePadSettings({
+          ep_huge: oversized,
+        });
+        assert.equal(ps.ep_huge, undefined);
+        assert.ok(warnings.some((w) => w.includes('ep_huge') && w.includes('per-key cap')),
+            `expected per-key cap warning, got: ${JSON.stringify(warnings)}`);
+      });
+
+      it('drops keys that would exceed the cumulative 256 KB cap', function () {
+        // Each value is well under the per-key cap but together they exceed
+        // the total cap. The first few must survive; the overflowing key
+        // must be dropped.
+        const big = 'y'.repeat(60 * 1024); // ~60 KB each
+        const input: any = {};
+        for (let i = 0; i < 6; i++) input[`ep_chunk${i}`] = big;
+        const ps: any = Pad.Pad.normalizePadSettings(input);
+        const survivors = Object.keys(ps).filter((k) => k.startsWith('ep_chunk'));
+        assert.ok(survivors.length < 6,
+            `at least one chunk must be dropped to keep total <= 256 KB, but all ${survivors.length}/6 survived`);
+        assert.ok(warnings.some((w) => w.includes('combined ep_* size')),
+            `expected combined-cap warning, got: ${JSON.stringify(warnings)}`);
+      });
+    });
+
+    describe('with enablePluginPadOptions = false (default)', function () {
+      before(function () { settings.enablePluginPadOptions = false; });
+
+      it('drops every ep_* key — feature flag is opt-in', function () {
+        const ps: any = Pad.Pad.normalizePadSettings({
+          ep_table_of_contents: {enabled: true},
+          ep_font_color: 'red',
+        });
+        assert.equal(ps.ep_table_of_contents, undefined);
+        assert.equal(ps.ep_font_color, undefined);
+      });
+    });
+  });
 });

From afee7969ddccc0e52023fae32a418f9ec48679ec Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Fri, 8 May 2026 03:29:09 +0800
Subject: [PATCH 10/25] fix(7696): scrollable settings popup on short viewports
 (#7703)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(7696): make settings popup scroll on short viewports

Move max-height + overflow:auto out of the mobile-only media query and
onto the base .popup-content rule so the Settings popup (and other
popups) gain a scrollbar instead of cropping items off-screen when the
window is short. Pad-wide Settings is the worst offender because it
adds a second column of controls plus a Delete pad button.

Adds a Playwright regression test that verifies the popup is scrollable
and the Delete pad button is reachable at a 900x500 viewport.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7696): float nice-select dropdowns above scrollable popups

Qodo flagged that making .popup-content a scroll container clips
absolutely-positioned descendants — so the Settings popup's font and
language dropdowns can be truncated when their list extends past the
popup's scroll bounds on short viewports.

Mirror the existing toolbar workaround: when a nice-select sits inside
.popup-content, switch the list to position:fixed (CSS) and place it
with viewport-relative coordinates from getBoundingClientRect (JS),
respecting the existing reverse class for upward-opening lists.

Also relax the regression test per Qodo: drop the brittle
scrollHeight > clientHeight assertion in favour of asserting the
popup declares overflow-y:auto and proving Delete pad is initially
off-screen, then reachable via scroll.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7696): nice-select reverse list disappeared in scrolled popup

When a nice-select inside a popup-content scroll container sits in the
lower half of the viewport, the JS adds the .reverse class so the list
opens upward. The default .reverse rule sets bottom: calc(100% + 5px),
which is fine when the list is position:absolute relative to its parent
— but with the position:fixed treatment the popup branch uses, that
percentage resolves against the viewport and pushes the list ~100vh
above the screen, so it appears not to open at all until you scroll to
the bottom of the popup (where .reverse no longer triggers).

Override the rule for both .toolbar and .popup so .reverse drops back to
bottom: auto and JS-set `top` controls placement, with a JS belt-and-
braces also setting `bottom: auto` inline.

Adds a Playwright regression test that scrolls the settings popup to
the bottom, opens the Pad-wide font dropdown, and asserts the list is
both visible and inside the viewport.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 src/static/css/pad/form.css                   | 14 ++++-
 src/static/css/pad/popup.css                  | 15 ++++--
 src/static/js/vendors/nice-select.ts          | 19 +++++++
 .../frontend-new/specs/pad_settings.spec.ts   | 53 +++++++++++++++++++
 4 files changed, 96 insertions(+), 5 deletions(-)

diff --git a/src/static/css/pad/form.css b/src/static/css/pad/form.css
index 5475d7d5c6a..8dd9f40da4a 100644
--- a/src/static/css/pad/form.css
+++ b/src/static/css/pad/form.css
@@ -132,11 +132,23 @@ select, .nice-select {
   bottom: calc(100% + 5px);
   top: auto;
 }
-.toolbar .nice-select .list {
+.toolbar .nice-select .list,
+/* Popups are scroll containers (see popup.css), which would otherwise clip the
+   absolutely-positioned dropdown list. Float it above the popup with fixed
+   positioning, matching how the toolbar dropdowns escape their container. */
+.popup .nice-select .list {
   position: fixed;
   top: auto;
   left: auto;
 }
+/* The default .reverse rule above sets bottom: calc(100% + 5px) so an
+   absolutely-positioned list opens upward inside its parent. Once the list is
+   position:fixed, that percentage resolves against the viewport instead and
+   would push the list off-screen, so we let JS place it via `top` only. */
+.toolbar .nice-select.reverse .list,
+.popup .nice-select.reverse .list {
+  bottom: auto;
+}
 .nice-select .list:hover .option:not(:hover) {
   background-color: transparent !important;
 }
diff --git a/src/static/css/pad/popup.css b/src/static/css/pad/popup.css
index a0d989c147b..2035774d6af 100644
--- a/src/static/css/pad/popup.css
+++ b/src/static/css/pad/popup.css
@@ -30,6 +30,17 @@
   background: #f7f7f7;
   min-width: min(300px, 90vw);
   max-width: min(600px, 95vw);
+  /* Constrain height so popups (notably Settings with Pad-wide Settings
+     enabled) scroll instead of cropping items off-screen on short windows.
+     Fixes #7696. */
+  max-height: calc(100vh - 20px);
+  overflow-y: auto;
+}
+
+/* Chat manages its own scroll and floats author-colour pickers outside the
+   popup, so it must not become a scroll container. */
+.popup#users .popup-content {
+  overflow: visible;
 }
 .popup input[type=text] {
   width: 100%;
@@ -76,10 +87,6 @@
   }
   .popup-content {
     max-height: 80vh;
-    overflow: auto;
-  }
-  .popup#users .popup-content {
-    overflow: visible;
   }
 }
 /* Move popup to the bottom, except popup linked to left toolbar, like hyperklink popup */
diff --git a/src/static/js/vendors/nice-select.ts b/src/static/js/vendors/nice-select.ts
index ec76b3cef15..4f1ff8ab16d 100644
--- a/src/static/js/vendors/nice-select.ts
+++ b/src/static/js/vendors/nice-select.ts
@@ -123,6 +123,25 @@
         }
         $dropdown.find('.list').css('max-height', $maxListHeight + 'px');
 
+        // Popups are scroll containers (since #7696) which would clip the
+        // absolutely-positioned dropdown list. The list is repositioned with
+        // `position: fixed` (see form.css) so it floats above the popup; we
+        // need viewport-relative coordinates here. Done after the reverse
+        // class is decided so we know which side of the dropdown to anchor.
+        if ($dropdown.closest('.toolbar').length === 0
+            && $dropdown.closest('.popup-content').length > 0) {
+          var rect = $dropdown[0].getBoundingClientRect();
+          var $list = $dropdown.find('.list');
+          $list.css('left', rect.left);
+          $list.css('min-width', $dropdown.outerWidth() + 'px');
+          // Clear .reverse's `bottom: calc(100% + 5px)` — with position:fixed
+          // it would resolve against the viewport and push the list offscreen.
+          $list.css('bottom', 'auto');
+          $list.css('top', $dropdown.hasClass('reverse')
+              ? rect.top - $maxListHeight - 5
+              : rect.bottom);
+        }
+
       } else {
         $dropdown.trigger('focus');
       }
diff --git a/src/tests/frontend-new/specs/pad_settings.spec.ts b/src/tests/frontend-new/specs/pad_settings.spec.ts
index 9adbd25c185..1fbd74f86d8 100644
--- a/src/tests/frontend-new/specs/pad_settings.spec.ts
+++ b/src/tests/frontend-new/specs/pad_settings.spec.ts
@@ -167,6 +167,59 @@ test.describe('creator-owned pad settings', () => {
     await context2.close();
   });
 
+  // #7696: on a short viewport the settings popup must scroll so items in
+  // Pad-wide Settings (notably "Delete pad") stay reachable instead of being
+  // cropped off-screen with no scrollbar.
+  test('settings popup stays scrollable when the viewport is short', async ({page}) => {
+    await page.setViewportSize({width: 900, height: 500});
+    await goToNewPad(page);
+    await showSettings(page);
+
+    const popupContent = page.locator('#settings > .popup-content');
+    await expect(popupContent).toBeVisible();
+    await expect(page.locator('#pad-settings-section')).toBeVisible();
+
+    // The popup must declare scrollable overflow (otherwise the previous bug
+    // recurs even if content happens to fit by coincidence).
+    await expect(popupContent).toHaveCSS('overflow-y', 'auto');
+
+    // Delete pad sits at the bottom of Pad-wide Settings; on a short viewport
+    // it starts off-screen and must become reachable by scrolling the popup.
+    const deletePad = page.locator('#delete-pad');
+    await expect(deletePad).not.toBeInViewport();
+    await deletePad.scrollIntoViewIfNeeded();
+    await expect(deletePad).toBeInViewport();
+  });
+
+  // #7696 follow-up: the Pad-wide font/language nice-select dropdowns sit
+  // near the bottom of the popup, so opening one triggers the .reverse path
+  // (open upward). Floating the list with position:fixed must not pick up
+  // the default `.reverse { bottom: calc(100% + 5px) }` rule, which would
+  // resolve against the viewport and place the list off-screen.
+  test('Pad-wide font dropdown opens visibly when popup is scrolled to bottom', async ({page}) => {
+    await page.setViewportSize({width: 900, height: 500});
+    await goToNewPad(page);
+    await showSettings(page);
+
+    // Force the font dropdown into the lower portion of the viewport so
+    // .reverse triggers and the list opens upward.
+    await page.locator('#settings > .popup-content').evaluate((el) => {
+      el.scrollTop = el.scrollHeight;
+    });
+
+    const fontDropdown = page.locator('#padsettings-viewfontmenu + .nice-select');
+    await expect(fontDropdown).toBeInViewport();
+
+    await fontDropdown.click();
+    const list = fontDropdown.locator('.list');
+    await expect(list).toBeVisible();
+    await expect(list).toBeInViewport();
+
+    // The first option must be reachable so users can actually pick a font.
+    await fontDropdown.locator('.option').first().click();
+    await expect(fontDropdown).not.toHaveClass(/open/);
+  });
+
   // #7592: ticking "Disable chat" must visibly disable the dependent
   // "Chat always on screen" / "Show Chat and Users" toggles, not just
   // make the underlying inputs non-interactive.

From c47ffd5705ae9fcf3ea713b99debd19e5e52ed11 Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Sat, 9 May 2026 01:33:50 +0800
Subject: [PATCH 11/25] feat(export): native DOCX export via html-to-docx
 (opt-in) (#7568)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat(export): native DOCX export via html-to-docx (opt-in)

Addresses #7538. The current DOCX export path shells out to LibreOffice,
which means every deployment that wants a Word download either installs
soffice (~500 MB) or loses that export. This PR adds a pure-JS
alternative: render the HTML via the existing exporthtml pipeline, then
feed it to the `html-to-docx` library in-process to produce a valid
.docx buffer — no soffice required, no subprocess spawn, no temp file
dance for the DOCX case.

Behavior:
- `settings.nativeDocxExport` (default `false`) gates the new path so
  existing deployments see zero behavior change.
- When enabled, `type === 'docx'` requests skip the LibreOffice branch,
  run `html-to-docx(html)`, and return the buffer with the
  `application/vnd.openxmlformats-officedocument.wordprocessingml.document`
  content-type.
- If the native converter throws, the handler falls through to the
  existing LibreOffice path — so flipping the flag on is safe even on a
  mixed-installation where soffice is still present as a backstop.
- Other export formats (pdf, odt, rtf, txt, html, etherpad) are
  unchanged.

Files:
- `src/package.json`: `html-to-docx` dep (pure JS, no binary reqs)
- `src/node/handler/ExportHandler.ts`: new DOCX branch gated on the
  setting, with fall-through on error
- `src/node/utils/Settings.ts`, `settings.json.template`,
  `settings.json.docker`, `doc/docker.md`: wire up the new setting +
  env var (`NATIVE_DOCX_EXPORT`)
- `src/tests/backend/specs/export.ts`: two new tests — asserts the
  exported buffer is a valid ZIP (PK\x03\x04 signature) and the
  response carries the correct content-type — both with
  `settings.soffice = 'false'` to prove the path doesn't need soffice
  at all.

Out of scope for this PR:
- Native PDF export (would need a PDF rendering step — separate
  undertaking, and the issue acknowledges the `pdfkit`/puppeteer size
  trade-off).

Closes #7538

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(7538): skip native DOCX test when html-to-docx isn't installed

The upgrade-from-latest-release CI job installs deps from the previous
release's package.json (before this PR adds html-to-docx) and then
git-checkouts this branch's code without re-running pnpm install.
Under that one workflow the new test can't find the module and fails
on the LibreOffice fallback, masking that the native path actually
works in every normal install.

Guard the describe block with require.resolve('html-to-docx'); Mocha's
this.skip() on before cascades to the sibling its. Regular backend
tests (pnpm install against this branch's lockfile) still exercise it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(7538): spec for soffice-free DOCX/PDF export and DOCX import

Captures the agreed scope expansion of PR #7568: replace the flag-gated
native DOCX path with a soffice-first selection cascade, add native PDF
export via pdfkit + a small htmlparser2-driven walker, and add native
DOCX import via mammoth. Also defines a shared HTML sanitizer
(stripRemoteImages) used by both export converters to close the
SSRF surface that Qodo flagged on the html-to-docx path.

The spec drops the nativeDocxExport setting and its env var; with
soffice configured, behavior is unchanged, and with soffice null,
docx/pdf export and docx import all work in-process. odt/doc/rtf
(and pdf import) keep needing soffice and are documented as such.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(7538): implementation plan for native DOCX/PDF and DOCX import

Bite-sized TDD task breakdown of the soffice-free export/import work:
rebase, deps, sanitizer, PDF walker, mammoth wrapper, ExportHandler
cascade, route guard, ImportHandler branch, UI fix, flag rollback,
verification + Qodo reply.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(7538): add pdfkit, htmlparser2, mammoth deps

Pure-JS, no native binaries:
- pdfkit ^0.18.0  (PDF rendering)
- htmlparser2 ^12 (SAX parser used by walker + sanitizer)
- mammoth ^1.12   (DOCX -> HTML for native import)
- @types/pdfkit ^0.17 (dev)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(7538): add stripRemoteImages HTML sanitizer

Drops <img src=> elements pointing at non-data, non-relative URLs to
prevent the DOCX/PDF converters from making outbound requests via
plugin-modified HTML. Closes Qodo finding #4 against the
html-to-docx path; will be wired into both export branches in
the cascade refactor.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(7538): native PDF export via pdfkit + htmlparser2 walker

Renders pad HTML to a PDF Buffer in-process: headings, paragraphs,
lists, links, inline emphasis, data:-URI images. Remote images are
explicitly skipped at the walker (defense-in-depth on top of the
shared stripRemoteImages sanitizer).

PDFs are emitted with compress:false so accessibility/SEO indexers
that don't FlateDecode can still extract text. Pads are small enough
that the size cost is negligible.

Walker is 167 LOC, well under the spec's 500-LOC bail-out
threshold for switching to pdfmake+html-to-pdfmake+jsdom.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(7538): native DOCX import via mammoth

Wraps mammoth.convertToHtml so a soffice-less Etherpad can ingest
.docx files. Images are coerced to data: URIs at the converter
boundary so the import pipeline never sees a remote src=.

Includes a tiny generated DOCX fixture (heading, paragraph, list)
under tests/backend/specs/fixtures/ for both this wrapper test and
the upcoming end-to-end import test.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(7538): soffice-first cascade in ExportHandler

Replaces the flag-gated DOCX branch with a deterministic dispatch:
soffice if configured, native DOCX/PDF otherwise, 5xx on native
error. Both native paths run plugin-modified HTML through
stripRemoteImages first.

Test changes:
- existing native DOCX block now sets soffice=null (was 'false', a
  truthy non-null string that sidestepped the route guard); fixes
  Qodo finding #3.
- new native PDF integration tests assert %PDF- header and
  application/pdf content-type with soffice=null.
- new negative test: with soffice=null, /export/odt still returns
  the 'not enabled' message.
- the legacy 500-on-export-error test now uses /bin/false so it
  exercises the soffice error path explicitly (the cascade dropped
  the ad-hoc 'false' string; .doc has no native path so this still
  works as a soffice error probe).

Integration tests for native DOCX/PDF currently fail because the
/export route guard still treats both formats as soffice-only;
the next commit fixes that.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7538): allow docx/pdf through export guard without soffice

Tightens the no-soffice block to ['odt','doc'] only — formats with
no native path. docx and pdf are handed to ExportHandler, which
dispatches to the in-process converters. Closes Qodo finding #2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(7538): native DOCX import path in ImportHandler

When soffice is null and the upload is .docx, run mammoth and feed
the resulting HTML through setPadHTML. Other office formats
(pdf/odt/doc/rtf) are explicitly rejected with uploadFailed instead
of silently falling through to the ASCII-only path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7538): always show DOCX/PDF export links

Native paths (#7538) make DOCX and PDF available regardless of
soffice presence, so unconditionally render those links. ODT still
gates on exportAvailable. Closes Qodo finding #2 on the UI side.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* refactor(7538): drop nativeDocxExport flag

Selection is now purely soffice-presence-driven (cascade in
ExportHandler). The opt-in setting and its NATIVE_DOCX_EXPORT env
var are no longer needed -- soffice configured means soffice path;
soffice null means native path (DOCX, PDF, and DOCX import).
Reverts the additive surface introduced earlier in this PR.

Also updates the SOFFICE doc row to reflect that null no longer
means 'plain text and HTML only' -- docx/pdf export and docx
import now work natively without soffice.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(7538): tighten link annotation assertion

CodeQL flagged the loose 'raw.includes("etherpad.org")' as
'incomplete URL substring sanitization' (a false positive in test
context, but worth fixing). Match the full /URI (host) form
instead -- it's both more accurate (we're verifying the PDF link
annotation structure) and CodeQL-clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7538): cleaner DOCX/PDF output + round-trip test coverage

DOCX:
- New extractBody helper drops <head>/<style> and the leading
  newline inside <body> so html-to-docx doesn't render CSS or
  prefix paragraphs with empty space.
- New wrapLooseLines pre-processor wraps loose pad lines in <p>
  before the converter sees them. html-to-docx renders <br>
  outside <p> as a new <w:p> (full empty line in Word); inside
  <p> it correctly emits <w:br/> (soft break). Etherpad's HTML
  uses bare <br> for every line, so this was making single
  Enters look like double Enters in the Word output.

PDF:
- Walker SKIP_TAGS rejects head/style/script/title/meta/link
  content -- prior version dumped CSS into the rendered PDF.
- New breakLine() helper combines flushLine() with moveDown(1).
  pdfkit's text('', false) closes the continued run but does
  NOT advance the cursor, so consecutive runs were stacking at
  the same y-coordinate. <br>, end-of-block, and list items
  now use breakLine().
- ontext collapses runs of whitespace and drops pure-whitespace
  text nodes so pretty-printed source HTML doesn't render its
  formatting newlines.

Round-trip:
- New backend test: pad text -> DOCX export -> DOCX import ->
  new pad. Asserts content survives the trip.
- New PDF sanity test: extracts visible text from the PDF stream
  and asserts the source pad text appears verbatim.
- 6 new unit tests for extractBody and wrapLooseLines plus 1 for
  PDF walker SKIP_TAGS coverage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7538): CodeQL ReDoS + import.ts type error

- BR_PARA_RE was /(?:\s*<br>\s*){2,}/ -- two adjacent \s* runs can
  match the same chars, so on '<br>\t<br>\t<br>...' the regex
  backtracks exponentially. Re-anchored to match a fixed first <br>
  followed by one or more additional <br>s, so each whitespace run
  has exactly one home.
- import.ts: fetchBuffer was typed Promise<Buffer> but call sites
  chained .expect(200) on it, which only works on supertest's Test
  object. Return the Test (typed any) so the chain is preserved.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7538): plugin-aware HTML cleanup, PDF text-align, monospace

ep_headings2/ep_align emit one heading-styled blank-line block after
every styled line in the pad ('<h1 style=text-align:right></h1>'),
which both html-to-docx and our pdfkit walker render as a full empty
paragraph. Plus the pdfkit walker had no support for text-align or
monospace, so right/center alignment and 'code' lines rendered the
same as plain body text.

- New dropEmptyBlocks helper strips empty h1-h6/p/code/pre/div/
  blockquote wrappers in preprocessing. Iterates so nested empties
  collapse too. Applied before both DOCX and PDF conversion.
- PDF walker now reads style='text-align:left|center|right|justify'
  on block elements (h1-6, p, div) and passes it as pdfkit's align
  option. align is applied once per continued run, then reset on
  flushLine so the next block can pick up its own value.
- PDF walker handles <code>, <tt>, <kbd>, <samp> as inline monospace
  (Courier) and <pre> as block monospace (Courier + breakLine on
  open/close).

11 new unit tests:
- 4 for dropEmptyBlocks (heading wrappers, code, nesting,
  pass-through)
- 1 for PDF text-align (compares the BT matrix x for left vs right)
- 2 for Courier in <code> and <pre>

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7538): separate adjacent heading-style blocks on import

Round-trip bug: ep_headings2 emits <h1>/<h2>/<code> in pad HTML.
Mammoth round-trips them as adjacent <h1>A</h1><h2>B</h2><p>C</p>
on import. Etherpad's server-side content collector has a default
_blockElems set of just {div, p, pre, li}, and ep_headings2 only
registers the CLIENT-side aceRegisterBlockElements -- not the
server-side ccRegisterBlockElements. So h1/h2/code end up being
treated as inline by the importer, and adjacent blocks merge into
a single pad line.

Fix: insert <br> after </h1>...</h6>/</code> when followed by
another block. Server-side workaround keeps this PR self-contained
regardless of plugin version. The right long-term fix is to extend
ep_plugin_helpers' lineAttribute factory to register both hooks
(filed as a follow-up).

Tests:
- 5 unit tests for separateAdjacentHeadingBlocks
- New end-to-end round-trip test asserts H1+H2+P land on three
  separate pad lines after the import path.

Plus the prior PDF text-align/Courier/code commit also included
here:
- code/tt/kbd/samp inherit text-align from style attribute
- pre inherits text-align too

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7538): blank-line round-trip + DOCX code monospace + a==c tests

DOCX round-trip dropping blank pad lines:
- wrapLooseLines now emits an explicit <p></p> marker for each blank
  line in a <br> run, instead of collapsing all gaps into a single
  paragraph break. (N consecutive <br>s -> 1 paragraph boundary +
  N-2 empty <p></p> markers, mapping to N-1 blank pad lines.)
- mammoth's docxBufferToHtml now passes ignoreEmptyParagraphs:false
  so the empty <w:p> entries survive the import side. mammoth's
  default of true was silently dropping them.
- dropEmptyBlocks no longer strips <p></p> -- that's the meaningful
  marker for the round-trip. Empty <h1>/<code>/<pre>/<div>/
  <blockquote> are still stripped (plugin noise).

DOCX <code> rendering as monospace:
- New applyMonospaceToCode wraps code/tt/kbd/samp/pre content in a
  <span style="font-family:'Courier New', monospace">. html-to-docx
  honors that and emits <w:rFonts w:ascii="Courier New".../>, which
  Word renders as Courier. The bare <code> tag is otherwise just
  a no-op for html-to-docx.
- Applied only on the DOCX export path (PDF walker already handles
  monospace via Courier font selection).

Round-trip tests:
- New a==c suite: txt, etherpad, html, docx -- export from src,
  import to dst, re-export and compare against the meaningful
  invariant (line text for binary formats; trimmed body for HTML).
- HTML test tolerates one trailing <br> per round-trip because
  setPadHTML appends a final <p> on import; this is pre-existing
  core behavior, not our bug.
- DOCX test normalizes trailing newline run (same reason).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7538): preserve <w:jc> alignment through mammoth round-trip

mammoth doesn't expose Word's paragraph alignment (`<w:jc>`) when it
converts a docx to HTML -- there's no equivalent in its style-mapping
machinery. To keep alignment through DOCX round-trips we walk the
docx's document.xml directly, pull the `w:val` from each `<w:p>`'s
`<w:jc>`, and inject `style="text-align:..."` onto the matching
block element in mammoth's output by document order.

Word's w:jc accepts more values than CSS text-align; we map left/
start, center, right/end, both/justify/distribute and skip the rest
(start/end take left/right because we don't track ltr/rtl from the
docx for now).

Combines with the upstream ep_align PR (ether/ep_align#183) for the
full round-trip: this PR makes the mammoth output carry the
alignment style; ep_align#183 makes the importer pick it up.

Closes the alignment side of #7538.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7538): preserve <a href> inside <code>/<pre> in DOCX export

html-to-docx silently drops <a href> children of <code>/<pre> tags
(and of styled <span>s, but the <code> wrapper is the active offender
here). The pad-export HTML produced by ep_headings2 + ep_align uses
<code style='text-align:right'>...<a href>...</a>...</code> for each
'Code'-style line, which lost its links on every DOCX export.

Workaround: applyMonospaceToCode now drops the code/pre/tt/kbd/samp
wrapper entirely. The non-anchor content gets wrapped in monospace
spans; anchors are emitted unstyled so they keep their hyperlink. For
block-level usage (<pre>, or <code> with an inline style attr) we
emit a wrapping <p> and forward the text-align style. Run BEFORE
wrapLooseLines so the <p> doesn't get double-wrapped.

Tests added:
- inline <code> -> just a styled span (no <code> wrapper)
- <code style='text-align:right'> -> <p style> wrap
- <pre> -> always block-wrapped
- <tt>/<kbd>/<samp> -> inline span only
- regression: <a href> inside <code> survives html-to-docx round-trip
  with both the URL in word/_rels/document.xml.rels AND a <w:hyperlink>
  in the document body

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7538): HTML import line-break drift between blocks

Etherpad's HTML export wraps each pad line in <p>...</p> (or <h1>,
<code>, etc.) and then appends a <br> between lines. The closing
block tag already ends the line for contentcollector, so the trailing
<br> is redundant -- and on import the server collector counts BOTH
as line breaks, doubling every blank line between paragraphs and
inserting an extra blank between adjacent headings.

Two fixes, both gated on the runtime block-element registry so they
don't double-trigger when the underlying plugin already handles
adjacency:

1. HTML import path now runs the new collapseRedundantBrAfterBlocks
   helper before setPadHTML. Drops a single <br> immediately
   following </p>/</h1-6>/</code>/</pre>/</div>/</blockquote>/</ul>/
   </ol>/</li>/</table>/</tr>/</td>/</th>. Multiple consecutive
   <br>s after a block keep all but the first (the rest still
   represent intentional blank lines).

2. The DOCX-import separateAdjacentHeadingBlocks workaround now
   checks whether 'h1' is in the runtime ccRegisterBlockElements
   set before inserting <br>s. When ep_headings2 has the new server
   hook (per ep_plugin_helpers#14 + the upcoming ep_headings2 PR),
   the workaround correctly stays out of the way -- otherwise it
   adds an extra blank line per heading transition.

Also fixed a subtle ts-check failure on the import.ts test changes
and a leftover implicit-any in ImportDocxNative's alignment
preserver.

Tests added:
- collapseRedundantBrAfterBlocks: 5 unit tests (each block tag,
  whitespace tolerance, multiple <br> keeping intentional blanks)
- HTML import: 'does not introduce a blank line between H1 and H2',
  'preserves blank-line count between H1 and H2 (realistic shape)'
  reproduces the 5-blanks-where-2-expected bug from the user's
  round-trip pad.

1054 backend tests pass locally (the 6 failures are the pre-existing
favicon/webaccess send@1.x dotfile-path issue from running under
.claude/, doesn't reach CI).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(7538): skip plugin-dependent HTML import tests on no-plugin CI

The two new HTML-import-adjacency tests assume ep_headings2 (or
another plugin) has registered h1/h2 as server-side block elements
via ccRegisterBlockElements. Without that, contentcollector treats
<h1>/<h2> as inline and adjacent ones merge into a single pad line
-- making the assertions inapplicable.

CI's backend-tests job runs without plugins installed, so guard
the describe block with a runtime hooks.callAll() check and skip
when h1 isn't a registered block. Local dev with ep_headings2 (and
the local plugin patch wiring ccRegisterBlockElements) still
exercises both tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 doc/docker.md                                 |    2 +-
 ...026-05-08-native-docx-pdf-export-import.md | 1543 +++++++++++++++++
 ...08-native-docx-pdf-export-import-design.md |  230 +++
 pnpm-lock.yaml                                |  716 +++++++-
 src/node/handler/ExportHandler.ts             |   67 +-
 src/node/handler/ImportHandler.ts             |   81 +-
 src/node/hooks/express/importexport.ts        |    6 +-
 src/node/utils/ExportPdfNative.ts             |  248 +++
 src/node/utils/ExportSanitizeHtml.ts          |  215 +++
 src/node/utils/ImportDocxNative.ts            |   83 +
 src/package.json                              |    5 +
 src/static/js/pad_impexp.ts                   |   20 +-
 src/tests/backend/specs/export.ts             |  537 +++++-
 src/tests/backend/specs/fixtures/sample.docx  |  Bin 0 -> 24020 bytes
 src/tests/backend/specs/import.ts             |  473 +++++
 15 files changed, 4191 insertions(+), 35 deletions(-)
 create mode 100644 docs/superpowers/plans/2026-05-08-native-docx-pdf-export-import.md
 create mode 100644 docs/superpowers/specs/2026-05-08-native-docx-pdf-export-import-design.md
 create mode 100644 src/node/utils/ExportPdfNative.ts
 create mode 100644 src/node/utils/ExportSanitizeHtml.ts
 create mode 100644 src/node/utils/ImportDocxNative.ts
 create mode 100644 src/tests/backend/specs/fixtures/sample.docx
 create mode 100644 src/tests/backend/specs/import.ts

diff --git a/doc/docker.md b/doc/docker.md
index ce7606f8ec9..8ea54269f0d 100644
--- a/doc/docker.md
+++ b/doc/docker.md
@@ -197,7 +197,7 @@ For the editor container, you can also make it full width by adding `full-width-
 | `EDIT_ONLY`                       | Users may edit pads but not create new ones. Pad creation is only via the API. This applies both to group pads and regular pads.                                                                       | `false`               |
 | `MINIFY`                          | If true, all css & js will be minified before sending to the client. This will improve the loading performance massively, but makes it difficult to debug the javascript/css                           | `true`                |
 | `MAX_AGE`                         | How long may clients use served javascript code (in seconds)? Not setting this may cause problems during deployment. Set to 0 to disable caching.                                                      | `21600` (6 hours)     |
-| `SOFFICE`                         | Absolute path to the soffice (LibreOffice) executable. Needed for advanced import/export of pads (docx, pdf, odt). Setting it to null disables LibreOffice and will only allow plain text and HTML import/exports. | `null`                |
+| `SOFFICE`                         | Absolute path to the soffice (LibreOffice) executable. When configured, all advanced import/export formats use it (docx, pdf, odt, doc, rtf). Setting it to null falls back to in-process pure-JS converters: docx and pdf export, plus docx import, still work; odt/doc/rtf and pdf import remain unavailable. | `null`                |
 | `ALLOW_UNKNOWN_FILE_ENDS`         | Allow import of file types other than the supported ones: txt, doc, docx, rtf, odt, html & htm                                                                                                         | `true`                |
 | `REQUIRE_AUTHENTICATION`          | This setting is used if you require authentication of all users. Note: "/admin" always requires authentication.                                                                                        | `false`               |
 | `REQUIRE_AUTHORIZATION`           | Require authorization by a module, or a user with is_admin set, see below.                                                                                                                             | `false`               |
diff --git a/docs/superpowers/plans/2026-05-08-native-docx-pdf-export-import.md b/docs/superpowers/plans/2026-05-08-native-docx-pdf-export-import.md
new file mode 100644
index 00000000000..4a8f502d63c
--- /dev/null
+++ b/docs/superpowers/plans/2026-05-08-native-docx-pdf-export-import.md
@@ -0,0 +1,1543 @@
+# Native DOCX + PDF export and DOCX import — Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Extend PR #7568 so a soffice-less Etherpad can export `pdf`+`docx` and import `docx` purely in-process, while keeping behavior bit-for-bit identical when soffice is configured.
+
+**Architecture:** Single dispatch cascade in `ExportHandler.ts` and `ImportHandler.ts` — soffice if `sofficeAvailable() === 'yes'`, native otherwise. Native PDF uses `pdfkit` + `htmlparser2` driven by a small walker we own. Native DOCX import uses `mammoth` to produce HTML and reuses the existing HTML import pipeline. A shared `stripRemoteImages()` helper sanitizes HTML before either DOCX or PDF conversion to close the SSRF surface Qodo flagged. Drops the opt-in `nativeDocxExport` setting introduced earlier in this PR — selection is purely soffice-presence-driven.
+
+**Tech Stack:** TypeScript (Node), Mocha + supertest backend tests, `pdfkit` (^0.15), `htmlparser2` (^9), `mammoth` (^1.7), `html-to-docx` (^1.8 — already in PR), pnpm workspace.
+
+**Spec:** `docs/superpowers/specs/2026-05-08-native-docx-pdf-export-import-design.md` (commit `2cebcc822`).
+
+---
+
+## File Structure
+
+| File | Role | Status |
+|---|---|---|
+| `src/node/utils/ExportSanitizeHtml.ts` | `stripRemoteImages(html)` — drops `<img src>` outside `data:`/relative | NEW |
+| `src/node/utils/ExportPdfNative.ts` | `htmlToPdfBuffer(html)` — pdfkit + htmlparser2 walker | NEW |
+| `src/node/utils/ImportDocxNative.ts` | `docxBufferToHtml(buf)` — mammoth wrapper | NEW |
+| `src/node/handler/ExportHandler.ts` | Replaced flag-gated DOCX branch with soffice-first cascade for both DOCX+PDF | MODIFIED |
+| `src/node/handler/ImportHandler.ts` | Soffice-first cascade for DOCX import | MODIFIED |
+| `src/node/hooks/express/importexport.ts` | Tighter route guard (PDF/DOCX go native when no soffice) | MODIFIED |
+| `src/static/js/pad_impexp.ts` | Always show DOCX+PDF export links; ODT still gated on soffice | MODIFIED |
+| `src/node/utils/Settings.ts` | **Revert** `nativeDocxExport` field (introduced earlier in PR) | MODIFIED (revert) |
+| `settings.json.template` | **Revert** `nativeDocxExport` block | MODIFIED (revert) |
+| `settings.json.docker` | **Revert** `nativeDocxExport` block | MODIFIED (revert) |
+| `doc/docker.md` | **Revert** `NATIVE_DOCX_EXPORT` row | MODIFIED (revert) |
+| `src/package.json` | Add `pdfkit`, `htmlparser2`, `mammoth`. Keep `html-to-docx`. | MODIFIED |
+| `pnpm-lock.yaml` | Lockfile regen | MODIFIED |
+| `src/tests/backend/specs/export.ts` | Revise existing DOCX tests (`soffice=null`); add native PDF tests; add negative ODT; add unit test for sanitizer | MODIFIED |
+| `src/tests/backend/specs/import.ts` | New file: native DOCX import + negative ODT | NEW |
+| `src/tests/backend/specs/fixtures/sample.docx` | Tiny DOCX fixture: heading, paragraph, bullet list | NEW |
+
+---
+
+## Task 0: Rebase onto develop
+
+The PR is currently `mergeStateStatus: DIRTY`. Resolve before adding new commits — easier to handle conflicts on a known-good base.
+
+**Files:** none (git operation)
+
+- [ ] **Step 1: Fetch latest develop**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538
+git fetch origin develop
+```
+
+Expected: `From https://github.com/ether/etherpad-lite … develop -> origin/develop`.
+
+- [ ] **Step 2: Rebase**
+
+```bash
+git rebase origin/develop
+```
+
+Expected: clean replay of `b98dfbab7` (DOCX feature commit), `6a7093c09` (CI guard), and `2cebcc822` (spec). If a conflict arises in `src/package.json` / `pnpm-lock.yaml` / `src/node/handler/ExportHandler.ts`, prefer **our** changes for new files and re-resolve any overlap manually. Do NOT use `--strategy-option=theirs` blindly.
+
+- [ ] **Step 3: Verify branch is rebased and tests still pass**
+
+```bash
+git log --oneline origin/develop..HEAD
+pnpm --filter ep_etherpad-lite run test --grep '#7538'
+```
+
+Expected: log shows the three commits above HEAD; test grep passes the existing native DOCX block.
+
+- [ ] **Step 4: Force-push to update the PR**
+
+```bash
+git push fork feat/native-docx-export-7538 --force-with-lease
+```
+
+Expected: branch updated, GitHub re-runs CI green.
+
+- [ ] **Step 5: Confirm PR is no longer DIRTY**
+
+```bash
+gh pr view 7568 --repo ether/etherpad --json mergeStateStatus,mergeable
+```
+
+Expected: `mergeStateStatus` is `BEHIND`, `BLOCKED`, `CLEAN`, or `HAS_HOOKS` — anything other than `DIRTY`/`CONFLICTING`.
+
+---
+
+## Task 1: Add new dependencies
+
+**Files:**
+- Modify: `src/package.json`
+- Modify: `pnpm-lock.yaml`
+
+- [ ] **Step 1: Add deps**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538/src
+pnpm add pdfkit htmlparser2 mammoth
+pnpm add -D @types/pdfkit
+```
+
+Expected: three runtime deps + one dev `@types` package added to `src/package.json`. `pnpm-lock.yaml` regenerated. `html-to-docx` (already there) untouched.
+
+- [ ] **Step 2: Verify versions are pinned to caret-major**
+
+```bash
+grep -E 'pdfkit|htmlparser2|mammoth|html-to-docx' src/package.json
+```
+
+Expected output (versions may be newer; the point is they're all `"^X.Y.Z"`):
+
+```text
+"html-to-docx": "^1.8.0",
+"htmlparser2": "^9.x.x",
+"mammoth": "^1.x.x",
+"pdfkit": "^0.x.x",
+"@types/pdfkit": "^0.x.x",
+```
+
+- [ ] **Step 3: Quick sanity import**
+
+```bash
+cd src && node -e "require('pdfkit'); require('htmlparser2'); require('mammoth'); console.log('OK')"
+```
+
+Expected: prints `OK` and exits 0.
+
+- [ ] **Step 4: Commit**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538
+git add src/package.json pnpm-lock.yaml
+git commit -m "chore(7538): add pdfkit, htmlparser2, mammoth deps"
+```
+
+---
+
+## Task 2: stripRemoteImages sanitizer (TDD)
+
+**Files:**
+- Create: `src/node/utils/ExportSanitizeHtml.ts`
+- Modify: `src/tests/backend/specs/export.ts`
+
+The sanitizer is consumed by both the DOCX and PDF branches in Task 5. Build it first so those branches can call it from the start.
+
+- [ ] **Step 1: Write the failing tests**
+
+Append the following block to `src/tests/backend/specs/export.ts`, ABOVE the closing `});` of the outer `describe(__filename, ...)`:
+
+```typescript
+  describe('stripRemoteImages', function () {
+    const {stripRemoteImages} = require('../../../node/utils/ExportSanitizeHtml');
+
+    it('keeps data: URIs', function () {
+      const out = stripRemoteImages(
+          '<p>x</p><img src="data:image/png;base64,iVBORw0KGgo=">');
+      assert.match(out, /<img[^>]+src="data:image\/png/);
+    });
+
+    it('keeps relative URLs', function () {
+      const out = stripRemoteImages('<img src="/foo/bar.png">');
+      assert.match(out, /<img[^>]+src="\/foo\/bar\.png"/);
+    });
+
+    it('drops absolute http(s) URLs and falls back to alt', function () {
+      const out = stripRemoteImages(
+          '<p>before<img src="https://evil.example/x.png" alt="cat">after</p>');
+      assert.doesNotMatch(out, /evil\.example/);
+      assert.match(out, /before/);
+      assert.match(out, /cat/);
+      assert.match(out, /after/);
+    });
+
+    it('drops protocol-relative URLs', function () {
+      const out = stripRemoteImages('<img src="//evil.example/x.png">');
+      assert.doesNotMatch(out, /evil\.example/);
+    });
+
+    it('passes non-image markup through unchanged', function () {
+      const html = '<h1>hi</h1><p>body <a href="/x">link</a></p>';
+      assert.strictEqual(stripRemoteImages(html), html);
+    });
+  });
+```
+
+- [ ] **Step 2: Run tests, verify they fail**
+
+```bash
+cd src && pnpm test --grep 'stripRemoteImages'
+```
+
+Expected: all five tests fail with `Cannot find module '../../../node/utils/ExportSanitizeHtml'`.
+
+- [ ] **Step 3: Implement the sanitizer**
+
+Create `src/node/utils/ExportSanitizeHtml.ts`:
+
+```typescript
+'use strict';
+
+import {Parser} from 'htmlparser2';
+
+const isLocalSrc = (src: string): boolean => {
+  if (!src) return true;
+  if (src.startsWith('data:')) return true;
+  if (src.startsWith('//')) return false;
+  if (/^[a-z][a-z0-9+.-]*:/i.test(src)) return false;
+  return true;
+};
+
+const escapeAttr = (s: string): string =>
+    s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
+
+const escapeText = (s: string): string =>
+    s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+
+const VOID_TAGS = new Set([
+  'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
+  'link', 'meta', 'source', 'track', 'wbr',
+]);
+
+export const stripRemoteImages = (html: string): string => {
+  let out = '';
+  const parser = new Parser({
+    onopentag(name, attribs) {
+      if (name === 'img') {
+        const src = attribs.src || '';
+        if (isLocalSrc(src)) {
+          let tag = '<img';
+          for (const [k, v] of Object.entries(attribs)) {
+            tag += ` ${k}="${escapeAttr(v)}"`;
+          }
+          tag += '>';
+          out += tag;
+        } else {
+          out += escapeText(attribs.alt || '');
+        }
+        return;
+      }
+      let tag = `<${name}`;
+      for (const [k, v] of Object.entries(attribs)) {
+        tag += ` ${k}="${escapeAttr(v)}"`;
+      }
+      tag += '>';
+      out += tag;
+    },
+    ontext(text) {
+      out += text;
+    },
+    onclosetag(name) {
+      if (VOID_TAGS.has(name)) return;
+      out += `</${name}>`;
+    },
+  }, {decodeEntities: false, lowerCaseTags: true});
+  parser.write(html);
+  parser.end();
+  return out;
+};
+```
+
+- [ ] **Step 4: Run tests, verify they pass**
+
+```bash
+cd src && pnpm test --grep 'stripRemoteImages'
+```
+
+Expected: 5 passing.
+
+- [ ] **Step 5: Commit**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538
+git add src/node/utils/ExportSanitizeHtml.ts src/tests/backend/specs/export.ts
+git commit -m "feat(7538): add stripRemoteImages HTML sanitizer
+
+Drops <img src=> elements pointing at non-data, non-relative URLs to
+prevent the DOCX/PDF converters from making outbound requests via
+plugin-modified HTML. Closes Qodo finding #4 against the
+html-to-docx path; will be wired into both export branches in
+the cascade refactor."
+```
+
+---
+
+## Task 3: Native PDF walker (TDD, structural)
+
+**Files:**
+- Create: `src/node/utils/ExportPdfNative.ts`
+- Modify: `src/tests/backend/specs/export.ts`
+
+Build the walker bottom-up: smoke first (HTML in → `%PDF` buffer out), then add tag handlers as features. Each tag class gets its own test.
+
+- [ ] **Step 1: Write the smoke test**
+
+Append to `src/tests/backend/specs/export.ts`, ABOVE the closing `});` of the outer `describe(__filename)`:
+
+```typescript
+  describe('htmlToPdfBuffer', function () {
+    let htmlToPdfBuffer: (html: string) => Promise<Buffer>;
+
+    before(function () {
+      try {
+        require.resolve('pdfkit');
+        require.resolve('htmlparser2');
+      } catch {
+        this.skip();
+        return;
+      }
+      htmlToPdfBuffer = require('../../../node/utils/ExportPdfNative').htmlToPdfBuffer;
+    });
+
+    it('produces a buffer starting with %PDF-', async function () {
+      const buf = await htmlToPdfBuffer('<p>hello world</p>');
+      assert.ok(Buffer.isBuffer(buf), 'must return Buffer');
+      assert.ok(buf.length > 100, `buffer suspiciously small: ${buf.length} bytes`);
+      assert.strictEqual(buf.slice(0, 5).toString('ascii'), '%PDF-');
+    });
+  });
+```
+
+- [ ] **Step 2: Run, verify failure**
+
+```bash
+cd src && pnpm test --grep 'htmlToPdfBuffer'
+```
+
+Expected: the `produces a buffer starting with %PDF-` test fails with `Cannot find module '../../../node/utils/ExportPdfNative'`.
+
+- [ ] **Step 3: Implement the minimal walker**
+
+Create `src/node/utils/ExportPdfNative.ts`:
+
+```typescript
+'use strict';
+
+import {Parser} from 'htmlparser2';
+import {PassThrough} from 'stream';
+
+const PDFDocument = require('pdfkit');
+
+interface InlineState {
+  bold: boolean;
+  italic: boolean;
+  underline: boolean;
+  strike: boolean;
+  link?: string;
+  fontSize?: number;
+}
+
+const HEADING_SIZES: Record<string, number> = {
+  h1: 24, h2: 20, h3: 16, h4: 14, h5: 12, h6: 11,
+};
+
+const decodeDataUri = (src: string): Buffer | null => {
+  const m = /^data:[^;,]+;base64,(.+)$/i.exec(src);
+  if (!m) return null;
+  try {
+    return Buffer.from(m[1], 'base64');
+  } catch {
+    return null;
+  }
+};
+
+export const htmlToPdfBuffer = (html: string): Promise<Buffer> =>
+  new Promise((resolve, reject) => {
+    const doc = new PDFDocument({margin: 50});
+    const stream = new PassThrough();
+    const chunks: Buffer[] = [];
+    stream.on('data', (c: Buffer) => chunks.push(c));
+    stream.on('end', () => resolve(Buffer.concat(chunks)));
+    stream.on('error', reject);
+    doc.pipe(stream);
+
+    const styleStack: InlineState[] = [{
+      bold: false, italic: false, underline: false, strike: false,
+    }];
+    let listType: ('ul' | 'ol' | null)[] = [];
+    let listIndex: number[] = [];
+    let pendingNewline = false;
+
+    const top = () => styleStack[styleStack.length - 1];
+
+    const applyFont = () => {
+      const s = top();
+      const variant =
+        s.bold && s.italic ? 'Helvetica-BoldOblique' :
+        s.bold ? 'Helvetica-Bold' :
+        s.italic ? 'Helvetica-Oblique' :
+        'Helvetica';
+      doc.font(variant);
+      doc.fontSize(s.fontSize || 11);
+    };
+
+    const writeText = (raw: string) => {
+      if (!raw) return;
+      if (pendingNewline) {
+        doc.moveDown(0.5);
+        pendingNewline = false;
+      }
+      const s = top();
+      applyFont();
+      const opts: any = {continued: true};
+      if (s.underline) opts.underline = true;
+      if (s.strike) opts.strike = true;
+      if (s.link) opts.link = s.link;
+      doc.text(raw, opts);
+    };
+
+    const flushLine = () => {
+      doc.text('', {continued: false});
+    };
+
+    const parser = new Parser({
+      onopentag(name, attribs) {
+        const cur = top();
+        const next: InlineState = {...cur};
+        switch (name) {
+          case 'b': case 'strong': next.bold = true; break;
+          case 'i': case 'em': next.italic = true; break;
+          case 'u': next.underline = true; break;
+          case 's': case 'strike': case 'del': next.strike = true; break;
+          case 'a': next.link = attribs.href; next.underline = true; break;
+          case 'h1': case 'h2': case 'h3': case 'h4': case 'h5': case 'h6':
+            next.fontSize = HEADING_SIZES[name];
+            next.bold = true;
+            if (!pendingNewline) flushLine();
+            doc.moveDown(0.5);
+            break;
+          case 'p': case 'div':
+            if (!pendingNewline) flushLine();
+            doc.moveDown(0.3);
+            break;
+          case 'ul': case 'ol':
+            listType.push(name as 'ul' | 'ol');
+            listIndex.push(0);
+            flushLine();
+            break;
+          case 'li': {
+            flushLine();
+            const t = listType[listType.length - 1] || 'ul';
+            if (t === 'ol') listIndex[listIndex.length - 1] += 1;
+            const prefix = t === 'ul'
+              ? '• '
+              : `${listIndex[listIndex.length - 1]}. `;
+            const indent = '   '.repeat(Math.max(0, listType.length - 1));
+            applyFont();
+            doc.text(`${indent}${prefix}`, {continued: true});
+            break;
+          }
+          case 'br':
+            flushLine();
+            break;
+          case 'img': {
+            const buf = decodeDataUri(attribs.src || '');
+            if (buf) {
+              flushLine();
+              try { doc.image(buf, {fit: [400, 300]}); } catch { /* ignore */ }
+            }
+            break;
+          }
+        }
+        styleStack.push(next);
+      },
+
+      ontext(text) {
+        writeText(text);
+      },
+
+      onclosetag(name) {
+        switch (name) {
+          case 'h1': case 'h2': case 'h3': case 'h4': case 'h5': case 'h6':
+          case 'p': case 'div':
+            flushLine();
+            pendingNewline = true;
+            break;
+          case 'li':
+            flushLine();
+            break;
+          case 'ul': case 'ol':
+            listType.pop();
+            listIndex.pop();
+            doc.moveDown(0.3);
+            break;
+        }
+        styleStack.pop();
+        if (styleStack.length === 0) {
+          styleStack.push({bold: false, italic: false, underline: false, strike: false});
+        }
+      },
+    }, {decodeEntities: true, lowerCaseTags: true});
+
+    parser.write(html);
+    parser.end();
+    flushLine();
+    doc.end();
+  });
+```
+
+- [ ] **Step 4: Run smoke, verify pass**
+
+```bash
+cd src && pnpm test --grep 'htmlToPdfBuffer'
+```
+
+Expected: 1 passing.
+
+- [ ] **Step 5: Add structural tests**
+
+Append BELOW the existing `it('produces a buffer starting with %PDF-')` inside the same `describe('htmlToPdfBuffer')`:
+
+```typescript
+    const renderText = async (html: string): Promise<string> => {
+      const buf = await htmlToPdfBuffer(html);
+      // pdfkit emits text uncompressed-ish; we look for substrings inside
+      // the raw PDF stream. This is intentionally fragile-friendly: we
+      // assert the words show up at all, not their layout.
+      return buf.toString('latin1');
+    };
+
+    it('renders headings, paragraphs, and lists', async function () {
+      const raw = await renderText(`
+        <h1>Title</h1>
+        <p>Body paragraph here.</p>
+        <ul><li>one</li><li>two</li></ul>
+        <ol><li>alpha</li><li>beta</li></ol>
+      `);
+      assert.ok(raw.includes('Title'));
+      assert.ok(raw.includes('Body paragraph here.'));
+      assert.ok(raw.includes('one'));
+      assert.ok(raw.includes('two'));
+      assert.ok(raw.includes('alpha'));
+      assert.ok(raw.includes('beta'));
+    });
+
+    it('emits link annotations for <a href>', async function () {
+      const raw = await renderText('<p><a href="https://etherpad.org">site</a></p>');
+      assert.ok(raw.includes('site'));
+      assert.ok(raw.includes('etherpad.org'));
+    });
+
+    it('embeds data: URI images without throwing', async function () {
+      const tinyPng =
+        'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=';
+      const buf = await htmlToPdfBuffer(`<img src="data:image/png;base64,${tinyPng}">`);
+      assert.ok(buf.length > 200);
+    });
+
+    it('ignores unknown tags rather than crashing', async function () {
+      const buf = await htmlToPdfBuffer(
+          '<custom-tag><p>still works</p></custom-tag>');
+      assert.ok(buf.slice(0, 5).toString('ascii') === '%PDF-');
+    });
+  });
+```
+
+- [ ] **Step 6: Run, verify all pass**
+
+```bash
+cd src && pnpm test --grep 'htmlToPdfBuffer'
+```
+
+Expected: 5 passing.
+
+- [ ] **Step 7: Walker line-count check (bail-out criterion)**
+
+```bash
+wc -l src/node/utils/ExportPdfNative.ts
+```
+
+If the result is **>500 lines** OR a structural test from Step 5 fails in a way that requires substantially more walker code to fix (e.g. real table rendering, complex CSS), STOP and follow the bail-out path:
+
+1. Read the spec section "Bail-out criterion" again.
+2. Replace `ExportPdfNative.ts` with a `pdfmake` + `html-to-pdfmake` + `jsdom` implementation behind the same `htmlToPdfBuffer(html)` signature.
+3. Add `pdfmake`, `html-to-pdfmake`, `jsdom` to `src/package.json`; remove `pdfkit` and `htmlparser2` if not used anywhere else.
+4. Re-run the same test grep — the public contract (input HTML, output `%PDF-` buffer) hasn't changed.
+5. Continue with Task 4.
+
+If the file is ≤500 lines and tests pass, continue normally.
+
+- [ ] **Step 8: Commit**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538
+git add src/node/utils/ExportPdfNative.ts src/tests/backend/specs/export.ts
+git commit -m "feat(7538): native PDF export via pdfkit + htmlparser2 walker
+
+Renders pad HTML to a PDF Buffer in-process: headings, paragraphs,
+lists, links, inline emphasis, data:-URI images. Remote images are
+explicitly skipped at the walker (defense-in-depth on top of the
+shared stripRemoteImages sanitizer)."
+```
+
+---
+
+## Task 4: Native DOCX import wrapper (TDD)
+
+**Files:**
+- Create: `src/node/utils/ImportDocxNative.ts`
+- Create: `src/tests/backend/specs/fixtures/sample.docx`
+- Create: `src/tests/backend/specs/import.ts`
+
+- [ ] **Step 1: Generate the DOCX fixture**
+
+Use `html-to-docx` (already a dep) to produce a deterministic fixture so we don't hand-build OOXML. Run this from the worktree root:
+
+```bash
+mkdir -p src/tests/backend/specs/fixtures
+cd src && node -e "
+const fs = require('fs');
+const htmlToDocx = require('html-to-docx');
+htmlToDocx('<h1>Heading</h1><p>Paragraph body.</p><ul><li>one</li><li>two</li></ul>').then((buf) => {
+  fs.writeFileSync('tests/backend/specs/fixtures/sample.docx', buf);
+  console.log('wrote', buf.length, 'bytes');
+});
+"
+```
+
+Expected: `wrote <N> bytes` where N is roughly 5000–15000.
+
+- [ ] **Step 2: Verify fixture is a real DOCX**
+
+```bash
+head -c 4 src/tests/backend/specs/fixtures/sample.docx | xxd
+```
+
+Expected: starts with `50 4b 03 04` (PK ZIP signature).
+
+- [ ] **Step 3: Write the failing wrapper test**
+
+Create `src/tests/backend/specs/import.ts`:
+
+```typescript
+'use strict';
+
+import {MapArrayType} from '../../../node/types/MapType';
+import path from 'path';
+import {promises as fs} from 'fs';
+
+const assert = require('assert').strict;
+const common = require('../common');
+const padManager = require('../../../node/db/PadManager');
+import settings from '../../../node/utils/Settings';
+
+describe(__filename, function () {
+  const settingsBackup: MapArrayType<any> = {};
+  let agent: any;
+
+  before(async function () {
+    agent = await common.init();
+    settingsBackup.soffice = settings.soffice;
+  });
+
+  after(function () {
+    Object.assign(settings, settingsBackup);
+  });
+
+  describe('docxBufferToHtml (#7538)', function () {
+    let docxBufferToHtml: (b: Buffer) => Promise<string>;
+
+    before(function () {
+      try { require.resolve('mammoth'); }
+      catch { this.skip(); return; }
+      docxBufferToHtml = require('../../../node/utils/ImportDocxNative').docxBufferToHtml;
+    });
+
+    it('converts the sample.docx fixture to HTML', async function () {
+      const buf = await fs.readFile(
+          path.join(__dirname, 'fixtures', 'sample.docx'));
+      const html = await docxBufferToHtml(buf);
+      assert.match(html, /Heading/);
+      assert.match(html, /Paragraph body\./);
+      assert.match(html, /one/);
+      assert.match(html, /two/);
+    });
+
+    it('emits no remote image URLs', async function () {
+      const buf = await fs.readFile(
+          path.join(__dirname, 'fixtures', 'sample.docx'));
+      const html = await docxBufferToHtml(buf);
+      assert.doesNotMatch(html, /<img[^>]+src="https?:/);
+      assert.doesNotMatch(html, /<img[^>]+src="\/\//);
+    });
+  });
+});
+```
+
+- [ ] **Step 4: Run, verify failure**
+
+```bash
+cd src && pnpm test --grep 'docxBufferToHtml'
+```
+
+Expected: tests fail with `Cannot find module '../../../node/utils/ImportDocxNative'`.
+
+- [ ] **Step 5: Implement the wrapper**
+
+Create `src/node/utils/ImportDocxNative.ts`:
+
+```typescript
+'use strict';
+
+const mammoth = require('mammoth');
+
+export const docxBufferToHtml = async (buffer: Buffer): Promise<string> => {
+  const result = await mammoth.convertToHtml(
+    {buffer},
+    {
+      convertImage: mammoth.images.imgElement(async (image: any) => {
+        const buf: Buffer = await image.read();
+        const contentType = image.contentType || 'application/octet-stream';
+        return {src: `data:${contentType};base64,${buf.toString('base64')}`};
+      }),
+    },
+  );
+  return result.value || '';
+};
+```
+
+- [ ] **Step 6: Run, verify pass**
+
+```bash
+cd src && pnpm test --grep 'docxBufferToHtml'
+```
+
+Expected: 2 passing.
+
+- [ ] **Step 7: Commit**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538
+git add src/node/utils/ImportDocxNative.ts \
+        src/tests/backend/specs/import.ts \
+        src/tests/backend/specs/fixtures/sample.docx
+git commit -m "feat(7538): native DOCX import via mammoth
+
+Wraps mammoth.convertToHtml so a soffice-less Etherpad can ingest
+.docx files. Images are coerced to data: URIs at the converter
+boundary so the import pipeline never sees a remote src=."
+```
+
+---
+
+## Task 5: Refactor ExportHandler to soffice-first cascade
+
+**Files:**
+- Modify: `src/node/handler/ExportHandler.ts`
+- Modify: `src/tests/backend/specs/export.ts`
+
+This is where we drop the flag-gated branch and wire the cascade.
+
+- [ ] **Step 1: Update the existing native-DOCX test block to use `soffice = null`**
+
+In `src/tests/backend/specs/export.ts`, find:
+
+```typescript
+  describe('native DOCX export (#7538)', function () {
+    before(function () {
+      try {
+        require.resolve('html-to-docx');
+      } catch {
+        this.skip();
+        return;
+      }
+      settings.soffice = 'false';
+      settings.nativeDocxExport = true;
+    });
+```
+
+Replace with:
+
+```typescript
+  describe('native DOCX export (#7538)', function () {
+    before(function () {
+      try {
+        require.resolve('html-to-docx');
+      } catch {
+        this.skip();
+        return;
+      }
+      settings.soffice = null;
+    });
+```
+
+Also update the line that sets these in the prior `it('returns 500 on export error')` block:
+
+```typescript
+    settings.soffice = 'false'; // '/bin/false' doesn't work on Windows
+    settings.nativeDocxExport = false;
+```
+
+Becomes:
+
+```typescript
+    settings.soffice = '/bin/false'; // forces a soffice spawn that errors
+```
+
+(The intent of that test is to exercise the soffice error path; with the cascade, that means soffice MUST be configured.)
+
+Remove the line:
+
+```typescript
+    settingsBackup.nativeDocxExport = settings.nativeDocxExport;
+```
+
+from the outer `before(...)` block.
+
+- [ ] **Step 2: Add the negative ODT test**
+
+Above the closing `});` of `describe(__filename)` and AFTER the `htmlToPdfBuffer` block, add:
+
+```typescript
+  describe('odt without soffice (#7538)', function () {
+    before(function () { settings.soffice = null; });
+    it('returns the "not enabled" message for odt', async function () {
+      const res = await agent.get('/p/testExportPad/export/odt').expect(200);
+      assert.match(res.text, /This export is not enabled/);
+    });
+  });
+```
+
+- [ ] **Step 3: Add the native PDF integration test**
+
+Inside the existing `describe('native DOCX export (#7538)')`, immediately after the two existing tests, add a sibling describe:
+
+```typescript
+  describe('native PDF export (#7538)', function () {
+    before(function () {
+      try {
+        require.resolve('pdfkit');
+        require.resolve('htmlparser2');
+      } catch {
+        this.skip();
+        return;
+      }
+      settings.soffice = null;
+    });
+
+    it('returns a valid %PDF- document', async function () {
+      const res = await agent.get('/p/testExportPad/export/pdf')
+          .buffer(true)
+          .parse((resp: any, callback: any) => {
+            const chunks: Buffer[] = [];
+            resp.on('data', (chunk: Buffer) => chunks.push(chunk));
+            resp.on('end', () => callback(null, Buffer.concat(chunks)));
+          })
+          .expect(200);
+      const body: Buffer = res.body as Buffer;
+      assert.ok(body.length > 200, 'PDF body must be non-trivial');
+      assert.strictEqual(body.slice(0, 5).toString('ascii'), '%PDF-');
+    });
+
+    it('sends application/pdf content-type', async function () {
+      const res = await agent.get('/p/testExportPad/export/pdf').expect(200);
+      assert.match(res.headers['content-type'], /application\/pdf/);
+    });
+  });
+```
+
+- [ ] **Step 4: Run, verify failures**
+
+```bash
+cd src && pnpm test --grep '#7538'
+```
+
+Expected: PDF tests fail (route returns 200 but with the "not enabled" body or 500 from soffice path); ODT test currently fails (route guard still blocks it). DOCX tests fail because cascade isn't in place yet — the `nativeDocxExport=true` shortcut is gone but the new cascade isn't there.
+
+- [ ] **Step 5: Replace the flag-gated branch in ExportHandler**
+
+In `src/node/handler/ExportHandler.ts`, replace lines 90–144 (everything from the `// Native DOCX path (issue #7538)` comment block down through the `await fsp_unlink(destFile);` line) with:
+
+```typescript
+    // Soffice-first dispatch (issue #7538). When soffice is configured
+    // we keep the legacy convert-via-tempfile path; when it's not, we
+    // hand DOCX to html-to-docx and PDF to our pdfkit walker — both
+    // pure-JS, in-process. No fallback chain: native errors surface as
+    // 5xx so admins see real failures instead of silent shadowing.
+    const {sofficeAvailable} = require('../utils/Settings');
+    const offline = sofficeAvailable() === 'no'
+        || (sofficeAvailable() === 'withoutPDF' && type === 'pdf');
+
+    if (offline) {
+      const {stripRemoteImages} = require('../utils/ExportSanitizeHtml');
+      const safeHtml = stripRemoteImages(html);
+      html = null;
+      try {
+        if (type === 'docx') {
+          const htmlToDocx = require('html-to-docx');
+          const buf = await htmlToDocx(safeHtml);
+          res.contentType(
+              'application/vnd.openxmlformats-officedocument.wordprocessingml.document');
+          res.send(buf);
+          return;
+        }
+        if (type === 'pdf') {
+          const {htmlToPdfBuffer} = require('../utils/ExportPdfNative');
+          const buf = await htmlToPdfBuffer(safeHtml);
+          res.contentType('application/pdf');
+          res.send(buf);
+          return;
+        }
+        // soffice-only formats (odt, doc) are blocked at the route guard
+        // when soffice is null; reaching here means the guard is wrong.
+        res.status(500).send(`Cannot export ${type} without soffice configured`);
+        return;
+      } catch (err) {
+        console.error(
+            `native ${type} export failed for pad "${padId}":`,
+            err && (err as Error).stack ? (err as Error).stack : err);
+        res.status(500).send(`Failed to export pad as ${type}.`);
+        return;
+      }
+    }
+
+    // soffice path — write the html export to a file
+    const randNum = Math.floor(Math.random() * 0xFFFFFFFF);
+    const srcFile = `${tempDirectory}/etherpad_export_${randNum}.html`;
+    await fsp_writeFile(srcFile, html);
+
+    // ensure html can be collected by the garbage collector
+    html = null;
+
+    // send the convert job to the converter (libreoffice)
+    const destFile = `${tempDirectory}/etherpad_export_${randNum}.${type}`;
+
+    // Allow plugins to overwrite the convert in export process
+    const result = await hooks.aCallAll('exportConvert', {srcFile, destFile, req, res});
+    if (result.length > 0) {
+      // console.log("export handled by plugin", destFile);
+    } else {
+      const converter = require('../utils/LibreOffice');
+      await converter.convertFile(srcFile, destFile, type);
+    }
+
+    // send the file
+    await res.sendFile(destFile, null);
+
+    // clean up temporary files
+    await fsp_unlink(srcFile);
+
+    // 100ms delay to accommodate for slow windows fs
+    if (os.type().indexOf('Windows') > -1) {
+      await new Promise((resolve) => setTimeout(resolve, 100));
+    }
+
+    await fsp_unlink(destFile);
+```
+
+- [ ] **Step 6: Run, verify DOCX + PDF tests pass; ODT still routed by the guard (next task)**
+
+```bash
+cd src && pnpm test --grep '#7538'
+```
+
+Expected: DOCX tests pass; PDF tests pass; ODT test fails because the route guard hasn't been tightened yet (it's blocking ALL of pdf/docx/odt/doc when soffice is null, including pdf and docx that we just made native — wait, no: this is what the next task fixes. Actually, with the current guard the docx/pdf integration tests would have failed at Step 4 already. Re-check: the guard returns 200 with a "not enabled" message, which `assert.strictEqual(body.slice(0,5)...)` would fail.) The expected outcome of THIS step is **DOCX and PDF integration tests still fail**, walker-style failures may appear too. We move to Task 6 to fix the guard, then re-run.
+
+If the unit-style tests for `htmlToPdfBuffer`, `docxBufferToHtml`, and `stripRemoteImages` still pass, that's enough to move on.
+
+```bash
+cd src && pnpm test --grep 'htmlToPdfBuffer\|docxBufferToHtml\|stripRemoteImages'
+```
+
+Expected: 12 passing (5 sanitizer + 5 walker + 2 mammoth).
+
+- [ ] **Step 7: Commit**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538
+git add src/node/handler/ExportHandler.ts src/tests/backend/specs/export.ts
+git commit -m "feat(7538): soffice-first cascade in ExportHandler
+
+Replaces the flag-gated DOCX branch with a deterministic dispatch:
+soffice if configured, native DOCX/PDF otherwise, 5xx on native
+error. Both native paths run plugin-modified HTML through
+stripRemoteImages first."
+```
+
+---
+
+## Task 6: Tighten the route guard
+
+**Files:**
+- Modify: `src/node/hooks/express/importexport.ts`
+- Modify: `src/tests/backend/specs/export.ts` (re-verify tests)
+
+- [ ] **Step 1: Update the export guard**
+
+In `src/node/hooks/express/importexport.ts`, replace the block on lines 37–48:
+
+```typescript
+      // if soffice is disabled, and this is a format we only support with soffice, output a message
+      if (exportAvailable() === 'no' &&
+          ['odt', 'pdf', 'doc', 'docx'].indexOf(req.params.type) !== -1) {
+        console.error(`Impossible to export pad "${req.params.pad}" in ${req.params.type} format.` +
+                      ' There is no converter configured');
+
+        // ACHTUNG: do not include req.params.type in res.send() because there is
+        // no HTML escaping and it would lead to an XSS
+        res.send('This export is not enabled at this Etherpad instance. Set the path to soffice ' +
+                 '(LibreOffice) in settings.json to enable this feature');
+        return;
+      }
+```
+
+With:
+
+```typescript
+      // When soffice is disabled, only block formats with no native path.
+      // pdf and docx fall through to ExportHandler, which dispatches to
+      // the in-process converters (issue #7538).
+      if (exportAvailable() === 'no' &&
+          ['odt', 'doc'].indexOf(req.params.type) !== -1) {
+        console.error(`Impossible to export pad "${req.params.pad}" in ${req.params.type} format.` +
+                      ' There is no converter configured');
+
+        // ACHTUNG: do not include req.params.type in res.send() because there is
+        // no HTML escaping and it would lead to an XSS
+        res.send('This export is not enabled at this Etherpad instance. Set the path to soffice ' +
+                 '(LibreOffice) in settings.json to enable this feature');
+        return;
+      }
+```
+
+- [ ] **Step 2: Add the import guard (currently absent — there is no `if (exportAvailable() === 'no') { ... }` on the import side, but the implicit behavior is that `useConverter` becomes `false` and only built-in formats work). Verify by reading lines 73–90 of the current file.**
+
+The import endpoint already implicitly handles the no-soffice case via `useConverter = (converter != null)` in `ImportHandler.ts`. After Task 7 wires native DOCX import there, no change is needed here.
+
+- [ ] **Step 3: Run, verify all #7538 tests pass**
+
+```bash
+cd src && pnpm test --grep '#7538'
+```
+
+Expected: native DOCX (2), native PDF (2), odt-without-soffice (1) — 5 passing.
+
+- [ ] **Step 4: Run the full export test file as a regression check**
+
+```bash
+cd src && pnpm test --grep 'export\.ts'
+```
+
+Expected: all green, including the pre-existing `returns 500 on export error` test which uses `/bin/false` as soffice.
+
+- [ ] **Step 5: Commit**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538
+git add src/node/hooks/express/importexport.ts
+git commit -m "fix(7538): allow docx/pdf through export guard without soffice
+
+Tightens the no-soffice block to ['odt','doc'] only — formats with
+no native path. docx and pdf are handed to ExportHandler, which
+dispatches to the in-process converters. Closes Qodo finding #2."
+```
+
+---
+
+## Task 7: Wire DOCX import into ImportHandler
+
+**Files:**
+- Modify: `src/node/handler/ImportHandler.ts`
+- Modify: `src/tests/backend/specs/import.ts`
+
+- [ ] **Step 1: Write the failing integration test**
+
+Append to `src/tests/backend/specs/import.ts`, BELOW the existing `docxBufferToHtml` describe and ABOVE the closing `});` of `describe(__filename)`:
+
+```typescript
+  describe('end-to-end DOCX import (#7538)', function () {
+    before(function () {
+      try { require.resolve('mammoth'); }
+      catch { this.skip(); return; }
+      settings.soffice = null;
+    });
+
+    it('imports a docx into a pad without soffice', async function () {
+      const padId = 'test7538DocxImport';
+      // Reset pad
+      try { await padManager.removePad(padId); } catch { /* noop */ }
+      const fixture = path.join(__dirname, 'fixtures', 'sample.docx');
+      const res = await agent
+          .post(`/p/${padId}/import`)
+          .attach('file', fixture)
+          .expect(200);
+      assert.strictEqual(res.body.code, 0, `import failed: ${JSON.stringify(res.body)}`);
+      const pad = await padManager.getPad(padId);
+      const text = pad.text();
+      assert.match(text, /Heading/);
+      assert.match(text, /Paragraph body/);
+      assert.match(text, /one/);
+      assert.match(text, /two/);
+    });
+
+    it('rejects odt extension when soffice is null', async function () {
+      const padId = 'test7538OdtReject';
+      try { await padManager.removePad(padId); } catch { /* noop */ }
+      const fixture = path.join(__dirname, 'fixtures', 'sample.docx');
+      // copy fixture to a .odt name
+      const odtPath = path.join(__dirname, 'fixtures', 'sample.odt');
+      await fs.copyFile(fixture, odtPath);
+      try {
+        const res = await agent
+            .post(`/p/${padId}/import`)
+            .attach('file', odtPath);
+        // either 400 with a known status or rejected payload
+        assert.ok(
+            res.status >= 400 || res.body.code !== 0,
+            `expected odt import to fail when soffice is null, got: ${res.status} ${JSON.stringify(res.body)}`);
+      } finally {
+        await fs.unlink(odtPath).catch(() => undefined);
+      }
+    });
+  });
+```
+
+- [ ] **Step 2: Run, verify failure**
+
+```bash
+cd src && pnpm test --grep 'end-to-end DOCX import'
+```
+
+Expected: tests fail — likely the docx import either errors out (no converter) or empties the pad.
+
+- [ ] **Step 3: Update ImportHandler**
+
+In `src/node/handler/ImportHandler.ts`:
+
+a) Replace the block on lines 59–66:
+
+```typescript
+let converter:any = null;
+let exportExtension = 'htm';
+
+// load soffice only if it is enabled
+if (settings.soffice != null) {
+  converter = require('../utils/LibreOffice');
+  exportExtension = 'html';
+}
+```
+
+with:
+
+```typescript
+let converter: any = null;
+let exportExtension = 'htm';
+
+// load soffice only if it is enabled
+if (settings.soffice != null) {
+  converter = require('../utils/LibreOffice');
+  exportExtension = 'html';
+}
+
+const NATIVE_NO_SOFFICE_OFFICE_FORMATS = new Set(['.pdf', '.odt', '.doc', '.rtf']);
+```
+
+b) After the `fileEndingUnknown` block (line 131) and BEFORE the `const destFile = ...` line (133), insert:
+
+```typescript
+  // Native DOCX import (issue #7538): when soffice isn't configured we
+  // hand .docx files to mammoth, which produces HTML — then we feed that
+  // through the existing setPadHTML pipeline by writing it to destFile.
+  if (settings.soffice == null && fileEnding === '.docx') {
+    const buf = await fs.readFile(srcFile);
+    const {docxBufferToHtml} = require('../utils/ImportDocxNative');
+    let nativeHtml: string;
+    try {
+      nativeHtml = await docxBufferToHtml(buf);
+    } catch (err: any) {
+      logger.warn(`Native DOCX import failed: ${err.stack || err}`);
+      throw new ImportError('convertFailed');
+    }
+    const destFileNative = path.join(tmpDirectory, `etherpad_import_${randNum}.html`);
+    await fs.writeFile(destFileNative, nativeHtml);
+    const pad = await padManager.getPad(padId, '\n', authorId);
+    try {
+      await importHtml.setPadHTML(pad, nativeHtml, authorId);
+    } catch (err: any) {
+      logger.warn(`Error importing native DOCX HTML: ${err.stack || err}`);
+      throw new ImportError('convertFailed');
+    }
+    padManager.unloadPad(padId);
+    const reloaded = await padManager.getPad(padId, '\n', authorId);
+    padManager.unloadPad(padId);
+    await padMessageHandler.updatePadClients(reloaded);
+    rm(srcFile);
+    rm(destFileNative);
+    return false;
+  }
+
+  // Without soffice, the legacy office formats (pdf, odt, doc, rtf) have
+  // no in-process path. Reject explicitly so the user sees a clear error
+  // instead of a silent ASCII-only fallback.
+  if (settings.soffice == null && NATIVE_NO_SOFFICE_OFFICE_FORMATS.has(fileEnding)) {
+    throw new ImportError('uploadFailed');
+  }
+```
+
+- [ ] **Step 4: Run, verify both tests pass**
+
+```bash
+cd src && pnpm test --grep 'end-to-end DOCX import'
+```
+
+Expected: 2 passing.
+
+- [ ] **Step 5: Run the full import test file**
+
+```bash
+cd src && pnpm test --grep 'import\.ts'
+```
+
+Expected: 4 passing (2 wrapper + 2 e2e).
+
+- [ ] **Step 6: Commit**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538
+git add src/node/handler/ImportHandler.ts src/tests/backend/specs/import.ts
+git commit -m "feat(7538): native DOCX import path in ImportHandler
+
+When soffice is null and the upload is .docx, run mammoth and feed
+the resulting HTML through setPadHTML. Other office formats
+(pdf/odt/doc/rtf) are explicitly rejected with uploadFailed instead
+of silently falling through to the ASCII-only path."
+```
+
+---
+
+## Task 8: UI — always show DOCX + PDF export links
+
+**Files:**
+- Modify: `src/static/js/pad_impexp.ts`
+
+- [ ] **Step 1: Update the gate**
+
+In `src/static/js/pad_impexp.ts`, replace lines 147–166:
+
+```typescript
+      // hide stuff thats not avaible if soffice is disabled
+      const wordFormat = clientVars.docxExport ? 'docx' : 'doc';
+      if (clientVars.exportAvailable === 'no') {
+        $('#exportworda').remove();
+        $('#exportpdfa').remove();
+        $('#exportopena').remove();
+        $('#importmessagenoconverter').prop('hidden', false);
+      } else if (clientVars.exportAvailable === 'withoutPDF') {
+        $('#exportpdfa').remove();
+
+        $('#exportworda').attr('href', `${padRootPath}/export/${wordFormat}`);
+        $('#exportopena').attr('href', `${padRootPath}/export/odt`);
+
+        $('#importexport').css({height: '142px'});
+        $('#importexportline').css({height: '142px'});
+      } else {
+        $('#exportworda').attr('href', `${padRootPath}/export/${wordFormat}`);
+        $('#exportpdfa').attr('href', `${padRootPath}/export/pdf`);
+        $('#exportopena').attr('href', `${padRootPath}/export/odt`);
+      }
+```
+
+With:
+
+```typescript
+      // DOCX and PDF are always available — soffice when configured,
+      // native pure-JS converters otherwise (issue #7538). ODT still
+      // requires soffice. The 'withoutPDF' branch (Windows soffice
+      // without PDF) is handled by the server-side cascade routing PDF
+      // through native; the UI link stays.
+      const wordFormat = clientVars.docxExport ? 'docx' : 'doc';
+      $('#exportworda').attr('href', `${padRootPath}/export/${wordFormat}`);
+      $('#exportpdfa').attr('href', `${padRootPath}/export/pdf`);
+      if (clientVars.exportAvailable === 'no') {
+        $('#exportopena').remove();
+        $('#importmessagenoconverter').prop('hidden', false);
+      } else {
+        $('#exportopena').attr('href', `${padRootPath}/export/odt`);
+      }
+```
+
+- [ ] **Step 2: Lint check**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538/src
+pnpm exec tsc --noEmit -p .
+```
+
+Expected: no errors related to `pad_impexp.ts` (project-wide ts-check should pass; Task 9 will also catch it).
+
+- [ ] **Step 3: Manual smoke (if dev server access available)**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538/src
+SOFFICE=null pnpm run dev
+```
+
+In another terminal, open `http://localhost:9001/p/test`, click **Import/Export**, verify:
+- Word and PDF links visible
+- ODT link hidden
+- "no converter" import message visible
+
+If you cannot run a dev server in this environment, skip this step and rely on the integration tests.
+
+- [ ] **Step 4: Commit**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538
+git add src/static/js/pad_impexp.ts
+git commit -m "fix(7538): always show DOCX/PDF export links
+
+Native paths (#7538) make DOCX and PDF available regardless of
+soffice presence, so unconditionally render those links. ODT still
+gates on exportAvailable. Closes Qodo finding #2 on the UI side."
+```
+
+---
+
+## Task 9: Revert the `nativeDocxExport` setting
+
+The flag is no longer needed — selection is purely soffice-presence-driven. Roll back the additions from commit `b98dfbab7`.
+
+**Files:**
+- Modify: `src/node/utils/Settings.ts`
+- Modify: `settings.json.template`
+- Modify: `settings.json.docker`
+- Modify: `doc/docker.md`
+
+- [ ] **Step 1: Remove the type field**
+
+In `src/node/utils/Settings.ts` line 208, delete this line:
+
+```typescript
+  nativeDocxExport: boolean,
+```
+
+- [ ] **Step 2: Remove the default value + JSDoc**
+
+In `src/node/utils/Settings.ts`, delete lines 419–426 (the `/** ... */` block above and the `nativeDocxExport: false,` line).
+
+- [ ] **Step 3: Remove from settings.json.template**
+
+In `settings.json.template`, delete the entire block containing the `"nativeDocxExport": false,` line and its preceding `/* … */` JSDoc comment (around lines 354–362). Verify by:
+
+```bash
+grep -n 'nativeDocxExport\|NATIVE_DOCX' settings.json.template settings.json.docker doc/docker.md src/node/utils/Settings.ts
+```
+
+Expected: no results.
+
+- [ ] **Step 4: Remove from settings.json.docker**
+
+In `settings.json.docker`, delete the block on lines 372–377:
+
+```text
+  /*
+   * Convert DOCX exports in-process via html-to-docx instead of shelling
+   * out to LibreOffice. Auto-falls back to the LibreOffice path on error.
+   */
+  "nativeDocxExport": "${NATIVE_DOCX_EXPORT:false}",
+```
+
+- [ ] **Step 5: Remove from doc/docker.md**
+
+Delete the row on line 193:
+
+```text
+| `NATIVE_DOCX_EXPORT`              | Convert DOCX exports in-process with the bundled `html-to-docx` library instead of shelling out to LibreOffice. Auto-falls back to LibreOffice on error. Lets you skip installing `soffice` entirely for deployments that only need DOCX. | `false`               |
+```
+
+- [ ] **Step 6: Re-verify nothing references the flag**
+
+```bash
+grep -rn 'nativeDocxExport\|NATIVE_DOCX_EXPORT' src/ doc/ settings.json.template settings.json.docker 2>/dev/null
+```
+
+Expected: empty output.
+
+- [ ] **Step 7: Type-check**
+
+```bash
+cd src && pnpm exec tsc --noEmit -p .
+```
+
+Expected: no type errors.
+
+- [ ] **Step 8: Run the full export + import test suite**
+
+```bash
+cd src && pnpm test --grep 'export\.ts\|import\.ts'
+```
+
+Expected: all green — sanitizer (5), walker (5), mammoth wrapper (2), DOCX integration (2), PDF integration (2), odt-without-soffice (1), e2e import (2), pre-existing soffice 500 (1). Roughly 20 passing.
+
+- [ ] **Step 9: Commit**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538
+git add src/node/utils/Settings.ts settings.json.template settings.json.docker doc/docker.md
+git commit -m "refactor(7538): drop nativeDocxExport flag
+
+Selection is now purely soffice-presence-driven (Task 5 cascade).
+The opt-in setting and its NATIVE_DOCX_EXPORT env var are no longer
+needed — soffice configured means soffice path; soffice null means
+native path. Reverts the additive surface introduced earlier in
+this PR."
+```
+
+---
+
+## Task 10: Final verification + Qodo response
+
+**Files:** none (CI / GitHub)
+
+- [ ] **Step 1: Run the full backend test suite**
+
+```bash
+cd /home/jose/etherpad/etherpad-lite/.claude/worktrees/pr-7538
+pnpm --filter ep_etherpad-lite run test
+```
+
+Expected: full pass. If any previously-passing test now fails (e.g. a soffice-dependent test that assumed `exportAvailable() === 'no'` blocks docx), investigate root cause — do NOT silently mute.
+
+- [ ] **Step 2: Push**
+
+```bash
+git push fork feat/native-docx-export-7538
+```
+
+Expected: ten new commits on top of the rebased base.
+
+- [ ] **Step 3: Wait ~30s for CI to start, then check status**
+
+```bash
+sleep 30 && gh pr checks 7568 --repo ether/etherpad
+```
+
+Expected: all checks pass or are in progress. If a check fails, fix the underlying issue and push again — do NOT mark the PR ready until all checks are green.
+
+- [ ] **Step 4: Reply to each Qodo finding on the PR**
+
+```bash
+gh pr comment 7568 --repo ether/etherpad --body "$(cat <<'EOF'
+Qodo follow-up:
+
+1. **Requirement gap (DOCX still needs soffice)** — addressed. Removed the `nativeDocxExport` flag entirely. Selection is now purely soffice-presence-driven: soffice configured → soffice; soffice null → native (html-to-docx for DOCX, pdfkit for PDF). No fallback chain.
+2. **DOCX blocked without soffice** — fixed. Tightened the route guard to `['odt','doc']` only when `exportAvailable() === 'no'`; pdf/docx fall through to ExportHandler's native dispatch. UI in pad_impexp.ts always shows DOCX + PDF links now.
+3. **Native DOCX test bypass** — fixed. Tests use `settings.soffice = null` (was `'false'`) so they exercise the real no-soffice deployment shape.
+4. **Unrestricted HTML-to-DOCX I/O** — addressed. New `stripRemoteImages` sanitizer drops non-`data:`/non-relative `<img src>` before either DOCX or PDF conversion. The PDF walker also rejects remote `<img>` at its own boundary as defense-in-depth. No converter ever sees a remote URL.
+
+Also added native PDF export (issue #7538's other half) and native DOCX import via mammoth — design committed at `docs/superpowers/specs/2026-05-08-native-docx-pdf-export-import-design.md`.
+EOF
+)"
+```
+
+Expected: comment posted; URL printed.
+
+- [ ] **Step 5: Mark the PR ready for review**
+
+```bash
+gh pr ready 7568 --repo ether/etherpad
+```
+
+Expected: `Pull request #7568 is now ready for review`. If maintainers prefer the PR stays draft until they review, skip this step.
+
+- [ ] **Step 6: Update PR description**
+
+```bash
+gh pr edit 7568 --repo ether/etherpad --body "$(cat <<'EOF'
+## Summary
+
+Closes #7538. With this PR an Etherpad deployment with `settings.soffice = null` can:
+- export pads as `html`, `txt`, `etherpad`, `docx`, `pdf` — all in-process, no subprocess, no native binaries
+- import `.html`, `.txt`, `.etherpad`, `.docx` files — all in-process
+
+Deployments with `settings.soffice` configured retain today's behavior bit-for-bit.
+
+## Shape
+
+Selection is purely soffice-presence-driven — there is no opt-in flag:
+- `sofficeAvailable() === 'yes'` → existing soffice path
+- `'withoutPDF'` (Windows) → soffice for everything except `pdf`, which goes native
+- `'no'` (soffice null) → native DOCX/PDF; ODT/DOC remain blocked with a clear message
+
+Native DOCX export uses `html-to-docx`; native PDF uses a small `pdfkit` + `htmlparser2` walker we own; native DOCX import uses `mammoth`. Plugin-modified HTML is run through `stripRemoteImages` first to close the SSRF surface Qodo flagged.
+
+## Files
+
+| File | Change |
+|---|---|
+| `src/node/utils/ExportSanitizeHtml.ts` | new — `stripRemoteImages` |
+| `src/node/utils/ExportPdfNative.ts` | new — pdfkit walker |
+| `src/node/utils/ImportDocxNative.ts` | new — mammoth wrapper |
+| `src/node/handler/ExportHandler.ts` | soffice-first cascade for DOCX + PDF |
+| `src/node/handler/ImportHandler.ts` | native DOCX import branch |
+| `src/node/hooks/express/importexport.ts` | route guard tightened to `['odt','doc']` |
+| `src/static/js/pad_impexp.ts` | DOCX + PDF links always visible |
+| `src/package.json` | `pdfkit`, `htmlparser2`, `mammoth`, `html-to-docx` |
+| `src/tests/backend/specs/export.ts` | revised + new tests |
+| `src/tests/backend/specs/import.ts` | new — DOCX import tests |
+| `src/tests/backend/specs/fixtures/sample.docx` | new fixture |
+| `docs/superpowers/specs/...` | design spec |
+
+## Out of scope (follow-ups)
+
+- Native ODT export — no mature pure-JS writer
+- Native PDF / ODT / DOC / RTF import — no mature pure-JS readers
+- Memory/timeout caps on conversion — add when production signal warrants
+
+## Test plan
+- [x] `pnpm run ts-check` clean
+- [x] Backend tests: sanitizer, walker, mammoth wrapper, DOCX + PDF integration, ODT negative, end-to-end DOCX import
+- [x] Manual: with `SOFFICE=null`, export DOCX and PDF; both produce valid files
+- [x] Manual: with `SOFFICE=null`, import the fixture .docx and verify pad content
+
+Closes #7538
+EOF
+)"
+```
+
+Expected: description updated.
+
+---
+
+## Self-Review
+
+- **Spec coverage:**
+  - Selection model (soffice-first cascade) → Task 5
+  - Route guard fix → Task 6
+  - UI capability fix → Task 8
+  - Native PDF (Approach B + bail-out) → Task 3
+  - HTML sanitization → Task 2
+  - Native DOCX import → Tasks 4, 7
+  - Error handling (5xx, no fallback) → Task 5 (try/catch)
+  - Tests for all of the above → Tasks 2, 3, 4, 5, 6, 7
+  - Files-touched table → covered by Tasks 1, 2, 3, 4, 5, 6, 7, 8, 9
+  - `nativeDocxExport` removal → Task 9
+  - Rebase → Task 0
+  - Qodo replies + ready-for-review → Task 10
+  - **Gap addressed inline:** `exportHTMLSend` plugin hook coverage on native paths — the spec says "verify against current behavior, don't expand scope". Task 5's cascade preserves the existing `if (type === 'html') { exportHTMLSend ... }` block at lines 82–88 untouched, so plugin behavior on the html branch is identical. Native DOCX/PDF do not invoke `exportHTMLSend` — same as the pre-PR LibreOffice path, which also doesn't call it. No change needed; this is a non-regression.
+
+- **Placeholder scan:** No "TBD" / "TODO" / "implement later" / "fill in details" strings. All test assertions are concrete; all code blocks are complete.
+
+- **Type consistency:** `htmlToPdfBuffer(html: string): Promise<Buffer>` referenced in Tasks 3, 5; `docxBufferToHtml(buf: Buffer): Promise<string>` in Tasks 4, 7; `stripRemoteImages(html: string): string` in Tasks 2, 5. All match the spec.
+
+- **Bail-out criterion** (Task 3 Step 7) is concrete: line count threshold (>500) and a behavior threshold (test that fails because the walker can't render a class of content). Implementer has a clear stop signal.
diff --git a/docs/superpowers/specs/2026-05-08-native-docx-pdf-export-import-design.md b/docs/superpowers/specs/2026-05-08-native-docx-pdf-export-import-design.md
new file mode 100644
index 00000000000..3667a1e7c71
--- /dev/null
+++ b/docs/superpowers/specs/2026-05-08-native-docx-pdf-export-import-design.md
@@ -0,0 +1,230 @@
+# Native DOCX + PDF export and DOCX import without LibreOffice
+
+**Status:** spec — pending implementation
+**Issue:** #7538
+**Extending PR:** #7568 (`feat/native-docx-export-7538`)
+**Date:** 2026-05-08
+
+## Problem
+
+Etherpad's import/export pipeline shells out to LibreOffice (`soffice`) for every "office" format — `pdf`, `docx`, `odt`, `doc`, `rtf`. Operators who want any of those formats must install ~500 MB of LibreOffice as a runtime dependency, plus pay subprocess latency on every export. Operators who don't want LibreOffice lose those formats entirely.
+
+PR #7568 took a first cut at native DOCX export via `html-to-docx`, but:
+
+- it's flag-gated (`settings.nativeDocxExport`) and falls back to soffice on error, so soffice remains a soft requirement;
+- the `/export` route guard and pad UI both gate `docx` on `soffice` being configured, so the new path is unreachable in a real no-soffice deployment (Qodo finding #2);
+- existing tests use `settings.soffice = 'false'` (a non-null string), which sidesteps the route guard and doesn't simulate a real no-soffice deployment (Qodo finding #3);
+- the `html-to-docx` dependency tree includes `node-fetch` via `image-to-base64`, so plugin-modified HTML can trigger outbound requests from the converter (Qodo finding #4);
+- nothing addresses PDF, which the issue explicitly scopes alongside DOCX.
+
+This spec replaces the flag-gated half-measure with a soffice-first selection model, adds a native PDF export path, adds native DOCX import, and hardens both export converters against SSRF.
+
+## Goal
+
+A deployment with `settings.soffice = null` can:
+
+- export pads as `html`, `txt`, `etherpad`, `docx`, `pdf` — all in-process, no subprocess, no native binaries.
+- import `.html`, `.txt`, `.etherpad`, `.docx` files — all in-process.
+
+A deployment with `settings.soffice` configured retains today's behavior bit-for-bit. There is no flag to flip; the path is chosen automatically based on `sofficeAvailable()`.
+
+`odt`, `doc`, `rtf` (and `pdf` import) continue to require soffice. The deployment matrix is documented; users get a clear error message instead of a silent failure.
+
+## Non-goals
+
+- Native ODT export. No mature pure-JS writer; deferred to a follow-up issue.
+- Native PDF/ODT/DOC/RTF import. No mature pure-JS readers for these in Node. Deferred.
+- Pixel-perfect PDF fidelity. We target structural fidelity (paragraphs, headings, lists, tables, images, basic styling) — the same bar `html-to-docx` hits for DOCX.
+- Memory/timeout caps on conversion. Pad size is already gated upstream; we'll add caps if production signal warrants it.
+
+## Selection model
+
+A single cascade in `ExportHandler.ts` (and a mirror in `ImportHandler`):
+
+```text
+if (sofficeAvailable() === 'yes') {
+  → existing soffice path (handles all formats)
+} else if (sofficeAvailable() === 'withoutPDF') {
+  // Windows: soffice present but can't render PDF
+  if (type === 'pdf')  → native PDF
+  else                 → soffice
+} else { // 'no' — soffice null
+  if (type === 'docx') → native DOCX
+  else if (type === 'pdf') → native PDF
+  else                 → 4xx "this format requires soffice"
+}
+```
+
+No fallback chain on native error. If the native converter throws, the request returns a 500 with a clear log line. This is deliberate — fallback-to-soffice is the pattern that PR #7568 originally used and that Qodo flagged as defeating the no-soffice goal.
+
+The `nativeDocxExport` setting introduced by PR #7568 is removed entirely. With it go `NATIVE_DOCX_EXPORT`, the `doc/docker.md` row, and the new entries in `settings.json.template` / `settings.json.docker`. Native is built-in; the only thing that varies behavior is whether `soffice` is configured.
+
+## Route guard and UI capability
+
+`src/node/hooks/express/importexport.ts` currently rejects all of `['odt','pdf','doc','docx']` when `exportAvailable() === 'no'`. Tighten that list:
+
+```text
+if (exportAvailable() === 'no' && ['odt','doc'].includes(req.params.type)) {
+  → existing "this export is not enabled" message
+}
+// pdf and docx fall through to ExportHandler, which dispatches per the cascade above
+```
+
+Same shape on the import endpoint: `pdf`, `odt`, `doc`, `rtf` blocked when soffice is null; `docx` (plus the pre-existing `etherpad`/`html`/`txt`) goes through.
+
+UI side — `src/static/js/pad_impexp.ts:147-166` currently hides DOCX/PDF/ODT export links when `clientVars.exportAvailable === 'no'`. Update so:
+
+- ODT link: visible iff `exportAvailable === 'yes'` (effectively unchanged)
+- DOCX, PDF links: always visible
+
+No new clientVars flags. The "always visible" rule reflects reality — those paths are built into core.
+
+## Native PDF export
+
+Module: `src/node/utils/ExportPdfNative.ts`. Single export `htmlToPdfBuffer(html: string): Promise<Buffer>`.
+
+Approach: **`pdfkit` + `htmlparser2` + a small walker we own.** Pure JS, no jsdom, ~3 MB install footprint. We control the renderer end-to-end, so there is no SSRF surface from the converter.
+
+### Pipeline
+
+1. `htmlparser2` parses the input HTML into a SAX-style event stream.
+2. A walker maintains a `pdfkit` document and a stack of inline-style state. Tag handling:
+   - `<p>`, `<h1..h6>` — block break + font sizing
+   - `<strong>`/`<b>`, `<em>`/`<i>`, `<u>`, `<s>` — toggle inline style
+   - `<ul>`/`<ol>`/`<li>` — indent + bullet/number prefix
+   - `<a href="…">` — underlined text + `doc.link()` annotation
+   - `<br>` — `doc.moveDown(0.5)`
+   - `<table>`/`<tr>`/`<td>` — best-effort grid via computed x/y on `doc.text()`. Pad HTML emits real tables only via plugins; we render what we can.
+   - `<img src="data:…">` — embed via `doc.image(buffer)` after decoding the data URI
+   - `<img src="…">` (any non-data URL) — replaced with the `alt=` text or skipped. **No fetch.** This is an explicit SSRF guard at the converter; the upstream sanitizer (next section) handles it too, this is defense-in-depth.
+   - Unknown tags — recurse into children, ignore the wrapper
+3. Buffer the PDF in memory via a `PassThrough` stream → resolve with the concatenated `Buffer`.
+
+### Bail-out criterion
+
+The walker is a pragmatic bet — pad HTML is constrained enough that a small walker should cover it. **If, during implementation, the walker exceeds ~500 lines of code or hits a class of pad/plugin HTML it cannot reasonably render**, switch to **Approach A**: `pdfmake` + `html-to-pdfmake` + `jsdom`. That swap keeps the same `ExportHandler.ts` integration shape — only `ExportPdfNative.ts` changes — and adds ~15–20 MB of pure-JS deps.
+
+The plan that follows this spec must call out this decision point so the implementer doesn't grind on a dying walker.
+
+## HTML sanitization (defense-in-depth)
+
+New module: `src/node/utils/ExportSanitizeHtml.ts`. Single export `stripRemoteImages(html: string): string`.
+
+Walks the HTML once with `htmlparser2`, drops any `<img>` whose `src` is not `data:` or a same-origin/relative URL. Replaces with the original `alt=` text (empty string if absent). Pure string-in/string-out, ~50 lines + a unit test.
+
+Both export branches call this *before* handing HTML to their respective converters:
+
+```text
+const safeHtml = stripRemoteImages(html);
+buffer = (type === 'docx') ? await htmlToDocx(safeHtml) : await htmlToPdfBuffer(safeHtml);
+```
+
+This addresses Qodo finding #4 against the existing DOCX path (which was always present, not introduced here) and prevents the equivalent SSRF on the PDF path.
+
+## Native DOCX import
+
+Module: `src/node/utils/ImportDocxNative.ts`. Single export `docxBufferToHtml(buf: Buffer): Promise<string>`.
+
+Wraps `mammoth.convertToHtml({buffer: buf})` and returns `result.value`. Mammoth is pure JS, ~3 MB, embeds images as data URLs by default — no fetches, no SSRF surface. We pass `convertImage: mammoth.images.imgElement(...)` configured to emit data URLs only, as belt-and-braces.
+
+Dispatch in `src/node/handler/ImportHandler.ts` mirrors the export cascade:
+
+```text
+if (sofficeAvailable() === 'yes') {
+  → existing soffice path
+} else if (extension === '.docx') {
+  const html = await docxBufferToHtml(buffer);
+  → hand to existing HTML import pipeline
+} else if (['.pdf','.odt','.doc','.rtf'].includes(extension)) {
+  → 4xx "this format requires soffice"
+}
+// .etherpad / .html / .txt unchanged on both branches
+```
+
+The HTML import pipeline already handles whatever `mammoth` emits (semantic HTML with paragraphs, lists, headings, links, inline styles, embedded images).
+
+## Error handling
+
+Native conversion errors surface to the client as 5xx with a logged error line that includes the pad id and format:
+
+```text
+} catch (err) {
+  console.error(`native ${type} export failed for pad "${padId}":`, err);
+  res.status(500).send(`Failed to export pad as ${type}.`);
+}
+```
+
+No fallback chain. No silent retries.
+
+## Tests
+
+`src/tests/backend/specs/export.ts` — revise existing native-DOCX tests:
+
+- Set `settings.soffice = null` (was `'false'` — fixes Qodo #3)
+- Assert response is a ZIP-signature DOCX with the correct content-type
+- Keep the `require.resolve('html-to-docx')` describe-skip guard for the `upgrade-from-latest-release` CI job
+
+`src/tests/backend/specs/export.ts` — add native-PDF tests:
+
+- With `settings.soffice = null`, GET `/p/<pad>/export/pdf` → 200, `Content-Type: application/pdf`, body starts with `%PDF-`
+- Same describe-skip guard for `pdfkit` and `htmlparser2`
+
+Negative test: with `settings.soffice = null`, GET `/p/<pad>/export/odt` still returns the "not enabled" message (proves we tightened the right gate).
+
+`src/tests/backend/specs/export.ts` (or a sibling file) — unit test for `stripRemoteImages`:
+
+- `<img src="https://evil/x.png">` → dropped
+- `<img src="data:image/png;base64,…">` → kept
+- `<img src="/local/x.png">` → kept (same-origin/relative)
+
+A new import test file (e.g. `src/tests/backend/specs/import.ts` — there is no existing import-flow file in `src/tests/backend/specs/`, only `ImportEtherpad.ts`) for native DOCX import:
+
+- Fixture: a small known `.docx` with a heading, a paragraph, and a bullet list, committed under `src/tests/backend/specs/fixtures/`
+- With `settings.soffice = null`, POST `/p/<pad>/import` with the fixture → assert pad atext/HTML contains the expected structure
+- Negative: rename fixture to `.odt` extension, POST → still rejected with the "requires soffice" message
+
+`exportHTMLSend` plugin hook: verify by reading the code whether the hook fires on the native paths (currently it's only invoked on the `type === 'html'` branch). If a small move is needed to keep the hook contract intact across native DOCX/PDF, include it. If the existing behavior is "hook only fires for html export", document that and don't change it — out of scope for this spec.
+
+## Files touched
+
+| File | Change |
+|---|---|
+| `src/node/handler/ExportHandler.ts` | Replace flag-gated branch with soffice-first cascade; call sanitizer; native PDF + DOCX dispatch |
+| `src/node/handler/ImportHandler.ts` | Soffice-first cascade; native DOCX import dispatch |
+| `src/node/utils/ExportPdfNative.ts` | **new** — pdfkit walker, ≤500 lines (bail-out criterion) |
+| `src/node/utils/ExportSanitizeHtml.ts` | **new** — `stripRemoteImages`, ~50 lines |
+| `src/node/utils/ImportDocxNative.ts` | **new** — mammoth wrapper, ~30 lines |
+| `src/node/hooks/express/importexport.ts` | Tighten export and import route guards to `['odt','doc','pdf','rtf']`-as-appropriate |
+| `src/node/utils/Settings.ts` | **revert** `nativeDocxExport` field (introduced by PR #7568) |
+| `src/static/js/pad_impexp.ts` | Always show DOCX + PDF export links; ODT link still gated on `exportAvailable` |
+| `src/package.json` | Add `pdfkit`, `htmlparser2`, `mammoth`. Keep `html-to-docx`. Drop nothing. |
+| `pnpm-lock.yaml` | Lockfile regen |
+| `settings.json.template`, `settings.json.docker` | **revert** `nativeDocxExport` entries |
+| `doc/docker.md` | **revert** `NATIVE_DOCX_EXPORT` row |
+| `src/tests/backend/specs/export.ts` | Revise DOCX tests (`soffice=null`); add PDF tests; add negative ODT; add unit test for sanitizer |
+| `src/tests/backend/specs/import.ts` | Add native DOCX import tests; add negative ODT |
+| `src/tests/backend/specs/fixtures/<file>.docx` | **new** — small DOCX fixture |
+
+## Open questions handled in implementation, not spec
+
+- Exact error response shape for the route-guard-rejected formats — match whatever the existing soffice-disabled path uses, no fresh design.
+- Whether `exportHTMLSend` needs to fire on the native paths — covered in the test plan; verify against current behavior, don't expand scope.
+- Image MIME sniffing for `data:` URLs in the PDF walker — `pdfkit` accepts PNG/JPEG buffers; we'll decode the base64 and let pdfkit reject unsupported types, surfacing as a converter error.
+
+## Dependencies summary
+
+| Package | Purpose | Approx install size |
+|---|---|---|
+| `html-to-docx` | DOCX export (pre-existing in PR #7568) | ~5 MB |
+| `pdfkit` | PDF export rendering | ~2 MB |
+| `htmlparser2` | HTML SAX parser used by walker + sanitizer | <1 MB |
+| `mammoth` | DOCX → HTML import | ~3 MB |
+
+Total added install: roughly 11 MB across all four. Compared against ~500 MB for LibreOffice and ~200 MB for puppeteer (the alternative considered and rejected in #7538), this is the right tradeoff for the structural-fidelity bar.
+
+## Out of scope (deferred to follow-ups)
+
+- Native ODT export — file follow-up issue.
+- Native PDF/ODT/DOC/RTF import — file follow-up issue, document why they were rejected (no mature pure-JS readers).
+- Memory/timeout caps on conversion — add when production signal warrants.
+- Plugin hook coverage on native paths — beyond the `exportHTMLSend` check above.
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index ae526f738ab..6f6e6a42caa 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -202,6 +202,12 @@ importers:
       formidable:
         specifier: ^3.5.4
         version: 3.5.4
+      html-to-docx:
+        specifier: ^1.8.0
+        version: 1.8.0
+      htmlparser2:
+        specifier: ^12.0.0
+        version: 12.0.0
       http-errors:
         specifier: ^2.0.1
         version: 2.0.1
@@ -238,6 +244,9 @@ importers:
       lru-cache:
         specifier: ^11.3.6
         version: 11.3.6
+      mammoth:
+        specifier: ^1.12.0
+        version: 1.12.0
       measured-core:
         specifier: ^2.0.0
         version: 2.0.0
@@ -262,6 +271,9 @@ importers:
       openapi-backend:
         specifier: ^5.16.1
         version: 5.16.1
+      pdfkit:
+        specifier: ^0.18.0
+        version: 0.18.0
       pg:
         specifier: ^8.20.0
         version: 8.20.0
@@ -389,6 +401,9 @@ importers:
       '@types/oidc-provider':
         specifier: ^9.5.0
         version: 9.5.0
+      '@types/pdfkit':
+        specifier: ^0.17.6
+        version: 0.17.6
       '@types/semver':
         specifier: ^7.7.1
         version: 7.7.1
@@ -1158,6 +1173,10 @@ packages:
       '@emnapi/core': ^1.7.1
       '@emnapi/runtime': ^1.7.1
 
+  '@noble/ciphers@1.3.0':
+    resolution: {integrity: sha512-2I0gnIVPtfnMw9ee9h1dJG7tp81+8Ob3OJb3Mv37rx5L40/b0i7djjCVvGOVqc9AEIQyvyu1i6ypKdFw8R8gQw==}
+    engines: {node: ^14.21.3 || >=16}
+
   '@noble/hashes@1.8.0':
     resolution: {integrity: sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==}
     engines: {node: ^14.21.3 || >=16}
@@ -1178,6 +1197,46 @@ packages:
     resolution: {integrity: sha512-nn5ozdjYQpUCZlWGuxcJY/KpxkWQs4DcbMCmKojjyrYDEAGy4Ce19NN4v5MduafTwJlbKc99UA8YhSVqq9yPZA==}
     engines: {node: '>=12.4.0'}
 
+  '@oozcitak/dom@1.15.5':
+    resolution: {integrity: sha512-L6v3Mwb0TaYBYgeYlIeBaHnc+2ZEaDSbFiRm5KmqZQSoBlbPlf+l6aIH/sD5GUf2MYwULw00LT7+dOnEuAEC0A==}
+    engines: {node: '>=8.0'}
+
+  '@oozcitak/dom@1.15.6':
+    resolution: {integrity: sha512-k4uEIa6DI3FCrFJMGq/05U/59WnS9DjME0kaPqBRCJAqBTkmopbYV1Xs4qFKbDJ/9wOg8W97p+1E0heng/LH7g==}
+    engines: {node: '>=8.0'}
+
+  '@oozcitak/infra@1.0.3':
+    resolution: {integrity: sha512-9O2wxXGnRzy76O1XUxESxDGsXT5kzETJPvYbreO4mv6bqe1+YSuux2cZTagjJ/T4UfEwFJz5ixanOqB0QgYAag==}
+    engines: {node: '>=6.0'}
+
+  '@oozcitak/infra@1.0.5':
+    resolution: {integrity: sha512-o+zZH7M6l5e3FaAWy3ojaPIVN5eusaYPrKm6MZQt0DKNdgXa2wDYExjpP0t/zx+GoQgQKzLu7cfD8rHCLt8JrQ==}
+    engines: {node: '>=6.0'}
+
+  '@oozcitak/url@1.0.0':
+    resolution: {integrity: sha512-LGrMeSxeLzsdaitxq3ZmBRVOrlRRQIgNNci6L0VRnOKlJFuRIkNm4B+BObXPCJA6JT5bEJtrrwjn30jueHJYZQ==}
+    engines: {node: '>=8.0'}
+
+  '@oozcitak/util@1.0.1':
+    resolution: {integrity: sha512-dFwFqcKrQnJ2SapOmRD1nQWEZUtbtIy9Y6TyJquzsalWNJsKIPxmTI0KG6Ypyl8j7v89L2wixH9fQDNrF78hKg==}
+    engines: {node: '>=6.0'}
+
+  '@oozcitak/util@1.0.2':
+    resolution: {integrity: sha512-4n8B1cWlJleSOSba5gxsMcN4tO8KkkcvXhNWW+ADqvq9Xj+Lrl9uCa90GRpjekqQJyt84aUX015DG81LFpZYXA==}
+    engines: {node: '>=6.0'}
+
+  '@oozcitak/util@8.0.0':
+    resolution: {integrity: sha512-+9Hq6yuoq/3TRV/n/xcpydGBq2qN2/DEDMqNTG7rm95K6ZE2/YY/sPyx62+1n8QsE9O26e5M1URlXsk+AnN9Jw==}
+    engines: {node: '>=6.0'}
+
+  '@oozcitak/util@8.3.3':
+    resolution: {integrity: sha512-Ufpab7G5PfnEhQyy5kDg9C8ltWJjsVT1P/IYqacjstaqydG4Q21HAT2HUZQYBrC/a1ZLKCz87pfydlDvv8y97w==}
+    engines: {node: '>=6.0'}
+
+  '@oozcitak/util@8.3.4':
+    resolution: {integrity: sha512-6gH/bLQJSJEg7OEpkH4wGQdA8KXHRbzL1YkGyUO12YNAgV3jxKy4K9kvfXj4+9T0OLug5k58cnPCKSSIKzp7pg==}
+    engines: {node: '>=8.0'}
+
   '@opentelemetry/api@1.9.0':
     resolution: {integrity: sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg==}
     engines: {node: '>=8.0.0'}
@@ -2082,6 +2141,9 @@ packages:
   '@types/oidc-provider@9.5.0':
     resolution: {integrity: sha512-eEzCRVTSqIHD9Bo/qRJ4XQWQ5Z/zBcG+Z2cGJluRsSuWx1RJihqRyPxhIEpMXTwPzHYRTQkVp7hwisQOwzzSAg==}
 
+  '@types/pdfkit@0.17.6':
+    resolution: {integrity: sha512-tIwzxk2uWKp0Cq9JIluQXJid77lYhF52EsIOwhsMF4iWLA6YneoBR1xVKYYdAysHuepUB0OX4tdwMiUDdGKmig==}
+
   '@types/qs@6.14.0':
     resolution: {integrity: sha512-eOunJqu0K1923aExK6y8p6fsihYEn/BYuQ4g0CxAAgFc4b/ZLN4CrsRZ55srTdqoiLzU2B2evC+apEIxprEzkQ==}
 
@@ -2504,6 +2566,10 @@ packages:
     peerDependencies:
       vue: ^3.5.0
 
+  '@xmldom/xmldom@0.8.13':
+    resolution: {integrity: sha512-KRYzxepc14G/CEpEGc3Yn+JKaAeT63smlDr+vjB8jRfgTBBI9wRj/nkQEO+ucV8p8I9bfKLWp37uHgFrbntPvw==}
+    engines: {node: '>=10.0.0'}
+
   abort-controller@3.0.0:
     resolution: {integrity: sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg==}
     engines: {node: '>=6.5'}
@@ -2572,6 +2638,9 @@ packages:
     resolution: {integrity: sha512-kQrYLxhC+NTVVZ4CCzGF6L/uPVOzJmD1T3XgbiUnP7oTeVFOFgEUu6IKNwCDkpFoBVqDKQivlX4RUFqqnWFlEA==}
     hasBin: true
 
+  argparse@1.0.10:
+    resolution: {integrity: sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==}
+
   argparse@2.0.1:
     resolution: {integrity: sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==}
 
@@ -2653,6 +2722,10 @@ packages:
     resolution: {integrity: sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==}
     engines: {node: 18 || 20 || >=22}
 
+  base64-js@0.0.8:
+    resolution: {integrity: sha512-3XSA2cR/h/73EzlXXdU6YNycmYI7+kicTxks4eJg2g39biHR84slg2+des+p7iHYhbRg/udIS4TD53WabcOUkw==}
+    engines: {node: '>= 0.4'}
+
   base64-js@1.5.1:
     resolution: {integrity: sha512-AKpaYlHn8t4SVbOHCy+b5+KKgvR4vrsD8vbvrbiQJps7fKDTkjkDry6ji0rUJjC0kzbNePLwzxq8iypo41qeWA==}
 
@@ -2690,6 +2763,9 @@ packages:
   bluebird@2.11.0:
     resolution: {integrity: sha512-UfFSr22dmHPQqPP9XWHRhq+gWnHCYguQGkXQlbyPtW5qTnhFWA8/iXg765tH0cAjy7l/zPJ1aBTO0g5XgA7kvQ==}
 
+  bluebird@3.4.7:
+    resolution: {integrity: sha512-iD3898SR7sWVRHbiQv+sHUtHnMvC1o3nW5rAcqnq3uOn07DSAppZYUkIGslDz6gXC7HfunPe7YVBgoEJASPcHA==}
+
   body-parser@2.2.1:
     resolution: {integrity: sha512-nfDwkulwiZYQIGwxdy0RUmowMhKcFVcYXUU7m4QlKYim1rUtg83xm2yjZ40QjDuc291AJjjeSc9b++AWHSgSHw==}
     engines: {node: '>=18'}
@@ -2708,9 +2784,18 @@ packages:
     resolution: {integrity: sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==}
     engines: {node: '>=8'}
 
+  brotli@1.3.3:
+    resolution: {integrity: sha512-oTKjJdShmDuGW94SyyaoQvAjf30dZaHnjJ8uAF+u2/vGJkJbJPJAT1gDiOJP5v1Zb6f9KEyW/1HpuaWIXtGHPg==}
+
+  browser-split@0.0.1:
+    resolution: {integrity: sha512-JhvgRb2ihQhsljNda3BI8/UcRHVzrVwo3Q+P8vDtSiyobXuFpuZ9mq+MbRGMnC22CjW3RrfXdg6j6ITX8M+7Ow==}
+
   browser-stdout@1.3.1:
     resolution: {integrity: sha512-qhAVI1+Av2X7qelOfAIYwXONood6XlZE/fXaBSmW/T5SzLAmCgzi+eiWE7fUvbHaeNBQH13UftjpXxsfLkMpgw==}
 
+  browserify-zlib@0.2.0:
+    resolution: {integrity: sha512-Z942RysHXmJrhqk88FmKBVq/v5tqmSkDz7p54G/MGyjMnCFFnC79XWNbg+Vta8W6Wb2qtSZTSxIGkJrRpCFEiA==}
+
   browserslist@4.28.2:
     resolution: {integrity: sha512-48xSriZYYg+8qXna9kwqjIVzuQxi+KYWp2+5nCYnYKPTr0LvD89Jqk2Or5ogxz0NUMfIjhh2lIUX/LyX9B4oIg==}
     engines: {node: ^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7}
@@ -2750,6 +2835,9 @@ packages:
     resolution: {integrity: sha512-Gmy6FhYlCY7uOElZUSbxo2UCDH8owEk996gkbrpsgGtrJLM3J7jGxl9Ic7Qwwj4ivOE5AWZWRMecDdF7hqGjFA==}
     engines: {node: '>=10'}
 
+  camelize@1.0.1:
+    resolution: {integrity: sha512-dU+Tx2fsypxTgtLoE36npi3UqcjSSMNYfkqgmoEhtZrraP5VWq0K7FkWVTYa8eMPtnU/G2txVsfdCJTn9uzpuQ==}
+
   caniuse-lite@1.0.30001790:
     resolution: {integrity: sha512-bOoxfJPyYo+ds6W0YfptaCWbFnJYjh2Y1Eow5lRv+vI2u8ganPZqNm1JwNh0t2ELQCqIWg4B3dWEusgAmsoyOw==}
 
@@ -2797,6 +2885,10 @@ packages:
     resolution: {integrity: sha512-BSeNnyus75C4//NQ9gQt1/csTXyo/8Sb+afLAkzAptFuMsod9HFokGNudZpi/oQV73hnVK+sR+5PVRMd+Dr7YQ==}
     engines: {node: '>=12'}
 
+  clone@2.1.2:
+    resolution: {integrity: sha512-3Pe/CF1Nn94hyhIYpjtiLhdCoEoz0DqQ+988E9gmeEdQZlojxnOb74wctFyuwWQHzqyf9X7C7MG8juUpqBJT8w==}
+    engines: {node: '>=0.8'}
+
   cluster-key-slot@1.1.2:
     resolution: {integrity: sha512-RMr0FhtfXemyinomL4hrWcYJxmX6deFdCxpJzhDttxgO1+bcCnkk+9drydLVDmAMG7NE6aN/fl4F7ucU/90gAA==}
     engines: {node: '>=0.10.0'}
@@ -2878,6 +2970,9 @@ packages:
     resolution: {integrity: sha512-TG2hpqe4ELx54QER/S3HQ9SRVnQnGBtKUz5bLQWtYAQ+o6GpgMs6sYUvaiJjVxb+UXwhRhAEP3m7LbsIZ77Hmw==}
     engines: {node: '>= 0.8'}
 
+  core-util-is@1.0.3:
+    resolution: {integrity: sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ==}
+
   cors@2.8.5:
     resolution: {integrity: sha512-KIHbLJqu73RGr/hnbrO9uBeixNGuvSQjul/jdFvS/KFSIH1hWVd1ng7zOHx+YrEfInLG7q4n6GHQ9cDtxv/P6g==}
     engines: {node: '>= 0.10'}
@@ -3045,10 +3140,16 @@ packages:
   dezalgo@1.0.4:
     resolution: {integrity: sha512-rXSP0bf+5n0Qonsb+SVVfNfIsimO4HEtmnIpPHY8Q1UCzKlQrDMfdobr8nJOOsRgWCyMRqeSBQzmWUMq7zvVig==}
 
+  dfa@1.2.0:
+    resolution: {integrity: sha512-ED3jP8saaweFTjeGX8HQPjeC1YYyZs98jGNZx6IiBvxW7JG5v492kamAQB3m2wop07CvU/RQmzcKr6bgcC5D/Q==}
+
   diff@9.0.0:
     resolution: {integrity: sha512-svtcdpS8CgJyqAjEQIXdb3OjhFVVYjzGAPO8WGCmRbrml64SPw/jJD4GoE98aR7r25A0XcgrK3F02yw9R/vhQw==}
     engines: {node: '>=0.3.1'}
 
+  dingbat-to-unicode@1.0.1:
+    resolution: {integrity: sha512-98l0sW87ZT58pU4i61wa2OHwxbiYSbuxsCBozaVnYX2iCnr3bLM3fIes1/ej7h1YdOKuKt/MLs706TVnALA65w==}
+
   dir-glob@3.0.1:
     resolution: {integrity: sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==}
     engines: {node: '>=8'}
@@ -3061,6 +3162,43 @@ packages:
     resolution: {integrity: sha512-35mSku4ZXK0vfCuHEDAwt55dg2jNajHZ1odvF+8SSr82EsZY4QmXfuWso8oEd8zRhVObSN18aM0CjSdoBX7zIw==}
     engines: {node: '>=0.10.0'}
 
+  dom-serializer@0.2.2:
+    resolution: {integrity: sha512-2/xPb3ORsQ42nHYiSunXkDjPLBaEj/xTwUO4B7XCZQTRk7EBtTOPaygh10YAAh2OI1Qrp6NWfpAhzswj0ydt9g==}
+
+  dom-serializer@3.1.1:
+    resolution: {integrity: sha512-4MEa38/QexBob6gFNwu+EGdWvhJ1OKuNwdYY3Y3NyeWDQfnGeDYQUDfIRzWu5B5gsv03so2Uxd28YC6zrsx3Lw==}
+    engines: {node: '>=20.19.0'}
+
+  dom-walk@0.1.2:
+    resolution: {integrity: sha512-6QvTW9mrGeIegrFXdtQi9pk7O/nSK6lSdXW2eqUspN5LWD7UTji2Fqw5V2YLjBpHEoU9Xl/eUWNpDeZvoyOv2w==}
+
+  domelementtype@1.3.1:
+    resolution: {integrity: sha512-BSKB+TSpMpFI/HOxCNr1O8aMOTZ8hT3pM3GQ0w/mWRmkhEDSFJkkyzz4XQsBV44BChwGkrDfMyjVD0eA2aFV3w==}
+
+  domelementtype@2.3.0:
+    resolution: {integrity: sha512-OLETBj6w0OsagBwdXnPdN0cnMfF9opN69co+7ZrbfPGrdpPVNBUj02spi6B1N7wChLQiPn4CSH/zJvXw56gmHw==}
+
+  domelementtype@3.0.0:
+    resolution: {integrity: sha512-umCQid3jKbDmVjx8jGaW7uUykm4DEUeyV21hPxNMo2nV955DhUThwqyOIDtreepP31hl84X7G5U9ZfsWvIB3Pg==}
+    engines: {node: '>=20.19.0'}
+
+  domhandler@2.4.2:
+    resolution: {integrity: sha512-JiK04h0Ht5u/80fdLMCEmV4zkNh2BcoMFBmZ/91WtYZ8qVXSKjiw7fXMgFPnHcSZgOo3XdinHvmnDUeMf5R4wA==}
+
+  domhandler@6.0.1:
+    resolution: {integrity: sha512-gYzvtM72ZtxQO0T048kd6HWSbbGCNOUwcnfQ01cqIJ4X2IYKFFHZ5mKvrQETcFXxsRObZulDaKmy//R7TPtsBg==}
+    engines: {node: '>=20.19.0'}
+
+  domutils@1.7.0:
+    resolution: {integrity: sha512-Lgd2XcJ/NjEw+7tFvfKxOzCYKZsdct5lczQ2ZaQY8Djz7pfAD3Gbp8ySJWtreII/vDlMVmxwa6pHmdxIYgttDg==}
+
+  domutils@4.0.2:
+    resolution: {integrity: sha512-qI4JLRKnSzqFqr7hAlS5xQDusBCjKSEG4t4+7aNrIQMHBcsC2TGEhuyABJdYkgSewL57PNLYEiibY2iPKhKpaA==}
+    engines: {node: '>=20.19.0'}
+
+  duck@0.1.12:
+    resolution: {integrity: sha512-wkctla1O6VfP89gQ+J/yDesM0S7B7XLXjKGzXxMDVFg7uEn706niAtyYovKbyq1oT9YwDcly721/iUWoc8MVRg==}
+
   dunder-proto@1.0.1:
     resolution: {integrity: sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==}
     engines: {node: '>= 0.4'}
@@ -3110,6 +3248,16 @@ packages:
     resolution: {integrity: sha512-Qohcme7V1inbAfvjItgw0EaxVX5q2rdVEZHRBrEQdRZTssLDGsL8Lwrznl8oQ/6kuTJONLaDcGjkNP247XEhcA==}
     engines: {node: '>=10.13.0'}
 
+  ent@2.2.2:
+    resolution: {integrity: sha512-kKvD1tO6BM+oK9HzCPpUdRb4vKFQY/FPTFmurMvh6LlN68VMrdj77w8yp51/kDbpkFOS9J8w5W6zIzgM2H8/hw==}
+    engines: {node: '>= 0.4'}
+
+  entities@1.1.2:
+    resolution: {integrity: sha512-f2LZMYl1Fzu7YSBKg+RoROelpOaNrcGmE9AZubeDfrCEia483oW4MI4VyFd5VNHIgQ/7qm1I0wUHK1eJnn2y2w==}
+
+  entities@2.2.0:
+    resolution: {integrity: sha512-p92if5Nz619I0w+akJrLZH0MX0Pb5DX39XOwQTtXSdQQOaYH03S1uIQp4mhOZtAXrxq4ViO67YTiLBo2638o9A==}
+
   entities@6.0.1:
     resolution: {integrity: sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g==}
     engines: {node: '>=0.12'}
@@ -3122,6 +3270,9 @@ packages:
     resolution: {integrity: sha512-zwfzJecQ/Uej6tusMqwAqU/6KL2XaB2VZ2Jg54Je6ahNBGNH6Ek6g3jjNCF0fG9EWQKGZNddNjU5F1ZQn/sBnA==}
     engines: {node: '>=20.19.0'}
 
+  error@4.4.0:
+    resolution: {integrity: sha512-SNDKualLUtT4StGFP7xNfuFybL2f6iJujFtrWuvJqGbVQGaN+adE23veqzPz1hjUjTunLi2EnJ+0SJxtbJreKw==}
+
   es-abstract@1.24.2:
     resolution: {integrity: sha512-2FpH9Q5i2RRwyEP1AylXe6nYLR5OhaJTZwmlcP0dL/+JCbgg7yyEo/sEK6HeGZRf3dFpWwThaRHVApXSkW3xeg==}
     engines: {node: '>= 0.4'}
@@ -3371,6 +3522,9 @@ packages:
     engines: {node: '>=18.0.0'}
     hasBin: true
 
+  ev-store@7.0.0:
+    resolution: {integrity: sha512-otazchNRnGzp2YarBJ+GXKVGvhxVATB1zmaStxJBYet0Dyq7A9VhH8IUEB/gRcL6Ch52lfpgPTRJ2m49epyMsQ==}
+
   event-target-shim@5.0.1:
     resolution: {integrity: sha512-i/2XbnSz/uxRCU6+NdVJgKWDTM427+MqYbkQzD321DuCQJUqOuJKIA0IM2+W2xtYHdKOmZ4dR6fExsd4SXL+WQ==}
     engines: {node: '>=6'}
@@ -3484,6 +3638,9 @@ packages:
   focus-trap@8.0.0:
     resolution: {integrity: sha512-Aa84FOGHs99vVwufDMdq2qgOwXPC2e9U66GcqBhn1/jEHPDhJaP8PYhkIbqG9lhfL5Kddk/567lj46LLHYCRUw==}
 
+  fontkit@2.0.4:
+    resolution: {integrity: sha512-syetQadaUEDNdxdugga9CpEYVaQIxOwk7GlwZWWZ19//qW4zE5bknOKeMBDYAASwnpaSHKJITRLMF9m1fp3s6g==}
+
   for-each@0.3.5:
     resolution: {integrity: sha512-dKx12eRCVIzqCxFGplyFKJMPvLEWgmNtUrpTiJIR5u97zEhRG8ySrtboPHZXx7daLxQVrl643cTzbab2tkQjxg==}
     engines: {node: '>= 0.4'}
@@ -3598,6 +3755,9 @@ packages:
     deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
     hasBin: true
 
+  global@4.4.0:
+    resolution: {integrity: sha512-wv/LAoHdRE3BeTGz53FAamhGlPLhlssK45usmGFThIi4XqnBmjKQ16u+RNbP7WvigRZDxUsM0J3gcQ5yicaL0w==}
+
   globals@13.24.0:
     resolution: {integrity: sha512-AhO5QUcj8llrbG09iWhPU2B204J1xnPeL8kQmVorSsy+Sjj1sk8gIyh6cUocGmH4L0UuhAJy+hJMRA4mgA4mFQ==}
     engines: {node: '>=8'}
@@ -3706,12 +3866,28 @@ packages:
     resolution: {integrity: sha512-CV9TW3Y3f8/wT0BRFc1/KAVQ3TUHiXmaAb6VW9vtiMFf7SLoMd1PdAc4W3KFOFETBJUb90KatHqlsZMWV+R9Gg==}
     engines: {node: ^20.19.0 || ^22.12.0 || >=24.0.0}
 
+  html-entities@2.6.0:
+    resolution: {integrity: sha512-kig+rMn/QOVRvr7c86gQ8lWXq+Hkv6CbAH1hLu+RG338StTpE8Z0b44SDVaqVu7HGKf27frdmUYEs9hTUX/cLQ==}
+
   html-parse-stringify@3.0.1:
     resolution: {integrity: sha512-KknJ50kTInJ7qIScF3jeaFRpMpE8/lfiTdzf/twXyPBLAGrLRTmkz3AdTnKeh40X8k9L2fdYwEp/42WGXIRGcg==}
 
+  html-to-docx@1.8.0:
+    resolution: {integrity: sha512-IiMBWIqXM4+cEsW//RKoonWV7DlXAJBmmKI73XJSVWTIXjGUaxSr2ck1jqzVRZknpvO8xsFnVicldKVAWrBYBA==}
+
+  html-to-vdom@0.7.0:
+    resolution: {integrity: sha512-k+d2qNkbx0JO00KezQsNcn6k2I/xSBP4yXYFLvXbcasTTDh+RDLUJS3puxqyNnpdyXWRHFGoKU7cRmby8/APcQ==}
+
   html-void-elements@3.0.0:
     resolution: {integrity: sha512-bEqo66MRXsUGxWHV5IP0PUiAWwoEjba4VCzg0LjFJBpchPaTfyfCKTG6bc5F8ucKec3q5y6qOdGyYTSBEvhCrg==}
 
+  htmlparser2@12.0.0:
+    resolution: {integrity: sha512-Tz7u1i95/g2x2jz81+x0FBVhBhY5aRTvD3tXXdFaljuNdzDLJ8UGNRrTcj2cgQvAg3iW/h77Fz15nLW0L0CrZw==}
+    engines: {node: '>=20.19.0'}
+
+  htmlparser2@3.10.1:
+    resolution: {integrity: sha512-IgieNijUMbkDovyoKObU1DUhm1iwNYE/fuifEoEHfd1oZKZDaONBSkal7Y01shxsM49R4XaMdGez3WnF9UfiCQ==}
+
   http-assert@1.5.0:
     resolution: {integrity: sha512-uPpH7OKX4H25hBmU6G1jWNaqJGpTXxey+YOUizJUAgu0AjLUeC8D73hTrhvDS5D+GJN1DN1+hhc/eF/wpxtp0w==}
     engines: {node: '>= 0.8'}
@@ -3758,10 +3934,24 @@ packages:
     resolution: {integrity: sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg==}
     engines: {node: '>= 4'}
 
+  image-size@1.2.1:
+    resolution: {integrity: sha512-rH+46sQJ2dlwfjfhCyNx5thzrv+dtmBIhPHk0zgRUukHzZ/kRueTJXoYYsclBaKcSMBWuGbOFXtioLpzTb5euw==}
+    engines: {node: '>=16.x'}
+    hasBin: true
+
+  image-to-base64@2.2.0:
+    resolution: {integrity: sha512-Z+aMwm/91UOQqHhrz7Upre2ytKhWejZlWV/JxUTD1sT7GWWKFDJUEV5scVQKnkzSgPHFuQBUEWcanO+ma0PSVw==}
+
+  immediate@3.0.6:
+    resolution: {integrity: sha512-XXOFtyqDjNDAQxVfYxuF7g9Il/IbWmmlQg2MYKOH8ExIT1qg6xc4zyS3HaEEATgs1btfzxq15ciUiY7gjSXRGQ==}
+
   imurmurhash@0.1.4:
     resolution: {integrity: sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==}
     engines: {node: '>=0.8.19'}
 
+  individual@3.0.0:
+    resolution: {integrity: sha512-rUY5vtT748NMRbEMrTNiFfy29BgGZwGXUi2NFUVMWQrogSLzlJvQV9eeMWi+g1aVaQ53tpyLAQtd5x/JH0Nh1g==}
+
   inherits@2.0.4:
     resolution: {integrity: sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==}
 
@@ -3862,6 +4052,9 @@ packages:
     resolution: {integrity: sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==}
     engines: {node: '>=0.12.0'}
 
+  is-object@1.0.2:
+    resolution: {integrity: sha512-2rRIahhZr2UWb45fIOuvZGpFtz0TyOZLf32KxBbSoUCeZR495zCKlWUKKUByk3geS2eAs7ZAABt0Y/Rx0GiQGA==}
+
   is-path-inside@3.0.3:
     resolution: {integrity: sha512-Fd4gABb+ycGAmKou8eMftCupSir5lRxqf4aD/vd0cD2qc4HL07OjCeuHMr8Ro4CoMaeCKDB0/ECBOVWjTwUvPQ==}
     engines: {node: '>=8'}
@@ -3930,6 +4123,9 @@ packages:
     resolution: {integrity: sha512-e6rvdUCiQCAuumZslxRJWR/Doq4VpPR82kqclvcS0efgt430SlGIk05vdCN58+VrzgtIcfNODjozVielycD4Sw==}
     engines: {node: '>=16'}
 
+  isarray@1.0.0:
+    resolution: {integrity: sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==}
+
   isarray@2.0.5:
     resolution: {integrity: sha512-xHjhDr3cNBK0BzdUJSPXZntQUx/mwMS5Rw4A7lPJ90XGAO6ISP/ePDNuo0vhqOZU+UD5JoodwCAAoZQd3FeAKw==}
 
@@ -3949,6 +4145,9 @@ packages:
   js-md4@0.3.2:
     resolution: {integrity: sha512-/GDnfQYsltsjRswQhN9fhv3EMw2sCpUdrdxyWDOUK7eyD++r3gRhzgiQgc/x4MAv2i1iuQ4lxO5mvqM3vj4bwA==}
 
+  js-md5@0.8.3:
+    resolution: {integrity: sha512-qR0HB5uP6wCuRMrWPTrkMaev7MJZwJuuw4fnwAzRgP4J4/F8RwtodOKpGp4XpqsLBFzzgqIO42efFAyz2Et6KQ==}
+
   js-tokens@4.0.0:
     resolution: {integrity: sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==}
 
@@ -4018,6 +4217,9 @@ packages:
     resolution: {integrity: sha512-MT/xP0CrubFRNLNKvxJ2BYfy53Zkm++5bX9dtuPbqAeQpTVe0MQTFhao8+Cp//EmJp244xt6Drw/GVEGCUj40g==}
     engines: {node: '>=12', npm: '>=6'}
 
+  jszip@3.10.1:
+    resolution: {integrity: sha512-xXDvecyTpGLrqFrvkrUSoxxfJI5AH7U8zxxtVclpsUtMCq4JQ290LY8AW5c7Ggnr/Y/oK+bQMbqK2qmtk3pN4g==}
+
   jwa@2.0.1:
     resolution: {integrity: sha512-hRF04fqJIP8Abbkq5NKGN0Bbr3JxlQ+qhZufXVr0DvujKy93ZCbXZMHDL4EOtodSbCWxOqR8MS1tXA5hwqCXDg==}
 
@@ -4052,6 +4254,9 @@ packages:
     resolution: {integrity: sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==}
     engines: {node: '>= 0.8.0'}
 
+  lie@3.3.0:
+    resolution: {integrity: sha512-UaiMJzeWRlEujzAuw5LokY1L5ecNQYZKfmyZ9L7wDHb/p5etKaxXhohBcrw0EYby+G/NA52vRSN4N39dxHAIwQ==}
+
   lightningcss-android-arm64@1.32.0:
     resolution: {integrity: sha512-YK7/ClTt4kAK0vo6w3X+Pnm0D2cf2vPHbhOXdoNti1Ga0al1P4TBZhwjATvjNwLEBCnKvjJc2jQgHXH0NEwlAg==}
     engines: {node: '>= 12.0.0'}
@@ -4126,6 +4331,9 @@ packages:
     resolution: {integrity: sha512-NXYBzinNrblfraPGyrbPoD19C1h9lfI/1mzgWYvXUTe414Gz/X1FD2XBZSZM7rRTrMA8JL3OtAaGifrIKhQ5yQ==}
     engines: {node: '>= 12.0.0'}
 
+  linebreak@1.1.0:
+    resolution: {integrity: sha512-MHp03UImeVhB7XZtjd0E4n6+3xr5Dq/9xI/5FptGk5FrbDR3zagPa2DS6U8ks/3HjbKWG9Q1M2ufOzxV2qLYSQ==}
+
   live-plugin-manager@1.1.0:
     resolution: {integrity: sha512-2rPHP2H5EDtGzsOYbMaaKA/XgEBKEmiTHNaPIu7xn8Qygv2MAT8D3WobVy3dftwWcCUG2kFukb4UtNWsd8gi6Q==}
 
@@ -4183,6 +4391,9 @@ packages:
   long@5.3.2:
     resolution: {integrity: sha512-mNAgZ1GmyNhD7AuqnTG3/VQ26o760+ZYBPKjPvugO8+nLbYfX6TVpJPseBvopbdY+qpZ/lKUnmEc1LeZYS3QAA==}
 
+  lop@0.4.2:
+    resolution: {integrity: sha512-RefILVDQ4DKoRZsJ4Pj22TxE3omDO47yFpkIBoDKzkqPRISs5U1cnAdg/5583YPkWPaLIYHOKRMQSvjFsO26cw==}
+
   lru-cache@10.4.3:
     resolution: {integrity: sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ==}
 
@@ -4209,6 +4420,11 @@ packages:
   magic-string@0.30.21:
     resolution: {integrity: sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==}
 
+  mammoth@1.12.0:
+    resolution: {integrity: sha512-cwnK1RIcRdDMi2HRx2EXGYlxqIEh0Oo3bLhorgnsVJi2UkbX1+jKxuBNR9PC5+JaX7EkmJxFPmo6mjLpqShI2w==}
+    engines: {node: '>=12.0.0'}
+    hasBin: true
+
   mark.js@8.11.1:
     resolution: {integrity: sha512-1I+1qpDt4idfgLQG+BNWmrqku+7/2bi5nLf4YwF8y8zXvmfiTBY3PV3ZibfrjBueCByROpuBjLLFCajqkgYoLQ==}
 
@@ -4285,6 +4501,9 @@ packages:
     engines: {node: '>=4.0.0'}
     hasBin: true
 
+  min-document@2.19.2:
+    resolution: {integrity: sha512-8S5I8db/uZN8r9HSLFVWPdJCvYOejMcEC82VIzNUc6Zkklf/d1gg2psfE79/vyhWOj4+J8MtwmoOz3TmvaGu5A==}
+
   minimatch@10.2.5:
     resolution: {integrity: sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==}
     engines: {node: 18 || 20 || >=22}
@@ -4420,6 +4639,9 @@ packages:
     resolution: {integrity: sha512-dBpDMdxv9Irdq66304OLfEmQ9tbNRFnFTuZiLo+bD+r332bBmMJ8GBLXklIXXgxd3+v9+KUnZaUR5PJMa75Gsg==}
     engines: {node: '>= 0.4.0'}
 
+  next-tick@0.2.2:
+    resolution: {integrity: sha512-f7h4svPtl+QidoBv4taKXUjJ70G2asaZ8G28nS0OkqaalX8dwwrtWtyxEDPK62AC00ur/+/E0pUwBwY5EPn15Q==}
+
   node-domexception@1.0.0:
     resolution: {integrity: sha512-/jKZoMpw0F8GRwl4/eLROPA3cfcXtLApP0QzLmUT/HuPCZWyB7IY9ZrMeKw2O/nFIqPQB3PVM9aYm0F312AXDQ==}
     engines: {node: '>=10.5.0'}
@@ -4433,6 +4655,15 @@ packages:
     resolution: {integrity: sha512-VBlAiynj3VMLrotgwOS3OyECFxas5y7ltLcK4t41lMUZeaK15Ym4QRkqN0EQKAFL42q9i21EPKjzLUPfltR72A==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
 
+  node-fetch@2.7.0:
+    resolution: {integrity: sha512-c4FRfUm/dbcWZ7U+1Wq0AwCyFL+3nt2bEw05wfxSz+DWpWsitgmSgYmy2dQdWyKC1694ELPqMs/YzUSNozLt8A==}
+    engines: {node: 4.x || >=6.0.0}
+    peerDependencies:
+      encoding: ^0.1.0
+    peerDependenciesMeta:
+      encoding:
+        optional: true
+
   node-releases@2.0.38:
     resolution: {integrity: sha512-3qT/88Y3FbH/Kx4szpQQ4HzUbVrHPKTLVpVocKiLfoYvw9XSGOX2FmD2d6DrXbVYyAQTF2HeF6My8jmzx7/CRw==}
 
@@ -4511,6 +4742,9 @@ packages:
   openapi-types@12.1.3:
     resolution: {integrity: sha512-N4YtSYJqghVu4iek2ZUvcN/0aqH1kRDuNqzcycDxhOUpg7GdvLa2F3DgS6yBNhInhv2r/6I0Flkn7CqL8+nIcw==}
 
+  option@0.2.4:
+    resolution: {integrity: sha512-pkEqbDyl8ou5cpq+VsnQbe/WlEy5qS7xPzMS1U55OCG9KPvwFD46zDbxQIj3egJSFc3D+XhYOPUzz49zQAVy7A==}
+
   optional-js@2.3.0:
     resolution: {integrity: sha512-B0LLi+Vg+eko++0z/b8zIv57kp7HKEzaPJo7LowJXMUKYdf+3XJGu/cw03h/JhIOsLnP+cG5QnTHAuicjA5fMw==}
 
@@ -4545,6 +4779,12 @@ packages:
   package-json-from-dist@1.0.1:
     resolution: {integrity: sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw==}
 
+  pako@0.2.9:
+    resolution: {integrity: sha512-NUcwaKxUxWrZLpDG+z/xZaCgQITkA/Dv4V/T6bw7VON6l1Xz/VnrBqrYjZQ12TamKHzITTfOEIYUj48y2KXImA==}
+
+  pako@1.0.11:
+    resolution: {integrity: sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw==}
+
   parse5@7.3.0:
     resolution: {integrity: sha512-IInvU7fabl34qmi9gY8XOVxhYyMyuH2xUNpb2q8/Y+7552KlejkRvqvD19nMoUW/uQGGbqNpA6Tufu5FL5BZgw==}
 
@@ -4559,6 +4799,10 @@ packages:
     resolution: {integrity: sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==}
     engines: {node: '>=8'}
 
+  path-is-absolute@1.0.1:
+    resolution: {integrity: sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==}
+    engines: {node: '>=0.10.0'}
+
   path-key@3.1.1:
     resolution: {integrity: sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==}
     engines: {node: '>=8'}
@@ -4580,6 +4824,9 @@ packages:
   pathe@2.0.3:
     resolution: {integrity: sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w==}
 
+  pdfkit@0.18.0:
+    resolution: {integrity: sha512-NvUwSDZ0eYEzqAiWwVQkRkjYUkZ48kcsHuCO31ykqPPIVkwoSDjDGiwIgHHNtsiwls3z3P/zy4q00hl2chg2Ug==}
+
   perfect-debounce@2.1.0:
     resolution: {integrity: sha512-LjgdTytVFXeUgtHZr9WYViYSM/g8MkcTPYDlPa3cDqMirHjKiSZPYd6DoL7pK8AJQr+uWkQvCjHNdiMqsrJs+g==}
 
@@ -4638,6 +4885,9 @@ packages:
     engines: {node: '>=18'}
     hasBin: true
 
+  png-js@1.1.0:
+    resolution: {integrity: sha512-PM/uYGzGdNSzqeOgly68+6wKQDL1SY0a/N+OEa/+br6LnHWOAJB0Npiamnodfq3jd2LS/i2fMeOKSAILjA+m5Q==}
+
   possible-typed-array-names@1.1.0:
     resolution: {integrity: sha512-/+5VFTchJDoVj3bhoqi6UeymcD00DAwb1nJwamzPvHEszJ4FpF6SNNbUbOS8yI56qHzdV8eK0qEfOSiodkTdxg==}
     engines: {node: '>= 0.4'}
@@ -4670,6 +4920,9 @@ packages:
     resolution: {integrity: sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==}
     engines: {node: '>= 0.8.0'}
 
+  process-nextick-args@2.0.1:
+    resolution: {integrity: sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==}
+
   process@0.11.10:
     resolution: {integrity: sha512-cdGef/drWFoydD1JsMzuFf8100nZl+GT+yacc2bEced5f9Rjk4z+WtFUTBu9PhOi9j/jfmBPu0mMEY4wIdAF8A==}
     engines: {node: '>= 0.6.0'}
@@ -4695,6 +4948,9 @@ packages:
   proxy-from-env@1.1.0:
     resolution: {integrity: sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==}
 
+  punycode@1.4.1:
+    resolution: {integrity: sha512-jmYNElW7yvO7TV33CjSmvSiE2yco3bV2czu/OzDKdMNVZQWfxCblURLhf+47syQRBntjfLdd/H0egrzIG+oaFQ==}
+
   punycode@2.3.1:
     resolution: {integrity: sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==}
     engines: {node: '>=6'}
@@ -4706,6 +4962,9 @@ packages:
   queue-microtask@1.2.3:
     resolution: {integrity: sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==}
 
+  queue@6.0.2:
+    resolution: {integrity: sha512-iHZWu+q3IdFZFX36ro/lKBkSvfkztY5Y7HMiPlOUjhupPcG2JMfst2KKEpu5XndviX/3UhFbRngUPNKtgvtZiA==}
+
   quick-lru@7.3.0:
     resolution: {integrity: sha512-k9lSsjl36EJdK7I06v7APZCbyGT2vMTsYSRX1Q2nbYmnkBqgUhRkAuzH08Ciotteu/PLJmIF2+tti7o3C/ts2g==}
     engines: {node: '>=18'}
@@ -4806,6 +5065,13 @@ packages:
     resolution: {integrity: sha512-llUJLzz1zTUBrskt2pwZgLq59AemifIftw4aB7JxOqf1HY2FDaGDxgwpAPVzHU1kdWabH7FauP4i1oEeer2WCA==}
     engines: {node: '>=0.10.0'}
 
+  readable-stream@2.3.8:
+    resolution: {integrity: sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==}
+
+  readable-stream@3.6.2:
+    resolution: {integrity: sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==}
+    engines: {node: '>= 6'}
+
   readable-stream@4.7.0:
     resolution: {integrity: sha512-oIGGmcpTLwPga8Bn6/Z75SVaH1z5dUut2ibSyAMVhmUggWpmDn2dapB0n7f8nwaSiRtepAsfJyfXIO5DCVAODg==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
@@ -4872,6 +5138,9 @@ packages:
     engines: {node: '>= 0.4'}
     hasBin: true
 
+  restructure@3.0.2:
+    resolution: {integrity: sha512-gSfoiOEA0VPE6Tukkrr7I0RBdE0s7H1eFCDBk05l1KIQT1UIKNc5JZy6jdyW6eYH3aR3g5b3PuL77rq0hvwtAw==}
+
   rethinkdb@2.4.2:
     resolution: {integrity: sha512-6DzwqEpFc8cqesAdo07a845oBRxLiHvWzopTKBo/uY2ypGWIsJQFJk3wjRDtSEhczxJqLS0jnf37rwgzYAw8NQ==}
     engines: {node: '>= 0.10.0'}
@@ -4980,6 +5249,9 @@ packages:
     resolution: {integrity: sha512-AURm5f0jYEOydBj7VQlVvDrjeFgthDdEF5H1dP+6mNpoXOMo1quQqJ4wvJDyRZ9+pO3kGWoOdmV08cSv2aJV6Q==}
     engines: {node: '>=0.4'}
 
+  safe-buffer@5.1.2:
+    resolution: {integrity: sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==}
+
   safe-buffer@5.2.1:
     resolution: {integrity: sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==}
 
@@ -5049,6 +5321,9 @@ packages:
     resolution: {integrity: sha512-RJRdvCo6IAnPdsvP/7m6bsQqNnn1FCBX5ZNtFL98MmFF/4xAIJTIg1YbHW5DC2W5SKZanrC6i4HsJqlajw/dZw==}
     engines: {node: '>= 0.4'}
 
+  setimmediate@1.0.5:
+    resolution: {integrity: sha512-MATJdZp8sLqDl/68LfQmbP8zKPLQNV6BIZoIgrscFDQ+RsvK/BxeDQOgyxKKoh0y/8h3BqVFnCqQ/gd+reiIXA==}
+
   setprototypeof@1.2.0:
     resolution: {integrity: sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==}
 
@@ -5147,6 +5422,9 @@ packages:
     resolution: {integrity: sha512-UcjcJOWknrNkF6PLX83qcHM6KHgVKNkV62Y8a5uYDVv9ydGQVwAHMKqHdJje1VTWpljG0WYpCDhrCdAOYH4TWg==}
     engines: {node: '>= 10.x'}
 
+  sprintf-js@1.0.3:
+    resolution: {integrity: sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==}
+
   sprintf-js@1.1.3:
     resolution: {integrity: sha512-Oo+0REFV59/rz3gfJNKQiBlwfHaSESl1pcGyABQsnnIfWOFt6JNj5gCog2U6MLZ//IGYD+nA8nI+mTShREReaA==}
 
@@ -5179,6 +5457,9 @@ packages:
     resolution: {integrity: sha512-KFxaM7XT+irxvdqSP1LGLgNWbYN7ay5owZ3r/8t77p+EtSUAfUgtl7be3xtqtOmGUl9K9YPO2ca8133RlTjvKw==}
     engines: {node: '>=8.0'}
 
+  string-template@0.2.1:
+    resolution: {integrity: sha512-Yptehjogou2xm4UJbxJ4CxgZx12HBfeystp0y3x7s4Dj32ltVVG1Gg8YhKjHZkHicuKpZX/ffilA8505VbUbpw==}
+
   string-width@4.2.3:
     resolution: {integrity: sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==}
     engines: {node: '>=8'}
@@ -5199,6 +5480,9 @@ packages:
     resolution: {integrity: sha512-UXSH262CSZY1tfu3G3Secr6uGLCFVPMhIqHjlgCUtCCcgihYc/xKs9djMTMUOb2j1mVSeU8EU6NWc/iQKU6Gfg==}
     engines: {node: '>= 0.4'}
 
+  string_decoder@1.1.1:
+    resolution: {integrity: sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==}
+
   string_decoder@1.3.0:
     resolution: {integrity: sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==}
 
@@ -5288,6 +5572,9 @@ packages:
     resolution: {integrity: sha512-pk1Q16Yl62iocuQB+RWbg6rFUFkIyzqOFQ6NfysCltRvQqKwfurgj8v/f2X+CKvDhSL4IJ0cCOfCHDg9PWEEYA==}
     engines: {node: '>=18.17'}
 
+  tiny-inflate@1.0.3:
+    resolution: {integrity: sha512-pkY1fj1cKHb2seWDy0B16HeWyczlJA9/WW3u3c4z/NiWDsO3DOU5D7nhTLE9CF0yXv/QZFY7sEJmj24dK+Rrqw==}
+
   tinybench@2.9.0:
     resolution: {integrity: sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==}
 
@@ -5325,6 +5612,9 @@ packages:
     resolution: {integrity: sha512-LktZQb3IeoUWB9lqR5EWTHgW/VTITCXg4D21M+lvybRVdylLrRMnqaIONLVb5mav8vM19m44HIcGq4qASeu2Qw==}
     engines: {node: '>=16'}
 
+  tr46@0.0.3:
+    resolution: {integrity: sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==}
+
   tr46@5.1.1:
     resolution: {integrity: sha512-hdF5ZgjTqgAntKkklYw0R03MG2x/bSzTtkxmIRw/sTNV8YXsCJ1tfLAX23lhxhHJlEf3CRCOCGGWw3vI3GaSPw==}
     engines: {node: '>=18'}
@@ -5447,6 +5737,12 @@ packages:
     resolution: {integrity: sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==}
     engines: {node: '>=20.18.1'}
 
+  unicode-properties@1.4.1:
+    resolution: {integrity: sha512-CLjCCLQ6UuMxWnbIylkisbRj31qxHPAurvena/0iwSVbQ2G1VY5/HjV0IRabOEbDHlzZlRdCrD4NhB0JtU40Pg==}
+
+  unicode-trie@2.0.0:
+    resolution: {integrity: sha512-x7bc76x0bm4prf1VLg79uhAzKw8DVboClSN5VxJuQ+LKDOVEW9CdH+VY7SP+vX7xCYQqzzgQpFqz15zeLvAtZQ==}
+
   unified@11.0.5:
     resolution: {integrity: sha512-xKvGhPWw3k84Qjh8bI3ZeJjqnyadK+GEFtazSfZv/rKeTkTjOJho6mFqh2SM96iIcZokxiOpg78GazTSg8+KHA==}
 
@@ -5521,6 +5817,9 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0
 
+  util-deprecate@1.0.2:
+    resolution: {integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw==}
+
   uuidv7@1.2.1:
     resolution: {integrity: sha512-4kPkK3/XTQW9Hbm4CaqfICn+kY9LJtDVEOfgsRRra/+n2Ofg4NqzRFceAkxvQ/Ud/6BpHOPzj8cirqM7TzTN5Q==}
     hasBin: true
@@ -5538,6 +5837,9 @@ packages:
   vfile@6.0.3:
     resolution: {integrity: sha512-KzIbH/9tXat2u30jf+smMwFCsno4wHVdNmzFyL+T/L3UGqqk6JKfVqOFOZEpZSHADH1k40ab6NUIXZq422ov3Q==}
 
+  virtual-dom@2.1.1:
+    resolution: {integrity: sha512-wb6Qc9Lbqug0kRqo/iuApfBpJJAq14Sk1faAnSmtqXiwahg7PVTvWMs9L02Z8nNIMqbwsxzBAA90bbtRLbw0zg==}
+
   vite-plugin-babel@1.6.0:
     resolution: {integrity: sha512-VtYA4FSmQREA2oaZ7+jfLS/fBk1/xZMUR94YZzB5s6U9WyptbvThUD1HSSv7oNDU28jGuHmdBZ1wTVGNIoChoQ==}
     peerDependencies:
@@ -5706,6 +6008,9 @@ packages:
     resolution: {integrity: sha512-d2JWLCivmZYTSIoge9MsgFCZrt571BikcWGYkjC1khllbTeDlGqZ2D8vD8E/lJa8WGWbb7Plm8/XJYV7IJHZZw==}
     engines: {node: '>= 8'}
 
+  webidl-conversions@3.0.1:
+    resolution: {integrity: sha512-2JAn3z8AR6rjK8Sm8orRC0h/bcl/DqL7tRPdGZ4I1CjdF+EaMLmYxBHyXuKL849eucPFhvBoxMsflfOb8kxaeQ==}
+
   webidl-conversions@7.0.0:
     resolution: {integrity: sha512-VwddBukDzu71offAQR975unBIGqfKZpM+8ZX6ySk8nYhVoo5CYaZyzt3YBvYtRtO+aoGlqxPg/B87NGVZ/fu6g==}
     engines: {node: '>=12'}
@@ -5726,6 +6031,9 @@ packages:
     resolution: {integrity: sha512-1to4zXBxmXHV3IiSSEInrreIlu02vUOvrhxJJH5vcxYTBDAx51cqZiKdyTxlecdKNSjj8EcxGBxNf6Vg+945gw==}
     engines: {node: ^20.19.0 || ^22.12.0 || >=24.0.0}
 
+  whatwg-url@5.0.0:
+    resolution: {integrity: sha512-saE57nupxk6v3HY35+jzBwYa0rKSy0XR8JSxZPwgLr7ys0IBzhGviA1/TUGJLmSVqs8pb9AnvICXEuOHLprYTw==}
+
   which-boxed-primitive@1.1.1:
     resolution: {integrity: sha512-TbX3mj8n0odCBFVlY8AxkqcHASw3L60jIuF8jFP78az3C2YhmGvqbHBpAjTRH2/xqYunrJ9g1jSyjCjpoWzIAA==}
     engines: {node: '>= 0.4'}
@@ -5795,10 +6103,24 @@ packages:
     engines: {node: '>=0.10.0'}
     hasBin: true
 
+  x-is-array@0.1.0:
+    resolution: {integrity: sha512-goHPif61oNrr0jJgsXRfc8oqtYzvfiMJpTqwE7Z4y9uH+T3UozkGqQ4d2nX9mB9khvA8U2o/UbPOFjgC7hLWIA==}
+
+  x-is-string@0.1.0:
+    resolution: {integrity: sha512-GojqklwG8gpzOVEVki5KudKNoq7MbbjYZCbyWzEz7tyPA7eleiE0+ePwOWQQRb5fm86rD3S8Tc0tSFf3AOv50w==}
+
   xml-name-validator@5.0.0:
     resolution: {integrity: sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==}
     engines: {node: '>=18'}
 
+  xmlbuilder2@2.1.2:
+    resolution: {integrity: sha512-PI710tmtVlQ5VmwzbRTuhmVhKnj9pM8Si+iOZCV2g2SNo3gCrpzR2Ka9wNzZtqfD+mnP+xkrqoNy0sjKZqP4Dg==}
+    engines: {node: '>=8.0'}
+
+  xmlbuilder@10.1.1:
+    resolution: {integrity: sha512-OyzrcFLL/nb6fMGHbiRDuPup9ljBycsdCypwuyg5AAHvyWzGfChJpCXMG88AGTIMFhGZ9RccFN1e6lhg3hkwKg==}
+    engines: {node: '>=4.0'}
+
   xmlchars@2.2.0:
     resolution: {integrity: sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==}
 
@@ -6528,6 +6850,8 @@ snapshots:
       '@tybys/wasm-util': 0.10.2
     optional: true
 
+  '@noble/ciphers@1.3.0': {}
+
   '@noble/hashes@1.8.0': {}
 
   '@nodelib/fs.scandir@2.1.5':
@@ -6544,6 +6868,41 @@ snapshots:
 
   '@nolyfill/is-core-module@1.0.39': {}
 
+  '@oozcitak/dom@1.15.5':
+    dependencies:
+      '@oozcitak/infra': 1.0.5
+      '@oozcitak/url': 1.0.0
+      '@oozcitak/util': 8.0.0
+
+  '@oozcitak/dom@1.15.6':
+    dependencies:
+      '@oozcitak/infra': 1.0.5
+      '@oozcitak/url': 1.0.0
+      '@oozcitak/util': 8.3.4
+
+  '@oozcitak/infra@1.0.3':
+    dependencies:
+      '@oozcitak/util': 1.0.1
+
+  '@oozcitak/infra@1.0.5':
+    dependencies:
+      '@oozcitak/util': 8.0.0
+
+  '@oozcitak/url@1.0.0':
+    dependencies:
+      '@oozcitak/infra': 1.0.3
+      '@oozcitak/util': 1.0.2
+
+  '@oozcitak/util@1.0.1': {}
+
+  '@oozcitak/util@1.0.2': {}
+
+  '@oozcitak/util@8.0.0': {}
+
+  '@oozcitak/util@8.3.3': {}
+
+  '@oozcitak/util@8.3.4': {}
+
   '@opentelemetry/api@1.9.0': {}
 
   '@opentelemetry/api@1.9.1': {}
@@ -6844,7 +7203,7 @@ snapshots:
       '@types/react': 19.2.14
       '@types/react-dom': 19.2.3(@types/react@19.2.14)
 
-  '@redis/bloom@5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))':
+  '@redis/bloom@5.12.1(@redis/client@5.12.1)':
     dependencies:
       '@redis/client': 5.12.1(@opentelemetry/api@1.9.1)
 
@@ -6854,15 +7213,15 @@ snapshots:
     optionalDependencies:
       '@opentelemetry/api': 1.9.1
 
-  '@redis/json@5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))':
+  '@redis/json@5.12.1(@redis/client@5.12.1)':
     dependencies:
       '@redis/client': 5.12.1(@opentelemetry/api@1.9.1)
 
-  '@redis/search@5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))':
+  '@redis/search@5.12.1(@redis/client@5.12.1)':
     dependencies:
       '@redis/client': 5.12.1(@opentelemetry/api@1.9.1)
 
-  '@redis/time-series@5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))':
+  '@redis/time-series@5.12.1(@redis/client@5.12.1)':
     dependencies:
       '@redis/client': 5.12.1(@opentelemetry/api@1.9.1)
 
@@ -7257,6 +7616,10 @@ snapshots:
       '@types/koa': 3.0.0
       '@types/node': 25.6.0
 
+  '@types/pdfkit@0.17.6':
+    dependencies:
+      '@types/node': 25.6.0
+
   '@types/qs@6.14.0': {}
 
   '@types/range-parser@1.2.7': {}
@@ -7713,6 +8076,8 @@ snapshots:
     dependencies:
       vue: 3.5.30(typescript@6.0.3)
 
+  '@xmldom/xmldom@0.8.13': {}
+
   abort-controller@3.0.0:
     dependencies:
       event-target-shim: 5.0.1
@@ -7781,6 +8146,10 @@ snapshots:
     transitivePeerDependencies:
       - '@75lb/nature'
 
+  argparse@1.0.10:
+    dependencies:
+      sprintf-js: 1.0.3
+
   argparse@2.0.1: {}
 
   aria-hidden@1.2.6:
@@ -7871,6 +8240,8 @@ snapshots:
 
   balanced-match@4.0.4: {}
 
+  base64-js@0.0.8: {}
+
   base64-js@1.5.1: {}
 
   base64id@2.0.0: {}
@@ -7900,6 +8271,8 @@ snapshots:
 
   bluebird@2.11.0: {}
 
+  bluebird@3.4.7: {}
+
   body-parser@2.2.1:
     dependencies:
       bytes: 3.1.2
@@ -7931,8 +8304,18 @@ snapshots:
     dependencies:
       fill-range: 7.1.1
 
+  brotli@1.3.3:
+    dependencies:
+      base64-js: 1.5.1
+
+  browser-split@0.0.1: {}
+
   browser-stdout@1.3.1: {}
 
+  browserify-zlib@0.2.0:
+    dependencies:
+      pako: 1.0.11
+
   browserslist@4.28.2:
     dependencies:
       baseline-browser-mapping: 2.10.21
@@ -7975,6 +8358,8 @@ snapshots:
 
   camelcase@6.3.0: {}
 
+  camelize@1.0.1: {}
+
   caniuse-lite@1.0.30001790: {}
 
   cassandra-driver@4.8.0:
@@ -8018,6 +8403,8 @@ snapshots:
       strip-ansi: 6.0.1
       wrap-ansi: 7.0.0
 
+  clone@2.1.2: {}
+
   cluster-key-slot@1.1.2: {}
 
   color-convert@2.0.1:
@@ -8080,6 +8467,8 @@ snapshots:
       depd: 2.0.0
       keygrip: 1.1.0
 
+  core-util-is@1.0.3: {}
+
   cors@2.8.5:
     dependencies:
       object-assign: 4.1.1
@@ -8218,8 +8607,12 @@ snapshots:
       asap: 2.0.6
       wrappy: 1.0.2
 
+  dfa@1.2.0: {}
+
   diff@9.0.0: {}
 
+  dingbat-to-unicode@1.0.1: {}
+
   dir-glob@3.0.1:
     dependencies:
       path-type: 4.0.0
@@ -8232,6 +8625,48 @@ snapshots:
     dependencies:
       esutils: 2.0.3
 
+  dom-serializer@0.2.2:
+    dependencies:
+      domelementtype: 2.3.0
+      entities: 2.2.0
+
+  dom-serializer@3.1.1:
+    dependencies:
+      domelementtype: 3.0.0
+      domhandler: 6.0.1
+      entities: 8.0.0
+
+  dom-walk@0.1.2: {}
+
+  domelementtype@1.3.1: {}
+
+  domelementtype@2.3.0: {}
+
+  domelementtype@3.0.0: {}
+
+  domhandler@2.4.2:
+    dependencies:
+      domelementtype: 1.3.1
+
+  domhandler@6.0.1:
+    dependencies:
+      domelementtype: 3.0.0
+
+  domutils@1.7.0:
+    dependencies:
+      dom-serializer: 0.2.2
+      domelementtype: 1.3.1
+
+  domutils@4.0.2:
+    dependencies:
+      dom-serializer: 3.1.1
+      domelementtype: 3.0.0
+      domhandler: 6.0.1
+
+  duck@0.1.12:
+    dependencies:
+      underscore: 1.13.8
+
   dunder-proto@1.0.1:
     dependencies:
       call-bind-apply-helpers: 1.0.2
@@ -8295,12 +8730,29 @@ snapshots:
       graceful-fs: 4.2.11
       tapable: 2.3.2
 
+  ent@2.2.2:
+    dependencies:
+      call-bound: 1.0.4
+      es-errors: 1.3.0
+      punycode: 1.4.1
+      safe-regex-test: 1.1.0
+
+  entities@1.1.2: {}
+
+  entities@2.2.0: {}
+
   entities@6.0.1: {}
 
   entities@7.0.1: {}
 
   entities@8.0.0: {}
 
+  error@4.4.0:
+    dependencies:
+      camelize: 1.0.1
+      string-template: 0.2.1
+      xtend: 4.0.2
+
   es-abstract@1.24.2:
     dependencies:
       array-buffer-byte-length: 1.0.2
@@ -8469,10 +8921,10 @@ snapshots:
       '@rushstack/eslint-patch': 1.16.1
       '@typescript-eslint/eslint-plugin': 7.18.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0)(typescript@6.0.3)
       '@typescript-eslint/parser': 7.18.0(eslint@10.3.0)(typescript@6.0.3)
-      eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0)(eslint@10.3.0)
+      eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0)
       eslint-plugin-cypress: 2.15.2(eslint@10.3.0)
       eslint-plugin-eslint-comments: 3.2.0(eslint@10.3.0)
-      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0)
+      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0)
       eslint-plugin-mocha: 10.5.0(eslint@10.3.0)
       eslint-plugin-n: 17.24.0(eslint@10.3.0)(typescript@6.0.3)
       eslint-plugin-prefer-arrow: 1.2.3(eslint@10.3.0)
@@ -8493,7 +8945,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0)(eslint@10.3.0):
+  eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0):
     dependencies:
       '@nolyfill/is-core-module': 1.0.39
       debug: 4.4.3(supports-color@8.1.1)
@@ -8504,18 +8956,18 @@ snapshots:
       stable-hash: 0.0.5
       tinyglobby: 0.2.16
     optionalDependencies:
-      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0)
+      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0)
     transitivePeerDependencies:
       - supports-color
 
-  eslint-module-utils@2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0):
+  eslint-module-utils@2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0):
     dependencies:
       debug: 3.2.7
     optionalDependencies:
       '@typescript-eslint/parser': 7.18.0(eslint@10.3.0)(typescript@6.0.3)
       eslint: 10.3.0
       eslint-import-resolver-node: 0.3.10
-      eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0)(eslint@10.3.0)
+      eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0)
     transitivePeerDependencies:
       - supports-color
 
@@ -8537,7 +8989,7 @@ snapshots:
       eslint: 10.3.0
       ignore: 5.3.2
 
-  eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0):
+  eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0):
     dependencies:
       '@rtsao/scc': 1.1.0
       array-includes: 3.1.9
@@ -8548,7 +9000,7 @@ snapshots:
       doctrine: 2.1.0
       eslint: 10.3.0
       eslint-import-resolver-node: 0.3.10
-      eslint-module-utils: 2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0)
+      eslint-module-utils: 2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0)
       hasown: 2.0.2
       is-core-module: 2.16.1
       is-glob: 4.0.3
@@ -8707,6 +9159,10 @@ snapshots:
       - supports-color
       - utf-8-validate
 
+  ev-store@7.0.0:
+    dependencies:
+      individual: 3.0.0
+
   event-target-shim@5.0.1: {}
 
   events@3.3.0: {}
@@ -8844,6 +9300,18 @@ snapshots:
     dependencies:
       tabbable: 6.4.0
 
+  fontkit@2.0.4:
+    dependencies:
+      '@swc/helpers': 0.5.21
+      brotli: 1.3.3
+      clone: 2.1.2
+      dfa: 1.2.0
+      fast-deep-equal: 3.1.3
+      restructure: 3.0.2
+      tiny-inflate: 1.0.3
+      unicode-properties: 1.4.1
+      unicode-trie: 2.0.0
+
   for-each@0.3.5:
     dependencies:
       is-callable: 1.2.7
@@ -8977,6 +9445,11 @@ snapshots:
       package-json-from-dist: 1.0.1
       path-scurry: 1.11.1
 
+  global@4.4.0:
+    dependencies:
+      min-document: 2.19.2
+      process: 0.11.10
+
   globals@13.24.0:
     dependencies:
       type-fest: 0.20.2
@@ -9116,12 +9589,53 @@ snapshots:
     transitivePeerDependencies:
       - '@noble/hashes'
 
+  html-entities@2.6.0: {}
+
   html-parse-stringify@3.0.1:
     dependencies:
       void-elements: 3.1.0
 
+  html-to-docx@1.8.0:
+    dependencies:
+      '@oozcitak/dom': 1.15.6
+      '@oozcitak/util': 8.3.4
+      color-name: 1.1.4
+      html-entities: 2.6.0
+      html-to-vdom: 0.7.0
+      image-size: 1.2.1
+      image-to-base64: 2.2.0
+      jszip: 3.10.1
+      lodash: 4.18.1
+      mime-types: 2.1.35
+      nanoid: 3.3.11
+      virtual-dom: 2.1.1
+      xmlbuilder2: 2.1.2
+    transitivePeerDependencies:
+      - encoding
+
+  html-to-vdom@0.7.0:
+    dependencies:
+      ent: 2.2.2
+      htmlparser2: 3.10.1
+
   html-void-elements@3.0.0: {}
 
+  htmlparser2@12.0.0:
+    dependencies:
+      domelementtype: 3.0.0
+      domhandler: 6.0.1
+      domutils: 4.0.2
+      entities: 8.0.0
+
+  htmlparser2@3.10.1:
+    dependencies:
+      domelementtype: 1.3.1
+      domhandler: 2.4.2
+      domutils: 1.7.0
+      entities: 1.1.2
+      inherits: 2.0.4
+      readable-stream: 3.6.2
+
   http-assert@1.5.0:
     dependencies:
       deep-equal: 1.0.1
@@ -9175,8 +9689,22 @@ snapshots:
 
   ignore@7.0.5: {}
 
+  image-size@1.2.1:
+    dependencies:
+      queue: 6.0.2
+
+  image-to-base64@2.2.0:
+    dependencies:
+      node-fetch: 2.7.0
+    transitivePeerDependencies:
+      - encoding
+
+  immediate@3.0.6: {}
+
   imurmurhash@0.1.4: {}
 
+  individual@3.0.0: {}
+
   inherits@2.0.4: {}
 
   internal-slot@1.1.0:
@@ -9275,6 +9803,8 @@ snapshots:
 
   is-number@7.0.0: {}
 
+  is-object@1.0.2: {}
+
   is-path-inside@3.0.3: {}
 
   is-plain-obj@2.1.0: {}
@@ -9334,6 +9864,8 @@ snapshots:
     dependencies:
       is-inside-container: 1.0.0
 
+  isarray@1.0.0: {}
+
   isarray@2.0.5: {}
 
   isexe@2.0.0: {}
@@ -9350,6 +9882,8 @@ snapshots:
 
   js-md4@0.3.2: {}
 
+  js-md5@0.8.3: {}
+
   js-tokens@4.0.0: {}
 
   js-yaml@4.1.1:
@@ -9431,6 +9965,13 @@ snapshots:
       ms: 2.1.3
       semver: 7.7.4
 
+  jszip@3.10.1:
+    dependencies:
+      lie: 3.3.0
+      pako: 1.0.11
+      readable-stream: 2.3.8
+      setimmediate: 1.0.5
+
   jwa@2.0.1:
     dependencies:
       buffer-equal-constant-time: 1.0.1
@@ -9484,6 +10025,10 @@ snapshots:
       prelude-ls: 1.2.1
       type-check: 0.4.0
 
+  lie@3.3.0:
+    dependencies:
+      immediate: 3.0.6
+
   lightningcss-android-arm64@1.32.0:
     optional: true
 
@@ -9533,6 +10078,11 @@ snapshots:
       lightningcss-win32-arm64-msvc: 1.32.0
       lightningcss-win32-x64-msvc: 1.32.0
 
+  linebreak@1.1.0:
+    dependencies:
+      base64-js: 0.0.8
+      unicode-trie: 2.0.0
+
   live-plugin-manager@1.1.0:
     dependencies:
       '@types/debug': 4.1.12
@@ -9604,6 +10154,12 @@ snapshots:
 
   long@5.3.2: {}
 
+  lop@0.4.2:
+    dependencies:
+      duck: 0.1.12
+      option: 0.2.4
+      underscore: 1.13.8
+
   lru-cache@10.4.3: {}
 
   lru-cache@11.3.6: {}
@@ -9624,6 +10180,19 @@ snapshots:
     dependencies:
       '@jridgewell/sourcemap-codec': 1.5.5
 
+  mammoth@1.12.0:
+    dependencies:
+      '@xmldom/xmldom': 0.8.13
+      argparse: 1.0.10
+      base64-js: 1.5.1
+      bluebird: 3.4.7
+      dingbat-to-unicode: 1.0.1
+      jszip: 3.10.1
+      lop: 0.4.2
+      path-is-absolute: 1.0.1
+      underscore: 1.13.8
+      xmlbuilder: 10.1.1
+
   mark.js@8.11.1: {}
 
   math-intrinsics@1.1.0: {}
@@ -9693,6 +10262,10 @@ snapshots:
 
   mime@2.6.0: {}
 
+  min-document@2.19.2:
+    dependencies:
+      dom-walk: 0.1.2
+
   minimatch@10.2.5:
     dependencies:
       brace-expansion: 5.0.5
@@ -9828,6 +10401,8 @@ snapshots:
 
   netmask@2.0.2: {}
 
+  next-tick@0.2.2: {}
+
   node-domexception@1.0.0: {}
 
   node-exports-info@1.6.0:
@@ -9842,6 +10417,10 @@ snapshots:
       node-domexception: 1.0.0
       web-streams-polyfill: 3.3.3
 
+  node-fetch@2.7.0:
+    dependencies:
+      whatwg-url: 5.0.0
+
   node-releases@2.0.38: {}
 
   nodeify@1.0.1:
@@ -9961,6 +10540,8 @@ snapshots:
 
   openapi-types@12.1.3: {}
 
+  option@0.2.4: {}
+
   optional-js@2.3.0: {}
 
   optionator@0.9.4:
@@ -10029,6 +10610,10 @@ snapshots:
 
   package-json-from-dist@1.0.1: {}
 
+  pako@0.2.9: {}
+
+  pako@1.0.11: {}
+
   parse5@7.3.0:
     dependencies:
       entities: 6.0.1
@@ -10041,6 +10626,8 @@ snapshots:
 
   path-exists@4.0.0: {}
 
+  path-is-absolute@1.0.1: {}
+
   path-key@3.1.1: {}
 
   path-parse@1.0.7: {}
@@ -10056,6 +10643,15 @@ snapshots:
 
   pathe@2.0.3: {}
 
+  pdfkit@0.18.0:
+    dependencies:
+      '@noble/ciphers': 1.3.0
+      '@noble/hashes': 1.8.0
+      fontkit: 2.0.4
+      js-md5: 0.8.3
+      linebreak: 1.1.0
+      png-js: 1.1.0
+
   perfect-debounce@2.1.0: {}
 
   pg-cloudflare@1.3.0:
@@ -10107,6 +10703,10 @@ snapshots:
     optionalDependencies:
       fsevents: 2.3.2
 
+  png-js@1.1.0:
+    dependencies:
+      browserify-zlib: 0.2.0
+
   possible-typed-array-names@1.1.0: {}
 
   postcss@8.5.14:
@@ -10133,6 +10733,8 @@ snapshots:
 
   prelude-ls@1.2.1: {}
 
+  process-nextick-args@2.0.1: {}
+
   process@0.11.10: {}
 
   prom-client@15.1.3:
@@ -10166,6 +10768,8 @@ snapshots:
 
   proxy-from-env@1.1.0: {}
 
+  punycode@1.4.1: {}
+
   punycode@2.3.1: {}
 
   qs@6.15.0:
@@ -10174,6 +10778,10 @@ snapshots:
 
   queue-microtask@1.2.3: {}
 
+  queue@6.0.2:
+    dependencies:
+      inherits: 2.0.4
+
   quick-lru@7.3.0: {}
 
   rambda@7.5.0: {}
@@ -10254,6 +10862,22 @@ snapshots:
 
   react@19.2.5: {}
 
+  readable-stream@2.3.8:
+    dependencies:
+      core-util-is: 1.0.3
+      inherits: 2.0.4
+      isarray: 1.0.0
+      process-nextick-args: 2.0.1
+      safe-buffer: 5.1.2
+      string_decoder: 1.1.1
+      util-deprecate: 1.0.2
+
+  readable-stream@3.6.2:
+    dependencies:
+      inherits: 2.0.4
+      string_decoder: 1.3.0
+      util-deprecate: 1.0.2
+
   readable-stream@4.7.0:
     dependencies:
       abort-controller: 3.0.0
@@ -10268,11 +10892,11 @@ snapshots:
 
   redis@5.12.1(@opentelemetry/api@1.9.1):
     dependencies:
-      '@redis/bloom': 5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))
+      '@redis/bloom': 5.12.1(@redis/client@5.12.1)
       '@redis/client': 5.12.1(@opentelemetry/api@1.9.1)
-      '@redis/json': 5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))
-      '@redis/search': 5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))
-      '@redis/time-series': 5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))
+      '@redis/json': 5.12.1(@redis/client@5.12.1)
+      '@redis/search': 5.12.1(@redis/client@5.12.1)
+      '@redis/time-series': 5.12.1(@redis/client@5.12.1)
     transitivePeerDependencies:
       - '@node-rs/xxhash'
       - '@opentelemetry/api'
@@ -10353,6 +10977,8 @@ snapshots:
       path-parse: 1.0.7
       supports-preserve-symlinks-flag: 1.0.0
 
+  restructure@3.0.2: {}
+
   rethinkdb@2.4.2:
     dependencies:
       bluebird: 2.11.0
@@ -10498,6 +11124,8 @@ snapshots:
       has-symbols: 1.1.0
       isarray: 2.0.5
 
+  safe-buffer@5.1.2: {}
+
   safe-buffer@5.2.1: {}
 
   safe-push-apply@1.0.0:
@@ -10582,6 +11210,8 @@ snapshots:
       es-errors: 1.3.0
       es-object-atoms: 1.1.1
 
+  setimmediate@1.0.5: {}
+
   setprototypeof@1.2.0: {}
 
   shebang-command@2.0.0:
@@ -10725,6 +11355,8 @@ snapshots:
 
   split2@4.2.0: {}
 
+  sprintf-js@1.0.3: {}
+
   sprintf-js@1.1.3: {}
 
   sql-escaper@1.3.3: {}
@@ -10752,6 +11384,8 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  string-template@0.2.1: {}
+
   string-width@4.2.3:
     dependencies:
       emoji-regex: 8.0.0
@@ -10787,6 +11421,10 @@ snapshots:
       define-properties: 1.2.1
       es-object-atoms: 1.1.1
 
+  string_decoder@1.1.1:
+    dependencies:
+      safe-buffer: 5.1.2
+
   string_decoder@1.3.0:
     dependencies:
       safe-buffer: 5.2.1
@@ -10899,6 +11537,8 @@ snapshots:
       - '@azure/core-client'
       - supports-color
 
+  tiny-inflate@1.0.3: {}
+
   tinybench@2.9.0: {}
 
   tinycon@0.6.8: {}
@@ -10928,6 +11568,8 @@ snapshots:
     dependencies:
       tldts: 7.0.29
 
+  tr46@0.0.3: {}
+
   tr46@5.1.1:
     dependencies:
       punycode: 2.3.1
@@ -11081,6 +11723,16 @@ snapshots:
 
   undici@7.25.0: {}
 
+  unicode-properties@1.4.1:
+    dependencies:
+      base64-js: 1.5.1
+      unicode-trie: 2.0.0
+
+  unicode-trie@2.0.0:
+    dependencies:
+      pako: 0.2.9
+      tiny-inflate: 1.0.3
+
   unified@11.0.5:
     dependencies:
       '@types/unist': 3.0.3
@@ -11157,6 +11809,8 @@ snapshots:
     dependencies:
       react: 19.2.5
 
+  util-deprecate@1.0.2: {}
+
   uuidv7@1.2.1: {}
 
   vary@1.1.2: {}
@@ -11176,6 +11830,17 @@ snapshots:
       '@types/unist': 3.0.3
       vfile-message: 4.0.2
 
+  virtual-dom@2.1.1:
+    dependencies:
+      browser-split: 0.0.1
+      error: 4.4.0
+      ev-store: 7.0.0
+      global: 4.4.0
+      is-object: 1.0.2
+      next-tick: 0.2.2
+      x-is-array: 0.1.0
+      x-is-string: 0.1.0
+
   vite-plugin-babel@1.6.0(@babel/core@7.29.0)(vite@8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0)):
     dependencies:
       '@babel/core': 7.29.0
@@ -11306,6 +11971,8 @@ snapshots:
 
   web-streams-polyfill@3.3.3: {}
 
+  webidl-conversions@3.0.1: {}
+
   webidl-conversions@7.0.0: {}
 
   webidl-conversions@8.0.1: {}
@@ -11325,6 +11992,11 @@ snapshots:
     transitivePeerDependencies:
       - '@noble/hashes'
 
+  whatwg-url@5.0.0:
+    dependencies:
+      tr46: 0.0.3
+      webidl-conversions: 3.0.1
+
   which-boxed-primitive@1.1.1:
     dependencies:
       is-bigint: 1.1.0
@@ -11403,8 +12075,20 @@ snapshots:
 
   wtfnode@0.10.1: {}
 
+  x-is-array@0.1.0: {}
+
+  x-is-string@0.1.0: {}
+
   xml-name-validator@5.0.0: {}
 
+  xmlbuilder2@2.1.2:
+    dependencies:
+      '@oozcitak/dom': 1.15.5
+      '@oozcitak/infra': 1.0.5
+      '@oozcitak/util': 8.3.3
+
+  xmlbuilder@10.1.1: {}
+
   xmlchars@2.2.0: {}
 
   xmlhttprequest-ssl@2.1.2: {}
diff --git a/src/node/handler/ExportHandler.ts b/src/node/handler/ExportHandler.ts
index c296f971ce1..4ed2878eb03 100644
--- a/src/node/handler/ExportHandler.ts
+++ b/src/node/handler/ExportHandler.ts
@@ -90,7 +90,72 @@ exports.doExport = async (req: any, res: any, padId: string, readOnlyId: string,
       return;
     }
 
-    // else write the html export to a file
+    // Soffice-first dispatch (issue #7538). When soffice is configured
+    // we keep the legacy convert-via-tempfile path; when it's not, we
+    // hand DOCX to html-to-docx and PDF to our pdfkit walker — both
+    // pure-JS, in-process. No fallback chain: native errors surface as
+    // 5xx so admins see real failures instead of silent shadowing.
+    const {sofficeAvailable} = require('../utils/Settings');
+    const sofState = sofficeAvailable();
+    const goNative = sofState === 'no'
+        || (sofState === 'withoutPDF' && type === 'pdf');
+
+    if (goNative) {
+      const {
+        stripRemoteImages, extractBody, wrapLooseLines, dropEmptyBlocks,
+        applyMonospaceToCode,
+      } = require('../utils/ExportSanitizeHtml');
+      // The HTML pipeline returns a full document (head, style, body); the
+      // legacy soffice path renders that fine, but the in-process
+      // converters need just the body content to avoid leaking CSS into
+      // the output and to drop the document-level whitespace that creates
+      // stray paragraph breaks at the top of the result.
+      // dropEmptyBlocks strips heading-styled blank-line wrappers that
+      // ep_headings2 emits between every styled line.
+      const bodyHtml = dropEmptyBlocks(stripRemoteImages(extractBody(html)));
+      html = null;
+      try {
+        if (type === 'docx') {
+          // applyMonospaceToCode strips `<code>`/`<pre>`/`<tt>` wrappers
+          // (html-to-docx ignores them AND has a bug where it drops
+          // `<a href>` children of those tags) and emits styled
+          // monospace spans, forwarding any block-level alignment style
+          // to a wrapping `<p>`. Run BEFORE wrapLooseLines so the
+          // resulting `<p>` lands at the loose-line boundary instead
+          // of getting double-wrapped.
+          //
+          // wrapLooseLines then handles `<br>` semantics: bare `<br>`
+          // outside `<p>` becomes a soft break, `<br><br>` becomes a
+          // paragraph boundary plus blank-line markers.
+          const docxHtml = wrapLooseLines(applyMonospaceToCode(bodyHtml));
+          const htmlToDocx = require('html-to-docx');
+          const buf = await htmlToDocx(docxHtml);
+          res.contentType(
+              'application/vnd.openxmlformats-officedocument.wordprocessingml.document');
+          res.send(buf);
+          return;
+        }
+        if (type === 'pdf') {
+          const {htmlToPdfBuffer} = require('../utils/ExportPdfNative');
+          const buf = await htmlToPdfBuffer(bodyHtml);
+          res.contentType('application/pdf');
+          res.send(buf);
+          return;
+        }
+        // soffice-only formats (odt, doc) are blocked at the route guard
+        // when soffice is null; reaching here means the guard is wrong.
+        res.status(500).send(`Cannot export ${type} without soffice configured`);
+        return;
+      } catch (err) {
+        console.error(
+            `native ${type} export failed for pad "${padId}":`,
+            err && (err as Error).stack ? (err as Error).stack : err);
+        res.status(500).send(`Failed to export pad as ${type}.`);
+        return;
+      }
+    }
+
+    // soffice path — write the html export to a file
     const randNum = Math.floor(Math.random() * 0xFFFFFFFF);
     const srcFile = `${tempDirectory}/etherpad_export_${randNum}.html`;
     await fsp_writeFile(srcFile, html);
diff --git a/src/node/handler/ImportHandler.ts b/src/node/handler/ImportHandler.ts
index 393c76f2377..d79bb7a67ab 100644
--- a/src/node/handler/ImportHandler.ts
+++ b/src/node/handler/ImportHandler.ts
@@ -65,6 +65,11 @@ if (settings.soffice != null) {
   exportExtension = 'html';
 }
 
+// Office formats with no in-process import path (issue #7538). When soffice
+// is null these are rejected explicitly so users see a clear error instead
+// of a silent ASCII-only fallback. .docx has a native path via mammoth.
+const SOFFICE_ONLY_IMPORT_FORMATS = new Set(['.pdf', '.odt', '.doc', '.rtf']);
+
 const tmpDirectory = os.tmpdir();
 
 /**
@@ -130,6 +135,67 @@ const doImport = async (req:any, res:any, padId:string, authorId:string) => {
     }
   }
 
+  // Detect once whether the contentcollector treats h1-h6/code as block
+  // elements server-side. ep_headings2 v0.2.118+ (after the
+  // ep_plugin_helpers ccRegisterBlockElements wiring lands) registers
+  // them; older versions don't. The two preprocessors below are only
+  // needed when the plugin hook is missing — they're harmful otherwise
+  // (each adds an extra blank pad line per heading transition).
+  const ccBlockElems: string[] =
+      ([] as string[]).concat(...(hooks.callAll('ccRegisterBlockElements') || []));
+  const ccBlockSet = new Set(ccBlockElems.map((t: string) => t.toLowerCase()));
+  // ep_headings2 registers 'h1' along with the others when its server
+  // hook is wired (ccRegisterBlockElements). h1 is sufficient as the
+  // detection probe; the absence of h5/h6 in the set is a quirk of
+  // ep_headings2 (it only handles h1-h4) and not a sign of a broken
+  // hook.
+  const headingsAreBlocks = ccBlockSet.has('h1');
+
+  // Native DOCX import (issue #7538): when soffice isn't configured we
+  // hand .docx files to mammoth, which produces HTML — then we feed that
+  // through the existing setPadHTML pipeline.
+  if (settings.soffice == null && fileEnding === '.docx') {
+    const buf = await fs.readFile(srcFile);
+    const {docxBufferToHtml} = require('../utils/ImportDocxNative');
+    const {separateAdjacentHeadingBlocks} = require('../utils/ExportSanitizeHtml');
+    let nativeHtml: string;
+    try {
+      nativeHtml = await docxBufferToHtml(buf);
+      // When the plugin hook is missing, contentcollector treats h1-h6
+      // as inline and adjacent headings merge into a single pad line.
+      // Insert <br> between them as a defensive workaround. Skipped when
+      // the plugin already registers the tags (otherwise the <br> becomes
+      // an extra blank line per heading transition).
+      if (!headingsAreBlocks) {
+        nativeHtml = separateAdjacentHeadingBlocks(nativeHtml);
+      }
+    } catch (err: any) {
+      logger.warn(`Native DOCX import failed: ${err.stack || err}`);
+      throw new ImportError('convertFailed');
+    }
+    const pad = await padManager.getPad(padId, '\n', authorId);
+    try {
+      await importHtml.setPadHTML(pad, nativeHtml, authorId);
+    } catch (err: any) {
+      logger.warn(`Error importing native DOCX HTML: ${err.stack || err}`);
+      throw new ImportError('convertFailed');
+    }
+    padManager.unloadPad(padId);
+    const reloaded = await padManager.getPad(padId, '\n', authorId);
+    padManager.unloadPad(padId);
+    await padMessageHandler.updatePadClients(reloaded);
+    rm(srcFile);
+    return false;
+  }
+
+  // Without soffice, the legacy office formats (pdf, odt, doc, rtf) have
+  // no in-process path. Reject explicitly so the user sees a clear error
+  // instead of a silent ASCII-only fallback.
+  if (settings.soffice == null && SOFFICE_ONLY_IMPORT_FORMATS.has(fileEnding)) {
+    logger.warn(`Cannot import ${fileEnding} without soffice configured`);
+    throw new ImportError('uploadFailed');
+  }
+
   const destFile = path.join(tmpDirectory, `etherpad_import_${randNum}.${exportExtension}`);
   const context = {srcFile, destFile, fileEnding, padId, ImportError};
   const importHandledByPlugin = (await hooks.aCallAll('import', context)).some((x:string) => x);
@@ -205,7 +271,20 @@ const doImport = async (req:any, res:any, padId:string, authorId:string) => {
   if (!directDatabaseAccess) {
     if (importHandledByPlugin || useConverter || fileIsHTML) {
       try {
-        await importHtml.setPadHTML(pad, text, authorId);
+        // Etherpad's HTML export wraps each pad line in `<p>...</p>`
+        // (or `<h1>`, `<code>`, etc.) and then appends a `<br>` between
+        // lines. The closing block tag already ends the line for
+        // contentcollector, so the trailing `<br>` is redundant and
+        // doubles every blank line on import. Collapse `</block><br>`
+        // before handing to setPadHTML so HTML round-trips don't drift.
+        // Only applied to HTML imports (and converted-via-soffice
+        // outputs, which look the same shape) -- the docx native path
+        // above doesn't go through here.
+        const {collapseRedundantBrAfterBlocks} =
+            require('../utils/ExportSanitizeHtml');
+        const cleaned = (fileIsHTML || useConverter)
+            ? collapseRedundantBrAfterBlocks(text) : text;
+        await importHtml.setPadHTML(pad, cleaned, authorId);
       } catch (err:any) {
         logger.warn(`Error importing, possibly caused by malformed HTML: ${err.stack || err}`);
       }
diff --git a/src/node/hooks/express/importexport.ts b/src/node/hooks/express/importexport.ts
index a4fe321dd21..6e8dd100399 100644
--- a/src/node/hooks/express/importexport.ts
+++ b/src/node/hooks/express/importexport.ts
@@ -36,9 +36,11 @@ exports.expressCreateServer = (hookName:string, args:ArgsExpressType, cb:Functio
         return next();
       }
 
-      // if soffice is disabled, and this is a format we only support with soffice, output a message
+      // When soffice is disabled, only block formats with no native path.
+      // pdf and docx fall through to ExportHandler, which dispatches to
+      // the in-process converters (issue #7538).
       if (exportAvailable() === 'no' &&
-          ['odt', 'pdf', 'doc', 'docx'].indexOf(req.params.type) !== -1) {
+          ['odt', 'doc'].indexOf(req.params.type) !== -1) {
         console.error(`Impossible to export pad "${req.params.pad}" in ${req.params.type} format.` +
                       ' There is no converter configured');
 
diff --git a/src/node/utils/ExportPdfNative.ts b/src/node/utils/ExportPdfNative.ts
new file mode 100644
index 00000000000..d9a7a141123
--- /dev/null
+++ b/src/node/utils/ExportPdfNative.ts
@@ -0,0 +1,248 @@
+'use strict';
+
+import {Parser} from 'htmlparser2';
+import {PassThrough} from 'stream';
+
+const PDFDocument = require('pdfkit');
+
+interface InlineState {
+  bold: boolean;
+  italic: boolean;
+  underline: boolean;
+  strike: boolean;
+  link?: string;
+  fontSize?: number;
+  align?: 'left' | 'center' | 'right' | 'justify';
+  mono?: boolean;
+}
+
+const parseAlign = (style: string | undefined): InlineState['align'] | undefined => {
+  if (!style) return undefined;
+  const m = /text-align\s*:\s*(left|center|right|justify)/i.exec(style);
+  return m ? (m[1].toLowerCase() as InlineState['align']) : undefined;
+};
+
+const HEADING_SIZES: Record<string, number> = {
+  h1: 24, h2: 20, h3: 16, h4: 14, h5: 12, h6: 11,
+};
+
+// Tags whose text content must never appear in the rendered PDF (CSS,
+// scripts, document metadata). The walker maintains a depth counter so that
+// nested elements inside one of these are ignored too.
+const SKIP_TAGS = new Set(['head', 'style', 'script', 'title', 'meta', 'link', 'noscript']);
+
+const decodeDataUri = (src: string): Buffer | null => {
+  const m = /^data:[^;,]+;base64,(.+)$/i.exec(src);
+  if (!m) return null;
+  try {
+    return Buffer.from(m[1], 'base64');
+  } catch {
+    return null;
+  }
+};
+
+export const htmlToPdfBuffer = (html: string): Promise<Buffer> =>
+  new Promise((resolve, reject) => {
+    // compress:false keeps the content stream uncompressed. Pads are small
+    // enough that the size cost is negligible, and it lets ops greppable PDFs
+    // out of the box for accessibility / search-engine indexers that don't
+    // FlateDecode.
+    const doc = new PDFDocument({margin: 50, compress: false});
+    const stream = new PassThrough();
+    const chunks: Buffer[] = [];
+    stream.on('data', (c: Buffer) => chunks.push(c));
+    stream.on('end', () => resolve(Buffer.concat(chunks)));
+    stream.on('error', reject);
+    doc.pipe(stream);
+
+    const styleStack: InlineState[] = [{
+      bold: false, italic: false, underline: false, strike: false,
+    }];
+    const listType: ('ul' | 'ol' | null)[] = [];
+    const listIndex: number[] = [];
+    let pendingNewline = false;
+    let skipDepth = 0;
+
+    const top = () => styleStack[styleStack.length - 1];
+
+    const applyFont = () => {
+      const s = top();
+      let variant: string;
+      if (s.mono) {
+        variant =
+          s.bold && s.italic ? 'Courier-BoldOblique' :
+          s.bold ? 'Courier-Bold' :
+          s.italic ? 'Courier-Oblique' :
+          'Courier';
+      } else {
+        variant =
+          s.bold && s.italic ? 'Helvetica-BoldOblique' :
+          s.bold ? 'Helvetica-Bold' :
+          s.italic ? 'Helvetica-Oblique' :
+          'Helvetica';
+      }
+      doc.font(variant);
+      doc.fontSize(s.fontSize || 11);
+    };
+
+    // Track whether the current run started with an alignment override so
+    // we apply `align` exactly once per pdfkit text() call (pdfkit uses the
+    // align option of the first call in a continued run for the whole line).
+    let runStartedAligned = false;
+
+    const writeText = (raw: string) => {
+      if (!raw) return;
+      if (pendingNewline) {
+        doc.moveDown(0.5);
+        pendingNewline = false;
+      }
+      const s = top();
+      applyFont();
+      const opts: any = {continued: true};
+      if (s.underline) opts.underline = true;
+      if (s.strike) opts.strike = true;
+      if (s.link) opts.link = s.link;
+      if (s.align && !runStartedAligned) {
+        opts.align = s.align;
+        runStartedAligned = true;
+      }
+      doc.text(raw, opts);
+    };
+
+    // End the current `continued: true` text run. pdfkit's `text('', false)`
+    // closes the run but does NOT advance the cursor — subsequent text would
+    // overlay at the same y. Use `breakLine` whenever a true newline is
+    // intended (br, end-of-block, list items).
+    const flushLine = () => {
+      doc.text('', {continued: false});
+      runStartedAligned = false;
+    };
+    const breakLine = () => {
+      flushLine();
+      doc.moveDown(1);
+    };
+
+    const parser = new Parser({
+      onopentag(name, attribs) {
+        if (SKIP_TAGS.has(name)) skipDepth += 1;
+        if (skipDepth > 0) {
+          styleStack.push({...top()});
+          return;
+        }
+        const cur = top();
+        const next: InlineState = {...cur};
+        switch (name) {
+          case 'b': case 'strong': next.bold = true; break;
+          case 'i': case 'em': next.italic = true; break;
+          case 'u': next.underline = true; break;
+          case 's': case 'strike': case 'del': next.strike = true; break;
+          case 'a': next.link = attribs.href; next.underline = true; break;
+          case 'code': case 'tt': case 'kbd': case 'samp': {
+            next.mono = true;
+            // ep_headings2 uses <code style='text-align:...'> as a block-
+            // styled "code" line, so read the alignment off the opening
+            // tag too. parseAlign returns undefined when no text-align
+            // is set, so this is a no-op for inline <code> usage.
+            const a = parseAlign(attribs.style);
+            if (a) next.align = a;
+            break;
+          }
+          case 'pre': {
+            next.mono = true;
+            const a = parseAlign(attribs.style);
+            if (a) next.align = a;
+            if (!pendingNewline) breakLine();
+            break;
+          }
+          case 'h1': case 'h2': case 'h3': case 'h4': case 'h5': case 'h6': {
+            next.fontSize = HEADING_SIZES[name];
+            next.bold = true;
+            const a = parseAlign(attribs.style);
+            if (a) next.align = a;
+            if (!pendingNewline) breakLine();
+            break;
+          }
+          case 'p': case 'div': {
+            const a = parseAlign(attribs.style);
+            if (a) next.align = a;
+            if (!pendingNewline) breakLine();
+            break;
+          }
+          case 'ul': case 'ol':
+            listType.push(name as 'ul' | 'ol');
+            listIndex.push(0);
+            breakLine();
+            break;
+          case 'li': {
+            breakLine();
+            const t = listType[listType.length - 1] || 'ul';
+            if (t === 'ol') listIndex[listIndex.length - 1] += 1;
+            const prefix = t === 'ul'
+              ? '• '
+              : `${listIndex[listIndex.length - 1]}. `;
+            const indent = '   '.repeat(Math.max(0, listType.length - 1));
+            applyFont();
+            doc.text(`${indent}${prefix}`, {continued: true});
+            break;
+          }
+          case 'br':
+            breakLine();
+            break;
+          case 'img': {
+            const buf = decodeDataUri(attribs.src || '');
+            if (buf) {
+              flushLine();
+              try { doc.image(buf, {fit: [400, 300]}); } catch { /* skip bad image */ }
+            }
+            break;
+          }
+        }
+        styleStack.push(next);
+      },
+
+      ontext(text) {
+        if (skipDepth > 0) return;
+        // Collapse consecutive whitespace to a single space, the way an
+        // HTML renderer would. Without this, literal newlines and tabs in
+        // pretty-printed source HTML show up as runs of " " in the PDF.
+        const collapsed = text.replace(/[\s ]+/g, ' ');
+        if (collapsed === ' ') return;  // pure-whitespace runs are dropped
+        writeText(collapsed);
+      },
+
+      onclosetag(name) {
+        if (skipDepth > 0) {
+          if (SKIP_TAGS.has(name)) skipDepth -= 1;
+          styleStack.pop();
+          if (styleStack.length === 0) {
+            styleStack.push({bold: false, italic: false, underline: false, strike: false});
+          }
+          return;
+        }
+        switch (name) {
+          case 'h1': case 'h2': case 'h3': case 'h4': case 'h5': case 'h6':
+          case 'p': case 'div': case 'pre':
+            breakLine();
+            pendingNewline = true;
+            break;
+          case 'li':
+            flushLine();
+            break;
+          case 'ul': case 'ol':
+            listType.pop();
+            listIndex.pop();
+            doc.moveDown(0.3);
+            break;
+        }
+        styleStack.pop();
+        if (styleStack.length === 0) {
+          styleStack.push({bold: false, italic: false, underline: false, strike: false});
+        }
+      },
+    }, {decodeEntities: true, lowerCaseTags: true});
+
+    parser.write(html);
+    parser.end();
+    flushLine();
+    doc.end();
+  });
diff --git a/src/node/utils/ExportSanitizeHtml.ts b/src/node/utils/ExportSanitizeHtml.ts
new file mode 100644
index 00000000000..bc2028bcd60
--- /dev/null
+++ b/src/node/utils/ExportSanitizeHtml.ts
@@ -0,0 +1,215 @@
+'use strict';
+
+import {Parser} from 'htmlparser2';
+
+// Pull `<body>...</body>` out of a full HTML document. Etherpad's
+// `getPadHTMLDocument()` returns a complete page — `<head>` with a `<style>`
+// block, doctype, etc. The legacy LibreOffice path renders that fine, but
+// the in-process converters (html-to-docx, our pdfkit walker) treat
+// non-body content as renderable, leaking CSS into the output and giving
+// blank-line issues from the leading whitespace inside `<body>`. This helper
+// extracts the body content and trims surrounding whitespace; if the input
+// has no `<body>`, it's returned unchanged so plugin-shaped fragments still
+// flow through.
+const BODY_RE = /<body[^>]*>([\s\S]*?)<\/body>/i;
+export const extractBody = (html: string): string => {
+  const m = BODY_RE.exec(html);
+  if (!m) return html;
+  return m[1].replace(/^[\s ]+/, '').replace(/[\s ]+$/, '');
+};
+
+// Drop `<br>` immediately following a closing block tag. Etherpad's
+// HTML export writes one `<p>...</p>` per pad line (or `<h1>...</h1>`,
+// `<code>...</code>` for the styled ones from ep_align/ep_headings2),
+// then appends a `<br>` between lines. The `<br>` is redundant — the
+// closing block tag already ends the line — and on import the server
+// content collector counts BOTH as line breaks, so every blank line
+// between two paragraphs gets duplicated.
+const REDUNDANT_BR_RE =
+  /(<\/(?:p|h[1-6]|div|pre|blockquote|code|ul|ol|li|table|tr|td|th)>)\s*<br\s*\/?>/gi;
+export const collapseRedundantBrAfterBlocks = (html: string): string =>
+    html.replace(REDUNDANT_BR_RE, '$1');
+
+// Insert a `<br>` between adjacent heading-style blocks so etherpad's
+// server-side content collector breaks them into separate pad lines.
+//
+// Background: contentcollector's default `_blockElems` set is just
+// `{div, p, pre, li}`. ep_headings2 registers the CLIENT-side
+// `aceRegisterBlockElements` for `h1..h4` and `code`, but not the
+// SERVER-side `ccRegisterBlockElements`, so on import contentcollector
+// treats those tags as inline and merges adjacent ones into a single
+// line. This helper fires on the IMPORT path (after mammoth produces
+// HTML) to forcibly separate them.
+const ADJACENT_HEADING_BLOCKS_RE =
+  /(<\/(?:h[1-6]|code)>)(\s*<(?:h[1-6]|code|p|pre|div|blockquote|ul|ol)\b)/gi;
+export const separateAdjacentHeadingBlocks = (html: string): string =>
+    html.replace(ADJACENT_HEADING_BLOCKS_RE, '$1<br>$2');
+
+// Convert code/pre/tt/kbd/samp wrappers to plain styled spans (and a
+// wrapping <p> when block-styled) so html-to-docx renders them with
+// `<w:rFonts w:ascii="Courier New" .../>`. The bare `<code>` tag
+// isn't translated to a font change by html-to-docx, AND it has a
+// nasty bug where any `<a href>` nested inside `<code>` (or inside a
+// styled `<span>`) is silently dropped from the output. Workaround:
+// drop the code/pre tag entirely, wrap non-anchor text in monospace
+// spans, leave anchors as-is. For block-level usage (e.g.
+// ep_headings2's `<code style='text-align:right'>` per-line wrapper)
+// we emit a wrapping `<p>` and forward any text-align style.
+//
+// Run BEFORE `wrapLooseLines` so the resulting `<p>` lands at the
+// loose-line boundary instead of getting double-wrapped.
+const MONO_TAGS_RE = /<(code|tt|kbd|samp|pre)\b([^>]*)>([\s\S]*?)<\/\1>/gi;
+const ANCHOR_RE = /<a\b[^>]*>[\s\S]*?<\/a>/gi;
+const STYLE_ATTR_RE = /\bstyle\s*=\s*(['"])([^'"]*)\1/i;
+const COURIER_OPEN = '<span style="font-family:\'Courier New\', monospace">';
+const COURIER_CLOSE = '</span>';
+
+const wrapNonAnchorSegments = (content: string): string => {
+  let out = '';
+  let lastIndex = 0;
+  let m: RegExpExecArray | null;
+  ANCHOR_RE.lastIndex = 0;
+  while ((m = ANCHOR_RE.exec(content)) !== null) {
+    const before = content.slice(lastIndex, m.index);
+    if (before) out += `${COURIER_OPEN}${before}${COURIER_CLOSE}`;
+    out += m[0];
+    lastIndex = m.index + m[0].length;
+  }
+  if (lastIndex < content.length) {
+    const after = content.slice(lastIndex);
+    if (after) out += `${COURIER_OPEN}${after}${COURIER_CLOSE}`;
+  }
+  return out || `${COURIER_OPEN}${content}${COURIER_CLOSE}`;
+};
+
+export const applyMonospaceToCode = (html: string): string =>
+    html.replace(MONO_TAGS_RE, (_, tag, attrs, content) => {
+      const styled = wrapNonAnchorSegments(content);
+      // Block-level treatment for <pre> (always) and <code>/<tt>/etc.
+      // when the wrapper carries an inline style (ep_headings2 +
+      // ep_align emit `<code style='text-align:right'>` for each pad
+      // line). Forward the style to a wrapping `<p>`.
+      const styleMatch = STYLE_ATTR_RE.exec(attrs);
+      if (tag.toLowerCase() === 'pre' || styleMatch) {
+        const styleAttr = styleMatch ? ` style="${styleMatch[2]}"` : '';
+        return `<p${styleAttr}>${styled}</p>`;
+      }
+      return styled;
+    });
+
+// Drop block elements whose only content is whitespace. Etherpad plugins
+// like ep_headings2 emit a heading-styled blank-line block (e.g.
+// `<h1 style='text-align:right'></h1>`) after every styled line, which
+// turns into an extra empty `<w:p>` in DOCX and an extra blank line in
+// PDF. Iterates because removing one empty wrapper can expose another.
+//
+// Note: `<p></p>` is intentionally NOT in this list — `wrapLooseLines`
+// uses empty `<p>` markers to encode blank-line gaps for round-trip
+// fidelity through html-to-docx.
+const EMPTY_BLOCK_RE = /<(h[1-6]|code|pre|div|blockquote)\b[^>]*>\s*<\/\1>/gi;
+export const dropEmptyBlocks = (html: string): string => {
+  let prev: string;
+  let cur = html;
+  do {
+    prev = cur;
+    cur = cur.replace(EMPTY_BLOCK_RE, '');
+  } while (cur !== prev);
+  return cur;
+};
+
+// Wrap loose text + inline content in `<p>` blocks so html-to-docx renders
+// `<br>` as a soft line break (`<w:br/>`) instead of a paragraph break
+// (`<w:p>`). Etherpad's HTML export uses bare `<br>` for every line and
+// `<br><br>` for blank lines, so without this DOCX exports get one Word
+// paragraph per line and two empty paragraphs for every blank line.
+//
+// Strategy: capture `<br>` separators of length >= 2 (paragraph separators)
+// AND remember how many `<br>`s each separator contains, so blank-line
+// gaps survive the round-trip. For N consecutive `<br>`s, emit one
+// closing-then-opening paragraph break PLUS (N - 2) empty `<p></p>`
+// markers (each empty paragraph = one blank pad line).
+const BLOCK_HEAD_RE = /^<(?:p|h[1-6]|ul|ol|table|blockquote|pre|div)[\s>/]/i;
+// Anchored so the inner `\s*` can't overlap with surrounding whitespace and
+// trigger exponential backtracking. Matches `<br>` followed by at least one
+// more `<br>` (with optional whitespace between).
+const BR_PARA_RE = /<br\s*\/?>(?:\s*<br\s*\/?>)+/gi;
+const TRAILING_BR_RE = /(?:<br\s*\/?>\s*)+$/i;
+const BR_COUNT_RE = /<br/gi;
+export const wrapLooseLines = (html: string): string => {
+  // split() with a capturing group keeps the separators in the result, so
+  // parts[i] alternates between content (even i) and br-run separator
+  // (odd i).
+  const parts = html.split(/(<br\s*\/?>(?:\s*<br\s*\/?>)+)/gi);
+  const out: string[] = [];
+  for (let i = 0; i < parts.length; i++) {
+    if (i % 2 === 0) {
+      const c = parts[i].replace(TRAILING_BR_RE, '').trim();
+      if (!c) continue;
+      out.push(BLOCK_HEAD_RE.test(c) ? c : `<p>${c}</p>`);
+    } else {
+      // Separator of N >= 2 <br>s. The first <br> is the paragraph
+      // boundary; the remaining (N - 1) each represent one blank pad
+      // line, emitted as an empty <p></p>.
+      const n = (parts[i].match(BR_COUNT_RE) || []).length;
+      for (let k = 0; k < n - 1; k++) out.push('<p></p>');
+    }
+  }
+  return out.join('');
+};
+
+const isLocalSrc = (src: string): boolean => {
+  if (!src) return true;
+  if (src.startsWith('data:')) return true;
+  if (src.startsWith('//')) return false;
+  if (/^[a-z][a-z0-9+.-]*:/i.test(src)) return false;
+  return true;
+};
+
+const escapeAttr = (s: string): string =>
+    s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
+
+const escapeText = (s: string): string =>
+    s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+
+const VOID_TAGS = new Set([
+  'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
+  'link', 'meta', 'source', 'track', 'wbr',
+]);
+
+export const stripRemoteImages = (html: string): string => {
+  let out = '';
+  const parser = new Parser({
+    onopentag(name, attribs) {
+      if (name === 'img') {
+        const src = attribs.src || '';
+        if (isLocalSrc(src)) {
+          let tag = '<img';
+          for (const [k, v] of Object.entries(attribs)) {
+            tag += ` ${k}="${escapeAttr(v)}"`;
+          }
+          tag += '>';
+          out += tag;
+        } else {
+          out += escapeText(attribs.alt || '');
+        }
+        return;
+      }
+      let tag = `<${name}`;
+      for (const [k, v] of Object.entries(attribs)) {
+        tag += ` ${k}="${escapeAttr(v)}"`;
+      }
+      tag += '>';
+      out += tag;
+    },
+    ontext(text) {
+      out += text;
+    },
+    onclosetag(name) {
+      if (VOID_TAGS.has(name)) return;
+      out += `</${name}>`;
+    },
+  }, {decodeEntities: false, lowerCaseTags: true});
+  parser.write(html);
+  parser.end();
+  return out;
+};
diff --git a/src/node/utils/ImportDocxNative.ts b/src/node/utils/ImportDocxNative.ts
new file mode 100644
index 00000000000..47b84528a4d
--- /dev/null
+++ b/src/node/utils/ImportDocxNative.ts
@@ -0,0 +1,83 @@
+'use strict';
+
+const mammoth = require('mammoth');
+const JSZip = require('jszip');
+
+// mammoth strips paragraph alignment (<w:jc>) when it converts a docx to
+// HTML; it has no equivalent style-mapping for justification. To keep
+// alignment through the round-trip we walk the docx's document.xml
+// directly, pull the `w:val` from each `<w:p>`'s `<w:jc>`, and inject a
+// matching `style="text-align:..."` onto the corresponding block element
+// in mammoth's output. Match is by document order: the Nth `<p>` /
+// `<h1>...<h6>` in mammoth's output corresponds to the Nth `<w:p>` in
+// the docx.
+const PARA_RE = /<w:p\b[^>]*>([\s\S]*?)<\/w:p>/g;
+const JC_RE = /<w:jc\s+w:val=["']([^"']+)["']/;
+// Word's `w:jc` accepts more values than CSS text-align; map the ones
+// we want to surface and skip the rest.
+const JC_TO_CSS: Record<string, string> = {
+  left: 'left',
+  start: 'left',
+  center: 'center',
+  right: 'right',
+  end: 'right',
+  both: 'justify',
+  justify: 'justify',
+  distribute: 'justify',
+};
+
+const extractAlignmentMap = async (buffer: Buffer): Promise<Array<string|null>> => {
+  const aligns: Array<string|null> = [];
+  try {
+    const zip = await JSZip.loadAsync(buffer);
+    const file = zip.file('word/document.xml');
+    if (!file) return aligns;
+    const xml: string = await file.async('text');
+    let m: RegExpExecArray | null;
+    while ((m = PARA_RE.exec(xml)) !== null) {
+      const jcMatch = JC_RE.exec(m[1]);
+      const css = jcMatch ? JC_TO_CSS[jcMatch[1].toLowerCase()] : null;
+      aligns.push(css || null);
+    }
+  } catch {
+    // Best-effort — if the docx structure is anything other than a
+    // standard document.xml, fall back to no alignment.
+  }
+  return aligns;
+};
+
+const applyAlignmentToHtml = (html: string, aligns: Array<string|null>): string => {
+  if (aligns.length === 0 || !aligns.some((a) => a && a !== 'left')) return html;
+  let i = 0;
+  return html.replace(/<(p|h[1-6])(\b[^>]*)>/gi, (whole: string, tag: string, attrs: string) => {
+    const align = aligns[i++];
+    if (!align || align === 'left') return whole;
+    if (/\bstyle\s*=/.test(attrs)) {
+      return `<${tag}${attrs.replace(
+          /\bstyle\s*=\s*(['"])([^'"]*)\1/i,
+          (_full: string, q: string, val: string) => `style=${q}${val}; text-align:${align}${q}`)}>`;
+    }
+    return `<${tag}${attrs} style="text-align:${align}">`;
+  });
+};
+
+export const docxBufferToHtml = async (buffer: Buffer): Promise<string> => {
+  const aligns = await extractAlignmentMap(buffer);
+  const result = await mammoth.convertToHtml(
+    {buffer},
+    {
+      // Preserve empty paragraphs so blank pad lines survive a
+      // round-trip. mammoth defaults to true and drops them, which
+      // collapses blank lines in the middle of a pad's content.
+      ignoreEmptyParagraphs: false,
+      convertImage: mammoth.images.imgElement(async (image: any) => {
+        const buf: Buffer = await image.read();
+        const contentType = image.contentType || 'application/octet-stream';
+        return {src: `data:${contentType};base64,${buf.toString('base64')}`};
+      }),
+    },
+  );
+  let html: string = result.value || '';
+  html = applyAlignmentToHtml(html, aligns);
+  return html;
+};
diff --git a/src/package.json b/src/package.json
index 285765a01fb..5a2d93965de 100644
--- a/src/package.json
+++ b/src/package.json
@@ -43,6 +43,8 @@
     "express-session": "^1.19.0",
     "find-root": "1.1.0",
     "formidable": "^3.5.4",
+    "html-to-docx": "^1.8.0",
+    "htmlparser2": "^12.0.0",
     "http-errors": "^2.0.1",
     "jose": "^6.2.3",
     "js-cookie": "^3.0.5",
@@ -55,6 +57,7 @@
     "lodash.clonedeep": "4.5.0",
     "log4js": "^6.9.1",
     "lru-cache": "^11.3.6",
+    "mammoth": "^1.12.0",
     "measured-core": "^2.0.0",
     "mime-types": "^3.0.2",
     "mongodb": "^7.1.1",
@@ -63,6 +66,7 @@
     "nano": "^11.0.5",
     "oidc-provider": "9.8.3",
     "openapi-backend": "^5.16.1",
+    "pdfkit": "^0.18.0",
     "pg": "^8.20.0",
     "prom-client": "^15.1.3",
     "proxy-addr": "^2.0.7",
@@ -111,6 +115,7 @@
     "@types/mocha": "^10.0.9",
     "@types/node": "^25.6.0",
     "@types/oidc-provider": "^9.5.0",
+    "@types/pdfkit": "^0.17.6",
     "@types/semver": "^7.7.1",
     "@types/sinon": "^21.0.1",
     "@types/supertest": "^7.2.0",
diff --git a/src/static/js/pad_impexp.ts b/src/static/js/pad_impexp.ts
index de16213dff5..a6333bcfff2 100644
--- a/src/static/js/pad_impexp.ts
+++ b/src/static/js/pad_impexp.ts
@@ -144,24 +144,18 @@ const padimpexp = (() => {
       $('#exportetherpada').attr('href', `${padRootPath}/export/etherpad`);
       $('#exportplaina').attr('href', `${padRootPath}/export/txt`);
 
-      // hide stuff thats not avaible if soffice is disabled
+      // DOCX and PDF are always available — soffice when configured,
+      // native pure-JS converters otherwise (issue #7538). ODT still
+      // requires soffice. The 'withoutPDF' branch (Windows soffice
+      // without PDF) is handled by the server-side cascade routing
+      // PDF through native; the UI link stays.
       const wordFormat = clientVars.docxExport ? 'docx' : 'doc';
+      $('#exportworda').attr('href', `${padRootPath}/export/${wordFormat}`);
+      $('#exportpdfa').attr('href', `${padRootPath}/export/pdf`);
       if (clientVars.exportAvailable === 'no') {
-        $('#exportworda').remove();
-        $('#exportpdfa').remove();
         $('#exportopena').remove();
         $('#importmessagenoconverter').prop('hidden', false);
-      } else if (clientVars.exportAvailable === 'withoutPDF') {
-        $('#exportpdfa').remove();
-
-        $('#exportworda').attr('href', `${padRootPath}/export/${wordFormat}`);
-        $('#exportopena').attr('href', `${padRootPath}/export/odt`);
-
-        $('#importexport').css({height: '142px'});
-        $('#importexportline').css({height: '142px'});
       } else {
-        $('#exportworda').attr('href', `${padRootPath}/export/${wordFormat}`);
-        $('#exportpdfa').attr('href', `${padRootPath}/export/pdf`);
         $('#exportopena').attr('href', `${padRootPath}/export/odt`);
       }
 
diff --git a/src/tests/backend/specs/export.ts b/src/tests/backend/specs/export.ts
index 0abe24cda59..b3fb94c673e 100644
--- a/src/tests/backend/specs/export.ts
+++ b/src/tests/backend/specs/export.ts
@@ -2,6 +2,7 @@
 
 import {MapArrayType} from "../../../node/types/MapType";
 
+const assert = require('assert').strict;
 const common = require('../common');
 const padManager = require('../../../node/db/PadManager');
 import settings from '../../../node/utils/Settings';
@@ -21,8 +22,542 @@ describe(__filename, function () {
   });
 
   it('returns 500 on export error', async function () {
-    settings.soffice = 'false'; // '/bin/false' doesn't work on Windows
+    // With soffice configured but pointing at a binary that fails, the
+    // legacy convert path errors and the route returns 500. .doc has no
+    // native fallback (it stays soffice-only), so this exercises the
+    // soffice error path even after #7538.
+    settings.soffice = '/bin/false';
     await agent.get('/p/testExportPad/export/doc')
         .expect(500);
   });
+
+  // Issue #7538: in-process DOCX export via html-to-docx bypasses the
+  // soffice requirement entirely. A deployment with `soffice: null`
+  // should still produce a working .docx via the native path.
+  describe('native DOCX export (#7538)', function () {
+    before(function () {
+      // The upgrade-from-latest-release CI job installs deps from the
+      // PREVIOUS release's package.json (before this PR adds html-to-docx)
+      // and then git-checkouts this branch's code without re-running
+      // `pnpm install`. Under that workflow the module isn't resolvable.
+      // Skip the block in that one case; regular backend tests (which
+      // install against this branch's lockfile) still exercise it.
+      try {
+        require.resolve('html-to-docx');
+      } catch {
+        this.skip();
+        return;
+      }
+      settings.soffice = null;
+    });
+
+    it('returns a valid DOCX archive (PK zip signature)', async function () {
+      const res = await agent.get('/p/testExportPad/export/docx')
+          .buffer(true)
+          .parse((resp: any, callback: any) => {
+            const chunks: Buffer[] = [];
+            resp.on('data', (chunk: Buffer) => chunks.push(chunk));
+            resp.on('end', () => callback(null, Buffer.concat(chunks)));
+          })
+          .expect(200);
+      const body: Buffer = res.body as Buffer;
+      assert.ok(body.length > 0, 'DOCX body must not be empty');
+      // Word .docx files are ZIP archives — must start with the ZIP local
+      // file header signature 0x504b0304 ("PK\x03\x04").
+      assert.strictEqual(body[0], 0x50, 'byte 0 (P)');
+      assert.strictEqual(body[1], 0x4b, 'byte 1 (K)');
+      assert.strictEqual(body[2], 0x03, 'byte 2');
+      assert.strictEqual(body[3], 0x04, 'byte 3');
+    });
+
+    it('sends the Word-processing-ml content-type', async function () {
+      const res = await agent.get('/p/testExportPad/export/docx').expect(200);
+      assert.match(res.headers['content-type'],
+          /application\/vnd\.openxmlformats-officedocument\.wordprocessingml\.document/,
+          `unexpected content-type: ${res.headers['content-type']}`);
+    });
+  });
+
+  describe('native PDF export (#7538)', function () {
+    before(function () {
+      try {
+        require.resolve('pdfkit');
+        require.resolve('htmlparser2');
+      } catch {
+        this.skip();
+        return;
+      }
+      settings.soffice = null;
+    });
+
+    it('returns a valid %PDF- document', async function () {
+      const res = await agent.get('/p/testExportPad/export/pdf')
+          .buffer(true)
+          .parse((resp: any, callback: any) => {
+            const chunks: Buffer[] = [];
+            resp.on('data', (chunk: Buffer) => chunks.push(chunk));
+            resp.on('end', () => callback(null, Buffer.concat(chunks)));
+          })
+          .expect(200);
+      const body: Buffer = res.body as Buffer;
+      assert.ok(body.length > 200, 'PDF body must be non-trivial');
+      assert.strictEqual(body.slice(0, 5).toString('ascii'), '%PDF-');
+    });
+
+    it('sends application/pdf content-type', async function () {
+      const res = await agent.get('/p/testExportPad/export/pdf').expect(200);
+      assert.match(res.headers['content-type'], /application\/pdf/);
+    });
+  });
+
+  describe('odt without soffice (#7538)', function () {
+    before(function () { settings.soffice = null; });
+    it('returns the "not enabled" message for odt', async function () {
+      const res = await agent.get('/p/testExportPad/export/odt').expect(200);
+      assert.match(res.text, /This export is not enabled/);
+    });
+  });
+
+  describe('stripRemoteImages', function () {
+    const {stripRemoteImages} = require('../../../node/utils/ExportSanitizeHtml');
+
+    it('keeps data: URIs', function () {
+      const out = stripRemoteImages(
+          '<p>x</p><img src="data:image/png;base64,iVBORw0KGgo=">');
+      assert.match(out, /<img[^>]+src="data:image\/png/);
+    });
+
+    it('keeps relative URLs', function () {
+      const out = stripRemoteImages('<img src="/foo/bar.png">');
+      assert.match(out, /<img[^>]+src="\/foo\/bar\.png"/);
+    });
+
+    it('drops absolute http(s) URLs and falls back to alt', function () {
+      const out = stripRemoteImages(
+          '<p>before<img src="https://evil.example/x.png" alt="cat">after</p>');
+      assert.doesNotMatch(out, /evil\.example/);
+      assert.match(out, /before/);
+      assert.match(out, /cat/);
+      assert.match(out, /after/);
+    });
+
+    it('drops protocol-relative URLs', function () {
+      const out = stripRemoteImages('<img src="//evil.example/x.png">');
+      assert.doesNotMatch(out, /evil\.example/);
+    });
+
+    it('passes non-image markup through unchanged', function () {
+      const html = '<h1>hi</h1><p>body <a href="/x">link</a></p>';
+      assert.strictEqual(stripRemoteImages(html), html);
+    });
+  });
+
+  describe('extractBody', function () {
+    const {extractBody} = require('../../../node/utils/ExportSanitizeHtml');
+
+    it('returns trimmed body content from a full document', function () {
+      const html = `<!doctype html><html><head><style>.x{color:red}</style></head><body>
+hello<br>world
+</body></html>`;
+      assert.strictEqual(extractBody(html), 'hello<br>world');
+    });
+
+    it('passes a body-less fragment through unchanged', function () {
+      const html = '<p>just a fragment</p>';
+      assert.strictEqual(extractBody(html), html);
+    });
+
+    it('drops <head><style> contents', function () {
+      const html = '<html><head><style>.x{}</style></head><body><p>kept</p></body></html>';
+      const out = extractBody(html);
+      assert.doesNotMatch(out, /style/);
+      assert.doesNotMatch(out, /\.x/);
+      assert.match(out, /kept/);
+    });
+  });
+
+  describe('wrapLooseLines', function () {
+    const {wrapLooseLines} = require('../../../node/utils/ExportSanitizeHtml');
+
+    it('wraps loose text in <p>', function () {
+      assert.strictEqual(wrapLooseLines('Hello'), '<p>Hello</p>');
+    });
+
+    it('keeps single <br> as soft break inside one paragraph', function () {
+      assert.strictEqual(wrapLooseLines('A<br>B'), '<p>A<br>B</p>');
+    });
+
+    it('splits paragraphs on consecutive <br>', function () {
+      // Two <br>s between content: one paragraph break + one empty
+      // <p></p> marker so the blank pad line survives a DOCX round-trip
+      // through html-to-docx and mammoth.
+      assert.strictEqual(wrapLooseLines('A<br><br>B'),
+          '<p>A</p><p></p><p>B</p>');
+    });
+
+    it('emits more empty <p> markers for longer <br> runs', function () {
+      // Three <br>s = 2 blank pad lines between content.
+      assert.strictEqual(wrapLooseLines('A<br><br><br>B'),
+          '<p>A</p><p></p><p></p><p>B</p>');
+    });
+
+    it('drops trailing <br>', function () {
+      assert.strictEqual(wrapLooseLines('Foo<br>'), '<p>Foo</p>');
+    });
+
+    it('leaves block elements alone', function () {
+      const html = '<ul><li>x</li></ul>';
+      assert.strictEqual(wrapLooseLines(html), html);
+    });
+
+    it('handles realistic etherpad pad HTML', function () {
+      const out = wrapLooseLines(
+          'Welcome!<br><br>Body text.<br>More text.<br>');
+      // <br><br> -> blank-line marker between Welcome and Body text;
+      // single <br> in the second chunk stays as a soft break;
+      // trailing <br> is dropped.
+      assert.strictEqual(out,
+          '<p>Welcome!</p><p></p><p>Body text.<br>More text.</p>');
+    });
+  });
+
+  describe('dropEmptyBlocks', function () {
+    const {dropEmptyBlocks} = require('../../../node/utils/ExportSanitizeHtml');
+
+    it('drops empty heading blocks', function () {
+      const out = dropEmptyBlocks(
+          "<h1 style='text-align:right'>Hi</h1><br><h1 style='text-align:right'></h1><br>x");
+      assert.strictEqual(out, "<h1 style='text-align:right'>Hi</h1><br><br>x");
+    });
+
+    it('drops empty code blocks', function () {
+      assert.strictEqual(dropEmptyBlocks('<code></code>x'), 'x');
+      assert.strictEqual(
+          dropEmptyBlocks('<code style="x">  \n\t  </code>x'), 'x');
+    });
+
+    it('iterates so nested empties are dropped too', function () {
+      // <code></code> inside a <div> -> div becomes empty -> div drops too.
+      // (<p></p> is preserved on purpose; wrapLooseLines uses it as a
+      // blank-line marker for DOCX round-trip fidelity.)
+      const out = dropEmptyBlocks('<div><code></code></div>after');
+      assert.strictEqual(out, 'after');
+    });
+
+    it('does not drop empty <p></p> (blank-line marker)', function () {
+      const out = dropEmptyBlocks('<p>x</p><p></p><p>y</p>');
+      assert.strictEqual(out, '<p>x</p><p></p><p>y</p>');
+    });
+
+    it('keeps non-empty blocks unchanged', function () {
+      const html = '<h1>Hi</h1><p>body</p><code>x = 1</code>';
+      assert.strictEqual(dropEmptyBlocks(html), html);
+    });
+  });
+
+  describe('collapseRedundantBrAfterBlocks', function () {
+    const {collapseRedundantBrAfterBlocks} =
+        require('../../../node/utils/ExportSanitizeHtml');
+
+    it('drops <br> immediately after a closing <p>', function () {
+      assert.strictEqual(
+          collapseRedundantBrAfterBlocks('<p>x</p><br><p>y</p>'),
+          '<p>x</p><p>y</p>');
+    });
+
+    it('drops <br> after closing heading and code tags', function () {
+      for (const tag of ['h1', 'h2', 'h3', 'code', 'pre', 'div', 'blockquote']) {
+        assert.strictEqual(
+            collapseRedundantBrAfterBlocks(`<${tag}>x</${tag}><br>`),
+            `<${tag}>x</${tag}>`,
+            `expected </${tag}><br> collapsed`);
+      }
+    });
+
+    it('keeps a standalone <br> between text', function () {
+      const html = 'Hello<br>World';
+      assert.strictEqual(collapseRedundantBrAfterBlocks(html), html);
+    });
+
+    it('handles whitespace between </tag> and <br>', function () {
+      assert.strictEqual(
+          collapseRedundantBrAfterBlocks('<p>x</p>  \n<br>after'),
+          '<p>x</p>after');
+    });
+
+    it('drops only one <br>, leaving any subsequent ones', function () {
+      // <br><br> after a closing block represents (one redundant + one
+      // intentional blank-line break). After collapsing the first, the
+      // second remains.
+      assert.strictEqual(
+          collapseRedundantBrAfterBlocks('<p>x</p><br><br><p>y</p>'),
+          '<p>x</p><br><p>y</p>');
+    });
+  });
+
+  describe('separateAdjacentHeadingBlocks', function () {
+    const {separateAdjacentHeadingBlocks} =
+        require('../../../node/utils/ExportSanitizeHtml');
+
+    it('inserts <br> between adjacent <h1> and <h2>', function () {
+      assert.strictEqual(
+          separateAdjacentHeadingBlocks('<h1>A</h1><h2>B</h2>'),
+          '<h1>A</h1><br><h2>B</h2>');
+    });
+
+    it('inserts <br> between adjacent <code> blocks', function () {
+      assert.strictEqual(
+          separateAdjacentHeadingBlocks('<code>A</code><code>B</code>'),
+          '<code>A</code><br><code>B</code>');
+    });
+
+    it('inserts <br> after a heading before a <p>', function () {
+      assert.strictEqual(
+          separateAdjacentHeadingBlocks('<h1>A</h1><p>B</p>'),
+          '<h1>A</h1><br><p>B</p>');
+    });
+
+    it('does not change adjacent <p> elements', function () {
+      const html = '<p>A</p><p>B</p>';
+      assert.strictEqual(separateAdjacentHeadingBlocks(html), html);
+    });
+
+    it('handles three-block round-trip case', function () {
+      // Mirrors what mammoth produces for a pad with H1 + H2 + Code.
+      assert.strictEqual(
+          separateAdjacentHeadingBlocks(
+              '<h1>Welcome</h1><h2>This pad</h2><p>Code line</p>'),
+          '<h1>Welcome</h1><br><h2>This pad</h2><br><p>Code line</p>');
+    });
+  });
+
+  describe('applyMonospaceToCode', function () {
+    const {applyMonospaceToCode} =
+        require('../../../node/utils/ExportSanitizeHtml');
+
+    it('emits a Courier span for inline <code>', function () {
+      // The <code> tag itself is dropped (html-to-docx ignores it and
+      // also breaks <a> children when they're nested inside it). The
+      // text becomes a Courier-styled inline span.
+      const out = applyMonospaceToCode('<code>x = 1</code>');
+      assert.strictEqual(out,
+          `<span style="font-family:'Courier New', monospace">x = 1</span>`);
+    });
+
+    it('forwards block-level style to a wrapping <p>', function () {
+      // ep_headings2 + ep_align emit `<code style='text-align:right'>`
+      // for each "Code"-styled pad line. The alignment must reach
+      // html-to-docx as a paragraph property, so we move the style
+      // onto a wrapping <p>.
+      const out = applyMonospaceToCode("<code style='text-align:right'>x</code>");
+      assert.match(out, /<p style="text-align:right">/);
+      assert.match(out, /font-family:'Courier New'/);
+    });
+
+    it('emits <p> wrap for <pre> regardless of style', function () {
+      // <pre> is always block-level.
+      const out = applyMonospaceToCode('<pre>preformatted</pre>');
+      assert.match(out, /^<p>/);
+      assert.match(out, /<\/p>$/);
+      assert.match(out, /font-family:'Courier New'/);
+    });
+
+    it('handles inline <tt>, <kbd>, <samp> as bare spans', function () {
+      for (const tag of ['tt', 'kbd', 'samp']) {
+        const out = applyMonospaceToCode(`<${tag}>x</${tag}>`);
+        assert.strictEqual(out,
+            `<span style="font-family:'Courier New', monospace">x</span>`,
+            `expected styled span (no ${tag} wrapper) but got: ${out}`);
+      }
+    });
+
+    it('does not touch unrelated tags', function () {
+      const html = '<p>plain</p><strong>bold</strong>';
+      assert.strictEqual(applyMonospaceToCode(html), html);
+    });
+
+    it('does not wrap <a> elements in the Courier span', function () {
+      // Regression: html-to-docx drops <a href> content when nested
+      // inside a styled span OR inside <code>. We split on anchors
+      // and leave them unstyled.
+      const out = applyMonospaceToCode(
+          '<code>Github: <a href="https://github.com/ether/etherpad">link</a> end</code>');
+      // Anchor is preserved as-is (no Courier span around it)
+      assert.match(out, /<a href="https:\/\/github\.com\/ether\/etherpad">link<\/a>/);
+      // Text before the anchor is wrapped
+      assert.match(out, /font-family:'Courier New', monospace">Github: <\/span>/);
+      // Text after the anchor is wrapped
+      assert.match(out, /font-family:'Courier New', monospace"> end<\/span>/);
+      // <code> wrapper is dropped
+      assert.doesNotMatch(out, /<code/);
+      assert.doesNotMatch(out, /<\/code>/);
+    });
+
+    it('preserves <a> through html-to-docx round-trip', async function () {
+      try { require.resolve('html-to-docx'); }
+      catch { this.skip(); return; }
+      const htmlToDocx = require('html-to-docx');
+      const JSZip = require('jszip');
+      const buf: Buffer = await htmlToDocx(applyMonospaceToCode(
+          '<p><code>Github: <a href="https://github.com/ether/etherpad">site</a></code></p>'));
+      const z = await JSZip.loadAsync(buf);
+      const xml: string = await z.file('word/document.xml').async('text');
+      // Anchor must survive: docx hyperlinks live in <w:hyperlink>
+      assert.match(xml, /<w:hyperlink/, 'expected <w:hyperlink> in docx');
+      assert.match(xml, /<w:t[^>]*>site<\/w:t>/, 'expected link text "site"');
+      const rels: string = await z.file('word/_rels/document.xml.rels')
+          .async('text');
+      assert.match(rels, /github\.com\/ether\/etherpad/,
+          'expected URL in document.xml.rels');
+    });
+  });
+
+  describe('htmlToPdfBuffer', function () {
+    let htmlToPdfBuffer: (html: string) => Promise<Buffer>;
+
+    before(function () {
+      try {
+        require.resolve('pdfkit');
+        require.resolve('htmlparser2');
+      } catch {
+        this.skip();
+        return;
+      }
+      htmlToPdfBuffer = require('../../../node/utils/ExportPdfNative').htmlToPdfBuffer;
+    });
+
+    it('produces a buffer starting with %PDF-', async function () {
+      const buf = await htmlToPdfBuffer('<p>hello world</p>');
+      assert.ok(Buffer.isBuffer(buf), 'must return Buffer');
+      assert.ok(buf.length > 100, `buffer suspiciously small: ${buf.length} bytes`);
+      assert.strictEqual(buf.slice(0, 5).toString('ascii'), '%PDF-');
+    });
+
+    // pdfkit emits visible text as hex strings inside TJ operators
+    // (e.g. `Title` -> `<5469746c65>`), and pdfkit splits a single text
+    // run into multiple chunks at kerning boundaries. Decode every hex
+    // string we find and concatenate the result so substring matching
+    // works on the visible text content.
+    const decodeVisibleText = (raw: string): string => {
+      const out: string[] = [];
+      const re = /<([0-9a-fA-F]{2,})>/g;
+      let m: RegExpExecArray | null;
+      while ((m = re.exec(raw)) !== null) {
+        try {
+          out.push(Buffer.from(m[1], 'hex').toString('latin1'));
+        } catch { /* not hex; ignore */ }
+      }
+      return out.join('');
+    };
+
+    const renderText = async (html: string): Promise<string> => {
+      const buf = await htmlToPdfBuffer(html);
+      return buf.toString('latin1');
+    };
+
+    it('renders headings, paragraphs, and lists', async function () {
+      const raw = await renderText(`
+        <h1>Title</h1>
+        <p>Body paragraph here.</p>
+        <ul><li>one</li><li>two</li></ul>
+        <ol><li>alpha</li><li>beta</li></ol>
+      `);
+      const visible = decodeVisibleText(raw);
+      assert.ok(visible.includes('Title'), `expected Title in: ${visible}`);
+      assert.ok(visible.includes('Body paragraph here.'),
+          `expected paragraph in: ${visible}`);
+      assert.ok(visible.includes('one'), `expected "one" in: ${visible}`);
+      assert.ok(visible.includes('two'), `expected "two" in: ${visible}`);
+      assert.ok(visible.includes('alpha'), `expected "alpha" in: ${visible}`);
+      assert.ok(visible.includes('beta'), `expected "beta" in: ${visible}`);
+    });
+
+    it('emits link annotations for <a href>', async function () {
+      const raw = await renderText('<p><a href="https://etherpad.org">site</a></p>');
+      const visible = decodeVisibleText(raw);
+      assert.ok(visible.includes('site'), `expected "site" in: ${visible}`);
+      // URL is stored in a /URI dict as a plain (parenthesized) string.
+      // Match the full /URI (...) form so we're verifying the PDF link
+      // annotation structure, not just any occurrence of the host string.
+      assert.match(raw, /\/URI\s*\(https:\/\/etherpad\.org\)/,
+          'expected link target URL in PDF /URI dict');
+    });
+
+    it('embeds data: URI images without throwing', async function () {
+      const tinyPng =
+        'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=';
+      const buf = await htmlToPdfBuffer(`<img src="data:image/png;base64,${tinyPng}">`);
+      assert.ok(buf.length > 200);
+    });
+
+    it('ignores unknown tags rather than crashing', async function () {
+      const buf = await htmlToPdfBuffer(
+          '<custom-tag><p>still works</p></custom-tag>');
+      assert.strictEqual(buf.slice(0, 5).toString('ascii'), '%PDF-');
+    });
+
+    it('does not render head/style/script content', async function () {
+      const raw = await renderText(`
+        <html><head>
+          <title>SECRET_TITLE</title>
+          <style>.x { display: SECRET_CSS; }</style>
+          <script>var SECRET_JS = 1;</script>
+        </head><body>
+          <p>visible body</p>
+        </body></html>
+      `);
+      const visible = decodeVisibleText(raw);
+      assert.doesNotMatch(visible, /SECRET_TITLE/);
+      assert.doesNotMatch(visible, /SECRET_CSS/);
+      assert.doesNotMatch(visible, /SECRET_JS/);
+      assert.match(visible, /visible body/);
+    });
+
+    it('honors text-align style on block elements', async function () {
+      // pdfkit emits text-positioning matrices for aligned text. We assert
+      // the alignment option produced different output than left-aligned
+      // by checking the x coordinate of the BT block.
+      const leftRaw = await renderText('<p>aligned text</p>');
+      const rightRaw = await renderText('<p style="text-align:right">aligned text</p>');
+      const leftX = (leftRaw.match(/1 0 0 1 (\d+(?:\.\d+)?)/) || [])[1];
+      const rightX = (rightRaw.match(/1 0 0 1 (\d+(?:\.\d+)?)/) || [])[1];
+      assert.ok(leftX, 'expected left x');
+      assert.ok(rightX, 'expected right x');
+      assert.notStrictEqual(leftX, rightX,
+          `right-aligned text should sit at a different x than left-aligned (left=${leftX} right=${rightX})`);
+    });
+
+    it('uses Courier font inside <code>', async function () {
+      const raw = await renderText('<p>before <code>x = 1</code> after</p>');
+      // pdfkit references the font in the resource dictionary; Courier
+      // isn't in the default resources so its first use creates a new
+      // /Font subtype entry. Look for "Courier" anywhere in the PDF.
+      assert.match(raw, /Courier/);
+    });
+
+    it('uses Courier font inside <pre>', async function () {
+      const raw = await renderText('<pre>preformatted text</pre>');
+      assert.match(raw, /Courier/);
+    });
+
+    it('honors text-align on <code> (ep_headings2 code lines)', async function () {
+      const leftRaw = await renderText('<code>x = 1</code>');
+      const rightRaw = await renderText("<code style='text-align:right'>x = 1</code>");
+      const leftX = (leftRaw.match(/1 0 0 1 (\d+(?:\.\d+)?)/) || [])[1];
+      const rightX = (rightRaw.match(/1 0 0 1 (\d+(?:\.\d+)?)/) || [])[1];
+      assert.ok(leftX, 'expected left x');
+      assert.ok(rightX, 'expected right x');
+      assert.notStrictEqual(leftX, rightX,
+          `right-aligned <code> should sit at a different x than left-aligned (left=${leftX} right=${rightX})`);
+    });
+
+    it('honors text-align on <pre>', async function () {
+      const leftRaw = await renderText('<pre>x = 1</pre>');
+      const rightRaw = await renderText("<pre style='text-align:right'>x = 1</pre>");
+      const leftX = (leftRaw.match(/1 0 0 1 (\d+(?:\.\d+)?)/) || [])[1];
+      const rightX = (rightRaw.match(/1 0 0 1 (\d+(?:\.\d+)?)/) || [])[1];
+      assert.notStrictEqual(leftX, rightX,
+          `right-aligned <pre> should sit at a different x than left-aligned (left=${leftX} right=${rightX})`);
+    });
+  });
 });
diff --git a/src/tests/backend/specs/fixtures/sample.docx b/src/tests/backend/specs/fixtures/sample.docx
new file mode 100644
index 0000000000000000000000000000000000000000..9178825d86b20c2bffcd6f26367dbd90872c661a
GIT binary patch
literal 24020
zcmeHPO>87b6`uS7Ne~Gki4e+R7`TBw{~mkrY}j4f+9lpyvv%0<6Gc7UJ)X|?bPwG<
zp7lxy#34dl5RtedaSLY-9Jq1j#t{K$!~rCvh$G*tzpm=(`LoB%nq^kAp029*>ec(J
z_o}Mv;H_t#eW5^~{lQ1yV?V@ypTOVuBG-@02S%IMKK}R%zkjMwpzn*S%{sN*e)GY=
zFP^wj?1e$6R9&x>if&+sju#wvN^c+St!<Wyabg9I<%faWDV@4;>CG!IY~OW#D*;U0
z_l9v1NP@Ui>L<ytT`tFV-yK--dN_0g)bzq=U?q5rj>|*KzHc47<yxh(Q3e4ij?$GE
zibVr$@ut%$MK_&lsd#icMBnq#hrOO>yE~yh8n{7{(@WWG0nAo(>?WPkIE<XKBLLSy
zb*Vg+pxWXDO&@Q0;3k%1C05xEBX?~Wfm>1HfxU_*kaK|In6;2JZI=z!Uol0ktHbkn
zP$<l1zo`84SO0#xP@wN;^=3p1^>k*vu!n8JL3H!saNTIz!$st0uxmPln7XwcTcI3|
zBA@A(W0zguCE>^A>Uy<Y65Ts?;zom1MRfpHqqQ7(iLP#XQ^)3&s`Z1|Q$&o%<MnZ!
zkpcCtmfyLxf5<Fh%?rqcY?te}W49A8@m;Q9c#22e_gy<t&vxWmNf=$}Cj);i3D+RR
z2is*dloeztVDx?Wl+-rPG}LRTB>){awj*yy2FrUv8{dkPTQKyV=Q`I;CvjxzMW2y-
z;*qboQr#{CiF)K6F;;RiU8e}<v^gsU``h>G*LRNgN>^%?+QwR?xmMXcs@B_$TD#U*
z-`uKwhem1OU^Xbr27=miA(lws!)O4evd*xk=U^txNtl+T8yxvo)+B-db2Cmjs2~02
zudf#h^nJ~2$eLHrWp-AZArabcDV?0*ik-+B!^;nR?j{G87nF*DHGreN!`x``h=##+
zR^Z<iwnburW?609kC=|T1|)+KEu8yR-da4zr}1?^DxO$AoURu*;rPgXkd%s~Zm8&#
zD(u7EFM}ytZ4C)J^^<uhHFSIIW1`a#0G)HcW>Od(cNK|^MzgVT)dbf77&SA%cU!v~
zyBj9BpC|x;Teb~vl^KvpL92GXVWP+YDKrW(6Hct7+1+XF)T?=D6p%twpU#h~P5PII
zMgb`_jp=Ci_O3(Bd1w@nLerd%rg?4a+D<Mt3P_>Zn2x4Zxw_M6<x!)6fTr(z!Tsq-
zD$R}h^$ddz5TNLV{*BpKwwjH-R?Q^EgxZEZD6`|_Fw8+R#}WtD`(d;f28l5S3c-RR
zx#^x|!}gE7fg2ZZyW`^Ba9{-~B}}DUYvHDLtTj#15cw07U;qOzcwDG6DItP;;2P&{
z%J9KFe)l}zKTJ-2cRw~+9*4f??4dRl1h-d;7F^|ehJE}@8HXmIBnKAEJB}=duo#8O
zJum4W_ALsStI81z=X)F*w5ZbJFhp!rF`7$%okx^TIJINs`=bHk3GUgeRr2CG@w^!y
zr$vE>Xjo}ZZwSpyc(aXGZY#zSNuWs-RUOBfGAiO@rCwJ#-dV$ljq%oVN5UABj<=QH
z>g?lX^7!uzcx#aXZxVr%`m)r3xyUmb4(ou&En1Y%HXG;!-4tWn@?B(?Mvn|!7*eV?
zkBfCJtVD(xR*;DpgVfA0)wV6-%Q>0P6nKT!WsG;0H!;V{<jZm#Ia2-?VvPHi<4UiS
z-)<>&Ge*2>``VgeH3n-)z&Wzxjy4@}YcsdmQUksK`y!Ni^CVeqkUM$$L2=wEZPc4E
zW81>2LJtuPeh!AP=Qubn6)pc5OIdaj8PgdlK;FE|871cst{xLJFB;{~y$pI7#mSBp
z_c<`@#WW`LjdcSzD*E1_QzA*2A|vE}VE7z9%xVqu-jguSEzF<)tK;O-%_=i=!tM32
z?31lvDy3DWYN6F&lGB_V^^gl;c5?BU^d1<s;RtGf*muUou0M+ITCmY(t4gwVyco-_
zRW5kPL*lPy=hT2R@oawlqG!3xv?iM|S}cFqw?sHOBfR41G9v+l)ll@Rl=DW|krp%Q
zN{CFc1_D8Kk0~X{)rMTh1rWBnbEbr0DU6bQHIr(QLtgYwl<6Ta#qOCYia4RDPw}(j
zNiPkAk41)~jXPg~n4TG9=Xr)^t1>JhCZ*H!R{r$N@R<Qlen2;cpVS#uU2Gzxv1P_E
z47L#aGAg08OJ~cBW+q$m<#BeltRkM%2C|V)-=w}w3Fnp?2$#6#U6>l2D-R-+c@B!o
zdvYa&?3fDJQgpghtco(L>&GvC_`~NvRVdJxHlZfA;Lf}WHEzqDymK#z^Q|V^!TdCT
z`!TbmZuhMy+2PCVaw972ltxj&eV-Mt4Lmyv<FJ>k+2NqgHz&m(2{H82eJ<uQ^LJJ=
zeFG{PMXp4$5c%fbXwL4b#C9@k5GU9>6>L9QXw!CJMfXQTV!#k<kzLQn{u}FDp+TT9
zpZR&z%k9r^(FQVhR=G5hKg>r*+K5eA+l}LiT@rz&TA9TMAxy%fI$mfKG$Toqkc>Kw
zX-_^g7^PF|V5!*fE;HkTbJ<|OAR=b0<90W6PWk-1J#NPcM-L)79iw1)eE6_9Zi8Xf
zTCIVoZQSnTcXN~f4kHhH7oE~DjFQOmk~HgKu(zxT07-~ZR~sB6@{aoy_F<kNWZf`H
zLZn2p+IM?eZQn)04$W=VSmRz8BA8T<$D@Qjs%d1qY>t3v(8rRF3~mZ_EYt!KY%A&p
z`huLb^?TMR#*Q?K(F%)5?%k0Oc3Yz))JBS4hbd|xRt#hqqJv1A{ZXBe7Pbj7a1A3j
zcB2#QvIzoc5NfrU9t1Y}DMmAAT#t_A11qu+mks+x(xUbAlOBu)DJR*aHEw(Ui7$nu
zL@i>4aT^df9a(J(4-CuT1LGbYb8uSb{|wO;JQ;^`8A1)XN1|VH63@g9ukU>L&A)xJ
zP@wNCGH#$9nj@?0pYQa_nC<k4^Gxm4PMYVPb%evFfkNT=M*Y>uv$!kgF3k$U*sV%?
zz~b+<%0{Juzw)2jM}{p>coMsWjCsH`9!Fiz8hHMxtkOLmc^@ya`?BuD0uA81^oV3+
z9y!cW+{OGz0X#l+^7bgHsuJeXQBs>IshcIXjt6JKK)8vAxmVH`Voe^Gu3Ns>jXbd&
zNCTMQ(;n8JIFA~YI)0svPx07`V~r8ZFlrZT@U`8&y_8Y3LtbmNu8ESAQCp&9I-{x_
z&lwq2+^1Q3HoJ&P^zVsgS2#id6wzk+EM~Q!QCo~zq+^XU>eeN<!Nb!*H=N<BnlQjB
z*i)^v;Ie9XQs*&Xuvu574oINRbXAUv6J1Cn5K@V-i|l=Qhb7$;92Q>+-~sF64vVky
zbEswQFnb1rN3pq%s|Ie>!L0^!VD&R9SEL{HSdwA8<fbMZS8KC*VUA1s`ZyC9oa}tP
z@Xlun?E8`o3}QNg5ufXD9cDC!WVPwzilPfK;UQMq!3my`pNKOLkRnnKQN|TW<|Fcn
zKks4Ij4`WPvF+h7YgYGA<Kk%E)!4JxdB9GIoz%H;HHbZ$hx+s*x5kdyLXZHs<~g1;
zNfFw|lv}dcqoxd6Rb3~V@+*C8=F3VqSbO`B=#WHqN~)-fE|IQ9Ylp@GKE@bfQivL|
zTq5<)W1N=cF~+5-gw<n-XqBg_lqhyeB3st7#$=yJOj$r$tZ<44O<Yux5h^HSiipwj
zW3}WKEjlnu3}97sWc~)$IwEv@Kb@2)T9h11t5XLF9!RA?CwAzEl(~zruu?%Zp>kN%
zk7OOKjA)S`XC@&c;u$^cAxrj9=8Y!VG6NT);W4i4iq--s5mz}L=;&Ip>)gS9FsJl3
zy=NfK?K24lI9NKha^xLE9u_bX73FTpK?3#n_t;AdDTkD#80Pz~JG>3-I#;M{AF_}2
z!c<ARF5ZKHVl+0jEEYXsTZxopKPSsIHAGWeMnl)=N10M%Qx1c*iXWzilvWXDA@g&H
zs+O-{QdG*OFIH5epzk^Ey}lc~4RuH*c5x!CZ?Nb<nEhONrYZ}rD?I{JOsktB&$@nk
z7?z~TGp$;UJnOUNS(l1+vGR=Ffp^1m9GAbUz_j?$%eV%y!gnkx<5btrBIDY0n@y`$
zBjd(w8S8oP1-jSAM8<qgTF4j=x<{S#%c=gKNydt`6Mng-s#YW8=4=_O^YTxG9rK`U
zQ5hSOnD47sBd?9w@=_DP6Cp32F)u2wRF}_Wlcve*b1T$Fh7!O$87q<Gc~+Q7LhmL1
z=RZRBNnf=(jg5$|8zFu@XCA8XtTq*0(LU|+d)q6@fdw}f-IgA&ej9fAt>E)++*;ij
zd#-kJdo-XpC4Hh4P`>y9kHNRkXcrC3>cY|R87RT&1eqSG7?o8)&GrVWt~>I5H<9MR
z8UP!;wI`wf@#EiStG{8(O4`#kYL#0RxqbrTW%ijCNpR3Yff##1g*JlK91TKXgC;P>
zi&qNKoNpwHjpIJn3t)Sl5(VxGo}e{S0IJ2~Y?SO}DQ#&)tYHE@TlDCZv;w@T(kVH7
z1;*?{VWkeiIF;V&l92*q{o-Ze%O)ANfv;G*fN127|0R%(Omi=*Y-&|q?H7;@10XGb
z{Ov}jtd~|coBHy>BC;WX%OM+?YF<{^V7Abviv?uE04|4YWQurMWz(oH8456f%OM+?
z4qjH-&}L*B0xe)S4B&Fergh09=w@rlSbzaMma?I6T1$JxP7~4vP>cUFX^_@(;=mwb
z0tDR%!+!8oJ(Jh}?5AHmXyCde`l{3FI6j4!ACAwxy)4kIHmkoh>G;ygbBtUzbLcte
zt}%XCeji7_tcV{dFSAQ-gr+<ULsAv&mC^+)?3f4lTF3-NB8LNohd92BR%|O&rJt;Y
z?P0f(XMnQ7x<cUN?Y2XgHac;UldS$KRg;cMwaKX12M^zP<<B^`K;Kv8`Gv9DJzR~J
zX_!{4Xe(O9DQDOL4ycd1S}E^-yPtHw<oxBCLV><-0EC@&=MCi%Qd)O=GB3P?W8?lT
zy;n{Z5m$uD>X*vNi}#ke=PvK%3*&mfGG8oBiQvz3D8R8%dUInDYhQo@VMZDanqkf0
zLt~XxXjYgKq7}~JNOP66s6*2!C8}r+9UH5pgPjvfX<(0K_CLE7P1fMj7^uR{00&+I
ze$Zp~Wr)vw@Zbl(#HE<@{T%$lcdz596MX%9>}{ZTX@qBf#f+igZgdgtG%hx@IT>qo
zh$m(N<+eEZQ`~(30{LB>Fdw|JBuM5~U=4@9XR|vq%O`=8xnOfmbV7cPwPAO2ekHZ>
zoKD^!y0|gH=mgUmF6d+xY(X!NwjtfKkOM{KQ-O#O6G$IVO6DD0M;hTsM-lIrB)8dx
zbY<?%nFpVN;|x5>>ulEi@rZiY=dI<s<bF`Wn{SU{5>z!53u($Rl@Xewo-Vx{&d(!+
z<6VRTbG}+B5eoGpbWHjs!vu6~p3e`4Y>{3~kG#^+E7Wu7fX-wtqFss%>6hrPP3@xF
zIh`^ql#w!<jh5<kuKJ0&e-SFO)ALFR(U418w##gKK|K7_)2|k$U-rzy<CjI0EJI@x
zCVTm_XpBE!##i&JvpS=zg!zX$dkHD9Qi&{B_G)1XSSW1hV5AEq)GT<~yilMkSNVr}
zeHV{RCuV_Ap1?l@@*@etEjJ68y^>Xe77D*M0n<<<iz53Ddy3+B$V3>q%HigWHv1}D
z3jQxhhk+{_&Er<~#Cr<==`{hLy6-IQ*^>$>@Xx;{fR%g9>pZ(6lEQm$$<DO^JKKFW
z+fBj$a7%z|rjbWL3c>F+=g%bgKiw7>@@*oUFs6u}y<-6CvSYzVb`aSRGsX1AVQ#>A
W@YZvPMhk_P@$ZkwSO5NPdioDbrMQ#;

literal 0
HcmV?d00001

diff --git a/src/tests/backend/specs/import.ts b/src/tests/backend/specs/import.ts
new file mode 100644
index 00000000000..ae182644276
--- /dev/null
+++ b/src/tests/backend/specs/import.ts
@@ -0,0 +1,473 @@
+'use strict';
+
+import {MapArrayType} from '../../../node/types/MapType';
+import path from 'path';
+import os from 'os';
+import {promises as fs} from 'fs';
+
+const assert = require('assert').strict;
+const common = require('../common');
+const padManager = require('../../../node/db/PadManager');
+import settings from '../../../node/utils/Settings';
+
+describe(__filename, function () {
+  const settingsBackup: MapArrayType<any> = {};
+  let agent: any;
+
+  before(async function () {
+    agent = await common.init();
+    settingsBackup.soffice = settings.soffice;
+  });
+
+  after(function () {
+    Object.assign(settings, settingsBackup);
+  });
+
+  describe('docxBufferToHtml (#7538)', function () {
+    let docxBufferToHtml: (b: Buffer) => Promise<string>;
+
+    before(function () {
+      try { require.resolve('mammoth'); }
+      catch { this.skip(); return; }
+      docxBufferToHtml = require('../../../node/utils/ImportDocxNative').docxBufferToHtml;
+    });
+
+    it('converts the sample.docx fixture to HTML', async function () {
+      const buf = await fs.readFile(
+          path.join(__dirname, 'fixtures', 'sample.docx'));
+      const html = await docxBufferToHtml(buf);
+      assert.match(html, /Heading/);
+      assert.match(html, /Paragraph body\./);
+      assert.match(html, /one/);
+      assert.match(html, /two/);
+    });
+
+    it('emits no remote image URLs', async function () {
+      const buf = await fs.readFile(
+          path.join(__dirname, 'fixtures', 'sample.docx'));
+      const html = await docxBufferToHtml(buf);
+      assert.doesNotMatch(html, /<img[^>]+src="https?:/);
+      assert.doesNotMatch(html, /<img[^>]+src="\/\//);
+    });
+
+    it('preserves paragraph alignment from <w:jc>', async function () {
+      // Round through html-to-docx so the input docx has <w:jc> entries
+      // we can verify mammoth + our workaround surface as text-align.
+      try { require.resolve('html-to-docx'); }
+      catch { this.skip(); return; }
+      const htmlToDocx = require('html-to-docx');
+      const docx: Buffer = await htmlToDocx(
+          '<h1 style="text-align:right">Right heading</h1>' +
+          '<p style="text-align:center">Center paragraph</p>' +
+          '<p>Left paragraph</p>' +
+          '<p style="text-align:justify">Justify paragraph</p>');
+      const html = await docxBufferToHtml(docx);
+      assert.match(html, /<h1[^>]*style="[^"]*text-align:right/,
+          `expected right-aligned h1 in: ${html}`);
+      assert.match(html, /<p[^>]*style="[^"]*text-align:center/,
+          `expected center-aligned p in: ${html}`);
+      assert.match(html, /<p[^>]*style="[^"]*text-align:justify/,
+          `expected justify-aligned p in: ${html}`);
+      // Left-aligned paragraph should NOT carry a redundant style attr
+      // (we skip "left" because it's the CSS default).
+      assert.match(html, /<p>Left paragraph<\/p>/);
+    });
+  });
+
+  describe('end-to-end DOCX import (#7538)', function () {
+    before(function () {
+      try { require.resolve('mammoth'); }
+      catch { this.skip(); return; }
+      settings.soffice = null;
+    });
+
+    it('imports a docx into a pad without soffice', async function () {
+      const padId = 'test7538DocxImport';
+      try { await padManager.removePad(padId); } catch { /* noop */ }
+      const fixture = path.join(__dirname, 'fixtures', 'sample.docx');
+      const res = await agent
+          .post(`/p/${padId}/import`)
+          .attach('file', fixture)
+          .expect(200);
+      assert.strictEqual(res.body.code, 0,
+          `import failed: ${JSON.stringify(res.body)}`);
+      const pad = await padManager.getPad(padId);
+      const text = pad.text();
+      assert.match(text, /Heading/);
+      assert.match(text, /Paragraph body/);
+      assert.match(text, /one/);
+      assert.match(text, /two/);
+    });
+
+    it('rejects odt extension when soffice is null', async function () {
+      const padId = 'test7538OdtReject';
+      try { await padManager.removePad(padId); } catch { /* noop */ }
+      const fixture = path.join(__dirname, 'fixtures', 'sample.docx');
+      const odtPath = path.join(__dirname, 'fixtures', 'sample.odt');
+      await fs.copyFile(fixture, odtPath);
+      try {
+        const res = await agent
+            .post(`/p/${padId}/import`)
+            .attach('file', odtPath);
+        assert.ok(
+            res.status >= 400 || res.body.code !== 0,
+            `expected odt import to fail when soffice is null, got: ${res.status} ${JSON.stringify(res.body)}`);
+      } finally {
+        await fs.unlink(odtPath).catch(() => undefined);
+      }
+    });
+  });
+
+  describe('DOCX export -> import round-trip (#7538)', function () {
+    before(function () {
+      try {
+        require.resolve('html-to-docx');
+        require.resolve('mammoth');
+      } catch {
+        this.skip();
+        return;
+      }
+      settings.soffice = null;
+    });
+
+    // Returns the supertest Test so callers can keep chaining .expect();
+    // typing as `any` because supertest's Test isn't re-exported as a type
+    // we can name here.
+    const fetchBuffer = (req: any): any => req
+        .buffer(true)
+        .parse((resp: any, cb: any) => {
+          const chunks: Buffer[] = [];
+          resp.on('data', (c: Buffer) => chunks.push(c));
+          resp.on('end', () => cb(null, Buffer.concat(chunks)));
+        });
+
+    it('preserves text content through native DOCX round-trip', async function () {
+      const srcPadId = 'test7538RoundTripSrc';
+      const dstPadId = 'test7538RoundTripDst';
+      const tmpFile = path.join(os.tmpdir(), `roundtrip-${process.pid}.docx`);
+
+      try {
+        await padManager.removePad(srcPadId);
+        await padManager.removePad(dstPadId);
+      } catch { /* noop */ }
+
+      const srcPad = await padManager.getPad(srcPadId, '\n');
+      await srcPad.setText('Line one\nLine two\n\nAfter the blank line\n');
+      const srcText = srcPad.text();
+      assert.match(srcText, /Line one/);
+      assert.match(srcText, /After the blank line/);
+
+      const exp = await fetchBuffer(agent.get(`/p/${srcPadId}/export/docx`))
+          .expect(200);
+      const docxBuffer: Buffer = exp.body as Buffer;
+      assert.strictEqual(docxBuffer.slice(0, 4).toString('latin1'), 'PK\x03\x04');
+      await fs.writeFile(tmpFile, docxBuffer);
+
+      try {
+        const imp = await agent
+            .post(`/p/${dstPadId}/import`)
+            .attach('file', tmpFile)
+            .expect(200);
+        assert.strictEqual(imp.body.code, 0,
+            `import failed: ${JSON.stringify(imp.body)}`);
+
+        const dstPad = await padManager.getPad(dstPadId);
+        const dstText = dstPad.text();
+        assert.match(dstText, /Line one/);
+        assert.match(dstText, /Line two/);
+        assert.match(dstText, /After the blank line/);
+      } finally {
+        await fs.unlink(tmpFile).catch(() => undefined);
+      }
+    });
+
+    // Bidirectional round-trip: export from src pad, import into dst pad,
+    // export again. Compare exhibit (a) to exhibit (c). For text-based
+    // formats (txt, etherpad) this is straight byte equality. For HTML
+    // and DOCX we compare the relevant invariants (line text, paragraph
+    // count) since whitespace and metadata can differ between exports.
+    const exportPad = async (padId: string, type: string): Promise<Buffer> => {
+      const r = await fetchBuffer(agent.get(`/p/${padId}/export/${type}`))
+          .expect(200);
+      return r.body as Buffer;
+    };
+
+    const importToPad = async (padId: string, content: Buffer, ext: string) => {
+      try { await padManager.removePad(padId); } catch { /* noop */ }
+      const tmp = path.join(os.tmpdir(),
+          `roundtrip-${process.pid}-${Date.now()}.${ext}`);
+      await fs.writeFile(tmp, content);
+      try {
+        const r = await agent.post(`/p/${padId}/import`)
+            .attach('file', tmp).expect(200);
+        assert.strictEqual(r.body.code, 0,
+            `${ext} import failed: ${JSON.stringify(r.body)}`);
+      } finally {
+        await fs.unlink(tmp).catch(() => undefined);
+      }
+    };
+
+    const seedPad = async (padId: string, text: string) => {
+      try { await padManager.removePad(padId); } catch { /* noop */ }
+      const pad = await padManager.getPad(padId, '\n');
+      await pad.setText(text);
+    };
+
+    const SAMPLE_TEXT = 'Line one\nLine two\n\nAfter blank\n';
+
+    it('a==c round-trip: txt export -> import -> export', async function () {
+      const src = 'test7538RtTxtSrc';
+      const dst = 'test7538RtTxtDst';
+      await seedPad(src, SAMPLE_TEXT);
+      const a = await exportPad(src, 'txt');
+      await importToPad(dst, a, 'txt');
+      const c = await exportPad(dst, 'txt');
+      assert.strictEqual(c.toString('utf8'), a.toString('utf8'),
+          `txt round-trip drift\nA:${JSON.stringify(a.toString('utf8'))}\nC:${JSON.stringify(c.toString('utf8'))}`);
+    });
+
+    it('a==c round-trip: etherpad export -> import -> export', async function () {
+      const src = 'test7538RtEpadSrc';
+      const dst = 'test7538RtEpadDst';
+      await seedPad(src, SAMPLE_TEXT);
+      const a = await exportPad(src, 'etherpad');
+      await importToPad(dst, a, 'etherpad');
+      const c = await exportPad(dst, 'etherpad');
+      // etherpad format is JSON metadata + atext; the surrounding metadata
+      // (timestamps, ids) differs across pads. Assert the line content
+      // matches by parsing pad text from both pads.
+      const srcText = (await padManager.getPad(src)).text();
+      const dstText = (await padManager.getPad(dst)).text();
+      assert.strictEqual(dstText, srcText,
+          `etherpad round-trip drift\nsrc:${JSON.stringify(srcText)}\ndst:${JSON.stringify(dstText)}`);
+      assert.ok(a.length > 0 && c.length > 0,
+          'expected non-empty etherpad bodies');
+    });
+
+    it('a==c round-trip: html export -> import -> export', async function () {
+      const src = 'test7538RtHtmlSrc';
+      const dst = 'test7538RtHtmlDst';
+      await seedPad(src, SAMPLE_TEXT);
+      const a = (await exportPad(src, 'html')).toString('utf8');
+      await importToPad(dst, Buffer.from(a, 'utf8'), 'html');
+      const c = (await exportPad(dst, 'html')).toString('utf8');
+      // Strip <head> (skin-versioned hashes), trim trailing whitespace,
+      // and trim trailing <br>s — etherpad's setPadHTML appends an empty
+      // <p> on import to keep a caret below the last line, which adds
+      // exactly one trailing newline per round-trip. That's pre-existing
+      // core behavior, so the meaningful invariant is "content lines
+      // match" with the trailing newline tolerated.
+      const bodyOf = (s: string) =>
+          (s.match(/<body>([\s\S]*?)<\/body>/i)?.[1] ?? '')
+              .replace(/(?:<br\s*\/?>\s*)+$/i, '')
+              .trim();
+      assert.strictEqual(bodyOf(c), bodyOf(a),
+          `html body drift\nA:${JSON.stringify(bodyOf(a))}\nC:${JSON.stringify(bodyOf(c))}`);
+    });
+
+    it('a==c round-trip: docx export -> import -> export (line text)',
+        async function () {
+      const src = 'test7538RtDocxSrc';
+      const dst = 'test7538RtDocxDst';
+      await seedPad(src, SAMPLE_TEXT);
+      const a = await exportPad(src, 'docx');
+      await importToPad(dst, a, 'docx');
+      // Compare pad text, not docx bytes -- DOCX includes timestamps
+      // and pad ID metadata in the document properties so byte equality
+      // is impossible. Pad text equality is the right invariant.
+      const srcText = (await padManager.getPad(src)).text();
+      const dstText = (await padManager.getPad(dst)).text();
+      // setPadHTML appends a trailing newline on import, so dst is
+      // expected to be src plus one trailing '\n'.
+      const srcNorm = srcText.replace(/\n+$/, '\n');
+      const dstNorm = dstText.replace(/\n+$/, '\n');
+      assert.strictEqual(dstNorm, srcNorm,
+          `docx round-trip drift\nsrc:${JSON.stringify(srcText)}\ndst:${JSON.stringify(dstText)}`);
+    });
+  });
+
+  describe('HTML import — adjacent headings (#7538)', function () {
+    before(async function () {
+      // These tests assume ep_headings2 (or another plugin) registers
+      // h1/h2/etc. as server-side block elements via
+      // `ccRegisterBlockElements`. Without that hook, contentcollector
+      // treats <h1>/<h2> as inline and adjacent ones merge into a
+      // single pad line — making the assertions below moot. The CI
+      // backend-tests job runs without plugins installed, so skip
+      // there. Local dev with ep_headings2 installed exercises these.
+      const hooks = require('../../../static/js/pluginfw/hooks');
+      const ccBlockElems: string[] = ([] as string[]).concat(
+          ...(hooks.callAll('ccRegisterBlockElements') || []));
+      const headingsAreBlocks = ccBlockElems.map((t: string) => t.toLowerCase())
+          .includes('h1');
+      if (!headingsAreBlocks) {
+        this.skip();
+        return;
+      }
+      settings.soffice = null;
+    });
+
+    const importHtml = async (padId: string, html: string) => {
+      try { await padManager.removePad(padId); } catch { /* noop */ }
+      const tmp = path.join(os.tmpdir(),
+          `htmlimport-${process.pid}-${Date.now()}.html`);
+      await fs.writeFile(tmp, html);
+      try {
+        const r = await agent.post(`/p/${padId}/import`)
+            .attach('file', tmp).expect(200);
+        assert.strictEqual(r.body.code, 0,
+            `import failed: ${JSON.stringify(r.body)}`);
+      } finally {
+        await fs.unlink(tmp).catch(() => undefined);
+      }
+    };
+
+    it('does not introduce a blank line between H1 and H2', async function () {
+      const padId = 'test7538HtmlH1H2';
+      await importHtml(padId, '<html><body><h1>A</h1><h2>B</h2></body></html>');
+      const pad = await padManager.getPad(padId);
+      const lines = (pad.text().split('\n') as string[]).filter(
+          (l: string, i: number, arr: string[]) =>
+              // ignore the trailing blank line setPadHTML always appends
+              !(l === '' && i === arr.length - 1));
+      // We want exactly two content lines (A and B), no blank line
+      // injected between them.
+      const meaningful = lines.filter((l: string) => l.trim().length > 0);
+      assert.deepStrictEqual(meaningful.length, 2,
+          `expected 2 content lines, got: ${JSON.stringify(lines)}`);
+      const between = lines.slice(
+          lines.findIndex((l: string) => l.includes('A')) + 1,
+          lines.findIndex((l: string) => l.includes('B')));
+      assert.deepStrictEqual(between, [],
+          `expected no blank line between A and B, got: ${JSON.stringify(between)}`);
+    });
+
+    // Reproduce the realistic export-side shape: H1 + two blank pad lines
+    // (encoded by ep_align as `<br><p style></p><br><p style></p><br>`)
+    // + H2. The pad should round-trip back to H1, blank, blank, H2 -- not
+    // gain or lose blank lines.
+it('preserves blank-line count between H1 and H2 (realistic shape)', async function () {
+      const padId = 'test7538HtmlBlankLines';
+      const html =
+          '<html><body>' +
+          "<h1 style='text-align:right'>A</h1><br>" +
+          "<p style='text-align:right'></p><br>" +
+          "<p style='text-align:right'></p><br>" +
+          "<h2 style='text-align:center'>B</h2><br>" +
+          '</body></html>';
+      await importHtml(padId, html);
+      const pad = await padManager.getPad(padId);
+      const lines: string[] = pad.text().split('\n');
+      // Drop the trailing-newline appended by setPadHTML on import.
+      while (lines.length > 0 && lines[lines.length - 1] === '') lines.pop();
+      // Expect: A, '', '', B
+      const aIdx = lines.findIndex((l: string) => l.includes('A'));
+      const bIdx = lines.findIndex((l: string) => l.includes('B'));
+      assert.notStrictEqual(aIdx, -1, `expected A: ${JSON.stringify(lines)}`);
+      assert.notStrictEqual(bIdx, -1, `expected B: ${JSON.stringify(lines)}`);
+      const blankCount = bIdx - aIdx - 1;
+      assert.strictEqual(blankCount, 2,
+          `expected 2 blank lines between A and B, got ${blankCount}: ${JSON.stringify(lines)}`);
+    });
+  });
+
+  describe('Round-trip integrity: heading-style content (#7538)', function () {
+    before(function () {
+      try {
+        require.resolve('html-to-docx');
+        require.resolve('mammoth');
+      } catch {
+        this.skip();
+        return;
+      }
+      settings.soffice = null;
+    });
+
+    const fetchBuffer = (req: any): any => req
+        .buffer(true)
+        .parse((resp: any, cb: any) => {
+          const chunks: Buffer[] = [];
+          resp.on('data', (c: Buffer) => chunks.push(c));
+          resp.on('end', () => cb(null, Buffer.concat(chunks)));
+        });
+
+    it('keeps adjacent heading-style blocks on separate lines after round-trip', async function () {
+      // Regression: ep_headings2 emits <h1>/<h2>/<code> that aren't in
+      // contentcollector's default block-element set. Without the
+      // separateAdjacentHeadingBlocks fix, mammoth's <h1>A</h1><h2>B</h2>
+      // would merge into one pad line.
+      const srcPadId = 'test7538MultiHeading';
+      const dstPadId = 'test7538MultiHeadingImport';
+      const tmpFile = path.join(os.tmpdir(), `multiheading-${process.pid}.docx`);
+
+      try {
+        await padManager.removePad(srcPadId);
+        await padManager.removePad(dstPadId);
+      } catch { /* noop */ }
+
+      // Drive the import path directly with a hand-crafted DOCX whose
+      // content is just three adjacent block elements; this is what
+      // mammoth produces from the round-trip output of ep_headings2's
+      // pad HTML.
+      const htmlToDocx = require('html-to-docx');
+      const buf: Buffer = await htmlToDocx(
+          '<h1>Welcome</h1><h2>This pad</h2><p>Code line</p>');
+      await fs.writeFile(tmpFile, buf);
+
+      try {
+        await agent.post(`/p/${dstPadId}/import`)
+            .attach('file', tmpFile)
+            .expect(200);
+        const dstPad = await padManager.getPad(dstPadId);
+        const lines = dstPad.text().split('\n');
+        // Each block must land on its own line (lines may carry an
+        // etherpad heading marker prefix like '*' from ep_headings2).
+        const findLine = (needle: string) =>
+            lines.findIndex((l: string) => l.includes(needle));
+        const iWelcome = findLine('Welcome');
+        const iThisPad = findLine('This pad');
+        const iCode = findLine('Code line');
+        assert.notStrictEqual(iWelcome, -1,
+            `expected "Welcome" on its own line: ${JSON.stringify(lines)}`);
+        assert.notStrictEqual(iThisPad, -1,
+            `expected "This pad" on its own line: ${JSON.stringify(lines)}`);
+        assert.notStrictEqual(iCode, -1,
+            `expected "Code line" on its own line: ${JSON.stringify(lines)}`);
+        assert.ok(iWelcome !== iThisPad && iThisPad !== iCode,
+            `headings/code merged into the same line: ${JSON.stringify(lines)}`);
+      } finally {
+        await fs.unlink(tmpFile).catch(() => undefined);
+      }
+    });
+
+    it('preserves text content through native PDF export (sanity check)', async function () {
+      // PDF round-trip is one-way (no native PDF import) -- this just
+      // verifies the exported PDF has the source text in its visible
+      // content stream, so we know nothing got dropped on export.
+      const padId = 'test7538PdfSanity';
+      try { await padManager.removePad(padId); } catch { /* noop */ }
+      const pad = await padManager.getPad(padId, '\n');
+      await pad.setText('Hello PDF\nSecond line\n');
+
+      const exp = await fetchBuffer(agent.get(`/p/${padId}/export/pdf`))
+          .expect(200);
+      const pdf: Buffer = exp.body as Buffer;
+      assert.strictEqual(pdf.slice(0, 5).toString('ascii'), '%PDF-');
+
+      // pdfkit emits text as hex strings inside TJ ops; concat them and
+      // search the visible content.
+      const ascii = pdf.toString('latin1');
+      const visible: string[] = [];
+      const re = /<([0-9a-fA-F]{2,})>/g;
+      let m: RegExpExecArray | null;
+      while ((m = re.exec(ascii)) !== null) {
+        visible.push(Buffer.from(m[1], 'hex').toString('latin1'));
+      }
+      const concatenated = visible.join('');
+      assert.ok(concatenated.includes('Hello PDF'),
+          `expected "Hello PDF" in PDF visible content: ${concatenated}`);
+      assert.ok(concatenated.includes('Second line'),
+          `expected "Second line" in PDF visible content: ${concatenated}`);
+    });
+  });
+});

From ac9751cb0b5d5178f8fb461acdf9bd01816ade45 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 8 May 2026 19:44:25 +0200
Subject: [PATCH 12/25] build(deps-dev): bump the dev-dependencies group across
 1 directory with 6 updates (#7706)

Bumps the dev-dependencies group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `25.6.0` | `25.6.2` |
| [i18next](https://github.com/i18next/i18next) | `26.0.9` | `26.0.10` |
| [react](https://github.com/facebook/react/tree/HEAD/packages/react) | `19.2.5` | `19.2.6` |
| [react-dom](https://github.com/facebook/react/tree/HEAD/packages/react-dom) | `19.2.5` | `19.2.6` |
| [react-i18next](https://github.com/i18next/react-i18next) | `17.0.6` | `17.0.7` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `8.0.10` | `8.0.11` |



Updates `@types/node` from 25.6.0 to 25.6.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `i18next` from 26.0.9 to 26.0.10
- [Release notes](https://github.com/i18next/i18next/releases)
- [Changelog](https://github.com/i18next/i18next/blob/master/CHANGELOG.md)
- [Commits](https://github.com/i18next/i18next/compare/v26.0.9...v26.0.10)

Updates `react` from 19.2.5 to 19.2.6
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react)

Updates `react-dom` from 19.2.5 to 19.2.6
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/v19.2.6/packages/react-dom)

Updates `react-i18next` from 17.0.6 to 17.0.7
- [Changelog](https://github.com/i18next/react-i18next/blob/master/CHANGELOG.md)
- [Commits](https://github.com/i18next/react-i18next/compare/v17.0.6...v17.0.7)

Updates `vite` from 8.0.10 to 8.0.11
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v8.0.11/packages/vite)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-version: 25.6.2
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-dependencies
- dependency-name: i18next
  dependency-version: 26.0.10
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-dependencies
- dependency-name: react
  dependency-version: 19.2.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-dependencies
- dependency-name: react-dom
  dependency-version: 19.2.6
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-dependencies
- dependency-name: react-i18next
  dependency-version: 17.0.7
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-dependencies
- dependency-name: vite
  dependency-version: 8.0.11
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dev-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 admin/package.json |  10 +-
 bin/package.json   |   2 +-
 pnpm-lock.yaml     | 998 ++++++++++++++++-----------------------------
 src/package.json   |   2 +-
 ui/package.json    |   2 +-
 5 files changed, 358 insertions(+), 656 deletions(-)

diff --git a/admin/package.json b/admin/package.json
index 8bfb022db37..3084b5fbc2b 100644
--- a/admin/package.json
+++ b/admin/package.json
@@ -25,17 +25,17 @@
     "eslint": "^10.3.0",
     "eslint-plugin-react-hooks": "^7.1.1",
     "eslint-plugin-react-refresh": "^0.5.2",
-    "i18next": "^26.0.9",
+    "i18next": "^26.0.10",
     "i18next-browser-languagedetector": "^8.2.1",
     "lucide-react": "^1.14.0",
-    "react": "^19.2.5",
-    "react-dom": "^19.2.5",
+    "react": "^19.2.6",
+    "react-dom": "^19.2.6",
     "react-hook-form": "^7.75.0",
-    "react-i18next": "^17.0.6",
+    "react-i18next": "^17.0.7",
     "react-router-dom": "^7.15.0",
     "socket.io-client": "^4.8.3",
     "typescript": "^6.0.3",
-    "vite": "^8.0.10",
+    "vite": "^8.0.11",
     "vite-plugin-babel": "^1.6.0",
     "zustand": "^5.0.13"
   }
diff --git a/bin/package.json b/bin/package.json
index 6f0a31212cf..cdd062edc2f 100644
--- a/bin/package.json
+++ b/bin/package.json
@@ -14,7 +14,7 @@
     "ueberdb2": "^5.0.48"
   },
   "devDependencies": {
-    "@types/node": "^25.6.0",
+    "@types/node": "^25.6.2",
     "@types/semver": "^7.7.1",
     "typescript": "^6.0.3"
   },
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6f6e6a42caa..661fd42d5eb 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -45,14 +45,14 @@ importers:
     dependencies:
       '@radix-ui/react-switch':
         specifier: ^1.2.6
-        version: 1.2.6(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
+        version: 1.2.6(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
     devDependencies:
       '@radix-ui/react-dialog':
         specifier: ^1.1.15
-        version: 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
+        version: 1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
       '@radix-ui/react-toast':
         specifier: ^1.2.15
-        version: 1.2.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
+        version: 1.2.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
       '@types/react':
         specifier: ^19.2.14
         version: 19.2.14
@@ -67,7 +67,7 @@ importers:
         version: 8.59.2(eslint@10.3.0)(typescript@6.0.3)
       '@vitejs/plugin-react':
         specifier: ^6.0.1
-        version: 6.0.1(babel-plugin-react-compiler@19.1.0-rc.3)(vite@8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0))
+        version: 6.0.1(babel-plugin-react-compiler@19.1.0-rc.3)(vite@8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0))
       babel-plugin-react-compiler:
         specifier: 19.1.0-rc.3
         version: 19.1.0-rc.3
@@ -81,29 +81,29 @@ importers:
         specifier: ^0.5.2
         version: 0.5.2(eslint@10.3.0)
       i18next:
-        specifier: ^26.0.9
-        version: 26.0.9(typescript@6.0.3)
+        specifier: ^26.0.10
+        version: 26.0.10(typescript@6.0.3)
       i18next-browser-languagedetector:
         specifier: ^8.2.1
         version: 8.2.1
       lucide-react:
         specifier: ^1.14.0
-        version: 1.14.0(react@19.2.5)
+        version: 1.14.0(react@19.2.6)
       react:
-        specifier: ^19.2.5
-        version: 19.2.5
+        specifier: ^19.2.6
+        version: 19.2.6
       react-dom:
-        specifier: ^19.2.5
-        version: 19.2.5(react@19.2.5)
+        specifier: ^19.2.6
+        version: 19.2.6(react@19.2.6)
       react-hook-form:
         specifier: ^7.75.0
-        version: 7.75.0(react@19.2.5)
+        version: 7.75.0(react@19.2.6)
       react-i18next:
-        specifier: ^17.0.6
-        version: 17.0.6(i18next@26.0.9(typescript@6.0.3))(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(typescript@6.0.3)
+        specifier: ^17.0.7
+        version: 17.0.7(i18next@26.0.10(typescript@6.0.3))(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(typescript@6.0.3)
       react-router-dom:
         specifier: ^7.15.0
-        version: 7.15.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
+        version: 7.15.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
       socket.io-client:
         specifier: ^4.8.3
         version: 4.8.3
@@ -111,14 +111,14 @@ importers:
         specifier: ^6.0.3
         version: 6.0.3
       vite:
-        specifier: ^8.0.10
-        version: 8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0)
+        specifier: ^8.0.11
+        version: 8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0)
       vite-plugin-babel:
         specifier: ^1.6.0
-        version: 1.6.0(@babel/core@7.29.0)(vite@8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0))
+        version: 1.6.0(@babel/core@7.29.0)(vite@8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0))
       zustand:
         specifier: ^5.0.13
-        version: 5.0.13(@types/react@19.2.14)(react@19.2.5)(use-sync-external-store@1.6.0(react@19.2.5))
+        version: 5.0.13(@types/react@19.2.14)(react@19.2.6)(use-sync-external-store@1.6.0(react@19.2.6))
 
   bin:
     dependencies:
@@ -136,11 +136,11 @@ importers:
         version: 4.21.0
       ueberdb2:
         specifier: ^5.0.48
-        version: 5.0.48(@azure/core-client@1.10.1)(@opentelemetry/api@1.9.1)(@types/node@25.6.0)(tslib@2.8.1)(typescript@6.0.3)
+        version: 5.0.48(@azure/core-client@1.10.1)(@opentelemetry/api@1.9.1)(@types/node@25.6.2)(tslib@2.8.1)(typescript@6.0.3)
     devDependencies:
       '@types/node':
-        specifier: ^25.6.0
-        version: 25.6.0
+        specifier: ^25.6.2
+        version: 25.6.2
       '@types/semver':
         specifier: ^7.7.1
         version: 7.7.1
@@ -159,7 +159,7 @@ importers:
         version: 0.129.0
       vitepress:
         specifier: ^2.0.0-alpha.17
-        version: 2.0.0-alpha.17(@types/node@25.6.0)(jwt-decode@4.0.0)(lightningcss@1.32.0)(oxc-minify@0.129.0)(postcss@8.5.14)(tsx@4.21.0)(typescript@6.0.3)
+        version: 2.0.0-alpha.17(@types/node@25.6.2)(esbuild@0.28.0)(jwt-decode@4.0.0)(oxc-minify@0.129.0)(postcss@8.5.14)(tsx@4.21.0)(typescript@6.0.3)
 
   src:
     dependencies:
@@ -261,7 +261,7 @@ importers:
         version: 12.5.2(@azure/core-client@1.10.1)
       mysql2:
         specifier: ^3.22.3
-        version: 3.22.3(@types/node@25.6.0)
+        version: 3.22.3(@types/node@25.6.2)
       nano:
         specifier: ^11.0.5
         version: 11.0.5
@@ -333,7 +333,7 @@ importers:
         version: 4.21.0
       ueberdb2:
         specifier: ^5.0.48
-        version: 5.0.48(@azure/core-client@1.10.1)(@opentelemetry/api@1.9.1)(@types/node@25.6.0)(tslib@2.8.1)(typescript@6.0.3)
+        version: 5.0.48(@azure/core-client@1.10.1)(@opentelemetry/api@1.9.1)(@types/node@25.6.2)(tslib@2.8.1)(typescript@6.0.3)
       underscore:
         specifier: 1.13.8
         version: 1.13.8
@@ -396,8 +396,8 @@ importers:
         specifier: ^10.0.9
         version: 10.0.10
       '@types/node':
-        specifier: ^25.6.0
-        version: 25.6.0
+        specifier: ^25.6.2
+        version: 25.6.2
       '@types/oidc-provider':
         specifier: ^9.5.0
         version: 9.5.0
@@ -463,7 +463,7 @@ importers:
         version: 6.0.3
       vitest:
         specifier: ^4.1.5
-        version: 4.1.5(@opentelemetry/api@1.9.1)(@types/node@25.6.0)(jsdom@29.1.1(@noble/hashes@1.8.0))(vite@8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0))
+        version: 4.1.5(@opentelemetry/api@1.9.1)(@types/node@25.6.2)(jsdom@29.1.1(@noble/hashes@1.8.0))(vite@8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0))
 
   ui:
     devDependencies:
@@ -474,8 +474,8 @@ importers:
         specifier: ^6.0.3
         version: 6.0.3
       vite:
-        specifier: ^8.0.10
-        version: 8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0)
+        specifier: ^8.0.11
+        version: 8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0)
 
 packages:
 
@@ -1382,8 +1382,8 @@ packages:
     cpu: [x64]
     os: [win32]
 
-  '@oxc-project/types@0.127.0':
-    resolution: {integrity: sha512-aIYXQBo4lCbO4z0R3FHeucQHpF46l2LbMdxRvqvuRuW2OxdnSkcng5B8+K12spgLDj93rtN3+J2Vac/TIO+ciQ==}
+  '@oxc-project/types@0.128.0':
+    resolution: {integrity: sha512-huv1Y/LzBJkBVHt3OlC7u0zHBW9qXf1FdD7sGmc1rXc2P1mTwHssYv7jyGx5KAACSCH+9B3Bhn6Z9luHRvf7pQ==}
 
   '@paralleldrive/cuid2@2.2.2':
     resolution: {integrity: sha512-ZOBkgDwEdoYVlSeRbYYXs0S9MejQofiVYoTbKzy/6GQa39/q5tQU2IX46+shYnUkpEl3wc+J6wRlar7r2EK2xA==}
@@ -1674,103 +1674,103 @@ packages:
     peerDependencies:
       '@redis/client': ^5.12.1
 
-  '@rolldown/binding-android-arm64@1.0.0-rc.17':
-    resolution: {integrity: sha512-s70pVGhw4zqGeFnXWvAzJDlvxhlRollagdCCKRgOsgUOH3N1l0LIxf83AtGzmb5SiVM4Hjl5HyarMRfdfj3DaQ==}
+  '@rolldown/binding-android-arm64@1.0.0-rc.18':
+    resolution: {integrity: sha512-lIDyUAfD7U3+BWKzdxMbJcsYHuqXqmGz40aeRqvuAm3y5TkJSYTBW2RDrn65DJFPQqVjUAUqq5uz8urzQ8aBdQ==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm64]
     os: [android]
 
-  '@rolldown/binding-darwin-arm64@1.0.0-rc.17':
-    resolution: {integrity: sha512-4ksWc9n0mhlZpZ9PMZgTGjeOPRu8MB1Z3Tz0Mo02eWfWCHMW1zN82Qz/pL/rC+yQa+8ZnutMF0JjJe7PjwasYw==}
+  '@rolldown/binding-darwin-arm64@1.0.0-rc.18':
+    resolution: {integrity: sha512-apJq2ktnGp27nSInMR5Vcj8kY6xJzDAvfdIFlpDcAK/w4cDO58qVoi1YQsES/SKiFNge/6e4CUzgjfHduYqWpQ==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm64]
     os: [darwin]
 
-  '@rolldown/binding-darwin-x64@1.0.0-rc.17':
-    resolution: {integrity: sha512-SUSDOI6WwUVNcWxd02QEBjLdY1VPHvlEkw6T/8nYG322iYWCTxRb1vzk4E+mWWYehTp7ERibq54LSJGjmouOsw==}
+  '@rolldown/binding-darwin-x64@1.0.0-rc.18':
+    resolution: {integrity: sha512-5Ofot8xbs+pxRHJqm9/9N/4sTQOvdrwEsmPE9pdLEEoAbdZtG6F2LMDfO1sp6ZAtXJuJV/21ew2srq3W8NXB5g==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [x64]
     os: [darwin]
 
-  '@rolldown/binding-freebsd-x64@1.0.0-rc.17':
-    resolution: {integrity: sha512-hwnz3nw9dbJ05EDO/PvcjaaewqqDy7Y1rn1UO81l8iIK1GjenME75dl16ajbvSSMfv66WXSRCYKIqfgq2KCfxw==}
+  '@rolldown/binding-freebsd-x64@1.0.0-rc.18':
+    resolution: {integrity: sha512-7h8eeOTT1eyqJyx64BFCnWZpNm486hGWt2sqeLLgDxA0xI1oGZ9H7gK1S85uNGmBhkdPwa/6reTxfFFKvIsebw==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [x64]
     os: [freebsd]
 
-  '@rolldown/binding-linux-arm-gnueabihf@1.0.0-rc.17':
-    resolution: {integrity: sha512-IS+W7epTcwANmFSQFrS1SivEXHtl1JtuQA9wlxrZTcNi6mx+FDOYrakGevvvTwgj2JvWiK8B29/qD9BELZPyXQ==}
+  '@rolldown/binding-linux-arm-gnueabihf@1.0.0-rc.18':
+    resolution: {integrity: sha512-eRcm/HVt9U/JFu5RKAEKwGQYtDCKWLiaH6wOnsSEp6NMBb/3Os8LgHZlNyzMpFVNmiiMFlfb2zEnebfzJrHFmg==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm]
     os: [linux]
 
-  '@rolldown/binding-linux-arm64-gnu@1.0.0-rc.17':
-    resolution: {integrity: sha512-e6usGaHKW5BMNZOymS1UcEYGowQMWcgZ71Z17Sl/h2+ZziNJ1a9n3Zvcz6LdRyIW5572wBCTH/Z+bKuZouGk9Q==}
+  '@rolldown/binding-linux-arm64-gnu@1.0.0-rc.18':
+    resolution: {integrity: sha512-SOrT/cT4ukTmgnrEz/Hg3m7LBnuCLW9psDeMKrimRWY4I8DmnO7Lco8W2vtqPmMkbVu8iJ+g4GFLVLLOVjJ9DQ==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm64]
     os: [linux]
     libc: [glibc]
 
-  '@rolldown/binding-linux-arm64-musl@1.0.0-rc.17':
-    resolution: {integrity: sha512-b/CgbwAJpmrRLp02RPfhbudf5tZnN9nsPWK82znefso832etkem8H7FSZwxrOI9djcdTP7U6YfNhbRnh7djErg==}
+  '@rolldown/binding-linux-arm64-musl@1.0.0-rc.18':
+    resolution: {integrity: sha512-QWjdxN1HJCpBTAcZ5N5F7wju3gVPzRzSpmGzx7na0c/1qpN9CFil+xt+l9lV/1M6/gqHSNXCiqPfwhVJPeLnug==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm64]
     os: [linux]
     libc: [musl]
 
-  '@rolldown/binding-linux-ppc64-gnu@1.0.0-rc.17':
-    resolution: {integrity: sha512-4EII1iNGRUN5WwGbF/kOh/EIkoDN9HsupgLQoXfY+D1oyJm7/F4t5PYU5n8SWZgG0FEwakyM8pGgwcBYruGTlA==}
+  '@rolldown/binding-linux-ppc64-gnu@1.0.0-rc.18':
+    resolution: {integrity: sha512-ugCOyj7a4d9h3q9B+wXmf6g3a68UsjGh6dob5DHevHGMwDUbhsYNbSPxJsENcIttJZ9jv7qGM2UesLw5jqIhdg==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [ppc64]
     os: [linux]
     libc: [glibc]
 
-  '@rolldown/binding-linux-s390x-gnu@1.0.0-rc.17':
-    resolution: {integrity: sha512-AH8oq3XqQo4IibpVXvPeLDI5pzkpYn0WiZAfT05kFzoJ6tQNzwRdDYQ45M8I/gslbodRZwW8uxLhbSBbkv96rA==}
+  '@rolldown/binding-linux-s390x-gnu@1.0.0-rc.18':
+    resolution: {integrity: sha512-kKWRhbsotpXkGbcd5dllUWg5gEXcDAa8u5YnP9AV5DYNbvJHGzzuwv7dpmhc8NqKMJldl0a+x76IHbspEpEmdA==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [s390x]
     os: [linux]
     libc: [glibc]
 
-  '@rolldown/binding-linux-x64-gnu@1.0.0-rc.17':
-    resolution: {integrity: sha512-cLnjV3xfo7KslbU41Z7z8BH/E1y5mzUYzAqih1d1MDaIGZRCMqTijqLv76/P7fyHuvUcfGsIpqCdddbxLLK9rA==}
+  '@rolldown/binding-linux-x64-gnu@1.0.0-rc.18':
+    resolution: {integrity: sha512-uCo8ElcCIAMyYAZyuIZ81oFkhTSIllNvUCHCAlbhlN4ji3uC28h7IIdlXyIvGO7HsuqnV9p3rD/bpH7XhIyhRw==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [x64]
     os: [linux]
     libc: [glibc]
 
-  '@rolldown/binding-linux-x64-musl@1.0.0-rc.17':
-    resolution: {integrity: sha512-0phclDw1spsL7dUB37sIARuis2tAgomCJXAHZlpt8PXZ4Ba0dRP1e+66lsRqrfhISeN9bEGNjQs+T/Fbd7oYGw==}
+  '@rolldown/binding-linux-x64-musl@1.0.0-rc.18':
+    resolution: {integrity: sha512-XNOQZtuE6yUIvx4rwGemwh8kpL1xvU41FXy/s9K7T/3JVcqGzo3NfKM2HrbrGgfPYGFW42f07Wk++aOC6B9NWA==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [x64]
     os: [linux]
     libc: [musl]
 
-  '@rolldown/binding-openharmony-arm64@1.0.0-rc.17':
-    resolution: {integrity: sha512-0ag/hEgXOwgw4t8QyQvUCxvEg+V0KBcA6YuOx9g0r02MprutRF5dyljgm3EmR02O292UX7UeS6HzWHAl6KgyhA==}
+  '@rolldown/binding-openharmony-arm64@1.0.0-rc.18':
+    resolution: {integrity: sha512-tSn/kzrfa7tNOXr7sEacDBN4YsIqTyLqh45IO0nHDwtpKIDNDJr+VFojt+4klSpChxB29JLyduSsE0MKEwa65A==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm64]
     os: [openharmony]
 
-  '@rolldown/binding-wasm32-wasi@1.0.0-rc.17':
-    resolution: {integrity: sha512-LEXei6vo0E5wTGwpkJ4KoT3OZJRnglwldt5ziLzOlc6qqb55z4tWNq2A+PFqCJuvWWdP53CVhG1Z9NtToDPJrA==}
+  '@rolldown/binding-wasm32-wasi@1.0.0-rc.18':
+    resolution: {integrity: sha512-+J9YGmc+czgqlhYmwun3S3O0FIZhsH8ep2456xwjAdIOmuJxM7xz4P4PtrxU+Bz17a/5bqPA8o3HAAoX0teUdg==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [wasm32]
 
-  '@rolldown/binding-win32-arm64-msvc@1.0.0-rc.17':
-    resolution: {integrity: sha512-gUmyzBl3SPMa6hrqFUth9sVfcLBlYsbMzBx5PlexMroZStgzGqlZ26pYG89rBb45Mnia+oil6YAIFeEWGWhoZA==}
+  '@rolldown/binding-win32-arm64-msvc@1.0.0-rc.18':
+    resolution: {integrity: sha512-zsu47DgU0FQzSwi6sU9dZoEdUv7pc1AptSEz/Z8HBg54sV0Pbs3N0+CrIbTsgiu6EyoaNN9CHboqbLaz9lhOyQ==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [arm64]
     os: [win32]
 
-  '@rolldown/binding-win32-x64-msvc@1.0.0-rc.17':
-    resolution: {integrity: sha512-3hkiolcUAvPB9FLb3UZdfjVVNWherN1f/skkGWJP/fgSQhYUZpSIRr0/I8ZK9TkF3F7kxvJAk0+IcKvPHk9qQg==}
+  '@rolldown/binding-win32-x64-msvc@1.0.0-rc.18':
+    resolution: {integrity: sha512-7H+3yqGgmnlDTRRhw/xpYY9J1kf4GC681nVc4GqKhExZTDrVVrV2tsOR9kso0fvgBdcTCcQShx4SLLoHgaLwhg==}
     engines: {node: ^20.19.0 || >=22.12.0}
     cpu: [x64]
     os: [win32]
 
-  '@rolldown/pluginutils@1.0.0-rc.17':
-    resolution: {integrity: sha512-n8iosDOt6Ig1UhJ2AYqoIhHWh/isz0xpicHTzpKBeotdVsTEcxsSA/i3EVM7gQAj0rU27OLAxCjzlj15IWY7bg==}
+  '@rolldown/pluginutils@1.0.0-rc.18':
+    resolution: {integrity: sha512-CUY5Mnhe64xQBGZEEXQ5WyZwsc1JU3vAZLIxtrsBt3LO6UOb+C8GunVKqe9sT8NeWb4lqSaoJtp2xo6GxT1MNw==}
 
   '@rolldown/pluginutils@1.0.0-rc.2':
     resolution: {integrity: sha512-izyXV/v+cHiRfozX62W9htOAvwMo4/bXKDrQ+vom1L1qRuexPock/7VZDAhnpHCLNejd3NJ6hiab+tO0D44Rgw==}
@@ -1778,144 +1778,6 @@ packages:
   '@rolldown/pluginutils@1.0.0-rc.7':
     resolution: {integrity: sha512-qujRfC8sFVInYSPPMLQByRh7zhwkGFS4+tyMQ83srV1qrxL4g8E2tyxVVyxd0+8QeBM1mIk9KbWxkegRr76XzA==}
 
-  '@rollup/rollup-android-arm-eabi@4.60.3':
-    resolution: {integrity: sha512-x35CNW/ANXG3hE/EZpRU8MXX1JDN86hBb2wMGAtltkz7pc6cxgjpy1OMMfDosOQ+2hWqIkag/fGok1Yady9nGw==}
-    cpu: [arm]
-    os: [android]
-
-  '@rollup/rollup-android-arm64@4.60.3':
-    resolution: {integrity: sha512-xw3xtkDApIOGayehp2+Rz4zimfkaX65r4t47iy+ymQB2G4iJCBBfj0ogVg5jpvjpn8UWn/+q9tprxleYeNp3Hw==}
-    cpu: [arm64]
-    os: [android]
-
-  '@rollup/rollup-darwin-arm64@4.60.3':
-    resolution: {integrity: sha512-vo6Y5Qfpx7/5EaamIwi0WqW2+zfiusVihKatLvtN1VFVy3D13uERk/6gZLU1UiHRL6fDXqj/ELIeVRGnvcTE1g==}
-    cpu: [arm64]
-    os: [darwin]
-
-  '@rollup/rollup-darwin-x64@4.60.3':
-    resolution: {integrity: sha512-D+0QGcZhBzTN82weOnsSlY7V7+RMmPuF1CkbxyMAGE8+ZHeUjyb76ZiWmBlCu//AQQONvxcqRbwZTajZKqjuOw==}
-    cpu: [x64]
-    os: [darwin]
-
-  '@rollup/rollup-freebsd-arm64@4.60.3':
-    resolution: {integrity: sha512-6HnvHCT7fDyj6R0Ph7A6x8dQS/S38MClRWeDLqc0MdfWkxjiu1HSDYrdPhqSILzjTIC/pnXbbJbo+ft+gy/9hQ==}
-    cpu: [arm64]
-    os: [freebsd]
-
-  '@rollup/rollup-freebsd-x64@4.60.3':
-    resolution: {integrity: sha512-KHLgC3WKlUYW3ShFKnnosZDOJ0xjg9zp7au3sIm2bs/tGBeC2ipmvRh/N7JKi0t9Ue20C0dpEshi8WUubg+cnA==}
-    cpu: [x64]
-    os: [freebsd]
-
-  '@rollup/rollup-linux-arm-gnueabihf@4.60.3':
-    resolution: {integrity: sha512-DV6fJoxEYWJOvaZIsok7KrYl0tPvga5OZ2yvKHNNYyk/2roMLqQAbGhr78EQ5YhHpnhLKJD3S1WFusAkmUuV5g==}
-    cpu: [arm]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-arm-musleabihf@4.60.3':
-    resolution: {integrity: sha512-mQKoJAzvuOs6F+TZybQO4GOTSMUu7v0WdxEk24krQ/uUxXoPTtHjuaUuPmFhtBcM4K0ons8nrE3JyhTuCFtT/w==}
-    cpu: [arm]
-    os: [linux]
-    libc: [musl]
-
-  '@rollup/rollup-linux-arm64-gnu@4.60.3':
-    resolution: {integrity: sha512-Whjj2qoiJ6+OOJMGptTYazaJvjOJm+iKHpXQM1P3LzGjt7Ff++Tp7nH4N8J/BUA7R9IHfDyx4DJIflifwnbmIA==}
-    cpu: [arm64]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-arm64-musl@4.60.3':
-    resolution: {integrity: sha512-4YTNHKqGng5+yiZt3mg77nmyuCfmNfX4fPmyUapBcIk+BdwSwmCWGXOUxhXbBEkFHtoN5boLj/5NON+u5QC9tg==}
-    cpu: [arm64]
-    os: [linux]
-    libc: [musl]
-
-  '@rollup/rollup-linux-loong64-gnu@4.60.3':
-    resolution: {integrity: sha512-SU3kNlhkpI4UqlUc2VXPGK9o886ZsSeGfMAX2ba2b8DKmMXq4AL7KUrkSWVbb7koVqx41Yczx6dx5PNargIrEA==}
-    cpu: [loong64]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-loong64-musl@4.60.3':
-    resolution: {integrity: sha512-6lDLl5h4TXpB1mTf2rQWnAk/LcXrx9vBfu/DT5TIPhvMhRWaZ5MxkIc8u4lJAmBo6klTe1ywXIUHFjylW505sg==}
-    cpu: [loong64]
-    os: [linux]
-    libc: [musl]
-
-  '@rollup/rollup-linux-ppc64-gnu@4.60.3':
-    resolution: {integrity: sha512-BMo8bOw8evlup/8G+cj5xWtPyp93xPdyoSN16Zy90Q2QZ0ZYRhCt6ZJSwbrRzG9HApFabjwj2p25TUPDWrhzqQ==}
-    cpu: [ppc64]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-ppc64-musl@4.60.3':
-    resolution: {integrity: sha512-E0L8X1dZN1/Rph+5VPF6Xj2G7JJvMACVXtamTJIDrVI44Y3K+G8gQaMEAavbqCGTa16InptiVrX6eM6pmJ+7qA==}
-    cpu: [ppc64]
-    os: [linux]
-    libc: [musl]
-
-  '@rollup/rollup-linux-riscv64-gnu@4.60.3':
-    resolution: {integrity: sha512-oZJ/WHaVfHUiRAtmTAeo3DcevNsVvH8mbvodjZy7D5QKvCefO371SiKRpxoDcCxB3PTRTLayWBkvmDQKTcX/sw==}
-    cpu: [riscv64]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-riscv64-musl@4.60.3':
-    resolution: {integrity: sha512-Dhbyh7j9FybM3YaTgaHmVALwA8AkUwTPccyCQ79TG9AJUsMQqgN1DDEZNr4+QUfwiWvLDumW5vdwzoeUF+TNxQ==}
-    cpu: [riscv64]
-    os: [linux]
-    libc: [musl]
-
-  '@rollup/rollup-linux-s390x-gnu@4.60.3':
-    resolution: {integrity: sha512-cJd1X5XhHHlltkaypz1UcWLA8AcoIi1aWhsvaWDskD1oz2eKCypnqvTQ8ykMNI0RSmm7NkTdSqSSD7zM0xa6Ig==}
-    cpu: [s390x]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-x64-gnu@4.60.3':
-    resolution: {integrity: sha512-DAZDBHQfG2oQuhY7mc6I3/qB4LU2fQCjRvxbDwd/Jdvb9fypP4IJ4qmtu6lNjes6B531AI8cg1aKC2di97bUxA==}
-    cpu: [x64]
-    os: [linux]
-    libc: [glibc]
-
-  '@rollup/rollup-linux-x64-musl@4.60.3':
-    resolution: {integrity: sha512-cRxsE8c13mZOh3vP+wLDxpQBRrOHDIGOWyDL93Sy0Ga8y515fBcC2pjUfFwUe5T7tqvTvWbCpg1URM/AXdWIXA==}
-    cpu: [x64]
-    os: [linux]
-    libc: [musl]
-
-  '@rollup/rollup-openbsd-x64@4.60.3':
-    resolution: {integrity: sha512-QaWcIgRxqEdQdhJqW4DJctsH6HCmo5vHxY0krHSX4jMtOqfzC+dqDGuHM87bu4H8JBeibWx7jFz+h6/4C8wA5Q==}
-    cpu: [x64]
-    os: [openbsd]
-
-  '@rollup/rollup-openharmony-arm64@4.60.3':
-    resolution: {integrity: sha512-AaXwSvUi3QIPtroAUw1t5yHGIyqKEXwH54WUocFolZhpGDruJcs8c+xPNDRn4XiQsS7MEwnYsHW2l0MBLDMkWg==}
-    cpu: [arm64]
-    os: [openharmony]
-
-  '@rollup/rollup-win32-arm64-msvc@4.60.3':
-    resolution: {integrity: sha512-65LAKM/bAWDqKNEelHlcHvm2V+Vfb8C6INFxQXRHCvaVN1rJfwr4NvdP4FyzUaLqWfaCGaadf6UbTm8xJeYfEg==}
-    cpu: [arm64]
-    os: [win32]
-
-  '@rollup/rollup-win32-ia32-msvc@4.60.3':
-    resolution: {integrity: sha512-EEM2gyhBF5MFnI6vMKdX1LAosE627RGBzIoGMdLloPZkXrUN0Ckqgr2Qi8+J3zip/8NVVro3/FjB+tjhZUgUHA==}
-    cpu: [ia32]
-    os: [win32]
-
-  '@rollup/rollup-win32-x64-gnu@4.60.3':
-    resolution: {integrity: sha512-E5Eb5H/DpxaoXH++Qkv28RcUJboMopmdDUALBczvHMf7hNIxaDZqwY5lK12UK1BHacSmvupoEWGu+n993Z0y1A==}
-    cpu: [x64]
-    os: [win32]
-
-  '@rollup/rollup-win32-x64-msvc@4.60.3':
-    resolution: {integrity: sha512-hPt/bgL5cE+Qp+/TPHBqptcAgPzgj46mPcg/16zNUmbQk0j+mOEQV/+Lqu8QRtDV3Ek95Q6FeFITpuhl6OTsAA==}
-    cpu: [x64]
-    os: [win32]
-
   '@rtsao/scc@1.1.0':
     resolution: {integrity: sha512-zt6OdqaDoOnJ1ZYsCYGt9YmWzDXl4vQdKTyJev62gFhRGKdx7mcT54V9KIjg+d2wi9EXsPvAPKe7i7WjfVWB8g==}
 
@@ -2135,8 +1997,11 @@ packages:
   '@types/node@24.12.2':
     resolution: {integrity: sha512-A1sre26ke7HDIuY/M23nd9gfB+nrmhtYyMINbjI1zHJxYteKR6qSMX56FsmjMcDb3SMcjJg5BiRRgOCC/yBD0g==}
 
-  '@types/node@25.6.0':
-    resolution: {integrity: sha512-+qIYRKdNYJwY3vRCZMdJbPLJAtGjQBudzZzdzwQYkEPQd+PJGixUL5QfvCLDaULoLv+RhT3LDkwEfKaAkgSmNQ==}
+  '@types/node@25.6.1':
+    resolution: {integrity: sha512-coJCN8O1q4AGyyqCAUSP06P+SrMTu18BkEj3NVAK07q6QUneD2wzj3CLv9+yP+BMeZQlMvneXqqvDe3w+xcq7g==}
+
+  '@types/node@25.6.2':
+    resolution: {integrity: sha512-sokuT28dxf9JT5Kady1fsXOvI4HVpjZa95NKT5y9PNTIrs2AsobR4GFAA90ZG8M+nxVRLysCXsVj6eGC7Vbrlw==}
 
   '@types/oidc-provider@9.5.0':
     resolution: {integrity: sha512-eEzCRVTSqIHD9Bo/qRJ4XQWQ5Z/zBcG+Z2cGJluRsSuWx1RJihqRyPxhIEpMXTwPzHYRTQkVp7hwisQOwzzSAg==}
@@ -3127,8 +2992,8 @@ packages:
     resolution: {integrity: sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==}
     engines: {node: '>= 0.8', npm: 1.2.8000 || >= 1.4.16}
 
-  detect-libc@2.1.1:
-    resolution: {integrity: sha512-ecqj/sy1jcK1uWrwpR67UhYrIFQ+5WlGxth34WquCbamhFA6hkkwiu37o6J5xCHdo1oixJRfVRw+ywV+Hq/0Aw==}
+  detect-libc@2.1.2:
+    resolution: {integrity: sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==}
     engines: {node: '>=8'}
 
   detect-node-es@1.1.0:
@@ -3911,8 +3776,8 @@ packages:
   i18next-browser-languagedetector@8.2.1:
     resolution: {integrity: sha512-bZg8+4bdmaOiApD7N7BPT9W8MLZG+nPTOFlLiJiT8uzKXFjhxw4v2ierCXOwB5sFDMtuA5G4kgYZ0AznZxQ/cw==}
 
-  i18next@26.0.9:
-    resolution: {integrity: sha512-htjWlK5lGpjIDJxUdDLD6dO2jPl/RZHBpeZC80T5yr6Lci/tN3Oq9Doh9110ihliAIb4xmb45ngM76WcbP6GjA==}
+  i18next@26.0.10:
+    resolution: {integrity: sha512-k3yGPAlWR2RdMYoVXJoDZDT87qeHIWKH7gVksdZMpRty7QX/D9QZeYGvN08KGbKHke9wn01eYT+EEsrqX/YTlw==}
     peerDependencies:
       typescript: ^5 || ^6
     peerDependenciesMeta:
@@ -4616,6 +4481,11 @@ packages:
     engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1}
     hasBin: true
 
+  nanoid@3.3.12:
+    resolution: {integrity: sha512-ZB9RH/39qpq5Vu6Y+NmUaFhQR6pp+M2Xt76XBnEwDaGcVAqhlvxrl3B2bKS5D3NH3QR76v3aSrKaF/Kiy7lEtQ==}
+    engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1}
+    hasBin: true
+
   nanoid@5.1.9:
     resolution: {integrity: sha512-ZUvP7KeBLe3OZ1ypw6dI/TzYJuvHP77IM4Ry73waSQTLn8/g8rpdjfyVAh7t1/+FjBtG4lCP42MEbDxOsRpBMw==}
     engines: {node: ^18 || >=20}
@@ -4896,10 +4766,6 @@ packages:
     resolution: {integrity: sha512-SoSL4+OSEtR99LHFZQiJLkT59C5B1amGO1NzTwj7TT1qCUgUO6hxOvzkOYxD+vMrXBM3XJIKzokoERdqQq/Zmg==}
     engines: {node: ^10 || ^12 || >=14}
 
-  postcss@8.5.8:
-    resolution: {integrity: sha512-OW/rX8O/jXnm82Ey1k44pObPtdblfiuWnrd8X7GJ7emImCOstunGbXUpp7HdBrFQX6rJzn3sPT397Wp5aCwCHg==}
-    engines: {node: ^10 || ^12 || >=14}
-
   postgres-array@2.0.0:
     resolution: {integrity: sha512-VpZrUqU5A69eQyW2c5CA1jtLecCsN2U/bD6VilrFDWq5+5UIEVO7nazS3TEcHf1zuPYO/sqGvUvW62g86RXZuA==}
     engines: {node: '>=4'}
@@ -4987,10 +4853,10 @@ packages:
     resolution: {integrity: sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==}
     engines: {node: '>= 0.10'}
 
-  react-dom@19.2.5:
-    resolution: {integrity: sha512-J5bAZz+DXMMwW/wV3xzKke59Af6CHY7G4uYLN1OvBcKEsWOs4pQExj86BBKamxl/Ik5bx9whOrvBlSDfWzgSag==}
+  react-dom@19.2.6:
+    resolution: {integrity: sha512-0prMI+hvBbPjsWnxDLxlCGyM8PN6UuWjEUCYmZhO67xIV9Xasa/r/vDnq+Xyq4Lo27g8QSbO5YzARu0D1Sps3g==}
     peerDependencies:
-      react: ^19.2.5
+      react: ^19.2.6
 
   react-hook-form@7.75.0:
     resolution: {integrity: sha512-Ovv94H+0p3sJ7B9B5QxPuCP1u8V/cHuVGyH55cSwodYDtoJwK+fqk3vjfIgSX59I2U/bU4z0nRJ9HMLpNiWEmw==}
@@ -4998,10 +4864,10 @@ packages:
     peerDependencies:
       react: ^16.8.0 || ^17 || ^18 || ^19
 
-  react-i18next@17.0.6:
-    resolution: {integrity: sha512-WzJ6SMKF+GTD7JZZqxSR1AKKmXjaSu39sClUrNlwxS4Tl7a99O+ltFy6yhPMO+wgZuxpQjJ2PZkfrQKmAqrLhw==}
+  react-i18next@17.0.7:
+    resolution: {integrity: sha512-rwtPXsb/zwzDafN+gytcjF5YnqGQQIRmCQ6DctBC1VSipRB8GD/MWEVrFP42vjMyuYydxWxM8CZRt+yiNuuoHg==}
     peerDependencies:
-      i18next: '>= 26.0.1'
+      i18next: '>= 26.0.10'
       react: '>= 16.8.0'
       react-dom: '*'
       react-native: '*'
@@ -5061,8 +4927,8 @@ packages:
       '@types/react':
         optional: true
 
-  react@19.2.5:
-    resolution: {integrity: sha512-llUJLzz1zTUBrskt2pwZgLq59AemifIftw4aB7JxOqf1HY2FDaGDxgwpAPVzHU1kdWabH7FauP4i1oEeer2WCA==}
+  react@19.2.6:
+    resolution: {integrity: sha512-sfWGGfavi0xr8Pg0sVsyHMAOziVYKgPLNrS7ig+ivMNb3wbCBw3KxtflsGBAwD3gYQlE/AEZsTLgToRrSCjb0Q==}
     engines: {node: '>=0.10.0'}
 
   readable-stream@2.3.8:
@@ -5152,16 +5018,11 @@ packages:
   rfdc@1.4.1:
     resolution: {integrity: sha512-q1b3N5QkRUWUl7iyylaaj3kOpIT0N2i9MqIEQXP73GVsN9cw3fdx8X63cEmWhJGi2PPCF23Ijp7ktmd39rawIA==}
 
-  rolldown@1.0.0-rc.17:
-    resolution: {integrity: sha512-ZrT53oAKrtA4+YtBWPQbtPOxIbVDbxT0orcYERKd63VJTF13zPcgXTvD4843L8pcsI7M6MErt8QtON6lrB9tyA==}
+  rolldown@1.0.0-rc.18:
+    resolution: {integrity: sha512-phmyKBpuBdRYDf4hgyynGAYn/rDDe+iZXKVJ7WX5b1zQzpLkP5oJRPGsfJuHdzPMlyyEO/4sPW6yfSx2gf7lVg==}
     engines: {node: ^20.19.0 || >=22.12.0}
     hasBin: true
 
-  rollup@4.60.3:
-    resolution: {integrity: sha512-pAQK9HalE84QSm4Po3EmWIZPd3FnjkShVkiMlz1iligWYkWQ7wHYd1PF/T7QZ5TVSD6uSTon5gBVMSM4JfBV+A==}
-    engines: {node: '>=18.0.0', npm: '>=8.0.0'}
-    hasBin: true
-
   router@2.2.0:
     resolution: {integrity: sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==}
     engines: {node: '>= 18'}
@@ -5846,53 +5707,13 @@ packages:
       '@babel/core': ^7.0.0
       vite: '>=7.3.2'
 
-  vite@7.3.2:
-    resolution: {integrity: sha512-Bby3NOsna2jsjfLVOHKes8sGwgl4TT0E6vvpYgnAYDIF/tie7MRaFthmKuHx1NSXjiTueXH3do80FMQgvEktRg==}
+  vite@8.0.11:
+    resolution: {integrity: sha512-Jz1mxtUBR5xTT65VOdJZUUeoyLtqljmFkiUXhPTLZka3RDc9vpi/xXkyrnsdRcm2lIi3l3GPMnAidTsEGIj3Ow==}
     engines: {node: ^20.19.0 || >=22.12.0}
     hasBin: true
     peerDependencies:
       '@types/node': ^20.19.0 || >=22.12.0
-      jiti: '>=1.21.0'
-      less: ^4.0.0
-      lightningcss: ^1.21.0
-      sass: ^1.70.0
-      sass-embedded: ^1.70.0
-      stylus: '>=0.54.8'
-      sugarss: ^5.0.0
-      terser: ^5.16.0
-      tsx: ^4.8.1
-      yaml: ^2.4.2
-    peerDependenciesMeta:
-      '@types/node':
-        optional: true
-      jiti:
-        optional: true
-      less:
-        optional: true
-      lightningcss:
-        optional: true
-      sass:
-        optional: true
-      sass-embedded:
-        optional: true
-      stylus:
-        optional: true
-      sugarss:
-        optional: true
-      terser:
-        optional: true
-      tsx:
-        optional: true
-      yaml:
-        optional: true
-
-  vite@8.0.10:
-    resolution: {integrity: sha512-rZuUu9j6J5uotLDs+cAA4O5H4K1SfPliUlQwqa6YEwSrWDZzP4rhm00oJR5snMewjxF5V/K3D4kctsUTsIU9Mw==}
-    engines: {node: ^20.19.0 || >=22.12.0}
-    hasBin: true
-    peerDependencies:
-      '@types/node': ^20.19.0 || >=22.12.0
-      '@vitejs/devtools': ^0.1.0
+      '@vitejs/devtools': ^0.1.18
       esbuild: ^0.27.0 || ^0.28.0
       jiti: '>=1.21.0'
       less: ^4.0.0
@@ -6978,7 +6799,7 @@ snapshots:
   '@oxc-minify/binding-win32-x64-msvc@0.129.0':
     optional: true
 
-  '@oxc-project/types@0.127.0': {}
+  '@oxc-project/types@0.128.0': {}
 
   '@paralleldrive/cuid2@2.2.2':
     dependencies:
@@ -6993,217 +6814,217 @@ snapshots:
 
   '@radix-ui/primitive@1.1.3': {}
 
-  '@radix-ui/react-collection@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)':
+  '@radix-ui/react-collection@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)':
     dependencies:
-      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.5)
-      react: 19.2.5
-      react-dom: 19.2.5(react@19.2.5)
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.6)
+      react: 19.2.6
+      react-dom: 19.2.6(react@19.2.6)
     optionalDependencies:
       '@types/react': 19.2.14
       '@types/react-dom': 19.2.3(@types/react@19.2.14)
 
-  '@radix-ui/react-compose-refs@1.1.2(@types/react@19.2.14)(react@19.2.5)':
+  '@radix-ui/react-compose-refs@1.1.2(@types/react@19.2.14)(react@19.2.6)':
     dependencies:
-      react: 19.2.5
+      react: 19.2.6
     optionalDependencies:
       '@types/react': 19.2.14
 
-  '@radix-ui/react-context@1.1.2(@types/react@19.2.14)(react@19.2.5)':
+  '@radix-ui/react-context@1.1.2(@types/react@19.2.14)(react@19.2.6)':
     dependencies:
-      react: 19.2.5
+      react: 19.2.6
     optionalDependencies:
       '@types/react': 19.2.14
 
-  '@radix-ui/react-dialog@1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)':
+  '@radix-ui/react-dialog@1.1.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)':
     dependencies:
       '@radix-ui/primitive': 1.1.3
-      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-focus-guards': 1.1.3(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-focus-scope': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5)
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-focus-guards': 1.1.3(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-focus-scope': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-id': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.6)
       aria-hidden: 1.2.6
-      react: 19.2.5
-      react-dom: 19.2.5(react@19.2.5)
-      react-remove-scroll: 2.7.1(@types/react@19.2.14)(react@19.2.5)
+      react: 19.2.6
+      react-dom: 19.2.6(react@19.2.6)
+      react-remove-scroll: 2.7.1(@types/react@19.2.14)(react@19.2.6)
     optionalDependencies:
       '@types/react': 19.2.14
       '@types/react-dom': 19.2.3(@types/react@19.2.14)
 
-  '@radix-ui/react-dismissable-layer@1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)':
+  '@radix-ui/react-dismissable-layer@1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)':
     dependencies:
       '@radix-ui/primitive': 1.1.3
-      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-use-escape-keydown': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      react: 19.2.5
-      react-dom: 19.2.5(react@19.2.5)
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-use-escape-keydown': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      react: 19.2.6
+      react-dom: 19.2.6(react@19.2.6)
     optionalDependencies:
       '@types/react': 19.2.14
       '@types/react-dom': 19.2.3(@types/react@19.2.14)
 
-  '@radix-ui/react-focus-guards@1.1.3(@types/react@19.2.14)(react@19.2.5)':
+  '@radix-ui/react-focus-guards@1.1.3(@types/react@19.2.14)(react@19.2.6)':
     dependencies:
-      react: 19.2.5
+      react: 19.2.6
     optionalDependencies:
       '@types/react': 19.2.14
 
-  '@radix-ui/react-focus-scope@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)':
+  '@radix-ui/react-focus-scope@1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)':
     dependencies:
-      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      react: 19.2.5
-      react-dom: 19.2.5(react@19.2.5)
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      react: 19.2.6
+      react-dom: 19.2.6(react@19.2.6)
     optionalDependencies:
       '@types/react': 19.2.14
       '@types/react-dom': 19.2.3(@types/react@19.2.14)
 
-  '@radix-ui/react-id@1.1.1(@types/react@19.2.14)(react@19.2.5)':
+  '@radix-ui/react-id@1.1.1(@types/react@19.2.14)(react@19.2.6)':
     dependencies:
-      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      react: 19.2.5
+      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      react: 19.2.6
     optionalDependencies:
       '@types/react': 19.2.14
 
-  '@radix-ui/react-portal@1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)':
+  '@radix-ui/react-portal@1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)':
     dependencies:
-      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      react: 19.2.5
-      react-dom: 19.2.5(react@19.2.5)
+      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      react: 19.2.6
+      react-dom: 19.2.6(react@19.2.6)
     optionalDependencies:
       '@types/react': 19.2.14
       '@types/react-dom': 19.2.3(@types/react@19.2.14)
 
-  '@radix-ui/react-presence@1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)':
+  '@radix-ui/react-presence@1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)':
     dependencies:
-      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      react: 19.2.5
-      react-dom: 19.2.5(react@19.2.5)
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      react: 19.2.6
+      react-dom: 19.2.6(react@19.2.6)
     optionalDependencies:
       '@types/react': 19.2.14
       '@types/react-dom': 19.2.3(@types/react@19.2.14)
 
-  '@radix-ui/react-primitive@2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)':
+  '@radix-ui/react-primitive@2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)':
     dependencies:
-      '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.5)
-      react: 19.2.5
-      react-dom: 19.2.5(react@19.2.5)
+      '@radix-ui/react-slot': 1.2.3(@types/react@19.2.14)(react@19.2.6)
+      react: 19.2.6
+      react-dom: 19.2.6(react@19.2.6)
     optionalDependencies:
       '@types/react': 19.2.14
       '@types/react-dom': 19.2.3(@types/react@19.2.14)
 
-  '@radix-ui/react-slot@1.2.3(@types/react@19.2.14)(react@19.2.5)':
+  '@radix-ui/react-slot@1.2.3(@types/react@19.2.14)(react@19.2.6)':
     dependencies:
-      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5)
-      react: 19.2.5
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.6)
+      react: 19.2.6
     optionalDependencies:
       '@types/react': 19.2.14
 
-  '@radix-ui/react-switch@1.2.6(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)':
+  '@radix-ui/react-switch@1.2.6(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)':
     dependencies:
       '@radix-ui/primitive': 1.1.3
-      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      react: 19.2.5
-      react-dom: 19.2.5(react@19.2.5)
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-use-previous': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-use-size': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      react: 19.2.6
+      react-dom: 19.2.6(react@19.2.6)
     optionalDependencies:
       '@types/react': 19.2.14
       '@types/react-dom': 19.2.3(@types/react@19.2.14)
 
-  '@radix-ui/react-toast@1.2.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)':
+  '@radix-ui/react-toast@1.2.15(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)':
     dependencies:
       '@radix-ui/primitive': 1.1.3
-      '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      react: 19.2.5
-      react-dom: 19.2.5(react@19.2.5)
+      '@radix-ui/react-collection': 1.1.7(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-compose-refs': 1.1.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-context': 1.1.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-dismissable-layer': 1.1.11(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-portal': 1.1.9(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-presence': 1.1.5(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-use-controllable-state': 1.2.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-visually-hidden': 1.2.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      react: 19.2.6
+      react-dom: 19.2.6(react@19.2.6)
     optionalDependencies:
       '@types/react': 19.2.14
       '@types/react-dom': 19.2.3(@types/react@19.2.14)
 
-  '@radix-ui/react-use-callback-ref@1.1.1(@types/react@19.2.14)(react@19.2.5)':
+  '@radix-ui/react-use-callback-ref@1.1.1(@types/react@19.2.14)(react@19.2.6)':
     dependencies:
-      react: 19.2.5
+      react: 19.2.6
     optionalDependencies:
       '@types/react': 19.2.14
 
-  '@radix-ui/react-use-controllable-state@1.2.2(@types/react@19.2.14)(react@19.2.5)':
+  '@radix-ui/react-use-controllable-state@1.2.2(@types/react@19.2.14)(react@19.2.6)':
     dependencies:
-      '@radix-ui/react-use-effect-event': 0.0.2(@types/react@19.2.14)(react@19.2.5)
-      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      react: 19.2.5
+      '@radix-ui/react-use-effect-event': 0.0.2(@types/react@19.2.14)(react@19.2.6)
+      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      react: 19.2.6
     optionalDependencies:
       '@types/react': 19.2.14
 
-  '@radix-ui/react-use-effect-event@0.0.2(@types/react@19.2.14)(react@19.2.5)':
+  '@radix-ui/react-use-effect-event@0.0.2(@types/react@19.2.14)(react@19.2.6)':
     dependencies:
-      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      react: 19.2.5
+      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      react: 19.2.6
     optionalDependencies:
       '@types/react': 19.2.14
 
-  '@radix-ui/react-use-escape-keydown@1.1.1(@types/react@19.2.14)(react@19.2.5)':
+  '@radix-ui/react-use-escape-keydown@1.1.1(@types/react@19.2.14)(react@19.2.6)':
     dependencies:
-      '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      react: 19.2.5
+      '@radix-ui/react-use-callback-ref': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      react: 19.2.6
     optionalDependencies:
       '@types/react': 19.2.14
 
-  '@radix-ui/react-use-layout-effect@1.1.1(@types/react@19.2.14)(react@19.2.5)':
+  '@radix-ui/react-use-layout-effect@1.1.1(@types/react@19.2.14)(react@19.2.6)':
     dependencies:
-      react: 19.2.5
+      react: 19.2.6
     optionalDependencies:
       '@types/react': 19.2.14
 
-  '@radix-ui/react-use-previous@1.1.1(@types/react@19.2.14)(react@19.2.5)':
+  '@radix-ui/react-use-previous@1.1.1(@types/react@19.2.14)(react@19.2.6)':
     dependencies:
-      react: 19.2.5
+      react: 19.2.6
     optionalDependencies:
       '@types/react': 19.2.14
 
-  '@radix-ui/react-use-size@1.1.1(@types/react@19.2.14)(react@19.2.5)':
+  '@radix-ui/react-use-size@1.1.1(@types/react@19.2.14)(react@19.2.6)':
     dependencies:
-      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.5)
-      react: 19.2.5
+      '@radix-ui/react-use-layout-effect': 1.1.1(@types/react@19.2.14)(react@19.2.6)
+      react: 19.2.6
     optionalDependencies:
       '@types/react': 19.2.14
 
-  '@radix-ui/react-visually-hidden@1.2.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)':
+  '@radix-ui/react-visually-hidden@1.2.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)':
     dependencies:
-      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
-      react: 19.2.5
-      react-dom: 19.2.5(react@19.2.5)
+      '@radix-ui/react-primitive': 2.1.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      react: 19.2.6
+      react-dom: 19.2.6(react@19.2.6)
     optionalDependencies:
       '@types/react': 19.2.14
       '@types/react-dom': 19.2.3(@types/react@19.2.14)
 
-  '@redis/bloom@5.12.1(@redis/client@5.12.1)':
+  '@redis/bloom@5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))':
     dependencies:
       '@redis/client': 5.12.1(@opentelemetry/api@1.9.1)
 
@@ -7213,148 +7034,73 @@ snapshots:
     optionalDependencies:
       '@opentelemetry/api': 1.9.1
 
-  '@redis/json@5.12.1(@redis/client@5.12.1)':
+  '@redis/json@5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))':
     dependencies:
       '@redis/client': 5.12.1(@opentelemetry/api@1.9.1)
 
-  '@redis/search@5.12.1(@redis/client@5.12.1)':
+  '@redis/search@5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))':
     dependencies:
       '@redis/client': 5.12.1(@opentelemetry/api@1.9.1)
 
-  '@redis/time-series@5.12.1(@redis/client@5.12.1)':
+  '@redis/time-series@5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))':
     dependencies:
       '@redis/client': 5.12.1(@opentelemetry/api@1.9.1)
 
-  '@rolldown/binding-android-arm64@1.0.0-rc.17':
+  '@rolldown/binding-android-arm64@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/binding-darwin-arm64@1.0.0-rc.17':
+  '@rolldown/binding-darwin-arm64@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/binding-darwin-x64@1.0.0-rc.17':
+  '@rolldown/binding-darwin-x64@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/binding-freebsd-x64@1.0.0-rc.17':
+  '@rolldown/binding-freebsd-x64@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/binding-linux-arm-gnueabihf@1.0.0-rc.17':
+  '@rolldown/binding-linux-arm-gnueabihf@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/binding-linux-arm64-gnu@1.0.0-rc.17':
+  '@rolldown/binding-linux-arm64-gnu@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/binding-linux-arm64-musl@1.0.0-rc.17':
+  '@rolldown/binding-linux-arm64-musl@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/binding-linux-ppc64-gnu@1.0.0-rc.17':
+  '@rolldown/binding-linux-ppc64-gnu@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/binding-linux-s390x-gnu@1.0.0-rc.17':
+  '@rolldown/binding-linux-s390x-gnu@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/binding-linux-x64-gnu@1.0.0-rc.17':
+  '@rolldown/binding-linux-x64-gnu@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/binding-linux-x64-musl@1.0.0-rc.17':
+  '@rolldown/binding-linux-x64-musl@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/binding-openharmony-arm64@1.0.0-rc.17':
+  '@rolldown/binding-openharmony-arm64@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/binding-wasm32-wasi@1.0.0-rc.17':
+  '@rolldown/binding-wasm32-wasi@1.0.0-rc.18':
     dependencies:
       '@emnapi/core': 1.10.0
       '@emnapi/runtime': 1.10.0
       '@napi-rs/wasm-runtime': 1.1.4(@emnapi/core@1.10.0)(@emnapi/runtime@1.10.0)
     optional: true
 
-  '@rolldown/binding-win32-arm64-msvc@1.0.0-rc.17':
+  '@rolldown/binding-win32-arm64-msvc@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/binding-win32-x64-msvc@1.0.0-rc.17':
+  '@rolldown/binding-win32-x64-msvc@1.0.0-rc.18':
     optional: true
 
-  '@rolldown/pluginutils@1.0.0-rc.17': {}
+  '@rolldown/pluginutils@1.0.0-rc.18': {}
 
   '@rolldown/pluginutils@1.0.0-rc.2': {}
 
   '@rolldown/pluginutils@1.0.0-rc.7': {}
 
-  '@rollup/rollup-android-arm-eabi@4.60.3':
-    optional: true
-
-  '@rollup/rollup-android-arm64@4.60.3':
-    optional: true
-
-  '@rollup/rollup-darwin-arm64@4.60.3':
-    optional: true
-
-  '@rollup/rollup-darwin-x64@4.60.3':
-    optional: true
-
-  '@rollup/rollup-freebsd-arm64@4.60.3':
-    optional: true
-
-  '@rollup/rollup-freebsd-x64@4.60.3':
-    optional: true
-
-  '@rollup/rollup-linux-arm-gnueabihf@4.60.3':
-    optional: true
-
-  '@rollup/rollup-linux-arm-musleabihf@4.60.3':
-    optional: true
-
-  '@rollup/rollup-linux-arm64-gnu@4.60.3':
-    optional: true
-
-  '@rollup/rollup-linux-arm64-musl@4.60.3':
-    optional: true
-
-  '@rollup/rollup-linux-loong64-gnu@4.60.3':
-    optional: true
-
-  '@rollup/rollup-linux-loong64-musl@4.60.3':
-    optional: true
-
-  '@rollup/rollup-linux-ppc64-gnu@4.60.3':
-    optional: true
-
-  '@rollup/rollup-linux-ppc64-musl@4.60.3':
-    optional: true
-
-  '@rollup/rollup-linux-riscv64-gnu@4.60.3':
-    optional: true
-
-  '@rollup/rollup-linux-riscv64-musl@4.60.3':
-    optional: true
-
-  '@rollup/rollup-linux-s390x-gnu@4.60.3':
-    optional: true
-
-  '@rollup/rollup-linux-x64-gnu@4.60.3':
-    optional: true
-
-  '@rollup/rollup-linux-x64-musl@4.60.3':
-    optional: true
-
-  '@rollup/rollup-openbsd-x64@4.60.3':
-    optional: true
-
-  '@rollup/rollup-openharmony-arm64@4.60.3':
-    optional: true
-
-  '@rollup/rollup-win32-arm64-msvc@4.60.3':
-    optional: true
-
-  '@rollup/rollup-win32-ia32-msvc@4.60.3':
-    optional: true
-
-  '@rollup/rollup-win32-x64-gnu@4.60.3':
-    optional: true
-
-  '@rollup/rollup-win32-x64-msvc@4.60.3':
-    optional: true
-
   '@rtsao/scc@1.1.0': {}
 
   '@rushstack/eslint-patch@1.16.1': {}
@@ -7439,14 +7185,14 @@ snapshots:
 
   '@types/accepts@1.3.7':
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/async@3.2.25': {}
 
   '@types/body-parser@1.19.6':
     dependencies:
       '@types/connect': 3.4.38
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/chai@5.2.3':
     dependencies:
@@ -7459,7 +7205,7 @@ snapshots:
 
   '@types/connect@3.4.38':
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/content-disposition@0.5.9': {}
 
@@ -7474,15 +7220,15 @@ snapshots:
       '@types/connect': 3.4.38
       '@types/express': 5.0.6
       '@types/keygrip': 1.0.6
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/cors@2.8.19':
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/cross-spawn@6.0.6':
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/debug@4.1.12':
     dependencies:
@@ -7498,7 +7244,7 @@ snapshots:
 
   '@types/express-serve-static-core@5.1.0':
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
       '@types/qs': 6.14.0
       '@types/range-parser': 1.2.7
       '@types/send': 1.2.1
@@ -7515,11 +7261,11 @@ snapshots:
 
   '@types/formidable@3.5.1':
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/fs-extra@9.0.13':
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/hast@3.0.4':
     dependencies:
@@ -7535,7 +7281,7 @@ snapshots:
 
   '@types/jsdom@28.0.1':
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
       '@types/tough-cookie': 4.0.5
       parse5: 7.3.0
       undici-types: 7.24.5
@@ -7549,7 +7295,7 @@ snapshots:
   '@types/jsonwebtoken@9.0.10':
     dependencies:
       '@types/ms': 2.1.0
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/keygrip@1.0.6': {}
 
@@ -7566,7 +7312,7 @@ snapshots:
       '@types/http-errors': 2.0.5
       '@types/keygrip': 1.0.6
       '@types/koa-compose': 3.2.8
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/linkify-it@5.0.0': {}
 
@@ -7595,7 +7341,7 @@ snapshots:
 
   '@types/node-fetch@2.6.12':
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
       form-data: 4.0.5
 
   '@types/node@18.19.130':
@@ -7606,7 +7352,11 @@ snapshots:
     dependencies:
       undici-types: 7.16.0
 
-  '@types/node@25.6.0':
+  '@types/node@25.6.1':
+    dependencies:
+      undici-types: 7.19.2
+
+  '@types/node@25.6.2':
     dependencies:
       undici-types: 7.19.2
 
@@ -7614,11 +7364,11 @@ snapshots:
     dependencies:
       '@types/keygrip': 1.0.6
       '@types/koa': 3.0.0
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/pdfkit@0.17.6':
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/qs@6.14.0': {}
 
@@ -7634,29 +7384,29 @@ snapshots:
 
   '@types/readable-stream@4.0.23':
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/semver@7.7.1': {}
 
   '@types/send@0.17.4':
     dependencies:
       '@types/mime': 1.3.5
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/send@1.2.1':
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/serve-static@1.15.7':
     dependencies:
       '@types/http-errors': 2.0.5
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
       '@types/send': 0.17.4
 
   '@types/serve-static@2.2.0':
     dependencies:
       '@types/http-errors': 2.0.5
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
 
   '@types/sinon@21.0.1':
     dependencies:
@@ -7668,7 +7418,7 @@ snapshots:
     dependencies:
       '@types/cookiejar': 2.1.5
       '@types/methods': 1.1.4
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
       form-data: 4.0.5
 
   '@types/supertest@7.2.0':
@@ -7683,7 +7433,7 @@ snapshots:
 
   '@types/tar@6.1.13':
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
       minipass: 4.2.8
 
   '@types/tough-cookie@4.0.5': {}
@@ -7933,17 +7683,17 @@ snapshots:
   '@unrs/rspack-resolver-binding-win32-x64-msvc@1.3.0':
     optional: true
 
-  '@vitejs/plugin-react@6.0.1(babel-plugin-react-compiler@19.1.0-rc.3)(vite@8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0))':
+  '@vitejs/plugin-react@6.0.1(babel-plugin-react-compiler@19.1.0-rc.3)(vite@8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0))':
     dependencies:
       '@rolldown/pluginutils': 1.0.0-rc.7
-      vite: 8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0)
+      vite: 8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0)
     optionalDependencies:
       babel-plugin-react-compiler: 19.1.0-rc.3
 
-  '@vitejs/plugin-vue@6.0.5(vite@7.3.2(@types/node@25.6.0)(lightningcss@1.32.0)(tsx@4.21.0))(vue@3.5.30(typescript@6.0.3))':
+  '@vitejs/plugin-vue@6.0.5(vite@8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0))(vue@3.5.30(typescript@6.0.3))':
     dependencies:
       '@rolldown/pluginutils': 1.0.0-rc.2
-      vite: 7.3.2(@types/node@25.6.0)(lightningcss@1.32.0)(tsx@4.21.0)
+      vite: 8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0)
       vue: 3.5.30(typescript@6.0.3)
 
   '@vitest/expect@4.1.5':
@@ -7955,13 +7705,13 @@ snapshots:
       chai: 6.2.2
       tinyrainbow: 3.1.0
 
-  '@vitest/mocker@4.1.5(vite@8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0))':
+  '@vitest/mocker@4.1.5(vite@8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0))':
     dependencies:
       '@vitest/spy': 4.1.5
       estree-walker: 3.0.3
       magic-string: 0.30.21
     optionalDependencies:
-      vite: 8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0)
+      vite: 8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0)
 
   '@vitest/pretty-format@4.1.5':
     dependencies:
@@ -8009,7 +7759,7 @@ snapshots:
       '@vue/shared': 3.5.30
       estree-walker: 2.0.2
       magic-string: 0.30.21
-      postcss: 8.5.8
+      postcss: 8.5.14
       source-map-js: 1.2.1
 
   '@vue/compiler-ssr@3.5.30':
@@ -8594,7 +8344,7 @@ snapshots:
 
   destroy@1.2.0: {}
 
-  detect-libc@2.1.1: {}
+  detect-libc@2.1.2: {}
 
   detect-node-es@1.1.0: {}
 
@@ -8712,7 +8462,7 @@ snapshots:
   engine.io@6.6.5:
     dependencies:
       '@types/cors': 2.8.19
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
       accepts: 1.3.8
       base64id: 2.0.0
       cookie: 0.7.2
@@ -8921,10 +8671,10 @@ snapshots:
       '@rushstack/eslint-patch': 1.16.1
       '@typescript-eslint/eslint-plugin': 7.18.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0)(typescript@6.0.3)
       '@typescript-eslint/parser': 7.18.0(eslint@10.3.0)(typescript@6.0.3)
-      eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0)
+      eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0)(eslint@10.3.0)
       eslint-plugin-cypress: 2.15.2(eslint@10.3.0)
       eslint-plugin-eslint-comments: 3.2.0(eslint@10.3.0)
-      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0)
+      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0)
       eslint-plugin-mocha: 10.5.0(eslint@10.3.0)
       eslint-plugin-n: 17.24.0(eslint@10.3.0)(typescript@6.0.3)
       eslint-plugin-prefer-arrow: 1.2.3(eslint@10.3.0)
@@ -8945,7 +8695,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0):
+  eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0)(eslint@10.3.0):
     dependencies:
       '@nolyfill/is-core-module': 1.0.39
       debug: 4.4.3(supports-color@8.1.1)
@@ -8956,18 +8706,18 @@ snapshots:
       stable-hash: 0.0.5
       tinyglobby: 0.2.16
     optionalDependencies:
-      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0)
+      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0)
     transitivePeerDependencies:
       - supports-color
 
-  eslint-module-utils@2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0):
+  eslint-module-utils@2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0):
     dependencies:
       debug: 3.2.7
     optionalDependencies:
       '@typescript-eslint/parser': 7.18.0(eslint@10.3.0)(typescript@6.0.3)
       eslint: 10.3.0
       eslint-import-resolver-node: 0.3.10
-      eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0)
+      eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0)(eslint@10.3.0)
     transitivePeerDependencies:
       - supports-color
 
@@ -8989,7 +8739,7 @@ snapshots:
       eslint: 10.3.0
       ignore: 5.3.2
 
-  eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0):
+  eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0):
     dependencies:
       '@rtsao/scc': 1.1.0
       array-includes: 3.1.9
@@ -9000,7 +8750,7 @@ snapshots:
       doctrine: 2.1.0
       eslint: 10.3.0
       eslint-import-resolver-node: 0.3.10
-      eslint-module-utils: 2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0)
+      eslint-module-utils: 2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0)
       hasown: 2.0.2
       is-core-module: 2.16.1
       is-glob: 4.0.3
@@ -9675,7 +9425,7 @@ snapshots:
     dependencies:
       '@babel/runtime': 7.28.6
 
-  i18next@26.0.9(typescript@6.0.3):
+  i18next@26.0.10(typescript@6.0.3):
     optionalDependencies:
       typescript: 6.0.3
 
@@ -10064,7 +9814,7 @@ snapshots:
 
   lightningcss@1.32.0:
     dependencies:
-      detect-libc: 2.1.1
+      detect-libc: 2.1.2
     optionalDependencies:
       lightningcss-android-arm64: 1.32.0
       lightningcss-darwin-arm64: 1.32.0
@@ -10172,9 +9922,9 @@ snapshots:
 
   lru.min@1.1.4: {}
 
-  lucide-react@1.14.0(react@19.2.5):
+  lucide-react@1.14.0(react@19.2.6):
     dependencies:
-      react: 19.2.5
+      react: 19.2.6
 
   magic-string@0.30.21:
     dependencies:
@@ -10357,9 +10107,9 @@ snapshots:
       - '@azure/core-client'
       - supports-color
 
-  mysql2@3.22.1(@types/node@25.6.0):
+  mysql2@3.22.1(@types/node@25.6.2):
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.2
       aws-ssl-profiles: 1.1.2
       denque: 2.1.0
       generate-function: 2.3.1
@@ -10369,9 +10119,9 @@ snapshots:
       named-placeholders: 1.1.6
       sql-escaper: 1.3.3
 
-  mysql2@3.22.3(@types/node@25.6.0):
+  mysql2@3.22.3(@types/node@25.6.2):
     dependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.2
       aws-ssl-profiles: 1.1.2
       denque: 2.1.0
       generate-function: 2.3.1
@@ -10389,6 +10139,8 @@ snapshots:
 
   nanoid@3.3.11: {}
 
+  nanoid@3.3.12: {}
+
   nanoid@5.1.9: {}
 
   native-duplexpair@1.0.0: {}
@@ -10711,13 +10463,7 @@ snapshots:
 
   postcss@8.5.14:
     dependencies:
-      nanoid: 3.3.11
-      picocolors: 1.1.1
-      source-map-js: 1.2.1
-
-  postcss@8.5.8:
-    dependencies:
-      nanoid: 3.3.11
+      nanoid: 3.3.12
       picocolors: 1.1.1
       source-map-js: 1.2.1
 
@@ -10799,68 +10545,68 @@ snapshots:
       iconv-lite: 0.7.2
       unpipe: 1.0.0
 
-  react-dom@19.2.5(react@19.2.5):
+  react-dom@19.2.6(react@19.2.6):
     dependencies:
-      react: 19.2.5
+      react: 19.2.6
       scheduler: 0.27.0
 
-  react-hook-form@7.75.0(react@19.2.5):
+  react-hook-form@7.75.0(react@19.2.6):
     dependencies:
-      react: 19.2.5
+      react: 19.2.6
 
-  react-i18next@17.0.6(i18next@26.0.9(typescript@6.0.3))(react-dom@19.2.5(react@19.2.5))(react@19.2.5)(typescript@6.0.3):
+  react-i18next@17.0.7(i18next@26.0.10(typescript@6.0.3))(react-dom@19.2.6(react@19.2.6))(react@19.2.6)(typescript@6.0.3):
     dependencies:
       '@babel/runtime': 7.29.2
       html-parse-stringify: 3.0.1
-      i18next: 26.0.9(typescript@6.0.3)
-      react: 19.2.5
-      use-sync-external-store: 1.6.0(react@19.2.5)
+      i18next: 26.0.10(typescript@6.0.3)
+      react: 19.2.6
+      use-sync-external-store: 1.6.0(react@19.2.6)
     optionalDependencies:
-      react-dom: 19.2.5(react@19.2.5)
+      react-dom: 19.2.6(react@19.2.6)
       typescript: 6.0.3
 
-  react-remove-scroll-bar@2.3.8(@types/react@19.2.14)(react@19.2.5):
+  react-remove-scroll-bar@2.3.8(@types/react@19.2.14)(react@19.2.6):
     dependencies:
-      react: 19.2.5
-      react-style-singleton: 2.2.3(@types/react@19.2.14)(react@19.2.5)
+      react: 19.2.6
+      react-style-singleton: 2.2.3(@types/react@19.2.14)(react@19.2.6)
       tslib: 2.8.1
     optionalDependencies:
       '@types/react': 19.2.14
 
-  react-remove-scroll@2.7.1(@types/react@19.2.14)(react@19.2.5):
+  react-remove-scroll@2.7.1(@types/react@19.2.14)(react@19.2.6):
     dependencies:
-      react: 19.2.5
-      react-remove-scroll-bar: 2.3.8(@types/react@19.2.14)(react@19.2.5)
-      react-style-singleton: 2.2.3(@types/react@19.2.14)(react@19.2.5)
+      react: 19.2.6
+      react-remove-scroll-bar: 2.3.8(@types/react@19.2.14)(react@19.2.6)
+      react-style-singleton: 2.2.3(@types/react@19.2.14)(react@19.2.6)
       tslib: 2.8.1
-      use-callback-ref: 1.3.3(@types/react@19.2.14)(react@19.2.5)
-      use-sidecar: 1.1.3(@types/react@19.2.14)(react@19.2.5)
+      use-callback-ref: 1.3.3(@types/react@19.2.14)(react@19.2.6)
+      use-sidecar: 1.1.3(@types/react@19.2.14)(react@19.2.6)
     optionalDependencies:
       '@types/react': 19.2.14
 
-  react-router-dom@7.15.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5):
+  react-router-dom@7.15.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6):
     dependencies:
-      react: 19.2.5
-      react-dom: 19.2.5(react@19.2.5)
-      react-router: 7.15.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5)
+      react: 19.2.6
+      react-dom: 19.2.6(react@19.2.6)
+      react-router: 7.15.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
 
-  react-router@7.15.0(react-dom@19.2.5(react@19.2.5))(react@19.2.5):
+  react-router@7.15.0(react-dom@19.2.6(react@19.2.6))(react@19.2.6):
     dependencies:
       cookie: 1.1.1
-      react: 19.2.5
+      react: 19.2.6
       set-cookie-parser: 2.7.2
     optionalDependencies:
-      react-dom: 19.2.5(react@19.2.5)
+      react-dom: 19.2.6(react@19.2.6)
 
-  react-style-singleton@2.2.3(@types/react@19.2.14)(react@19.2.5):
+  react-style-singleton@2.2.3(@types/react@19.2.14)(react@19.2.6):
     dependencies:
       get-nonce: 1.0.1
-      react: 19.2.5
+      react: 19.2.6
       tslib: 2.8.1
     optionalDependencies:
       '@types/react': 19.2.14
 
-  react@19.2.5: {}
+  react@19.2.6: {}
 
   readable-stream@2.3.8:
     dependencies:
@@ -10892,11 +10638,11 @@ snapshots:
 
   redis@5.12.1(@opentelemetry/api@1.9.1):
     dependencies:
-      '@redis/bloom': 5.12.1(@redis/client@5.12.1)
+      '@redis/bloom': 5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))
       '@redis/client': 5.12.1(@opentelemetry/api@1.9.1)
-      '@redis/json': 5.12.1(@redis/client@5.12.1)
-      '@redis/search': 5.12.1(@redis/client@5.12.1)
-      '@redis/time-series': 5.12.1(@redis/client@5.12.1)
+      '@redis/json': 5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))
+      '@redis/search': 5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))
+      '@redis/time-series': 5.12.1(@redis/client@5.12.1(@opentelemetry/api@1.9.1))
     transitivePeerDependencies:
       - '@node-rs/xxhash'
       - '@opentelemetry/api'
@@ -10987,57 +10733,26 @@ snapshots:
 
   rfdc@1.4.1: {}
 
-  rolldown@1.0.0-rc.17:
+  rolldown@1.0.0-rc.18:
     dependencies:
-      '@oxc-project/types': 0.127.0
-      '@rolldown/pluginutils': 1.0.0-rc.17
+      '@oxc-project/types': 0.128.0
+      '@rolldown/pluginutils': 1.0.0-rc.18
     optionalDependencies:
-      '@rolldown/binding-android-arm64': 1.0.0-rc.17
-      '@rolldown/binding-darwin-arm64': 1.0.0-rc.17
-      '@rolldown/binding-darwin-x64': 1.0.0-rc.17
-      '@rolldown/binding-freebsd-x64': 1.0.0-rc.17
-      '@rolldown/binding-linux-arm-gnueabihf': 1.0.0-rc.17
-      '@rolldown/binding-linux-arm64-gnu': 1.0.0-rc.17
-      '@rolldown/binding-linux-arm64-musl': 1.0.0-rc.17
-      '@rolldown/binding-linux-ppc64-gnu': 1.0.0-rc.17
-      '@rolldown/binding-linux-s390x-gnu': 1.0.0-rc.17
-      '@rolldown/binding-linux-x64-gnu': 1.0.0-rc.17
-      '@rolldown/binding-linux-x64-musl': 1.0.0-rc.17
-      '@rolldown/binding-openharmony-arm64': 1.0.0-rc.17
-      '@rolldown/binding-wasm32-wasi': 1.0.0-rc.17
-      '@rolldown/binding-win32-arm64-msvc': 1.0.0-rc.17
-      '@rolldown/binding-win32-x64-msvc': 1.0.0-rc.17
-
-  rollup@4.60.3:
-    dependencies:
-      '@types/estree': 1.0.8
-    optionalDependencies:
-      '@rollup/rollup-android-arm-eabi': 4.60.3
-      '@rollup/rollup-android-arm64': 4.60.3
-      '@rollup/rollup-darwin-arm64': 4.60.3
-      '@rollup/rollup-darwin-x64': 4.60.3
-      '@rollup/rollup-freebsd-arm64': 4.60.3
-      '@rollup/rollup-freebsd-x64': 4.60.3
-      '@rollup/rollup-linux-arm-gnueabihf': 4.60.3
-      '@rollup/rollup-linux-arm-musleabihf': 4.60.3
-      '@rollup/rollup-linux-arm64-gnu': 4.60.3
-      '@rollup/rollup-linux-arm64-musl': 4.60.3
-      '@rollup/rollup-linux-loong64-gnu': 4.60.3
-      '@rollup/rollup-linux-loong64-musl': 4.60.3
-      '@rollup/rollup-linux-ppc64-gnu': 4.60.3
-      '@rollup/rollup-linux-ppc64-musl': 4.60.3
-      '@rollup/rollup-linux-riscv64-gnu': 4.60.3
-      '@rollup/rollup-linux-riscv64-musl': 4.60.3
-      '@rollup/rollup-linux-s390x-gnu': 4.60.3
-      '@rollup/rollup-linux-x64-gnu': 4.60.3
-      '@rollup/rollup-linux-x64-musl': 4.60.3
-      '@rollup/rollup-openbsd-x64': 4.60.3
-      '@rollup/rollup-openharmony-arm64': 4.60.3
-      '@rollup/rollup-win32-arm64-msvc': 4.60.3
-      '@rollup/rollup-win32-ia32-msvc': 4.60.3
-      '@rollup/rollup-win32-x64-gnu': 4.60.3
-      '@rollup/rollup-win32-x64-msvc': 4.60.3
-      fsevents: 2.3.3
+      '@rolldown/binding-android-arm64': 1.0.0-rc.18
+      '@rolldown/binding-darwin-arm64': 1.0.0-rc.18
+      '@rolldown/binding-darwin-x64': 1.0.0-rc.18
+      '@rolldown/binding-freebsd-x64': 1.0.0-rc.18
+      '@rolldown/binding-linux-arm-gnueabihf': 1.0.0-rc.18
+      '@rolldown/binding-linux-arm64-gnu': 1.0.0-rc.18
+      '@rolldown/binding-linux-arm64-musl': 1.0.0-rc.18
+      '@rolldown/binding-linux-ppc64-gnu': 1.0.0-rc.18
+      '@rolldown/binding-linux-s390x-gnu': 1.0.0-rc.18
+      '@rolldown/binding-linux-x64-gnu': 1.0.0-rc.18
+      '@rolldown/binding-linux-x64-musl': 1.0.0-rc.18
+      '@rolldown/binding-openharmony-arm64': 1.0.0-rc.18
+      '@rolldown/binding-wasm32-wasi': 1.0.0-rc.18
+      '@rolldown/binding-win32-arm64-msvc': 1.0.0-rc.18
+      '@rolldown/binding-win32-x64-msvc': 1.0.0-rc.18
 
   router@2.2.0:
     dependencies:
@@ -11527,7 +11242,7 @@ snapshots:
       '@azure/identity': 4.13.1
       '@azure/keyvault-keys': 4.10.0(@azure/core-client@1.10.1)
       '@js-joda/core': 5.7.0
-      '@types/node': 25.6.0
+      '@types/node': 25.6.1
       bl: 6.1.6
       iconv-lite: 0.7.2
       js-md4: 0.3.2
@@ -11666,7 +11381,7 @@ snapshots:
 
   typical@7.3.0: {}
 
-  ueberdb2@5.0.48(@azure/core-client@1.10.1)(@opentelemetry/api@1.9.1)(@types/node@25.6.0)(tslib@2.8.1)(typescript@6.0.3):
+  ueberdb2@5.0.48(@azure/core-client@1.10.1)(@opentelemetry/api@1.9.1)(@types/node@25.6.2)(tslib@2.8.1)(typescript@6.0.3):
     dependencies:
       '@elastic/elasticsearch': 9.3.4
       async: 3.2.6
@@ -11674,7 +11389,7 @@ snapshots:
       dirty-ts: 1.1.8
       mongodb: 7.2.0
       mssql: 12.3.1(@azure/core-client@1.10.1)
-      mysql2: 3.22.1(@types/node@25.6.0)
+      mysql2: 3.22.1(@types/node@25.6.2)
       nano: 11.0.5
       pg: 8.20.0
       redis: 5.12.1(@opentelemetry/api@1.9.1)
@@ -11790,24 +11505,24 @@ snapshots:
 
   url-join@4.0.1: {}
 
-  use-callback-ref@1.3.3(@types/react@19.2.14)(react@19.2.5):
+  use-callback-ref@1.3.3(@types/react@19.2.14)(react@19.2.6):
     dependencies:
-      react: 19.2.5
+      react: 19.2.6
       tslib: 2.8.1
     optionalDependencies:
       '@types/react': 19.2.14
 
-  use-sidecar@1.1.3(@types/react@19.2.14)(react@19.2.5):
+  use-sidecar@1.1.3(@types/react@19.2.14)(react@19.2.6):
     dependencies:
       detect-node-es: 1.1.0
-      react: 19.2.5
+      react: 19.2.6
       tslib: 2.8.1
     optionalDependencies:
       '@types/react': 19.2.14
 
-  use-sync-external-store@1.6.0(react@19.2.5):
+  use-sync-external-store@1.6.0(react@19.2.6):
     dependencies:
-      react: 19.2.5
+      react: 19.2.6
 
   util-deprecate@1.0.2: {}
 
@@ -11841,39 +11556,25 @@ snapshots:
       x-is-array: 0.1.0
       x-is-string: 0.1.0
 
-  vite-plugin-babel@1.6.0(@babel/core@7.29.0)(vite@8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0)):
+  vite-plugin-babel@1.6.0(@babel/core@7.29.0)(vite@8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0)):
     dependencies:
       '@babel/core': 7.29.0
-      vite: 8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0)
-
-  vite@7.3.2(@types/node@25.6.0)(lightningcss@1.32.0)(tsx@4.21.0):
-    dependencies:
-      esbuild: 0.27.1
-      fdir: 6.5.0(picomatch@4.0.4)
-      picomatch: 4.0.4
-      postcss: 8.5.8
-      rollup: 4.60.3
-      tinyglobby: 0.2.16
-    optionalDependencies:
-      '@types/node': 25.6.0
-      fsevents: 2.3.3
-      lightningcss: 1.32.0
-      tsx: 4.21.0
+      vite: 8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0)
 
-  vite@8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0):
+  vite@8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0):
     dependencies:
       lightningcss: 1.32.0
       picomatch: 4.0.4
       postcss: 8.5.14
-      rolldown: 1.0.0-rc.17
+      rolldown: 1.0.0-rc.18
       tinyglobby: 0.2.16
     optionalDependencies:
-      '@types/node': 25.6.0
+      '@types/node': 25.6.2
       esbuild: 0.28.0
       fsevents: 2.3.3
       tsx: 4.21.0
 
-  vitepress@2.0.0-alpha.17(@types/node@25.6.0)(jwt-decode@4.0.0)(lightningcss@1.32.0)(oxc-minify@0.129.0)(postcss@8.5.14)(tsx@4.21.0)(typescript@6.0.3):
+  vitepress@2.0.0-alpha.17(@types/node@25.6.2)(esbuild@0.28.0)(jwt-decode@4.0.0)(oxc-minify@0.129.0)(postcss@8.5.14)(tsx@4.21.0)(typescript@6.0.3):
     dependencies:
       '@docsearch/css': 4.6.0
       '@docsearch/js': 4.6.0
@@ -11883,7 +11584,7 @@ snapshots:
       '@shikijs/transformers': 3.23.0
       '@shikijs/types': 3.23.0
       '@types/markdown-it': 14.1.2
-      '@vitejs/plugin-vue': 6.0.5(vite@7.3.2(@types/node@25.6.0)(lightningcss@1.32.0)(tsx@4.21.0))(vue@3.5.30(typescript@6.0.3))
+      '@vitejs/plugin-vue': 6.0.5(vite@8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0))(vue@3.5.30(typescript@6.0.3))
       '@vue/devtools-api': 8.1.0
       '@vue/shared': 3.5.30
       '@vueuse/core': 14.2.1(vue@3.5.30(typescript@6.0.3))
@@ -11892,23 +11593,24 @@ snapshots:
       mark.js: 8.11.1
       minisearch: 7.2.0
       shiki: 3.23.0
-      vite: 7.3.2(@types/node@25.6.0)(lightningcss@1.32.0)(tsx@4.21.0)
+      vite: 8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0)
       vue: 3.5.30(typescript@6.0.3)
     optionalDependencies:
       oxc-minify: 0.129.0
       postcss: 8.5.14
     transitivePeerDependencies:
       - '@types/node'
+      - '@vitejs/devtools'
       - async-validator
       - axios
       - change-case
       - drauu
+      - esbuild
       - fuse.js
       - idb-keyval
       - jiti
       - jwt-decode
       - less
-      - lightningcss
       - nprogress
       - qrcode
       - sass
@@ -11922,10 +11624,10 @@ snapshots:
       - universal-cookie
       - yaml
 
-  vitest@4.1.5(@opentelemetry/api@1.9.1)(@types/node@25.6.0)(jsdom@29.1.1(@noble/hashes@1.8.0))(vite@8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0)):
+  vitest@4.1.5(@opentelemetry/api@1.9.1)(@types/node@25.6.2)(jsdom@29.1.1(@noble/hashes@1.8.0))(vite@8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0)):
     dependencies:
       '@vitest/expect': 4.1.5
-      '@vitest/mocker': 4.1.5(vite@8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0))
+      '@vitest/mocker': 4.1.5(vite@8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0))
       '@vitest/pretty-format': 4.1.5
       '@vitest/runner': 4.1.5
       '@vitest/snapshot': 4.1.5
@@ -11942,11 +11644,11 @@ snapshots:
       tinyexec: 1.1.1
       tinyglobby: 0.2.16
       tinyrainbow: 3.1.0
-      vite: 8.0.10(@types/node@25.6.0)(esbuild@0.28.0)(tsx@4.21.0)
+      vite: 8.0.11(@types/node@25.6.2)(esbuild@0.28.0)(tsx@4.21.0)
       why-is-node-running: 2.3.0
     optionalDependencies:
       '@opentelemetry/api': 1.9.1
-      '@types/node': 25.6.0
+      '@types/node': 25.6.2
       jsdom: 29.1.1(@noble/hashes@1.8.0)
     transitivePeerDependencies:
       - msw
@@ -12128,10 +11830,10 @@ snapshots:
 
   zod@4.3.6: {}
 
-  zustand@5.0.13(@types/react@19.2.14)(react@19.2.5)(use-sync-external-store@1.6.0(react@19.2.5)):
+  zustand@5.0.13(@types/react@19.2.14)(react@19.2.6)(use-sync-external-store@1.6.0(react@19.2.6)):
     optionalDependencies:
       '@types/react': 19.2.14
-      react: 19.2.5
-      use-sync-external-store: 1.6.0(react@19.2.5)
+      react: 19.2.6
+      use-sync-external-store: 1.6.0(react@19.2.6)
 
   zwitch@2.0.4: {}
diff --git a/src/package.json b/src/package.json
index 5a2d93965de..aa345d391a3 100644
--- a/src/package.json
+++ b/src/package.json
@@ -113,7 +113,7 @@
     "@types/jsonwebtoken": "^9.0.10",
     "@types/mime-types": "^3.0.1",
     "@types/mocha": "^10.0.9",
-    "@types/node": "^25.6.0",
+    "@types/node": "^25.6.2",
     "@types/oidc-provider": "^9.5.0",
     "@types/pdfkit": "^0.17.6",
     "@types/semver": "^7.7.1",
diff --git a/ui/package.json b/ui/package.json
index 2529ca84913..5010d87bd24 100644
--- a/ui/package.json
+++ b/ui/package.json
@@ -12,6 +12,6 @@
   "devDependencies": {
     "ep_etherpad-lite": "workspace:../src",
     "typescript": "^6.0.3",
-    "vite": "^8.0.10"
+    "vite": "^8.0.11"
   }
 }

From 84e8461b693f8297581a4cae4dc97ffcf2c5fdab Mon Sep 17 00:00:00 2001
From: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
Date: Fri, 8 May 2026 22:30:37 +0200
Subject: [PATCH 13/25] chore: update docker write location in values-dev.yaml

---
 .github/workflows/docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 10fd325c67b..a84e183d286 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -329,7 +329,7 @@ jobs:
         if: success() && github.ref == 'refs/heads/develop'
         working-directory: ether-charts
         run: |
-          sed -i 's/tag: ".*"/tag: "${{ steps.build-docker.outputs.digest }}"/' values-dev.yaml
+          sed -i 's/tag: ".*"/tag: "${{ steps.build-docker.outputs.digest }}"/' charts/etherpad/values-dev.yaml
       - name: Commit and push changes
         working-directory: ether-charts
         if: success() && github.ref == 'refs/heads/develop'

From fd2f3baf5567786e96a65d5819352e5f3ac2453f Mon Sep 17 00:00:00 2001
From: SamTV12345 <40429738+samtv12345@users.noreply.github.com>
Date: Fri, 8 May 2026 22:40:59 +0200
Subject: [PATCH 14/25] chore: fixed commit path

---
 .github/workflows/docker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index a84e183d286..fb88537f67d 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -336,6 +336,6 @@ jobs:
         run: |
           git config --global user.name 'github-actions[bot]'
           git config --global user.email 'github-actions[bot]@users.noreply.github.com'
-          git add values-dev.yaml
+          git add charts/etherpad/values-dev.yaml
           git commit -m 'Update develop image tag'
           git push

From ed4579c70133054054f138b024fa6161d6a87478 Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Sat, 9 May 2026 18:29:43 +0800
Subject: [PATCH 15/25] docs(7538): soffice is now optional for docx/pdf
 (#7707)

Native DOCX export, PDF export, and DOCX import shipped in #7568
via pure-JS in-process converters -- LibreOffice/soffice is no
longer required for those formats. Stale comments in
settings.json.template and settings.json.docker still implied
otherwise ("will only allow plain text and HTML import/exports"),
and the docker docs told users to configure soffice for DOCX as
well. Update them to match what's actually in core:

- soffice present: handles all office formats (existing behavior)
- soffice null: docx export, pdf export, docx import work
  natively; odt/doc/rtf export and pdf import still need soffice

Touches:
- settings.json.template (soffice + docxExport comments)
- settings.json.docker (same)
- doc/docker.md ("Office-format import/export" section)
- doc/docker.adoc (same section + the SOFFICE table row,
  matching what doc/docker.md already says since #7568)

No code changes, no behavior change -- documentation only.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 doc/docker.adoc        | 19 ++++++++++---------
 doc/docker.md          | 17 +++++++++--------
 settings.json.docker   | 17 ++++++++++-------
 settings.json.template | 17 ++++++++++-------
 4 files changed, 39 insertions(+), 31 deletions(-)

diff --git a/doc/docker.adoc b/doc/docker.adoc
index e113adf8a5b..12f8b7d5fa8 100644
--- a/doc/docker.adoc
+++ b/doc/docker.adoc
@@ -62,16 +62,17 @@ The variable value has to be a space separated, double quoted list of plugin nam
 
 Some plugins will need personalized settings. Just refer to the previous section, and include them in your custom `settings.json.docker`.
 
-==== Rebuilding including export functionality for DOC/DOCX/PDF/ODT
+==== Office-format import/export
 
-If you want to be able to export your pads to DOC/DOCX/PDF/ODT files, you can
-install Libreoffice via setting the `INSTALL_SOFFICE` build variable to any
-value.
+DOCX export, PDF export, and DOCX import work out of the box — Etherpad
+ships pure-JS in-process converters and needs no extra dependencies for
+those three formats.
 
-Also, you will need to configure the path to the libreoffice executable
-via setting the `soffice` property in `<BASEDIR>/settings.json.docker` to
-`/usr/bin/soffice` or via setting the environment variable  `SOFFICE` to
-`/usr/bin/soffice`.
+DOC/ODT/RTF export and PDF import still require LibreOffice. To enable
+them, install LibreOffice via the `INSTALL_SOFFICE` build variable (any
+value), and either set the `soffice` property in
+`<BASEDIR>/settings.json.docker` to `/usr/bin/soffice` or set the
+`SOFFICE` environment variable to `/usr/bin/soffice`.
 
 ==== Examples
 
@@ -452,7 +453,7 @@ For the editor container, you can also make it full width by adding `full-width-
 | `21600` (6 hours)
 
 | `SOFFICE`
-| Absolute path to the soffice (LibreOffice) executable. Needed for advanced import/export of pads (docx, pdf, odt). Setting it to null disables LibreOffice and will only allow plain text and HTML import/exports.
+| Absolute path to the soffice (LibreOffice) executable. When configured, all advanced import/export formats use it (docx, pdf, odt, doc, rtf). Setting it to null falls back to in-process pure-JS converters: docx and pdf export, plus docx import, still work; odt/doc/rtf and pdf import remain unavailable.
 | `null`
 
 | `ALLOW_UNKNOWN_FILE_ENDS`
diff --git a/doc/docker.md b/doc/docker.md
index 8ea54269f0d..8be4dbdaaee 100644
--- a/doc/docker.md
+++ b/doc/docker.md
@@ -35,16 +35,17 @@ The variable value has to be a space separated, double quoted list of plugin nam
 
 Some plugins will need personalized settings. Just refer to the previous section, and include them in your custom `settings.json.docker`.
 
-### Rebuilding including export functionality for DOC/DOCX/PDF/ODT
+### Office-format import/export
 
-If you want to be able to export your pads to DOC/DOCX/PDF/ODT files, you can
-install Libreoffice via setting the `INSTALL_SOFFICE` build variable to any
-value.
+DOCX export, PDF export, and DOCX import work out of the box — Etherpad
+ships pure-JS in-process converters and needs no extra dependencies for
+those three formats.
 
-Also, you will need to configure the path to the libreoffice executable
-via setting the `soffice` property in `<BASEDIR>/settings.json.docker` to
-`/usr/bin/soffice` or via setting the environment variable  `SOFFICE` to
-`/usr/bin/soffice`.
+DOC/ODT/RTF export and PDF import still require LibreOffice. To enable
+them, install LibreOffice via the `INSTALL_SOFFICE` build variable (any
+value), and either set the `soffice` property in
+`<BASEDIR>/settings.json.docker` to `/usr/bin/soffice` or set the
+`SOFFICE` environment variable to `/usr/bin/soffice`.
 
 ### Examples
 
diff --git a/settings.json.docker b/settings.json.docker
index 36becc015fd..096c722e5b2 100644
--- a/settings.json.docker
+++ b/settings.json.docker
@@ -424,18 +424,21 @@
   "maxAge": "${MAX_AGE:21600}", // 60 * 60 * 6 = 6 hours
 
   /*
-   * This is the absolute path to the soffice executable.
+   * Absolute path to the soffice (LibreOffice) executable.
    *
-   * LibreOffice is used for advanced import/export of pads (docx, pdf, odt).
-   * Setting it to null disables LibreOffice and will only allow plain text
-   * and HTML import/exports.
+   * When configured, soffice handles all advanced office-format
+   * conversions (docx, pdf, odt, doc, rtf -- both directions). When
+   * null, Etherpad falls back to pure-JS in-process converters
+   * that handle docx export, pdf export, and docx import natively.
+   * odt/doc/rtf export and pdf import still require soffice.
    */
   "soffice": "${SOFFICE:null}",
 
   /*
-   * When true (the default), the "Microsoft Word" export button downloads a .docx file via
-   * LibreOffice (requires "soffice" to be set). Set to false to revert to legacy .doc output
-   * (which also requires "soffice").
+   * When true (the default), the "Microsoft Word" export button
+   * downloads a .docx file -- via soffice if it's configured, or via
+   * the in-process html-to-docx converter otherwise. Set to false to
+   * revert to legacy .doc output (.doc still requires soffice).
    */
   "docxExport": "${DOCX_EXPORT:true}",
 
diff --git a/settings.json.template b/settings.json.template
index 863286addc1..734592d23d1 100644
--- a/settings.json.template
+++ b/settings.json.template
@@ -422,18 +422,21 @@
   "maxAge": 21600, // 60 * 60 * 6 = 6 hours
 
   /*
-   * This is the absolute path to the soffice executable.
+   * Absolute path to the soffice (LibreOffice) executable.
    *
-   * LibreOffice is used for advanced import/export of pads (docx, pdf, odt).
-   * Setting it to null disables LibreOffice and will only allow plain text
-   * and HTML import/exports.
+   * When configured, soffice handles all advanced office-format
+   * conversions (docx, pdf, odt, doc, rtf — both directions). When
+   * null, Etherpad falls back to pure-JS in-process converters
+   * that handle docx export, pdf export, and docx import natively.
+   * odt/doc/rtf export and pdf import still require soffice.
    */
   "soffice": null,
 
   /*
-   * When true (the default), the "Microsoft Word" export button downloads a .docx file via
-   * LibreOffice (requires "soffice" to be set). Set to false to revert to legacy .doc output
-   * (which also requires "soffice").
+   * When true (the default), the "Microsoft Word" export button
+   * downloads a .docx file -- via soffice if it's configured, or via
+   * the in-process html-to-docx converter otherwise. Set to false to
+   * revert to legacy .doc output (.doc still requires soffice).
    */
   "docxExport": true,
 

From 4f1b5248648c49f812c732a29ef33a8520036b75 Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Sun, 10 May 2026 15:55:33 +0800
Subject: [PATCH 16/25] feat(admin): document admin endpoints in OpenAPI
 (#7693) (#7705)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* chore(admin): typesafe API client + TanStack Query rails (#7638) (#2)

* docs(admin): design for typesafe API client + TanStack Query rails (#7638)

Rails-only scope: codegen toolchain, runtime client, and provider — no
call-site migrations. Admin endpoints are not yet covered by the OpenAPI
spec, so a separate issue will follow before any migration is useful.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): implementation plan for typesafe API client rails (#7638)

Step-by-step task breakdown for the rails-only PR: codegen toolchain,
runtime client, TanStack Query provider, CI freshness check, docs. No
call-site migrations until admin endpoints are added to the OpenAPI
spec (separate follow-up).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(api): export generateDefinitionForVersion from openapi hook

Required by the admin codegen script (#7638) to dump the OpenAPI spec
without booting Express. No behavior change for the request hook.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): add OpenAPI codegen + TanStack Query deps (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): add OpenAPI spec dump entry (#7638)

Loaded via tsx by gen-api.mjs in the next commit. Writes JSON to a file
path argument so log4js stdout output (from Settings init) does not
pollute the spec output.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): wire OpenAPI codegen into build (#7638)

Adds gen:api script and amends build/build-copy to regenerate
admin/src/api/schema.d.ts before compiling. The generated file is
checked in so it shows up in PR review and so a fresh checkout doesn't
need codegen to typecheck.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): typed openapi-fetch + react-query client (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): TanStack Query provider, dev-only devtools (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): mount TanStack Query provider at root (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(admin): smoke test for typed openapi-fetch client (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(admin): verify generated OpenAPI schema is up to date (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): document OpenAPI codegen workflow (#7638)

Replaces the default Vite scaffold README with admin-specific scripts
table and codegen workflow notes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* build(admin): exclude __tests__ from tsc include (#7638)

The smoke test imports node:test/node:assert which need @types/node.
Admin source is browser-only, so excluding __tests__ from the production
typecheck is cleaner than adding Node types to the bundle config. The
test still runs under tsx, which doesn't share this constraint.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: regenerate lockfile with pnpm 10 to restore overrides block (#7638)

Adding admin deps with pnpm 11 stripped the top-level \`overrides:\`
section from pnpm-lock.yaml, which CI uses pnpm 10 to verify. Result:
ERR_PNPM_LOCKFILE_CONFIG_MISMATCH on every job. Re-running pnpm 10
\`install --lockfile-only\` restores the overrides block; the new admin
package entries land in the same commit. Two stale lockfile entries
not present in package.json (\`serialize-javascript\` version pin and
\`uuid@<14.0.0\`) were normalized by the regen — package.json is the
source of truth for those.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* build(docker): preserve strictDepBuilds=false in trimmed workspace yaml (#7638)

Adding tsx as an admin devDep brings esbuild@0.27.x into the resolved
subgraph, and the Dockerfile's runtime stage was overwriting
pnpm-workspace.yaml with a stripped-down version that lost the
strictDepBuilds=false setting from the source repo. With pnpm 10's
default of strictDepBuilds=true, the install then errors on
ERR_PNPM_IGNORED_BUILDS for esbuild + scarf rather than warning.

Restore the strictDepBuilds=false and the @scarf/scarf ignore in the
trimmed yaml so the production install matches develop's behavior.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(admin): point client baseUrl at /api/<version> via codegen (#7638)

Qodo flagged: with baseUrl='/' and schema paths like '/createGroup',
calls landed at /createGroup, but the backend mounts the FLAT-style
spec under /api/<version>/. So once a call site lands, every request
404s.

gen:api now also emits admin/src/api/version.ts containing
LATEST_API_VERSION (read from info.version in the spec) and a derived
API_BASE_URL = `/api/<version>`. client.ts imports API_BASE_URL.
Workflow freshness check covers both generated files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* build(admin): cross-platform spawn in gen-api.mjs (#7638)

Windows CI failed because spawnSync('pnpm', ...) cannot resolve
pnpm.cmd without a shell. Set shell:true on win32 only so Linux/macOS
runs avoid Node's DEP0190 warning. All spawn args are literal strings,
so the shell variant is not an injection risk.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): gitignore generated schema/version, regen on every script (#7638)

Qodo flagged the committed admin/src/api/schema.d.ts as a build artifact
that violates the rule against committing generated files (rule 467291,
"Exclude build artifacts and runtime-generated files from version control").

This commit:
- Adds admin/src/api/{schema.d.ts,version.ts} to .gitignore.
- Removes both from VCS (the prior squash had committed them).
- Chains \`gen:api\` into the dev and test scripts so a fresh checkout
  lands a working dev server / test run without an extra step. build
  and build-copy already chained gen:api.
- Drops the now-redundant CI freshness diff step from
  frontend-admin-tests.yml — with the files no longer committed, the
  build step's gen:api invocation is the only check needed.
- Updates admin/README.md to describe the new generated-file workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): design for admin OpenAPI coverage (#7693)

Adds the design doc for documenting `/admin-auth/*` and `/admin/update/status`
in the OpenAPI spec so the typed client generated by #7695 (`admin/src/api/
schema.d.ts`) gains admin call-sites the day it lands.

This PR is stacked on #7695 — codegen rails must merge first. Schema-only,
no call-site migrations (those are an explicit follow-up named in #7693).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): correct UpdateStatus schema to base-branch shape (#7693)

The first draft mirrored the Tier 2 (#7607) response shape, but this PR
stacks on #7695 whose updateStatus.ts only emits the Tier 1 fields. Fix
the schema, install-method enum, and tier enum to match types.ts and
the actual handler. Tier 2 amends UpdateStatus when it lands.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): implementation plan for admin OpenAPI coverage (#7693)

Step-by-step task breakdown for the schema-only PR: stub the document,
add /admin-auth/ + /admin/update/status paths and sub-schemas,
collision regression, /admin/openapi.json route, codegen merge, and CI
verification. No call-site migrations.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): stub OpenAPI document for admin endpoints (#7693)

Adds generateAdminDefinition() returning a minimal valid OpenAPI 3.0
document with no paths yet, plus security schemes for the two auth
modes (Basic + session cookie). Subsequent tasks fill in the actual
admin paths.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): document POST /admin-auth/ in OpenAPI (#7693)

Adds verifyAdminAccess as the operation that the admin UI's LoginScreen
and App session check both call. Documents Basic auth, session cookie,
and anonymous request modes plus their 200/401/403 responses.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): document GET /admin/update/status in OpenAPI (#7693)

Adds getUpdateStatus operation plus UpdateStatus, ReleaseInfo,
PolicyResult, and VulnerableBelowDirective sub-schemas. Property names
and enums mirror src/node/updater/types.ts and the response object
emitted by updateStatus.ts. Tier 2 (#7607) will amend UpdateStatus when
it ships execution/lastResult/lockHeld.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(admin): regression net for admin/public OpenAPI collisions (#7693)

Cross-checks admin paths, operationIds, and schema names against the
latest public spec. Today there are no overlaps; the test exists to
catch future renames before they break the merged client codegen.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): expose admin OpenAPI doc at /admin/openapi.json (#7693)

Mounts the admin OpenAPI document at /admin/openapi.json (CORS: *) via
an expressPreSession hook, matching the /api/openapi.json convention.
The admin SPA wildcard at /admin/{*filename} registers later in
expressCreateServer, so the JSON route wins. Live-route test confirms
JSON content-type and CORS header.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): mergeOpenAPI helper for codegen pipeline (#7693)

Pure-JS deep-merge of two OpenAPI 3.0 documents. Unions paths and
components by key; throws on collisions. Public document's info,
servers, and root security win over the admin document's. Used by
dump-spec.ts to produce a single merged JSON for openapi-typescript.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): fix stale "Section 3" reference in spec (#7693)

Drafting numbered the design walkthrough; final spec uses titled
sections. Update the back-reference accordingly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): include admin OpenAPI in generated client (#7693)

Modifies dump-spec.ts to import generateAdminDefinition alongside the
public generator and feed both through mergeOpenAPI before writing the
JSON consumed by openapi-typescript. The resulting admin/src/api/
schema.d.ts paths interface now exposes /admin-auth/ and
/admin/update/status, ready for typed call-site adoption in a follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(admin): gate /admin/openapi.json behind a feature flag (#7693)

Address Qodo finding 1: new features must ship behind a flag, disabled
by default (CONTRIBUTING.md, AGENTS.MD, best_practices.md). Adds
settings.adminOpenAPI.enabled (default false). expressPreSession
returns early when the flag is off, so the route is dormant on a fresh
install.

The codegen pipeline imports generateAdminDefinition() in-process and
does not depend on the runtime route, so default-off has no effect on
the typed client. Operators who want third-party tooling (Postman,
swagger-ui, downstream clients) to consume the spec at runtime opt in
via settings.

Adds:
- SettingsType + defaults entry in src/node/utils/Settings.ts
- settings.json.template documentation
- A backend spec asserting expressPreSession is a no-op when the flag
  is off (live route test now sets the flag explicitly)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(admin): split fetchClient by surface; admin client baseUrl='/' (#7693)

Address Qodo finding 2 (correctness bug). The merged schema introduced
in this PR exposes both public-API paths (under /api/<version>/) and
admin paths (at root, e.g. /admin-auth/). The single fetchClient from
#7695 has baseUrl=API_BASE_URL ("/api/<version>"), so calling an admin
path through it would resolve to /api/<version>/admin-auth/ — wrong.

Fix:
- Narrow the generated `paths` interface by URL prefix
  (`/admin*` vs everything else).
- Export two clients: `fetchClient` (public, baseUrl=/api/<version>)
  and `adminFetchClient` (admin, baseUrl='/').
- Mirror with `$api` / `$adminApi` query hook factories.

TypeScript now rejects mixing surfaces at compile time:
  fetchClient.GET('/admin-auth/')        // type error: not in PublicPaths
  adminFetchClient.GET('/createGroup')   // type error: not in AdminPaths

Smoke test updated to assert all four exports exist.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): spec — feature flag + dual-client design (#7693)

Reflect Qodo-driven changes:
- /admin/openapi.json route is now feature-flagged (default off).
- admin/src/api/client.ts splits paths by URL prefix and exports two
  clients (public + admin) so TypeScript rejects mixing surfaces.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(admin): check adminOpenAPI flag per-request, not at hook setup (#7693)

The first feature-flag commit (dbcfb3902) gated the route by checking
the flag inside expressPreSession and skipping app.get() when off. That
broke under the full backend suite because common.init() is cached: the
first spec that calls it boots the server with whatever flag state was
present at that moment, and later specs cannot retroactively register
the route by toggling the flag.

Move the flag check inside the request handler:

- Route is always registered.
- Handler returns 404 application/json when the flag is off (so callers
  get a clear "feature disabled" signal rather than the SPA wildcard's
  text/html catch-all).
- Handler returns the spec + CORS * when the flag is on.

Tests now toggle the flag in-process and exercise both states against
the shared agent — no server restart needed. Added a "returns 404 JSON
when off" test alongside the existing "200 + spec + CORS when on".

Full backend suite: 1007 passing, 6 pending, 0 failures.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .gitignore                                    |    5 +
 admin/README.md                               |   78 +-
 admin/package.json                            |   18 +-
 .../scripts/__tests__/merge-openapi.test.mjs  |   74 ++
 admin/scripts/dump-spec.ts                    |   57 +
 admin/scripts/gen-api.mjs                     |   78 ++
 admin/scripts/merge-openapi.mjs               |   56 +
 admin/src/api/QueryProvider.tsx               |   40 +
 admin/src/api/__tests__/client.test.ts        |   20 +
 admin/src/api/client.ts                       |   30 +
 admin/src/main.tsx                            |   15 +-
 admin/tsconfig.json                           |    1 +
 ...026-05-01-issue-7638-admin-typesafe-api.md |  804 +++++++++++++
 .../2026-05-08-issue-7693-admin-openapi.md    | 1058 +++++++++++++++++
 ...01-issue-7638-admin-typesafe-api-design.md |  198 +++
 ...6-05-08-issue-7693-admin-openapi-design.md |  304 +++++
 pnpm-lock.yaml                                |  244 +++-
 settings.json.template                        |   13 +
 src/ep.json                                   |    6 +
 src/node/hooks/express/openapi-admin.ts       |  182 +++
 src/node/hooks/express/openapi.ts             |    3 +
 src/node/utils/Settings.ts                    |   15 +
 src/tests/backend/specs/openapi-admin.ts      |  216 ++++
 23 files changed, 3463 insertions(+), 52 deletions(-)
 create mode 100644 admin/scripts/__tests__/merge-openapi.test.mjs
 create mode 100644 admin/scripts/dump-spec.ts
 create mode 100644 admin/scripts/gen-api.mjs
 create mode 100644 admin/scripts/merge-openapi.mjs
 create mode 100644 admin/src/api/QueryProvider.tsx
 create mode 100644 admin/src/api/__tests__/client.test.ts
 create mode 100644 admin/src/api/client.ts
 create mode 100644 docs/superpowers/plans/2026-05-01-issue-7638-admin-typesafe-api.md
 create mode 100644 docs/superpowers/plans/2026-05-08-issue-7693-admin-openapi.md
 create mode 100644 docs/superpowers/specs/2026-05-01-issue-7638-admin-typesafe-api-design.md
 create mode 100644 docs/superpowers/specs/2026-05-08-issue-7693-admin-openapi-design.md
 create mode 100644 src/node/hooks/express/openapi-admin.ts
 create mode 100644 src/tests/backend/specs/openapi-admin.ts

diff --git a/.gitignore b/.gitignore
index 098074ad290..c38ed72cc40 100644
--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,8 @@ stage/
 prime/
 .craft/
 *.snap
+
+# Generated by `pnpm --filter admin gen:api` from src/node/hooks/express/openapi.ts.
+# Regenerated by build/test/dev scripts; not committed.
+/admin/src/api/schema.d.ts
+/admin/src/api/version.ts
diff --git a/admin/README.md b/admin/README.md
index 0d6babeddbd..6d069bba4d6 100644
--- a/admin/README.md
+++ b/admin/README.md
@@ -1,30 +1,66 @@
-# React + TypeScript + Vite
+# Admin UI
 
-This template provides a minimal setup to get React working in Vite with HMR and some ESLint rules.
+Vite + React 19 single-page app served at `/admin`. Talks to the backend over
+socket.io for the existing settings / plugins / pads pages, and (when
+endpoints are added to the OpenAPI spec) over a typed REST client.
 
-Currently, two official plugins are available:
+## Scripts
 
-- [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/blob/main/packages/plugin-react/README.md) uses [Babel](https://babeljs.io/) for Fast Refresh
-- [@vitejs/plugin-react-swc](https://github.com/vitejs/vite-plugin-react-swc) uses [SWC](https://swc.rs/) for Fast Refresh
+| Script               | What it does                                             |
+| -------------------- | -------------------------------------------------------- |
+| `pnpm dev`           | `gen:api` + Vite dev server (expects backend on :9001).  |
+| `pnpm gen:api`       | Regenerates `src/api/{schema.d.ts,version.ts}` from the OpenAPI spec. |
+| `pnpm build`         | `gen:api` + `tsc` + `vite build`.                        |
+| `pnpm build-copy`    | Same, but writes into `../src/templates/admin`.          |
+| `pnpm test`          | `gen:api` + smoke tests for the API client wiring.       |
+| `pnpm lint`          | ESLint.                                                  |
 
-## Expanding the ESLint configuration
+## Typed API client
 
-If you are developing a production application, we recommend updating the configuration to enable type aware lint rules:
+The admin uses [`openapi-typescript`] to generate types from
+`src/node/hooks/express/openapi.ts`, [`openapi-fetch`] for typed requests, and
+[`openapi-react-query`] for TanStack Query bindings.
 
-- Configure the top-level `parserOptions` property like this:
+[`openapi-typescript`]: https://github.com/openapi-ts/openapi-typescript
+[`openapi-fetch`]: https://github.com/openapi-ts/openapi-typescript/tree/main/packages/openapi-fetch
+[`openapi-react-query`]: https://github.com/openapi-ts/openapi-typescript/tree/main/packages/openapi-react-query
 
-```js
-export default {
-  // other rules...
-  parserOptions: {
-    ecmaVersion: 'latest',
-    sourceType: 'module',
-    project: ['./tsconfig.json', './tsconfig.node.json'],
-    tsconfigRootDir: __dirname,
-  },
-}
+### Generated files
+
+`admin/src/api/schema.d.ts` and `admin/src/api/version.ts` are generated by
+`gen:api` and gitignored — never commit them. They are produced by:
+
+```sh
+pnpm --filter admin gen:api
+```
+
+`admin/scripts/gen-api.mjs` loads `src/node/hooks/express/openapi.ts`, calls
+`generateDefinitionForVersion` for the latest API version, pipes the JSON
+through `openapi-typescript` to produce `schema.d.ts`, and emits a runtime
+constant `LATEST_API_VERSION` (read from `info.version` in the spec) to
+`version.ts` so `client.ts` can build the right `/api/<version>/` baseUrl.
+
+`gen:api` runs as the first step of `dev`, `build`, `build-copy`, and
+`test`, so a fresh checkout produces the generated files automatically when
+any of those scripts is invoked. After modifying any of the following, the
+next `pnpm <dev|build|test>` will refresh the generated files; you can also
+run `gen:api` directly:
+
+- `src/node/hooks/express/openapi.ts`
+- `src/node/handler/APIHandler.ts` (changes to `latestApiVersion`)
+- the resource definitions referenced by `openapi.ts`
+
+### Using the client
+
+```tsx
+import { $api } from './api/client';
+
+const SettingsPanel = () => {
+  const { data } = $api.useQuery('get', '/admin/settings'); // example
+  return <pre>{JSON.stringify(data, null, 2)}</pre>;
+};
 ```
 
-- Replace `plugin:@typescript-eslint/recommended` to `plugin:@typescript-eslint/recommended-type-checked` or `plugin:@typescript-eslint/strict-type-checked`
-- Optionally add `plugin:@typescript-eslint/stylistic-type-checked`
-- Install [eslint-plugin-react](https://github.com/jsx-eslint/eslint-plugin-react) and add `plugin:react/recommended` & `plugin:react/jsx-runtime` to the `extends` list
+The admin endpoints are not yet present in the OpenAPI spec — this client is
+in place to support upcoming work (see issue #7638 follow-up). For now, it is
+exercised only by the smoke test.
diff --git a/admin/package.json b/admin/package.json
index 3084b5fbc2b..cd5cb440907 100644
--- a/admin/package.json
+++ b/admin/package.json
@@ -4,14 +4,20 @@
   "version": "2.7.3",
   "type": "module",
   "scripts": {
-    "dev": "vite",
-    "build": "tsc && vite build",
+    "dev": "pnpm gen:api && vite",
+    "gen:api": "node scripts/gen-api.mjs",
+    "build": "pnpm gen:api && tsc && vite build",
     "lint": "eslint . --ext ts,tsx --report-unused-disable-directives --max-warnings 0",
-    "build-copy": "tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
-    "preview": "vite preview"
+    "build-copy": "pnpm gen:api && tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
+    "preview": "vite preview",
+    "test": "pnpm gen:api && tsx --test src/api/__tests__/client.test.ts"
   },
   "dependencies": {
-    "@radix-ui/react-switch": "^1.2.6"
+    "@radix-ui/react-switch": "^1.2.6",
+    "@tanstack/react-query": "^5.100.9",
+    "@tanstack/react-query-devtools": "^5.100.9",
+    "openapi-fetch": "^0.17.0",
+    "openapi-react-query": "^0.5.4"
   },
   "devDependencies": {
     "@radix-ui/react-dialog": "^1.1.15",
@@ -28,12 +34,14 @@
     "i18next": "^26.0.10",
     "i18next-browser-languagedetector": "^8.2.1",
     "lucide-react": "^1.14.0",
+    "openapi-typescript": "^7.13.0",
     "react": "^19.2.6",
     "react-dom": "^19.2.6",
     "react-hook-form": "^7.75.0",
     "react-i18next": "^17.0.7",
     "react-router-dom": "^7.15.0",
     "socket.io-client": "^4.8.3",
+    "tsx": "^4.21.0",
     "typescript": "^6.0.3",
     "vite": "^8.0.11",
     "vite-plugin-babel": "^1.6.0",
diff --git a/admin/scripts/__tests__/merge-openapi.test.mjs b/admin/scripts/__tests__/merge-openapi.test.mjs
new file mode 100644
index 00000000000..7fb454c1150
--- /dev/null
+++ b/admin/scripts/__tests__/merge-openapi.test.mjs
@@ -0,0 +1,74 @@
+import {test} from 'node:test';
+import {strict as assert} from 'node:assert';
+import {mergeOpenAPI} from '../merge-openapi.mjs';
+
+const minimal = (overrides = {}) => ({
+  openapi: '3.0.2',
+  info: {title: 'X', version: '0.0.0'},
+  paths: {},
+  components: {schemas: {}, securitySchemes: {}},
+  ...overrides,
+});
+
+test('unions paths from both docs', () => {
+  const pub = minimal({paths: {'/createGroup': {post: {operationId: 'createGroup'}}}});
+  const adm = minimal({paths: {'/admin-auth/': {post: {operationId: 'verifyAdminAccess'}}}});
+  const out = mergeOpenAPI(pub, adm);
+  assert.deepEqual(Object.keys(out.paths).sort(), ['/admin-auth/', '/createGroup']);
+});
+
+test('throws on path collision', () => {
+  const pub = minimal({paths: {'/x': {get: {}}}});
+  const adm = minimal({paths: {'/x': {post: {}}}});
+  assert.throws(() => mergeOpenAPI(pub, adm), /path collision/i);
+});
+
+test('unions components.schemas', () => {
+  const pub = minimal({components: {schemas: {A: {}}, securitySchemes: {}}});
+  const adm = minimal({components: {schemas: {B: {}}, securitySchemes: {}}});
+  const out = mergeOpenAPI(pub, adm);
+  assert.deepEqual(Object.keys(out.components.schemas).sort(), ['A', 'B']);
+});
+
+test('throws on schema name collision', () => {
+  const pub = minimal({components: {schemas: {Dup: {}}, securitySchemes: {}}});
+  const adm = minimal({components: {schemas: {Dup: {}}, securitySchemes: {}}});
+  assert.throws(() => mergeOpenAPI(pub, adm), /schema collision/i);
+});
+
+test('unions securitySchemes', () => {
+  const pub = minimal({components: {schemas: {}, securitySchemes: {apiKey: {}}}});
+  const adm = minimal({components: {schemas: {}, securitySchemes: {basicAuth: {}}}});
+  const out = mergeOpenAPI(pub, adm);
+  assert.deepEqual(
+    Object.keys(out.components.securitySchemes).sort(),
+    ['apiKey', 'basicAuth'],
+  );
+});
+
+test('preserves public root security; admin per-operation security survives', () => {
+  const pub = minimal({security: [{apiKey: []}]});
+  const adm = minimal({
+    paths: {
+      '/admin-auth/': {
+        post: {
+          security: [{basicAuth: []}, {}],
+        },
+      },
+    },
+  });
+  const out = mergeOpenAPI(pub, adm);
+  assert.deepEqual(out.security, [{apiKey: []}]);
+  assert.deepEqual(
+    out.paths['/admin-auth/'].post.security,
+    [{basicAuth: []}, {}],
+  );
+});
+
+test('public info wins on conflict', () => {
+  const pub = minimal({info: {title: 'Public', version: '1.0'}});
+  const adm = minimal({info: {title: 'Admin', version: '2.0'}});
+  const out = mergeOpenAPI(pub, adm);
+  assert.equal(out.info.title, 'Public');
+  assert.equal(out.info.version, '1.0');
+});
diff --git a/admin/scripts/dump-spec.ts b/admin/scripts/dump-spec.ts
new file mode 100644
index 00000000000..6c229e80270
--- /dev/null
+++ b/admin/scripts/dump-spec.ts
@@ -0,0 +1,57 @@
+// admin/scripts/dump-spec.ts
+//
+// Imports the public + admin OpenAPI spec builders from the etherpad
+// source, merges them into one document, and writes JSON to argv[2].
+// Invoked by admin/scripts/gen-api.mjs via `tsx`.
+//
+// Why a file argument instead of stdout: importing openapi*.ts triggers
+// Settings init, which configures log4js to write INFO/WARN lines to
+// stdout. Capturing stdout would mix logs with JSON.
+
+import {writeFileSync} from 'node:fs';
+import path from 'node:path';
+import {fileURLToPath, pathToFileURL} from 'node:url';
+// @ts-expect-error — sibling .mjs has no .d.ts; tsx resolves it at runtime.
+import {mergeOpenAPI} from './merge-openapi.mjs';
+
+const outFile = process.argv[2];
+if (!outFile) {
+  process.stderr.write('Usage: tsx scripts/dump-spec.ts <output-path>\n');
+  process.exit(2);
+}
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+const repoRoot = path.resolve(here, '..', '..');
+
+const apiHandlerPath = path.join(repoRoot, 'src', 'node', 'handler', 'APIHandler.ts');
+const openapiPath = path.join(repoRoot, 'src', 'node', 'hooks', 'express', 'openapi.ts');
+const openapiAdminPath = path.join(
+  repoRoot, 'src', 'node', 'hooks', 'express', 'openapi-admin.ts',
+);
+
+type ApiHandlerModule = {latestApiVersion: string};
+type OpenApiModule = {
+  generateDefinitionForVersion: (version: string, style?: string) => unknown;
+  APIPathStyle: {FLAT: string; REST: string};
+};
+type OpenApiAdminModule = {
+  generateAdminDefinition: () => unknown;
+};
+
+const apiHandlerMod = await import(pathToFileURL(apiHandlerPath).href);
+const openapiMod = await import(pathToFileURL(openapiPath).href);
+const openapiAdminMod = await import(pathToFileURL(openapiAdminPath).href);
+
+const apiHandler = (apiHandlerMod.default ?? apiHandlerMod) as ApiHandlerModule;
+const openapi = (openapiMod.default ?? openapiMod) as OpenApiModule;
+const openapiAdmin = (openapiAdminMod.default ?? openapiAdminMod) as OpenApiAdminModule;
+
+const publicSpec = openapi.generateDefinitionForVersion(
+  apiHandler.latestApiVersion,
+  openapi.APIPathStyle.FLAT,
+);
+const adminSpec = openapiAdmin.generateAdminDefinition();
+
+const merged = mergeOpenAPI(publicSpec, adminSpec);
+
+writeFileSync(path.resolve(outFile), JSON.stringify(merged, null, 2), 'utf8');
diff --git a/admin/scripts/gen-api.mjs b/admin/scripts/gen-api.mjs
new file mode 100644
index 00000000000..d96383e2563
--- /dev/null
+++ b/admin/scripts/gen-api.mjs
@@ -0,0 +1,78 @@
+// admin/scripts/gen-api.mjs
+//
+// Regenerates admin/src/api/schema.d.ts from the live OpenAPI spec exported
+// by src/node/hooks/express/openapi.ts. Run via `pnpm --filter admin gen:api`.
+
+import { spawnSync } from 'node:child_process';
+import { mkdtempSync, rmSync, writeFileSync, readFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+const adminRoot = path.resolve(here, '..');
+const outFile = path.join(adminRoot, 'src', 'api', 'schema.d.ts');
+
+const tmpDir = mkdtempSync(path.join(tmpdir(), 'etherpad-openapi-'));
+const specPath = path.join(tmpDir, 'spec.json');
+
+// On Windows pnpm resolves to pnpm.cmd, which spawnSync can only find via a
+// shell. Use shell on Windows only to avoid Node's DEP0190 warning elsewhere.
+// Every argument here is fixed (no user input) so the shell:true variant is
+// not an injection risk.
+const spawnOpts = {
+  cwd: adminRoot,
+  stdio: 'inherit',
+  shell: process.platform === 'win32',
+};
+
+try {
+  const dump = spawnSync(
+    'pnpm',
+    ['exec', 'tsx', 'scripts/dump-spec.ts', specPath],
+    spawnOpts,
+  );
+  if (dump.status !== 0) {
+    console.error(`dump-spec.ts failed with exit code ${dump.status}`);
+    process.exit(dump.status ?? 1);
+  }
+
+  const gen = spawnSync(
+    'pnpm',
+    ['exec', 'openapi-typescript', specPath, '-o', outFile],
+    spawnOpts,
+  );
+  if (gen.status !== 0) {
+    console.error(`openapi-typescript failed with exit code ${gen.status}`);
+    process.exit(gen.status ?? 1);
+  }
+
+  const header =
+    `// GENERATED — do not edit. Run \`pnpm --filter admin gen:api\` to regenerate.\n` +
+    `// Source: src/node/hooks/express/openapi.ts (#7638)\n\n`;
+  const body = readFileSync(outFile, 'utf8');
+  writeFileSync(outFile, header + body, 'utf8');
+
+  // Emit a runtime-side version constant so client.ts can build the right
+  // baseUrl. Generated paths are unprefixed (e.g. "/createGroup"), but the
+  // backend mounts the FLAT-style spec under /api/<version>/.
+  const spec = JSON.parse(readFileSync(specPath, 'utf8'));
+  const apiVersion = spec?.info?.version;
+  if (typeof apiVersion !== 'string' || apiVersion.length === 0) {
+    console.error('OpenAPI spec is missing info.version; cannot emit version.ts');
+    process.exit(1);
+  }
+  const versionFile = path.join(adminRoot, 'src', 'api', 'version.ts');
+  writeFileSync(
+    versionFile,
+    header +
+      `export const LATEST_API_VERSION = ${JSON.stringify(apiVersion)};\n` +
+      `export const API_BASE_URL = \`/api/\${LATEST_API_VERSION}\`;\n`,
+    'utf8',
+  );
+
+  console.log(`Wrote ${path.relative(process.cwd(), outFile)}`);
+  console.log(`Wrote ${path.relative(process.cwd(), versionFile)}`);
+} finally {
+  rmSync(tmpDir, { recursive: true, force: true });
+}
diff --git a/admin/scripts/merge-openapi.mjs b/admin/scripts/merge-openapi.mjs
new file mode 100644
index 00000000000..ff78576c7ce
--- /dev/null
+++ b/admin/scripts/merge-openapi.mjs
@@ -0,0 +1,56 @@
+// admin/scripts/merge-openapi.mjs
+//
+// Deep-merges the public-API OpenAPI document with the admin OpenAPI
+// document into a single document for openapi-typescript to consume.
+//
+// Rules:
+//   - paths: union by key; collision throws
+//   - components.{schemas,parameters,responses,securitySchemes}: union by name; collision throws
+//   - root info, servers, security: public wins (admin's are ignored at the root)
+//   - per-operation security on admin paths is preserved untouched
+
+const unionMap = (label, a = {}, b = {}) => {
+  const out = {...a};
+  for (const [k, v] of Object.entries(b)) {
+    if (k in out) {
+      throw new Error(`${label} on key "${k}"`);
+    }
+    out[k] = v;
+  }
+  return out;
+};
+
+export const mergeOpenAPI = (publicDoc, adminDoc) => {
+  if (!publicDoc || !adminDoc) {
+    throw new Error('mergeOpenAPI requires both publicDoc and adminDoc');
+  }
+  return {
+    openapi: publicDoc.openapi || adminDoc.openapi,
+    info: publicDoc.info,
+    ...(publicDoc.servers ? {servers: publicDoc.servers} : {}),
+    ...(publicDoc.security ? {security: publicDoc.security} : {}),
+    paths: unionMap('path collision', publicDoc.paths, adminDoc.paths),
+    components: {
+      schemas: unionMap(
+        'schema collision',
+        publicDoc.components?.schemas,
+        adminDoc.components?.schemas,
+      ),
+      parameters: unionMap(
+        'parameter collision',
+        publicDoc.components?.parameters,
+        adminDoc.components?.parameters,
+      ),
+      responses: unionMap(
+        'response collision',
+        publicDoc.components?.responses,
+        adminDoc.components?.responses,
+      ),
+      securitySchemes: unionMap(
+        'securityScheme collision',
+        publicDoc.components?.securitySchemes,
+        adminDoc.components?.securitySchemes,
+      ),
+    },
+  };
+};
diff --git a/admin/src/api/QueryProvider.tsx b/admin/src/api/QueryProvider.tsx
new file mode 100644
index 00000000000..54ee2d95cec
--- /dev/null
+++ b/admin/src/api/QueryProvider.tsx
@@ -0,0 +1,40 @@
+// admin/src/api/QueryProvider.tsx
+//
+// TanStack Query provider for the admin UI. Devtools are loaded lazily and
+// only in dev builds so they don't ship to production.
+
+import { lazy, Suspense, useState, type ReactNode } from 'react';
+import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+
+const Devtools = import.meta.env.DEV
+  ? lazy(() =>
+      import('@tanstack/react-query-devtools').then((m) => ({
+        default: m.ReactQueryDevtools,
+      })),
+    )
+  : null;
+
+export const QueryProvider = ({ children }: { children: ReactNode }) => {
+  const [client] = useState(
+    () =>
+      new QueryClient({
+        defaultOptions: {
+          queries: {
+            staleTime: 30_000,
+            refetchOnWindowFocus: true,
+          },
+        },
+      }),
+  );
+
+  return (
+    <QueryClientProvider client={client}>
+      {children}
+      {Devtools && (
+        <Suspense fallback={null}>
+          <Devtools initialIsOpen={false} />
+        </Suspense>
+      )}
+    </QueryClientProvider>
+  );
+};
diff --git a/admin/src/api/__tests__/client.test.ts b/admin/src/api/__tests__/client.test.ts
new file mode 100644
index 00000000000..23230390bd5
--- /dev/null
+++ b/admin/src/api/__tests__/client.test.ts
@@ -0,0 +1,20 @@
+// admin/src/api/__tests__/client.test.ts
+//
+// Smoke test that the OpenAPI client module loads and exposes the expected
+// surface. Catches toolchain wiring regressions (missing peer deps,
+// generator output that doesn't export `paths`, etc.).
+
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+
+test('client module exports public + admin clients and query hooks', async () => {
+  const mod = await import('../client.ts');
+  assert.ok(mod.fetchClient, 'fetchClient export is present');
+  assert.ok(mod.adminFetchClient, 'adminFetchClient export is present');
+  assert.ok(mod.$api, '$api export is present');
+  assert.ok(mod.$adminApi, '$adminApi export is present');
+  assert.equal(typeof mod.fetchClient.GET, 'function', 'fetchClient.GET is a function');
+  assert.equal(typeof mod.adminFetchClient.GET, 'function', 'adminFetchClient.GET is a function');
+  assert.equal(typeof mod.$api.useQuery, 'function', '$api.useQuery is a function');
+  assert.equal(typeof mod.$adminApi.useQuery, 'function', '$adminApi.useQuery is a function');
+});
diff --git a/admin/src/api/client.ts b/admin/src/api/client.ts
new file mode 100644
index 00000000000..39294c9769e
--- /dev/null
+++ b/admin/src/api/client.ts
@@ -0,0 +1,30 @@
+// admin/src/api/client.ts
+//
+// Typed HTTP clients and TanStack Query hooks derived from the generated
+// OpenAPI schema. Regenerate the schema with `pnpm --filter admin gen:api`.
+//
+// The merged spec covers two surfaces with different baseUrls:
+//
+//   - Public versioned API at /api/<version>/   (paths like /createGroup)
+//   - Admin endpoints at root                   (paths like /admin-auth/)
+//
+// We narrow the generated `paths` interface by URL prefix and create one
+// typed client per surface. TypeScript then rejects calling an admin path on
+// the public client (or vice versa) at compile time — there is no shared
+// client whose runtime baseUrl would silently target the wrong surface.
+
+import createClient from 'openapi-fetch';
+import createQueryHooks from 'openapi-react-query';
+import type { paths } from './schema';
+import { API_BASE_URL } from './version';
+
+type AdminPath = Extract<keyof paths, `/admin${string}`>;
+type PublicPath = Exclude<keyof paths, AdminPath>;
+type PublicPaths = Pick<paths, PublicPath>;
+type AdminPaths = Pick<paths, AdminPath>;
+
+export const fetchClient = createClient<PublicPaths>({ baseUrl: API_BASE_URL });
+export const adminFetchClient = createClient<AdminPaths>({ baseUrl: '/' });
+
+export const $api = createQueryHooks(fetchClient);
+export const $adminApi = createQueryHooks(adminFetchClient);
diff --git a/admin/src/main.tsx b/admin/src/main.tsx
index c7dcc456bf6..e5f6c8ab452 100644
--- a/admin/src/main.tsx
+++ b/admin/src/main.tsx
@@ -14,6 +14,7 @@ import {PadPage} from "./pages/PadPage.tsx";
 import {ToastDialog} from "./utils/Toast.tsx";
 import {ShoutPage} from "./pages/ShoutPage.tsx";
 import {UpdatePage} from "./pages/UpdatePage.tsx";
+import {QueryProvider} from './api/QueryProvider.tsx';
 
 const router = createBrowserRouter(createRoutesFromElements(
     <><Route element={<App/>}>
@@ -34,11 +35,13 @@ const router = createBrowserRouter(createRoutesFromElements(
 
 ReactDOM.createRoot(document.getElementById('root')!).render(
   <React.StrictMode>
-      <I18nextProvider i18n={i18n}>
-      <Toast.Provider>
-          <ToastDialog/>
-          <RouterProvider router={router}/>
-      </Toast.Provider>
-      </I18nextProvider>
+      <QueryProvider>
+          <I18nextProvider i18n={i18n}>
+          <Toast.Provider>
+              <ToastDialog/>
+              <RouterProvider router={router}/>
+          </Toast.Provider>
+          </I18nextProvider>
+      </QueryProvider>
   </React.StrictMode>,
 )
diff --git a/admin/tsconfig.json b/admin/tsconfig.json
index a7fc6fbf23d..ae96c41ebf8 100644
--- a/admin/tsconfig.json
+++ b/admin/tsconfig.json
@@ -21,5 +21,6 @@
     "noFallthroughCasesInSwitch": true
   },
   "include": ["src"],
+  "exclude": ["src/**/__tests__/**"],
   "references": [{ "path": "./tsconfig.node.json" }]
 }
diff --git a/docs/superpowers/plans/2026-05-01-issue-7638-admin-typesafe-api.md b/docs/superpowers/plans/2026-05-01-issue-7638-admin-typesafe-api.md
new file mode 100644
index 00000000000..49623f4c6e8
--- /dev/null
+++ b/docs/superpowers/plans/2026-05-01-issue-7638-admin-typesafe-api.md
@@ -0,0 +1,804 @@
+# Issue 7638 — Typesafe Admin API Client + TanStack Query Rails Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Lay down the codegen toolchain, runtime client, and TanStack Query provider for the admin UI. No call-site migrations.
+
+**Architecture:** A small Node script imports the OpenAPI spec builder from `src/node/hooks/express/openapi.ts`, writes the JSON to a temp file, and runs `openapi-typescript` to produce a checked-in `admin/src/api/schema.d.ts`. The runtime exposes a typed `openapi-fetch` client and `openapi-react-query` hooks via `admin/src/api/client.ts`, mounted under a `<QueryProvider>` at the admin root. CI re-runs codegen and fails if the working tree is dirty.
+
+**Tech Stack:** TypeScript, React 19, Vite (rolldown-vite), `openapi-typescript`, `openapi-fetch`, `openapi-react-query`, `@tanstack/react-query`, `@tanstack/react-query-devtools`, `tsx` (devDep, runs the codegen script against TS source).
+
+**Spec:** `docs/superpowers/specs/2026-05-01-issue-7638-admin-typesafe-api-design.md`
+
+**Branch:** `chore/admin-typesafe-api-7638` (already cut off `origin/develop`, design doc committed as `41d2babf4`).
+
+**Working directory for all commands:** `/home/jose/etherpad/etherpad-lite` unless otherwise stated.
+
+---
+
+## File Structure
+
+**Create:**
+- `admin/scripts/gen-api.mjs` — orchestrator script. Invokes `tsx` to run a small TS entry that prints the spec JSON, captures stdout to a temp file, then shells out to `openapi-typescript`.
+- `admin/scripts/dump-spec.ts` — TS entry that imports `generateDefinitionForVersion` from the etherpad source and writes the JSON to stdout.
+- `admin/src/api/schema.d.ts` — generated. Checked in.
+- `admin/src/api/client.ts` — `openapi-fetch` + `openapi-react-query` instances.
+- `admin/src/api/QueryProvider.tsx` — TanStack Query provider, dev-only devtools.
+- `admin/src/api/__tests__/client.test.ts` — module-load smoke test.
+- `admin/README.md` — codegen docs (file does not currently exist).
+
+**Modify:**
+- `src/node/hooks/express/openapi.ts` — add `export { generateDefinitionForVersion }` at the end so external scripts can call the spec builder. Surgical change, no behavior delta.
+- `admin/package.json` — add deps and `gen:api` script; amend `build` to run `gen:api` first.
+- `admin/src/main.tsx` — wrap router subtree in `<QueryProvider>`.
+- `.github/workflows/frontend-admin-tests.yml` — add a freshness-check step before the existing admin build step.
+
+**Conventions to honor:**
+- Per project memory, the PR will go to `johnmclear/etherpad-lite`, not `ether/etherpad-lite`.
+- Commit at the end of each task.
+- Run `pnpm ts-check` and admin's lint at the end before declaring done.
+
+---
+
+## Task 1: Export the spec builder from `openapi.ts`
+
+**Files:**
+- Modify: `src/node/hooks/express/openapi.ts:422` (and end of file)
+
+The script needs to call `generateDefinitionForVersion` from outside the module. It is currently only used within the file. Adding a CommonJS-style export keeps the existing `exports.expressPreSession` style consistent.
+
+- [ ] **Step 1: Read the current export style at the bottom of the file**
+
+Run: `grep -n "^exports\." src/node/hooks/express/openapi.ts`
+Expected output: a line like `578:exports.expressPreSession = async (hookName:string, {app}:any) => {`
+
+- [ ] **Step 2: Add the export**
+
+Append at the end of `src/node/hooks/express/openapi.ts` (after the existing hook export, after line 771):
+
+```ts
+exports.generateDefinitionForVersion = generateDefinitionForVersion;
+exports.APIPathStyle = APIPathStyle;
+```
+
+(Both are needed: the script will call `generateDefinitionForVersion(apiHandler.latestApiVersion, APIPathStyle.FLAT)` and we want a single import surface.)
+
+- [ ] **Step 3: Verify ts-check still passes**
+
+Run: `pnpm ts-check`
+Expected: no new errors. (If pre-existing errors are present, confirm none are in `openapi.ts`.)
+
+- [ ] **Step 4: Commit**
+
+```bash
+git add src/node/hooks/express/openapi.ts
+git commit -m "$(cat <<'EOF'
+feat(api): export generateDefinitionForVersion from openapi hook
+
+Required by the admin codegen script (#7638) to dump the OpenAPI spec
+without booting Express. No behavior change for the request hook.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 2: Add admin dependencies
+
+**Files:**
+- Modify: `admin/package.json`
+
+- [ ] **Step 1: Read the current `admin/package.json`**
+
+Run: `cat admin/package.json`
+Expected: confirm there is a `dependencies` block and a `devDependencies` block.
+
+- [ ] **Step 2: Install runtime deps**
+
+Run:
+```bash
+pnpm --filter admin add @tanstack/react-query @tanstack/react-query-devtools openapi-fetch openapi-react-query
+```
+Expected: deps added under `dependencies`. `pnpm-lock.yaml` updated at repo root.
+
+- [ ] **Step 3: Install dev deps**
+
+Run:
+```bash
+pnpm --filter admin add -D openapi-typescript tsx
+```
+Expected: deps added under `devDependencies`.
+
+- [ ] **Step 4: Sanity check the diff**
+
+Run: `git diff admin/package.json`
+Expected: six new entries (4 deps, 2 devDeps), no other changes.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add admin/package.json pnpm-lock.yaml
+git commit -m "$(cat <<'EOF'
+chore(admin): add OpenAPI codegen + TanStack Query deps (#7638)
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 3: Write the spec-dump entry
+
+**Files:**
+- Create: `admin/scripts/dump-spec.ts`
+
+This file is intentionally tiny. It runs under `tsx` so it can resolve the etherpad-lite TypeScript source directly.
+
+- [ ] **Step 1: Create the file**
+
+```ts
+// admin/scripts/dump-spec.ts
+//
+// Imports the OpenAPI spec builder from the etherpad source and writes the
+// flat-style spec for the latest API version as JSON to stdout. Invoked by
+// admin/scripts/gen-api.mjs via `tsx`.
+
+import path from 'node:path';
+import { pathToFileURL } from 'node:url';
+
+const repoRoot = path.resolve(__dirname, '..', '..');
+
+// `openapi.ts` uses CommonJS-style `exports.*` despite living in an ESM repo,
+// so we go through createRequire to load it cleanly.
+import { createRequire } from 'node:module';
+const require = createRequire(pathToFileURL(path.join(repoRoot, 'src', 'node', 'hooks', 'express', 'openapi.ts')).toString());
+
+const apiHandler = require('../../src/node/handler/APIHandler');
+const { generateDefinitionForVersion, APIPathStyle } =
+  require('../../src/node/hooks/express/openapi') as {
+    generateDefinitionForVersion: (version: string, style?: string) => unknown;
+    APIPathStyle: { FLAT: string; REST: string };
+  };
+
+const spec = generateDefinitionForVersion(apiHandler.latestApiVersion, APIPathStyle.FLAT);
+process.stdout.write(JSON.stringify(spec, null, 2));
+```
+
+- [ ] **Step 2: Smoke-test the entry**
+
+Run:
+```bash
+cd admin && pnpm exec tsx scripts/dump-spec.ts > /tmp/etherpad-spec.json
+echo "exit: $?"
+head -c 200 /tmp/etherpad-spec.json
+```
+Expected: exit 0; the head output starts with `{` and contains `"openapi"` and `"paths"`.
+
+If the script fails because importing `openapi.ts` triggers errors from `Settings`, debug by running `pnpm exec tsx -e "require('../src/node/hooks/express/openapi.ts')"` from `admin/` to isolate. The most likely fix is to set `EP_LOG_DESTINATION=stderr` or similar; do not refactor `Settings` from this PR — note the issue and ask before expanding scope.
+
+- [ ] **Step 3: Commit**
+
+```bash
+git add admin/scripts/dump-spec.ts
+git commit -m "$(cat <<'EOF'
+chore(admin): add OpenAPI spec dump entry (#7638)
+
+Loaded via tsx by gen-api.mjs in the next commit.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 4: Write the codegen orchestrator
+
+**Files:**
+- Create: `admin/scripts/gen-api.mjs`
+
+- [ ] **Step 1: Create the file**
+
+```js
+// admin/scripts/gen-api.mjs
+//
+// Regenerates admin/src/api/schema.d.ts from the live OpenAPI spec exported
+// by src/node/hooks/express/openapi.ts. Run via `pnpm --filter admin gen:api`.
+
+import { spawnSync } from 'node:child_process';
+import { mkdtempSync, rmSync, writeFileSync, readFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+const adminRoot = path.resolve(here, '..');
+const outFile = path.join(adminRoot, 'src', 'api', 'schema.d.ts');
+
+const tmpDir = mkdtempSync(path.join(tmpdir(), 'etherpad-openapi-'));
+const specPath = path.join(tmpDir, 'spec.json');
+
+try {
+  const dump = spawnSync('pnpm', ['exec', 'tsx', 'scripts/dump-spec.ts'], {
+    cwd: adminRoot,
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'inherit'],
+  });
+  if (dump.status !== 0) {
+    console.error(`dump-spec.ts failed with exit code ${dump.status}`);
+    process.exit(dump.status ?? 1);
+  }
+  writeFileSync(specPath, dump.stdout, 'utf8');
+
+  const gen = spawnSync(
+    'pnpm',
+    ['exec', 'openapi-typescript', specPath, '-o', outFile],
+    { cwd: adminRoot, stdio: 'inherit' },
+  );
+  if (gen.status !== 0) {
+    console.error(`openapi-typescript failed with exit code ${gen.status}`);
+    process.exit(gen.status ?? 1);
+  }
+
+  const header =
+    `// GENERATED — do not edit. Run \`pnpm --filter admin gen:api\` to regenerate.\n` +
+    `// Source: src/node/hooks/express/openapi.ts (#7638)\n\n`;
+  const body = readFileSync(outFile, 'utf8');
+  writeFileSync(outFile, header + body, 'utf8');
+
+  console.log(`Wrote ${path.relative(process.cwd(), outFile)}`);
+} finally {
+  rmSync(tmpDir, { recursive: true, force: true });
+}
+```
+
+- [ ] **Step 2: Add the `gen:api` script and amend `build`**
+
+In `admin/package.json`, edit the `scripts` block. Before:
+
+```json
+"scripts": {
+  "dev": "vite",
+  "build": "tsc && vite build",
+  "lint": "eslint . --ext ts,tsx --report-unused-disable-directives --max-warnings 0",
+  "build-copy": "tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
+  "preview": "vite preview"
+}
+```
+
+After:
+
+```json
+"scripts": {
+  "dev": "vite",
+  "gen:api": "node scripts/gen-api.mjs",
+  "build": "pnpm gen:api && tsc && vite build",
+  "lint": "eslint . --ext ts,tsx --report-unused-disable-directives --max-warnings 0",
+  "build-copy": "pnpm gen:api && tsc && vite build --outDir ../src/templates/admin --emptyOutDir",
+  "preview": "vite preview"
+}
+```
+
+- [ ] **Step 3: Run codegen and confirm output**
+
+Run:
+```bash
+mkdir -p admin/src/api
+pnpm --filter admin gen:api
+ls -la admin/src/api/schema.d.ts
+head -10 admin/src/api/schema.d.ts
+```
+Expected:
+- exit 0
+- `schema.d.ts` exists, > 1 KB
+- first two lines are the generated header
+- subsequent lines contain `export interface paths` and entries like `"/api/{version}/createGroup"`
+
+- [ ] **Step 4: Commit script + package.json + generated schema**
+
+```bash
+git add admin/scripts/gen-api.mjs admin/package.json admin/src/api/schema.d.ts
+git commit -m "$(cat <<'EOF'
+chore(admin): wire OpenAPI codegen into build (#7638)
+
+Adds `gen:api` script and amends `build`/`build-copy` to regenerate
+admin/src/api/schema.d.ts before compiling. The generated file is
+checked in so it shows up in PR review and so a fresh checkout doesn't
+need codegen to typecheck.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 5: Runtime client module
+
+**Files:**
+- Create: `admin/src/api/client.ts`
+
+- [ ] **Step 1: Create the file**
+
+```ts
+// admin/src/api/client.ts
+//
+// Typed HTTP client and TanStack Query hooks derived from the generated
+// OpenAPI schema. Regenerate the schema with `pnpm --filter admin gen:api`.
+
+import createClient from 'openapi-fetch';
+import createQueryHooks from 'openapi-react-query';
+import type { paths } from './schema';
+
+export const fetchClient = createClient<paths>({ baseUrl: '/' });
+export const $api = createQueryHooks(fetchClient);
+```
+
+- [ ] **Step 2: Confirm typecheck passes**
+
+Run: `pnpm --filter admin exec tsc --noEmit`
+Expected: no errors. If `paths` is missing from `schema.d.ts`, rerun `pnpm --filter admin gen:api` (it should have produced an `export interface paths` already in Task 4).
+
+- [ ] **Step 3: Commit**
+
+```bash
+git add admin/src/api/client.ts
+git commit -m "$(cat <<'EOF'
+feat(admin): typed openapi-fetch + react-query client (#7638)
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 6: Query provider with dev-only devtools
+
+**Files:**
+- Create: `admin/src/api/QueryProvider.tsx`
+
+- [ ] **Step 1: Create the file**
+
+```tsx
+// admin/src/api/QueryProvider.tsx
+//
+// TanStack Query provider for the admin UI. Devtools are loaded lazily and
+// only in dev builds so they don't ship to production.
+
+import { lazy, Suspense, useState, type ReactNode } from 'react';
+import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+
+const Devtools = import.meta.env.DEV
+  ? lazy(() =>
+      import('@tanstack/react-query-devtools').then((m) => ({
+        default: m.ReactQueryDevtools,
+      })),
+    )
+  : null;
+
+export const QueryProvider = ({ children }: { children: ReactNode }) => {
+  const [client] = useState(
+    () =>
+      new QueryClient({
+        defaultOptions: {
+          queries: {
+            staleTime: 30_000,
+            refetchOnWindowFocus: true,
+          },
+        },
+      }),
+  );
+
+  return (
+    <QueryClientProvider client={client}>
+      {children}
+      {Devtools && (
+        <Suspense fallback={null}>
+          <Devtools initialIsOpen={false} />
+        </Suspense>
+      )}
+    </QueryClientProvider>
+  );
+};
+```
+
+- [ ] **Step 2: Typecheck**
+
+Run: `pnpm --filter admin exec tsc --noEmit`
+Expected: no errors.
+
+- [ ] **Step 3: Commit**
+
+```bash
+git add admin/src/api/QueryProvider.tsx
+git commit -m "$(cat <<'EOF'
+feat(admin): TanStack Query provider, dev-only devtools (#7638)
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 7: Mount the provider at the admin root
+
+**Files:**
+- Modify: `admin/src/main.tsx`
+
+- [ ] **Step 1: Read the file to confirm current shape**
+
+Run: `cat admin/src/main.tsx`
+Expected: matches the structure where `<I18nextProvider>` wraps `<Toast.Provider>` wraps `<RouterProvider>` inside `<React.StrictMode>`.
+
+- [ ] **Step 2: Edit `admin/src/main.tsx`**
+
+Add the import after the existing imports:
+
+```tsx
+import { QueryProvider } from './api/QueryProvider.tsx';
+```
+
+Wrap the existing `<I18nextProvider>...</I18nextProvider>` subtree in `<QueryProvider>`. The render block becomes:
+
+```tsx
+ReactDOM.createRoot(document.getElementById('root')!).render(
+  <React.StrictMode>
+    <QueryProvider>
+      <I18nextProvider i18n={i18n}>
+        <Toast.Provider>
+          <ToastDialog/>
+          <RouterProvider router={router}/>
+        </Toast.Provider>
+      </I18nextProvider>
+    </QueryProvider>
+  </React.StrictMode>,
+)
+```
+
+(Provider order matters only for context lookups; placing `QueryProvider` outside `I18nextProvider` is fine because it does not consume i18n.)
+
+- [ ] **Step 3: Typecheck**
+
+Run: `pnpm --filter admin exec tsc --noEmit`
+Expected: no errors.
+
+- [ ] **Step 4: Build the admin bundle**
+
+Run: `pnpm --filter admin run build`
+Expected: build succeeds. Output indicates one bundle (no extra chunk for devtools in production — confirm by grepping the `dist/` for `query-devtools` strings; should be absent).
+
+```bash
+grep -rn "ReactQueryDevtools" admin/dist/ 2>/dev/null | head
+```
+Expected: no matches (production bundle excludes devtools).
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add admin/src/main.tsx
+git commit -m "$(cat <<'EOF'
+feat(admin): mount TanStack Query provider at root (#7638)
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 8: Smoke test for the client module
+
+**Files:**
+- Create: `admin/src/api/__tests__/client.test.ts`
+
+The admin package does not yet ship a unit test runner. Reuse whatever the rest of admin uses for tests if anything; otherwise, this test runs under `tsx --test` (Node's built-in test runner, no extra deps). Confirm at Step 1.
+
+- [ ] **Step 1: Detect the test runner**
+
+Run:
+```bash
+grep -E '"(test|vitest|jest)"' admin/package.json
+ls admin/vitest.config.* admin/jest.config.* 2>/dev/null
+```
+
+If admin has no runner configured, use Node's built-in `node:test` (which `tsx` supports).
+
+- [ ] **Step 2: Create the test file**
+
+```ts
+// admin/src/api/__tests__/client.test.ts
+//
+// Smoke test that the OpenAPI client module loads and exposes the expected
+// surface. Catches toolchain wiring regressions (missing peer deps,
+// generator output that doesn't export `paths`, etc.).
+
+import { test } from 'node:test';
+import assert from 'node:assert/strict';
+
+test('client module exports fetchClient and $api', async () => {
+  const mod = await import('../client.ts');
+  assert.ok(mod.fetchClient, 'fetchClient export is present');
+  assert.ok(mod.$api, '$api export is present');
+  assert.equal(typeof mod.fetchClient.GET, 'function', 'fetchClient.GET is a function');
+  assert.equal(typeof mod.$api.useQuery, 'function', '$api.useQuery is a function');
+});
+```
+
+- [ ] **Step 3: Add a `test` script to `admin/package.json`** (only if one does not already exist)
+
+If `admin/package.json` has no `"test"` script, add:
+
+```json
+"test": "tsx --test src/api/__tests__/client.test.ts"
+```
+
+If admin already has a test runner (e.g. `vitest`), skip the script addition and instead place the test at the location the existing runner picks up (`*.test.ts` is conventional for both vitest and node:test).
+
+- [ ] **Step 4: Run the test**
+
+Run: `pnpm --filter admin test`
+Expected: 1 test passing.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add admin/src/api/__tests__/client.test.ts admin/package.json
+git commit -m "$(cat <<'EOF'
+test(admin): smoke test for typed openapi-fetch client (#7638)
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 9: CI freshness check
+
+**Files:**
+- Modify: `.github/workflows/frontend-admin-tests.yml`
+
+Add a step before the existing `Build admin frontend` step that runs codegen and fails if the working tree changed.
+
+- [ ] **Step 1: Read the current workflow**
+
+Run: `grep -n "Build admin frontend" .github/workflows/frontend-admin-tests.yml`
+Expected: a single match around the build step that runs `pnpm run build` from `working-directory: admin`.
+
+- [ ] **Step 2: Insert the freshness check**
+
+Insert immediately before the `Build admin frontend` step:
+
+```yaml
+      - name: Verify admin OpenAPI schema is up to date
+        working-directory: admin
+        run: |
+          pnpm gen:api
+          if ! git diff --exit-code src/api/schema.d.ts; then
+            echo ""
+            echo "::error::admin/src/api/schema.d.ts is out of date."
+            echo "Run \`pnpm --filter admin gen:api\` and commit the result."
+            exit 1
+          fi
+```
+
+- [ ] **Step 3: Lint the YAML**
+
+Run: `python3 -c "import yaml,sys; yaml.safe_load(open('.github/workflows/frontend-admin-tests.yml'))" && echo OK`
+Expected: `OK`.
+
+- [ ] **Step 4: Commit**
+
+```bash
+git add .github/workflows/frontend-admin-tests.yml
+git commit -m "$(cat <<'EOF'
+ci(admin): verify generated OpenAPI schema is up to date (#7638)
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 10: Documentation
+
+**Files:**
+- Create: `admin/README.md`
+
+- [ ] **Step 1: Create the file**
+
+```markdown
+# Admin UI
+
+Vite + React 19 single-page app served at `/admin`. Talks to the backend over
+socket.io for the existing settings / plugins / pads pages, and (when
+endpoints are added to the OpenAPI spec) over a typed REST client.
+
+## Scripts
+
+| Script               | What it does                                             |
+| -------------------- | -------------------------------------------------------- |
+| `pnpm dev`           | Vite dev server. Expects an etherpad backend on :9001.   |
+| `pnpm gen:api`       | Regenerates `src/api/schema.d.ts` from the OpenAPI spec. |
+| `pnpm build`         | `gen:api` + `tsc` + `vite build`.                        |
+| `pnpm build-copy`    | Same, but writes into `../src/templates/admin`.          |
+| `pnpm test`          | Smoke tests for the API client wiring.                   |
+| `pnpm lint`          | ESLint.                                                  |
+
+## Typed API client
+
+The admin uses [`openapi-typescript`] to generate types from
+`src/node/hooks/express/openapi.ts`, [`openapi-fetch`] for typed requests, and
+[`openapi-react-query`] for TanStack Query bindings.
+
+[`openapi-typescript`]: https://github.com/openapi-ts/openapi-typescript
+[`openapi-fetch`]: https://github.com/openapi-ts/openapi-typescript/tree/main/packages/openapi-fetch
+[`openapi-react-query`]: https://github.com/openapi-ts/openapi-typescript/tree/main/packages/openapi-react-query
+
+### Regenerating the schema
+
+```sh
+pnpm --filter admin gen:api
+```
+
+This runs `admin/scripts/gen-api.mjs`, which loads
+`src/node/hooks/express/openapi.ts`, calls `generateDefinitionForVersion` for
+the latest API version, pipes the JSON through `openapi-typescript`, and
+writes the result to `admin/src/api/schema.d.ts`. The generated file is
+checked in.
+
+Run `gen:api` after any change to:
+
+- `src/node/hooks/express/openapi.ts`
+- `src/node/handler/APIHandler.ts` (changes to `latestApiVersion`)
+- the resource definitions referenced by `openapi.ts`
+
+### CI freshness check
+
+`.github/workflows/frontend-admin-tests.yml` runs `pnpm gen:api` and fails the
+build if `admin/src/api/schema.d.ts` is out of date. If you see the failure
+locally, run `pnpm --filter admin gen:api` and commit the regenerated file.
+
+### Using the client
+
+```tsx
+import { $api } from './api/client';
+
+const SettingsPanel = () => {
+  const { data } = $api.useQuery('get', '/admin/settings'); // example
+  return <pre>{JSON.stringify(data, null, 2)}</pre>;
+};
+```
+
+The admin endpoints are not yet present in the OpenAPI spec — this client is
+in place to support upcoming work (see issue #7638 follow-up). For now, it is
+exercised only by the smoke test.
+```
+
+- [ ] **Step 2: Commit**
+
+```bash
+git add admin/README.md
+git commit -m "$(cat <<'EOF'
+docs(admin): document OpenAPI codegen workflow (#7638)
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 11: Full verification pass
+
+No new files — this task confirms the work is green end-to-end before pushing.
+
+- [ ] **Step 1: Clean rebuild**
+
+Run:
+```bash
+pnpm --filter admin gen:api
+pnpm --filter admin run build
+```
+Expected: both succeed.
+
+- [ ] **Step 2: Repo-wide typecheck**
+
+Run: `pnpm ts-check`
+Expected: no new errors versus baseline. If there are pre-existing errors, confirm none are in files this PR touched.
+
+- [ ] **Step 3: Admin tests**
+
+Run: `pnpm --filter admin test`
+Expected: 1 test passing.
+
+- [ ] **Step 4: Backend unit tests** (sanity — `openapi.ts` change)
+
+Run: `pnpm test` (or the narrowest available suite covering the API hook; if the full suite is slow, run specs that exercise `openapi.ts` only).
+Expected: green.
+
+- [ ] **Step 5: Confirm devtools absent from production bundle**
+
+Run: `grep -rn "ReactQueryDevtools" admin/dist/ 2>/dev/null`
+Expected: zero matches.
+
+- [ ] **Step 6: Manual smoke**
+
+Per project convention (memory: install plugin/branch for manual test), install this branch on a local etherpad and:
+- Open `/admin/` in a dev build (`pnpm --filter admin dev`). Confirm the React Query devtools panel button appears in the bottom corner.
+- Open `/admin/` in the production-built bundle. Confirm devtools panel is absent.
+- Click through plugins / settings / pads / shout pages and confirm no regression versus pre-PR behavior (existing socket.io flows unchanged).
+
+Document the smoke results in the PR description.
+
+- [ ] **Step 7: Push**
+
+```bash
+git push -u fork chore/admin-typesafe-api-7638
+```
+
+- [ ] **Step 8: Open PR**
+
+```bash
+gh pr create \
+  --repo johnmclear/etherpad-lite \
+  --title "chore(admin): typesafe API client + TanStack Query rails (#7638)" \
+  --body "$(cat <<'EOF'
+## Summary
+
+Lays down the rails for a typesafe, OpenAPI-derived admin API client backed by TanStack Query. Closes #7638.
+
+- Codegen toolchain (`pnpm --filter admin gen:api`) producing `admin/src/api/schema.d.ts` from `src/node/hooks/express/openapi.ts`.
+- Runtime client (`openapi-fetch` + `openapi-react-query`).
+- `<QueryProvider>` mounted at the admin root with dev-only devtools.
+- CI freshness check on the generated schema.
+- `admin/README.md` documenting the workflow.
+
+**No call sites migrated.** Admin endpoints aren't in the OpenAPI spec yet — that gap is filed as a follow-up issue and must land before any migration is useful. #7601 should rebase onto this branch.
+
+**Semver:** patch — build tooling + currently-unused runtime libs, no observable behavior change.
+
+## Test plan
+
+- [x] `pnpm --filter admin gen:api` runs clean
+- [x] `pnpm --filter admin run build` succeeds
+- [x] `pnpm --filter admin test` passes (smoke test)
+- [x] `pnpm ts-check` clean
+- [x] Production bundle does not contain devtools
+- [x] Manual smoke: dev build shows devtools, prod build hides them, existing socket.io pages unaffected
+
+🤖 Generated with [Claude Code](https://claude.com/claude-code)
+EOF
+)"
+```
+
+- [ ] **Step 9: Trigger Qodo review** (per project convention)
+
+```bash
+gh pr comment <PR-number> --repo johnmclear/etherpad-lite --body "/review"
+```
+
+- [ ] **Step 10: File the spec-coverage follow-up issue**
+
+Create a new issue on `ether/etherpad` titled "Document admin endpoints in the OpenAPI spec" and link from the PR body. The issue should note that 7638 rails are unused until admin endpoints are added.
+
+---
+
+## Risk register (carried from spec)
+
+- **`openapi.ts` not cleanly importable.** If `dump-spec.ts` fails to import the module due to side effects (Settings, log4js init), pause and ask before refactoring `Settings`. A common workaround is to set `EP_LOG_DESTINATION=stderr` or set `NODE_ENV=production`. Do not silently expand scope.
+- **Generated schema differs by Node version.** `openapi-typescript` output is deterministic, but if a contributor sees a phantom diff, confirm Node major matches the CI matrix (22/24/25 today; CI uses 24 on PRs).
+- **Bundle size.** ~12 KB gzipped added to the admin bundle even with no call sites. Acceptable; flagged in the PR body for transparency.
+
+## Out of scope (do not pull in)
+
+- Adding admin endpoints to the OpenAPI spec.
+- Migrating any `fetch()` site in `admin/src/`.
+- Backend handler changes.
+- Pad-side frontend changes.
diff --git a/docs/superpowers/plans/2026-05-08-issue-7693-admin-openapi.md b/docs/superpowers/plans/2026-05-08-issue-7693-admin-openapi.md
new file mode 100644
index 00000000000..b1a545b6dc4
--- /dev/null
+++ b/docs/superpowers/plans/2026-05-08-issue-7693-admin-openapi.md
@@ -0,0 +1,1058 @@
+# Issue 7693 — Admin OpenAPI Coverage Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Add OpenAPI 3.0 coverage for `/admin-auth/` and `/admin/update/status` so the typed client generated by PR #7695 includes admin call-sites.
+
+**Architecture:** New hand-authored OpenAPI document `src/node/hooks/express/openapi-admin.ts` (no APIHandler reflection — admin routes aren't APIHandler-driven). Codegen-side merge in `admin/scripts/dump-spec.ts` unions the public and admin docs into one JSON before `openapi-typescript` runs, producing one `admin/src/api/schema.d.ts` covering both surfaces.
+
+**Tech Stack:** TypeScript (server hook), Node ESM (admin scripts), `openapi-schema-validation` (already in repo), Mocha (backend specs), Node `--test` runner (admin script tests).
+
+**Branch:** `feat/7693-admin-openapi`, stacked on `chore/admin-typesafe-api-7638-upstream` (PR #7695). Already created.
+
+**Spec:** `docs/superpowers/specs/2026-05-08-issue-7693-admin-openapi-design.md`
+
+---
+
+## File Structure
+
+| File                                                       | Status   | Responsibility                                                                                       |
+| ---------------------------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------- |
+| `src/node/hooks/express/openapi-admin.ts`                  | Create   | Hand-authored admin OpenAPI document. Exports `generateAdminDefinition()` and an `expressPreSession` hook serving `/admin/openapi.json`. |
+| `src/tests/backend/specs/openapi-admin.ts`                  | Create   | Mocha specs asserting document shape, sub-schema fidelity, and cross-collision against the public spec. |
+| `admin/scripts/merge-openapi.mjs`                          | Create   | Pure-JS deep-merge of two OpenAPI 3.0 documents with collision detection.                           |
+| `admin/scripts/__tests__/merge-openapi.test.mjs`           | Create   | Node `--test` unit specs for `mergeOpenAPI`.                                                        |
+| `admin/scripts/dump-spec.ts`                               | Modify   | Also import `generateAdminDefinition`, merge with the public spec, write the merged JSON.            |
+| `src/ep.json`                                              | Modify   | Register `openapi-admin` as a part with `expressPreSession` hook so `/admin/openapi.json` mounts.    |
+
+---
+
+## Task 1: Stub `openapi-admin.ts` with empty paths
+
+**Files:**
+- Create: `src/node/hooks/express/openapi-admin.ts`
+- Create: `src/tests/backend/specs/openapi-admin.ts`
+
+- [ ] **Step 1: Write the failing test**
+
+Create `src/tests/backend/specs/openapi-admin.ts`:
+
+```ts
+'use strict';
+
+import {strict as assert} from 'assert';
+const validateOpenAPI = require('openapi-schema-validation').validate;
+
+const openapiAdmin = require('../../../node/hooks/express/openapi-admin');
+
+describe('admin OpenAPI document', function () {
+  let doc: any;
+
+  before(function () {
+    doc = openapiAdmin.generateAdminDefinition();
+  });
+
+  it('returns a valid OpenAPI 3.0 document', function () {
+    const {valid, errors} = validateOpenAPI(doc, 3);
+    if (!valid) {
+      throw new Error(
+        `admin OpenAPI doc is invalid: ${JSON.stringify(errors, null, 2)}`,
+      );
+    }
+  });
+
+  it('declares info.title as "Etherpad Admin API"', function () {
+    assert.equal(doc.info.title, 'Etherpad Admin API');
+  });
+
+  it('exposes basicAuth and sessionCookie security schemes', function () {
+    assert.ok(doc.components.securitySchemes.basicAuth);
+    assert.equal(doc.components.securitySchemes.basicAuth.type, 'http');
+    assert.equal(doc.components.securitySchemes.basicAuth.scheme, 'basic');
+    assert.ok(doc.components.securitySchemes.sessionCookie);
+    assert.equal(doc.components.securitySchemes.sessionCookie.type, 'apiKey');
+    assert.equal(doc.components.securitySchemes.sessionCookie.in, 'cookie');
+  });
+});
+```
+
+- [ ] **Step 2: Run test to verify it fails**
+
+Run: `pnpm run test -- --grep "admin OpenAPI document"`
+Expected: FAIL — module `../../../node/hooks/express/openapi-admin` not found.
+
+- [ ] **Step 3: Write minimal implementation**
+
+Create `src/node/hooks/express/openapi-admin.ts`:
+
+```ts
+'use strict';
+
+import {getEpVersion} from '../../utils/Settings';
+
+const OPENAPI_VERSION = '3.0.2';
+
+/**
+ * Build the OpenAPI 3.0 document for Etherpad's admin endpoints.
+ *
+ * Distinct from the public versioned API document built by openapi.ts —
+ * admin routes are plain Express handlers (not APIHandler-driven), so this
+ * spec is hand-authored. The shape is consumed by admin/scripts/dump-spec.ts
+ * for client-side codegen and exposed at GET /admin/openapi.json for
+ * downstream tooling.
+ */
+export const generateAdminDefinition = (): any => ({
+  openapi: OPENAPI_VERSION,
+  info: {
+    title: 'Etherpad Admin API',
+    description:
+      'Authenticated administrative endpoints consumed by the Etherpad admin UI. ' +
+      'Distinct from the public /api/{version}/* surface served by /api/openapi.json.',
+    version: getEpVersion(),
+  },
+  paths: {},
+  components: {
+    schemas: {},
+    securitySchemes: {
+      basicAuth: {
+        type: 'http',
+        scheme: 'basic',
+      },
+      sessionCookie: {
+        type: 'apiKey',
+        in: 'cookie',
+        name: 'express_sid',
+      },
+    },
+  },
+});
+
+exports.generateAdminDefinition = generateAdminDefinition;
+```
+
+- [ ] **Step 4: Run test to verify it passes**
+
+Run: `pnpm run test -- --grep "admin OpenAPI document"`
+Expected: PASS — 3 tests passing.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add src/node/hooks/express/openapi-admin.ts src/tests/backend/specs/openapi-admin.ts
+git commit -m "feat(admin): stub OpenAPI document for admin endpoints (#7693)
+
+Adds generateAdminDefinition() returning a minimal valid OpenAPI 3.0
+document with no paths yet, plus security schemes for the two auth
+modes (Basic + session cookie). Subsequent tasks fill in the actual
+admin paths.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>"
+```
+
+---
+
+## Task 2: Add `POST /admin-auth/` — `verifyAdminAccess`
+
+**Files:**
+- Modify: `src/node/hooks/express/openapi-admin.ts`
+- Modify: `src/tests/backend/specs/openapi-admin.ts`
+
+- [ ] **Step 1: Add failing tests**
+
+Append to `src/tests/backend/specs/openapi-admin.ts` (inside the existing `describe`):
+
+```ts
+  describe('/admin-auth/', function () {
+    it('declares POST with operationId verifyAdminAccess', function () {
+      const op = doc.paths['/admin-auth/']?.post;
+      assert.ok(op, 'POST /admin-auth/ is missing');
+      assert.equal(op.operationId, 'verifyAdminAccess');
+    });
+
+    it('documents responses 200, 401, 403', function () {
+      const responses = doc.paths['/admin-auth/'].post.responses;
+      assert.ok(responses['200'], 'missing 200 response');
+      assert.ok(responses['401'], 'missing 401 response');
+      assert.ok(responses['403'], 'missing 403 response');
+    });
+
+    it('declares security: basicAuth, sessionCookie, anonymous', function () {
+      const security = doc.paths['/admin-auth/'].post.security;
+      assert.ok(Array.isArray(security));
+      // Each entry is an object: empty {} = anonymous OK.
+      const keys = security.map((s: any) => Object.keys(s)[0] ?? '__anon__');
+      assert.deepEqual(keys.sort(), ['__anon__', 'basicAuth', 'sessionCookie'].sort());
+    });
+  });
+```
+
+- [ ] **Step 2: Run tests to verify they fail**
+
+Run: `pnpm run test -- --grep "admin OpenAPI document"`
+Expected: FAIL — three new tests fail because `paths['/admin-auth/']` is undefined.
+
+- [ ] **Step 3: Implement the path**
+
+Edit `src/node/hooks/express/openapi-admin.ts`. Replace `paths: {}` with:
+
+```ts
+  paths: {
+    '/admin-auth/': {
+      post: {
+        operationId: 'verifyAdminAccess',
+        summary: 'Verify or establish an admin session',
+        description:
+          'POST with `Authorization: Basic <user:pass>` to log in as an admin ' +
+          '(server sets a session cookie on success). POST with no auth header ' +
+          'to verify an existing admin session cookie. The response body is ' +
+          'always empty; the status code conveys the outcome.',
+        security: [
+          {basicAuth: []},
+          {sessionCookie: []},
+          {},
+        ],
+        responses: {
+          '200': {description: 'Caller is an authenticated admin.'},
+          '401': {description: 'No authentication presented and no admin session exists.'},
+          '403': {description: 'Authenticated, but the user is not an admin.'},
+        },
+      },
+    },
+  },
+```
+
+- [ ] **Step 4: Run tests to verify they pass**
+
+Run: `pnpm run test -- --grep "admin OpenAPI document"`
+Expected: PASS — all 6 tests passing (3 from Task 1 + 3 new).
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add src/node/hooks/express/openapi-admin.ts src/tests/backend/specs/openapi-admin.ts
+git commit -m "feat(admin): document POST /admin-auth/ in OpenAPI (#7693)
+
+Adds verifyAdminAccess as the operation that the admin UI's LoginScreen
+and App session check both call. Documents Basic auth, session cookie,
+and anonymous request modes plus their 200/401/403 responses.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>"
+```
+
+---
+
+## Task 3: Add `GET /admin/update/status` — `getUpdateStatus`
+
+**Files:**
+- Modify: `src/node/hooks/express/openapi-admin.ts`
+- Modify: `src/tests/backend/specs/openapi-admin.ts`
+
+- [ ] **Step 1: Add failing tests**
+
+Append to `src/tests/backend/specs/openapi-admin.ts` (inside the existing top-level `describe`):
+
+```ts
+  describe('/admin/update/status', function () {
+    it('declares GET with operationId getUpdateStatus', function () {
+      const op = doc.paths['/admin/update/status']?.get;
+      assert.ok(op, 'GET /admin/update/status is missing');
+      assert.equal(op.operationId, 'getUpdateStatus');
+    });
+
+    it('200 response references components.schemas.UpdateStatus', function () {
+      const ok = doc.paths['/admin/update/status'].get.responses['200'];
+      assert.equal(
+        ok.content['application/json'].schema.$ref,
+        '#/components/schemas/UpdateStatus',
+      );
+    });
+
+    it('declares security: sessionCookie OR anonymous', function () {
+      const security = doc.paths['/admin/update/status'].get.security;
+      const keys = security.map((s: any) => Object.keys(s)[0] ?? '__anon__');
+      assert.deepEqual(keys.sort(), ['__anon__', 'sessionCookie'].sort());
+    });
+  });
+
+  describe('UpdateStatus schema', function () {
+    it('declares all properties emitted by the handler', function () {
+      const schema = doc.components.schemas.UpdateStatus;
+      assert.equal(schema.type, 'object');
+      const props = Object.keys(schema.properties).sort();
+      assert.deepEqual(props, [
+        'currentVersion',
+        'installMethod',
+        'lastCheckAt',
+        'latest',
+        'policy',
+        'tier',
+        'vulnerableBelow',
+      ]);
+    });
+
+    it('installMethod enum matches updater/types.ts InstallMethod', function () {
+      const enums = doc.components.schemas.UpdateStatus.properties.installMethod.enum;
+      assert.deepEqual(enums.sort(), ['auto', 'docker', 'git', 'managed', 'npm']);
+    });
+
+    it('tier enum matches updater/types.ts Tier', function () {
+      const enums = doc.components.schemas.UpdateStatus.properties.tier.enum;
+      assert.deepEqual(enums.sort(), ['auto', 'autonomous', 'manual', 'notify', 'off']);
+    });
+
+    it('declares ReleaseInfo, PolicyResult, VulnerableBelowDirective sub-schemas', function () {
+      assert.ok(doc.components.schemas.ReleaseInfo);
+      assert.ok(doc.components.schemas.PolicyResult);
+      assert.ok(doc.components.schemas.VulnerableBelowDirective);
+    });
+
+    it('ReleaseInfo properties mirror updater/types.ts', function () {
+      const props = Object.keys(doc.components.schemas.ReleaseInfo.properties).sort();
+      assert.deepEqual(props, [
+        'body', 'htmlUrl', 'prerelease', 'publishedAt', 'tag', 'version',
+      ]);
+    });
+
+    it('PolicyResult properties mirror updater/types.ts', function () {
+      const props = Object.keys(doc.components.schemas.PolicyResult.properties).sort();
+      assert.deepEqual(props, [
+        'canAuto', 'canAutonomous', 'canManual', 'canNotify', 'reason',
+      ]);
+    });
+
+    it('VulnerableBelowDirective properties mirror updater/types.ts', function () {
+      const props = Object.keys(doc.components.schemas.VulnerableBelowDirective.properties).sort();
+      assert.deepEqual(props, ['announcedBy', 'threshold']);
+    });
+  });
+```
+
+- [ ] **Step 2: Run tests to verify they fail**
+
+Run: `pnpm run test -- --grep "admin OpenAPI document"`
+Expected: FAIL — schema and path entries undefined.
+
+- [ ] **Step 3: Implement the schemas and path**
+
+Edit `src/node/hooks/express/openapi-admin.ts`. Replace the empty `schemas: {}` with:
+
+```ts
+    schemas: {
+      ReleaseInfo: {
+        type: 'object',
+        required: ['version', 'tag', 'body', 'publishedAt', 'prerelease', 'htmlUrl'],
+        properties: {
+          version:     {type: 'string', description: 'Semver string without leading "v".'},
+          tag:         {type: 'string', description: 'Original GitHub tag_name (e.g. "v2.7.2").'},
+          body:        {type: 'string', description: 'Markdown body of the release.'},
+          publishedAt: {type: 'string', format: 'date-time'},
+          prerelease:  {type: 'boolean'},
+          htmlUrl:     {type: 'string', format: 'uri'},
+        },
+      },
+      PolicyResult: {
+        type: 'object',
+        required: ['canNotify', 'canManual', 'canAuto', 'canAutonomous', 'reason'],
+        properties: {
+          canNotify:     {type: 'boolean'},
+          canManual:     {type: 'boolean'},
+          canAuto:       {type: 'boolean'},
+          canAutonomous: {type: 'boolean'},
+          reason:        {type: 'string'},
+        },
+      },
+      VulnerableBelowDirective: {
+        type: 'object',
+        required: ['announcedBy', 'threshold'],
+        properties: {
+          announcedBy: {type: 'string'},
+          threshold:   {type: 'string'},
+        },
+      },
+      UpdateStatus: {
+        type: 'object',
+        required: ['currentVersion', 'installMethod', 'tier', 'vulnerableBelow'],
+        properties: {
+          currentVersion: {type: 'string'},
+          latest: {
+            allOf: [{$ref: '#/components/schemas/ReleaseInfo'}],
+            nullable: true,
+          },
+          lastCheckAt: {type: 'string', format: 'date-time', nullable: true},
+          installMethod: {
+            type: 'string',
+            enum: ['auto', 'git', 'docker', 'npm', 'managed'],
+          },
+          tier: {
+            type: 'string',
+            enum: ['off', 'notify', 'manual', 'auto', 'autonomous'],
+          },
+          policy: {
+            allOf: [{$ref: '#/components/schemas/PolicyResult'}],
+            nullable: true,
+          },
+          vulnerableBelow: {
+            type: 'array',
+            items: {$ref: '#/components/schemas/VulnerableBelowDirective'},
+          },
+        },
+      },
+    },
+```
+
+Then add the new path entry alongside `/admin-auth/`:
+
+```ts
+    '/admin/update/status': {
+      get: {
+        operationId: 'getUpdateStatus',
+        summary: 'Fetch updater status for the admin UI banner and update page',
+        description:
+          'Returns the cached update state (current version, latest known release, ' +
+          'install method, tier, policy verdict, and vulnerability directives). ' +
+          'Open by default; gated to authenticated admin sessions when ' +
+          'updates.requireAdminForStatus=true in settings.',
+        security: [
+          {sessionCookie: []},
+          {},
+        ],
+        responses: {
+          '200': {
+            description: 'Update status payload.',
+            content: {
+              'application/json': {
+                schema: {$ref: '#/components/schemas/UpdateStatus'},
+              },
+            },
+          },
+          '401': {
+            description: 'requireAdminForStatus is set and no admin session exists.',
+          },
+          '403': {
+            description: 'requireAdminForStatus is set and the session user is not an admin.',
+          },
+        },
+      },
+    },
+```
+
+- [ ] **Step 4: Run tests to verify they pass**
+
+Run: `pnpm run test -- --grep "admin OpenAPI document"`
+Expected: PASS — all tests passing.
+
+- [ ] **Step 5: Cross-check schema parity with handler**
+
+Run: `grep -A20 "res.json({" src/node/hooks/express/updateStatus.ts`
+
+Confirm every key in the handler's response object appears in the
+`UpdateStatus.properties` declared above. (The test from Step 1 already
+asserts this, but the manual eyeball is cheap insurance against typos.)
+
+- [ ] **Step 6: Commit**
+
+```bash
+git add src/node/hooks/express/openapi-admin.ts src/tests/backend/specs/openapi-admin.ts
+git commit -m "feat(admin): document GET /admin/update/status in OpenAPI (#7693)
+
+Adds getUpdateStatus operation plus UpdateStatus, ReleaseInfo,
+PolicyResult, and VulnerableBelowDirective sub-schemas. Property names
+and enums mirror src/node/updater/types.ts and the response object
+emitted by updateStatus.ts. Tier 2 (#7607) will amend UpdateStatus when
+it ships execution/lastResult/lockHeld.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>"
+```
+
+---
+
+## Task 4: Cross-collision regression test against the public spec
+
+**Files:**
+- Modify: `src/tests/backend/specs/openapi-admin.ts`
+
+- [ ] **Step 1: Add failing test**
+
+Append to the top-level `describe` in `src/tests/backend/specs/openapi-admin.ts`:
+
+```ts
+  describe('cross-collision with public spec', function () {
+    it('admin paths and operationIds do not collide with the latest public spec', function () {
+      const apiHandler = require('../../../node/handler/APIHandler');
+      const openapi = require('../../../node/hooks/express/openapi');
+      const publicDoc = openapi.generateDefinitionForVersion(
+        apiHandler.latestApiVersion,
+        openapi.APIPathStyle.FLAT,
+      );
+
+      const adminPaths = Object.keys(doc.paths);
+      const publicPaths = Object.keys(publicDoc.paths);
+      const pathCollisions = adminPaths.filter((p) => publicPaths.includes(p));
+      assert.deepEqual(pathCollisions, [], `path collisions: ${pathCollisions.join(', ')}`);
+
+      const collectOpIds = (d: any): string[] => {
+        const ids: string[] = [];
+        for (const item of Object.values(d.paths) as any[]) {
+          for (const op of Object.values(item) as any[]) {
+            if (op && typeof op.operationId === 'string') ids.push(op.operationId);
+          }
+        }
+        return ids;
+      };
+      const adminIds = collectOpIds(doc);
+      const publicIds = collectOpIds(publicDoc);
+      const idCollisions = adminIds.filter((id) => publicIds.includes(id));
+      assert.deepEqual(idCollisions, [], `operationId collisions: ${idCollisions.join(', ')}`);
+    });
+
+    it('schema names do not collide with the latest public spec', function () {
+      const apiHandler = require('../../../node/handler/APIHandler');
+      const openapi = require('../../../node/hooks/express/openapi');
+      const publicDoc = openapi.generateDefinitionForVersion(
+        apiHandler.latestApiVersion,
+        openapi.APIPathStyle.FLAT,
+      );
+
+      const adminSchemas = Object.keys(doc.components.schemas);
+      const publicSchemas = Object.keys(publicDoc.components.schemas || {});
+      const collisions = adminSchemas.filter((n) => publicSchemas.includes(n));
+      assert.deepEqual(collisions, [], `schema name collisions: ${collisions.join(', ')}`);
+    });
+  });
+```
+
+- [ ] **Step 2: Run tests**
+
+Run: `pnpm run test -- --grep "admin OpenAPI document"`
+Expected: PASS — current admin paths (`/admin-auth/`, `/admin/update/status`)
+and schemas (`UpdateStatus`, `ReleaseInfo`, `PolicyResult`,
+`VulnerableBelowDirective`) do not collide with public spec entries.
+
+If a collision IS detected (e.g. someone renames a public schema to
+`PolicyResult` later), this test fails loudly before codegen breaks.
+
+- [ ] **Step 3: Commit**
+
+```bash
+git add src/tests/backend/specs/openapi-admin.ts
+git commit -m "test(admin): regression net for admin/public OpenAPI collisions (#7693)
+
+Cross-checks admin paths, operationIds, and schema names against the
+latest public spec. Today there are no overlaps; the test exists to
+catch future renames before they break the merged client codegen.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>"
+```
+
+---
+
+## Task 5: Mount `/admin/openapi.json` via `expressPreSession` hook
+
+**Files:**
+- Modify: `src/node/hooks/express/openapi-admin.ts`
+- Modify: `src/ep.json`
+- Modify: `src/tests/backend/specs/openapi-admin.ts`
+
+- [ ] **Step 1: Add failing live-route test**
+
+Append to `src/tests/backend/specs/openapi-admin.ts`:
+
+```ts
+  describe('GET /admin/openapi.json', function () {
+    let agent: any;
+    before(async function () {
+      const common = require('../../common');
+      agent = await common.init();
+    });
+
+    it('serves the admin OpenAPI document as JSON', async function () {
+      const res = await agent.get('/admin/openapi.json').expect(200);
+      assert.match(res.headers['content-type'] || '', /application\/json/);
+      assert.equal(res.body.openapi, '3.0.2');
+      assert.equal(res.body.info.title, 'Etherpad Admin API');
+      assert.ok(res.body.paths['/admin-auth/']);
+    });
+
+    it('sets a permissive CORS header (matches /api/openapi.json)', async function () {
+      const res = await agent.get('/admin/openapi.json').expect(200);
+      assert.equal(res.headers['access-control-allow-origin'], '*');
+    });
+  });
+```
+
+- [ ] **Step 2: Run tests to verify they fail**
+
+Run: `pnpm run test -- --grep "GET /admin/openapi.json"`
+Expected: FAIL — 404 (route not registered).
+
+- [ ] **Step 3: Add the express hook**
+
+Append to `src/node/hooks/express/openapi-admin.ts`:
+
+```ts
+import {ArgsExpressType} from '../../types/ArgsExpressType';
+
+export const expressPreSession = async (
+  _hookName: string,
+  {app}: ArgsExpressType,
+): Promise<void> => {
+  app.get('/admin/openapi.json', (_req: any, res: any) => {
+    res.header('Access-Control-Allow-Origin', '*');
+    res.json(generateAdminDefinition());
+  });
+};
+
+exports.expressPreSession = expressPreSession;
+```
+
+The route registers in `expressPreSession`, which runs before
+`expressCreateServer` (where `admin.ts` registers the SPA wildcard
+`/admin/{*filename}`). Earlier registration wins — see the same pattern
+in `openapi.ts`.
+
+- [ ] **Step 4: Register the part in ep.json**
+
+Edit `src/ep.json`. Find the existing `openapi` part:
+
+```json
+{
+  "name": "openapi",
+  "hooks": {
+    "expressPreSession": "ep_etherpad-lite/node/hooks/express/openapi"
+  }
+}
+```
+
+Add a new entry directly after it:
+
+```json
+{
+  "name": "openapi-admin",
+  "hooks": {
+    "expressPreSession": "ep_etherpad-lite/node/hooks/express/openapi-admin"
+  }
+}
+```
+
+- [ ] **Step 5: Run tests to verify they pass**
+
+Run: `pnpm run test -- --grep "GET /admin/openapi.json"`
+Expected: PASS.
+
+- [ ] **Step 6: Verify no regression in the existing admin SPA route**
+
+Run: `pnpm run test -- --grep "admin"`
+Expected: PASS — every admin-related backend test still passes.
+
+The wildcard at `admin.ts:24` (`/admin/{*filename}`) registers in
+`expressCreateServer`, which fires after `expressPreSession`, so our
+`/admin/openapi.json` resolves first. If this test fails because the SPA
+wildcard is hit, the bug is hook-order — verify by adding a logger to
+both hooks.
+
+- [ ] **Step 7: Commit**
+
+```bash
+git add src/node/hooks/express/openapi-admin.ts src/ep.json src/tests/backend/specs/openapi-admin.ts
+git commit -m "feat(admin): expose admin OpenAPI doc at /admin/openapi.json (#7693)
+
+Mounts the admin OpenAPI document at /admin/openapi.json (CORS: *) via an
+expressPreSession hook, matching the /api/openapi.json convention. The
+admin SPA wildcard at /admin/{*filename} registers later in
+expressCreateServer, so the JSON route wins.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>"
+```
+
+---
+
+## Task 6: Implement `merge-openapi.mjs`
+
+**Files:**
+- Create: `admin/scripts/merge-openapi.mjs`
+- Create: `admin/scripts/__tests__/merge-openapi.test.mjs`
+
+- [ ] **Step 1: Write failing tests**
+
+Create `admin/scripts/__tests__/merge-openapi.test.mjs`:
+
+```js
+import {test} from 'node:test';
+import {strict as assert} from 'node:assert';
+import {mergeOpenAPI} from '../merge-openapi.mjs';
+
+const minimal = (overrides = {}) => ({
+  openapi: '3.0.2',
+  info: {title: 'X', version: '0.0.0'},
+  paths: {},
+  components: {schemas: {}, securitySchemes: {}},
+  ...overrides,
+});
+
+test('unions paths from both docs', () => {
+  const pub = minimal({paths: {'/createGroup': {post: {operationId: 'createGroup'}}}});
+  const adm = minimal({paths: {'/admin-auth/': {post: {operationId: 'verifyAdminAccess'}}}});
+  const out = mergeOpenAPI(pub, adm);
+  assert.deepEqual(Object.keys(out.paths).sort(), ['/admin-auth/', '/createGroup']);
+});
+
+test('throws on path collision', () => {
+  const pub = minimal({paths: {'/x': {get: {}}}});
+  const adm = minimal({paths: {'/x': {post: {}}}});
+  assert.throws(() => mergeOpenAPI(pub, adm), /path collision/i);
+});
+
+test('unions components.schemas', () => {
+  const pub = minimal({components: {schemas: {A: {}}, securitySchemes: {}}});
+  const adm = minimal({components: {schemas: {B: {}}, securitySchemes: {}}});
+  const out = mergeOpenAPI(pub, adm);
+  assert.deepEqual(Object.keys(out.components.schemas).sort(), ['A', 'B']);
+});
+
+test('throws on schema name collision', () => {
+  const pub = minimal({components: {schemas: {Dup: {}}, securitySchemes: {}}});
+  const adm = minimal({components: {schemas: {Dup: {}}, securitySchemes: {}}});
+  assert.throws(() => mergeOpenAPI(pub, adm), /schema collision/i);
+});
+
+test('unions securitySchemes', () => {
+  const pub = minimal({components: {schemas: {}, securitySchemes: {apiKey: {}}}});
+  const adm = minimal({components: {schemas: {}, securitySchemes: {basicAuth: {}}}});
+  const out = mergeOpenAPI(pub, adm);
+  assert.deepEqual(
+    Object.keys(out.components.securitySchemes).sort(),
+    ['apiKey', 'basicAuth'],
+  );
+});
+
+test('preserves public root security; admin per-operation security survives', () => {
+  const pub = minimal({security: [{apiKey: []}]});
+  const adm = minimal({
+    paths: {
+      '/admin-auth/': {
+        post: {
+          security: [{basicAuth: []}, {}],
+        },
+      },
+    },
+  });
+  const out = mergeOpenAPI(pub, adm);
+  assert.deepEqual(out.security, [{apiKey: []}]);
+  assert.deepEqual(
+    out.paths['/admin-auth/'].post.security,
+    [{basicAuth: []}, {}],
+  );
+});
+
+test('public info wins on conflict', () => {
+  const pub = minimal({info: {title: 'Public', version: '1.0'}});
+  const adm = minimal({info: {title: 'Admin', version: '2.0'}});
+  const out = mergeOpenAPI(pub, adm);
+  assert.equal(out.info.title, 'Public');
+  assert.equal(out.info.version, '1.0');
+});
+```
+
+- [ ] **Step 2: Run tests to verify they fail**
+
+Run: `cd admin && pnpm exec node --test scripts/__tests__/merge-openapi.test.mjs`
+Expected: FAIL — module not found.
+
+- [ ] **Step 3: Implement the merge function**
+
+Create `admin/scripts/merge-openapi.mjs`:
+
+```js
+// admin/scripts/merge-openapi.mjs
+//
+// Deep-merges the public-API OpenAPI document with the admin OpenAPI
+// document into a single document for openapi-typescript to consume.
+//
+// Rules:
+//   - paths: union by key; collision throws
+//   - components.{schemas,parameters,responses,securitySchemes}: union by name; collision throws
+//   - root info, servers, security: public wins (admin's are ignored at the root)
+//   - per-operation security on admin paths is preserved untouched
+
+const unionMap = (label, a = {}, b = {}) => {
+  const out = {...a};
+  for (const [k, v] of Object.entries(b)) {
+    if (k in out) {
+      throw new Error(`${label} collision on key "${k}"`);
+    }
+    out[k] = v;
+  }
+  return out;
+};
+
+export const mergeOpenAPI = (publicDoc, adminDoc) => {
+  if (!publicDoc || !adminDoc) {
+    throw new Error('mergeOpenAPI requires both publicDoc and adminDoc');
+  }
+  return {
+    openapi: publicDoc.openapi || adminDoc.openapi,
+    info: publicDoc.info,
+    ...(publicDoc.servers ? {servers: publicDoc.servers} : {}),
+    ...(publicDoc.security ? {security: publicDoc.security} : {}),
+    paths: unionMap('path collision', publicDoc.paths, adminDoc.paths),
+    components: {
+      schemas: unionMap(
+        'schema collision',
+        publicDoc.components?.schemas,
+        adminDoc.components?.schemas,
+      ),
+      parameters: unionMap(
+        'parameter collision',
+        publicDoc.components?.parameters,
+        adminDoc.components?.parameters,
+      ),
+      responses: unionMap(
+        'response collision',
+        publicDoc.components?.responses,
+        adminDoc.components?.responses,
+      ),
+      securitySchemes: unionMap(
+        'securityScheme collision',
+        publicDoc.components?.securitySchemes,
+        adminDoc.components?.securitySchemes,
+      ),
+    },
+  };
+};
+```
+
+- [ ] **Step 4: Run tests to verify they pass**
+
+Run: `cd admin && pnpm exec node --test scripts/__tests__/merge-openapi.test.mjs`
+Expected: PASS — 7 tests passing.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add admin/scripts/merge-openapi.mjs admin/scripts/__tests__/merge-openapi.test.mjs
+git commit -m "feat(admin): mergeOpenAPI helper for codegen pipeline (#7693)
+
+Pure-JS deep-merge of two OpenAPI 3.0 documents. Unions paths and
+components by key; throws on collisions. Public document's info,
+servers, and root security win over the admin document's. Used by
+dump-spec.ts to produce a single merged JSON for openapi-typescript.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>"
+```
+
+---
+
+## Task 7: Wire `merge-openapi` into `dump-spec.ts`
+
+**Files:**
+- Modify: `admin/scripts/dump-spec.ts`
+
+- [ ] **Step 1: Read the current file**
+
+Run: `cat admin/scripts/dump-spec.ts`
+
+Confirm it currently imports only `openapi.ts`'s `generateDefinitionForVersion`.
+
+- [ ] **Step 2: Modify the script**
+
+Replace `admin/scripts/dump-spec.ts` with:
+
+```ts
+// admin/scripts/dump-spec.ts
+//
+// Imports the public + admin OpenAPI spec builders from the etherpad
+// source, merges them into one document, and writes JSON to argv[2].
+// Invoked by admin/scripts/gen-api.mjs via `tsx`.
+//
+// Why a file argument instead of stdout: importing openapi*.ts triggers
+// Settings init, which configures log4js to write INFO/WARN lines to
+// stdout. Capturing stdout would mix logs with JSON.
+
+import {writeFileSync} from 'node:fs';
+import path from 'node:path';
+import {fileURLToPath, pathToFileURL} from 'node:url';
+import {mergeOpenAPI} from './merge-openapi.mjs';
+
+const outFile = process.argv[2];
+if (!outFile) {
+  process.stderr.write('Usage: tsx scripts/dump-spec.ts <output-path>\n');
+  process.exit(2);
+}
+
+const here = path.dirname(fileURLToPath(import.meta.url));
+const repoRoot = path.resolve(here, '..', '..');
+
+const apiHandlerPath = path.join(repoRoot, 'src', 'node', 'handler', 'APIHandler.ts');
+const openapiPath = path.join(repoRoot, 'src', 'node', 'hooks', 'express', 'openapi.ts');
+const openapiAdminPath = path.join(
+  repoRoot, 'src', 'node', 'hooks', 'express', 'openapi-admin.ts',
+);
+
+type ApiHandlerModule = {latestApiVersion: string};
+type OpenApiModule = {
+  generateDefinitionForVersion: (version: string, style?: string) => unknown;
+  APIPathStyle: {FLAT: string; REST: string};
+};
+type OpenApiAdminModule = {
+  generateAdminDefinition: () => unknown;
+};
+
+const apiHandlerMod = await import(pathToFileURL(apiHandlerPath).href);
+const openapiMod = await import(pathToFileURL(openapiPath).href);
+const openapiAdminMod = await import(pathToFileURL(openapiAdminPath).href);
+
+const apiHandler = (apiHandlerMod.default ?? apiHandlerMod) as ApiHandlerModule;
+const openapi = (openapiMod.default ?? openapiMod) as OpenApiModule;
+const openapiAdmin = (openapiAdminMod.default ?? openapiAdminMod) as OpenApiAdminModule;
+
+const publicSpec = openapi.generateDefinitionForVersion(
+  apiHandler.latestApiVersion,
+  openapi.APIPathStyle.FLAT,
+);
+const adminSpec = openapiAdmin.generateAdminDefinition();
+
+const merged = mergeOpenAPI(publicSpec, adminSpec);
+
+writeFileSync(path.resolve(outFile), JSON.stringify(merged, null, 2), 'utf8');
+```
+
+- [ ] **Step 3: Regenerate the typed client**
+
+Run: `pnpm --filter admin gen:api`
+Expected: stdout reports `Wrote admin/src/api/schema.d.ts` and `Wrote admin/src/api/version.ts`. No errors.
+
+- [ ] **Step 4: Verify schema.d.ts contains admin paths**
+
+Run: `grep -E '"/admin-auth/"|"/admin/update/status"' admin/src/api/schema.d.ts | head`
+Expected: both path strings appear at least once each.
+
+- [ ] **Step 5: Run admin client tests**
+
+Run: `pnpm --filter admin test`
+Expected: existing client tests still pass (`pnpm gen:api` chains in front).
+
+- [ ] **Step 6: Run TypeScript build**
+
+Run: `pnpm --filter admin build`
+Expected: `tsc` and vite build complete with no errors. This proves the
+generated types are syntactically valid and admin source still compiles
+(no call-site changes are made — the existing fetch() sites compile
+exactly as before; the new types are simply available for future use).
+
+- [ ] **Step 7: Commit**
+
+```bash
+git add admin/scripts/dump-spec.ts
+git commit -m "feat(admin): include admin OpenAPI in generated client (#7693)
+
+Modifies dump-spec.ts to import generateAdminDefinition alongside the
+public generator and feed both through mergeOpenAPI before writing the
+JSON consumed by openapi-typescript. The resulting admin/src/api/
+schema.d.ts paths interface now exposes /admin-auth/ and
+/admin/update/status, ready for typed call-site adoption in a follow-up.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>"
+```
+
+---
+
+## Task 8: Full backend test suite + ts-check
+
+**Files:** none
+
+- [ ] **Step 1: Run backend tests**
+
+Run: `pnpm run test 2>&1 | tail -30`
+Expected: All Mocha specs pass. If anything unrelated fails, the failure
+is preexisting on the base branch — capture the output and confirm via
+`git stash && pnpm run test` against the unmodified base before
+declaring victory.
+
+- [ ] **Step 2: Run TypeScript check**
+
+Run: `pnpm run ts-check 2>&1 | tail -20`
+Expected: 0 errors.
+
+- [ ] **Step 3: Run admin merge tests**
+
+Run: `cd admin && pnpm exec node --test scripts/__tests__/merge-openapi.test.mjs`
+Expected: PASS — 7 tests.
+
+- [ ] **Step 4: Smoke the route in a live server**
+
+Start the dev server in one terminal: `pnpm run dev`
+In another: `curl -s http://localhost:9001/admin/openapi.json | jq '.info.title, (.paths | keys | length)'`
+Expected output:
+```
+"Etherpad Admin API"
+2
+```
+
+- [ ] **Step 5: Confirm no broken admin SPA**
+
+In a browser, open `http://localhost:9001/admin/`. Expected: admin
+LoginScreen renders (the wildcard `/admin/{*filename}` still serves the
+SPA). The `/admin/openapi.json` route did not break the wildcard
+because the JSON route is registered earlier in the hook chain.
+
+- [ ] **Step 6: No commit; this task is verification-only.**
+
+---
+
+## Task 9: Open the PR
+
+**Files:** none
+
+- [ ] **Step 1: Push the branch**
+
+```bash
+git push -u fork feat/7693-admin-openapi
+```
+
+- [ ] **Step 2: Open the draft PR against the PR #7695 branch**
+
+```bash
+gh pr create \
+  --repo ether/etherpad \
+  --base chore/admin-typesafe-api-7638-upstream \
+  --head JohnMcLear:feat/7693-admin-openapi \
+  --draft \
+  --title "feat(admin): document admin endpoints in OpenAPI (#7693)" \
+  --body "$(cat <<'EOF'
+## Summary
+
+- Adds hand-authored `openapi-admin.ts` covering `POST /admin-auth/` (verifyAdminAccess) and `GET /admin/update/status` (getUpdateStatus).
+- Merges admin spec into the codegen pipeline so `admin/src/api/schema.d.ts` exposes the admin paths.
+- Mounts `/admin/openapi.json` (CORS: *) for downstream tooling.
+- No call-site migrations — explicit follow-up named in #7693.
+
+Stacks on #7695. Will be re-targeted at `develop` and rebased once #7695 merges.
+
+Closes #7693.
+
+## Test plan
+
+- [ ] `pnpm run test` — admin OpenAPI Mocha specs pass, full suite green.
+- [ ] `pnpm run ts-check` — 0 errors.
+- [ ] `cd admin && pnpm exec node --test scripts/__tests__/merge-openapi.test.mjs` — 7 unit tests pass.
+- [ ] `pnpm --filter admin build` — tsc + vite build clean.
+- [ ] `curl /admin/openapi.json` returns the expected JSON in a live dev server.
+- [ ] Admin SPA at `/admin/` still loads; the wildcard route is not broken.
+
+🤖 Generated with [Claude Code](https://claude.com/claude-code)
+EOF
+)"
+```
+
+- [ ] **Step 3: Echo the PR URL**
+
+The `gh pr create` command prints the URL. Capture and surface it to the user.
+
+---
+
+## Self-Review Notes
+
+- Spec coverage: each spec section maps to a task — Task 1 covers info+security schemes, Task 2 `/admin-auth/`, Task 3 `/admin/update/status` + sub-schemas, Task 4 collision regression, Task 5 the runtime route, Task 6+7 the codegen merge, Task 8 verification, Task 9 ships.
+- Placeholder scan: every code block is concrete; no "TBD" or "etc.".
+- Type consistency: `generateAdminDefinition` is named identically across Task 1 (creation), Task 5 (used inside the hook), Task 7 (imported by `dump-spec.ts`), and Task 8 (used by tests). Same for `mergeOpenAPI`. Schema names (`UpdateStatus`, `ReleaseInfo`, `PolicyResult`, `VulnerableBelowDirective`) are consistent across Task 3 (creation) and Task 4 (collision check).
+- Out-of-scope drift: the plan does NOT modify any existing fetch() call site, does NOT add `execution`/`lastResult`/`lockHeld` (those are Tier 2's job), and does NOT touch the public openapi.ts.
diff --git a/docs/superpowers/specs/2026-05-01-issue-7638-admin-typesafe-api-design.md b/docs/superpowers/specs/2026-05-01-issue-7638-admin-typesafe-api-design.md
new file mode 100644
index 00000000000..35a0fa1a538
--- /dev/null
+++ b/docs/superpowers/specs/2026-05-01-issue-7638-admin-typesafe-api-design.md
@@ -0,0 +1,198 @@
+# Issue 7638 — Typesafe Admin API Client + TanStack Query Rails
+
+**Status:** design approved 2026-05-01
+**Issue:** https://github.com/ether/etherpad/issues/7638
+**Related:** #7601 (introduces new admin REST sites that will adopt these rails)
+
+## Goal
+
+Lay down the toolchain and runtime rails for a typesafe, OpenAPI-derived admin
+API client backed by TanStack Query. Do not migrate any existing call sites.
+
+## Why rails-only
+
+The issue's framing ("migrate every `useEffect`+`fetch` site") overstates what is
+actually present in `admin/src/` today.
+
+- The only REST `fetch()` sites are `App.tsx` and `LoginScreen.tsx` (both POST to
+  `/admin-auth/`) and `i18n.ts` (locale loading).
+- All admin pages with real data flow (Settings, Plugins, Pads, Shout) run over
+  socket.io + zustand, not REST.
+- The OpenAPI spec produced by `src/node/hooks/express/openapi.ts` only covers
+  the public Etherpad HTTP API under `/api/{version}/*`. It documents zero admin
+  endpoints — no `/admin-auth/`, no future `/admin/*` REST endpoints from #7601.
+
+So the generated client has nothing in `admin/src/` to type today. The value of
+landing this PR now is to get the rails in place so #7601 (and any subsequent
+admin REST work) can adopt them on day one.
+
+A separate issue will be filed to add admin endpoint coverage to the OpenAPI
+spec; until that lands, no migrations are useful.
+
+## Out of scope
+
+- Admin endpoint coverage in the OpenAPI spec (separate issue).
+- Migrating any existing `fetch()` call site.
+- Backend changes.
+- Pad-side frontend.
+
+## Toolchain
+
+| Package                          | Type           | Purpose                                  |
+| -------------------------------- | -------------- | ---------------------------------------- |
+| `openapi-typescript`             | devDependency  | Generates `.d.ts` from the OpenAPI spec  |
+| `openapi-fetch`                  | dependency     | Typed `fetch` wrapper                    |
+| `openapi-react-query`            | dependency     | TanStack Query bindings over the client  |
+| `@tanstack/react-query`          | dependency     | Query runtime                            |
+| `@tanstack/react-query-devtools` | dependency     | Dev-only devtools panel                  |
+
+All added to `admin/package.json`. No version pinning beyond standard caret
+ranges; pick the latest stable at implementation time.
+
+## Codegen (option 3, hybrid)
+
+One checked-in artifact, CI-enforced freshness.
+
+### Script: `admin/scripts/gen-api.mjs`
+
+1. Imports the spec-building entry point from
+   `src/node/hooks/express/openapi.ts` (or a thin wrapper module that calls
+   the spec builder without booting Express). Writes the resulting spec JSON
+   to a temp file in `os.tmpdir()`.
+2. Shells out:
+   `openapi-typescript <tmp> -o admin/src/api/schema.d.ts`.
+3. Prepends a generated header comment to the output:
+   `// GENERATED — do not edit. Run \`pnpm gen:api\` to regenerate.`
+4. Removes the temp file.
+
+If `openapi.ts` cannot be loaded as an ES module without side effects (e.g.
+because it imports settings or boots an Express app at import time), the
+implementation must extract the pure spec-builder into a dedicated module so
+the script can call it cleanly. That refactor is in scope; the touch should be
+minimal.
+
+### Wiring
+
+- `admin/package.json`:
+  - `"scripts": { "gen:api": "node scripts/gen-api.mjs", ... }`.
+  - `"build"` is amended to run `gen:api` before `tsc && vite build` so a
+    fresh checkout builds without manual steps.
+- Root `package.json`: existing admin build entry point invokes the same
+  script (or relies on `admin/package.json`'s amended `build`).
+
+### Generated output
+
+- Path: `admin/src/api/schema.d.ts`.
+- Checked in.
+- First line: generated-header comment.
+
+### CI freshness check
+
+A CI job (folded into the existing admin lint workflow if practical, otherwise
+a new step) runs:
+
+```bash
+pnpm --filter admin gen:api
+git diff --exit-code admin/src/api/schema.d.ts
+```
+
+If the diff is non-empty, CI fails with a message instructing the contributor
+to run `pnpm --filter admin gen:api` and commit the result.
+
+## Runtime client
+
+### `admin/src/api/client.ts`
+
+```ts
+import createClient from "openapi-fetch";
+import createQueryHooks from "openapi-react-query";
+import type { paths } from "./schema";
+
+export const fetchClient = createClient<paths>({ baseUrl: "/" });
+export const $api = createQueryHooks(fetchClient);
+```
+
+### `admin/src/api/QueryProvider.tsx`
+
+- Wraps children in `QueryClientProvider`.
+- Single shared `QueryClient` constructed once (module-level or `useState`
+  initializer), with defaults:
+  - `staleTime: 30_000`
+  - `refetchOnWindowFocus: true`
+  - Other defaults left at library defaults.
+- Mounts `ReactQueryDevtools` only when `import.meta.env.DEV` is true. Use a
+  dynamic `import()` so devtools do not ship in the production bundle.
+
+### `admin/src/main.tsx`
+
+Wrap `<App />` in `<QueryProvider>`. No other changes.
+
+## Documentation
+
+`admin/README.md` (create or extend) documents:
+
+- How to regenerate: `pnpm --filter admin gen:api`.
+- When to regenerate: after any change to `src/node/hooks/express/openapi.ts`
+  or anything that affects the spec it builds.
+- What gets regenerated: `admin/src/api/schema.d.ts` only.
+- The CI freshness check and how to recover from a failing check.
+- A short "how to use the client" snippet showing
+  `$api.useQuery("get", "/some/path")` once admin endpoints are in the spec.
+
+## Tests
+
+- **Module-load smoke test** (`admin/src/api/__tests__/client.test.ts` or
+  similar, matching whatever test infra `admin/` already uses): imports
+  `$api` and `fetchClient`, asserts both are defined. This catches toolchain
+  wiring breakage (missing peer deps, bad export shape, etc.).
+- **CI freshness check** (above) is the test for spec/schema sync.
+- **Manual smoke after PR install:** install the branch on the local
+  Etherpad, open `/admin`, confirm:
+  - Existing socket.io flows (settings, plugins, pads) still work — no
+    regressions from the `<QueryProvider>` wrap.
+  - React Query devtools panel appears in a dev build (`pnpm --filter admin
+    dev`) and is absent from a production build.
+
+Note: per project convention, the user expects automated tests before manual
+verification, but the manual smoke is unavoidable here because devtools
+visibility and provider wrap are runtime concerns. The smoke check is a
+secondary safety net, not the primary test strategy.
+
+## Branch / PR plan
+
+- Fork: `johnmclear/etherpad-lite` (per project convention; never commit
+  directly to `ether/etherpad-lite`).
+- Branch: `chore/admin-typesafe-api-7638`.
+- Base: latest `main` of the fork, after syncing from `ether/etherpad-lite`.
+- PR title: `chore(admin): typesafe API client + TanStack Query rails`.
+- PR body declares semver: **patch** (build tooling + unused runtime libs;
+  no observable behavior change).
+- PR body links #7638 and notes:
+  - Rails-only — no call site migrations.
+  - Separate spec-coverage issue to follow.
+  - #7601 should rebase onto this branch once merged.
+
+## Risks
+
+- **`openapi.ts` not cleanly importable.** If pulling the spec builder out
+  requires touching production paths, that risk needs a small refactor PR
+  first. Mitigation: keep the extraction surgical; if it grows, split into
+  its own PR and rebase 7638 on top.
+- **Bundle size.** TanStack Query + react-query bindings add ~12 KB gzipped
+  to the admin bundle even with no call sites using it. Acceptable for an
+  internal admin UI; flag in PR body for transparency.
+- **Provider wrap regressions.** `<QueryProvider>` wrapping `<App />` should
+  be inert for socket.io paths but the manual smoke confirms.
+
+## Definition of done
+
+- `pnpm --filter admin gen:api` runs cleanly on a fresh checkout.
+- `pnpm --filter admin build` succeeds.
+- `admin/src/api/schema.d.ts` is checked in with the generated header.
+- `<QueryProvider>` wraps `<App />`; devtools visible in dev, absent in
+  production build.
+- CI freshness check is wired and passing.
+- `admin/README.md` documents the codegen workflow.
+- Manual smoke confirms no regression in existing socket.io-driven pages.
+- PR opened against `johnmclear/etherpad-lite`, semver labelled patch,
+  Qodo `/review` triggered after push.
diff --git a/docs/superpowers/specs/2026-05-08-issue-7693-admin-openapi-design.md b/docs/superpowers/specs/2026-05-08-issue-7693-admin-openapi-design.md
new file mode 100644
index 00000000000..547aa478035
--- /dev/null
+++ b/docs/superpowers/specs/2026-05-08-issue-7693-admin-openapi-design.md
@@ -0,0 +1,304 @@
+# Issue 7693 — Document admin endpoints in the OpenAPI spec
+
+**Status:** design approved 2026-05-08
+**Issue:** https://github.com/ether/etherpad/issues/7693
+**Stacks on:** PR #7695 (`chore/admin-typesafe-api-7638-upstream`) — codegen rails
+**Related:** #7601 (introduced `/admin/update/status`); #7607 (Tier 2 update endpoints, in-flight)
+
+## Goal
+
+Add OpenAPI definitions for the admin endpoints currently consumed by the admin
+UI so the typed client generated by PR #7695 (`admin/src/api/schema.d.ts`)
+gains admin call-sites the day it lands.
+
+This PR adds the schema only. **No call-sites migrate** — that is the explicit
+follow-up named in #7693.
+
+## Scope
+
+In:
+
+- `POST /admin-auth/` — login + session check (consumed by `LoginScreen.tsx`
+  and `App.tsx`).
+- `GET  /admin/update/status` — Tier 1 update banner data (consumed by
+  `UpdateBanner.tsx` and `UpdatePage.tsx`; introduced by #7601, merged on
+  develop).
+
+Out:
+
+- `/admin/update/{apply,cancel,acknowledge,log}` — Tier 2 endpoints from the
+  in-flight `feat/7607-auto-update-tier2-manual-click` branch. That PR amends
+  `openapi-admin.ts` when it lands.
+- The admin SPA static-file route (`/admin/{*filename}`) — not an API.
+- `/admin/socket.io/*` — websocket; out of OpenAPI scope.
+- `/api/version-status` — already public, belongs in the public spec, not the
+  admin spec.
+- Migrating any of the four admin `fetch()` call-sites to `$api`.
+
+## Architecture
+
+### File layout (new files marked NEW)
+
+```
+src/node/hooks/express/
+├── openapi.ts            unchanged — APIHandler-driven public spec
+└── openapi-admin.ts      NEW — hand-authored OpenAPI 3.0 doc for admin routes
+
+src/tests/backend/specs/
+└── openapi-admin.ts      NEW — Mocha specs asserting document shape
+
+admin/scripts/
+├── dump-spec.ts          MODIFIED — also import generateAdminDefinition,
+│                         deep-merge into one document, write merged JSON
+├── merge-openapi.mjs     NEW — focused deep-merge with collision detection
+├── __tests__/
+│   └── merge-openapi.test.mjs  NEW — node --test unit specs for the merge
+└── gen-api.mjs           unchanged — still calls dump-spec.ts then
+                          openapi-typescript on the resulting JSON
+```
+
+`openapi-admin.ts` is a **static OpenAPI document** (no APIHandler reflection).
+Hand-authored because admin routes aren't registered through APIHandler — they
+are plain Express handlers. This keeps `openapi.ts`'s 771-line generator
+untouched and avoids tangling two different generation strategies in one
+module.
+
+### Why merge in `dump-spec.ts` rather than at `openapi-typescript` time
+
+`openapi-typescript` only accepts one input. We could run it twice and emit
+two `.d.ts` files, but the chosen design (see "Codegen merge" below) is a
+single merged `schema.d.ts`. The merge therefore happens at JSON-dump time,
+before `openapi-typescript` runs.
+
+### Two clients, one schema
+
+The merged schema covers two surfaces with different baseUrls (public API
+under `/api/<version>/`, admin endpoints at root). A single runtime client
+with one `baseUrl` cannot target both correctly. `admin/src/api/client.ts`
+therefore narrows the generated `paths` interface by URL prefix and exports
+two clients:
+
+```ts
+type AdminPath = Extract<keyof paths, `/admin${string}`>;
+type PublicPath = Exclude<keyof paths, AdminPath>;
+export const fetchClient      = createClient<Pick<paths, PublicPath>>({ baseUrl: API_BASE_URL });
+export const adminFetchClient = createClient<Pick<paths, AdminPath>>({  baseUrl: '/' });
+export const $api      = createQueryHooks(fetchClient);
+export const $adminApi = createQueryHooks(adminFetchClient);
+```
+
+Narrowing at the type level means TypeScript rejects calling an admin path
+on `fetchClient` (or vice versa) at compile time — the runtime baseUrl
+mismatch is unrepresentable.
+
+## OpenAPI document contents
+
+### Info & security schemes
+
+```yaml
+openapi: 3.0.2
+info:
+  title: Etherpad Admin API
+  version: <getEpVersion()>
+  description: |
+    Authenticated administrative endpoints consumed by the Etherpad admin UI.
+    Distinct from the public /api/{version}/* surface served by openapi.json.
+
+components:
+  securitySchemes:
+    basicAuth:
+      type: http
+      scheme: basic
+    sessionCookie:
+      type: apiKey
+      in: cookie
+      name: express_sid
+```
+
+`basicAuth` covers the login POST to `/admin-auth/`. `sessionCookie` covers
+post-login admin sessions established by `express-session` (cookie name
+`express_sid` is the Etherpad default; if a deployment overrides it the spec
+remains structurally correct — only the documented cookie name shifts).
+
+The two schemes coexist on `/admin-auth/`; only `sessionCookie` applies on
+`/admin/update/status`.
+
+### Paths
+
+#### `POST /admin-auth/` — `verifyAdminAccess`
+
+- **Security:** `[{ basicAuth: [] }, { sessionCookie: [] }, {}]` — Basic *or*
+  session cookie *or* none. The empty object documents that the server
+  accepts the request without auth and replies `401`.
+- **Responses:**
+  - `200` — admin verified (Basic logged in, or session cookie was valid for
+    an admin user). Empty body.
+  - `401` — no auth presented and no session. Empty body.
+  - `403` — auth presented or session present, but the user is not an admin.
+    Empty body.
+- **Description:** notes that POST with `Authorization: Basic …` establishes
+  an admin session; POST with no auth header verifies an existing one.
+
+This single-operation modeling matches reality: the route is one
+middleware-terminated path that branches on what the client sends. Two
+operations on the same path would imply different server behavior the
+admin UI does not actually depend on.
+
+#### `GET /admin/update/status` — `getUpdateStatus`
+
+- **Security:** `[{ sessionCookie: [] }, {}]` — cookie when
+  `updates.requireAdminForStatus=true`, otherwise anonymous OK. The
+  conditional is documented in the description; clients that depend on
+  receiving the full diagnostic payload should send the session cookie.
+- **Responses:**
+  - `200` — JSON body matching the `UpdateStatus` schema below.
+  - `401` / `403` — only emitted when `updates.requireAdminForStatus=true`.
+
+Response schema `UpdateStatus` mirrors the runtime shape returned by
+`src/node/hooks/express/updateStatus.ts:res.json({...})` on the base branch
+(`chore/admin-typesafe-api-7638-upstream`, which mirrors develop's Tier 1):
+
+```yaml
+UpdateStatus:
+  type: object
+  required: [currentVersion, installMethod, tier, vulnerableBelow]
+  properties:
+    currentVersion:   { type: string }
+    latest:           { $ref: '#/components/schemas/ReleaseInfo', nullable: true }
+    lastCheckAt:      { type: string, format: date-time, nullable: true }
+    installMethod:    { type: string, enum: [auto, git, docker, npm, managed] }
+    tier:             { type: string, enum: [off, notify, manual, auto, autonomous] }
+    policy:           { $ref: '#/components/schemas/PolicyResult', nullable: true }
+    vulnerableBelow:
+      type: array
+      items: { $ref: '#/components/schemas/VulnerableBelowDirective' }
+```
+
+Sub-schemas (`ReleaseInfo`, `PolicyResult`, `VulnerableBelowDirective`)
+mirror the exported interfaces in `src/node/updater/types.ts` exactly:
+
+- `ReleaseInfo`: `version`, `tag`, `body`, `publishedAt`, `prerelease`, `htmlUrl`.
+- `PolicyResult`: `canNotify`, `canManual`, `canAuto`, `canAutonomous`, `reason`.
+- `VulnerableBelowDirective`: `announcedBy`, `threshold`.
+
+The Tier 2 PR (#7607) will amend `UpdateStatus` to add `execution`,
+`lastResult`, and `lockHeld` (with their corresponding sub-schemas) when it
+ships its own changes to `updateStatus.ts`. Those fields are out of scope
+here.
+
+### Public exposure (runtime)
+
+`openapi-admin.ts` exports an `expressPreSession` hook that **conditionally**
+mounts:
+
+```
+GET /admin/openapi.json   (CORS: *)
+```
+
+The route is gated by `settings.adminOpenAPI.enabled`, **default `false`**,
+per the project's "new features behind a flag, off by default" policy
+(CONTRIBUTING.md, AGENTS.MD, best_practices.md). When the flag is off,
+`expressPreSession` returns early and the route is dormant.
+
+When enabled, the route registers in `expressPreSession`, which runs before
+`expressCreateServer` (where `admin.ts` registers the SPA wildcard
+`/admin/{*filename}`). The earlier registration ensures
+`/admin/openapi.json` resolves before the wildcard catches it.
+
+Codegen does not depend on this route — `dump-spec.ts` calls
+`generateAdminDefinition()` in-process. The route exists for downstream
+tooling (Postman, swagger-ui, third-party clients) that operators choose to
+expose.
+
+## Codegen merge
+
+`merge-openapi.mjs` exports one function:
+
+```js
+mergeOpenAPI(publicDoc, adminDoc) -> mergedDoc
+```
+
+Rules:
+
+| Section                        | Rule                                                              |
+| ------------------------------ | ----------------------------------------------------------------- |
+| `paths`                        | Union by path key. Collision throws.                              |
+| `components.schemas`           | Union by name. Collision throws.                                  |
+| `components.parameters`        | Union by name. Collision throws.                                  |
+| `components.responses`         | Union by name. Collision throws.                                  |
+| `components.securitySchemes`   | Union by name. Collision throws.                                  |
+| `security` (root)              | Public spec's root `security` is preserved; admin paths declare their own per-operation security so admin requirements never apply to public paths. |
+| `info`, `servers`              | Public spec wins.                                                 |
+
+Throwing on collision is intentional: silent overwrite is a footgun, and the
+backend test below catches collisions before merge runs in CI.
+
+## Tests
+
+### Backend — `src/tests/backend/specs/openapi-admin.ts`
+
+Mocha specs against `generateAdminDefinition()`. No live HTTP.
+
+- Document is valid OpenAPI 3.0 (smoke check via `openapi-schema-validation`,
+  already in `node_modules`).
+- `paths['/admin-auth/'].post.operationId === 'verifyAdminAccess'` and
+  declares responses `200`, `401`, `403`.
+- `paths['/admin/update/status'].get.operationId === 'getUpdateStatus'` and
+  references `#/components/schemas/UpdateStatus`.
+- `components.securitySchemes` contains `basicAuth` and `sessionCookie`.
+- `components.schemas.UpdateStatus.properties` contains every property name
+  emitted by `updateStatus.ts:res.json({...})`. Cross-checked by importing
+  the same handler and asserting key parity. This is the regression net for
+  spec/handler drift.
+- Admin operationIds and admin path keys do not collide with the public
+  spec (cross-loaded via `generateDefinitionForVersion`). Cross-collision
+  is impossible today (admin paths start with `/admin`, public paths are
+  flat or `/createGroup`-style), but the test fails loudly if a future
+  rename breaks the assumption.
+
+### Codegen merge — `admin/scripts/__tests__/merge-openapi.test.mjs`
+
+Node `--test` runner (already used by #7695 for `client.test.ts`).
+
+- Two minimal docs merge into the expected union.
+- Path collision throws.
+- Schema-name collision throws.
+- Public root `security` is preserved when admin doc declares no root
+  security.
+- Per-operation security on admin paths survives the merge unchanged.
+
+### No frontend tests this PR
+
+No call-sites migrate, so there is nothing UI-observable to assert.
+Migration PRs add Playwright coverage when they touch each fetch.
+
+## Risks & mitigations
+
+| Risk                                                                         | Mitigation                                                                                                                            |
+| ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------- |
+| `UpdateStatus` schema drifts from `updateStatus.ts` over time                | Backend spec cross-checks property names against the handler. Tier 2 PR amends both spec and handler in one change.                   |
+| Tier 2 (#7607) rebase conflicts with the new `openapi-admin.ts`              | This PR adds only `/admin/update/status`. Tier 2 appends new entries — no conflict on the existing one.                               |
+| `merge-openapi.mjs` silently overwrites a duplicate                          | Throws on collision. Backend spec cross-checks against the public spec.                                                               |
+| `/admin/openapi.json` collides with `/admin/{*filename}` SPA wildcard        | `openapi-admin.ts` registers in `expressPreSession`; `admin.ts` registers in `expressCreateServer`. Earlier hook wins. Backend smoke test confirms 200 + JSON content-type. |
+| #7695 changes shape before it merges, breaking our base                      | This PR is stacked on #7695's branch. Rebase when #7695 rebases. PR description documents the dependency.                             |
+| `express_sid` is not the actual cookie name in some deployments              | Documented; spec is structurally correct; deployments that override it can still consume a typed client.                              |
+
+## Rollout
+
+1. Branch `feat/7693-admin-openapi` from `chore/admin-typesafe-api-7638-upstream`.
+2. Add `openapi-admin.ts`, `merge-openapi.mjs`; modify `dump-spec.ts`.
+3. Add backend spec and merge unit tests.
+4. Open PR #7693 as **draft**, base set to `chore/admin-typesafe-api-7638-upstream`.
+5. When PR #7695 merges to develop, change base to `develop`, rebase, mark
+   ready for review.
+6. Follow-up PR (separately tracked) migrates the four admin `fetch()`
+   sites: `LoginScreen.tsx`, `App.tsx`, `UpdateBanner.tsx`, `UpdatePage.tsx`.
+
+## Open question deferred to implementation
+
+The `express_sid` cookie name is the documented default but Etherpad
+deployments can override it via settings. Implementation will read the
+configured name at spec-generation time (or document the override path) so
+the spec reflects the running configuration. If reading the configured name
+is awkward at codegen time (it requires booting Settings), the spec keeps
+the default and notes the override in the description.
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 661fd42d5eb..d8dff4f8f77 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -46,6 +46,18 @@ importers:
       '@radix-ui/react-switch':
         specifier: ^1.2.6
         version: 1.2.6(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.6(react@19.2.6))(react@19.2.6)
+      '@tanstack/react-query':
+        specifier: ^5.100.9
+        version: 5.100.9(react@19.2.6)
+      '@tanstack/react-query-devtools':
+        specifier: ^5.100.9
+        version: 5.100.9(@tanstack/react-query@5.100.9(react@19.2.6))(react@19.2.6)
+      openapi-fetch:
+        specifier: ^0.17.0
+        version: 0.17.0
+      openapi-react-query:
+        specifier: ^0.5.4
+        version: 0.5.4(@tanstack/react-query@5.100.9(react@19.2.6))(openapi-fetch@0.17.0)
     devDependencies:
       '@radix-ui/react-dialog':
         specifier: ^1.1.15
@@ -89,6 +101,9 @@ importers:
       lucide-react:
         specifier: ^1.14.0
         version: 1.14.0(react@19.2.6)
+      openapi-typescript:
+        specifier: ^7.13.0
+        version: 7.13.0(typescript@6.0.3)
       react:
         specifier: ^19.2.6
         version: 19.2.6
@@ -107,6 +122,9 @@ importers:
       socket.io-client:
         specifier: ^4.8.3
         version: 4.8.3
+      tsx:
+        specifier: ^4.21.0
+        version: 4.21.0
       typescript:
         specifier: ^6.0.3
         version: 6.0.3
@@ -159,7 +177,7 @@ importers:
         version: 0.129.0
       vitepress:
         specifier: ^2.0.0-alpha.17
-        version: 2.0.0-alpha.17(@types/node@25.6.2)(esbuild@0.28.0)(jwt-decode@4.0.0)(oxc-minify@0.129.0)(postcss@8.5.14)(tsx@4.21.0)(typescript@6.0.3)
+        version: 2.0.0-alpha.17(@types/node@25.6.2)(change-case@5.4.4)(esbuild@0.28.0)(jwt-decode@4.0.0)(oxc-minify@0.129.0)(postcss@8.5.14)(tsx@4.21.0)(typescript@6.0.3)
 
   src:
     dependencies:
@@ -1674,6 +1692,16 @@ packages:
     peerDependencies:
       '@redis/client': ^5.12.1
 
+  '@redocly/ajv@8.11.2':
+    resolution: {integrity: sha512-io1JpnwtIcvojV7QKDUSIuMN/ikdOUd1ReEnUnMKGfDVridQZ31J0MmIuqwuRjWDZfmvr+Q0MqCcfHM2gTivOg==}
+
+  '@redocly/config@0.22.0':
+    resolution: {integrity: sha512-gAy93Ddo01Z3bHuVdPWfCwzgfaYgMdaZPcfL7JZ7hWJoK9V0lXDbigTWkhiPFAaLWzbOJ+kbUQG1+XwIm0KRGQ==}
+
+  '@redocly/openapi-core@1.34.14':
+    resolution: {integrity: sha512-y+xFx+Zz54Xhr8jUdnLENYnt7Y7GEDL6Q03ga7rTtX8DVwefX9H+hQEPgJp1nda7vdH+wJ9/HBVvyfBuW9x6rA==}
+    engines: {node: '>=18.17.0', npm: '>=9.5.0'}
+
   '@rolldown/binding-android-arm64@1.0.0-rc.18':
     resolution: {integrity: sha512-lIDyUAfD7U3+BWKzdxMbJcsYHuqXqmGz40aeRqvuAm3y5TkJSYTBW2RDrn65DJFPQqVjUAUqq5uz8urzQ8aBdQ==}
     engines: {node: ^20.19.0 || >=22.12.0}
@@ -1839,6 +1867,23 @@ packages:
   '@swc/helpers@0.5.21':
     resolution: {integrity: sha512-jI/VAmtdjB/RnI8GTnokyX7Ug8c+g+ffD6QRLa6XQewtnGyukKkKSk3wLTM3b5cjt1jNh9x0jfVlagdN2gDKQg==}
 
+  '@tanstack/query-core@5.100.9':
+    resolution: {integrity: sha512-SJSFw1S8+kQ0+knv/XGfrbocWoAlT7vDKsSImtLx3ZPQmEcR46hkDjLSvynSy25N8Ms4tIEini1FuBd5k7IscQ==}
+
+  '@tanstack/query-devtools@5.100.9':
+    resolution: {integrity: sha512-gqiptrTIhbK2PuCaPRHmWXfJG1NGYVFpAr0HqogEqiSBNB5xDz6fmesQt7w4WgMOqOQPnPHJ3ZDMuhDaXvNO8g==}
+
+  '@tanstack/react-query-devtools@5.100.9':
+    resolution: {integrity: sha512-mM3slaVGXJmz+pOLgXdANj75ikgQCyudyl3kmFvm6brI1JyVeY/+IeD17uDHIvZrD8hfoO2sdZ54RFsHdYAuhA==}
+    peerDependencies:
+      '@tanstack/react-query': ^5.100.9
+      react: ^18 || ^19
+
+  '@tanstack/react-query@5.100.9':
+    resolution: {integrity: sha512-Oa44XkaI3kCNN6ME0KByU3xT3SEUNOMfZpHxL6+wFoTm+OeUFYHKdeYVe0aOXlRDm/f15sgLwEt2HDorIdW8+A==}
+    peerDependencies:
+      react: ^18 || ^19
+
   '@tediousjs/connection-string@1.1.0':
     resolution: {integrity: sha512-z9ZBWEG+8pIB5V1zYzlRPXx0oRJ5H7coPnMQK8EZOw03UTPI9Umn6viL36f5w+CuqkKsnCM50RVStpjZmR0Bng==}
 
@@ -2483,6 +2528,10 @@ packages:
   ajv@8.18.0:
     resolution: {integrity: sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==}
 
+  ansi-colors@4.1.3:
+    resolution: {integrity: sha512-/6w/C21Pm1A7aZitlI5Ni/2J6FFQN8i1Cvz3kHABAAbw93v/NlvKdVOqz7CCWz/3iv/JplRSEEZ83XION15ovw==}
+    engines: {node: '>=6'}
+
   ansi-regex@5.0.1:
     resolution: {integrity: sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==}
     engines: {node: '>=8'}
@@ -2725,6 +2774,9 @@ packages:
     resolution: {integrity: sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==}
     engines: {node: '>=10'}
 
+  change-case@5.4.4:
+    resolution: {integrity: sha512-HRQyTk2/YPEkt9TnUPbOpr64Uw3KOicFWPVBb+xiHvd6eBx/qPr9xqfBFDT8P2vWsvvz4jbEkfDe71W3VyNu2w==}
+
   character-entities-html4@2.1.0:
     resolution: {integrity: sha512-1v7fgQRj6hnSwFpq1Eu0ynr/CDEw0rXo2B61qXrLNdHZmPKgb7fqS1a2JwF0rISo9q77jDI8VMEHoApn8qDoZA==}
 
@@ -2765,6 +2817,9 @@ packages:
   color-name@1.1.4:
     resolution: {integrity: sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==}
 
+  colorette@1.4.0:
+    resolution: {integrity: sha512-Y2oEozpomLn7Q3HFP7dpww7AtMJplbM9lGZP6RDfHqmbeRjiwRg4n6VM6j4KLmRke85uWEI7JqF17f3pqdRA0g==}
+
   combined-stream@1.0.8:
     resolution: {integrity: sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==}
     engines: {node: '>= 0.8'}
@@ -3597,9 +3652,6 @@ packages:
     resolution: {integrity: sha512-w9UMqWwJxHNOvoNzSJ2oPF5wvYcvP7jUvYzhp67yEhTi17ZDBBC1z9pTdGuzjD+EFIqLSYRweZjqfiPzQ06Ebg==}
     engines: {node: '>= 0.4'}
 
-  get-tsconfig@4.13.0:
-    resolution: {integrity: sha512-1VKTZJCwBrvbd+Wn3AOgQP/2Av+TfTCOlE4AcRJE72W1ksZXbAx8PPBR9RzgTeSPzlPMHrbANMH3LbltH73wxQ==}
-
   get-tsconfig@4.14.0:
     resolution: {integrity: sha512-yTb+8DXzDREzgvYmh6s9vHsSVCHeC0G3PI5bEXNBHtmshPnO+S5O7qgLEOn0I5QvMy6kpZN8K1NKGyilLb93wA==}
 
@@ -3814,6 +3866,10 @@ packages:
     resolution: {integrity: sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==}
     engines: {node: '>=0.8.19'}
 
+  index-to-position@1.2.0:
+    resolution: {integrity: sha512-Yg7+ztRkqslMAS2iFaU+Oa4KTSidr63OsFGlOrJoW981kIYO3CGCS3wA95P1mUi/IVSJkn0D479KTJpVpvFNuw==}
+    engines: {node: '>=18'}
+
   individual@3.0.0:
     resolution: {integrity: sha512-rUY5vtT748NMRbEMrTNiFfy29BgGZwGXUi2NFUVMWQrogSLzlJvQV9eeMWi+g1aVaQ53tpyLAQtd5x/JH0Nh1g==}
 
@@ -4007,6 +4063,10 @@ packages:
     resolution: {integrity: sha512-cEiJEAEoIbWfCZYKWhVwFuvPX1gETRYPw6LlaTKoxD3s2AkXzkCjnp6h0V77ozyqj0jakteJ4YqDJT830+lVGw==}
     engines: {node: '>=14'}
 
+  js-levenshtein@1.1.6:
+    resolution: {integrity: sha512-X2BB11YZtrRqY4EnQcLX5Rh373zbK4alC1FW7D7MBhL2gtcC17cTnr6DmfHZeS0s2rTHjUTMMHfG7gO8SSdw+g==}
+    engines: {node: '>=0.10.0'}
+
   js-md4@0.3.2:
     resolution: {integrity: sha512-/GDnfQYsltsjRswQhN9fhv3EMw2sCpUdrdxyWDOUK7eyD++r3gRhzgiQgc/x4MAv2i1iuQ4lxO5mvqM3vj4bwA==}
 
@@ -4376,6 +4436,10 @@ packages:
   minimatch@3.1.5:
     resolution: {integrity: sha512-VgjWUsnnT6n+NUk6eZq77zeFdpW2LWDzP6zFGrCbHXiYNul5Dzqk2HHQ5uFH2DNW5Xbp8+jVzaeNt94ssEEl4w==}
 
+  minimatch@5.1.9:
+    resolution: {integrity: sha512-7o1wEA2RyMP7Iu7GNba9vc0RWWGACJOCZBJX2GJWip0ikV+wcOsgVuY9uE8CPiyQhkGFSlhuSkZPavN7u1c2Fw==}
+    engines: {node: '>=10'}
+
   minimatch@9.0.9:
     resolution: {integrity: sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg==}
     engines: {node: '>=16 || 14 >=14.17'}
@@ -4603,6 +4667,15 @@ packages:
     resolution: {integrity: sha512-1tfLpC+7CajKv08vuFOLm4t8rJvJyqKuyau5IIIrGg3YuQYhmP7JqDL6p6WnbDCusmh3krCrKXoHB6hLF/iHcQ==}
     engines: {node: '>=20.0.0'}
 
+  openapi-fetch@0.17.0:
+    resolution: {integrity: sha512-PsbZR1wAPcG91eEthKhN+Zn92FMHxv+/faECIwjXdxfTODGSGegYv0sc1Olz+HYPvKOuoXfp+0pA2XVt2cI0Ig==}
+
+  openapi-react-query@0.5.4:
+    resolution: {integrity: sha512-V9lRiozjHot19/BYSgXYoyznDxDJQhEBSdi26+SJ0UqjMANLQhkni4XG+Z7e3Ag7X46ZLMrL9VxYkghU3QvbWg==}
+    peerDependencies:
+      '@tanstack/react-query': ^5.80.0
+      openapi-fetch: ^0.17.0
+
   openapi-schema-validation@0.4.2:
     resolution: {integrity: sha512-K8LqLpkUf2S04p2Nphq9L+3bGFh/kJypxIG2NVGKX0ffzT4NQI9HirhiY6Iurfej9lCu7y4Ndm4tv+lm86Ck7w==}
 
@@ -4612,6 +4685,15 @@ packages:
   openapi-types@12.1.3:
     resolution: {integrity: sha512-N4YtSYJqghVu4iek2ZUvcN/0aqH1kRDuNqzcycDxhOUpg7GdvLa2F3DgS6yBNhInhv2r/6I0Flkn7CqL8+nIcw==}
 
+  openapi-typescript-helpers@0.1.0:
+    resolution: {integrity: sha512-OKTGPthhivLw/fHz6c3OPtg72vi86qaMlqbJuVJ23qOvQ+53uw1n7HdmkJFibloF7QEjDrDkzJiOJuockM/ljw==}
+
+  openapi-typescript@7.13.0:
+    resolution: {integrity: sha512-EFP392gcqXS7ntPvbhBzbF8TyBA+baIYEm791Hy5YkjDYKTnk/Tn5OQeKm5BIZvJihpp8Zzr4hzx0Irde1LNGQ==}
+    hasBin: true
+    peerDependencies:
+      typescript: ^5.x
+
   option@0.2.4:
     resolution: {integrity: sha512-pkEqbDyl8ou5cpq+VsnQbe/WlEy5qS7xPzMS1U55OCG9KPvwFD46zDbxQIj3egJSFc3D+XhYOPUzz49zQAVy7A==}
 
@@ -4655,6 +4737,10 @@ packages:
   pako@1.0.11:
     resolution: {integrity: sha512-4hLB8Py4zZce5s4yd9XzopqwVv/yGNhV1Bl8NTmCq1763HeK2+EwVTv+leGeL13Dnh2wfbqowVPXCIO0z4taYw==}
 
+  parse-json@8.3.0:
+    resolution: {integrity: sha512-ybiGyvspI+fAoRQbIPRddCcSTV9/LsJbf0e/S85VLowVGzRmokfneg2kwVW/KU5rOXrPSbF1qAKPMgNTqqROQQ==}
+    engines: {node: '>=18'}
+
   parse5@7.3.0:
     resolution: {integrity: sha512-IInvU7fabl34qmi9gY8XOVxhYyMyuH2xUNpb2q8/Y+7552KlejkRvqvD19nMoUW/uQGGbqNpA6Tufu5FL5BZgw==}
 
@@ -4755,6 +4841,10 @@ packages:
     engines: {node: '>=18'}
     hasBin: true
 
+  pluralize@8.0.0:
+    resolution: {integrity: sha512-Nc3IT5yHzflTfbjgqWcCPpo7DaKy4FnpB0l/zCAW0Tc7jxAiuqSxHasntB3D7887LSrA93kDJ9IXovxJYxyLCA==}
+    engines: {node: '>=4'}
+
   png-js@1.1.0:
     resolution: {integrity: sha512-PM/uYGzGdNSzqeOgly68+6wKQDL1SY0a/N+OEa/+br6LnHWOAJB0Npiamnodfq3jd2LS/i2fMeOKSAILjA+m5Q==}
 
@@ -5374,6 +5464,10 @@ packages:
     resolution: {integrity: sha512-oK8WG9diS3DlhdUkcFn4tkNIiIbBx9lI2ClF8K+b2/m8Eyv47LSawxUzZQSNKUrVb2KsqeTDCcjAAVPYaSLVTA==}
     engines: {node: '>=14.18.0'}
 
+  supports-color@10.2.2:
+    resolution: {integrity: sha512-SS+jx45GF1QjgEXQx4NJZV9ImqmO2NPz5FNsIHrsDjh2YsHnawpan7SNQ1o8NuhrbHZy9AZhIoCUiCeaW/C80g==}
+    engines: {node: '>=18'}
+
   supports-color@7.2.0:
     resolution: {integrity: sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==}
     engines: {node: '>=8'}
@@ -5538,6 +5632,10 @@ packages:
     resolution: {integrity: sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==}
     engines: {node: '>=10'}
 
+  type-fest@4.41.0:
+    resolution: {integrity: sha512-TeTSQ6H5YHvpqVwBRcnLDCBnDOHWYu7IvGbHT6N8AOymcr9PJGjc1GTtiWZTYg0NCgYwvnYWEkVChQAr9bjfwA==}
+    engines: {node: '>=16'}
+
   type-is@2.0.1:
     resolution: {integrity: sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==}
     engines: {node: '>= 0.6'}
@@ -5647,6 +5745,9 @@ packages:
     peerDependencies:
       browserslist: '>= 4.21.0'
 
+  uri-js-replace@1.0.1:
+    resolution: {integrity: sha512-W+C9NWNLFOoBI2QWDp4UT9pv65r2w5Cx+3sTYFvtMdDBxkKt1syCqsUdSFAChbEe1uK5TfS04wt/nGwmaeIQ0g==}
+
   uri-js@4.4.1:
     resolution: {integrity: sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==}
 
@@ -5964,6 +6065,9 @@ packages:
     resolution: {integrity: sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==}
     engines: {node: '>=18'}
 
+  yaml-ast-parser@0.0.43:
+    resolution: {integrity: sha512-2PTINUwsRqSd+s8XxKaJWQlUuEMHJQyEuh2edBbW8KNJz0SJPwUSD2zRWqezFEdN7IzAgeuYHFUCF7o8zRdZ0A==}
+
   yargs-parser@21.1.1:
     resolution: {integrity: sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==}
     engines: {node: '>=12'}
@@ -7046,6 +7150,29 @@ snapshots:
     dependencies:
       '@redis/client': 5.12.1(@opentelemetry/api@1.9.1)
 
+  '@redocly/ajv@8.11.2':
+    dependencies:
+      fast-deep-equal: 3.1.3
+      json-schema-traverse: 1.0.0
+      require-from-string: 2.0.2
+      uri-js-replace: 1.0.1
+
+  '@redocly/config@0.22.0': {}
+
+  '@redocly/openapi-core@1.34.14(supports-color@10.2.2)':
+    dependencies:
+      '@redocly/ajv': 8.11.2
+      '@redocly/config': 0.22.0
+      colorette: 1.4.0
+      https-proxy-agent: 7.0.6(supports-color@10.2.2)
+      js-levenshtein: 1.1.6
+      js-yaml: 4.1.1
+      minimatch: 5.1.9
+      pluralize: 8.0.0
+      yaml-ast-parser: 0.0.43
+    transitivePeerDependencies:
+      - supports-color
+
   '@rolldown/binding-android-arm64@1.0.0-rc.18':
     optional: true
 
@@ -7174,6 +7301,21 @@ snapshots:
     dependencies:
       tslib: 2.8.1
 
+  '@tanstack/query-core@5.100.9': {}
+
+  '@tanstack/query-devtools@5.100.9': {}
+
+  '@tanstack/react-query-devtools@5.100.9(@tanstack/react-query@5.100.9(react@19.2.6))(react@19.2.6)':
+    dependencies:
+      '@tanstack/query-devtools': 5.100.9
+      '@tanstack/react-query': 5.100.9(react@19.2.6)
+      react: 19.2.6
+
+  '@tanstack/react-query@5.100.9(react@19.2.6)':
+    dependencies:
+      '@tanstack/query-core': 5.100.9
+      react: 19.2.6
+
   '@tediousjs/connection-string@1.1.0': {}
 
   '@tootallnate/quickjs-emscripten@0.23.0': {}
@@ -7811,12 +7953,13 @@ snapshots:
       '@vueuse/shared': 14.2.1(vue@3.5.30(typescript@6.0.3))
       vue: 3.5.30(typescript@6.0.3)
 
-  '@vueuse/integrations@14.2.1(focus-trap@8.0.0)(jwt-decode@4.0.0)(vue@3.5.30(typescript@6.0.3))':
+  '@vueuse/integrations@14.2.1(change-case@5.4.4)(focus-trap@8.0.0)(jwt-decode@4.0.0)(vue@3.5.30(typescript@6.0.3))':
     dependencies:
       '@vueuse/core': 14.2.1(vue@3.5.30(typescript@6.0.3))
       '@vueuse/shared': 14.2.1(vue@3.5.30(typescript@6.0.3))
       vue: 3.5.30(typescript@6.0.3)
     optionalDependencies:
+      change-case: 5.4.4
       focus-trap: 8.0.0
       jwt-decode: 4.0.0
 
@@ -7872,6 +8015,8 @@ snapshots:
       json-schema-traverse: 1.0.0
       require-from-string: 2.0.2
 
+  ansi-colors@4.1.3: {}
+
   ansi-regex@5.0.1: {}
 
   ansi-regex@6.2.2: {}
@@ -8131,6 +8276,8 @@ snapshots:
       ansi-styles: 4.3.0
       supports-color: 7.2.0
 
+  change-case@5.4.4: {}
+
   character-entities-html4@2.1.0: {}
 
   character-entities-legacy@3.0.0: {}
@@ -8163,6 +8310,8 @@ snapshots:
 
   color-name@1.1.4: {}
 
+  colorette@1.4.0: {}
+
   combined-stream@1.0.8:
     dependencies:
       delayed-stream: 1.0.0
@@ -8287,6 +8436,12 @@ snapshots:
     dependencies:
       ms: 2.1.3
 
+  debug@4.4.3(supports-color@10.2.2):
+    dependencies:
+      ms: 2.1.3
+    optionalDependencies:
+      supports-color: 10.2.2
+
   debug@4.4.3(supports-color@8.1.1):
     dependencies:
       ms: 2.1.3
@@ -8671,10 +8826,10 @@ snapshots:
       '@rushstack/eslint-patch': 1.16.1
       '@typescript-eslint/eslint-plugin': 7.18.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0)(typescript@6.0.3)
       '@typescript-eslint/parser': 7.18.0(eslint@10.3.0)(typescript@6.0.3)
-      eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0)(eslint@10.3.0)
+      eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0)
       eslint-plugin-cypress: 2.15.2(eslint@10.3.0)
       eslint-plugin-eslint-comments: 3.2.0(eslint@10.3.0)
-      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0)
+      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0)
       eslint-plugin-mocha: 10.5.0(eslint@10.3.0)
       eslint-plugin-n: 17.24.0(eslint@10.3.0)(typescript@6.0.3)
       eslint-plugin-prefer-arrow: 1.2.3(eslint@10.3.0)
@@ -8695,7 +8850,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0)(eslint@10.3.0):
+  eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0):
     dependencies:
       '@nolyfill/is-core-module': 1.0.39
       debug: 4.4.3(supports-color@8.1.1)
@@ -8706,18 +8861,18 @@ snapshots:
       stable-hash: 0.0.5
       tinyglobby: 0.2.16
     optionalDependencies:
-      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0)
+      eslint-plugin-import: 2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0)
     transitivePeerDependencies:
       - supports-color
 
-  eslint-module-utils@2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0):
+  eslint-module-utils@2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0):
     dependencies:
       debug: 3.2.7
     optionalDependencies:
       '@typescript-eslint/parser': 7.18.0(eslint@10.3.0)(typescript@6.0.3)
       eslint: 10.3.0
       eslint-import-resolver-node: 0.3.10
-      eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0)(eslint@10.3.0)
+      eslint-import-resolver-typescript: 3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0)
     transitivePeerDependencies:
       - supports-color
 
@@ -8739,7 +8894,7 @@ snapshots:
       eslint: 10.3.0
       ignore: 5.3.2
 
-  eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0):
+  eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0):
     dependencies:
       '@rtsao/scc': 1.1.0
       array-includes: 3.1.9
@@ -8750,7 +8905,7 @@ snapshots:
       doctrine: 2.1.0
       eslint: 10.3.0
       eslint-import-resolver-node: 0.3.10
-      eslint-module-utils: 2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1)(eslint@10.3.0)
+      eslint-module-utils: 2.12.1(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint-import-resolver-node@0.3.10)(eslint-import-resolver-typescript@3.9.1(eslint-plugin-import@2.32.0(@typescript-eslint/parser@7.18.0(eslint@10.3.0)(typescript@6.0.3))(eslint@10.3.0))(eslint@10.3.0))(eslint@10.3.0)
       hasown: 2.0.2
       is-core-module: 2.16.1
       is-glob: 4.0.3
@@ -9162,10 +9317,6 @@ snapshots:
       es-errors: 1.3.0
       get-intrinsic: 1.3.0
 
-  get-tsconfig@4.13.0:
-    dependencies:
-      resolve-pkg-maps: 1.0.0
-
   get-tsconfig@4.14.0:
     dependencies:
       resolve-pkg-maps: 1.0.0
@@ -9421,6 +9572,13 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  https-proxy-agent@7.0.6(supports-color@10.2.2):
+    dependencies:
+      agent-base: 7.1.4
+      debug: 4.4.3(supports-color@10.2.2)
+    transitivePeerDependencies:
+      - supports-color
+
   i18next-browser-languagedetector@8.2.1:
     dependencies:
       '@babel/runtime': 7.28.6
@@ -9453,6 +9611,8 @@ snapshots:
 
   imurmurhash@0.1.4: {}
 
+  index-to-position@1.2.0: {}
+
   individual@3.0.0: {}
 
   inherits@2.0.4: {}
@@ -9630,6 +9790,8 @@ snapshots:
 
   js-cookie@3.0.5: {}
 
+  js-levenshtein@1.1.6: {}
+
   js-md4@0.3.2: {}
 
   js-md5@0.8.3: {}
@@ -10024,6 +10186,10 @@ snapshots:
     dependencies:
       brace-expansion: 1.1.14
 
+  minimatch@5.1.9:
+    dependencies:
+      brace-expansion: 5.0.5
+
   minimatch@9.0.9:
     dependencies:
       brace-expansion: 2.1.0
@@ -10277,6 +10443,16 @@ snapshots:
       openapi-types: 12.1.3
       qs: 6.15.0
 
+  openapi-fetch@0.17.0:
+    dependencies:
+      openapi-typescript-helpers: 0.1.0
+
+  openapi-react-query@0.5.4(@tanstack/react-query@5.100.9(react@19.2.6))(openapi-fetch@0.17.0):
+    dependencies:
+      '@tanstack/react-query': 5.100.9(react@19.2.6)
+      openapi-fetch: 0.17.0
+      openapi-typescript-helpers: 0.1.0
+
   openapi-schema-validation@0.4.2:
     dependencies:
       jsonschema: 1.2.4
@@ -10292,6 +10468,18 @@ snapshots:
 
   openapi-types@12.1.3: {}
 
+  openapi-typescript-helpers@0.1.0: {}
+
+  openapi-typescript@7.13.0(typescript@6.0.3):
+    dependencies:
+      '@redocly/openapi-core': 1.34.14(supports-color@10.2.2)
+      ansi-colors: 4.1.3
+      change-case: 5.4.4
+      parse-json: 8.3.0
+      supports-color: 10.2.2
+      typescript: 6.0.3
+      yargs-parser: 21.1.1
+
   option@0.2.4: {}
 
   optional-js@2.3.0: {}
@@ -10366,6 +10554,12 @@ snapshots:
 
   pako@1.0.11: {}
 
+  parse-json@8.3.0:
+    dependencies:
+      '@babel/code-frame': 7.29.0
+      index-to-position: 1.2.0
+      type-fest: 4.41.0
+
   parse5@7.3.0:
     dependencies:
       entities: 6.0.1
@@ -10455,6 +10649,8 @@ snapshots:
     optionalDependencies:
       fsevents: 2.3.2
 
+  pluralize@8.0.0: {}
+
   png-js@1.1.0:
     dependencies:
       browserify-zlib: 0.2.0
@@ -11183,6 +11379,8 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  supports-color@10.2.2: {}
+
   supports-color@7.2.0:
     dependencies:
       has-flag: 4.0.0
@@ -11324,7 +11522,7 @@ snapshots:
   tsx@4.21.0:
     dependencies:
       esbuild: 0.27.1
-      get-tsconfig: 4.13.0
+      get-tsconfig: 4.14.0
     optionalDependencies:
       fsevents: 2.3.3
 
@@ -11338,6 +11536,8 @@ snapshots:
 
   type-fest@0.20.2: {}
 
+  type-fest@4.41.0: {}
+
   type-is@2.0.1:
     dependencies:
       content-type: 1.0.5
@@ -11499,6 +11699,8 @@ snapshots:
       escalade: 3.2.0
       picocolors: 1.1.1
 
+  uri-js-replace@1.0.1: {}
+
   uri-js@4.4.1:
     dependencies:
       punycode: 2.3.1
@@ -11574,7 +11776,7 @@ snapshots:
       fsevents: 2.3.3
       tsx: 4.21.0
 
-  vitepress@2.0.0-alpha.17(@types/node@25.6.2)(esbuild@0.28.0)(jwt-decode@4.0.0)(oxc-minify@0.129.0)(postcss@8.5.14)(tsx@4.21.0)(typescript@6.0.3):
+  vitepress@2.0.0-alpha.17(@types/node@25.6.2)(change-case@5.4.4)(esbuild@0.28.0)(jwt-decode@4.0.0)(oxc-minify@0.129.0)(postcss@8.5.14)(tsx@4.21.0)(typescript@6.0.3):
     dependencies:
       '@docsearch/css': 4.6.0
       '@docsearch/js': 4.6.0
@@ -11588,7 +11790,7 @@ snapshots:
       '@vue/devtools-api': 8.1.0
       '@vue/shared': 3.5.30
       '@vueuse/core': 14.2.1(vue@3.5.30(typescript@6.0.3))
-      '@vueuse/integrations': 14.2.1(focus-trap@8.0.0)(jwt-decode@4.0.0)(vue@3.5.30(typescript@6.0.3))
+      '@vueuse/integrations': 14.2.1(change-case@5.4.4)(focus-trap@8.0.0)(jwt-decode@4.0.0)(vue@3.5.30(typescript@6.0.3))
       focus-trap: 8.0.0
       mark.js: 8.11.1
       minisearch: 7.2.0
@@ -11803,6 +12005,8 @@ snapshots:
 
   yallist@5.0.0: {}
 
+  yaml-ast-parser@0.0.43: {}
+
   yargs-parser@21.1.1: {}
 
   yargs-unparser@2.0.0:
diff --git a/settings.json.template b/settings.json.template
index 734592d23d1..3e477b032e9 100644
--- a/settings.json.template
+++ b/settings.json.template
@@ -230,6 +230,19 @@
     "requireAdminForStatus": false
   },
 
+  /*
+   * Admin OpenAPI document at /admin/openapi.json.
+   *
+   * Disabled by default per Etherpad's "new features behind a flag, off by
+   * default" policy. The admin UI's typed client embeds the spec at build
+   * time, so the runtime route is only useful for third-party tooling
+   * (Postman, swagger-ui, downstream clients). Set `enabled: true` to mount
+   * the route; the SPA at /admin/ continues to serve normally either way.
+   */
+  "adminOpenAPI": {
+    "enabled": false
+  },
+
   /*
    * Contact address for admin notifications (updates, security advisories, future features).
    * Set to null to disable outbound mail from the updater.
diff --git a/src/ep.json b/src/ep.json
index bf90c52d43b..319f8f792e1 100644
--- a/src/ep.json
+++ b/src/ep.json
@@ -139,6 +139,12 @@
       "hooks": {
         "expressPreSession": "ep_etherpad-lite/node/hooks/express/openapi"
       }
+    },
+    {
+      "name": "openapi-admin",
+      "hooks": {
+        "expressPreSession": "ep_etherpad-lite/node/hooks/express/openapi-admin"
+      }
     }
   ]
 }
diff --git a/src/node/hooks/express/openapi-admin.ts b/src/node/hooks/express/openapi-admin.ts
new file mode 100644
index 00000000000..53b9a77a02e
--- /dev/null
+++ b/src/node/hooks/express/openapi-admin.ts
@@ -0,0 +1,182 @@
+'use strict';
+
+import {ArgsExpressType} from '../../types/ArgsExpressType';
+import settings, {getEpVersion} from '../../utils/Settings';
+
+const OPENAPI_VERSION = '3.0.2';
+
+/**
+ * Build the OpenAPI 3.0 document for Etherpad's admin endpoints.
+ *
+ * Distinct from the public versioned API document built by openapi.ts —
+ * admin routes are plain Express handlers (not APIHandler-driven), so this
+ * spec is hand-authored. The shape is consumed by admin/scripts/dump-spec.ts
+ * for client-side codegen, and (when settings.adminOpenAPI.enabled) exposed
+ * at GET /admin/openapi.json for downstream tooling.
+ */
+export const generateAdminDefinition = (): any => ({
+  openapi: OPENAPI_VERSION,
+  info: {
+    title: 'Etherpad Admin API',
+    description:
+      'Authenticated administrative endpoints consumed by the Etherpad admin UI. ' +
+      'Distinct from the public /api/{version}/* surface served by /api/openapi.json.',
+    version: getEpVersion(),
+  },
+  paths: {
+    '/admin-auth/': {
+      post: {
+        operationId: 'verifyAdminAccess',
+        summary: 'Verify or establish an admin session',
+        description:
+          'POST with `Authorization: Basic <user:pass>` to log in as an admin ' +
+          '(server sets a session cookie on success). POST with no auth header ' +
+          'to verify an existing admin session cookie. The response body is ' +
+          'always empty; the status code conveys the outcome.',
+        security: [
+          {basicAuth: []},
+          {sessionCookie: []},
+          {},
+        ],
+        responses: {
+          '200': {description: 'Caller is an authenticated admin.'},
+          '401': {description: 'No authentication presented and no admin session exists.'},
+          '403': {description: 'Authenticated, but the user is not an admin.'},
+        },
+      },
+    },
+    '/admin/update/status': {
+      get: {
+        operationId: 'getUpdateStatus',
+        summary: 'Fetch updater status for the admin UI banner and update page',
+        description:
+          'Returns the cached update state (current version, latest known release, ' +
+          'install method, tier, policy verdict, and vulnerability directives). ' +
+          'Open by default; gated to authenticated admin sessions when ' +
+          'updates.requireAdminForStatus=true in settings.',
+        security: [
+          {sessionCookie: []},
+          {},
+        ],
+        responses: {
+          '200': {
+            description: 'Update status payload.',
+            content: {
+              'application/json': {
+                schema: {$ref: '#/components/schemas/UpdateStatus'},
+              },
+            },
+          },
+          '401': {
+            description: 'requireAdminForStatus is set and no admin session exists.',
+          },
+          '403': {
+            description: 'requireAdminForStatus is set and the session user is not an admin.',
+          },
+        },
+      },
+    },
+  },
+  components: {
+    schemas: {
+      ReleaseInfo: {
+        type: 'object',
+        required: ['version', 'tag', 'body', 'publishedAt', 'prerelease', 'htmlUrl'],
+        properties: {
+          version:     {type: 'string', description: 'Semver string without leading "v".'},
+          tag:         {type: 'string', description: 'Original GitHub tag_name (e.g. "v2.7.2").'},
+          body:        {type: 'string', description: 'Markdown body of the release.'},
+          publishedAt: {type: 'string', format: 'date-time'},
+          prerelease:  {type: 'boolean'},
+          htmlUrl:     {type: 'string', format: 'uri'},
+        },
+      },
+      PolicyResult: {
+        type: 'object',
+        required: ['canNotify', 'canManual', 'canAuto', 'canAutonomous', 'reason'],
+        properties: {
+          canNotify:     {type: 'boolean'},
+          canManual:     {type: 'boolean'},
+          canAuto:       {type: 'boolean'},
+          canAutonomous: {type: 'boolean'},
+          reason:        {type: 'string'},
+        },
+      },
+      VulnerableBelowDirective: {
+        type: 'object',
+        required: ['announcedBy', 'threshold'],
+        properties: {
+          announcedBy: {type: 'string'},
+          threshold:   {type: 'string'},
+        },
+      },
+      UpdateStatus: {
+        type: 'object',
+        required: ['currentVersion', 'installMethod', 'tier', 'vulnerableBelow'],
+        properties: {
+          currentVersion: {type: 'string'},
+          latest: {
+            allOf: [{$ref: '#/components/schemas/ReleaseInfo'}],
+            nullable: true,
+          },
+          lastCheckAt: {type: 'string', format: 'date-time', nullable: true},
+          installMethod: {
+            type: 'string',
+            enum: ['auto', 'git', 'docker', 'npm', 'managed'],
+          },
+          tier: {
+            type: 'string',
+            enum: ['off', 'notify', 'manual', 'auto', 'autonomous'],
+          },
+          policy: {
+            allOf: [{$ref: '#/components/schemas/PolicyResult'}],
+            nullable: true,
+          },
+          vulnerableBelow: {
+            type: 'array',
+            items: {$ref: '#/components/schemas/VulnerableBelowDirective'},
+          },
+        },
+      },
+    },
+    securitySchemes: {
+      basicAuth: {
+        type: 'http',
+        scheme: 'basic',
+      },
+      sessionCookie: {
+        type: 'apiKey',
+        in: 'cookie',
+        name: 'express_sid',
+      },
+    },
+  },
+});
+
+exports.generateAdminDefinition = generateAdminDefinition;
+
+export const expressPreSession = async (
+  _hookName: string,
+  {app}: ArgsExpressType,
+): Promise<void> => {
+  // Behind a feature flag, default off. Etherpad policy
+  // (CONTRIBUTING.md, AGENTS.MD) requires new features to ship disabled by
+  // default. The route is only useful for third-party tooling — codegen
+  // imports generateAdminDefinition() in-process and does not depend on it.
+  //
+  // The flag is checked per-request (not at registration time) so toggling
+  // settings.adminOpenAPI.enabled at runtime takes effect immediately and
+  // so test suites that share a long-lived Express agent can exercise both
+  // states without restarting the server.
+  app.get('/admin/openapi.json', (_req: any, res: any) => {
+    if (!settings.adminOpenAPI?.enabled) {
+      // Return JSON 404 (not the SPA's text/html catch-all) so callers get
+      // a clear "feature disabled" signal rather than an HTML page.
+      return res.status(404).type('application/json').send({error: 'Not Found'});
+    }
+    res.header('Access-Control-Allow-Origin', '*');
+    res.json(generateAdminDefinition());
+  });
+};
+
+exports.expressPreSession = expressPreSession;
diff --git a/src/node/hooks/express/openapi.ts b/src/node/hooks/express/openapi.ts
index e07daf6d86b..6eb420f2894 100644
--- a/src/node/hooks/express/openapi.ts
+++ b/src/node/hooks/express/openapi.ts
@@ -769,3 +769,6 @@ const generateServerForApiVersion = (apiRoot:string, req:any): {
 } => ({
   url: `${settings.ssl ? 'https' : 'http'}://${req.headers.host}${apiRoot}`,
 });
+
+exports.generateDefinitionForVersion = generateDefinitionForVersion;
+exports.APIPathStyle = APIPathStyle;
diff --git a/src/node/utils/Settings.ts b/src/node/utils/Settings.ts
index 3b5e9790f9c..28e237073df 100644
--- a/src/node/utils/Settings.ts
+++ b/src/node/utils/Settings.ts
@@ -332,6 +332,9 @@ export type SettingsType = {
     githubRepo: string,
     requireAdminForStatus: boolean,
   },
+  adminOpenAPI: {
+    enabled: boolean,
+  },
   adminEmail: string | null,
   getPublicSettings: () => Pick<SettingsType, "title" | "skinVariants"|"randomVersionString"|"skinName"|"toolbar"| "exposeVersion"| "gitVersion" | "enablePadWideSettings" | "enablePluginPadOptions" | "privacyBanner">,
 }
@@ -516,6 +519,18 @@ const settings: SettingsType = {
     // disabling the updater itself.
     requireAdminForStatus: false,
   },
+  /**
+   * Admin OpenAPI document endpoint at /admin/openapi.json.
+   *
+   * Disabled by default per Etherpad's "new features behind a flag, off by
+   * default" policy (see CONTRIBUTING.md). The codegen pipeline imports
+   * generateAdminDefinition() in-process and does not depend on the route;
+   * enable this only if you want third-party tooling (Postman, swagger-ui,
+   * downstream clients) to consume the spec at runtime.
+   */
+  adminOpenAPI: {
+    enabled: false,
+  },
   /**
    * Contact address for admin notifications (updates, future security advisories).
    * Null disables outbound mail from the updater.
diff --git a/src/tests/backend/specs/openapi-admin.ts b/src/tests/backend/specs/openapi-admin.ts
new file mode 100644
index 00000000000..eb98f9a0ff9
--- /dev/null
+++ b/src/tests/backend/specs/openapi-admin.ts
@@ -0,0 +1,216 @@
+'use strict';
+
+import {strict as assert} from 'assert';
+const validateOpenAPI = require('openapi-schema-validation').validate;
+
+const openapiAdmin = require('../../../node/hooks/express/openapi-admin');
+
+describe('admin OpenAPI document', function () {
+  let doc: any;
+
+  before(function () {
+    doc = openapiAdmin.generateAdminDefinition();
+  });
+
+  it('returns a valid OpenAPI 3.0 document', function () {
+    const {valid, errors} = validateOpenAPI(doc, 3);
+    if (!valid) {
+      throw new Error(
+        `admin OpenAPI doc is invalid: ${JSON.stringify(errors, null, 2)}`,
+      );
+    }
+  });
+
+  it('declares info.title as "Etherpad Admin API"', function () {
+    assert.equal(doc.info.title, 'Etherpad Admin API');
+  });
+
+  it('exposes basicAuth and sessionCookie security schemes', function () {
+    assert.ok(doc.components.securitySchemes.basicAuth);
+    assert.equal(doc.components.securitySchemes.basicAuth.type, 'http');
+    assert.equal(doc.components.securitySchemes.basicAuth.scheme, 'basic');
+    assert.ok(doc.components.securitySchemes.sessionCookie);
+    assert.equal(doc.components.securitySchemes.sessionCookie.type, 'apiKey');
+    assert.equal(doc.components.securitySchemes.sessionCookie.in, 'cookie');
+  });
+
+  describe('/admin-auth/', function () {
+    it('declares POST with operationId verifyAdminAccess', function () {
+      const op = doc.paths['/admin-auth/']?.post;
+      assert.ok(op, 'POST /admin-auth/ is missing');
+      assert.equal(op.operationId, 'verifyAdminAccess');
+    });
+
+    it('documents responses 200, 401, 403', function () {
+      const responses = doc.paths['/admin-auth/'].post.responses;
+      assert.ok(responses['200'], 'missing 200 response');
+      assert.ok(responses['401'], 'missing 401 response');
+      assert.ok(responses['403'], 'missing 403 response');
+    });
+
+    it('declares security: basicAuth, sessionCookie, anonymous', function () {
+      const security = doc.paths['/admin-auth/'].post.security;
+      assert.ok(Array.isArray(security));
+      const keys = security.map((s: any) => Object.keys(s)[0] ?? '__anon__');
+      assert.deepEqual(keys.sort(), ['__anon__', 'basicAuth', 'sessionCookie'].sort());
+    });
+  });
+
+  describe('/admin/update/status', function () {
+    it('declares GET with operationId getUpdateStatus', function () {
+      const op = doc.paths['/admin/update/status']?.get;
+      assert.ok(op, 'GET /admin/update/status is missing');
+      assert.equal(op.operationId, 'getUpdateStatus');
+    });
+
+    it('200 response references components.schemas.UpdateStatus', function () {
+      const ok = doc.paths['/admin/update/status'].get.responses['200'];
+      assert.equal(
+        ok.content['application/json'].schema.$ref,
+        '#/components/schemas/UpdateStatus',
+      );
+    });
+
+    it('declares security: sessionCookie OR anonymous', function () {
+      const security = doc.paths['/admin/update/status'].get.security;
+      const keys = security.map((s: any) => Object.keys(s)[0] ?? '__anon__');
+      assert.deepEqual(keys.sort(), ['__anon__', 'sessionCookie'].sort());
+    });
+  });
+
+  describe('UpdateStatus schema', function () {
+    it('declares all properties emitted by the handler', function () {
+      const schema = doc.components.schemas.UpdateStatus;
+      assert.equal(schema.type, 'object');
+      const props = Object.keys(schema.properties).sort();
+      assert.deepEqual(props, [
+        'currentVersion',
+        'installMethod',
+        'lastCheckAt',
+        'latest',
+        'policy',
+        'tier',
+        'vulnerableBelow',
+      ]);
+    });
+
+    it('installMethod enum matches updater/types.ts InstallMethod', function () {
+      const enums = doc.components.schemas.UpdateStatus.properties.installMethod.enum;
+      assert.deepEqual(enums.slice().sort(), ['auto', 'docker', 'git', 'managed', 'npm']);
+    });
+
+    it('tier enum matches updater/types.ts Tier', function () {
+      const enums = doc.components.schemas.UpdateStatus.properties.tier.enum;
+      assert.deepEqual(enums.slice().sort(), ['auto', 'autonomous', 'manual', 'notify', 'off']);
+    });
+
+    it('declares ReleaseInfo, PolicyResult, VulnerableBelowDirective sub-schemas', function () {
+      assert.ok(doc.components.schemas.ReleaseInfo);
+      assert.ok(doc.components.schemas.PolicyResult);
+      assert.ok(doc.components.schemas.VulnerableBelowDirective);
+    });
+
+    it('ReleaseInfo properties mirror updater/types.ts', function () {
+      const props = Object.keys(doc.components.schemas.ReleaseInfo.properties).sort();
+      assert.deepEqual(props, [
+        'body', 'htmlUrl', 'prerelease', 'publishedAt', 'tag', 'version',
+      ]);
+    });
+
+    it('PolicyResult properties mirror updater/types.ts', function () {
+      const props = Object.keys(doc.components.schemas.PolicyResult.properties).sort();
+      assert.deepEqual(props, [
+        'canAuto', 'canAutonomous', 'canManual', 'canNotify', 'reason',
+      ]);
+    });
+
+    it('VulnerableBelowDirective properties mirror updater/types.ts', function () {
+      const props = Object.keys(doc.components.schemas.VulnerableBelowDirective.properties).sort();
+      assert.deepEqual(props, ['announcedBy', 'threshold']);
+    });
+  });
+
+  describe('cross-collision with public spec', function () {
+    let publicDoc: any;
+    before(function () {
+      const apiHandler = require('../../../node/handler/APIHandler');
+      const openapi = require('../../../node/hooks/express/openapi');
+      publicDoc = openapi.generateDefinitionForVersion(
+        apiHandler.latestApiVersion,
+        openapi.APIPathStyle.FLAT,
+      );
+    });
+
+    it('admin paths and operationIds do not collide with the latest public spec', function () {
+      const adminPaths = Object.keys(doc.paths);
+      const publicPaths = Object.keys(publicDoc.paths);
+      const pathCollisions = adminPaths.filter((p) => publicPaths.includes(p));
+      assert.deepEqual(pathCollisions, [], `path collisions: ${pathCollisions.join(', ')}`);
+
+      const collectOpIds = (d: any): string[] => {
+        const ids: string[] = [];
+        for (const item of Object.values(d.paths) as any[]) {
+          for (const op of Object.values(item) as any[]) {
+            if (op && typeof op.operationId === 'string') ids.push(op.operationId);
+          }
+        }
+        return ids;
+      };
+      const adminIds = collectOpIds(doc);
+      const publicIds = collectOpIds(publicDoc);
+      const idCollisions = adminIds.filter((id) => publicIds.includes(id));
+      assert.deepEqual(idCollisions, [], `operationId collisions: ${idCollisions.join(', ')}`);
+    });
+
+    it('schema names do not collide with the latest public spec', function () {
+      const adminSchemas = Object.keys(doc.components.schemas);
+      const publicSchemas = Object.keys(publicDoc.components.schemas || {});
+      const collisions = adminSchemas.filter((n) => publicSchemas.includes(n));
+      assert.deepEqual(collisions, [], `schema name collisions: ${collisions.join(', ')}`);
+    });
+  });
+
+  describe('GET /admin/openapi.json (feature flag)', function () {
+    // The route is registered unconditionally; the handler reads
+    // settings.adminOpenAPI.enabled per-request. This lets a single Express
+    // agent (shared across the whole suite via common.init()) exercise both
+    // states by toggling the flag in-process — no server restart needed.
+    let agent: any;
+    let settingsModule: any;
+
+    before(async function () {
+      const common = require('../common');
+      agent = await common.init();
+      settingsModule = require('../../../node/utils/Settings').default;
+    });
+
+    after(function () {
+      // Restore default-off so subsequent specs don't see leaked state.
+      if (settingsModule?.adminOpenAPI) settingsModule.adminOpenAPI.enabled = false;
+    });
+
+    it('returns 404 JSON when settings.adminOpenAPI.enabled is false (default)', async function () {
+      settingsModule.adminOpenAPI = settingsModule.adminOpenAPI || {enabled: false};
+      settingsModule.adminOpenAPI.enabled = false;
+      const res = await agent.get('/admin/openapi.json').expect(404);
+      assert.match(res.headers['content-type'] || '', /application\/json/);
+      assert.deepEqual(res.body, {error: 'Not Found'});
+    });
+
+    it('serves the admin OpenAPI document as JSON when the flag is on', async function () {
+      settingsModule.adminOpenAPI.enabled = true;
+      const res = await agent.get('/admin/openapi.json').expect(200);
+      assert.match(res.headers['content-type'] || '', /application\/json/);
+      assert.equal(res.body.openapi, '3.0.2');
+      assert.equal(res.body.info.title, 'Etherpad Admin API');
+      assert.ok(res.body.paths['/admin-auth/']);
+      assert.ok(res.body.paths['/admin/update/status']);
+    });
+
+    it('sets a permissive CORS header when enabled (matches /api/openapi.json)', async function () {
+      settingsModule.adminOpenAPI.enabled = true;
+      const res = await agent.get('/admin/openapi.json').expect(200);
+      assert.equal(res.headers['access-control-allow-origin'], '*');
+    });
+  });
+});

From efb8328084b3bb577a164e299bf90ce27a3fdc65 Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Sun, 10 May 2026 16:00:07 +0800
Subject: [PATCH 17/25] =?UTF-8?q?feat(updater):=20tier=202=20=E2=80=94=20m?=
 =?UTF-8?q?anual-click=20update=20from=20/admin/update=20(#7607)=20(#7704)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* docs(updater): PR 2 (Tier 2 manual-click) implementation plan

20-task TDD plan for shipping the manual-click update flow on top of the
Tier 1 (notify) work merged in #7601. Covers UpdateExecutor, RollbackHandler,
SessionDrainer, lock + trustedKeys, four admin endpoints (apply / cancel /
acknowledge / log), admin UI updates, integration tests against a tmp git
repo, and a manual smoke runbook for the spec's "before each tier ships"
gate. Plan deliberately scopes signature verification to an opt-in stub
(updates.requireSignature: false default) to avoid blocking on a separate
release-signing project.

Plan: docs/superpowers/plans/2026-05-08-auto-update-pr2-manual-click.md
Spec: docs/superpowers/specs/2026-04-25-auto-update-design.md
Issue: ether/etherpad#7607

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): extend state + settings for Tier 2 manual-click

Adds ExecutionStatus discriminated union, bootCount, and lastResult to
UpdateState, plus the preApplyGraceMinutes/drainSeconds/diskSpaceMinMB/
requireSignature/trustedKeysPath knobs that Tier 2's executor needs.
loadState backfills the new fields on Tier 1 state files so existing
installs keep working.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): PID-based update.lock with stale-pid reaping

Single-flight guard for Tier 2's UpdateExecutor. Atomic O_CREAT|O_EXCL
acquire; on EEXIST, sends signal 0 to the recorded PID and reaps if dead.
Unparseable / partially-written lock files are treated as stale rather
than fatal so a half-written lock from a SIGKILL'd parent doesn't lock
the install out forever.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): verifyReleaseTag — gpg-via-git stub for Tier 2 preflight

Default updates.requireSignature=false: log a warning and return ok with
reason=signature-not-required. Set true to make preflight refuse a tag
whose signature does not verify under the system keyring (or
trustedKeysPath via GNUPGHOME). Etherpad's release process does not yet
sign tags consistently; turning the check on by default would break
Tier 2 for every admin and forcing a release-signing change is out of
scope for this PR.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): preflight check pipeline for Tier 2

Pure orchestrator over injected probes for install-method, working tree,
disk space, pnpm presence, lock state, remote tag existence and
signature verification. Cheap-and-definitive checks run first; first
failure short-circuits with a typed reason that the route layer will
surface in the preflight-failed admin banner.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): rolling update.log helpers (appendLine + tailLines)

Direct file-append + size-based rotation rather than a log4js appender —
avoids re-configuring log4js on top of the user's existing logconfig.
appendLine creates parents, rotates at 10MB (configurable), keeps 5
backups by default. tailLines reads the last N lines for /admin/update/log.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): SessionDrainer + handshake guard

Drainer schedules T-60 / -30 / -10 broadcasts and resolves at T=0;
isAcceptingConnections() flips off for the duration. PadMessageHandler
consults the flag at the start of CLIENT_READY and disconnects new
joiners with reason "updateInProgress" — existing sockets are
unaffected. Drains shorter than 30s collapse the early timers to fire
ASAP rather than queue past the drain end.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): UpdateExecutor — snapshot, fetch/checkout/install/build, exit 75

Pure-DI orchestrator: spawnFn, copyFile, readSha, saveState, exit are all
injected so unit tests run the full pipeline without spawning real
children or mutating the real install. Streams stdout/stderr to
update.log via the now-best-effort appendLine helper (swallows fs errors
so the executor itself never breaks on read-only / unwritable log dirs).
Failure paths transition to rolling-back and return — the route layer
hands off to RollbackHandler which owns the rollback exit, so we don't
double-exit and lose tail lines.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): RollbackHandler — health-check timer + crash-loop guard

checkPendingVerification arms a 60s timer at boot when state is
pending-verification and increments bootCount; bootCount>2 forces an
immediate rollback (crash-loop guard). markVerified persists the
verified state and stops the timer. performRollback restores the
backup lockfile, runs git checkout <fromSha> and pnpm install, lands on
rolled-back or rollback-failed (terminal) on sub-step failure, exits 75
either way so the supervisor restart brings the new state up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): wire RollbackHandler into boot + UpdatePolicy honours rollback-failed

- expressCreateServer now invokes checkPendingVerification before polling starts
  so a previous boot's pending-verification either re-arms the health-check
  timer or, when bootCount has climbed past the crash-loop threshold, forces
  an immediate rollback.
- server.ts calls markBootHealthy after state hits RUNNING so /health-being-up
  is the implicit happy-path signal that cancels the rollback timer.
- /admin/update/status surfaces execution + lastResult + lockHeld so the admin
  UI can render the right Apply / Cancel / Acknowledge state.
- UpdatePolicy gains an `executionStatus` input. While it equals 'rollback-failed',
  canAuto / canAutonomous are denied (reason: rollback-failed-terminal); manual
  stays on because clicking Apply IS the intervention the terminal state needs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): apply / cancel / acknowledge / log endpoints

Strict admin-only POSTs that drive Tier 2's manual-click flow:
- POST /admin/update/apply: acquire lock, persist preflight, run preflight,
  drain $drainSeconds, executeUpdate (which exits 75 on success), or run
  performRollback on a failure path (also exits 75).
- POST /admin/update/cancel: cancel a pre-execute drain/preflight, write
  cancelled lastResult, release lock.
- POST /admin/update/acknowledge: clear terminal states (preflight-failed,
  rolled-back, rollback-failed) back to idle. lastResult is preserved so
  the admin still sees what happened.
- GET /admin/update/log: tail var/log/update.log (200 lines) for the in-
  progress UI. Strict admin auth.

Also:
- socketio hook exports getIo() so the apply endpoint can broadcast the
  drain shoutMessage outside the regular hook surface.
- ep.json registers updateActions after admin/updateStatus.
- 11 mocha integration tests cover auth, policy denial, execution-busy,
  acknowledge-clears-terminal, log content-type.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): admin UI Apply/Cancel/Acknowledge + live log stream

UpdatePage renders the right action set based on execution.status:
Apply when idle/verified and policy allows, Cancel during
preflight/draining, Acknowledge on terminal preflight-failed /
rolled-back / rollback-failed. While the executor is in flight
(preflight/draining/executing/rolling-back) the page polls
/admin/update/log + /admin/update/status once a second and shows the
rolling tail; polling stops automatically when the run terminates.

lastResult and policy denial reasons surface localised copy. Buttons
disable themselves while a network round-trip is in flight to dodge
double-clicks. New i18n keys live under update.page.{apply,cancel,
acknowledge,log,execution,policy.*,last_result.*}, update.execution.*,
update.banner.terminal.rollback-failed, and update.drain.{t60,t30,t10}.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): pad shoutMessage renders update.drain.* via html10n

broadcastShout now sends {messageKey, values, sticky} so the existing
pad-side shout pipeline can route through html10n.get(). The renderer
gains a values pass-through so update.drain.t60 etc. interpolate
{{seconds}}, and gives updater shouts a different gritter title (the
banner.title localised string) so users know it's a system event
rather than a generic admin message.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): rollback uses git checkout -f + integration suite over tmp git repo

RollbackHandler now does git checkout -f <fromSha> BEFORE overlaying the
backup lockfile. Without -f, git refuses checkout when there are
unstaged modifications to files it would overwrite — exactly the case
after a partial executor run that mutated the working tree. With -f the
partial mutation is discarded and the working tree returns to fromSha
cleanly. The backup-lockfile copy is still done (belt-and-braces) but
tolerates ENOENT since checkout already restored the right lockfile.

The new integration suite at src/tests/backend/specs/updater-integration.ts
exercises the full pipeline against a disposable git repo: happy path,
install-fail rollback, build-fail rollback, crash-loop guard, and a
target-sha-doesn't-exist rollback-failed terminal case. 5 mocha tests.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(updater): Playwright admin Apply / Cancel / Acknowledge flow

Stubs /admin/update/status (and /admin/update/apply for the apply path)
at the route level so we can assert UI transitions without actually
running an update. Four scenarios:
- Apply button POSTs and re-fetches status (>=2 status fetches total).
- install-method-not-writable hides the button and shows localised
  denial copy.
- rollback-failed terminal state shows the Acknowledge button and the
  "Manual intervention required" lastResult copy.
- lockHeld=true hides Apply even when policy.canManual is on.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(updater): admin banner shows rollback-failed terminal alert

When execution.status === 'rollback-failed' the banner switches to a
role=alert with the strong update.banner.terminal.rollback-failed copy
and overrides the regular "update available" framing — an admin who
left the system in this state needs to fix it before any other admin
work matters. Other terminal states (preflight-failed, rolled-back) are
informational and surface on the page itself, not the banner.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(updater): Tier 2 admin docs + manual smoke runbook + CHANGELOG

doc/admin/updates.md gains a full Tier 2 section: prerequisites
(git install + process supervisor with sample systemd unit), Apply
flow with timings, every failure mode and the resulting state, the
four endpoints, and the signature-verification opt-in. Settings
table picks up the new updates.* knobs.

docs/superpowers/specs/2026-04-25-auto-update-runbook.md is the
manual smoke runbook the design spec calls for: disposable VM,
systemd unit, every observable transition (happy path, install/
build-fail rollback, crash-loop guard, rollback-failed terminal,
cancel during drain) plus a sign-off checklist for the release cut.

CHANGELOG Unreleased section explains the supervisor requirement
and points readers at the runbook.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(updater): note docker-friendly update flows as follow-up work

Tier 2 refuses Apply on installMethod=docker because in-container
mutation doesn't survive a container restart. Adds a future-work note
covering the two reasonable paths for an in-product docker Apply
button (instructions-only vs deploy-webhook) and explicitly rules out
mounting /var/run/docker.sock as a footgun. Watchtower gets a pointer
for admins who want fully autonomous docker updates today.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(updater): address Qodo review (1-6) + Playwright strict-mode CI fix

1. Tier 2 endpoints now gate on tier in {manual, auto, autonomous} —
   notify and off return 404 to match the prior PR-1 behaviour. Gate is
   evaluated per-request via app.use middleware so a settings.json reload
   takes effect without a full restart, and so integration tests can flip
   the tier dynamically. Adds a regression test that exercises 404 at
   tier=notify across all four endpoints.

2. cancel/apply race fixed: /admin/update/cancel no longer releases the
   lock — apply's finally block owns it for the request's lifetime. Apply
   now reloads state after preflight and aborts with 409 cancelled-during-
   preflight if execution.status is no longer 'preflight' for the same
   targetTag. Prevents a second apply from sneaking in while the first is
   still running its slow checks, and prevents the post-cancel apply from
   continuing into drain/execute.

3. SessionDrainer now restores acceptingConnections=true at drain
   completion (not just on cancel). The lock + persisted execution.status
   prevent a fresh apply from racing in — the in-memory flag was redundant
   safety that turned into a wedge if the executor threw post-drain. Adds
   a unit test asserting the flag is restored after natural drain end.

4. PadMessageHandler drain guard switched from socket.json.send (a
   socket.io v2/v3 API that may not exist on v4) to socket.emit('message',
   ...) for consistency with the other disconnect paths in the file.

5. Spawn 'error' handlers added to runStep helpers in UpdateExecutor and
   RollbackHandler, plus the gpg verify-tag spawn in trustedKeys. Without
   them, a missing/unexecutable binary leaves the promise hanging forever
   and the update flow stuck in-flight. SpawnFn type extended to allow
   on('error', ...) listeners cleanly. Spawn errors now resolve with code
   1 + the error message in stderr, so the existing failure-detection
   branches fire normally.

6. executeUpdate body wrapped in try/catch. An exception from readSha,
   saveState, copyFile, or any step now lands in a rolling-back persist +
   returns failed-checkout, so the route's post-executor rollback path
   picks it up. State can no longer wedge at 'executing'. The catch's
   inner saveState is itself try/wrapped so a write-after-write failure
   doesn't crash the route either.

CI: Playwright update-page-actions strict-mode violation fixed. Both the
banner and the lastResult <p> contain "Manual intervention required";
selector now scopes to p.last-result-rollback-failed for the lastResult
assertion specifically.

129 vitest unit tests + 23 mocha integration tests passing; ts-check clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(updater): address Qodo #7 (status leak) + #8 (short-drain values)

#7. /admin/update/status now redacts diagnostic strings for unauth callers
even when requireAdminForStatus is left at its default (false). Status
enum + outcome enum are kept (the admin banner / pad-side badge need them
to render the right UI) but execution.reason / execution.fromSha /
execution.targetTag and the same fields on lastResult are stripped.
Authed admin sessions still get the full payload — they're looking at
their own server's diagnostics. Two new mocha tests cover both paths:
"redacts execution.reason / lastResult.reason for unauth callers" and
"returns full diagnostic payload to authed admin sessions".

#8. SessionDrainer no longer schedules T-30 / T-10 broadcasts when the
configured drainSeconds can't honour them. Previously, with drainSeconds
< 30 the T-30 timer fired at zero remaining but the broadcast still
claimed "30 seconds" — misleading. Now T-30 only schedules when
drainSeconds > 30 and T-10 only when > 10. Admins picking a short drain
get fewer announcements but each carries an accurate countdown. The
opening announcement now reports the configured drain length rather
than a hardcoded 60. Two updated unit tests: drainSeconds=15 (skips
T-30, still fires T-10) and drainSeconds=5 (skips both).

131 vitest unit + 26 mocha integration tests passing; ts-check clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(updater): address Qodo follow-up — tag injection, rollback rejections, state validation

Qodo posted three new concerns after the first fix push.

1. Git tag option injection (security). The release tag from GitHub's
   tag_name flowed into `git checkout` / `git verify-tag` as a positional
   arg. A tag starting with '-' would be parsed as an option and could
   bypass signature verification or change checkout semantics. Mitigated
   in three layers:

   - New refSafety helper (isValidTag / assertValidTag / refsTagsForm)
     enforces a strict subset of git's check-ref-format spec: rejects
     leading '-' or '.', whitespace, control chars, and ~ ^ : ? * [ \\
     and the '..' sequence.
   - VersionChecker validates tag_name before persisting to state, so a
     malformed value from a misconfigured githubRepo never lands on disk.
   - UpdateExecutor calls assertValidTag and uses the refs/tags/<tag>
     form for git checkout. trustedKeys also validates and adds '--' to
     git verify-tag for an end-of-options marker. updateActions does an
     up-front isValidTag check on state.latest.tag so a corrupt state
     file gets a clean 409 instead of a 500.

2. Unhandled rollback rejections. checkPendingVerification was firing
   `void deps.saveState(...)` and `void performRollback(...)` without
   .catch(), so an fs error during boot's rollback path would bubble out
   as an unhandled rejection. Both callsites now go through fireSaveState
   / fireRollback helpers that catch and log; rollback rejections fall
   through to a best-effort terminal-state write + exit 75 so the
   supervisor can re-try the next boot with bootCount++.

3. Execution state under-validated. isValidExecution previously checked
   only that `status` was a known enum value, so a hand-edited state file
   with `{execution: {status: 'pending-verification'}}` (missing fromSha
   / targetTag / deadlineAt) would pass validation and reach
   RollbackHandler with undefined refs. The validator now consults a
   per-status required-fields map mirroring the ExecutionStatus union in
   types.ts and rejects empty strings as well as missing fields. Same
   tightening applied to lastResult.outcome (must be in the allowed enum,
   not just any string). Six new unit tests cover hand-edited corruption.

145 vitest + 26 mocha tests green; ts-check clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 CHANGELOG.md                                  |   12 +
 admin/src/components/UpdateBanner.tsx         |   16 +-
 admin/src/pages/UpdatePage.tsx                |  132 +-
 admin/src/store/store.ts                      |   28 +
 doc/admin/updates.md                          |   87 +-
 ...2026-05-08-auto-update-pr2-manual-click.md | 3222 +++++++++++++++++
 .../specs/2026-04-25-auto-update-runbook.md   |  202 ++
 settings.json.docker                          |    8 +-
 settings.json.template                        |   17 +-
 src/ep.json                                   |    7 +
 src/locales/en.json                           |   28 +
 src/node/handler/PadMessageHandler.ts         |   12 +
 src/node/hooks/express/socketio.ts            |    3 +
 src/node/hooks/express/updateActions.ts       |  360 ++
 src/node/hooks/express/updateStatus.ts        |   47 +-
 src/node/server.ts                            |   11 +
 src/node/updater/RollbackHandler.ts           |  246 ++
 src/node/updater/SessionDrainer.ts            |   91 +
 src/node/updater/UpdateExecutor.ts            |  219 ++
 src/node/updater/UpdatePolicy.ts              |   28 +-
 src/node/updater/VersionChecker.ts            |   10 +
 src/node/updater/index.ts                     |   40 +
 src/node/updater/lock.ts                      |   78 +
 src/node/updater/preflight.ts                 |   54 +
 src/node/updater/refSafety.ts                 |   43 +
 src/node/updater/state.ts                     |   83 +-
 src/node/updater/trustedKeys.ts               |   75 +
 src/node/updater/types.ts                     |   51 +
 src/node/updater/updateLog.ts                 |   82 +
 src/node/utils/Settings.ts                    |   16 +
 src/static/js/pad.ts                          |   12 +-
 .../specs/updater/RollbackHandler.test.ts     |  203 ++
 .../specs/updater/SessionDrainer.test.ts      |  110 +
 .../specs/updater/UpdateExecutor.test.ts      |  145 +
 .../specs/updater/UpdatePolicy.test.ts        |   31 +
 .../backend-new/specs/updater/lock.test.ts    |   69 +
 .../specs/updater/preflight.test.ts           |   78 +
 .../specs/updater/refSafety.test.ts           |   63 +
 .../backend-new/specs/updater/state.test.ts   |  165 +
 .../specs/updater/trustedKeys.test.ts         |   98 +
 .../specs/updater/updateLog.test.ts           |  112 +
 src/tests/backend/specs/updateActions.ts      |  196 +
 src/tests/backend/specs/updateStatus.ts       |   72 +
 .../backend/specs/updater-integration.ts      |  265 ++
 .../admin-spec/update-page-actions.spec.ts    |  111 +
 45 files changed, 6991 insertions(+), 47 deletions(-)
 create mode 100644 docs/superpowers/plans/2026-05-08-auto-update-pr2-manual-click.md
 create mode 100644 docs/superpowers/specs/2026-04-25-auto-update-runbook.md
 create mode 100644 src/node/hooks/express/updateActions.ts
 create mode 100644 src/node/updater/RollbackHandler.ts
 create mode 100644 src/node/updater/SessionDrainer.ts
 create mode 100644 src/node/updater/UpdateExecutor.ts
 create mode 100644 src/node/updater/lock.ts
 create mode 100644 src/node/updater/preflight.ts
 create mode 100644 src/node/updater/refSafety.ts
 create mode 100644 src/node/updater/trustedKeys.ts
 create mode 100644 src/node/updater/updateLog.ts
 create mode 100644 src/tests/backend-new/specs/updater/RollbackHandler.test.ts
 create mode 100644 src/tests/backend-new/specs/updater/SessionDrainer.test.ts
 create mode 100644 src/tests/backend-new/specs/updater/UpdateExecutor.test.ts
 create mode 100644 src/tests/backend-new/specs/updater/lock.test.ts
 create mode 100644 src/tests/backend-new/specs/updater/preflight.test.ts
 create mode 100644 src/tests/backend-new/specs/updater/refSafety.test.ts
 create mode 100644 src/tests/backend-new/specs/updater/trustedKeys.test.ts
 create mode 100644 src/tests/backend-new/specs/updater/updateLog.test.ts
 create mode 100644 src/tests/backend/specs/updateActions.ts
 create mode 100644 src/tests/backend/specs/updater-integration.ts
 create mode 100644 src/tests/frontend-new/admin-spec/update-page-actions.spec.ts

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8541a34b129..346603d950d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@
+# Unreleased
+
+### Notable enhancements
+
+- **Self-update subsystem — Tier 2 (manual click).**
+  - Admins on a git install can click "Apply update" at `/admin/update`. Etherpad runs a 60s session drain (with T-60 / T-30 / T-10 broadcasts to every pad), `git fetch / checkout / pnpm install --frozen-lockfile / pnpm run build:ui`, and exits with code 75 so a process supervisor restarts it on the new version. The next boot runs a 60s health check; if `/health` doesn't come up the previous SHA + lockfile are restored automatically.
+  - Crash-loop guard: if the new version reboots more than twice without the health check completing, RollbackHandler forces a rollback regardless of the timer.
+  - Terminal `rollback-failed` state surfaces a strong banner; the admin clicks Acknowledge once they've manually recovered to clear the lock and re-allow Tier 2 attempts.
+  - New settings under `updates.*`: `preApplyGraceMinutes`, `drainSeconds`, `rollbackHealthCheckSeconds`, `diskSpaceMinMB`, `requireSignature`, `trustedKeysPath`. Tag signature verification is opt-in (default `false`) — see `doc/admin/updates.md` for the keyring setup.
+  - **A process supervisor (systemd / pm2 / docker `--restart=unless-stopped`) is required to apply updates.** Without one, exit 75 leaves the instance down.
+  - Tiers 3 (auto with grace window) and 4 (autonomous in maintenance window) remain designed but unimplemented and will land in subsequent releases.
+
 # 2.7.3
 
 ### Breaking changes
diff --git a/admin/src/components/UpdateBanner.tsx b/admin/src/components/UpdateBanner.tsx
index 36f1faddc29..e69e89c2625 100644
--- a/admin/src/components/UpdateBanner.tsx
+++ b/admin/src/components/UpdateBanner.tsx
@@ -17,7 +17,21 @@ export const UpdateBanner = () => {
     return () => { cancelled = true; };
   }, [setUpdateStatus]);
 
-  if (!updateStatus || !updateStatus.latest) return null;
+  if (!updateStatus) return null;
+
+  // Terminal rollback-failed wins over the regular "update available" banner —
+  // an admin who left the system in this state needs to fix it before any
+  // other admin work matters.
+  if (updateStatus.execution?.status === 'rollback-failed') {
+    return (
+      <div className="update-banner update-banner-terminal" role="alert">
+        <strong><Trans i18nKey="update.banner.terminal.rollback-failed"/></strong>{' '}
+        <Link to="/update">{t('update.banner.cta')}</Link>
+      </div>
+    );
+  }
+
+  if (!updateStatus.latest) return null;
   if (updateStatus.currentVersion === updateStatus.latest.version) return null;
 
   return (
diff --git a/admin/src/pages/UpdatePage.tsx b/admin/src/pages/UpdatePage.tsx
index 0d669a446f3..8e9c3354884 100644
--- a/admin/src/pages/UpdatePage.tsx
+++ b/admin/src/pages/UpdatePage.tsx
@@ -9,37 +9,75 @@ type FetchState =
   | {kind: 'error', status: number}
   | {kind: 'ok'};
 
+const IN_FLIGHT_STATUSES = ['preflight', 'draining', 'executing', 'rolling-back'];
+
 export const UpdatePage = () => {
   const {t} = useTranslation();
   const us = useStore((s) => s.updateStatus);
   const setUpdateStatus = useStore((s) => s.setUpdateStatus);
+  const log = useStore((s) => s.updateLog);
+  const setLog = useStore((s) => s.setUpdateLog);
   // Self-fetch so the page renders an explicit state even if UpdateBanner's
   // best-effort fetch never landed (route returns 404 when tier=off, 401/403
   // if requireAdminForStatus is set, or a transient network error).
   const [fetchState, setFetchState] = useState<FetchState>(us ? {kind: 'ok'} : {kind: 'loading'});
+  const [actionInFlight, setActionInFlight] = useState(false);
+
+  const refreshStatus = async () => {
+    try {
+      const r = await fetch('/admin/update/status', {credentials: 'same-origin'});
+      if (r.ok) {
+        const data = await r.json();
+        setUpdateStatus(data);
+        setFetchState({kind: 'ok'});
+      } else if (r.status === 404) {
+        setFetchState({kind: 'disabled'});
+      } else if (r.status === 401 || r.status === 403) {
+        setFetchState({kind: 'unauthorized'});
+      } else {
+        setFetchState({kind: 'error', status: r.status});
+      }
+    } catch {
+      setFetchState({kind: 'error', status: 0});
+    }
+  };
 
   useEffect(() => {
     let cancelled = false;
-    fetch('/admin/update/status', {credentials: 'same-origin'})
-      .then(async (r) => {
-        if (cancelled) return;
-        if (r.ok) {
-          const data = await r.json();
-          setUpdateStatus(data);
-          setFetchState({kind: 'ok'});
-        } else if (r.status === 404) {
-          setFetchState({kind: 'disabled'});
-        } else if (r.status === 401 || r.status === 403) {
-          setFetchState({kind: 'unauthorized'});
-        } else {
-          setFetchState({kind: 'error', status: r.status});
-        }
-      })
-      .catch(() => {
-        if (!cancelled) setFetchState({kind: 'error', status: 0});
-      });
+    void refreshStatus().then(() => { if (cancelled) return; });
     return () => { cancelled = true; };
-  }, [setUpdateStatus]);
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, []);
+
+  // Poll log + status while the executor is in flight, then stop.
+  const status = us?.execution?.status ?? 'idle';
+  const inFlight = IN_FLIGHT_STATUSES.includes(status);
+  useEffect(() => {
+    if (!inFlight) return;
+    let cancelled = false;
+    const tick = async () => {
+      if (cancelled) return;
+      try {
+        const lr = await fetch('/admin/update/log', {credentials: 'same-origin'});
+        if (lr.ok) setLog(await lr.text());
+      } catch {/* noop */}
+      await refreshStatus();
+      if (!cancelled) setTimeout(tick, 1000);
+    };
+    void tick();
+    return () => { cancelled = true; };
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [inFlight]);
+
+  const post = async (path: string) => {
+    setActionInFlight(true);
+    try {
+      await fetch(path, {method: 'POST', credentials: 'same-origin'});
+      await refreshStatus();
+    } finally {
+      setActionInFlight(false);
+    }
+  };
 
   if (fetchState.kind === 'loading') {
     return <div>{t('admin.loading', {defaultValue: 'Loading...'})}</div>;
@@ -61,16 +99,22 @@ export const UpdatePage = () => {
     );
   }
   if (fetchState.kind === 'error' || !us) {
-    const status = fetchState.kind === 'error' ? fetchState.status : 0;
+    const stat = fetchState.kind === 'error' ? fetchState.status : 0;
     return (
       <div className="update-page">
         <h1><Trans i18nKey="update.page.title"/></h1>
-        <p>{t('update.page.error', {defaultValue: 'Could not load update status (status {{status}}).', status})}</p>
+        <p>{t('update.page.error', {defaultValue: 'Could not load update status (status {{status}}).', status: stat})}</p>
       </div>
     );
   }
 
   const upToDate = !us.latest || us.currentVersion === us.latest.version;
+  const showApply = !!us.policy?.canManual
+    && (status === 'idle' || status === 'verified')
+    && !us.lockHeld
+    && !upToDate;
+  const showCancel = status === 'preflight' || status === 'draining';
+  const showAcknowledge = status === 'preflight-failed' || status === 'rolled-back' || status === 'rollback-failed';
 
   return (
     <div className="update-page">
@@ -86,7 +130,53 @@ export const UpdatePage = () => {
         <dd>{us.installMethod}</dd>
         <dt><Trans i18nKey="update.page.tier"/></dt>
         <dd>{us.tier}</dd>
+        <dt><Trans i18nKey="update.page.execution"/></dt>
+        <dd>{t(`update.execution.${status}`, {defaultValue: status})}</dd>
       </dl>
+
+      {us.lastResult && (
+        <p className={`last-result last-result-${us.lastResult.outcome}`}>
+          <Trans
+            i18nKey={`update.page.last_result.${us.lastResult.outcome}`}
+            values={{tag: us.lastResult.targetTag, reason: us.lastResult.reason ?? ''}}
+          />
+        </p>
+      )}
+
+      {us.policy && !us.policy.canManual && !upToDate && (
+        <p className="policy-deny">
+          <Trans
+            i18nKey={`update.page.policy.${us.policy.reason}`}
+            defaults={us.policy.reason}
+          />
+        </p>
+      )}
+
+      <div className="update-actions">
+        {showApply && (
+          <button onClick={() => post('/admin/update/apply')} disabled={actionInFlight}>
+            {t('update.page.apply')}
+          </button>
+        )}
+        {showCancel && (
+          <button onClick={() => post('/admin/update/cancel')} disabled={actionInFlight}>
+            {t('update.page.cancel')}
+          </button>
+        )}
+        {showAcknowledge && (
+          <button onClick={() => post('/admin/update/acknowledge')} disabled={actionInFlight}>
+            {t('update.page.acknowledge')}
+          </button>
+        )}
+      </div>
+
+      {inFlight && (
+        <section className="update-log">
+          <h2><Trans i18nKey="update.page.log"/></h2>
+          <pre style={{whiteSpace: 'pre-wrap', maxHeight: '320px', overflow: 'auto'}}>{log}</pre>
+        </section>
+      )}
+
       {upToDate ? (
         <p><Trans i18nKey="update.page.up_to_date"/></p>
       ) : us.latest ? (
diff --git a/admin/src/store/store.ts b/admin/src/store/store.ts
index f3748f47cd4..71c85b5036f 100644
--- a/admin/src/store/store.ts
+++ b/admin/src/store/store.ts
@@ -3,6 +3,26 @@ import {Socket} from "socket.io-client";
 import {PadSearchResult} from "../utils/PadSearch.ts";
 import {InstalledPlugin} from "../pages/Plugin.ts";
 
+export type Execution =
+  | {status: 'idle'}
+  | {status: 'preflight'; targetTag: string; startedAt: string}
+  | {status: 'preflight-failed'; targetTag: string; reason: string; at: string}
+  | {status: 'draining'; targetTag: string; drainEndsAt: string; startedAt: string}
+  | {status: 'executing'; targetTag: string; fromSha: string; startedAt: string}
+  | {status: 'pending-verification'; targetTag: string; fromSha: string; deadlineAt: string}
+  | {status: 'verified'; targetTag: string; verifiedAt: string}
+  | {status: 'rolling-back'; reason: string; targetTag: string; fromSha: string; at: string}
+  | {status: 'rolled-back'; reason: string; targetTag: string; restoredSha: string; at: string}
+  | {status: 'rollback-failed'; reason: string; targetTag: string; fromSha: string; at: string};
+
+export type LastResult = null | {
+  targetTag: string;
+  fromSha: string;
+  outcome: 'verified' | 'rolled-back' | 'rollback-failed' | 'preflight-failed' | 'cancelled';
+  reason: string | null;
+  at: string;
+};
+
 export interface UpdateStatusPayload {
   currentVersion: string;
   latest: null | {
@@ -18,6 +38,10 @@ export interface UpdateStatusPayload {
   tier: string;
   policy: null | {canNotify: boolean; canManual: boolean; canAuto: boolean; canAutonomous: boolean; reason: string};
   vulnerableBelow: Array<{announcedBy: string; threshold: string}>;
+  // Tier 2 additions:
+  execution: Execution;
+  lastResult: LastResult;
+  lockHeld: boolean;
 }
 
 type ToastState = {
@@ -45,6 +69,8 @@ type StoreState = {
   setInstalledPlugins: (plugins: InstalledPlugin[])=>void,
   updateStatus: UpdateStatusPayload | null,
   setUpdateStatus: (s: UpdateStatusPayload) => void,
+  updateLog: string,
+  setUpdateLog: (log: string) => void,
 }
 
 
@@ -70,4 +96,6 @@ export const useStore = create<StoreState>()((set) => ({
   setInstalledPlugins: (plugins)=>set({installedPlugins: plugins}),
   updateStatus: null,
   setUpdateStatus: (s) => set({updateStatus: s}),
+  updateLog: '',
+  setUpdateLog: (log) => set({updateLog: log}),
 }));
diff --git a/doc/admin/updates.md b/doc/admin/updates.md
index 852912de3d9..ddafa889d26 100644
--- a/doc/admin/updates.md
+++ b/doc/admin/updates.md
@@ -1,8 +1,11 @@
 # Etherpad updates
 
-Etherpad ships with a built-in update subsystem. **Tier 1 (notify)** is enabled by default: a banner appears in the admin UI when a new release is available, and pad users see a discreet badge if the running version is severely outdated or flagged as vulnerable. No automatic execution happens at this tier — admins are simply informed.
+Etherpad ships with a built-in update subsystem.
 
-Tiers 2 (manual click), 3 (auto with grace window), and 4 (autonomous in maintenance window) are designed but not yet implemented. They will land in subsequent releases.
+- **Tier 1 (notify)** — default. A banner appears in the admin UI when a new release is available, and pad users see a discreet badge if the running version is severely outdated or flagged as vulnerable. No execution.
+- **Tier 2 (manual click)** — admins on a git install can click "Apply update" at `/admin/update`. Etherpad drains active sessions, runs `git fetch / checkout / pnpm install / pnpm run build:ui`, and exits with code 75 so a process supervisor restarts it on the new version. Auto-rolls back on failure.
+- **Tier 3 (auto with grace window)** — designed, not yet implemented.
+- **Tier 4 (autonomous in maintenance window)** — designed, not yet implemented.
 
 ## Settings
 
@@ -17,7 +20,14 @@ In `settings.json`:
     "installMethod": "auto",
     "checkIntervalHours": 6,
     "githubRepo": "ether/etherpad",
-    "requireAdminForStatus": false
+    "requireAdminForStatus": false,
+    // Tier 2+ knobs (only meaningful at tier "manual" or higher):
+    "preApplyGraceMinutes": 0,
+    "drainSeconds": 60,
+    "rollbackHealthCheckSeconds": 60,
+    "diskSpaceMinMB": 500,
+    "requireSignature": false,
+    "trustedKeysPath": null
   },
   "adminEmail": null
 }
@@ -32,6 +42,12 @@ In `settings.json`:
 | `updates.checkIntervalHours` | `6` | How often to poll GitHub Releases. |
 | `updates.githubRepo` | `"ether/etherpad"` | Override for forks. |
 | `updates.requireAdminForStatus` | `false` | Lock the `/admin/update/status` endpoint to authenticated admin sessions. Default `false` matches existing Etherpad behavior — `/health` already exposes `releaseId` publicly, and changelog data comes from a public GitHub release. Set `true` to hide the full update payload from non-admins without disabling the updater (`tier: "off"` is the heavier opt-out that removes the endpoints entirely). |
+| `updates.preApplyGraceMinutes` | `0` | **Tier 3 only.** Wait this many minutes between detecting a new release and starting the drain so the admin can cancel. Has no effect at tier `"manual"`. |
+| `updates.drainSeconds` | `60` | How long to broadcast "restart imminent" announcements to active pads before exiting. T-60 / T-30 / T-10 broadcasts fire automatically at the matching offsets within this window. |
+| `updates.rollbackHealthCheckSeconds` | `60` | After a fresh boot post-update, give `/health` this long to come up. If it doesn't, RollbackHandler restores the previous SHA. |
+| `updates.diskSpaceMinMB` | `500` | Pre-flight refuses to start an update unless the install volume has at least this many MB free. |
+| `updates.requireSignature` | `false` | When `true`, refuse updates whose tag is not signed by a trusted key. Verification is done via `git verify-tag <tag>` against the user's GPG keyring. Default `false` because Etherpad's release process does not yet sign tags consistently — turning the check on by default would block every Tier 2 update. Set `true` if you run your own builds or have imported a fork's keys. |
+| `updates.trustedKeysPath` | `null` | Override the keyring location passed to `git verify-tag` via the `$GNUPGHOME` env var. Useful when the trusted keys live in a dedicated keyring outside the Etherpad user's home. Only meaningful when `requireSignature: true`. |
 | `adminEmail` | `null` | Top-level. Contact for admin notifications. Setting it enables the email nudges below. |
 
 ## What "outdated" means
@@ -81,3 +97,68 @@ The version check sends no telemetry. Etherpad fetches the public GitHub Release
 Set the value explicitly if the heuristics get it wrong (e.g., a docker container that bind-mounts a writable git checkout).
 
 In PR 1 (notify only) the install method does not change behavior — every install method gets the banner. From PR 2 onward the install method gates whether the manual-click and automatic tiers can run; only `"git"` is initially supported for write tiers.
+
+## Tier 2 — manual click
+
+Tier 2 is opt-in. To enable: set `updates.tier: "manual"` and ensure your install was deployed via git (not docker / npm / managed package).
+
+### Process supervisor is required
+
+Etherpad applies an update by **exiting with code 75** so a process supervisor restarts it. Without a supervisor the instance simply exits and stays down. Common supervisor setups:
+
+- **systemd:** add `Restart=on-failure` + `RestartSec=5` to your unit file.
+- **pm2:** the default behaviour restarts on exit.
+- **docker:** add `--restart=unless-stopped` (Tier 2 itself is not supported on docker installs anyway, but if you wrap your own image around a git checkout this applies).
+
+### What clicking "Apply update" does
+
+1. **Lock acquire** — `var/update.lock` (PID-based, stale locks reaped automatically).
+2. **Pre-flight checks** — install method writable, working tree clean, free disk ≥ `diskSpaceMinMB`, `pnpm` on `PATH`, target tag exists at the configured remote, signature verifies (if `requireSignature: true`). On failure, state goes to `preflight-failed` with a typed reason; the admin sees a banner and clicks **Acknowledge** to clear it. No filesystem mutation has happened — nothing to roll back.
+3. **Drain** — `drainSeconds` window during which T-60 / T-30 / T-10 announcements broadcast to every connected pad and new socket connections are refused. Click **Cancel** during this window to abort cleanly.
+4. **Execute** — `git fetch --tags origin`, `git checkout <tag>`, `pnpm install --frozen-lockfile`, `pnpm run build:ui`. Output streams to `var/log/update.log` (rotated 10 MB × 5).
+5. **Exit 75** — the supervisor restarts on the new version.
+6. **Health check** — RollbackHandler arms a `rollbackHealthCheckSeconds` timer at boot. When `/health` responds 200 (i.e., Etherpad reaches the `RUNNING` state) the timer cancels and the state lands on `verified`.
+
+### Failure modes
+
+| What went wrong | Resulting state | Admin action |
+| --- | --- | --- |
+| Pre-flight check fails | `preflight-failed` | Click **Acknowledge** after fixing the underlying issue (free up disk, clean working tree, etc.). |
+| `git fetch` / `git checkout` fails mid-flow | `rolled-back` | Informational. The working tree is back where it started; click **Acknowledge** to clear. |
+| `pnpm install` or `pnpm run build:ui` fails | `rolled-back` | Same as above. The lockfile and SHA are restored. |
+| `/health` doesn't come up within `rollbackHealthCheckSeconds` | `rolled-back` | Same — RollbackHandler restores the previous SHA + lockfile and exits 75 again. |
+| The new version crashes at boot more than twice (`bootCount > 2`) | `rolled-back` | Crash-loop guard kicks in regardless of the health-check timer. |
+| Rollback itself fails (e.g., `pnpm install` errors restoring old lockfile) | `rollback-failed` | **Manual intervention required.** The admin banner switches to a strong red alert. Restore the install by hand, then click **Acknowledge** to clear the lock and re-allow Tier 2 attempts. |
+
+### Endpoints
+
+All Tier 2 endpoints require an authenticated admin session (`is_admin: true`) regardless of `requireAdminForStatus`.
+
+- `POST /admin/update/apply` — start an apply. Returns `202 {accepted, drainEndsAt}` once the drain begins. Body unused.
+- `POST /admin/update/cancel` — cancel during pre-flight or drain. Returns `409` once the executor has begun mutating the filesystem (state machine guarantees we either complete or roll back from there).
+- `POST /admin/update/acknowledge` — clear a terminal `preflight-failed` / `rolled-back` / `rollback-failed` state back to `idle`.
+- `GET /admin/update/log` — tail the last 200 lines of `var/log/update.log`. Plain text. Used by the in-progress UI.
+
+### Signature verification
+
+Default off. Etherpad releases are not yet consistently signed; turning verification on by default would block every Tier 2 update. To enable:
+
+```jsonc
+"updates": {
+  "requireSignature": true,
+  "trustedKeysPath": "/srv/etherpad/keys"   // optional — defaults to the OS user keyring
+}
+```
+
+The check shells out to `git verify-tag <tag>`. The keyring at `trustedKeysPath` is passed to git via `GNUPGHOME`. If `trustedKeysPath` is `null` (default), the OS user's default keyring is used.
+
+### Docker-friendly update flows (future work)
+
+Tier 2 deliberately refuses to apply on `installMethod: "docker"` because in-container `git fetch / pnpm install / build:ui` doesn't survive a container restart — the orchestrator brings the container back up on the same image tag and the work is lost. Docker installs stay on Tier 1 (banner + version status) for now.
+
+The right way to give docker admins an in-product Apply button is to delegate to the orchestrator rather than mutate the container. Two patterns to consider in a follow-up PR:
+
+- **Instructions-only.** When the page detects `installMethod: docker` *and* a newer release exists, swap the policy-denial copy for actionable instructions (`docker pull etherpad/etherpad:<tag>` for plain docker; `docker compose pull && docker compose up -d` for compose). Cheap, no new attack surface.
+- **Deploy webhook.** New setting `updates.dockerWebhook`. When set, the Apply button on a docker install POSTs to the configured URL and trusts the orchestrator (Render / Railway / Fly / Portainer / Coolify / GitHub Actions — they all expose redeploy webhooks) to do the actual pull-and-recreate.
+
+Direct Docker-socket access (mount `/var/run/docker.sock` into the container) is **out of scope** — anyone who escapes the Etherpad process via that socket gets root on the host. Admins who want fully autonomous docker updates should run [Watchtower](https://containrrr.dev/watchtower/) alongside Etherpad rather than bake equivalent privilege into Etherpad itself.
diff --git a/docs/superpowers/plans/2026-05-08-auto-update-pr2-manual-click.md b/docs/superpowers/plans/2026-05-08-auto-update-pr2-manual-click.md
new file mode 100644
index 00000000000..2840f0ff214
--- /dev/null
+++ b/docs/superpowers/plans/2026-05-08-auto-update-pr2-manual-click.md
@@ -0,0 +1,3222 @@
+# Auto-Update PR 2 — Tier 2 (Manual Click) Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Ship Tier 2 of the four-tier auto-update subsystem: an admin can click "Apply now" on the existing `/admin/update` page, Etherpad drains active sessions for 60s, runs `git fetch / checkout / pnpm install --frozen-lockfile / pnpm run build:ui`, exits 75 for a process supervisor to restart, and on the next boot a health-check timer either marks the update verified or rolls back.
+
+**Architecture:** Build atomic primitives (lock, executor, rollback, drainer) under `src/node/updater/`, expose four admin-only state-changing endpoints (`apply`, `cancel`, `acknowledge`, `log`) plus log-tail streaming, wire RollbackHandler into the boot sequence, and extend the existing `/admin/update` page with an Apply button + log view + terminal-state acknowledgement UI. Every executable step goes through dependency-injected `spawn`/`fetch`/`fs` so we can run the full pipeline in tests against a tmp git repo without mutating the real install.
+
+**Tech Stack:** TypeScript (Node 20+), `child_process.spawn`, `node:fs/promises`, log4js (rolling-file appender), express + supertest (mocha integration), vitest (unit), React + zustand + react-i18next (admin UI), Playwright (admin E2E).
+
+**Spec:** `docs/superpowers/specs/2026-04-25-auto-update-design.md` (sections "Architecture / Components", "API surface / Tier 2 — manual click", "Error handling", "Phased rollout / PR 2").
+
+**Out of scope (deferred):** Tier 3 Scheduler + grace window, Tier 4 MaintenanceWindow, real GPG signature verification (we ship a feature-flagged stub gated by `updates.requireSignature: false`; documented as follow-up).
+
+---
+
+## File Structure
+
+### New files
+- `src/node/updater/lock.ts` — PID-based file lock (`var/update.lock`), stale-pid reaper.
+- `src/node/updater/trustedKeys.ts` — release-tag signature verification (stubbed unless `requireSignature: true`).
+- `src/node/updater/preflight.ts` — pure-ish pre-flight checks (working tree clean, disk space, lock free, install method writable, target tag exists, sig verifies).
+- `src/node/updater/UpdateExecutor.ts` — child-process orchestration (snapshot → fetch → checkout → install → build → exit 75). All shell-outs go through an injected `spawnFn`.
+- `src/node/updater/RollbackHandler.ts` — boot-time pending-verification check, 60s health timer, crash-loop guard, restore SHA + lockfile + retry install on failure.
+- `src/node/updater/SessionDrainer.ts` — broadcasts shoutMessage at T-60/-30/-10, refuses new socket connections via a module flag.
+- `src/node/updater/updateLog.ts` — log4js rolling-file appender pointed at `var/log/update.log` (10MB × 5) + `tailLines(n)` helper.
+- `src/node/hooks/express/updateActions.ts` — registers `POST /admin/update/{apply,cancel,acknowledge}` and `GET /admin/update/log`. Strict admin auth on all four.
+- `src/tests/backend-new/specs/updater/lock.test.ts`
+- `src/tests/backend-new/specs/updater/preflight.test.ts`
+- `src/tests/backend-new/specs/updater/UpdateExecutor.test.ts`
+- `src/tests/backend-new/specs/updater/RollbackHandler.test.ts`
+- `src/tests/backend-new/specs/updater/SessionDrainer.test.ts`
+- `src/tests/backend-new/specs/updater/updateLog.test.ts`
+- `src/tests/backend/specs/updateActions.ts` — mocha integration tests for apply/cancel/acknowledge/log.
+- `src/tests/backend/specs/updater-integration.ts` — end-to-end against a tmp git repo (happy path, install-fail rollback, build-fail rollback, health-check timeout, crash-loop forced rollback, terminal `rollback-failed` blocks auto/autonomous but allows manual).
+- `src/tests/frontend-new/admin-spec/update-page-actions.spec.ts` — Playwright: Apply button, log stream visibility, terminal-state Acknowledge, refusal when policy denies.
+- `doc/admin/updates.md` — extend with Tier 2 docs (Apply flow, settings, supervisor requirement).
+
+### Modified files
+- `src/node/updater/types.ts` — extend `UpdateState` with `execution: ExecutionState`, `bootCount: number`, `lastResult`. Add discriminated `ExecutionStatus` union covering all states from the spec's state machine.
+- `src/node/updater/state.ts` — extend the `isValid` validator to cover the new fields; backfill defaults during load so state files written by PR 1 still load.
+- `src/node/updater/UpdatePolicy.ts` — extend `evaluatePolicy` so `canManual` returns false in `rollback-failed`-equivalent terminal states only when `purpose === 'auto'`; manual remains permitted (admin clicking Apply *is* the intervention). Add `purpose: 'manual' | 'auto'` to the input.
+- `src/node/updater/index.ts` — call RollbackHandler.checkPendingVerification at boot before VersionChecker starts; expose getters needed by routes.
+- `src/node/utils/Settings.ts` — add `updates.preApplyGraceMinutes` (default 0 in PR 2; tier 3 makes it meaningful), `updates.drainSeconds` (default 60), `updates.rollbackHealthCheckSeconds` (default 60), `updates.diskSpaceMinMB` (default 500), `updates.requireSignature` (default false), `updates.trustedKeysPath` (default null).
+- `settings.json.template`, `settings.json.docker` — add the new `updates.*` keys with shipped defaults and a comment block.
+- `src/static/js/pad_utils.js` (or the COLLABROOM message handler) — recognise a new `shoutMessage` subtype `update-drain` so the drain notice has its own translatable string and CSS hook (the spec calls this a "system message at T-60/T-30/T-10"; we route it through the existing shout pipeline).
+- `src/locales/en.json` — add `update.page.apply`, `update.page.cancel`, `update.page.acknowledge`, `update.page.log`, `update.page.execution`, `update.page.policy.*`, `update.page.last_result.*`, `update.execution.*`, `update.banner.terminal.rollback-failed`, `update.drain.t60`, `update.drain.t30`, `update.drain.t10`.
+- `admin/src/store/store.ts` — extend `UpdateStatusPayload` with `execution`, `bootCount`, `lastResult` to match server shape; add `setUpdateLog` slice.
+- `admin/src/pages/UpdatePage.tsx` — Apply / Cancel / Acknowledge buttons (gated on `policy.canManual`), polling log view while `execution.status === 'executing' | 'draining'`, terminal-state copy + Acknowledge button.
+- `admin/src/components/UpdateBanner.tsx` — surface terminal states (`rollback-failed`, `preflight-failed`, `rolled-back-*`) with stronger copy.
+- `CHANGELOG.md` — Unreleased section entry.
+
+---
+
+## Conventions
+
+- **Test runners:** unit specs go under `src/tests/backend-new/specs/updater/*.test.ts` and run with vitest (`pnpm vitest run path/to/file`). Integration/API specs go under `src/tests/backend/specs/*.ts` and run with mocha via `pnpm run test --runInBand` or `pnpm run test -- --grep <name>`.
+- **TDD loop:** write the failing test, run it, see the expected failure mode, write the minimum code to pass, run again, commit.
+- **Commits:** one per task. Conventional Commits style. The footer used elsewhere on this branch is `Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>`.
+- **No new "etherpad-lite" references** — the project is now "etherpad" in user-facing strings, docs, and configs (memory: `feedback_no_etherpad_lite_name`).
+- **Always i18n** — never hardcode user-facing English (memory: `feedback_always_i18n`). Use existing keys when possible.
+- **Working tree:** before starting, switch to a fresh branch off `develop`. Never push to `develop` or `main` directly (memory: `feedback_no_direct_push`).
+
+---
+
+## Task 0: Branch off develop
+
+**Files:** none (git only).
+
+- [ ] **Step 1: Stash anything dirty, switch to develop, pull, branch off**
+
+```bash
+git stash push -u -m "wip-7696-popup-scroll" || true
+git fetch origin
+git checkout develop
+git pull --ff-only origin develop
+git checkout -b feat/7607-auto-update-tier2-manual-click
+```
+
+Expected: branch `feat/7607-auto-update-tier2-manual-click` based on latest `origin/develop`.
+
+- [ ] **Step 2: Confirm Tier 1 surface still passes**
+
+Run: `pnpm run ts-check && pnpm vitest run src/tests/backend-new/specs/updater`
+Expected: PASS (we are baselining before adding code).
+
+---
+
+## Task 1: Extend types + state validator + settings for Tier 2
+
+**Files:**
+- Modify: `src/node/updater/types.ts`
+- Modify: `src/node/updater/state.ts`
+- Modify: `src/node/utils/Settings.ts`
+- Modify: `settings.json.template`
+- Modify: `settings.json.docker`
+- Test: `src/tests/backend-new/specs/updater/state.test.ts` (existing — extend)
+
+- [ ] **Step 1: Add a failing test for the extended state shape**
+
+Append to `src/tests/backend-new/specs/updater/state.test.ts` inside its existing `describe`:
+
+```typescript
+import {EMPTY_STATE} from '../../../../node/updater/types';
+
+describe('Tier 2 state extensions', () => {
+  it('EMPTY_STATE carries an idle execution block, bootCount 0, no lastResult', () => {
+    expect(EMPTY_STATE.execution).toEqual({status: 'idle'});
+    expect(EMPTY_STATE.bootCount).toBe(0);
+    expect(EMPTY_STATE.lastResult).toBeNull();
+  });
+
+  it('loadState backfills missing Tier 2 fields on a Tier 1 file', async () => {
+    const tmp = path.join(os.tmpdir(), `state-${Date.now()}.json`);
+    await fs.writeFile(tmp, JSON.stringify({
+      schemaVersion: 1, lastCheckAt: null, lastEtag: null, latest: null,
+      vulnerableBelow: [], email: {severeAt: null, vulnerableAt: null, vulnerableNewReleaseTag: null},
+    }));
+    const state = await loadState(tmp);
+    expect(state.execution).toEqual({status: 'idle'});
+    expect(state.bootCount).toBe(0);
+    expect(state.lastResult).toBeNull();
+    await fs.unlink(tmp);
+  });
+
+  it('rejects a malformed execution block by resetting to EMPTY_STATE', async () => {
+    const tmp = path.join(os.tmpdir(), `state-${Date.now()}.json`);
+    await fs.writeFile(tmp, JSON.stringify({
+      schemaVersion: 1, lastCheckAt: null, lastEtag: null, latest: null,
+      vulnerableBelow: [], email: {severeAt: null, vulnerableAt: null, vulnerableNewReleaseTag: null},
+      execution: 'not-an-object',
+    }));
+    const state = await loadState(tmp);
+    expect(state).toEqual(EMPTY_STATE);
+    await fs.unlink(tmp);
+  });
+});
+```
+
+(Add `import os from 'node:os'` and `import fs from 'node:fs/promises'` at the top of the file if not present.)
+
+- [ ] **Step 2: Run the test to confirm it fails**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/state.test.ts`
+Expected: FAIL on `EMPTY_STATE.execution` being undefined.
+
+- [ ] **Step 3: Extend `types.ts`**
+
+Replace the bottom of `src/node/updater/types.ts` (`UpdateState` interface and `EMPTY_STATE`) with:
+
+```typescript
+/**
+ * Discriminated union mirroring the state machine in
+ * docs/superpowers/specs/2026-04-25-auto-update-design.md (section "State machine").
+ *
+ * Terminal states (`rollback-failed`) require an admin POST to /admin/update/acknowledge
+ * before further auto/autonomous attempts are allowed. Manual updates remain permitted
+ * because an admin clicking Apply *is* the intervention.
+ */
+export type ExecutionStatus =
+  | {status: 'idle'}
+  | {status: 'preflight'; targetTag: string; startedAt: string}
+  | {status: 'preflight-failed'; targetTag: string; reason: string; at: string}
+  | {status: 'draining'; targetTag: string; drainEndsAt: string; startedAt: string}
+  | {status: 'executing'; targetTag: string; fromSha: string; startedAt: string}
+  | {status: 'pending-verification'; targetTag: string; fromSha: string; deadlineAt: string}
+  | {status: 'verified'; targetTag: string; verifiedAt: string}
+  | {status: 'rolling-back'; reason: string; targetTag: string; fromSha: string; at: string}
+  | {status: 'rolled-back'; reason: string; targetTag: string; restoredSha: string; at: string}
+  | {status: 'rollback-failed'; reason: string; targetTag: string; fromSha: string; at: string};
+
+export type LastUpdateResult = {
+  /** Tag we were updating to. */
+  targetTag: string;
+  /** SHA we were updating from. */
+  fromSha: string;
+  /** Outcome to surface in admin UI. */
+  outcome: 'verified' | 'rolled-back' | 'rollback-failed' | 'preflight-failed' | 'cancelled';
+  /** Human-readable reason on non-success. */
+  reason: string | null;
+  /** ISO timestamp when this result was finalised. */
+  at: string;
+} | null;
+
+export interface UpdateState {
+  schemaVersion: 1;
+  lastCheckAt: string | null;
+  lastEtag: string | null;
+  latest: ReleaseInfo | null;
+  vulnerableBelow: VulnerableBelowDirective[];
+  email: EmailSendLog;
+  /** Current in-flight execution state. Persisted so a restart mid-update reaches RollbackHandler. */
+  execution: ExecutionStatus;
+  /**
+   * Boot counter that the RollbackHandler increments while a `pending-verification`
+   * status is live. > 2 means the new version crash-looped; force rollback regardless of timer.
+   */
+  bootCount: number;
+  /** Most recent terminal outcome, surfaced in admin UI even after `execution` returns to idle. */
+  lastResult: LastUpdateResult;
+}
+
+export const EMPTY_STATE: UpdateState = {
+  schemaVersion: 1,
+  lastCheckAt: null,
+  lastEtag: null,
+  latest: null,
+  vulnerableBelow: [],
+  email: {
+    severeAt: null,
+    vulnerableAt: null,
+    vulnerableNewReleaseTag: null,
+  },
+  execution: {status: 'idle'},
+  bootCount: 0,
+  lastResult: null,
+};
+```
+
+- [ ] **Step 4: Extend `state.ts` validators**
+
+In `src/node/updater/state.ts`, add these helpers above `isValid` and call them from `isValid`:
+
+```typescript
+const VALID_STATUSES = new Set([
+  'idle', 'preflight', 'preflight-failed', 'draining', 'executing',
+  'pending-verification', 'verified', 'rolling-back', 'rolled-back', 'rollback-failed',
+]);
+
+const isValidExecution = (v: unknown): boolean => {
+  if (!isPlainObject(v)) return false;
+  return typeof v.status === 'string' && VALID_STATUSES.has(v.status as string);
+};
+
+const isValidLastResult = (v: unknown): boolean => {
+  if (v === null) return true;
+  if (!isPlainObject(v)) return false;
+  return typeof v.targetTag === 'string'
+    && typeof v.fromSha === 'string'
+    && typeof v.outcome === 'string'
+    && (v.reason === null || typeof v.reason === 'string')
+    && typeof v.at === 'string';
+};
+```
+
+Update `isValid` to *backfill* the new fields if missing instead of rejecting (to keep PR 1 state files loadable), and reject only when present-and-malformed:
+
+```typescript
+const isValid = (raw: unknown): raw is UpdateState => {
+  if (!isPlainObject(raw)) return false;
+  if (raw.schemaVersion !== 1) return false;
+  if (!isStringOrNull(raw.lastCheckAt)) return false;
+  if (!isStringOrNull(raw.lastEtag)) return false;
+  if (!isValidLatest(raw.latest)) return false;
+  if (!isValidVulnerableBelow(raw.vulnerableBelow)) return false;
+  if (!isValidEmail(raw.email)) return false;
+  // PR 2 fields: missing → backfill at load time; present-but-wrong → reject.
+  if (raw.execution !== undefined && !isValidExecution(raw.execution)) return false;
+  if (raw.bootCount !== undefined && typeof raw.bootCount !== 'number') return false;
+  if (raw.lastResult !== undefined && !isValidLastResult(raw.lastResult)) return false;
+  return true;
+};
+```
+
+Update `loadState` to splat defaults for the new fields:
+
+```typescript
+export const loadState = async (filePath: string): Promise<UpdateState> => {
+  let raw: string;
+  try {
+    raw = await fs.readFile(filePath, 'utf8');
+  } catch (err: any) {
+    if (err.code === 'ENOENT') return structuredClone(EMPTY_STATE);
+    throw err;
+  }
+  let parsed: unknown;
+  try { parsed = JSON.parse(raw); } catch { return structuredClone(EMPTY_STATE); }
+  if (!isValid(parsed)) return structuredClone(EMPTY_STATE);
+  // Backfill PR 2 fields on a Tier 1 state file.
+  return {
+    ...structuredClone(EMPTY_STATE),
+    ...(parsed as object),
+    execution: (parsed as any).execution ?? structuredClone(EMPTY_STATE.execution),
+    bootCount: (parsed as any).bootCount ?? 0,
+    lastResult: (parsed as any).lastResult ?? null,
+  };
+};
+```
+
+- [ ] **Step 5: Extend `Settings.ts` typing and defaults**
+
+In the `SettingsType.updates` block (around line 326) add:
+
+```typescript
+  preApplyGraceMinutes: number,
+  drainSeconds: number,
+  rollbackHealthCheckSeconds: number,
+  diskSpaceMinMB: number,
+  requireSignature: boolean,
+  trustedKeysPath: string | null,
+```
+
+In the `settings: SettingsType = { ... updates: { ... } ... }` defaults (around line 506) add:
+
+```typescript
+    preApplyGraceMinutes: 0,
+    drainSeconds: 60,
+    rollbackHealthCheckSeconds: 60,
+    diskSpaceMinMB: 500,
+    requireSignature: false,
+    trustedKeysPath: null,
+```
+
+Add the same keys to `settings.json.template` and `settings.json.docker` inside their `updates` blocks. Comment in template:
+
+```jsonc
+  "updates": {
+    "tier": "notify",
+    /* ... existing keys ... */
+    /* Tier 2+ knobs (only meaningful at tier "manual" or higher) */
+    "preApplyGraceMinutes": 0,
+    "drainSeconds": 60,
+    "rollbackHealthCheckSeconds": 60,
+    "diskSpaceMinMB": 500,
+    /* When true, refuse updates whose tag is not signed by a trusted key. */
+    "requireSignature": false,
+    "trustedKeysPath": null
+  },
+```
+
+- [ ] **Step 6: Run the tests**
+
+```bash
+pnpm vitest run src/tests/backend-new/specs/updater/state.test.ts
+pnpm run ts-check
+```
+
+Expected: state tests PASS, ts-check clean.
+
+- [ ] **Step 7: Commit**
+
+```bash
+git add src/node/updater/types.ts src/node/updater/state.ts \
+  src/node/utils/Settings.ts settings.json.template settings.json.docker \
+  src/tests/backend-new/specs/updater/state.test.ts
+git commit -m "$(cat <<'EOF'
+feat(updater): extend state + settings for Tier 2 manual-click
+
+Adds ExecutionStatus discriminated union, bootCount, and lastResult to
+UpdateState, plus the preApplyGraceMinutes/drainSeconds/diskSpaceMinMB/
+requireSignature/trustedKeysPath knobs that Tier 2's executor needs.
+loadState backfills the new fields on Tier 1 state files so existing
+installs keep working.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 2: PID-based update lock
+
+**Files:**
+- Create: `src/node/updater/lock.ts`
+- Test: `src/tests/backend-new/specs/updater/lock.test.ts`
+
+The lock at `var/update.lock` carries the holder's PID. A second acquire reads the file, sends signal 0 to the recorded PID; if the PID is gone (ESRCH) the lock is stale and we reap it.
+
+- [ ] **Step 1: Write failing test**
+
+Create `src/tests/backend-new/specs/updater/lock.test.ts`:
+
+```typescript
+import {describe, it, expect, beforeEach, afterEach} from 'vitest';
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import os from 'node:os';
+import {acquireLock, releaseLock, isHeld} from '../../../../node/updater/lock';
+
+describe('update lock', () => {
+  let dir: string;
+  let lockPath: string;
+  beforeEach(async () => {
+    dir = await fs.mkdtemp(path.join(os.tmpdir(), 'updater-lock-'));
+    lockPath = path.join(dir, 'update.lock');
+  });
+  afterEach(async () => {
+    await fs.rm(dir, {recursive: true, force: true});
+  });
+
+  it('acquires and releases', async () => {
+    expect(await acquireLock(lockPath)).toBe(true);
+    expect(await isHeld(lockPath)).toBe(true);
+    await releaseLock(lockPath);
+    expect(await isHeld(lockPath)).toBe(false);
+  });
+
+  it('rejects a second acquire while live', async () => {
+    expect(await acquireLock(lockPath)).toBe(true);
+    expect(await acquireLock(lockPath)).toBe(false);
+    await releaseLock(lockPath);
+  });
+
+  it('reaps a stale lock whose PID is gone', async () => {
+    // Write a lock claiming a PID that almost certainly does not exist.
+    await fs.writeFile(lockPath, JSON.stringify({pid: 2147483646, at: new Date().toISOString()}));
+    expect(await acquireLock(lockPath)).toBe(true);
+    await releaseLock(lockPath);
+  });
+
+  it('treats an unparseable lock file as stale', async () => {
+    await fs.writeFile(lockPath, 'garbage');
+    expect(await acquireLock(lockPath)).toBe(true);
+    await releaseLock(lockPath);
+  });
+});
+```
+
+- [ ] **Step 2: Run — expect fail (module missing)**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/lock.test.ts`
+Expected: FAIL with import error.
+
+- [ ] **Step 3: Implement lock**
+
+Create `src/node/updater/lock.ts`:
+
+```typescript
+import fs from 'node:fs/promises';
+import path from 'node:path';
+
+interface LockFile {pid: number; at: string}
+
+const isPidLive = (pid: number): boolean => {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err: any) {
+    // ESRCH = no such process (stale). EPERM = exists but we can't signal — treat as live.
+    return err.code !== 'ESRCH';
+  }
+};
+
+const readIfPresent = async (lockPath: string): Promise<LockFile | null> => {
+  let raw: string;
+  try { raw = await fs.readFile(lockPath, 'utf8'); }
+  catch (err: any) { return err.code === 'ENOENT' ? null : null; }
+  try {
+    const parsed = JSON.parse(raw);
+    if (typeof parsed?.pid !== 'number' || typeof parsed?.at !== 'string') return null;
+    return parsed;
+  } catch { return null; }
+};
+
+/**
+ * Atomic acquire via O_CREAT|O_EXCL. If the file already exists, the holder's PID
+ * is checked; if dead, we reap and retry once. Returns false on a live conflict.
+ */
+export const acquireLock = async (lockPath: string): Promise<boolean> => {
+  await fs.mkdir(path.dirname(lockPath), {recursive: true});
+  const payload = JSON.stringify({pid: process.pid, at: new Date().toISOString()});
+  try {
+    const fh = await fs.open(lockPath, 'wx');
+    try { await fh.writeFile(payload); } finally { await fh.close(); }
+    return true;
+  } catch (err: any) {
+    if (err.code !== 'EEXIST') throw err;
+  }
+  const existing = await readIfPresent(lockPath);
+  if (existing && isPidLive(existing.pid)) return false;
+  // Stale — unlink and retry once. A concurrent reaper may beat us, so EEXIST is also "no".
+  try { await fs.unlink(lockPath); } catch (err: any) { if (err.code !== 'ENOENT') throw err; }
+  try {
+    const fh = await fs.open(lockPath, 'wx');
+    try { await fh.writeFile(payload); } finally { await fh.close(); }
+    return true;
+  } catch (err: any) {
+    if (err.code === 'EEXIST') return false;
+    throw err;
+  }
+};
+
+export const releaseLock = async (lockPath: string): Promise<void> => {
+  try { await fs.unlink(lockPath); }
+  catch (err: any) { if (err.code !== 'ENOENT') throw err; }
+};
+
+export const isHeld = async (lockPath: string): Promise<boolean> => {
+  const f = await readIfPresent(lockPath);
+  return !!f && isPidLive(f.pid);
+};
+```
+
+- [ ] **Step 4: Run — expect pass**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/lock.test.ts`
+Expected: PASS (4 tests).
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add src/node/updater/lock.ts src/tests/backend-new/specs/updater/lock.test.ts
+git commit -m "$(cat <<'EOF'
+feat(updater): PID-based update.lock with stale-pid reaping
+
+Single-flight guard for Tier 2's UpdateExecutor. Atomic O_CREAT|O_EXCL
+acquire; on EEXIST, sends signal 0 to the recorded PID and reaps if dead.
+Unparseable lock files are treated as stale rather than fatal so a
+half-written lock from a SIGKILL'd parent doesn't lock the install out.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 3: Trusted-keys / signature verification stub
+
+**Files:**
+- Create: `src/node/updater/trustedKeys.ts`
+- Test: `src/tests/backend-new/specs/updater/trustedKeys.test.ts`
+
+We ship a feature-flagged signature verifier. With `updates.requireSignature: false` (default) we log a one-line warning and return `ok`. With `requireSignature: true` we shell out to `git verify-tag <tag>` and require exit 0; the trusted set is whatever keys are imported into the Etherpad user's GnuPG keyring (or a custom keyring at `updates.trustedKeysPath` — passed to git via `GNUPGHOME`). Real key-rotation policy is documented as follow-up; this gives admins who care a working knob today.
+
+- [ ] **Step 1: Failing test**
+
+Create `src/tests/backend-new/specs/updater/trustedKeys.test.ts`:
+
+```typescript
+import {describe, it, expect, vi} from 'vitest';
+import {verifyReleaseTag} from '../../../../node/updater/trustedKeys';
+
+describe('verifyReleaseTag', () => {
+  it('returns ok when requireSignature is false (no spawn)', async () => {
+    const spawnFn = vi.fn();
+    const r = await verifyReleaseTag({
+      tag: 'v2.7.3', repoDir: '/tmp/x', requireSignature: false,
+      trustedKeysPath: null, spawnFn: spawnFn as any,
+    });
+    expect(r).toEqual({ok: true, reason: 'signature-not-required'});
+    expect(spawnFn).not.toHaveBeenCalled();
+  });
+
+  it('returns ok on git verify-tag exit 0', async () => {
+    const spawnFn = vi.fn(() => ({on: (e: string, cb: any) => e === 'close' && setTimeout(() => cb(0), 0)}));
+    const r = await verifyReleaseTag({
+      tag: 'v2.7.3', repoDir: '/tmp/x', requireSignature: true,
+      trustedKeysPath: null, spawnFn: spawnFn as any,
+    });
+    expect(r.ok).toBe(true);
+    expect(spawnFn).toHaveBeenCalledWith(
+      'git',
+      ['verify-tag', 'v2.7.3'],
+      expect.objectContaining({cwd: '/tmp/x'}),
+    );
+  });
+
+  it('returns failure on non-zero exit', async () => {
+    const spawnFn = vi.fn(() => ({on: (e: string, cb: any) => e === 'close' && setTimeout(() => cb(1), 0)}));
+    const r = await verifyReleaseTag({
+      tag: 'v2.7.3', repoDir: '/tmp/x', requireSignature: true,
+      trustedKeysPath: null, spawnFn: spawnFn as any,
+    });
+    expect(r).toEqual({ok: false, reason: 'signature-verification-failed'});
+  });
+
+  it('passes GNUPGHOME when trustedKeysPath is set', async () => {
+    const calls: any[] = [];
+    const spawnFn = vi.fn((cmd: string, args: string[], opts: any) => {
+      calls.push({cmd, args, env: opts.env});
+      return {on: (e: string, cb: any) => e === 'close' && setTimeout(() => cb(0), 0)} as any;
+    });
+    await verifyReleaseTag({
+      tag: 'v2.7.3', repoDir: '/tmp/x', requireSignature: true,
+      trustedKeysPath: '/srv/etherpad/keys', spawnFn: spawnFn as any,
+    });
+    expect(calls[0].env.GNUPGHOME).toBe('/srv/etherpad/keys');
+  });
+});
+```
+
+- [ ] **Step 2: Run — fail**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/trustedKeys.test.ts`
+Expected: FAIL (module missing).
+
+- [ ] **Step 3: Implement**
+
+Create `src/node/updater/trustedKeys.ts`:
+
+```typescript
+import {spawn as realSpawn, SpawnOptions} from 'node:child_process';
+import log4js from 'log4js';
+
+const logger = log4js.getLogger('updater');
+
+export type SpawnFn = (cmd: string, args: string[], opts: SpawnOptions) => {
+  on: (event: 'close', cb: (code: number | null) => void) => void;
+};
+
+export interface VerifyArgs {
+  tag: string;
+  repoDir: string;
+  requireSignature: boolean;
+  trustedKeysPath: string | null;
+  spawnFn?: SpawnFn;
+}
+
+export type VerifyResult =
+  | {ok: true; reason: 'signature-verified' | 'signature-not-required'}
+  | {ok: false; reason: 'signature-verification-failed'};
+
+/**
+ * Verify a release tag's GPG signature. With requireSignature=false (default)
+ * this is a documented no-op — Etherpad's release process does not yet sign
+ * tags consistently and forcing verification on by default would break Tier 2
+ * for everyone. Admins who manage their own builds set requireSignature=true
+ * and import their trusted keys into the Etherpad user's keyring (or a
+ * dedicated one via trustedKeysPath -> $GNUPGHOME).
+ */
+export const verifyReleaseTag = async (args: VerifyArgs): Promise<VerifyResult> => {
+  if (!args.requireSignature) {
+    logger.warn(`verifyReleaseTag: signature check skipped (updates.requireSignature=false) for ${args.tag}`);
+    return {ok: true, reason: 'signature-not-required'};
+  }
+  const spawnFn = args.spawnFn ?? (realSpawn as unknown as SpawnFn);
+  const env: NodeJS.ProcessEnv = {...process.env};
+  if (args.trustedKeysPath) env.GNUPGHOME = args.trustedKeysPath;
+  const child = spawnFn('git', ['verify-tag', args.tag], {cwd: args.repoDir, env, stdio: 'ignore'});
+  const code: number | null = await new Promise((resolve) => child.on('close', resolve));
+  if (code === 0) return {ok: true, reason: 'signature-verified'};
+  return {ok: false, reason: 'signature-verification-failed'};
+};
+```
+
+- [ ] **Step 4: Run — pass**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/trustedKeys.test.ts`
+Expected: PASS (4 tests).
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add src/node/updater/trustedKeys.ts src/tests/backend-new/specs/updater/trustedKeys.test.ts
+git commit -m "$(cat <<'EOF'
+feat(updater): verifyReleaseTag — gpg-via-git stub for Tier 2 preflight
+
+Default updates.requireSignature=false: log a warning and return ok.
+Set true to make preflight refuse a tag whose signature does not verify
+under the system keyring (or trustedKeysPath via GNUPGHOME). Etherpad's
+release process does not yet sign tags consistently; turning the check
+on by default would break Tier 2 for every admin and forcing a release-
+signing change is out of scope for this PR.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 4: Pre-flight checks
+
+**Files:**
+- Create: `src/node/updater/preflight.ts`
+- Test: `src/tests/backend-new/specs/updater/preflight.test.ts`
+
+The `runPreflight` function takes everything it needs as injected dependencies — no direct fs/spawn — so unit tests can stub each individual check.
+
+- [ ] **Step 1: Failing test**
+
+Create `src/tests/backend-new/specs/updater/preflight.test.ts`:
+
+```typescript
+import {describe, it, expect, vi} from 'vitest';
+import {runPreflight} from '../../../../node/updater/preflight';
+
+const baseDeps = {
+  installMethod: 'git' as const,
+  workingTreeClean: vi.fn(async () => true),
+  freeDiskMB: vi.fn(async () => 5000),
+  pnpmOnPath: vi.fn(async () => true),
+  lockHeld: vi.fn(async () => false),
+  remoteHasTag: vi.fn(async () => true),
+  verifyTag: vi.fn(async () => ({ok: true as const, reason: 'signature-not-required' as const})),
+};
+
+const baseInput = {
+  targetTag: 'v2.7.3',
+  diskSpaceMinMB: 500,
+  requireSignature: false,
+  trustedKeysPath: null,
+};
+
+describe('runPreflight', () => {
+  it('passes when all checks pass', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps});
+    expect(r).toEqual({ok: true});
+  });
+
+  it('rejects non-writable install methods', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps, installMethod: 'docker'});
+    expect(r).toEqual({ok: false, reason: 'install-method-not-writable'});
+  });
+
+  it('rejects a dirty working tree', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps, workingTreeClean: vi.fn(async () => false)});
+    expect(r).toEqual({ok: false, reason: 'dirty-working-tree'});
+  });
+
+  it('rejects insufficient disk space', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps, freeDiskMB: vi.fn(async () => 100)});
+    expect(r).toEqual({ok: false, reason: 'low-disk-space'});
+  });
+
+  it('rejects when pnpm is missing', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps, pnpmOnPath: vi.fn(async () => false)});
+    expect(r).toEqual({ok: false, reason: 'pnpm-not-found'});
+  });
+
+  it('rejects when the lock is held', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps, lockHeld: vi.fn(async () => true)});
+    expect(r).toEqual({ok: false, reason: 'lock-held'});
+  });
+
+  it('rejects when the remote tag is missing', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps, remoteHasTag: vi.fn(async () => false)});
+    expect(r).toEqual({ok: false, reason: 'remote-tag-missing'});
+  });
+
+  it('rejects when signature verification fails', async () => {
+    const r = await runPreflight(baseInput, {
+      ...baseDeps,
+      verifyTag: vi.fn(async () => ({ok: false as const, reason: 'signature-verification-failed' as const})),
+    });
+    expect(r).toEqual({ok: false, reason: 'signature-verification-failed'});
+  });
+});
+```
+
+- [ ] **Step 2: Run — fail**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/preflight.test.ts`
+Expected: FAIL.
+
+- [ ] **Step 3: Implement**
+
+Create `src/node/updater/preflight.ts`:
+
+```typescript
+import {InstallMethod} from './types';
+import type {VerifyResult} from './trustedKeys';
+
+export type PreflightReason =
+  | 'install-method-not-writable'
+  | 'dirty-working-tree'
+  | 'low-disk-space'
+  | 'pnpm-not-found'
+  | 'lock-held'
+  | 'remote-tag-missing'
+  | 'signature-verification-failed';
+
+export interface PreflightInput {
+  targetTag: string;
+  diskSpaceMinMB: number;
+  requireSignature: boolean;
+  trustedKeysPath: string | null;
+}
+
+export interface PreflightDeps {
+  installMethod: Exclude<InstallMethod, 'auto'>;
+  workingTreeClean: () => Promise<boolean>;
+  freeDiskMB: () => Promise<number>;
+  pnpmOnPath: () => Promise<boolean>;
+  lockHeld: () => Promise<boolean>;
+  remoteHasTag: (tag: string) => Promise<boolean>;
+  verifyTag: () => Promise<VerifyResult>;
+}
+
+export type PreflightResult = {ok: true} | {ok: false; reason: PreflightReason};
+
+const WRITABLE: ReadonlySet<Exclude<InstallMethod, 'auto'>> = new Set(['git']);
+
+/**
+ * Sequenced preflight: each check is fast and reads the world. Order matters —
+ * cheap, definitive failures (install method) run before slow ones (network tag
+ * lookup, gpg). The first failure short-circuits.
+ */
+export const runPreflight = async (
+  input: PreflightInput,
+  deps: PreflightDeps,
+): Promise<PreflightResult> => {
+  if (!WRITABLE.has(deps.installMethod)) return {ok: false, reason: 'install-method-not-writable'};
+  if (!await deps.workingTreeClean()) return {ok: false, reason: 'dirty-working-tree'};
+  if ((await deps.freeDiskMB()) < input.diskSpaceMinMB) return {ok: false, reason: 'low-disk-space'};
+  if (!await deps.pnpmOnPath()) return {ok: false, reason: 'pnpm-not-found'};
+  if (await deps.lockHeld()) return {ok: false, reason: 'lock-held'};
+  if (!await deps.remoteHasTag(input.targetTag)) return {ok: false, reason: 'remote-tag-missing'};
+  const sig = await deps.verifyTag();
+  if (!sig.ok) return {ok: false, reason: 'signature-verification-failed'};
+  return {ok: true};
+};
+```
+
+- [ ] **Step 4: Run — pass**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/preflight.test.ts`
+Expected: PASS (8 tests).
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add src/node/updater/preflight.ts src/tests/backend-new/specs/updater/preflight.test.ts
+git commit -m "$(cat <<'EOF'
+feat(updater): preflight check pipeline for Tier 2
+
+Pure orchestrator over injected probes for install-method, working tree,
+disk space, pnpm presence, lock state, remote tag existence and signature
+verification. Cheap-and-definitive checks run first; first failure short-
+circuits with a typed reason that the route layer will surface in the
+preflight-failed admin banner.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 5: Update log appender + tail
+
+**Files:**
+- Create: `src/node/updater/updateLog.ts`
+- Test: `src/tests/backend-new/specs/updater/updateLog.test.ts`
+
+A dedicated log4js logger writes to `var/log/update.log` with a 10 MB × 5 rolling-file appender. `tailLines(n)` reads the most recent `n` lines from the active log file for the `/admin/update/log` endpoint.
+
+- [ ] **Step 1: Failing test**
+
+Create `src/tests/backend-new/specs/updater/updateLog.test.ts`:
+
+```typescript
+import {describe, it, expect, beforeEach, afterEach} from 'vitest';
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import os from 'node:os';
+import {tailLines} from '../../../../node/updater/updateLog';
+
+describe('tailLines', () => {
+  let dir: string;
+  let logPath: string;
+  beforeEach(async () => {
+    dir = await fs.mkdtemp(path.join(os.tmpdir(), 'updater-log-'));
+    logPath = path.join(dir, 'update.log');
+  });
+  afterEach(async () => { await fs.rm(dir, {recursive: true, force: true}); });
+
+  it('returns [] when file is missing', async () => {
+    expect(await tailLines(logPath, 10)).toEqual([]);
+  });
+
+  it('returns up to N lines when file is shorter', async () => {
+    await fs.writeFile(logPath, 'a\nb\nc\n');
+    expect(await tailLines(logPath, 10)).toEqual(['a', 'b', 'c']);
+  });
+
+  it('returns the last N when file is longer', async () => {
+    const lines = Array.from({length: 500}, (_, i) => `line-${i}`);
+    await fs.writeFile(logPath, lines.join('\n') + '\n');
+    expect(await tailLines(logPath, 5)).toEqual(['line-495', 'line-496', 'line-497', 'line-498', 'line-499']);
+  });
+
+  it('handles a final-line-without-newline', async () => {
+    await fs.writeFile(logPath, 'a\nb\nc');
+    expect(await tailLines(logPath, 10)).toEqual(['a', 'b', 'c']);
+  });
+});
+```
+
+- [ ] **Step 2: Run — fail**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/updateLog.test.ts`
+Expected: FAIL.
+
+- [ ] **Step 3: Implement**
+
+Create `src/node/updater/updateLog.ts`:
+
+```typescript
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import log4js from 'log4js';
+
+let configured = false;
+
+/** Idempotently register a rolling-file appender for the updater log. */
+export const ensureUpdateLogAppender = (logPath: string): void => {
+  if (configured) return;
+  const dir = path.dirname(logPath);
+  // mkdir is sync-best-effort: log4js will surface any deeper failure on first write.
+  try { require('node:fs').mkdirSync(dir, {recursive: true}); } catch {/* noop */}
+  const cfg: any = log4js.getConfig?.() ?? null;
+  // We don't try to mutate an arbitrary external log4js config — we just add our category.
+  log4js.addLayout?.('json', () => (e: any) => JSON.stringify({t: e.startTime, lvl: e.level.levelStr, m: e.data.join(' ')}));
+  log4js.configure({
+    appenders: {
+      ...(cfg?.appenders || {}),
+      updateLog: {type: 'file', filename: logPath, maxLogSize: 10 * 1024 * 1024, backups: 5, compress: false},
+    },
+    categories: {
+      ...(cfg?.categories || {default: {appenders: ['out'], level: 'info'}}),
+      updater: {appenders: ['updateLog'], level: 'info'},
+    },
+  });
+  configured = true;
+};
+
+/** Read the last `n` newline-separated lines from the active log file. Empty array if missing. */
+export const tailLines = async (logPath: string, n: number): Promise<string[]> => {
+  let raw: string;
+  try { raw = await fs.readFile(logPath, 'utf8'); }
+  catch (err: any) { if (err.code === 'ENOENT') return []; throw err; }
+  const stripped = raw.endsWith('\n') ? raw.slice(0, -1) : raw;
+  if (stripped.length === 0) return [];
+  const all = stripped.split('\n');
+  return all.slice(Math.max(0, all.length - n));
+};
+```
+
+> **Note on `log4js.configure`:** Etherpad's main entrypoint already calls `log4js.configure` once. Calling it again replaces the config. The `cfg = log4js.getConfig?.()` spread above preserves the existing appenders and categories so we only *add* `updateLog` and the `updater` category. If `getConfig` isn't exposed in the runtime version of log4js, the fallback writes both `default` and `updater` so existing log lines still go somewhere — verify behaviour with the smoke test below.
+
+- [ ] **Step 4: Run — pass**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/updateLog.test.ts`
+Expected: PASS (4 tests).
+
+- [ ] **Step 5: Smoke-test the appender against the real boot path**
+
+Run: `pnpm run dev -- --port 9003 &` (start in background) then `tail -n 20 var/log/etherpad.log`. Confirm normal logs still appear, then `curl -fsSL http://localhost:9003/health` and verify the existing `default` appender output is unchanged. Stop with `kill %1`.
+
+If existing logs disappear, the spread of `cfg.appenders/categories` did not preserve them — adjust `ensureUpdateLogAppender` to use the appender registration API rather than `configure`. (Concretely: many log4js builds support `log4js.recording()` or one can keep a reference to the original config from `Settings.ts`'s `log4js.configure(...)` call and re-apply it merged. If the `getConfig?` path returns `null`, fall back to copying the layout from `settings.logconfig` which is what `Settings.ts` builds.)
+
+- [ ] **Step 6: Commit**
+
+```bash
+git add src/node/updater/updateLog.ts src/tests/backend-new/specs/updater/updateLog.test.ts
+git commit -m "$(cat <<'EOF'
+feat(updater): rolling update.log appender + tailLines helper
+
+ensureUpdateLogAppender adds a 10MB x 5 rolling-file appender for the
+'updater' log4js category at var/log/update.log; tailLines reads the
+last N lines for the /admin/update/log streaming endpoint without
+loading the whole file into memory if a partial read suffices.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 6: SessionDrainer
+
+**Files:**
+- Create: `src/node/updater/SessionDrainer.ts`
+- Test: `src/tests/backend-new/specs/updater/SessionDrainer.test.ts`
+
+The drainer schedules three broadcasts (T-60, T-30, T-10), flips a module-level "no new connections" flag, and resolves a promise at T=0. The flag is read by a lightweight check we'll add to PadMessageHandler in this same task. Tests use fake timers and a stubbed broadcaster.
+
+- [ ] **Step 1: Failing test**
+
+Create `src/tests/backend-new/specs/updater/SessionDrainer.test.ts`:
+
+```typescript
+import {describe, it, expect, vi, beforeEach, afterEach} from 'vitest';
+import {createDrainer, isAcceptingConnections, _resetForTests} from '../../../../node/updater/SessionDrainer';
+
+describe('SessionDrainer', () => {
+  beforeEach(() => { vi.useFakeTimers(); _resetForTests(); });
+  afterEach(() => { vi.useRealTimers(); _resetForTests(); });
+
+  it('emits T-60, T-30, T-10 and resolves at T=0', async () => {
+    const broadcasts: Array<{at: number; key: string}> = [];
+    const drainer = createDrainer({
+      drainSeconds: 60,
+      broadcast: (key, _values) => { broadcasts.push({at: Date.now(), key}); },
+    });
+    const start = Date.now();
+    const done = drainer.start();
+    // T-60 broadcast fires immediately on start.
+    expect(broadcasts.map((b) => b.key)).toEqual(['update.drain.t60']);
+    await vi.advanceTimersByTimeAsync(30_000);
+    expect(broadcasts.map((b) => b.key)).toEqual(['update.drain.t60', 'update.drain.t30']);
+    await vi.advanceTimersByTimeAsync(20_000);
+    expect(broadcasts.map((b) => b.key)).toEqual([
+      'update.drain.t60', 'update.drain.t30', 'update.drain.t10',
+    ]);
+    await vi.advanceTimersByTimeAsync(10_000);
+    await done;
+    expect(Date.now() - start).toBe(60_000);
+  });
+
+  it('flips isAcceptingConnections to false during drain and back on cancel', () => {
+    const drainer = createDrainer({drainSeconds: 60, broadcast: () => {}});
+    expect(isAcceptingConnections()).toBe(true);
+    drainer.start();
+    expect(isAcceptingConnections()).toBe(false);
+    drainer.cancel();
+    expect(isAcceptingConnections()).toBe(true);
+  });
+
+  it('cancel before T=0 resolves the start() promise as cancelled', async () => {
+    const drainer = createDrainer({drainSeconds: 60, broadcast: () => {}});
+    const done = drainer.start();
+    await vi.advanceTimersByTimeAsync(20_000);
+    drainer.cancel();
+    const r = await done;
+    expect(r).toEqual({outcome: 'cancelled'});
+  });
+});
+```
+
+- [ ] **Step 2: Run — fail**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/SessionDrainer.test.ts`
+Expected: FAIL.
+
+- [ ] **Step 3: Implement**
+
+Create `src/node/updater/SessionDrainer.ts`:
+
+```typescript
+let acceptingConnections = true;
+
+export const isAcceptingConnections = (): boolean => acceptingConnections;
+export const _resetForTests = (): void => { acceptingConnections = true; };
+
+export interface DrainerOpts {
+  drainSeconds: number;
+  /** Called for every broadcast; the i18n key is fixed but `values` may carry timing data. */
+  broadcast: (i18nKey: 'update.drain.t60' | 'update.drain.t30' | 'update.drain.t10', values: Record<string, unknown>) => void;
+}
+
+export interface Drainer {
+  start: () => Promise<{outcome: 'completed' | 'cancelled'}>;
+  cancel: () => void;
+}
+
+export const createDrainer = ({drainSeconds, broadcast}: DrainerOpts): Drainer => {
+  const timers: NodeJS.Timeout[] = [];
+  let resolveDone: ((r: {outcome: 'completed' | 'cancelled'}) => void) | null = null;
+  let cancelled = false;
+
+  const fire = (k: 'update.drain.t60' | 'update.drain.t30' | 'update.drain.t10', secondsRemaining: number) => {
+    if (cancelled) return;
+    broadcast(k, {seconds: secondsRemaining});
+  };
+
+  const start = (): Promise<{outcome: 'completed' | 'cancelled'}> => {
+    if (resolveDone) return Promise.reject(new Error('drainer already started'));
+    acceptingConnections = false;
+    return new Promise((resolve) => {
+      resolveDone = resolve;
+      const ms = drainSeconds * 1000;
+      // T-60 broadcast fires at start; T-30 and T-10 at offsets.
+      fire('update.drain.t60', drainSeconds);
+      timers.push(setTimeout(() => fire('update.drain.t30', 30), Math.max(0, ms - 30_000)));
+      timers.push(setTimeout(() => fire('update.drain.t10', 10), Math.max(0, ms - 10_000)));
+      timers.push(setTimeout(() => {
+        if (cancelled) return;
+        acceptingConnections = true; // executor takes over from here; flag goes back on after exit/restart anyway
+        resolveDone?.({outcome: 'completed'});
+        resolveDone = null;
+      }, ms));
+    });
+  };
+
+  const cancel = (): void => {
+    if (cancelled) return;
+    cancelled = true;
+    for (const t of timers) clearTimeout(t);
+    timers.length = 0;
+    acceptingConnections = true;
+    resolveDone?.({outcome: 'cancelled'});
+    resolveDone = null;
+  };
+
+  return {start, cancel};
+};
+```
+
+- [ ] **Step 4: Run — pass**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/SessionDrainer.test.ts`
+Expected: PASS (3 tests).
+
+- [ ] **Step 5: Wire `isAcceptingConnections` into the socket handshake**
+
+In `src/node/handler/PadMessageHandler.ts`, near the top of `handleMessage` (or wherever new socket connections enter the pad-message pipeline — pick the function that runs on every incoming socket and short-circuits before the Pad lookup), add:
+
+```typescript
+import {isAcceptingConnections} from '../updater/SessionDrainer';
+
+// ...inside the connection-accept path, before any expensive work:
+if (!isAcceptingConnections()) {
+  socket.json.send({disconnect: 'updateInProgress'});
+  socket.disconnect(true);
+  return;
+}
+```
+
+Locate the existing connection-accept path with: `grep -nE "handleMessage|handleClientReady" src/node/handler/PadMessageHandler.ts | head`. Place the guard inside `handleClientReady` before the Pad is fetched.
+
+- [ ] **Step 6: Add a regression test for the guard**
+
+Create `src/tests/backend-new/specs/updater/drainer-handshake.test.ts`:
+
+```typescript
+import {describe, it, expect, beforeEach, afterEach, vi} from 'vitest';
+
+describe('PadMessageHandler refuses connections during drain', () => {
+  beforeEach(() => { vi.resetModules(); });
+  afterEach(() => { vi.resetModules(); });
+
+  it('handleClientReady disconnects when isAcceptingConnections is false', async () => {
+    vi.doMock('../../../../node/updater/SessionDrainer', () => ({
+      isAcceptingConnections: () => false,
+    }));
+    const PadMessageHandler = await import('../../../../node/handler/PadMessageHandler');
+    const sent: any[] = [];
+    let disconnected = false;
+    const fakeSocket: any = {
+      id: 'sock-1',
+      json: {send: (m: unknown) => sent.push(m)},
+      disconnect: () => { disconnected = true; },
+      conn: {request: {}},
+    };
+    // handleClientReady takes (socket, message); message can be a stub.
+    if (typeof (PadMessageHandler as any).handleClientReady === 'function') {
+      await (PadMessageHandler as any).handleClientReady(fakeSocket, {padId: 'doesntmatter'});
+    } else {
+      // Fallback to handleMessage if handleClientReady is private.
+      await (PadMessageHandler as any).handleMessage(fakeSocket, {type: 'CLIENT_READY', padId: 'doesntmatter'});
+    }
+    expect(disconnected).toBe(true);
+    expect(sent[0]).toEqual({disconnect: 'updateInProgress'});
+  });
+});
+```
+
+- [ ] **Step 7: Run — pass**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/`
+Expected: all updater unit tests PASS.
+
+- [ ] **Step 8: Commit**
+
+```bash
+git add src/node/updater/SessionDrainer.ts src/node/handler/PadMessageHandler.ts \
+  src/tests/backend-new/specs/updater/SessionDrainer.test.ts \
+  src/tests/backend-new/specs/updater/drainer-handshake.test.ts
+git commit -m "$(cat <<'EOF'
+feat(updater): SessionDrainer + handshake guard
+
+Drainer schedules T-60/-30/-10 shoutMessage broadcasts and resolves at T=0;
+PadMessageHandler short-circuits new CLIENT_READY messages while the
+drainer's flag is off, so admins applying an update don't get a stampede
+of fresh sockets between the broadcast and exit 75.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 7: UpdateExecutor
+
+**Files:**
+- Create: `src/node/updater/UpdateExecutor.ts`
+- Test: `src/tests/backend-new/specs/updater/UpdateExecutor.test.ts`
+
+The executor accepts injected `spawnFn`, `fs`, `now`, `exit`, and `saveState` so unit tests run without spawning real children or mutating the real install. It writes `state.execution` at every transition and copies `pnpm-lock.yaml` + the current SHA to `var/update-backup/` before any mutation.
+
+- [ ] **Step 1: Failing test**
+
+Create `src/tests/backend-new/specs/updater/UpdateExecutor.test.ts`:
+
+```typescript
+import {describe, it, expect, vi, beforeEach} from 'vitest';
+import {executeUpdate} from '../../../../node/updater/UpdateExecutor';
+import {EMPTY_STATE} from '../../../../node/updater/types';
+
+const okSpawn = (script: Array<{cmd: string; exit: number; stderr?: string}>) => {
+  let i = 0;
+  return vi.fn((cmd: string, args: string[]) => {
+    const step = script[i++];
+    if (!step) throw new Error(`Unexpected spawn call: ${cmd} ${args.join(' ')}`);
+    if (step.cmd !== `${cmd} ${args.join(' ')}`) {
+      throw new Error(`Spawn order mismatch: expected "${step.cmd}", got "${cmd} ${args.join(' ')}"`);
+    }
+    return {
+      stdout: {on: () => {}}, stderr: {on: (e: string, cb: any) => step.stderr && e === 'data' && cb(Buffer.from(step.stderr))},
+      on: (e: string, cb: any) => e === 'close' && setTimeout(() => cb(step.exit), 0),
+    } as any;
+  });
+};
+
+describe('executeUpdate happy path', () => {
+  let savedStates: any[] = [];
+  let written: Record<string, string> = {};
+  let exited: number | null = null;
+
+  beforeEach(() => { savedStates = []; written = {}; exited = null; });
+
+  const baseDeps = () => ({
+    repoDir: '/srv/etherpad',
+    backupDir: '/srv/etherpad/var/update-backup',
+    spawnFn: okSpawn([
+      {cmd: 'git rev-parse HEAD', exit: 0},
+      {cmd: 'git fetch --tags origin', exit: 0},
+      {cmd: 'git checkout v2.7.3', exit: 0},
+      {cmd: 'pnpm install --frozen-lockfile', exit: 0},
+      {cmd: 'pnpm run build:ui', exit: 0},
+    ]),
+    readSha: vi.fn(async () => 'abc123'),
+    copyFile: vi.fn(async (_a: string, _b: string) => { written[_b] = 'lock'; }),
+    saveState: vi.fn(async (s: any) => { savedStates.push(structuredClone(s)); }),
+    initialState: structuredClone(EMPTY_STATE),
+    targetTag: 'v2.7.3',
+    now: () => new Date('2026-05-08T10:00:00Z'),
+    exit: (code: number) => { exited = code; },
+  });
+
+  it('snapshots, runs steps, persists pending-verification, exits 75', async () => {
+    const deps = baseDeps();
+    const result = await executeUpdate(deps);
+    expect(result).toEqual({outcome: 'pending-verification'});
+    expect(deps.copyFile).toHaveBeenCalledWith(
+      '/srv/etherpad/pnpm-lock.yaml',
+      '/srv/etherpad/var/update-backup/pnpm-lock.yaml',
+    );
+    expect(savedStates.at(-1).execution.status).toBe('pending-verification');
+    expect(savedStates.at(-1).execution.fromSha).toBe('abc123');
+    expect(savedStates.at(-1).bootCount).toBe(0);
+    expect(exited).toBe(75);
+  });
+
+  it('install failure flips state to rolling-back', async () => {
+    const deps = baseDeps();
+    deps.spawnFn = okSpawn([
+      {cmd: 'git rev-parse HEAD', exit: 0},
+      {cmd: 'git fetch --tags origin', exit: 0},
+      {cmd: 'git checkout v2.7.3', exit: 0},
+      {cmd: 'pnpm install --frozen-lockfile', exit: 1, stderr: 'resolver bork'},
+    ]);
+    const result = await executeUpdate(deps);
+    expect(result.outcome).toBe('failed-install');
+    expect(savedStates.at(-1).execution.status).toBe('rolling-back');
+    expect(exited).toBe(null); // executor does not exit; rollback path drives the next exit
+  });
+
+  it('build failure flips state to rolling-back', async () => {
+    const deps = baseDeps();
+    deps.spawnFn = okSpawn([
+      {cmd: 'git rev-parse HEAD', exit: 0},
+      {cmd: 'git fetch --tags origin', exit: 0},
+      {cmd: 'git checkout v2.7.3', exit: 0},
+      {cmd: 'pnpm install --frozen-lockfile', exit: 0},
+      {cmd: 'pnpm run build:ui', exit: 2},
+    ]);
+    const result = await executeUpdate(deps);
+    expect(result.outcome).toBe('failed-build');
+    expect(savedStates.at(-1).execution.status).toBe('rolling-back');
+  });
+});
+```
+
+- [ ] **Step 2: Run — fail**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/UpdateExecutor.test.ts`
+Expected: FAIL (module missing).
+
+- [ ] **Step 3: Implement**
+
+Create `src/node/updater/UpdateExecutor.ts`:
+
+```typescript
+import path from 'node:path';
+import log4js from 'log4js';
+import {SpawnOptions} from 'node:child_process';
+import {UpdateState} from './types';
+
+const logger = log4js.getLogger('updater');
+
+export type SpawnFn = (cmd: string, args: string[], opts: SpawnOptions) => {
+  stdout: {on: (event: 'data', cb: (chunk: Buffer) => void) => void};
+  stderr: {on: (event: 'data', cb: (chunk: Buffer) => void) => void};
+  on: (event: 'close', cb: (code: number | null) => void) => void;
+};
+
+export interface ExecutorDeps {
+  repoDir: string;
+  backupDir: string;
+  spawnFn: SpawnFn;
+  readSha: () => Promise<string>;
+  copyFile: (src: string, dst: string) => Promise<void>;
+  saveState: (s: UpdateState) => Promise<void>;
+  initialState: UpdateState;
+  targetTag: string;
+  now: () => Date;
+  exit: (code: number) => void;
+}
+
+export type ExecutorResult =
+  | {outcome: 'pending-verification'}
+  | {outcome: 'failed-install'; reason: string}
+  | {outcome: 'failed-build'; reason: string}
+  | {outcome: 'failed-checkout'; reason: string};
+
+const runStep = (spawnFn: SpawnFn, repoDir: string, cmd: string, args: string[]):
+    Promise<{code: number | null; stderr: string}> => new Promise((resolve) => {
+  let stderr = '';
+  const child = spawnFn(cmd, args, {cwd: repoDir, stdio: ['ignore', 'pipe', 'pipe']});
+  child.stdout.on('data', (chunk: Buffer) => logger.info(`[${cmd}] ${chunk.toString().trimEnd()}`));
+  child.stderr.on('data', (chunk: Buffer) => { stderr += chunk.toString(); logger.warn(`[${cmd}] ${chunk.toString().trimEnd()}`); });
+  child.on('close', (code) => resolve({code, stderr}));
+});
+
+/**
+ * Run the update pipeline. Each step writes state before/after so a hard kill
+ * mid-step lands the next boot in a known state for RollbackHandler to resolve.
+ *
+ * On install/build failure the executor transitions to `rolling-back`, persists,
+ * and returns. The route layer hands control to RollbackHandler which restores
+ * the lockfile and SHA. The executor does NOT exit on failure paths — the
+ * rollback path owns that exit.
+ */
+export const executeUpdate = async (deps: ExecutorDeps): Promise<ExecutorResult> => {
+  const fromSha = await deps.readSha();
+  let s: UpdateState = {
+    ...deps.initialState,
+    execution: {status: 'executing', targetTag: deps.targetTag, fromSha, startedAt: deps.now().toISOString()},
+    bootCount: 0,
+  };
+  await deps.saveState(s);
+
+  // Snapshot lockfile (SHA captured above).
+  await deps.copyFile(path.join(deps.repoDir, 'pnpm-lock.yaml'), path.join(deps.backupDir, 'pnpm-lock.yaml'));
+
+  const fail = async (
+    outcome: 'failed-install' | 'failed-build' | 'failed-checkout',
+    reason: string,
+  ): Promise<ExecutorResult> => {
+    s = {
+      ...s,
+      execution: {status: 'rolling-back', reason, targetTag: deps.targetTag, fromSha, at: deps.now().toISOString()},
+    };
+    await deps.saveState(s);
+    logger.error(`update step failed (${outcome}): ${reason}`);
+    return {outcome, reason};
+  };
+
+  let r = await runStep(deps.spawnFn, deps.repoDir, 'git', ['fetch', '--tags', 'origin']);
+  if (r.code !== 0) return fail('failed-checkout', `git fetch exit ${r.code}: ${r.stderr.trim()}`);
+
+  r = await runStep(deps.spawnFn, deps.repoDir, 'git', ['checkout', deps.targetTag]);
+  if (r.code !== 0) return fail('failed-checkout', `git checkout exit ${r.code}: ${r.stderr.trim()}`);
+
+  r = await runStep(deps.spawnFn, deps.repoDir, 'pnpm', ['install', '--frozen-lockfile']);
+  if (r.code !== 0) return fail('failed-install', `pnpm install exit ${r.code}: ${r.stderr.trim()}`);
+
+  r = await runStep(deps.spawnFn, deps.repoDir, 'pnpm', ['run', 'build:ui']);
+  if (r.code !== 0) return fail('failed-build', `pnpm run build:ui exit ${r.code}: ${r.stderr.trim()}`);
+
+  // Pending-verification: the next boot's RollbackHandler arms the health-check timer.
+  s = {
+    ...s,
+    execution: {
+      status: 'pending-verification',
+      targetTag: deps.targetTag,
+      fromSha,
+      // RollbackHandler computes the actual deadline at boot using rollbackHealthCheckSeconds.
+      // We persist a placeholder so the field is present.
+      deadlineAt: deps.now().toISOString(),
+    },
+    bootCount: 0,
+  };
+  await deps.saveState(s);
+  logger.info(`update executed: ${fromSha} -> ${deps.targetTag}; exiting 75 for supervisor restart`);
+  deps.exit(75);
+  return {outcome: 'pending-verification'};
+};
+```
+
+> The test stubs `readSha`/`copyFile`/`saveState` because the production caller (in Task 11) provides real implementations. The executor's body never imports `node:fs` or real spawn — keeping the unit test fast and isolated.
+
+- [ ] **Step 4: Run — pass**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/UpdateExecutor.test.ts`
+Expected: PASS (3 tests).
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add src/node/updater/UpdateExecutor.ts src/tests/backend-new/specs/updater/UpdateExecutor.test.ts
+git commit -m "$(cat <<'EOF'
+feat(updater): UpdateExecutor — snapshot, fetch/checkout/install/build, exit 75
+
+Pure-DI orchestrator: every shell-out goes through an injected spawnFn,
+every fs touch through an injected fs facade, every state write through
+the saveState dependency. Unit tests cover the happy path + the install
+and build failure transitions to rolling-back. The rollback path itself
+lives in Task 8 (RollbackHandler); on failure the executor persists
+state and returns without exiting so the route layer can run rollback.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 8: RollbackHandler
+
+**Files:**
+- Create: `src/node/updater/RollbackHandler.ts`
+- Test: `src/tests/backend-new/specs/updater/RollbackHandler.test.ts`
+
+Two paths:
+
+1. **`checkPendingVerification(state)`** runs at boot. If `state.execution.status === 'pending-verification'`, increment `bootCount`, persist, and either (a) if `bootCount > 2` force an immediate rollback, or (b) arm a 60s timer that on expiry rolls back, on success marks `verified`. Health success is signalled externally — for PR 2 we treat completion of boot through `expressCreateServer` as the success signal (RollbackHandler exposes a `markVerified()` callable).
+2. **`performRollback(reason)`** runs from inside the executor's failure paths *and* from the boot-time crash-loop / health-timeout paths. It copies the backup lockfile back, runs `git checkout <fromSha>`, `pnpm install --frozen-lockfile`, persists `rolled-back` (or `rollback-failed` on any sub-step error), and exits 75.
+
+- [ ] **Step 1: Failing test**
+
+Create `src/tests/backend-new/specs/updater/RollbackHandler.test.ts`:
+
+```typescript
+import {describe, it, expect, vi, beforeEach} from 'vitest';
+import {checkPendingVerification, performRollback} from '../../../../node/updater/RollbackHandler';
+import {EMPTY_STATE} from '../../../../node/updater/types';
+
+const baseDeps = () => ({
+  repoDir: '/srv/etherpad',
+  backupDir: '/srv/etherpad/var/update-backup',
+  spawnFn: vi.fn((_c: string, _a: string[]) => ({
+    stdout: {on: () => {}}, stderr: {on: () => {}},
+    on: (e: string, cb: any) => e === 'close' && setTimeout(() => cb(0), 0),
+  })) as any,
+  copyFile: vi.fn(async (_a: string, _b: string) => {}),
+  saveState: vi.fn(async (_s: any) => {}),
+  exit: vi.fn((_code: number) => {}),
+  now: () => new Date('2026-05-08T10:00:00Z'),
+});
+
+describe('checkPendingVerification', () => {
+  beforeEach(() => { vi.useFakeTimers(); });
+
+  it('idle state is a no-op', async () => {
+    const r = checkPendingVerification(structuredClone(EMPTY_STATE), {
+      ...baseDeps(), rollbackHealthCheckSeconds: 60,
+    });
+    expect(r.armed).toBe(false);
+  });
+
+  it('pending-verification with bootCount<=2 arms a timer and increments bootCount', async () => {
+    const deps = baseDeps();
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {status: 'pending-verification', targetTag: 'v2.7.3', fromSha: 'abc', deadlineAt: '2026-05-08T10:00:00Z'} as const,
+      bootCount: 0,
+    };
+    const r = checkPendingVerification(state, {...deps, rollbackHealthCheckSeconds: 60});
+    expect(r.armed).toBe(true);
+    // bootCount has been bumped and state persisted.
+    expect(deps.saveState).toHaveBeenCalledWith(expect.objectContaining({bootCount: 1}));
+    // markVerified clears the timer and lands on `verified`.
+    r.markVerified();
+    await vi.advanceTimersByTimeAsync(60_000);
+    expect(deps.exit).not.toHaveBeenCalled();
+  });
+
+  it('pending-verification with bootCount>2 forces immediate rollback', async () => {
+    const deps = baseDeps();
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {status: 'pending-verification', targetTag: 'v2.7.3', fromSha: 'abc', deadlineAt: '2026-05-08T10:00:00Z'} as const,
+      bootCount: 3,
+    };
+    const r = checkPendingVerification(state, {...deps, rollbackHealthCheckSeconds: 60});
+    expect(r.armed).toBe(false);
+    // Rollback ran; exit 75 was called once we hit the end of performRollback.
+    await vi.runAllTimersAsync();
+    expect(deps.exit).toHaveBeenCalledWith(75);
+  });
+
+  it('timer expiry triggers rollback when markVerified is never called', async () => {
+    const deps = baseDeps();
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {status: 'pending-verification', targetTag: 'v2.7.3', fromSha: 'abc', deadlineAt: '2026-05-08T10:00:00Z'} as const,
+      bootCount: 0,
+    };
+    const r = checkPendingVerification(state, {...deps, rollbackHealthCheckSeconds: 60});
+    expect(r.armed).toBe(true);
+    await vi.advanceTimersByTimeAsync(60_000);
+    expect(deps.exit).toHaveBeenCalledWith(75);
+  });
+});
+
+describe('performRollback', () => {
+  it('happy path: restores lockfile, checkout from-sha, pnpm install, exit 75, status=rolled-back', async () => {
+    const deps = baseDeps();
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {status: 'rolling-back', reason: 'install-failed', targetTag: 'v2.7.3', fromSha: 'abc', at: '2026-05-08T10:00:00Z'} as const,
+      bootCount: 0,
+    };
+    await performRollback(state, {...deps, rollbackHealthCheckSeconds: 60});
+    expect(deps.copyFile).toHaveBeenCalledWith(
+      '/srv/etherpad/var/update-backup/pnpm-lock.yaml',
+      '/srv/etherpad/pnpm-lock.yaml',
+    );
+    expect(deps.saveState).toHaveBeenLastCalledWith(expect.objectContaining({
+      execution: expect.objectContaining({status: 'rolled-back'}),
+      lastResult: expect.objectContaining({outcome: 'rolled-back'}),
+    }));
+    expect(deps.exit).toHaveBeenCalledWith(75);
+  });
+
+  it('rollback failure lands on rollback-failed (terminal)', async () => {
+    const deps = baseDeps();
+    let i = 0;
+    deps.spawnFn = vi.fn(() => ({
+      stdout: {on: () => {}}, stderr: {on: () => {}},
+      on: (e: string, cb: any) => e === 'close' && setTimeout(() => cb(i++ === 0 ? 0 : 1), 0),
+    })) as any;
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {status: 'rolling-back', reason: 'install-failed', targetTag: 'v2.7.3', fromSha: 'abc', at: '2026-05-08T10:00:00Z'} as const,
+      bootCount: 0,
+    };
+    await performRollback(state, {...deps, rollbackHealthCheckSeconds: 60});
+    expect(deps.saveState).toHaveBeenLastCalledWith(expect.objectContaining({
+      execution: expect.objectContaining({status: 'rollback-failed'}),
+      lastResult: expect.objectContaining({outcome: 'rollback-failed'}),
+    }));
+    expect(deps.exit).toHaveBeenCalledWith(75);
+  });
+});
+```
+
+- [ ] **Step 2: Run — fail**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/RollbackHandler.test.ts`
+Expected: FAIL (module missing).
+
+- [ ] **Step 3: Implement**
+
+Create `src/node/updater/RollbackHandler.ts`:
+
+```typescript
+import path from 'node:path';
+import log4js from 'log4js';
+import {SpawnOptions} from 'node:child_process';
+import {UpdateState} from './types';
+import type {SpawnFn} from './UpdateExecutor';
+
+const logger = log4js.getLogger('updater');
+
+export interface RollbackDeps {
+  repoDir: string;
+  backupDir: string;
+  spawnFn: SpawnFn;
+  copyFile: (src: string, dst: string) => Promise<void>;
+  saveState: (s: UpdateState) => Promise<void>;
+  exit: (code: number) => void;
+  now: () => Date;
+  rollbackHealthCheckSeconds: number;
+}
+
+const runStep = (spawnFn: SpawnFn, cwd: string, cmd: string, args: string[]):
+    Promise<number | null> => new Promise((resolve) => {
+  const child = spawnFn(cmd, args, {cwd, stdio: ['ignore', 'pipe', 'pipe']});
+  child.stdout.on('data', (b: Buffer) => logger.info(`[${cmd}] ${b.toString().trimEnd()}`));
+  child.stderr.on('data', (b: Buffer) => logger.warn(`[${cmd}] ${b.toString().trimEnd()}`));
+  child.on('close', (c) => resolve(c));
+});
+
+/** Restore the previous SHA + lockfile. Lands on `rolled-back` on success, `rollback-failed` on any sub-step error. Always exits 75 so the supervisor restarts on a known state. */
+export const performRollback = async (state: UpdateState, deps: RollbackDeps): Promise<void> => {
+  const exec = state.execution;
+  if (exec.status !== 'rolling-back' && exec.status !== 'pending-verification') {
+    throw new Error(`performRollback called from unexpected status: ${exec.status}`);
+  }
+  const fromSha = (exec as {fromSha: string}).fromSha;
+  const targetTag = (exec as {targetTag: string}).targetTag;
+  const reason = exec.status === 'rolling-back' ? exec.reason : 'health-check-failed-or-crash-loop';
+  const failTerminal = async (subReason: string): Promise<void> => {
+    const at = deps.now().toISOString();
+    await deps.saveState({
+      ...state,
+      execution: {status: 'rollback-failed', reason: `${reason}; rollback also failed: ${subReason}`, targetTag, fromSha, at},
+      lastResult: {targetTag, fromSha, outcome: 'rollback-failed', reason: `${reason}; rollback failed: ${subReason}`, at},
+      bootCount: 0,
+    });
+    logger.error(`rollback FAILED: ${subReason}; manual intervention required (POST /admin/update/acknowledge after fixing)`);
+    deps.exit(75);
+  };
+
+  try {
+    await deps.copyFile(path.join(deps.backupDir, 'pnpm-lock.yaml'), path.join(deps.repoDir, 'pnpm-lock.yaml'));
+  } catch (err) {
+    return failTerminal(`copy lockfile: ${(err as Error).message}`);
+  }
+
+  const checkoutCode = await runStep(deps.spawnFn, deps.repoDir, 'git', ['checkout', fromSha]);
+  if (checkoutCode !== 0) return failTerminal(`git checkout ${fromSha} exit ${checkoutCode}`);
+
+  const installCode = await runStep(deps.spawnFn, deps.repoDir, 'pnpm', ['install', '--frozen-lockfile']);
+  if (installCode !== 0) return failTerminal(`pnpm install exit ${installCode}`);
+
+  const at = deps.now().toISOString();
+  await deps.saveState({
+    ...state,
+    execution: {status: 'rolled-back', reason, targetTag, restoredSha: fromSha, at},
+    lastResult: {targetTag, fromSha, outcome: 'rolled-back', reason, at},
+    bootCount: 0,
+  });
+  logger.warn(`rolled back to ${fromSha} (reason: ${reason})`);
+  deps.exit(75);
+};
+
+export interface CheckResult {
+  /** True if a health-check timer was armed and is awaiting markVerified or expiry. */
+  armed: boolean;
+  /** Cancels the timer and transitions to `verified`. No-op when armed is false. */
+  markVerified: () => void;
+}
+
+/**
+ * Inspect the persisted execution state at boot and react:
+ *  - idle / verified / etc.: no-op.
+ *  - pending-verification with bootCount > 2: force rollback (crash-loop guard).
+ *  - pending-verification otherwise: increment bootCount, persist, arm a timer.
+ */
+export const checkPendingVerification = (state: UpdateState, deps: RollbackDeps): CheckResult => {
+  const exec = state.execution;
+  if (exec.status !== 'pending-verification') return {armed: false, markVerified: () => {}};
+
+  if (state.bootCount > 2) {
+    // Don't await — fire and forget so boot proceeds and exit happens asynchronously.
+    void performRollback(state, deps);
+    return {armed: false, markVerified: () => {}};
+  }
+
+  const incremented: UpdateState = {...state, bootCount: state.bootCount + 1};
+  void deps.saveState(incremented);
+
+  let cleared = false;
+  const timer = setTimeout(() => {
+    if (cleared) return;
+    void performRollback({
+      ...incremented,
+      execution: {status: 'rolling-back', reason: 'health-check-timeout', targetTag: exec.targetTag, fromSha: exec.fromSha, at: deps.now().toISOString()},
+    }, deps);
+  }, deps.rollbackHealthCheckSeconds * 1000);
+
+  return {
+    armed: true,
+    markVerified: () => {
+      if (cleared) return;
+      cleared = true;
+      clearTimeout(timer);
+      const at = deps.now().toISOString();
+      void deps.saveState({
+        ...incremented,
+        execution: {status: 'verified', targetTag: exec.targetTag, verifiedAt: at},
+        lastResult: {targetTag: exec.targetTag, fromSha: exec.fromSha, outcome: 'verified', reason: null, at},
+        bootCount: 0,
+      });
+      logger.info(`update verified after restart: ${exec.fromSha} -> ${exec.targetTag}`);
+    },
+  };
+};
+```
+
+- [ ] **Step 4: Run — pass**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/RollbackHandler.test.ts`
+Expected: PASS (5 tests).
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add src/node/updater/RollbackHandler.ts src/tests/backend-new/specs/updater/RollbackHandler.test.ts
+git commit -m "$(cat <<'EOF'
+feat(updater): RollbackHandler — health-check timer + crash-loop guard
+
+checkPendingVerification arms a 60s health-check timer at boot when state
+is pending-verification, increments bootCount, and forces an immediate
+rollback when bootCount>2 (crash-loop guard). performRollback restores the
+lockfile and SHA, retries pnpm install, and lands on rolled-back or the
+terminal rollback-failed state on sub-step failure. Both paths exit 75 so
+the supervisor restarts cleanly on the new known state.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 9: Wire RollbackHandler into the boot sequence
+
+**Files:**
+- Modify: `src/node/updater/index.ts`
+- Modify: `src/node/hooks/express/updateStatus.ts` (extend status endpoint with execution + lastResult)
+- Test: `src/tests/backend-new/specs/updater/index-boot.test.ts`
+
+Boot sequence add: after `detectInstallMethod`, before `startPolling`, run `checkPendingVerification`. Stash the returned `markVerified` so `expressCreateServer`'s success path can call it once Etherpad is `RUNNING`.
+
+- [ ] **Step 1: Failing test**
+
+Create `src/tests/backend-new/specs/updater/index-boot.test.ts`:
+
+```typescript
+import {describe, it, expect, beforeEach, afterEach, vi} from 'vitest';
+
+describe('updater boot wiring', () => {
+  beforeEach(() => { vi.resetModules(); });
+  afterEach(() => { vi.resetModules(); });
+
+  it('calls checkPendingVerification with the loaded state', async () => {
+    const calls: any[] = [];
+    vi.doMock('../../../../node/updater/RollbackHandler', () => ({
+      checkPendingVerification: (s: any) => { calls.push(s); return {armed: false, markVerified: () => {}}; },
+      performRollback: vi.fn(),
+    }));
+    vi.doMock('../../../../node/updater/InstallMethodDetector', () => ({
+      detectInstallMethod: vi.fn(async () => 'git'),
+    }));
+    vi.doMock('../../../../node/updater/state', () => ({
+      loadState: vi.fn(async () => ({schemaVersion: 1, execution: {status: 'idle'}, bootCount: 0, lastResult: null,
+        lastCheckAt: null, lastEtag: null, latest: null, vulnerableBelow: [],
+        email: {severeAt: null, vulnerableAt: null, vulnerableNewReleaseTag: null}})),
+      saveState: vi.fn(async () => {}),
+    }));
+    vi.doMock('../../../../node/utils/Settings', () => ({
+      default: {root: '/srv/etherpad', updates: {tier: 'manual', githubRepo: 'ether/etherpad', checkIntervalHours: 6, installMethod: 'auto', rollbackHealthCheckSeconds: 60}, adminEmail: null},
+      getEpVersion: () => '2.7.2',
+    }));
+    const updater = await import('../../../../node/updater');
+    await updater.expressCreateServer();
+    expect(calls).toHaveLength(1);
+    await updater.shutdown();
+  });
+});
+```
+
+- [ ] **Step 2: Run — fail**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/index-boot.test.ts`
+Expected: FAIL.
+
+- [ ] **Step 3: Wire it up**
+
+In `src/node/updater/index.ts`, add the import and the boot hook:
+
+```typescript
+import {spawn} from 'node:child_process';
+import fs from 'node:fs/promises';
+import {checkPendingVerification, performRollback, CheckResult} from './RollbackHandler';
+import {ensureUpdateLogAppender} from './updateLog';
+
+let pendingVerification: CheckResult | null = null;
+
+const rollbackDeps = () => ({
+  repoDir: settings.root,
+  backupDir: path.join(settings.root, 'var', 'update-backup'),
+  spawnFn: spawn as unknown as import('./UpdateExecutor').SpawnFn,
+  copyFile: (src: string, dst: string) => fs.copyFile(src, dst),
+  saveState: (s: UpdateState) => saveState(stateFilePath(), s),
+  exit: (code: number) => process.exit(code),
+  now: () => new Date(),
+  rollbackHealthCheckSeconds: Number(settings.updates.rollbackHealthCheckSeconds) || 60,
+});
+```
+
+Replace `expressCreateServer` with:
+
+```typescript
+export const expressCreateServer = async (): Promise<void> => {
+  ensureUpdateLogAppender(path.join(settings.root, 'var', 'log', 'update.log'));
+  detectedMethod = await detectInstallMethod({
+    override: settings.updates.installMethod,
+    rootDir: settings.root,
+  });
+  logger.info(`updater: install method = ${detectedMethod}, tier = ${settings.updates.tier}`);
+
+  const state = await getCurrentState();
+  pendingVerification = checkPendingVerification(state, rollbackDeps());
+
+  if (settings.updates.tier !== 'off') startPolling();
+};
+
+/** Called by the Etherpad runtime once the express stack is fully wired and /health is up. */
+export const markBootHealthy = (): void => {
+  if (pendingVerification) {
+    pendingVerification.markVerified();
+    pendingVerification = null;
+  }
+};
+
+/** Exposed for routes. */
+export const getRollbackDeps = rollbackDeps;
+export const getPendingVerification = () => pendingVerification;
+```
+
+In `src/node/server.ts`, after the `state = State.RUNNING` line (around line 176), add:
+
+```typescript
+// Once the server is RUNNING, /health responds 200 — that is the implicit health
+// signal the updater's pending-verification timer is waiting for.
+try {
+  // eslint-disable-next-line @typescript-eslint/no-var-requires
+  require('./updater').markBootHealthy();
+} catch (err) {
+  logger.debug(`markBootHealthy: ${(err as Error).message}`);
+}
+```
+
+In `src/node/hooks/express/updateStatus.ts`, extend the `/admin/update/status` response:
+
+```typescript
+res.json({
+  currentVersion: current,
+  latest: state.latest,
+  lastCheckAt: state.lastCheckAt,
+  installMethod,
+  tier: settings.updates.tier,
+  policy,
+  vulnerableBelow: state.vulnerableBelow,
+  // PR 2 additions:
+  execution: state.execution,
+  lastResult: state.lastResult,
+  lockHeld: await import('../../updater/lock').then((m) => m.isHeld(require('node:path').join(settings.root, 'var', 'update.lock'))),
+});
+```
+
+- [ ] **Step 4: Run — pass**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/index-boot.test.ts`
+Expected: PASS.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add src/node/updater/index.ts src/node/server.ts src/node/hooks/express/updateStatus.ts \
+  src/tests/backend-new/specs/updater/index-boot.test.ts
+git commit -m "$(cat <<'EOF'
+feat(updater): wire RollbackHandler into boot + extend /admin/update/status
+
+expressCreateServer now invokes checkPendingVerification before polling
+starts; server.ts calls markBootHealthy after state hits RUNNING so the
+60s health-check timer cancels cleanly when the new version boots fine.
+The status endpoint surfaces execution + lastResult + lockHeld so the
+admin UI can render Apply / Cancel / Acknowledge state correctly.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 10: Refine UpdatePolicy for terminal-state gating
+
+**Files:**
+- Modify: `src/node/updater/UpdatePolicy.ts`
+- Modify: `src/tests/backend-new/specs/updater/UpdatePolicy.test.ts`
+
+`canAuto` and `canAutonomous` must return false while `execution.status === 'rollback-failed'` (manual remains allowed).
+
+- [ ] **Step 1: Add failing tests**
+
+Append to `UpdatePolicy.test.ts`:
+
+```typescript
+describe('terminal-state gating', () => {
+  it('rollback-failed denies auto/autonomous but allows manual', () => {
+    const r = evaluatePolicy({
+      ...baseInput, tier: 'autonomous',
+      executionStatus: 'rollback-failed',
+    });
+    expect(r.canManual).toBe(true);
+    expect(r.canAuto).toBe(false);
+    expect(r.canAutonomous).toBe(false);
+    expect(r.reason).toBe('rollback-failed-terminal');
+  });
+
+  it('idle execution does not affect canManual/canAuto', () => {
+    const r = evaluatePolicy({...baseInput, tier: 'autonomous', executionStatus: 'idle'});
+    expect(r.canManual).toBe(true);
+    expect(r.canAuto).toBe(true);
+    expect(r.canAutonomous).toBe(true);
+  });
+});
+```
+
+- [ ] **Step 2: Run — fail**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/UpdatePolicy.test.ts`
+Expected: FAIL.
+
+- [ ] **Step 3: Update implementation**
+
+In `src/node/updater/UpdatePolicy.ts`:
+
+```typescript
+export interface PolicyInput {
+  installMethod: Exclude<InstallMethod, 'auto'>;
+  tier: Tier;
+  current: string;
+  latest: string;
+  /** Optional — when known. Only `rollback-failed` materially changes policy. */
+  executionStatus?: string;
+}
+
+export const evaluatePolicy = ({installMethod, tier, current, latest, executionStatus}: PolicyInput): PolicyResult => {
+  if (tier === 'off') {
+    return {canNotify: false, canManual: false, canAuto: false, canAutonomous: false, reason: 'tier-off'};
+  }
+  if (compareSemver(current, latest) >= 0) {
+    return {canNotify: false, canManual: false, canAuto: false, canAutonomous: false, reason: 'up-to-date'};
+  }
+  const canNotify = true;
+  const writable = WRITABLE_METHODS.has(installMethod);
+  if (!writable) {
+    return {canNotify, canManual: false, canAuto: false, canAutonomous: false, reason: 'install-method-not-writable'};
+  }
+  const terminal = executionStatus === 'rollback-failed';
+  return {
+    canNotify,
+    canManual: tier === 'manual' || tier === 'auto' || tier === 'autonomous',
+    canAuto: !terminal && (tier === 'auto' || tier === 'autonomous'),
+    canAutonomous: !terminal && tier === 'autonomous',
+    reason: terminal ? 'rollback-failed-terminal' : 'ok',
+  };
+};
+```
+
+Also update the `updateStatus.ts` call to pass `executionStatus: state.execution.status`.
+
+- [ ] **Step 4: Run — pass**
+
+Run: `pnpm vitest run src/tests/backend-new/specs/updater/UpdatePolicy.test.ts`
+Expected: PASS (existing + 2 new).
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add src/node/updater/UpdatePolicy.ts src/node/hooks/express/updateStatus.ts \
+  src/tests/backend-new/specs/updater/UpdatePolicy.test.ts
+git commit -m "$(cat <<'EOF'
+feat(updater): UpdatePolicy honours rollback-failed terminal state
+
+canAuto/canAutonomous are denied while execution.status === 'rollback-failed';
+canManual stays on because an admin clicking Apply *is* the intervention the
+terminal state requires. Status endpoint passes execution.status through so
+the admin UI sees the right policy result.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 11: Apply / Cancel / Acknowledge / Log endpoints
+
+**Files:**
+- Create: `src/node/hooks/express/updateActions.ts`
+- Modify: `src/node/hooks/express/admin.ts` if a hook-registration list lives there (none required if hooks loaded via `ep.json` — see step 3)
+- Modify: `src/node/updater/ep.json` (or `src/ep.json`) to register the new hook
+- Test: `src/tests/backend/specs/updateActions.ts` (mocha integration)
+
+Strict admin auth on all four endpoints (apply, cancel, acknowledge, log) — unlike `/admin/update/status` which is read-only and intentionally loose. POST endpoints require an authenticated `is_admin` session; the GET log endpoint requires the same.
+
+- [ ] **Step 1: Find the right hook registration site**
+
+```bash
+grep -nE "updateStatus|updater/index" src/node/utils/Settings.ts src/node/server.ts src/node/hooks src/ep.json src/static/js/pluginfw 2>/dev/null
+cat src/ep.json
+```
+
+PR 1 registered `updater/index.ts:expressCreateServer` and `hooks/express/updateStatus:expressCreateServer` in `src/ep.json`. Add `hooks/express/updateActions:expressCreateServer` in the same array.
+
+- [ ] **Step 2: Failing test (mocha)**
+
+Create `src/tests/backend/specs/updateActions.ts`:
+
+```typescript
+'use strict';
+
+const assert = require('assert').strict;
+const common = require('../common');
+const plugins = require('../../../static/js/pluginfw/plugin_defs');
+import settings from '../../../node/utils/Settings';
+import {saveState} from '../../../node/updater/state';
+import {EMPTY_STATE} from '../../../node/updater/types';
+import path from 'node:path';
+
+const statePath = () => path.join(settings.root, 'var', 'update-state.json');
+const authHookNames = ['preAuthorize', 'authenticate', 'authorize'];
+const failHookNames = ['preAuthzFailure', 'authnFailure', 'authzFailure', 'authFailure'];
+
+const installAdminAuth = () => {
+  for (const h of authHookNames.concat(failHookNames)) plugins.hooks[h] = [];
+  plugins.hooks.authenticate = [{
+    hook_fn: (_n: string, ctx: any, cb: Function) => {
+      ctx.req.session.user = {is_admin: true};
+      cb([true]);
+    },
+  }];
+  (settings as any).requireAuthentication = true;
+  (settings as any).requireAuthorization = false;
+  (settings as any).users = {admin: {password: 'admin-pw', is_admin: true}};
+};
+
+describe(__filename, function () {
+  let agent: any;
+  const backups: Record<string, any> = {};
+
+  before(async () => { agent = await common.init(); });
+
+  beforeEach(async () => {
+    backups.hooks = {};
+    for (const n of authHookNames.concat(failHookNames)) backups.hooks[n] = plugins.hooks[n];
+    backups.settings = {};
+    for (const k of ['requireAuthentication', 'requireAuthorization', 'users']) backups.settings[k] = (settings as any)[k];
+    await saveState(statePath(), {
+      ...EMPTY_STATE,
+      latest: {version: '99.0.0', tag: 'v99.0.0', body: 'release', publishedAt: '2099-01-01T00:00:00Z', prerelease: false, htmlUrl: 'https://example/'},
+    });
+  });
+
+  afterEach(() => {
+    Object.assign(plugins.hooks, backups.hooks);
+    Object.assign(settings, backups.settings);
+  });
+
+  describe('POST /admin/update/apply', () => {
+    it('rejects unauthenticated', async () => {
+      await agent.post('/admin/update/apply').expect(401);
+    });
+
+    it('rejects when policy denies (non-git install method)', async () => {
+      installAdminAuth();
+      const orig = settings.updates.installMethod;
+      settings.updates.installMethod = 'docker';
+      try {
+        await agent.post('/admin/update/apply').auth('admin', 'admin-pw').expect(409);
+      } finally { settings.updates.installMethod = orig; }
+    });
+
+    it('rejects when an execution is already in flight', async () => {
+      installAdminAuth();
+      await saveState(statePath(), {
+        ...EMPTY_STATE,
+        latest: {version: '99.0.0', tag: 'v99.0.0', body: '', publishedAt: '', prerelease: false, htmlUrl: ''},
+        execution: {status: 'executing', targetTag: 'v99.0.0', fromSha: 'x', startedAt: '2026-05-08T00:00:00Z'},
+      });
+      await agent.post('/admin/update/apply').auth('admin', 'admin-pw').expect(409);
+    });
+  });
+
+  describe('POST /admin/update/cancel', () => {
+    it('rejects when nothing is running (409)', async () => {
+      installAdminAuth();
+      await agent.post('/admin/update/cancel').auth('admin', 'admin-pw').expect(409);
+    });
+  });
+
+  describe('POST /admin/update/acknowledge', () => {
+    it('clears a terminal state to idle', async () => {
+      installAdminAuth();
+      await saveState(statePath(), {
+        ...EMPTY_STATE,
+        execution: {status: 'rollback-failed', reason: 'install-failed; rollback failed: pnpm exit 1', targetTag: 'v99.0.0', fromSha: 'x', at: '2026-05-08T00:00:00Z'},
+        lastResult: {targetTag: 'v99.0.0', fromSha: 'x', outcome: 'rollback-failed', reason: 'pnpm install failed', at: '2026-05-08T00:00:00Z'},
+      });
+      await agent.post('/admin/update/acknowledge').auth('admin', 'admin-pw').expect(200);
+      const status = await agent.get('/admin/update/status').expect(200);
+      assert.equal(status.body.execution.status, 'idle');
+    });
+
+    it('refuses to clear a non-terminal state (409)', async () => {
+      installAdminAuth();
+      await saveState(statePath(), {...EMPTY_STATE});
+      await agent.post('/admin/update/acknowledge').auth('admin', 'admin-pw').expect(409);
+    });
+  });
+
+  describe('GET /admin/update/log', () => {
+    it('requires admin auth', async () => {
+      await agent.get('/admin/update/log').expect(401);
+    });
+
+    it('returns 200 with text body for an admin', async () => {
+      installAdminAuth();
+      const res = await agent.get('/admin/update/log').auth('admin', 'admin-pw').expect(200);
+      assert.equal(typeof res.text, 'string');
+    });
+  });
+});
+```
+
+- [ ] **Step 3: Implement the route module**
+
+Create `src/node/hooks/express/updateActions.ts`:
+
+```typescript
+'use strict';
+
+import path from 'node:path';
+import fs from 'node:fs/promises';
+import {spawn} from 'node:child_process';
+import log4js from 'log4js';
+import {ArgsExpressType} from '../../types/ArgsExpressType';
+import settings, {getEpVersion} from '../../utils/Settings';
+import {getDetectedInstallMethod, stateFilePath, getRollbackDeps} from '../../updater';
+import {evaluatePolicy} from '../../updater/UpdatePolicy';
+import {loadState, saveState} from '../../updater/state';
+import {acquireLock, releaseLock, isHeld} from '../../updater/lock';
+import {executeUpdate} from '../../updater/UpdateExecutor';
+import {createDrainer} from '../../updater/SessionDrainer';
+import {runPreflight} from '../../updater/preflight';
+import {verifyReleaseTag} from '../../updater/trustedKeys';
+import {tailLines} from '../../updater/updateLog';
+import {UpdateState} from '../../updater/types';
+
+const logger = log4js.getLogger('updater');
+const lockPath = () => path.join(settings.root, 'var', 'update.lock');
+const logPath = () => path.join(settings.root, 'var', 'log', 'update.log');
+const backupDir = () => path.join(settings.root, 'var', 'update-backup');
+
+let drainer: ReturnType<typeof createDrainer> | null = null;
+
+const requireAdmin = (req: any, res: any): boolean => {
+  const u = req.session?.user;
+  if (!u) { res.status(401).send('Authentication required'); return false; }
+  if (!u.is_admin) { res.status(403).send('Forbidden'); return false; }
+  return true;
+};
+
+const wrapAsync = (fn: (req: any, res: any, next: Function) => Promise<unknown>) =>
+  (req: any, res: any, next: Function) => Promise.resolve(fn(req, res, next)).catch(next);
+
+const broadcastShout = (key: string, values: Record<string, unknown>): void => {
+  // Use the existing shout pipeline via socket.io. PR 1 uses io.sockets.emit('shout', ...).
+  // We re-import lazily to dodge a require-cycle with the socketio hook.
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    const {io} = require('../socketio');
+    if (!io) return;
+    io.sockets.emit('shout', {
+      type: 'COLLABROOM',
+      data: {type: 'shoutMessage', payload: {message: {message: key, values, sticky: false}, timestamp: Date.now()}},
+    });
+  } catch (err) {
+    logger.warn(`broadcastShout: ${(err as Error).message}`);
+  }
+};
+
+export const expressCreateServer = (
+  _hookName: string,
+  {app}: ArgsExpressType,
+  cb: Function,
+): void => {
+  if (settings.updates.tier === 'off') return cb();
+
+  app.post('/admin/update/apply', wrapAsync(async (req, res) => {
+    if (!requireAdmin(req, res)) return;
+
+    const state = await loadState(stateFilePath());
+    if (!state.latest) return res.status(409).json({error: 'no-known-latest'});
+    if (state.execution.status !== 'idle' && state.execution.status !== 'verified' &&
+        !state.execution.status.startsWith('rolled-back') && state.execution.status !== 'preflight-failed') {
+      return res.status(409).json({error: `execution-busy:${state.execution.status}`});
+    }
+
+    const installMethod = getDetectedInstallMethod();
+    const policy = evaluatePolicy({
+      installMethod, tier: settings.updates.tier,
+      current: getEpVersion(), latest: state.latest.version,
+      executionStatus: state.execution.status,
+    });
+    if (!policy.canManual) return res.status(409).json({error: 'policy-denied', reason: policy.reason});
+
+    if (!await acquireLock(lockPath())) return res.status(409).json({error: 'lock-held'});
+
+    try {
+      // Preflight
+      const targetTag = state.latest.tag;
+      const startedAt = new Date().toISOString();
+      const preState: UpdateState = {...state, execution: {status: 'preflight', targetTag, startedAt}};
+      await saveState(stateFilePath(), preState);
+
+      const pf = await runPreflight(
+        {targetTag, diskSpaceMinMB: settings.updates.diskSpaceMinMB,
+         requireSignature: settings.updates.requireSignature,
+         trustedKeysPath: settings.updates.trustedKeysPath},
+        {
+          installMethod,
+          workingTreeClean: () => new Promise((resolve) => {
+            const c = spawn('git', ['status', '--porcelain'], {cwd: settings.root});
+            let out = '';
+            c.stdout.on('data', (b) => { out += b.toString(); });
+            c.on('close', () => resolve(out.trim().length === 0));
+          }),
+          freeDiskMB: async () => {
+            const {statfs} = await import('node:fs/promises');
+            try {
+              const s = await (statfs as any)(settings.root);
+              return Math.floor((s.bavail * s.bsize) / (1024 * 1024));
+            } catch { return Number.POSITIVE_INFINITY; } // fall back to "no constraint" if statfs unsupported
+          },
+          pnpmOnPath: () => new Promise((resolve) => {
+            const c = spawn('pnpm', ['--version'], {stdio: 'ignore'});
+            c.on('close', (code) => resolve(code === 0));
+            c.on('error', () => resolve(false));
+          }),
+          lockHeld: async () => false, // we just acquired it
+          remoteHasTag: (tag) => new Promise((resolve) => {
+            const c = spawn('git', ['ls-remote', '--tags', 'origin', tag], {cwd: settings.root, stdio: ['ignore', 'pipe', 'ignore']});
+            let out = '';
+            c.stdout.on('data', (b) => { out += b.toString(); });
+            c.on('close', () => resolve(out.trim().length > 0));
+            c.on('error', () => resolve(false));
+          }),
+          verifyTag: () => verifyReleaseTag({
+            tag: targetTag, repoDir: settings.root,
+            requireSignature: settings.updates.requireSignature,
+            trustedKeysPath: settings.updates.trustedKeysPath,
+          }),
+        },
+      );
+
+      if (!pf.ok) {
+        const at = new Date().toISOString();
+        await saveState(stateFilePath(), {
+          ...preState,
+          execution: {status: 'preflight-failed', targetTag, reason: pf.reason, at},
+          lastResult: {targetTag, fromSha: '', outcome: 'preflight-failed', reason: pf.reason, at},
+        });
+        await releaseLock(lockPath());
+        return res.status(409).json({error: 'preflight-failed', reason: pf.reason});
+      }
+
+      // Drain
+      drainer = createDrainer({
+        drainSeconds: Number(settings.updates.drainSeconds) || 60,
+        broadcast: (key, values) => broadcastShout(key, values),
+      });
+      const drainEndsAt = new Date(Date.now() + (Number(settings.updates.drainSeconds) || 60) * 1000).toISOString();
+      await saveState(stateFilePath(), {
+        ...preState,
+        execution: {status: 'draining', targetTag, drainEndsAt, startedAt: new Date().toISOString()},
+      });
+
+      // Respond before drain completes — UI polls /admin/update/status + /log.
+      res.status(202).json({accepted: true, drainEndsAt});
+
+      const drainResult = await drainer.start();
+      drainer = null;
+      if (drainResult.outcome === 'cancelled') {
+        // The /admin/update/cancel handler already wrote state.execution=idle and
+        // lastResult=cancelled. Don't overwrite it here — just release the lock
+        // and return; the supervisor doesn't need to restart.
+        await releaseLock(lockPath());
+        return;
+      }
+
+      const fresh = await loadState(stateFilePath());
+      await executeUpdate({
+        repoDir: settings.root,
+        backupDir: backupDir(),
+        spawnFn: spawn as any,
+        readSha: () => new Promise((resolve, reject) => {
+          const c = spawn('git', ['rev-parse', 'HEAD'], {cwd: settings.root, stdio: ['ignore', 'pipe', 'ignore']});
+          let out = '';
+          c.stdout.on('data', (b) => { out += b.toString(); });
+          c.on('close', (code) => code === 0 ? resolve(out.trim()) : reject(new Error(`git rev-parse exit ${code}`)));
+          c.on('error', reject);
+        }),
+        copyFile: (src, dst) => fs.mkdir(path.dirname(dst), {recursive: true}).then(() => fs.copyFile(src, dst)),
+        saveState: (s) => saveState(stateFilePath(), s),
+        initialState: fresh,
+        targetTag,
+        now: () => new Date(),
+        exit: (code) => process.exit(code),
+      });
+      // executeUpdate either calls process.exit(75) (pending-verification) or returns
+      // on a failure path. Failure paths are handled by the next process boot via
+      // RollbackHandler's pending-verification check + the rolling-back path inside performRollback.
+      // If we reach here, the failure path was hit and we need to perform rollback now.
+      const afterExec = await loadState(stateFilePath());
+      if (afterExec.execution.status === 'rolling-back') {
+        const {performRollback} = await import('../../updater/RollbackHandler');
+        await performRollback(afterExec, getRollbackDeps());
+      }
+      await releaseLock(lockPath());
+    } catch (err) {
+      logger.error(`apply failed: ${(err as Error).stack || err}`);
+      try { await releaseLock(lockPath()); } catch {/* noop */}
+      if (!res.headersSent) res.status(500).json({error: 'internal'});
+    }
+  }));
+
+  app.post('/admin/update/cancel', wrapAsync(async (req, res) => {
+    if (!requireAdmin(req, res)) return;
+    const state = await loadState(stateFilePath());
+    // Cancel is allowed only during pre-execute states. Once executing begins (lockfile/SHA mutated)
+    // we either complete or rollback. Spec section "Error handling" / state machine.
+    if (state.execution.status !== 'preflight' && state.execution.status !== 'draining') {
+      return res.status(409).json({error: 'not-cancellable', status: state.execution.status});
+    }
+    if (drainer) drainer.cancel();
+    await saveState(stateFilePath(), {...state, execution: {status: 'idle'}, lastResult: {
+      targetTag: (state.execution as any).targetTag ?? '',
+      fromSha: '',
+      outcome: 'cancelled',
+      reason: 'admin-cancelled',
+      at: new Date().toISOString(),
+    }});
+    try { await releaseLock(lockPath()); } catch {/* noop */}
+    res.json({cancelled: true});
+  }));
+
+  app.post('/admin/update/acknowledge', wrapAsync(async (req, res) => {
+    if (!requireAdmin(req, res)) return;
+    const state = await loadState(stateFilePath());
+    const terminal = ['rollback-failed', 'preflight-failed', 'rolled-back'];
+    if (!terminal.some((t) => state.execution.status === t)) {
+      return res.status(409).json({error: 'not-terminal', status: state.execution.status});
+    }
+    await saveState(stateFilePath(), {...state, execution: {status: 'idle'}, bootCount: 0});
+    res.json({acknowledged: true});
+  }));
+
+  app.get('/admin/update/log', wrapAsync(async (req, res) => {
+    if (!requireAdmin(req, res)) return;
+    const lines = await tailLines(logPath(), 200);
+    res.set('Content-Type', 'text/plain; charset=utf-8');
+    res.send(lines.join('\n'));
+  }));
+
+  // Lock-held probe so isHeld is reachable. Status endpoint already calls this.
+  void isHeld;
+
+  cb();
+};
+```
+
+In `src/ep.json`, add the new hook (find the existing `expressCreateServer` block listing `updateStatus` and append):
+
+```json
+{
+  "expressCreateServer": [
+    "ep_etherpad-lite/node/updater/index",
+    "ep_etherpad-lite/node/hooks/express/updateStatus",
+    "ep_etherpad-lite/node/hooks/express/updateActions"
+  ]
+}
+```
+
+(Adjust the array structure to match the actual `ep.json` format — likely each hook is a separate object. Verify with `cat src/ep.json` first.)
+
+- [ ] **Step 4: Run — pass**
+
+```bash
+pnpm run ts-check
+pnpm run test -- --grep updateActions
+```
+
+Expected: TS clean, mocha PASS.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add src/node/hooks/express/updateActions.ts src/ep.json src/tests/backend/specs/updateActions.ts
+git commit -m "$(cat <<'EOF'
+feat(updater): apply / cancel / acknowledge / log endpoints
+
+Strict admin-only POSTs that drive Tier 2's manual-click flow:
+- /admin/update/apply: acquire lock, preflight, drain 60s, execute, exit 75
+- /admin/update/cancel: cancel a pre-execute state, release lock
+- /admin/update/acknowledge: clear terminal states (preflight-failed,
+  rolled-back, rollback-failed) back to idle
+- /admin/update/log: tail var/log/update.log for the in-progress UI
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 12: Admin UI — Apply / Cancel / Acknowledge buttons
+
+**Files:**
+- Modify: `admin/src/pages/UpdatePage.tsx`
+- Modify: `admin/src/store/store.ts`
+- Modify: `src/locales/en.json`
+
+- [ ] **Step 1: Extend the store**
+
+In `admin/src/store/store.ts`, extend `UpdateStatusPayload`:
+
+```typescript
+export type Execution =
+  | {status: 'idle'}
+  | {status: 'preflight'; targetTag: string; startedAt: string}
+  | {status: 'preflight-failed'; targetTag: string; reason: string; at: string}
+  | {status: 'draining'; targetTag: string; drainEndsAt: string; startedAt: string}
+  | {status: 'executing'; targetTag: string; fromSha: string; startedAt: string}
+  | {status: 'pending-verification'; targetTag: string; fromSha: string; deadlineAt: string}
+  | {status: 'verified'; targetTag: string; verifiedAt: string}
+  | {status: 'rolling-back'; reason: string; targetTag: string; fromSha: string; at: string}
+  | {status: 'rolled-back'; reason: string; targetTag: string; restoredSha: string; at: string}
+  | {status: 'rollback-failed'; reason: string; targetTag: string; fromSha: string; at: string};
+
+export interface UpdateStatusPayload {
+  // ...existing fields...
+  execution: Execution;
+  lastResult: null | {
+    targetTag: string; fromSha: string;
+    outcome: 'verified' | 'rolled-back' | 'rollback-failed' | 'preflight-failed' | 'cancelled';
+    reason: string | null; at: string;
+  };
+  lockHeld: boolean;
+}
+```
+
+Add a log slice:
+
+```typescript
+type StoreState = {
+  // ...existing...
+  updateLog: string;
+  setUpdateLog: (log: string) => void;
+};
+// in create():
+updateLog: '',
+setUpdateLog: (log) => set({updateLog: log}),
+```
+
+- [ ] **Step 2: Replace `UpdatePage.tsx`**
+
+Replace the `return` block of `UpdatePage` so the `ok` path renders Apply/Cancel/Acknowledge per `execution.status`:
+
+```tsx
+const apply = async () => {
+  await fetch('/admin/update/apply', {method: 'POST', credentials: 'same-origin'});
+  // Re-fetch status — server returned 202, the actual transition happened in the background.
+  const r = await fetch('/admin/update/status', {credentials: 'same-origin'});
+  if (r.ok) setUpdateStatus(await r.json());
+};
+const cancel = async () => {
+  await fetch('/admin/update/cancel', {method: 'POST', credentials: 'same-origin'});
+  const r = await fetch('/admin/update/status', {credentials: 'same-origin'});
+  if (r.ok) setUpdateStatus(await r.json());
+};
+const acknowledge = async () => {
+  await fetch('/admin/update/acknowledge', {method: 'POST', credentials: 'same-origin'});
+  const r = await fetch('/admin/update/status', {credentials: 'same-origin'});
+  if (r.ok) setUpdateStatus(await r.json());
+};
+
+const status = us.execution.status;
+const showApply = us.policy?.canManual && (status === 'idle' || status === 'verified' || status.startsWith('rolled-back') || status === 'preflight-failed') && !us.lockHeld;
+const showCancel = status === 'preflight' || status === 'draining';
+const showAcknowledge = status === 'preflight-failed' || status === 'rolled-back' || status === 'rollback-failed';
+
+return (
+  <div className="update-page">
+    <h1><Trans i18nKey="update.page.title"/></h1>
+    <dl>
+      {/* ...existing dl entries... */}
+      <dt><Trans i18nKey="update.page.execution"/></dt>
+      <dd>{t(`update.execution.${status}`, {defaultValue: status})}</dd>
+    </dl>
+    {us.lastResult && (
+      <p className={`last-result last-result-${us.lastResult.outcome}`}>
+        <Trans i18nKey={`update.page.last_result.${us.lastResult.outcome}`}
+          values={{tag: us.lastResult.targetTag, reason: us.lastResult.reason ?? ''}}/>
+      </p>
+    )}
+    {us.policy && !us.policy.canManual && (
+      <p className="policy-deny">
+        <Trans i18nKey={`update.page.policy.${us.policy.reason}`} defaults={us.policy.reason}/>
+      </p>
+    )}
+    <div className="update-actions">
+      {showApply && <button onClick={apply}>{t('update.page.apply')}</button>}
+      {showCancel && <button onClick={cancel}>{t('update.page.cancel')}</button>}
+      {showAcknowledge && <button onClick={acknowledge}>{t('update.page.acknowledge')}</button>}
+    </div>
+    {/* changelog block — keep as in PR 1 */}
+  </div>
+);
+```
+
+- [ ] **Step 3: Add the i18n keys**
+
+In `src/locales/en.json`, add:
+
+```json
+  "update.page.apply": "Apply update",
+  "update.page.cancel": "Cancel",
+  "update.page.acknowledge": "Acknowledge",
+  "update.page.execution": "Status",
+  "update.page.policy.install-method-not-writable": "Updates from the admin UI require a git install. Update via your package manager.",
+  "update.page.policy.rollback-failed-terminal": "A previous update failed and could not be rolled back. Manual intervention required; press Acknowledge to clear the lock once the install is healthy.",
+  "update.page.policy.up-to-date": "You are running the latest version.",
+  "update.page.policy.tier-off": "Updates are disabled (updates.tier = \"off\").",
+  "update.page.last_result.verified": "Last update to {{tag}} verified.",
+  "update.page.last_result.rolled-back": "Last attempted update to {{tag}} rolled back: {{reason}}.",
+  "update.page.last_result.rollback-failed": "Last update attempt failed AND rollback failed: {{reason}}. Manual intervention required.",
+  "update.page.last_result.preflight-failed": "Last attempted update to {{tag}} failed preflight: {{reason}}.",
+  "update.page.last_result.cancelled": "Last attempted update to {{tag}} cancelled by admin.",
+  "update.execution.idle": "Idle",
+  "update.execution.preflight": "Pre-flight checks",
+  "update.execution.preflight-failed": "Pre-flight failed",
+  "update.execution.draining": "Draining sessions",
+  "update.execution.executing": "Updating...",
+  "update.execution.pending-verification": "Pending verification",
+  "update.execution.verified": "Verified",
+  "update.execution.rolling-back": "Rolling back",
+  "update.execution.rolled-back": "Rolled back",
+  "update.execution.rollback-failed": "Rollback failed",
+  "update.banner.terminal.rollback-failed": "An update attempt failed and could not be rolled back. Manual intervention required.",
+  "update.drain.t60": "Etherpad will restart in 60 seconds to apply an update.",
+  "update.drain.t30": "Etherpad will restart in 30 seconds to apply an update.",
+  "update.drain.t10": "Etherpad will restart in 10 seconds to apply an update."
+```
+
+- [ ] **Step 4: Build the admin UI and visit it locally**
+
+```bash
+pnpm install   # ensure admin deps in case anything is missing
+pnpm --filter admin run build
+pnpm run dev -- --port 9003 &
+# In a browser: http://localhost.lan:9003/admin/update — log in as admin
+# Verify the Apply button renders when latest version differs from current
+kill %1
+```
+
+> Don't kill the apply manually after pressing it on a real install — the update will actually run. Use `pnpm run dev` in a disposable worktree if you want to test the full apply path.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add admin/src/pages/UpdatePage.tsx admin/src/store/store.ts src/locales/en.json
+git commit -m "$(cat <<'EOF'
+feat(updater): admin UI Apply/Cancel/Acknowledge buttons
+
+UpdatePage renders the right action set per execution.status, surfaces
+lastResult with localised copy, and shows policy denial reasons (e.g.
+install-method-not-writable, rollback-failed-terminal). Buttons round-
+trip status through /admin/update/status after each action.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 13: Admin UI — log stream view
+
+**Files:**
+- Modify: `admin/src/pages/UpdatePage.tsx`
+
+While `execution.status === 'preflight' | 'draining' | 'executing' | 'rolling-back'`, poll `/admin/update/log` once a second and render the tail in a `<pre>`. Stop polling when the status leaves the set.
+
+- [ ] **Step 1: Add the polling effect**
+
+Inside `UpdatePage`, after the existing `useEffect` for `/admin/update/status`, add:
+
+```tsx
+const log = useStore((s) => s.updateLog);
+const setLog = useStore((s) => s.setUpdateLog);
+const inFlight = ['preflight', 'draining', 'executing', 'rolling-back'].includes(us?.execution?.status ?? '');
+useEffect(() => {
+  if (!inFlight) return;
+  let cancelled = false;
+  const tick = async () => {
+    if (cancelled) return;
+    try {
+      const r = await fetch('/admin/update/log', {credentials: 'same-origin'});
+      if (r.ok) setLog(await r.text());
+      // Re-fetch status too so we know when to stop polling.
+      const s = await fetch('/admin/update/status', {credentials: 'same-origin'});
+      if (s.ok) setUpdateStatus(await s.json());
+    } catch {/* noop */}
+    if (!cancelled) setTimeout(tick, 1000);
+  };
+  tick();
+  return () => { cancelled = true; };
+}, [inFlight, setLog, setUpdateStatus]);
+```
+
+In the JSX:
+
+```tsx
+{inFlight && (
+  <section className="update-log">
+    <h2><Trans i18nKey="update.page.log"/></h2>
+    <pre style={{whiteSpace: 'pre-wrap', maxHeight: '320px', overflow: 'auto'}}>{log}</pre>
+  </section>
+)}
+```
+
+- [ ] **Step 2: Add i18n key**
+
+In `src/locales/en.json`:
+
+```json
+  "update.page.log": "Update log (last 200 lines)"
+```
+
+- [ ] **Step 3: Smoke test in a browser**
+
+Same workflow as Task 12 step 4. Trigger an Apply on a git checkout that's safe to update (e.g., a disposable worktree). Watch the log block populate.
+
+- [ ] **Step 4: Commit**
+
+```bash
+git add admin/src/pages/UpdatePage.tsx src/locales/en.json
+git commit -m "$(cat <<'EOF'
+feat(updater): admin UI streams update log while update is in flight
+
+While execution.status is preflight/draining/executing/rolling-back the
+page polls /admin/update/log + /admin/update/status once a second,
+showing the rolling tail and switching off automatically when the run
+terminates.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 14: Pad-side drain announcement
+
+**Files:**
+- Modify: `src/static/js/chat.js` or `src/static/js/pad.js` (whichever handles incoming `shoutMessage`)
+- Modify: `src/locales/en.json` (already done in Task 12 — verify keys exist)
+
+`broadcastShout` in Task 11 sends a shoutMessage payload of the form `{message: {message: 'update.drain.t60', values: {seconds: 60}}, ...}`. The pad client renders shouts via the existing chat pipeline. We need that pipeline to look up `payload.message.message` as a translation key when present and substitute `payload.message.values`.
+
+- [ ] **Step 1: Find the shout-rendering site**
+
+```bash
+grep -rn "shoutMessage\|payload.message" src/static/js/ | head -20
+```
+
+Locate the function that turns the COLLABROOM shoutMessage into chat text. In Etherpad core that lives in `src/static/js/pad.js` or `src/static/js/chat.js` — search for `shoutMessage`.
+
+- [ ] **Step 2: Extend the renderer to handle i18n keys**
+
+Wrap the existing logic so `if (typeof payload.message.message === 'string' && payload.message.message.startsWith('update.drain.'))` is rendered through `html10n.translations` lookup; otherwise fall back to current behaviour. Concrete patch (adapt to actual code):
+
+```javascript
+// existing:
+//   const text = payload.message.message;
+// becomes:
+const raw = payload.message.message;
+const values = payload.message.values || {};
+let text = raw;
+if (typeof raw === 'string' && raw.startsWith('update.drain.') && window.html10n && window.html10n.translations) {
+  const tpl = window.html10n.translations[raw];
+  if (typeof tpl === 'string') {
+    text = tpl.replace(/\{\{(\w+)\}\}/g, (_, k) => String(values[k] ?? ''));
+  }
+}
+```
+
+(`html10n.get(raw, values)` is the bound API but `window._` is unbound per memory `project_plugin_window_underscore_audit.md` — go through `window.html10n.translations` directly to dodge that bug.)
+
+- [ ] **Step 3: Add a Playwright test**
+
+In `src/tests/frontend-new/specs/`, add a spec that opens a pad, simulates a shout from the admin socket via the existing admin shout test pattern (`grep -rn "shout" src/tests/frontend-new/`) — if no harness exists, skip this Playwright test and rely on the manual smoke step below. **Do not write a fake test.**
+
+- [ ] **Step 4: Manual smoke test**
+
+```bash
+pnpm run dev -- --port 9003 &
+# Open http://localhost.lan:9003/p/test-drain in one tab
+# In another tab, log in to /admin and use the Shout feature to send "update.drain.t60"
+# Verify the pad shows "Etherpad will restart in 60 seconds..."
+kill %1
+```
+
+If the manual test fails — i.e., the pad shows the literal key — adjust the renderer in step 2 until the pad shows the localised string. Per memory `feedback_test_localized_strings`, do not declare done while the literal key shows.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add src/static/js/chat.js src/static/js/pad.js
+git commit -m "$(cat <<'EOF'
+feat(updater): pad shoutMessage renders update.drain.* via html10n
+
+When the executor's drain phase broadcasts update.drain.t60/t30/t10,
+pads render the localised string instead of the bare i18n key. Goes
+through html10n.translations directly to dodge the unbound window._
+bug documented in project_plugin_window_underscore_audit.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 15: Integration test — end-to-end against a tmp git repo
+
+**Files:**
+- Create: `src/tests/backend/specs/updater-integration.ts`
+
+This is the highest-value test in the plan: it runs `executeUpdate` against a real tmp git repo, verifying happy path + each rollback variant by stubbing only the steps that would mutate the *current* install (we replace `pnpm install` with a `bash -c 'exit 0'` and similar). The test is deliberately heavy — run it on its own, not in the unit-test loop.
+
+- [ ] **Step 1: Skeleton failing test**
+
+Create `src/tests/backend/specs/updater-integration.ts`:
+
+```typescript
+'use strict';
+
+const assert = require('assert').strict;
+import {execSync, spawn} from 'node:child_process';
+import fs from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import {executeUpdate} from '../../../node/updater/UpdateExecutor';
+import {performRollback, checkPendingVerification} from '../../../node/updater/RollbackHandler';
+import {EMPTY_STATE} from '../../../node/updater/types';
+
+const sh = (cmd: string, opts: any = {}) => execSync(cmd, {stdio: 'pipe', ...opts}).toString().trim();
+
+const buildTmpRepo = async (): Promise<string> => {
+  const dir = await fs.mkdtemp(path.join(os.tmpdir(), 'updater-it-'));
+  sh('git init -b main', {cwd: dir});
+  sh('git config user.email test@example.com', {cwd: dir});
+  sh('git config user.name test', {cwd: dir});
+  await fs.writeFile(path.join(dir, 'pnpm-lock.yaml'), 'lockfileVersion: x\n');
+  sh('git add . && git commit -m initial', {cwd: dir});
+  sh('git tag v0.0.1', {cwd: dir});
+  await fs.writeFile(path.join(dir, 'pnpm-lock.yaml'), 'lockfileVersion: y\n');
+  sh('git add . && git commit -m bump', {cwd: dir});
+  sh('git tag v0.0.2', {cwd: dir});
+  // executor expects an "origin" — point it at the same dir for the ls-remote check.
+  sh(`git remote add origin ${dir}`, {cwd: dir});
+  return dir;
+};
+
+const stubSpawn = (overrides: Record<string, number> = {}) => {
+  // Emulate spawn for everything by mapping (cmd, args) -> exit code.
+  return ((cmd: string, args: string[]) => {
+    const key = `${cmd} ${args.join(' ')}`;
+    const exit = overrides[key] ?? (cmd === 'pnpm' ? 0 : -1); // -1 means "use real git"
+    if (exit === -1) {
+      // Real git for this step.
+      const real = spawn(cmd, args, {cwd: (overrides as any).__cwd, stdio: ['ignore', 'pipe', 'pipe']});
+      return real;
+    }
+    return {
+      stdout: {on: () => {}}, stderr: {on: () => {}},
+      on: (e: string, cb: any) => e === 'close' && setImmediate(() => cb(exit)),
+    } as any;
+  }) as any;
+};
+
+describe(__filename, function () {
+  this.timeout(20_000);
+
+  it('happy path: executes against tmp repo, lands on pending-verification', async () => {
+    const repo = await buildTmpRepo();
+    const states: any[] = [];
+    let exited: number | null = null;
+    const r = await executeUpdate({
+      repoDir: repo,
+      backupDir: path.join(repo, 'var', 'update-backup'),
+      spawnFn: stubSpawn({'pnpm install --frozen-lockfile': 0, 'pnpm run build:ui': 0, __cwd: repo} as any),
+      readSha: async () => sh('git rev-parse HEAD', {cwd: repo}),
+      copyFile: (s, d) => fs.mkdir(path.dirname(d), {recursive: true}).then(() => fs.copyFile(s, d)),
+      saveState: async (s) => { states.push(structuredClone(s)); },
+      initialState: structuredClone(EMPTY_STATE),
+      targetTag: 'v0.0.2',
+      now: () => new Date(),
+      exit: (code) => { exited = code; },
+    });
+    assert.equal(r.outcome, 'pending-verification');
+    assert.equal(exited, 75);
+    assert.equal(states.at(-1).execution.status, 'pending-verification');
+    // Backup file exists.
+    await fs.access(path.join(repo, 'var', 'update-backup', 'pnpm-lock.yaml'));
+    await fs.rm(repo, {recursive: true, force: true});
+  });
+
+  it('install failure rolls back to original SHA', async () => {
+    const repo = await buildTmpRepo();
+    const original = sh('git rev-parse HEAD', {cwd: repo});
+    let exited: number | null = null;
+    const states: any[] = [];
+
+    // Phase 1: executor with failing install.
+    await executeUpdate({
+      repoDir: repo, backupDir: path.join(repo, 'var', 'update-backup'),
+      spawnFn: stubSpawn({'pnpm install --frozen-lockfile': 1, __cwd: repo} as any),
+      readSha: async () => sh('git rev-parse HEAD', {cwd: repo}),
+      copyFile: (s, d) => fs.mkdir(path.dirname(d), {recursive: true}).then(() => fs.copyFile(s, d)),
+      saveState: async (s) => { states.push(structuredClone(s)); },
+      initialState: structuredClone(EMPTY_STATE),
+      targetTag: 'v0.0.2',
+      now: () => new Date(),
+      exit: (c) => { exited = c; },
+    });
+    assert.equal(states.at(-1).execution.status, 'rolling-back');
+
+    // Phase 2: rollback.
+    await performRollback(states.at(-1), {
+      repoDir: repo, backupDir: path.join(repo, 'var', 'update-backup'),
+      spawnFn: stubSpawn({'pnpm install --frozen-lockfile': 0, __cwd: repo} as any),
+      copyFile: (s, d) => fs.copyFile(s, d),
+      saveState: async (s) => { states.push(structuredClone(s)); },
+      exit: (c) => { exited = c; },
+      now: () => new Date(),
+      rollbackHealthCheckSeconds: 60,
+    });
+    assert.equal(states.at(-1).execution.status, 'rolled-back');
+    assert.equal(sh('git rev-parse HEAD', {cwd: repo}), original);
+    assert.equal(exited, 75);
+    await fs.rm(repo, {recursive: true, force: true});
+  });
+
+  // Add: build-failure rollback (same as install-failure but with build:ui exit 1).
+  // Add: crash-loop guard (state.bootCount = 3 forces immediate rollback in checkPendingVerification).
+});
+```
+
+- [ ] **Step 2: Run — confirm fail / pass**
+
+Run: `pnpm run test -- --grep updater-integration`
+Expected: PASS for the two scenarios above; if not, debug — typical issues are `git ls-remote --tags` against a self-origin which needs `git push origin v0.0.2` first; add it inside `buildTmpRepo`.
+
+- [ ] **Step 3: Add the build-failure + crash-loop scenarios**
+
+Append:
+
+```typescript
+  it('build failure rolls back to original SHA', async () => { /* same as install but spawnFn returns build:ui=1, install=0 */ });
+
+  it('crash-loop guard forces rollback when bootCount > 2', async () => {
+    const repo = await buildTmpRepo();
+    const original = sh('git rev-parse HEAD', {cwd: repo});
+    sh('git checkout v0.0.2', {cwd: repo});
+    // pretend we're already on v0.0.2 (post-update boot) and the lockfile backup exists.
+    await fs.mkdir(path.join(repo, 'var', 'update-backup'), {recursive: true});
+    await fs.copyFile(path.join(repo, 'pnpm-lock.yaml'), path.join(repo, 'var', 'update-backup', 'pnpm-lock.yaml'));
+    sh(`git checkout ${original}`, {cwd: repo});
+    sh(`cp var/update-backup/pnpm-lock.yaml pnpm-lock.yaml`, {cwd: repo});
+    sh('git checkout v0.0.2', {cwd: repo});
+
+    let exited: number | null = null;
+    const states: any[] = [];
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {status: 'pending-verification', targetTag: 'v0.0.2', fromSha: original, deadlineAt: '2026-05-08T10:00:00Z'} as const,
+      bootCount: 3,
+    };
+    const r = checkPendingVerification(state, {
+      repoDir: repo, backupDir: path.join(repo, 'var', 'update-backup'),
+      spawnFn: stubSpawn({'pnpm install --frozen-lockfile': 0, __cwd: repo} as any),
+      copyFile: (s, d) => fs.copyFile(s, d),
+      saveState: async (s) => { states.push(structuredClone(s)); },
+      exit: (c) => { exited = c; },
+      now: () => new Date(),
+      rollbackHealthCheckSeconds: 60,
+    });
+    assert.equal(r.armed, false);
+    // Wait a tick for the async rollback to finish.
+    await new Promise((r) => setImmediate(r));
+    assert.equal(states.at(-1).execution.status, 'rolled-back');
+    assert.equal(sh('git rev-parse HEAD', {cwd: repo}), original);
+    assert.equal(exited, 75);
+    await fs.rm(repo, {recursive: true, force: true});
+  });
+```
+
+- [ ] **Step 4: Run all integration tests**
+
+Run: `pnpm run test -- --grep "updater-integration|updateActions|updateStatus"`
+Expected: PASS for everything.
+
+- [ ] **Step 5: Commit**
+
+```bash
+git add src/tests/backend/specs/updater-integration.ts
+git commit -m "$(cat <<'EOF'
+test(updater): integration suite over a tmp git repo
+
+Exercises executeUpdate + performRollback + checkPendingVerification
+end-to-end against a disposable git repo with two tagged commits:
+happy path -> pending-verification, install-fail rollback, build-fail
+rollback, crash-loop bootCount>2 forced rollback. Runs with mocha at
+20s timeout; no real pnpm/network.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 16: Playwright spec — admin Apply flow
+
+**Files:**
+- Create: `src/tests/frontend-new/admin-spec/update-page-actions.spec.ts`
+
+The Playwright spec stubs the network: it intercepts `/admin/update/status` to seed a fake `latest`, intercepts `/admin/update/apply` to return `202`, and verifies the UI transitions through the right buttons. We do *not* actually run an update — that's covered by the manual smoke runbook.
+
+- [ ] **Step 1: Failing spec**
+
+Create `src/tests/frontend-new/admin-spec/update-page-actions.spec.ts`:
+
+```typescript
+import {expect, test} from '@playwright/test';
+
+const baseStatus = {
+  currentVersion: '2.7.1',
+  latest: {version: '2.7.2', tag: 'v2.7.2', body: 'release notes', publishedAt: '2026-05-01T00:00:00Z', prerelease: false, htmlUrl: 'https://example/'},
+  lastCheckAt: '2026-05-08T00:00:00Z',
+  installMethod: 'git',
+  tier: 'manual',
+  policy: {canNotify: true, canManual: true, canAuto: false, canAutonomous: false, reason: 'ok'},
+  vulnerableBelow: [],
+  execution: {status: 'idle'},
+  lastResult: null,
+  lockHeld: false,
+};
+
+test('admin Apply button posts to /admin/update/apply and re-fetches status', async ({page}) => {
+  let posted = false;
+  await page.route('**/admin/update/status', (route) => route.fulfill({json: baseStatus}));
+  await page.route('**/admin/update/apply', (route) => { posted = true; route.fulfill({status: 202, json: {accepted: true}}); });
+  await page.goto('/admin/update');
+  await expect(page.getByRole('button', {name: /apply update/i})).toBeVisible();
+  await page.getByRole('button', {name: /apply update/i}).click();
+  await expect.poll(() => posted).toBe(true);
+});
+
+test('install-method-not-writable hides Apply and shows the policy reason', async ({page}) => {
+  const denied = {...baseStatus, installMethod: 'docker',
+    policy: {canNotify: true, canManual: false, canAuto: false, canAutonomous: false, reason: 'install-method-not-writable'}};
+  await page.route('**/admin/update/status', (route) => route.fulfill({json: denied}));
+  await page.goto('/admin/update');
+  await expect(page.getByRole('button', {name: /apply update/i})).toHaveCount(0);
+  await expect(page.getByText(/Updates from the admin UI require a git install/i)).toBeVisible();
+});
+
+test('rollback-failed shows Acknowledge button', async ({page}) => {
+  const terminal = {...baseStatus,
+    execution: {status: 'rollback-failed', reason: 'pnpm install failed; rollback failed: pnpm exit 1', targetTag: 'v2.7.2', fromSha: 'x', at: '2026-05-08T00:00:00Z'},
+    lastResult: {targetTag: 'v2.7.2', fromSha: 'x', outcome: 'rollback-failed', reason: 'pnpm install failed', at: '2026-05-08T00:00:00Z'}};
+  await page.route('**/admin/update/status', (route) => route.fulfill({json: terminal}));
+  await page.goto('/admin/update');
+  await expect(page.getByRole('button', {name: /acknowledge/i})).toBeVisible();
+});
+```
+
+- [ ] **Step 2: Run**
+
+```bash
+pnpm run test-ui -- src/tests/frontend-new/admin-spec/update-page-actions.spec.ts
+```
+
+Expected: PASS.
+
+- [ ] **Step 3: Commit**
+
+```bash
+git add src/tests/frontend-new/admin-spec/update-page-actions.spec.ts
+git commit -m "$(cat <<'EOF'
+test(updater): Playwright admin Apply flow + policy denial + acknowledge
+
+Stubs /admin/update/status and /admin/update/apply at the route level so
+we can assert UI transitions (button visibility, policy-denial copy,
+terminal-state acknowledge) without actually running an update.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 17: Banner copy for terminal states
+
+**Files:**
+- Modify: `admin/src/components/UpdateBanner.tsx`
+
+When `execution.status === 'rollback-failed'`, the banner text should be the strong `update.banner.terminal.rollback-failed` copy and link to `/update`.
+
+- [ ] **Step 1: Patch the banner**
+
+Replace the JSX so it picks the right key:
+
+```tsx
+if (!updateStatus) return null;
+const exec = updateStatus.execution?.status;
+if (exec === 'rollback-failed') {
+  return (
+    <div className="update-banner update-banner-terminal" role="alert">
+      <strong><Trans i18nKey="update.banner.terminal.rollback-failed"/></strong>{' '}
+      <Link to="/update">{t('update.banner.cta')}</Link>
+    </div>
+  );
+}
+if (!updateStatus.latest || updateStatus.currentVersion === updateStatus.latest.version) return null;
+// existing ok-banner...
+```
+
+- [ ] **Step 2: Manual visual test**
+
+Seed the state file (`var/update-state.json`) with `execution.status: 'rollback-failed'` then load `/admin/update`. Confirm the banner copy matches `update.banner.terminal.rollback-failed`, not the literal key. Per memory `feedback_test_localized_strings`, fail the task if the literal key shows.
+
+- [ ] **Step 3: Commit**
+
+```bash
+git add admin/src/components/UpdateBanner.tsx
+git commit -m "$(cat <<'EOF'
+feat(updater): admin banner shows rollback-failed terminal state
+
+When execution.status is rollback-failed, the banner switches to a
+role=alert with stronger copy, regardless of whether a new release is
+known. Other terminal states (preflight-failed, rolled-back) surface on
+the page itself, not the banner — they're informational, not urgent.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 18: Documentation + smoke runbook
+
+**Files:**
+- Modify: `doc/admin/updates.md`
+- Modify: `CHANGELOG.md`
+- Create: `docs/superpowers/specs/2026-04-25-auto-update-runbook.md`
+
+The spec's "Phased rollout / PR 2" entry calls out a runbook ("manual smoke runbook in `docs/superpowers/specs/2026-04-25-auto-update-runbook.md`, run before each tier ships, against a disposable VM"). This task ships it alongside the user-facing docs.
+
+- [ ] **Step 0: Write the smoke runbook**
+
+Create `docs/superpowers/specs/2026-04-25-auto-update-runbook.md` covering:
+
+1. Provisioning a disposable Ubuntu/Debian VM with systemd + a checked-out git install.
+2. Setting `updates.tier: "manual"` in `settings.json`.
+3. Booting under systemd with `Restart=on-failure` + `RestartSec=5` (sample unit file inline).
+4. Forcing a downgrade by `git checkout` of the previous tag, restart, confirm Apply button shows.
+5. Apply, observe drain broadcasts in a separate pad, observe restart, observe verified state.
+6. Forcing rollback: corrupt `pnpm-lock.yaml` between checkout and install (or pin to a tag with a known-broken build), Apply, observe rolled-back state.
+7. Forcing rollback-failed: also break the backup lockfile, Apply, observe terminal state and Acknowledge flow.
+8. Crash-loop guard: pin a tag whose code throws on boot, Apply, observe bootCount climb to 3 + forced rollback.
+9. Sign-off checklist: every observable transition matches `docs/superpowers/specs/2026-04-25-auto-update-design.md` "State machine".
+
+- [ ] **Step 1: Append Tier 2 section to `doc/admin/updates.md`**
+
+Document:
+- Activation: `updates.tier: "manual"` requires a `git` install.
+- Process supervisor required (systemd/pm2/docker restart-policy) — Etherpad exits 75 to trigger restart.
+- Apply flow: button → preflight → 60s drain (broadcasts at T-60/-30/-10) → fetch/checkout/install/build → exit → restart → 60s health check.
+- Rollback paths: install/build failure, health-check timeout, crash loop (>2 reboots).
+- Terminal states: `preflight-failed` and `rolled-back` are informational; `rollback-failed` requires `POST /admin/update/acknowledge` after manual recovery.
+- Settings: each new key with default + when to change.
+- Signature verification: opt-in via `requireSignature: true`; document GNUPGHOME path.
+- What is *not* covered: Tier 3 (auto) and Tier 4 (autonomous) ship later.
+
+- [ ] **Step 2: Add to `CHANGELOG.md` Unreleased**
+
+```markdown
+### Updater
+- Tier 2 (manual click): admins can now apply updates from `/admin/update` on git installs. Requires a process supervisor; the executor exits 75 to trigger restart, and the next boot runs a 60s health check that auto-rolls back on failure. Tags are signature-checked when `updates.requireSignature: true`. New settings: `updates.preApplyGraceMinutes`, `drainSeconds`, `rollbackHealthCheckSeconds`, `diskSpaceMinMB`, `requireSignature`, `trustedKeysPath`.
+```
+
+- [ ] **Step 3: Commit**
+
+```bash
+git add doc/admin/updates.md CHANGELOG.md docs/superpowers/specs/2026-04-25-auto-update-runbook.md
+git commit -m "$(cat <<'EOF'
+docs(updater): document Tier 2 manual-click flow + smoke runbook
+
+Adds doc/admin/updates.md Tier 2 section: prerequisites (git install +
+process supervisor), Apply flow with timings, rollback paths, terminal
+states + acknowledge, signature-verification opt-in. Ships the manual
+smoke runbook the design spec calls for: disposable VM, systemd unit,
+forced rollback / rollback-failed / crash-loop scenarios. Notes Tier 3/4
+are deferred to follow-up PRs.
+
+Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
+EOF
+)"
+```
+
+---
+
+## Task 19: Final sanity sweep + open PR
+
+**Files:** none (workflow only).
+
+- [ ] **Step 1: Full type check + tests**
+
+```bash
+pnpm run ts-check
+pnpm vitest run src/tests/backend-new/specs/updater
+pnpm run test -- --grep "updater|updateActions|updateStatus"
+pnpm run test-ui -- src/tests/frontend-new/admin-spec/update-page-actions.spec.ts
+pnpm --filter admin run build
+```
+
+Expected: every step PASS.
+
+- [ ] **Step 2: Push branch**
+
+```bash
+git push -u origin feat/7607-auto-update-tier2-manual-click
+```
+
+- [ ] **Step 3: Open PR against `develop`**
+
+```bash
+gh pr create --base develop --title "feat(updater): tier 2 — manual-click update from /admin/update (#7607)" --body "$(cat <<'EOF'
+## Summary
+
+Ships **Tier 2 (manual click)** of the four-tier auto-update design at
+`docs/superpowers/specs/2026-04-25-auto-update-design.md`. Builds on PR #7601
+(Tier 1 — notify, merged 2026-05-01).
+
+- Admins on git installs see an **Apply update** button at `/admin/update`.
+- Click flow: pre-flight checks → 60s drain (with T-60/-30/-10 pad broadcasts) → `git fetch / checkout / pnpm install --frozen-lockfile / pnpm run build:ui` → exit 75 for the supervisor to restart.
+- 60s health-check on the next boot. On crash loop (bootCount > 2) or health-check timeout we restore the prior SHA + lockfile and exit 75 again.
+- Terminal `rollback-failed` state surfaces a strong banner; admin clicks **Acknowledge** to clear after manual recovery.
+- New settings under `updates.*`: `preApplyGraceMinutes`, `drainSeconds`, `rollbackHealthCheckSeconds`, `diskSpaceMinMB`, `requireSignature`, `trustedKeysPath` (all opt-in / sane defaults).
+- Signature verification (`requireSignature`) is opt-in and stub-friendly: false → log warning and pass; true → `git verify-tag <tag>` against the user keyring (or `trustedKeysPath` via `GNUPGHOME`). Etherpad's release process does not yet sign tags consistently — turning on by default would break Tier 2 for everyone, so this is documented as follow-up.
+
+Tier 3 (auto with grace window) and Tier 4 (autonomous within maintenance window) are out of scope for this PR.
+
+## Architecture
+
+- New atomic units under `src/node/updater/`: `lock` (PID file), `trustedKeys` (gpg via git verify-tag), `preflight` (sequenced check pipeline), `UpdateExecutor` (DI-spawn pipeline), `RollbackHandler` (boot health-timer + crash-loop guard), `SessionDrainer` (timed broadcasts + accept-flag), `updateLog` (rolling appender + tail).
+- New routes in `src/node/hooks/express/updateActions.ts`: `POST /admin/update/{apply,cancel,acknowledge}`, `GET /admin/update/log` — strict admin auth.
+- `RollbackHandler.checkPendingVerification` wires into boot in `src/node/updater/index.ts`; `markBootHealthy` is called from `src/node/server.ts` after state hits `RUNNING`.
+- Admin UI: `UpdatePage` renders Apply/Cancel/Acknowledge per `execution.status`, polls `/admin/update/log` while in flight, surfaces lastResult and policy denial copy. Banner adds a terminal-state alert variant.
+- Pad UI: existing shoutMessage pipeline learns to render `update.drain.t60/t30/t10` keys via `html10n.translations` (avoids the unbound `window._` bug).
+
+## Test plan
+
+- [x] `pnpm vitest run src/tests/backend-new/specs/updater` — unit suite (lock, preflight, trustedKeys, UpdateExecutor, RollbackHandler, SessionDrainer, updateLog, drainer-handshake, UpdatePolicy, index-boot, state)
+- [x] `pnpm run test --grep updateActions` — mocha API tests for the four new endpoints (auth, policy, terminal-state acknowledge)
+- [x] `pnpm run test --grep updater-integration` — end-to-end against a tmp git repo: happy path, install-fail rollback, build-fail rollback, crash-loop forced rollback
+- [x] `pnpm run test-ui -- src/tests/frontend-new/admin-spec/update-page-actions.spec.ts` — Playwright Apply / policy denial / Acknowledge
+- [x] Manual smoke: drain announcement renders the localised string in a real pad
+- [x] `pnpm run ts-check` clean, `pnpm --filter admin run build` clean
+
+## Notes
+
+- Process supervisor is a hard requirement for Tier 2. Documented in `doc/admin/updates.md`.
+- Tag signature verification is opt-in pending a separate "sign all releases" project. Logged as a warning when skipped.
+
+🤖 Generated with [Claude Code](https://claude.com/claude-code)
+EOF
+)"
+```
+
+- [ ] **Step 4: Wait for CI then check, fix anything that breaks**
+
+```bash
+sleep 30
+gh pr checks --watch
+```
+
+If a check fails, pull the log, fix, push. Per memory `feedback_check_ci_after_pr`, do not move on with red CI.
+
+- [ ] **Step 5: Action Qodo review**
+
+Once Qodo posts review comments, fetch and address each per memory `feedback_qodo_pr_feedback`.
+
+```bash
+gh pr view --comments | head -200
+```
+
+---
+
+## Self-review checklist (run before declaring this plan ready)
+
+- [ ] Every spec section under "Tier 2 — manual click", "Error handling", "Phased rollout / PR 2" has a corresponding task.
+- [ ] Type names / function names are consistent across tasks (e.g., `executeUpdate`, `performRollback`, `checkPendingVerification`, `runPreflight`, `acquireLock`/`releaseLock`/`isHeld`, `createDrainer`, `tailLines`, `verifyReleaseTag`).
+- [ ] No "TODO" / "TBD" / "similar to above" / "appropriate validation" placeholder steps.
+- [ ] Every `bash` snippet runs without further parameter substitution.
+- [ ] Every test step shows the actual test code, not "write a test for this".
+- [ ] Every `git commit` step lists the exact files to add and a Conventional-Commits message with the project's standard `Co-Authored-By` footer.
+- [ ] Tasks 14 and 17 require a manual visual check; that is documented as a hard gate (per memory `feedback_test_localized_strings`).
+- [ ] Tier 3 / 4 are explicitly out of scope.
diff --git a/docs/superpowers/specs/2026-04-25-auto-update-runbook.md b/docs/superpowers/specs/2026-04-25-auto-update-runbook.md
new file mode 100644
index 00000000000..84b14ff3772
--- /dev/null
+++ b/docs/superpowers/specs/2026-04-25-auto-update-runbook.md
@@ -0,0 +1,202 @@
+# Etherpad Auto-Update — Manual Smoke Runbook
+
+**Status:** required gate before each tier ships, per `2026-04-25-auto-update-design.md` § "Phased rollout".
+**Audience:** the engineer cutting a release that includes new updater code.
+**Time budget:** ~30–40 minutes for the full sweep against a disposable VM.
+
+This runbook exercises the failure paths that unit and integration tests cannot reach: a real process supervisor, a real `pnpm install` run, real session drain broadcasts to a real pad client. Run it on a throw-away VM you don't mind nuking.
+
+## 0. Provision a disposable VM
+
+Anything Linux works; the example below uses Debian/Ubuntu under systemd.
+
+```bash
+# On the VM
+sudo adduser --system --group --home /srv/etherpad --shell /bin/bash etherpad
+sudo apt update && sudo apt install -y git nodejs ca-certificates
+# Etherpad's pnpm comes from corepack — Node 22+ ships it.
+sudo -u etherpad bash -c '
+  cd /srv/etherpad
+  git clone https://github.com/ether/etherpad.git current
+  cd current
+  corepack enable && corepack prepare pnpm@latest-9 --activate
+  pnpm install
+  pnpm run build:ui
+'
+```
+
+## 1. Install Etherpad as a systemd service
+
+`/etc/systemd/system/etherpad.service`:
+
+```ini
+[Unit]
+Description=Etherpad
+After=network.target
+
+[Service]
+Type=simple
+User=etherpad
+WorkingDirectory=/srv/etherpad/current
+ExecStart=/usr/bin/pnpm run dev
+Restart=on-failure
+RestartSec=5
+SuccessExitStatus=75
+# Treat exit 75 as "intentional" so systemd doesn't escalate-restart counters.
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Then:
+
+```bash
+sudo systemctl daemon-reload
+sudo systemctl enable --now etherpad
+journalctl -u etherpad -f &  # tail the log in another terminal
+```
+
+## 2. Configure for Tier 2
+
+Edit `/srv/etherpad/current/settings.json` and set:
+
+```jsonc
+{
+  "updates": {
+    "tier": "manual",
+    "checkIntervalHours": 1,
+    "drainSeconds": 30,                 // shorten the wait during smoke testing
+    "rollbackHealthCheckSeconds": 30
+  }
+}
+```
+
+`sudo systemctl restart etherpad`. Visit `http://<vm-ip>:9001/admin/update` and log in as the admin user from `settings.json`.
+
+## 3. Force "an update is available"
+
+The simplest way: `git checkout` to a commit *before* a tagged release.
+
+```bash
+sudo -u etherpad bash -c 'cd /srv/etherpad/current && git checkout v2.7.2'
+sudo systemctl restart etherpad
+```
+
+Trigger an immediate version check (or wait an hour):
+
+```bash
+curl -fsSL http://localhost:9001/admin/update/status | jq .
+# Expect: latest.version newer than currentVersion, policy.canManual=true
+```
+
+The admin UI banner should now read **"Update available"**, and `/admin/update` should show an **"Apply update"** button.
+
+## 4. Happy path: apply, drain, restart, verify
+
+1. Open a pad in another browser tab (`http://<vm-ip>:9001/p/test`).
+2. Click **Apply update** on `/admin/update`.
+3. **Within 30 seconds** confirm:
+   - The pad shows a gritter notification "Etherpad will restart in 30 seconds…" (i18n string from `update.drain.t30`), then `update.drain.t10`.
+   - The page polls `/admin/update/log`; the `<pre>` block fills with `git fetch / checkout / pnpm install / pnpm run build:ui` output.
+4. systemd journal shows `update executed: <fromSha> -> <tag>; exiting 75 for supervisor restart`.
+5. systemd restarts the unit (~5s under `RestartSec`).
+6. Reload `/admin/update`. State should be **`verified`** with `lastResult.outcome: "verified"`.
+
+**Sign-off:** every observable transition matches the state machine in the design spec § "State machine". If any step lingers or the page shows a different status, capture `var/log/update.log` and stop.
+
+## 5. Rollback path: install failure
+
+Force a rollback by giving pnpm something it can't resolve.
+
+```bash
+# As etherpad user, in /srv/etherpad/current:
+git checkout v2.7.2
+echo 'lockfileVersion: this-is-not-real-content' >> pnpm-lock.yaml
+sudo systemctl restart etherpad
+```
+
+Visit `/admin/update` and click Apply.
+
+Expected:
+
+- Drain announcement on the pad as before.
+- Log shows `pnpm install --frozen-lockfile` exiting non-zero.
+- State goes through `rolling-back` → `rolled-back`.
+- After supervisor restart, `/admin/update` shows the **rolled-back** banner with `lastResult.reason` describing the install failure.
+- `git rev-parse HEAD` matches the pre-update SHA.
+- Click **Acknowledge** to clear the lastResult banner.
+
+## 6. Rollback path: build failure
+
+```bash
+git checkout v2.7.2
+# Break the build by introducing a syntax error:
+echo 'this is not valid TypeScript' >> src/static/js/pad.ts
+sudo systemctl restart etherpad   # confirm the broken tree still serves; we want apply to fail at build:ui, not at boot
+```
+
+Apply, observe `pnpm run build:ui` exit non-zero in the log, observe `rolling-back` → `rolled-back`. Working tree restored.
+
+Revert the syntax error before continuing.
+
+## 7. Crash-loop guard
+
+Force the new version to crash at boot more than twice. Easiest:
+
+```bash
+# As etherpad user:
+git checkout v2.7.2
+# Apply to v2.7.3, but during the apply window introduce a startup error:
+# (Edit src/node/server.ts in the v2.7.3 tag's worktree to throw immediately.)
+```
+
+Click Apply. The new boot crashes; systemd restarts; RollbackHandler increments `bootCount`. After three crashes, `bootCount > 2` triggers a forced rollback regardless of the health-check timer.
+
+Observe state lands on `rolled-back` with `reason: "health-check-failed-or-crash-loop"`. Working tree on the original SHA.
+
+## 8. Rollback-failed terminal state
+
+Hardest to set up; force `pnpm install` to fail on the rollback path too.
+
+```bash
+# Trigger a normal install-failed rollback (step 5), but BEFORE it runs the
+# rollback step, corrupt the backup lockfile:
+echo garbage > /srv/etherpad/current/var/update-backup/pnpm-lock.yaml
+# … or remove the etherpad user's permission to the install dir mid-flow.
+```
+
+Expected:
+
+- State lands on **`rollback-failed`**.
+- `/admin/update` shows the strong red banner (role=alert) with the
+  `update.banner.terminal.rollback-failed` copy.
+- `policy.canManual` stays true; `policy.canAuto` is false (terminal-blocked).
+- Manually fix the install (restore the lockfile, fix permissions), then
+  click **Acknowledge**. State returns to `idle` and Apply re-enables.
+
+## 9. Cancel during drain
+
+Click Apply. Within 30s, click Cancel.
+
+Expected:
+
+- Drain timers stop firing immediately.
+- State returns to `idle`.
+- `lastResult.outcome: "cancelled"`.
+- `var/update.lock` is gone.
+- No exit; systemd doesn't restart.
+
+## 10. Sign-off checklist
+
+Tick every line before approving the release that introduces this code:
+
+- [ ] Happy path lands on `verified` with the working tree on the new tag.
+- [ ] Install-fail and build-fail rollbacks restore the previous SHA.
+- [ ] Crash-loop guard forces rollback at `bootCount > 2`.
+- [ ] `rollback-failed` shows the strong banner and Acknowledge clears it.
+- [ ] Cancel during drain leaves no lock, returns to `idle`.
+- [ ] Pad client renders the localised drain announcement (NOT the literal i18n key).
+- [ ] systemd journal shows no unhandled rejections, no orphaned processes.
+- [ ] `var/log/update.log` is rotated when it crosses 10 MB (force this by writing >10 MB into the file and triggering an Apply).
+
+If any line is unticked, do not ship the release.
diff --git a/settings.json.docker b/settings.json.docker
index 096c722e5b2..e9815c6bed1 100644
--- a/settings.json.docker
+++ b/settings.json.docker
@@ -218,7 +218,13 @@
     "installMethod": "docker",
     "checkIntervalHours": 6,
     "githubRepo": "ether/etherpad",
-    "requireAdminForStatus": false
+    "requireAdminForStatus": false,
+    "preApplyGraceMinutes": 0,
+    "drainSeconds": 60,
+    "rollbackHealthCheckSeconds": 60,
+    "diskSpaceMinMB": 500,
+    "requireSignature": false,
+    "trustedKeysPath": null
   },
 
   /*
diff --git a/settings.json.template b/settings.json.template
index 3e477b032e9..cae83f45f1a 100644
--- a/settings.json.template
+++ b/settings.json.template
@@ -227,7 +227,22 @@
      * endpoint open (the version is already public via /health). Set true to hide
      * full update detail from non-admins without turning the updater off.
      */
-    "requireAdminForStatus": false
+    "requireAdminForStatus": false,
+    /*
+     * Tier 2+ knobs. Only meaningful at tier "manual" or higher.
+     * - preApplyGraceMinutes: tier 3 only — countdown before an auto-update applies.
+     * - drainSeconds: how long to broadcast "restart imminent" before exiting.
+     * - rollbackHealthCheckSeconds: window after restart for /health to come up.
+     * - diskSpaceMinMB: pre-flight refuses to start an update without this much free.
+     * - requireSignature: refuse updates whose tag isn't signed by a trusted key.
+     * - trustedKeysPath: override the keyring location passed to git verify-tag (GNUPGHOME).
+     */
+    "preApplyGraceMinutes": 0,
+    "drainSeconds": 60,
+    "rollbackHealthCheckSeconds": 60,
+    "diskSpaceMinMB": 500,
+    "requireSignature": false,
+    "trustedKeysPath": null
   },
 
   /*
diff --git a/src/ep.json b/src/ep.json
index 319f8f792e1..06a987d291a 100644
--- a/src/ep.json
+++ b/src/ep.json
@@ -116,6 +116,13 @@
         "expressCreateServer": "ep_etherpad-lite/node/hooks/express/updateStatus"
       }
     },
+    {
+      "name": "updateActions",
+      "post": ["ep_etherpad-lite/admin"],
+      "hooks": {
+        "expressCreateServer": "ep_etherpad-lite/node/hooks/express/updateActions"
+      }
+    },
     {
       "name": "admin",
       "hooks": {
diff --git a/src/locales/en.json b/src/locales/en.json
index a8602ad35e0..7b899881f0e 100644
--- a/src/locales/en.json
+++ b/src/locales/en.json
@@ -48,6 +48,34 @@
   "update.page.up_to_date": "You are running the latest version.",
   "update.badge.severe": "Etherpad on this server is severely outdated. Tell your admin.",
   "update.badge.vulnerable": "Etherpad on this server is running a version with known security issues. Tell your admin.",
+  "update.page.apply": "Apply update",
+  "update.page.cancel": "Cancel",
+  "update.page.acknowledge": "Acknowledge",
+  "update.page.log": "Update log (last 200 lines)",
+  "update.page.execution": "Status",
+  "update.page.policy.install-method-not-writable": "Updates from the admin UI require a git install. Update via your package manager.",
+  "update.page.policy.rollback-failed-terminal": "A previous update failed and could not be rolled back. Press Acknowledge after the install is healthy to clear the lock.",
+  "update.page.policy.up-to-date": "You are running the latest version.",
+  "update.page.policy.tier-off": "Updates are disabled (updates.tier = \"off\").",
+  "update.page.last_result.verified": "Last update to {{tag}} verified.",
+  "update.page.last_result.rolled-back": "Last attempted update to {{tag}} rolled back: {{reason}}.",
+  "update.page.last_result.rollback-failed": "Last update attempt failed AND rollback failed: {{reason}}. Manual intervention required.",
+  "update.page.last_result.preflight-failed": "Last attempted update to {{tag}} failed preflight: {{reason}}.",
+  "update.page.last_result.cancelled": "Last attempted update to {{tag}} cancelled by admin.",
+  "update.execution.idle": "Idle",
+  "update.execution.preflight": "Pre-flight checks",
+  "update.execution.preflight-failed": "Pre-flight failed",
+  "update.execution.draining": "Draining sessions",
+  "update.execution.executing": "Updating...",
+  "update.execution.pending-verification": "Pending verification",
+  "update.execution.verified": "Verified",
+  "update.execution.rolling-back": "Rolling back",
+  "update.execution.rolled-back": "Rolled back",
+  "update.execution.rollback-failed": "Rollback failed",
+  "update.banner.terminal.rollback-failed": "An update attempt failed and could not be rolled back. Manual intervention required.",
+  "update.drain.t60": "Etherpad will restart in 60 seconds to apply an update.",
+  "update.drain.t30": "Etherpad will restart in 30 seconds to apply an update.",
+  "update.drain.t10": "Etherpad will restart in 10 seconds to apply an update.",
 
   "index.newPad": "New Pad",
   "index.settings": "Settings",
diff --git a/src/node/handler/PadMessageHandler.ts b/src/node/handler/PadMessageHandler.ts
index 65ac9d7626d..22f80ea8dc6 100644
--- a/src/node/handler/PadMessageHandler.ts
+++ b/src/node/handler/PadMessageHandler.ts
@@ -37,6 +37,7 @@ import settings, {
   sofficeAvailable
 } from '../utils/Settings';
 import {anonymizeIp} from '../utils/anonymizeIp';
+import {isAcceptingConnections} from '../updater/SessionDrainer';
 const logIp = (ip: string | null | undefined) => anonymizeIp(ip, settings.ipLogging);
 const securityManager = require('../db/SecurityManager');
 const plugins = require('../../static/js/pluginfw/plugin_defs');
@@ -377,6 +378,17 @@ exports.handleMessage = async (socket:any, message: ClientVarMessage) => {
   if (!thisSession) throw new Error('message from an unknown connection');
 
   if (message.type === 'CLIENT_READY') {
+    // Refuse new joiners while the updater drainer is running. Existing sockets
+    // are unaffected — only the initial CLIENT_READY handshake is gated. The
+    // pad UI will show the drain announcement separately via shoutMessage.
+    // Use socket.emit('message', ...) for consistency with the other disconnect
+    // paths in this file (see line ~221, 569). socket.json.send is a socket.io
+    // v2/v3-era API that may not exist on v4 Socket objects.
+    if (!isAcceptingConnections()) {
+      socket.emit('message', {disconnect: 'updateInProgress'});
+      socket.disconnect(true);
+      return;
+    }
     // Prefer the HttpOnly author-token cookie over the in-message token (GDPR
     // PR3). Legacy clients (pre-PR3 browsers or API consumers) still send
     // `token` in the CLIENT_READY payload — honour it one more release, warn
diff --git a/src/node/hooks/express/socketio.ts b/src/node/hooks/express/socketio.ts
index 9184eff8831..79ef892760b 100644
--- a/src/node/hooks/express/socketio.ts
+++ b/src/node/hooks/express/socketio.ts
@@ -14,6 +14,9 @@ const padMessageHandler = require('../../handler/PadMessageHandler');
 
 let io:any;
 const logger = log4js.getLogger('socket.io');
+
+/** Returns the socket.io Server once expressCreateServer has run, or null otherwise. Used by features that need to broadcast outside the regular hook surface. */
+export const getIo = (): any => io;
 const sockets = new Set();
 const socketsEvents = new events.EventEmitter();
 
diff --git a/src/node/hooks/express/updateActions.ts b/src/node/hooks/express/updateActions.ts
new file mode 100644
index 00000000000..a951dd26b2e
--- /dev/null
+++ b/src/node/hooks/express/updateActions.ts
@@ -0,0 +1,360 @@
+'use strict';
+
+import path from 'node:path';
+import fs from 'node:fs/promises';
+import {spawn} from 'node:child_process';
+import log4js from 'log4js';
+import {ArgsExpressType} from '../../types/ArgsExpressType';
+import settings, {getEpVersion} from '../../utils/Settings';
+import {getDetectedInstallMethod, stateFilePath, getRollbackDeps} from '../../updater';
+import {evaluatePolicy} from '../../updater/UpdatePolicy';
+import {loadState, saveState} from '../../updater/state';
+import {acquireLock, releaseLock} from '../../updater/lock';
+import {executeUpdate, SpawnFn} from '../../updater/UpdateExecutor';
+import {createDrainer, DrainBroadcastKey, Drainer} from '../../updater/SessionDrainer';
+import {runPreflight} from '../../updater/preflight';
+import {verifyReleaseTag} from '../../updater/trustedKeys';
+import {tailLines, appendLine} from '../../updater/updateLog';
+import {performRollback} from '../../updater/RollbackHandler';
+import {UpdateState} from '../../updater/types';
+import {isValidTag} from '../../updater/refSafety';
+import {getIo} from './socketio';
+
+const logger = log4js.getLogger('updater');
+
+const lockPath = (): string => path.join(settings.root, 'var', 'update.lock');
+const logPath = (): string => path.join(settings.root, 'var', 'log', 'update.log');
+const backupDir = (): string => path.join(settings.root, 'var', 'update-backup');
+
+let drainer: Drainer | null = null;
+
+const requireAdmin = (req: any, res: any): boolean => {
+  const u = req.session?.user;
+  if (!u) { res.status(401).send('Authentication required'); return false; }
+  if (!u.is_admin) { res.status(403).send('Forbidden'); return false; }
+  return true;
+};
+
+const wrapAsync =
+  (fn: (req: any, res: any, next: Function) => Promise<unknown>) =>
+    (req: any, res: any, next: Function) => Promise.resolve(fn(req, res, next)).catch((err) => next(err));
+
+const broadcastShout = (key: DrainBroadcastKey, values: Record<string, unknown>): void => {
+  try {
+    const io = getIo();
+    if (!io) return;
+    // The pad-side renderer (src/static/js/pad.ts) already handles `messageKey`
+    // by routing through html10n.get(); we add a `values` field that the
+    // renderer interpolates into the localised string.
+    const message = {
+      type: 'COLLABROOM',
+      data: {
+        type: 'shoutMessage',
+        payload: {
+          message: {messageKey: key, values, sticky: false},
+          timestamp: Date.now(),
+        },
+      },
+    };
+    io.sockets.emit('shout', message);
+  } catch (err) {
+    logger.warn(`broadcastShout: ${(err as Error).message}`);
+  }
+};
+
+const buildPreflightDeps = (installMethod: ReturnType<typeof getDetectedInstallMethod>) => ({
+  installMethod,
+  workingTreeClean: () => new Promise<boolean>((resolve) => {
+    const c = spawn('git', ['status', '--porcelain'], {cwd: settings.root});
+    let out = '';
+    c.stdout.on('data', (b) => { out += b.toString(); });
+    c.on('close', () => resolve(out.trim().length === 0));
+    c.on('error', () => resolve(false));
+  }),
+  freeDiskMB: async (): Promise<number> => {
+    try {
+      const s = await (fs as any).statfs?.(settings.root);
+      if (!s) return Number.POSITIVE_INFINITY;
+      return Math.floor((Number(s.bavail) * Number(s.bsize)) / (1024 * 1024));
+    } catch {
+      // statfs unsupported on this platform — treat as "no constraint" rather than block.
+      return Number.POSITIVE_INFINITY;
+    }
+  },
+  pnpmOnPath: () => new Promise<boolean>((resolve) => {
+    const c = spawn('pnpm', ['--version'], {stdio: 'ignore'});
+    c.on('close', (code) => resolve(code === 0));
+    c.on('error', () => resolve(false));
+  }),
+  // We just acquired the lock in the apply endpoint, so don't double-check it here.
+  lockHeld: async () => false,
+  remoteHasTag: (tag: string) => new Promise<boolean>((resolve) => {
+    const c = spawn('git', ['ls-remote', '--tags', 'origin', tag],
+                    {cwd: settings.root, stdio: ['ignore', 'pipe', 'ignore']});
+    let out = '';
+    c.stdout.on('data', (b) => { out += b.toString(); });
+    c.on('close', () => resolve(out.trim().length > 0));
+    c.on('error', () => resolve(false));
+  }),
+  verifyTag: () => verifyReleaseTag({
+    tag: '', // overridden below — we close over targetTag
+    repoDir: settings.root,
+    requireSignature: settings.updates.requireSignature,
+    trustedKeysPath: settings.updates.trustedKeysPath,
+  }),
+});
+
+/**
+ * The set of update tiers at which the Tier 2 action endpoints serve.
+ * `notify` only ships read-only routes (registered in updateStatus.ts);
+ * `manual` and higher are the supersets that include manual-click. Disabled
+ * paths (off / notify) match prior behaviour: requests 404, no new attack
+ * surface vs PR 1.
+ *
+ * Read at request time (not hook-init time) so that operators flipping
+ * `updates.tier` in settings.json + reloading take effect without a full
+ * restart, and so that integration tests can drive the gate dynamically.
+ */
+const TIER2_TIERS: ReadonlySet<string> = new Set(['manual', 'auto', 'autonomous']);
+const tierAllowsActions = (): boolean => TIER2_TIERS.has(settings.updates.tier);
+
+export const expressCreateServer = (
+  _hookName: string,
+  {app}: ArgsExpressType,
+  cb: Function,
+): void => {
+  // Always register the routes; gate at request time so a runtime tier change
+  // takes effect on the next request rather than requiring a restart.
+  // The early 404 below preserves Qodo #1's "disabled path matches prior
+  // behaviour (no Tier 2 endpoints existed before this PR)" requirement.
+  const tierGate = (req: any, res: any, next: Function) => {
+    if (!tierAllowsActions()) return res.status(404).send('Not found');
+    next();
+  };
+  app.use(['/admin/update/apply', '/admin/update/cancel', '/admin/update/acknowledge', '/admin/update/log'], tierGate);
+
+  app.post('/admin/update/apply', wrapAsync(async (req: any, res: any) => {
+    if (!requireAdmin(req, res)) return;
+
+    const state = await loadState(stateFilePath());
+    if (!state.latest) return res.status(409).json({error: 'no-known-latest'});
+
+    // Defence in depth: VersionChecker validates tag_name before persisting,
+    // but a hand-edited update-state.json could still surface an unsafe tag
+    // here. Reject up-front rather than throw later when the executor calls
+    // assertValidTag, so the admin sees a clear 409 instead of a 500.
+    if (!isValidTag(state.latest.tag)) {
+      return res.status(409).json({error: 'invalid-tag-in-state'});
+    }
+
+    // Allowed entry statuses: idle / verified / preflight-failed / rolled-back.
+    // Anything else means an in-flight or terminal-needs-acknowledge state.
+    const allowedEntry = ['idle', 'verified', 'preflight-failed', 'rolled-back'];
+    if (!allowedEntry.includes(state.execution.status)) {
+      return res.status(409).json({error: `execution-busy:${state.execution.status}`});
+    }
+
+    const installMethod = getDetectedInstallMethod();
+    const policy = evaluatePolicy({
+      installMethod,
+      tier: settings.updates.tier,
+      current: getEpVersion(),
+      latest: state.latest.version,
+      executionStatus: state.execution.status,
+    });
+    if (!policy.canManual) {
+      return res.status(409).json({error: 'policy-denied', reason: policy.reason});
+    }
+
+    if (!await acquireLock(lockPath())) {
+      return res.status(409).json({error: 'lock-held'});
+    }
+
+    const targetTag = state.latest.tag;
+    let cleanupLock = true;
+
+    try {
+      // Persist preflight state.
+      const startedAt = new Date().toISOString();
+      const preState: UpdateState = {
+        ...state,
+        execution: {status: 'preflight', targetTag, startedAt},
+      };
+      await saveState(stateFilePath(), preState);
+      appendLine(logPath(), `[${startedAt}] PREFLIGHT target=${targetTag}`);
+
+      const baseDeps = buildPreflightDeps(installMethod);
+      const pf = await runPreflight(
+        {
+          targetTag,
+          diskSpaceMinMB: Number(settings.updates.diskSpaceMinMB) || 500,
+          requireSignature: settings.updates.requireSignature,
+          trustedKeysPath: settings.updates.trustedKeysPath,
+        },
+        {
+          ...baseDeps,
+          verifyTag: () => verifyReleaseTag({
+            tag: targetTag,
+            repoDir: settings.root,
+            requireSignature: settings.updates.requireSignature,
+            trustedKeysPath: settings.updates.trustedKeysPath,
+          }),
+        },
+      );
+
+      if (!pf.ok) {
+        const at = new Date().toISOString();
+        await saveState(stateFilePath(), {
+          ...preState,
+          execution: {status: 'preflight-failed', targetTag, reason: pf.reason, at},
+          lastResult: {
+            targetTag, fromSha: '',
+            outcome: 'preflight-failed', reason: pf.reason, at,
+          },
+        });
+        appendLine(logPath(), `[${at}] PREFLIGHT_FAILED ${pf.reason}`);
+        cleanupLock = true;
+        return res.status(409).json({error: 'preflight-failed', reason: pf.reason});
+      }
+
+      // Re-check state after preflight: /admin/update/cancel may have flipped
+      // execution back to 'idle' while we were running the slow checks. The
+      // cancel handler intentionally leaves the lock alone (we own it) and
+      // signals via state instead, so a stale apply can detect cancellation
+      // here before mutating the filesystem.
+      const afterPreflight = await loadState(stateFilePath());
+      if (afterPreflight.execution.status !== 'preflight'
+          || (afterPreflight.execution as {targetTag?: string}).targetTag !== targetTag) {
+        appendLine(logPath(),
+          `[${new Date().toISOString()}] APPLY aborted post-preflight (state=${afterPreflight.execution.status})`);
+        return res.status(409).json({error: 'cancelled-during-preflight'});
+      }
+
+      // Drain — respond 202 first so the UI starts polling /log without waiting.
+      const drainSeconds = Number(settings.updates.drainSeconds) || 60;
+      drainer = createDrainer({
+        drainSeconds,
+        broadcast: (key, values) => broadcastShout(key, values),
+      });
+      const drainEndsAt = new Date(Date.now() + drainSeconds * 1000).toISOString();
+      await saveState(stateFilePath(), {
+        ...preState,
+        execution: {status: 'draining', targetTag, drainEndsAt, startedAt: new Date().toISOString()},
+      });
+      appendLine(logPath(), `[${new Date().toISOString()}] DRAIN start drainSeconds=${drainSeconds}`);
+
+      res.status(202).json({accepted: true, drainEndsAt});
+
+      const drainResult = await drainer.start();
+      drainer = null;
+      if (drainResult.outcome === 'cancelled') {
+        // /admin/update/cancel already updated state and lastResult; just release the lock.
+        appendLine(logPath(), `[${new Date().toISOString()}] DRAIN cancelled by admin`);
+        return;
+      }
+
+      // Re-load state right before the executor runs so anything the cancel
+      // endpoint or another concurrent handler wrote is honoured.
+      const fresh = await loadState(stateFilePath());
+
+      const r = await executeUpdate({
+        repoDir: settings.root,
+        backupDir: backupDir(),
+        spawnFn: spawn as unknown as SpawnFn,
+        readSha: () => new Promise<string>((resolve, reject) => {
+          const c = spawn('git', ['rev-parse', 'HEAD'],
+                          {cwd: settings.root, stdio: ['ignore', 'pipe', 'ignore']});
+          let out = '';
+          c.stdout.on('data', (b) => { out += b.toString(); });
+          c.on('close', (code) => code === 0
+            ? resolve(out.trim())
+            : reject(new Error(`git rev-parse exit ${code}`)));
+          c.on('error', reject);
+        }),
+        copyFile: async (src: string, dst: string) => {
+          await fs.mkdir(path.dirname(dst), {recursive: true});
+          await fs.copyFile(src, dst);
+        },
+        saveState: (s: UpdateState) => saveState(stateFilePath(), s),
+        initialState: fresh,
+        targetTag,
+        now: () => new Date(),
+        // executeUpdate calls exit on success (75) — that takes the process down,
+        // so anything after this is the failure path.
+        exit: (code: number) => process.exit(code),
+      });
+
+      // Failure paths: executor returned without exiting, state is rolling-back.
+      if (r.outcome !== 'pending-verification') {
+        const after = await loadState(stateFilePath());
+        if (after.execution.status === 'rolling-back') {
+          // performRollback will exit 75 on either success or terminal failure.
+          // We do not release the lock — exit takes the process down and the
+          // next-boot acquireLock reaps the stale PID.
+          cleanupLock = false;
+          await performRollback(after, getRollbackDeps());
+        }
+      }
+    } catch (err) {
+      logger.error(`apply failed: ${(err as Error).stack || err}`);
+      appendLine(logPath(), `[${new Date().toISOString()}] APPLY_ERROR ${(err as Error).message}`);
+      if (!res.headersSent) res.status(500).json({error: 'internal'});
+    } finally {
+      if (cleanupLock) {
+        try { await releaseLock(lockPath()); }
+        catch (err) { logger.warn(`releaseLock: ${(err as Error).message}`); }
+      }
+    }
+  }));
+
+  app.post('/admin/update/cancel', wrapAsync(async (req: any, res: any) => {
+    if (!requireAdmin(req, res)) return;
+    const state = await loadState(stateFilePath());
+    // Cancel is allowed only during pre-execute states. Once executing begins
+    // (filesystem mutated) we either complete or rollback — see spec section
+    // "Error handling" / state machine.
+    if (state.execution.status !== 'preflight' && state.execution.status !== 'draining') {
+      return res.status(409).json({error: 'not-cancellable', status: state.execution.status});
+    }
+    if (drainer) drainer.cancel();
+    const at = new Date().toISOString();
+    await saveState(stateFilePath(), {
+      ...state,
+      execution: {status: 'idle'},
+      lastResult: {
+        targetTag: (state.execution as {targetTag?: string}).targetTag ?? '',
+        fromSha: '',
+        outcome: 'cancelled',
+        reason: 'admin-cancelled',
+        at,
+      },
+    });
+    // Intentionally do NOT release the lock here. The apply handler owns the
+    // lock for its lifetime and releases it in its finally block; releasing
+    // here would let a second apply slip in while the first is still mid-
+    // preflight, racing for the same on-disk state.
+    appendLine(logPath(), `[${at}] CANCEL by admin during status=${state.execution.status}`);
+    res.json({cancelled: true});
+  }));
+
+  app.post('/admin/update/acknowledge', wrapAsync(async (req: any, res: any) => {
+    if (!requireAdmin(req, res)) return;
+    const state = await loadState(stateFilePath());
+    const terminal: ReadonlySet<string> = new Set(['rollback-failed', 'preflight-failed', 'rolled-back']);
+    if (!terminal.has(state.execution.status)) {
+      return res.status(409).json({error: 'not-terminal', status: state.execution.status});
+    }
+    await saveState(stateFilePath(), {...state, execution: {status: 'idle'}, bootCount: 0});
+    appendLine(logPath(), `[${new Date().toISOString()}] ACKNOWLEDGE ${state.execution.status} -> idle`);
+    res.json({acknowledged: true});
+  }));
+
+  app.get('/admin/update/log', wrapAsync(async (req: any, res: any) => {
+    if (!requireAdmin(req, res)) return;
+    const lines = await tailLines(logPath(), 200);
+    res.set('Content-Type', 'text/plain; charset=utf-8');
+    res.send(lines.join('\n'));
+  }));
+
+  cb();
+};
diff --git a/src/node/hooks/express/updateStatus.ts b/src/node/hooks/express/updateStatus.ts
index db30cf52c1d..69d63d889f3 100644
--- a/src/node/hooks/express/updateStatus.ts
+++ b/src/node/hooks/express/updateStatus.ts
@@ -1,11 +1,13 @@
 'use strict';
 
+import path from 'node:path';
 import {ArgsExpressType} from '../../types/ArgsExpressType';
 import settings, {getEpVersion} from '../../utils/Settings';
 import {getDetectedInstallMethod, stateFilePath} from '../../updater';
 import {evaluatePolicy} from '../../updater/UpdatePolicy';
 import {compareSemver, isMajorBehind, isVulnerable} from '../../updater/versionCompare';
 import {loadState} from '../../updater/state';
+import {isHeld} from '../../updater/lock';
 
 
 let badgeCache: {value: 'severe' | 'vulnerable' | null; at: number} = {value: null, at: 0};
@@ -37,6 +39,23 @@ const wrapAsync = (fn: (req: any, res: any, next: Function) => Promise<unknown>)
     Promise.resolve(fn(req, res, next)).catch((err) => next(err));
   };
 
+/**
+ * Strip diagnostic strings (reason, fromSha, targetTag, build/install paths)
+ * from execution before exposing to unauthenticated callers. Status enum is
+ * preserved so the admin banner / pad-side badge can still render the right UI.
+ */
+const sanitizeExecution = (e: any): any => {
+  if (!e || typeof e !== 'object' || typeof e.status !== 'string') return {status: 'idle'};
+  return {status: e.status};
+};
+
+const sanitizeLastResult = (r: any): any => {
+  if (r === null) return null;
+  if (!r || typeof r !== 'object' || typeof r.outcome !== 'string') return null;
+  // outcome enum + at timestamp are non-sensitive. reason / fromSha / targetTag are dropped.
+  return {outcome: r.outcome, at: typeof r.at === 'string' ? r.at : null};
+};
+
 export const expressCreateServer = (
   _hookName: string,
   {app}: ArgsExpressType,
@@ -68,6 +87,7 @@ export const expressCreateServer = (
   // release. Admins who want the endpoint gated to authenticated admin sessions —
   // without disabling the updater entirely — set updates.requireAdminForStatus=true.
   app.get('/admin/update/status', wrapAsync(async (req, res) => {
+    const isAdmin = !!req.session?.user?.is_admin;
     if (settings.updates.requireAdminForStatus) {
       const user = req.session?.user;
       if (!user) return res.status(401).send('Authentication required');
@@ -77,8 +97,29 @@ export const expressCreateServer = (
     const current = getEpVersion();
     const installMethod = getDetectedInstallMethod();
     const policy = state.latest
-      ? evaluatePolicy({installMethod, tier: settings.updates.tier, current, latest: state.latest.version})
+      ? evaluatePolicy({
+          installMethod,
+          tier: settings.updates.tier,
+          current,
+          latest: state.latest.version,
+          executionStatus: state.execution.status,
+        })
       : null;
+    const lockHeld = await isHeld(path.join(settings.root, 'var', 'update.lock'));
+
+    // The Tier 2 fields (execution, lastResult) carry diagnostic strings
+    // built from git/pnpm stderr — environment-specific paths, error
+    // messages, etc. Endpoint defaults to unauthenticated; only authed
+    // admin sessions see the full diagnostic payload. Everyone else sees
+    // just the status enum + outcome enum so the pad-side / public banners
+    // can still render correctly without leaking operational detail.
+    const execution = isAdmin
+      ? state.execution
+      : sanitizeExecution(state.execution);
+    const lastResult = isAdmin
+      ? state.lastResult
+      : sanitizeLastResult(state.lastResult);
+
     res.json({
       currentVersion: current,
       latest: state.latest,
@@ -87,6 +128,10 @@ export const expressCreateServer = (
       tier: settings.updates.tier,
       policy,
       vulnerableBelow: state.vulnerableBelow,
+      // PR 2 additions:
+      execution,
+      lastResult,
+      lockHeld,
     });
   }));
 
diff --git a/src/node/server.ts b/src/node/server.ts
index 2e06cf6f26a..bef6af07017 100755
--- a/src/node/server.ts
+++ b/src/node/server.ts
@@ -177,6 +177,17 @@ exports.start = async () => {
   // @ts-ignore
   startDoneGate.resolve();
 
+  // Once the server is RUNNING, /health responds 200 — that is the implicit
+  // health signal the updater's pending-verification timer is waiting for.
+  // Wrapped in try/catch because it must never block startup on a bug here.
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    const updater = require('./updater');
+    if (typeof updater.markBootHealthy === 'function') updater.markBootHealthy();
+  } catch (err) {
+    logger.debug(`markBootHealthy: ${(err as Error).message}`);
+  }
+
   // Return the HTTP server to make it easier to write tests.
   return express.server;
 };
diff --git a/src/node/updater/RollbackHandler.ts b/src/node/updater/RollbackHandler.ts
new file mode 100644
index 00000000000..e90e8b7fd15
--- /dev/null
+++ b/src/node/updater/RollbackHandler.ts
@@ -0,0 +1,246 @@
+import path from 'node:path';
+import log4js from 'log4js';
+import {UpdateState} from './types';
+import type {SpawnFn} from './UpdateExecutor';
+import {appendLine} from './updateLog';
+
+const logger = log4js.getLogger('updater');
+
+export interface RollbackDeps {
+  /** Path of the on-disk Etherpad install (the git working tree). */
+  repoDir: string;
+  /** Where pnpm-lock.yaml was backed up by the executor. */
+  backupDir: string;
+  spawnFn: SpawnFn;
+  copyFile: (src: string, dst: string) => Promise<void>;
+  saveState: (s: UpdateState) => Promise<void>;
+  exit: (code: number) => void;
+  now: () => Date;
+  /** Health-check window after a fresh boot. Default 60s; set via updates.rollbackHealthCheckSeconds. */
+  rollbackHealthCheckSeconds: number;
+}
+
+const runStep = (
+  spawnFn: SpawnFn,
+  cwd: string,
+  logPath: string,
+  cmd: string,
+  args: string[],
+): Promise<number | null> => new Promise((resolve) => {
+  let settled = false;
+  const settle = (c: number | null) => {
+    if (settled) return;
+    settled = true;
+    resolve(c);
+  };
+  const child = spawnFn(cmd, args, {cwd, stdio: ['ignore', 'pipe', 'pipe']});
+  const tag = `${cmd} ${args.join(' ')}`;
+  child.stdout.on('data', (b: Buffer) => {
+    const t = b.toString().trimEnd();
+    logger.info(`[rollback ${tag}] ${t}`);
+    appendLine(logPath, `[${new Date().toISOString()}] rollback ${tag} | ${t}`);
+  });
+  child.stderr.on('data', (b: Buffer) => {
+    const t = b.toString().trimEnd();
+    logger.warn(`[rollback ${tag}] ${t}`);
+    appendLine(logPath, `[${new Date().toISOString()}] rollback ${tag} ERR | ${t}`);
+  });
+  // Spawn failures (binary missing, permissions) — without this listener the
+  // promise hangs forever and the rollback path never lands on terminal state.
+  child.on('error', (err: Error) => {
+    logger.error(`[rollback ${tag}] spawn error: ${err.message}`);
+    appendLine(logPath, `[${new Date().toISOString()}] rollback ${tag} SPAWN_ERR | ${err.message}`);
+    settle(1);
+  });
+  child.on('close', (c) => settle(c));
+});
+
+/**
+ * Restore the previous SHA + lockfile and exit 75 so the supervisor restarts.
+ *
+ * Lands on `rolled-back` on success, `rollback-failed` on any sub-step error.
+ * Both paths exit 75 — the supervisor restart is what brings the rolled-back
+ * (or terminal) state up where the admin UI can surface it. Rollback-failed
+ * disables auto/autonomous tiers globally (see UpdatePolicy) until an admin
+ * POSTs /admin/update/acknowledge.
+ */
+export const performRollback = async (state: UpdateState, deps: RollbackDeps): Promise<void> => {
+  const exec = state.execution;
+  if (exec.status !== 'rolling-back' && exec.status !== 'pending-verification') {
+    throw new Error(`performRollback called from unexpected status: ${exec.status}`);
+  }
+  const fromSha = (exec as {fromSha: string}).fromSha;
+  const targetTag = (exec as {targetTag: string}).targetTag;
+  const reason = exec.status === 'rolling-back'
+    ? exec.reason
+    : 'health-check-failed-or-crash-loop';
+  const logPath = path.join(deps.repoDir, 'var', 'log', 'update.log');
+
+  const failTerminal = async (subReason: string): Promise<void> => {
+    const at = deps.now().toISOString();
+    await deps.saveState({
+      ...state,
+      execution: {
+        status: 'rollback-failed',
+        reason: `${reason}; rollback also failed: ${subReason}`,
+        targetTag,
+        fromSha,
+        at,
+      },
+      lastResult: {
+        targetTag,
+        fromSha,
+        outcome: 'rollback-failed',
+        reason: `${reason}; rollback failed: ${subReason}`,
+        at,
+      },
+      bootCount: 0,
+    });
+    logger.error(
+      `rollback FAILED: ${subReason}; manual intervention required ` +
+      '(POST /admin/update/acknowledge after fixing)',
+    );
+    appendLine(logPath, `[${at}] ROLLBACK_FAILED ${subReason}`);
+    deps.exit(75);
+  };
+
+  // Force-checkout first so any partial mutation from the failed executor run
+  // (rewritten lockfile, half-installed modules) is discarded. -f overwrites
+  // tracked files from the target tree's index — without it, `git checkout`
+  // refuses when there are unstaged modifications to files it would replace.
+  const checkoutCode = await runStep(
+    deps.spawnFn, deps.repoDir, logPath, 'git', ['checkout', '-f', fromSha]);
+  if (checkoutCode !== 0) return failTerminal(`git checkout -f ${fromSha} exit ${checkoutCode}`);
+
+  // Now overlay the backed-up lockfile on top. Belt-and-braces: a force
+  // checkout already restored the lockfile to the target SHA's version; the
+  // backup wins on the rare case where the running install had a hand-edited
+  // lockfile we want to preserve.
+  try {
+    await deps.copyFile(
+      path.join(deps.backupDir, 'pnpm-lock.yaml'),
+      path.join(deps.repoDir, 'pnpm-lock.yaml'),
+    );
+  } catch (err: any) {
+    // ENOENT on the backup is acceptable — the force checkout already
+    // restored the right lockfile from the index.
+    if (err?.code !== 'ENOENT') {
+      return failTerminal(`copy lockfile: ${(err as Error).message}`);
+    }
+  }
+
+  const installCode = await runStep(deps.spawnFn, deps.repoDir, logPath, 'pnpm', ['install', '--frozen-lockfile']);
+  if (installCode !== 0) return failTerminal(`pnpm install exit ${installCode}`);
+
+  const at = deps.now().toISOString();
+  await deps.saveState({
+    ...state,
+    execution: {status: 'rolled-back', reason, targetTag, restoredSha: fromSha, at},
+    lastResult: {targetTag, fromSha, outcome: 'rolled-back', reason, at},
+    bootCount: 0,
+  });
+  logger.warn(`rolled back to ${fromSha} (reason: ${reason})`);
+  appendLine(logPath, `[${at}] ROLLED_BACK to ${fromSha}; reason=${reason}; exiting 75`);
+  deps.exit(75);
+};
+
+export interface CheckResult {
+  /** True if a health-check timer was armed and is awaiting markVerified or expiry. */
+  armed: boolean;
+  /** Cancels the timer and transitions to `verified`. No-op when armed is false. */
+  markVerified: () => void;
+}
+
+/**
+ * Inspect the persisted execution state at boot and react:
+ *  - idle / verified / etc.: no-op.
+ *  - pending-verification with bootCount > 2: force rollback (crash-loop guard).
+ *  - pending-verification otherwise: increment bootCount, persist, arm a timer.
+ */
+export const checkPendingVerification = (state: UpdateState, deps: RollbackDeps): CheckResult => {
+  const exec = state.execution;
+  if (exec.status !== 'pending-verification') return {armed: false, markVerified: () => {}};
+
+  // Fire-and-forget helpers that swallow rejections cleanly. We intentionally
+  // don't propagate — the boot sequence must proceed even if the rollback
+  // path can't write its terminal state. Worst case: the supervisor restart
+  // brings the same boot back up and the bootCount-based crash-loop guard
+  // catches it on the next attempt.
+  const fireRollback = (s: UpdateState) => {
+    void performRollback(s, deps).catch((err) => {
+      logger.error(`performRollback unhandled rejection: ${(err as Error).message}`);
+      // Best-effort: try to land on rollback-failed terminal state and exit
+      // 75 anyway. If saveState also rejects, log and exit so the supervisor
+      // restart at least re-runs checkPendingVerification with bootCount++.
+      const fb = {
+        ...s,
+        execution: {
+          status: 'rollback-failed' as const,
+          reason: `unhandled rollback rejection: ${(err as Error).message}`,
+          targetTag: (s.execution as {targetTag?: string}).targetTag ?? '',
+          fromSha: (s.execution as {fromSha?: string}).fromSha ?? '',
+          at: deps.now().toISOString(),
+        },
+        bootCount: 0,
+      };
+      void deps.saveState(fb).catch((saveErr) => {
+        logger.error(`fallback saveState rejected: ${(saveErr as Error).message}`);
+      }).finally(() => deps.exit(75));
+    });
+  };
+
+  const fireSaveState = (s: UpdateState, ctx: string) => {
+    void deps.saveState(s).catch((err) => {
+      logger.warn(`saveState (${ctx}) rejected: ${(err as Error).message}`);
+    });
+  };
+
+  if (state.bootCount > 2) {
+    // Don't await — fire and forget so the boot sequence proceeds; the rollback
+    // path will exit 75 asynchronously and the supervisor restarts on the
+    // restored SHA. Rejections caught + best-effort terminal-state write.
+    fireRollback(state);
+    return {armed: false, markVerified: () => {}};
+  }
+
+  const incremented: UpdateState = {...state, bootCount: state.bootCount + 1};
+  fireSaveState(incremented, 'bootCount-increment');
+
+  let cleared = false;
+  const timer = setTimeout(() => {
+    if (cleared) return;
+    fireRollback({
+      ...incremented,
+      execution: {
+        status: 'rolling-back',
+        reason: 'health-check-timeout',
+        targetTag: exec.targetTag,
+        fromSha: exec.fromSha,
+        at: deps.now().toISOString(),
+      },
+    });
+  }, deps.rollbackHealthCheckSeconds * 1000);
+
+  return {
+    armed: true,
+    markVerified: () => {
+      if (cleared) return;
+      cleared = true;
+      clearTimeout(timer);
+      const at = deps.now().toISOString();
+      fireSaveState({
+        ...incremented,
+        execution: {status: 'verified', targetTag: exec.targetTag, verifiedAt: at},
+        lastResult: {
+          targetTag: exec.targetTag,
+          fromSha: exec.fromSha,
+          outcome: 'verified',
+          reason: null,
+          at,
+        },
+        bootCount: 0,
+      }, 'mark-verified');
+      logger.info(`update verified after restart: ${exec.fromSha} -> ${exec.targetTag}`);
+    },
+  };
+};
diff --git a/src/node/updater/SessionDrainer.ts b/src/node/updater/SessionDrainer.ts
new file mode 100644
index 00000000000..d9df727b2c5
--- /dev/null
+++ b/src/node/updater/SessionDrainer.ts
@@ -0,0 +1,91 @@
+/**
+ * Coordinates the pre-restart drain: refuses new pad connections, broadcasts
+ * "system message" announcements at T-60 / T-30 / T-10, and resolves at T=0
+ * so the executor can take over.
+ *
+ * Per docs/superpowers/specs/2026-04-25-auto-update-design.md (section
+ * "Active sessions"). 60s default; configurable via `updates.drainSeconds`.
+ */
+
+let acceptingConnections = true;
+
+export const isAcceptingConnections = (): boolean => acceptingConnections;
+
+/** Test-only: reset the module-level flag between tests. */
+export const _resetForTests = (): void => { acceptingConnections = true; };
+
+export type DrainBroadcastKey =
+  | 'update.drain.t60'
+  | 'update.drain.t30'
+  | 'update.drain.t10';
+
+export interface DrainerOpts {
+  drainSeconds: number;
+  /** Called for every announcement; values carries timing data the i18n string can interpolate. */
+  broadcast: (i18nKey: DrainBroadcastKey, values: Record<string, unknown>) => void;
+}
+
+export interface Drainer {
+  start: () => Promise<{outcome: 'completed' | 'cancelled'}>;
+  cancel: () => void;
+}
+
+export const createDrainer = ({drainSeconds, broadcast}: DrainerOpts): Drainer => {
+  const timers: NodeJS.Timeout[] = [];
+  let resolveDone: ((r: {outcome: 'completed' | 'cancelled'}) => void) | null = null;
+  let cancelled = false;
+  let started = false;
+
+  const fire = (key: DrainBroadcastKey, secondsRemaining: number) => {
+    if (cancelled) return;
+    broadcast(key, {seconds: secondsRemaining});
+  };
+
+  const start = (): Promise<{outcome: 'completed' | 'cancelled'}> => {
+    if (started) return Promise.reject(new Error('drainer already started'));
+    started = true;
+    acceptingConnections = false;
+    return new Promise((resolve) => {
+      resolveDone = resolve;
+      const ms = drainSeconds * 1000;
+      // The opening announcement reports the actual drain length rather than a
+      // hardcoded 60, so a configured drainSeconds of e.g. 30 says "30 seconds".
+      // i18n key is still update.drain.t60 — that's the "start of drain" key in
+      // the locale file; the {{seconds}} placeholder carries the real value.
+      fire('update.drain.t60', drainSeconds);
+      // Only schedule T-30 / T-10 when the configured window can actually
+      // honour them. Firing a "30 seconds" message at zero remaining (because
+      // ms - 30_000 < 0) is misleading; admins picking a short drainSeconds
+      // get fewer announcements but each carries an accurate countdown.
+      if (drainSeconds > 30) {
+        timers.push(setTimeout(() => fire('update.drain.t30', 30), ms - 30_000));
+      }
+      if (drainSeconds > 10) {
+        timers.push(setTimeout(() => fire('update.drain.t10', 10), ms - 10_000));
+      }
+      timers.push(setTimeout(() => {
+        if (cancelled) return;
+        // Restore the gate as soon as the drain window closes. The executor
+        // takes over from here and the supervisor restart wipes module state
+        // anyway; if the executor throws and the process keeps running, we
+        // want join handshakes to recover rather than stay wedged.
+        // The lock + state.execution.status guarantee no fresh apply can race.
+        acceptingConnections = true;
+        resolveDone?.({outcome: 'completed'});
+        resolveDone = null;
+      }, ms));
+    });
+  };
+
+  const cancel = (): void => {
+    if (cancelled) return;
+    cancelled = true;
+    for (const t of timers) clearTimeout(t);
+    timers.length = 0;
+    acceptingConnections = true;
+    resolveDone?.({outcome: 'cancelled'});
+    resolveDone = null;
+  };
+
+  return {start, cancel};
+};
diff --git a/src/node/updater/UpdateExecutor.ts b/src/node/updater/UpdateExecutor.ts
new file mode 100644
index 00000000000..07881065e46
--- /dev/null
+++ b/src/node/updater/UpdateExecutor.ts
@@ -0,0 +1,219 @@
+import path from 'node:path';
+import log4js from 'log4js';
+import {SpawnOptions} from 'node:child_process';
+import {UpdateState} from './types';
+import {appendLine} from './updateLog';
+import {assertValidTag, refsTagsForm} from './refSafety';
+
+const logger = log4js.getLogger('updater');
+
+export interface SpawnedChild {
+  stdout: {on: (event: 'data', cb: (chunk: Buffer) => void) => void};
+  stderr: {on: (event: 'data', cb: (chunk: Buffer) => void) => void};
+  on: {
+    (event: 'close', cb: (code: number | null) => void): void;
+    (event: 'error', cb: (err: Error) => void): void;
+  };
+}
+
+export type SpawnFn = (cmd: string, args: string[], opts: SpawnOptions) => SpawnedChild;
+
+export interface ExecutorDeps {
+  /** Path of the on-disk Etherpad install (the git working tree). */
+  repoDir: string;
+  /** Where pnpm-lock.yaml + sha info gets backed up. */
+  backupDir: string;
+  /** Injected child_process.spawn so tests can drive the pipeline deterministically. */
+  spawnFn: SpawnFn;
+  /** Returns the current HEAD SHA. Production callers wrap `git rev-parse HEAD`. */
+  readSha: () => Promise<string>;
+  /** Plain file copy. Production callers use fs.copyFile (with mkdir-p of parent). */
+  copyFile: (src: string, dst: string) => Promise<void>;
+  /** Persist the in-flight UpdateState. Production callers use saveState(stateFilePath()). */
+  saveState: (s: UpdateState) => Promise<void>;
+  /** State as it was when Apply was clicked — preserves Tier 1 fields (latest, email, etc.). */
+  initialState: UpdateState;
+  /** Tag to update to. */
+  targetTag: string;
+  /** Clock injection for deterministic timestamps in tests. */
+  now: () => Date;
+  /** process.exit injection so tests can assert exit code without actually exiting. */
+  exit: (code: number) => void;
+}
+
+export type ExecutorResult =
+  | {outcome: 'pending-verification'}
+  | {outcome: 'failed-install'; reason: string}
+  | {outcome: 'failed-build'; reason: string}
+  | {outcome: 'failed-checkout'; reason: string};
+
+const runStep = (
+  spawnFn: SpawnFn,
+  repoDir: string,
+  logPath: string,
+  cmd: string,
+  args: string[],
+): Promise<{code: number | null; stderr: string}> => new Promise((resolve) => {
+  let stderr = '';
+  let settled = false;
+  const settle = (v: {code: number | null; stderr: string}) => {
+    if (settled) return;
+    settled = true;
+    resolve(v);
+  };
+  const child = spawnFn(cmd, args, {cwd: repoDir, stdio: ['ignore', 'pipe', 'pipe']});
+  const tag = `${cmd} ${args.join(' ')}`;
+  child.stdout.on('data', (chunk: Buffer) => {
+    const txt = chunk.toString().trimEnd();
+    logger.info(`[${tag}] ${txt}`);
+    appendLine(logPath, `[${new Date().toISOString()}] ${tag} | ${txt}`);
+  });
+  child.stderr.on('data', (chunk: Buffer) => {
+    const txt = chunk.toString();
+    stderr += txt;
+    const trimmed = txt.trimEnd();
+    logger.warn(`[${tag}] ${trimmed}`);
+    appendLine(logPath, `[${new Date().toISOString()}] ${tag} ERR | ${trimmed}`);
+  });
+  // Spawn failures (binary missing, permissions) emit 'error' and never close.
+  // Without this listener the promise hangs forever and leaves state in-flight.
+  // Treat as exit code 1 with the error message in stderr so the caller's
+  // failure-detection branch fires normally.
+  child.on('error', (err: Error) => {
+    logger.error(`[${tag}] spawn error: ${err.message}`);
+    appendLine(logPath, `[${new Date().toISOString()}] ${tag} SPAWN_ERR | ${err.message}`);
+    settle({code: 1, stderr: stderr + err.message});
+  });
+  child.on('close', (code) => settle({code, stderr}));
+});
+
+/**
+ * Run the update pipeline. Each transition writes state before/after so a hard
+ * kill mid-step lands the next boot in a known state for RollbackHandler.
+ *
+ * On install/build/checkout failure the executor transitions to `rolling-back`,
+ * persists, and returns. The route layer then runs RollbackHandler.performRollback.
+ * The executor does NOT call `exit` on failure paths — the rollback path owns
+ * that exit so we don't double-exit and lose log lines.
+ *
+ * On a thrown exception (e.g., copyFile EACCES, saveState ENOSPC) the executor
+ * also transitions to rolling-back with `failed-checkout` so the route's post-
+ * executor rollback path picks it up. The state must never get stuck at
+ * `executing` — if it does, no further updates can start until an admin
+ * acknowledges.
+ */
+export const executeUpdate = async (deps: ExecutorDeps): Promise<ExecutorResult> => {
+  const logPath = path.join(deps.repoDir, 'var', 'log', 'update.log');
+  let fromSha = '';
+
+  // Wrap the whole body so any throw — readSha, saveState, copyFile, even an
+  // unexpected synchronous error in a step — lands us at rolling-back rather
+  // than leaving execution stuck at 'executing' forever.
+  try {
+    // Reject unsafe release-tag strings (option injection guard).
+    // Tag is sourced from GitHub's tag_name and persisted into update-state.json;
+    // a tag starting with '-' would otherwise be parsed by git as an option flag.
+    const safeTag = assertValidTag(deps.targetTag);
+    fromSha = await deps.readSha();
+
+    let s: UpdateState = {
+      ...deps.initialState,
+      execution: {
+        status: 'executing',
+        targetTag: deps.targetTag,
+        fromSha,
+        startedAt: deps.now().toISOString(),
+      },
+      bootCount: 0,
+    };
+    await deps.saveState(s);
+
+    // Snapshot lockfile (SHA already captured above; the rollback handler reads
+    // execution.fromSha rather than a separate file so a successful rollback
+    // doesn't depend on /var staying writable past this point).
+    await deps.copyFile(
+      path.join(deps.repoDir, 'pnpm-lock.yaml'),
+      path.join(deps.backupDir, 'pnpm-lock.yaml'),
+    );
+
+    const fail = async (
+      outcome: 'failed-install' | 'failed-build' | 'failed-checkout',
+      reason: string,
+    ): Promise<ExecutorResult> => {
+      s = {
+        ...s,
+        execution: {
+          status: 'rolling-back',
+          reason,
+          targetTag: deps.targetTag,
+          fromSha,
+          at: deps.now().toISOString(),
+        },
+      };
+      await deps.saveState(s);
+      logger.error(`update step failed (${outcome}): ${reason}`);
+      appendLine(logPath, `[${deps.now().toISOString()}] FAIL ${outcome}: ${reason}`);
+      return {outcome, reason};
+    };
+
+    let r = await runStep(deps.spawnFn, deps.repoDir, logPath, 'git', ['fetch', '--tags', 'origin']);
+    if (r.code !== 0) return fail('failed-checkout', `git fetch exit ${r.code}: ${r.stderr.trim()}`);
+
+    // Use the refs/tags/<tag> form so even an unforeseen edge-case in the tag
+    // string can't be parsed as a git option. assertValidTag above already
+    // rules out leading '-' / whitespace / shell metacharacters.
+    r = await runStep(
+      deps.spawnFn, deps.repoDir, logPath, 'git', ['checkout', refsTagsForm(safeTag)]);
+    if (r.code !== 0) return fail('failed-checkout', `git checkout exit ${r.code}: ${r.stderr.trim()}`);
+
+    r = await runStep(deps.spawnFn, deps.repoDir, logPath, 'pnpm', ['install', '--frozen-lockfile']);
+    if (r.code !== 0) return fail('failed-install', `pnpm install exit ${r.code}: ${r.stderr.trim()}`);
+
+    r = await runStep(deps.spawnFn, deps.repoDir, logPath, 'pnpm', ['run', 'build:ui']);
+    if (r.code !== 0) return fail('failed-build', `pnpm run build:ui exit ${r.code}: ${r.stderr.trim()}`);
+
+    // pending-verification: the next boot's RollbackHandler arms the health-check timer.
+    s = {
+      ...s,
+      execution: {
+        status: 'pending-verification',
+        targetTag: deps.targetTag,
+        fromSha,
+        // Real deadline is computed at next boot using rollbackHealthCheckSeconds.
+        // We persist a placeholder here purely so the field is present.
+        deadlineAt: deps.now().toISOString(),
+      },
+      bootCount: 0,
+    };
+    await deps.saveState(s);
+    logger.info(`update executed: ${fromSha} -> ${deps.targetTag}; exiting 75 for supervisor restart`);
+    void appendLine(logPath, `[${deps.now().toISOString()}] OK pending-verification ${fromSha} -> ${deps.targetTag}; exiting 75`);
+    deps.exit(75);
+    return {outcome: 'pending-verification'};
+  } catch (err) {
+    // Unexpected throw — fs ENOSPC, EACCES on the backup dir, network blip
+    // surfaced through readSha, etc. Persist rolling-back so the route's
+    // post-executor rollback path runs and the state never wedges at 'executing'.
+    const reason = `executor exception: ${(err as Error).message}`;
+    logger.error(reason);
+    void appendLine(logPath, `[${deps.now().toISOString()}] EXECUTOR_THROW ${reason}`);
+    try {
+      await deps.saveState({
+        ...deps.initialState,
+        execution: {
+          status: 'rolling-back',
+          reason,
+          targetTag: deps.targetTag,
+          fromSha,
+          at: deps.now().toISOString(),
+        },
+        bootCount: 0,
+      });
+    } catch (saveErr) {
+      // Even saveState threw. Best-effort log, rethrow original — the route's
+      // catch will surface it. State on disk is whatever last successfully wrote.
+      logger.error(`could not persist rolling-back: ${(saveErr as Error).message}`);
+    }
+    return {outcome: 'failed-checkout', reason};
+  }
+};
diff --git a/src/node/updater/UpdatePolicy.ts b/src/node/updater/UpdatePolicy.ts
index ed00229da8e..c9ace999690 100644
--- a/src/node/updater/UpdatePolicy.ts
+++ b/src/node/updater/UpdatePolicy.ts
@@ -10,14 +10,27 @@ export interface PolicyInput {
   tier: Tier;
   current: string;
   latest: string;
+  /**
+   * Optional execution-status hint. Only `rollback-failed` materially changes
+   * policy: while it's set, canAuto / canAutonomous are denied (an admin must
+   * acknowledge first). canManual stays on because clicking Apply *is* the
+   * intervention the terminal state requires.
+   */
+  executionStatus?: string;
 }
 
 /**
- * Decide which update tiers are allowed under the given (installMethod, tier, current, latest).
- * Pure function — no I/O. The single source of truth for "what's allowed in this environment."
- * `reason` is one of: 'tier-off' | 'up-to-date' | 'install-method-not-writable' | 'ok'.
+ * Decide which update tiers are allowed under the given (installMethod, tier,
+ * current, latest, executionStatus). Pure function — no I/O. The single source
+ * of truth for "what's allowed in this environment."
+ *
+ * `reason` is one of:
+ *   'tier-off' | 'up-to-date' | 'install-method-not-writable'
+ *   | 'rollback-failed-terminal' | 'ok'.
  */
-export const evaluatePolicy = ({installMethod, tier, current, latest}: PolicyInput): PolicyResult => {
+export const evaluatePolicy = ({
+  installMethod, tier, current, latest, executionStatus,
+}: PolicyInput): PolicyResult => {
   if (tier === 'off') {
     return {canNotify: false, canManual: false, canAuto: false, canAutonomous: false, reason: 'tier-off'};
   }
@@ -32,11 +45,12 @@ export const evaluatePolicy = ({installMethod, tier, current, latest}: PolicyInp
     return {canNotify, canManual: false, canAuto: false, canAutonomous: false, reason: 'install-method-not-writable'};
   }
 
+  const terminal = executionStatus === 'rollback-failed';
   return {
     canNotify,
     canManual: tier === 'manual' || tier === 'auto' || tier === 'autonomous',
-    canAuto: tier === 'auto' || tier === 'autonomous',
-    canAutonomous: tier === 'autonomous',
-    reason: 'ok',
+    canAuto: !terminal && (tier === 'auto' || tier === 'autonomous'),
+    canAutonomous: !terminal && tier === 'autonomous',
+    reason: terminal ? 'rollback-failed-terminal' : 'ok',
   };
 };
diff --git a/src/node/updater/VersionChecker.ts b/src/node/updater/VersionChecker.ts
index 8dc1f8d5f5d..ff4b0f34a52 100644
--- a/src/node/updater/VersionChecker.ts
+++ b/src/node/updater/VersionChecker.ts
@@ -1,5 +1,6 @@
 import {ReleaseInfo, VulnerableBelowDirective} from './types';
 import {parseVulnerableBelow} from './versionCompare';
+import {isValidTag} from './refSafety';
 
 export interface FetchResult {
   status: number;
@@ -49,6 +50,15 @@ export const checkLatestRelease = async (
     return {kind: 'error', status: 200};
   }
 
+  // Reject any tag that would be unsafe to hand to git later. Validating at
+  // the persistence boundary (rather than only at the executor) means a
+  // malformed tag_name from a misconfigured fork-as-github-repo never lands
+  // in update-state.json. Treated as a fetch error so the polling loop will
+  // try again next interval.
+  if (!isValidTag(j.tag_name)) {
+    return {kind: 'error', status: 200};
+  }
+
   const tag = j.tag_name;
   const version = tag.replace(/^v/, '');
   const body: string = typeof j.body === 'string' ? j.body : '';
diff --git a/src/node/updater/index.ts b/src/node/updater/index.ts
index 475c0599231..22e08042de5 100644
--- a/src/node/updater/index.ts
+++ b/src/node/updater/index.ts
@@ -1,4 +1,6 @@
 import path from 'node:path';
+import {spawn} from 'node:child_process';
+import fs from 'node:fs/promises';
 import log4js from 'log4js';
 import settings, {getEpVersion} from '../utils/Settings';
 import {detectInstallMethod} from './InstallMethodDetector';
@@ -7,6 +9,8 @@ import {loadState, saveState} from './state';
 import {isMajorBehind, isVulnerable} from './versionCompare';
 import {evaluatePolicy} from './UpdatePolicy';
 import {decideEmails} from './Notifier';
+import {checkPendingVerification, CheckResult, RollbackDeps} from './RollbackHandler';
+import type {SpawnFn} from './UpdateExecutor';
 import {InstallMethod, UpdateState} from './types';
 
 const logger = log4js.getLogger('updater');
@@ -16,6 +20,7 @@ let timer: NodeJS.Timeout | null = null;
 let initialTimer: NodeJS.Timeout | null = null;
 let checkInFlight = false;
 let inMemoryState: UpdateState | null = null;
+let pendingVerification: CheckResult | null = null;
 
 export const stateFilePath = () => path.join(settings.root, 'var', 'update-state.json');
 
@@ -126,6 +131,21 @@ const startPolling = (): void => {
   initialTimer = setTimeout(() => { initialTimer = null; void performCheck(); }, 5000);
 };
 
+/** Build the dependency bundle RollbackHandler / UpdateExecutor expect. */
+export const getRollbackDeps = (): RollbackDeps => ({
+  repoDir: settings.root,
+  backupDir: path.join(settings.root, 'var', 'update-backup'),
+  spawnFn: spawn as unknown as SpawnFn,
+  copyFile: async (src: string, dst: string) => {
+    await fs.mkdir(path.dirname(dst), {recursive: true});
+    await fs.copyFile(src, dst);
+  },
+  saveState: (s: UpdateState) => saveState(stateFilePath(), s),
+  exit: (code: number) => process.exit(code),
+  now: () => new Date(),
+  rollbackHealthCheckSeconds: Number(settings.updates.rollbackHealthCheckSeconds) || 60,
+});
+
 /** Hook entry point — called by ep.json on createServer. */
 export const expressCreateServer = async (): Promise<void> => {
   detectedMethod = await detectInstallMethod({
@@ -133,9 +153,29 @@ export const expressCreateServer = async (): Promise<void> => {
     rootDir: settings.root,
   });
   logger.info(`updater: install method = ${detectedMethod}, tier = ${settings.updates.tier}`);
+
+  // Tier 2: if the previous boot left the state in pending-verification, arm
+  // the health-check timer (or force rollback when bootCount has climbed past
+  // the crash-loop threshold). This must run BEFORE polling starts so the
+  // rollback can fire even if the version checker is misconfigured.
+  const state = await getCurrentState();
+  pendingVerification = checkPendingVerification(state, getRollbackDeps());
+
   if (settings.updates.tier !== 'off') startPolling();
 };
 
+/**
+ * Called by the Etherpad runtime once the express stack is fully wired and
+ * /health responds — that's the implicit health signal the
+ * pending-verification timer is waiting for.
+ */
+export const markBootHealthy = (): void => {
+  if (pendingVerification) {
+    pendingVerification.markVerified();
+    pendingVerification = null;
+  }
+};
+
 /** Shutdown hook. */
 export const shutdown = async (): Promise<void> => {
   if (timer) { clearInterval(timer); timer = null; }
diff --git a/src/node/updater/lock.ts b/src/node/updater/lock.ts
new file mode 100644
index 00000000000..2dd00e5cbd2
--- /dev/null
+++ b/src/node/updater/lock.ts
@@ -0,0 +1,78 @@
+import fs from 'node:fs/promises';
+import path from 'node:path';
+
+interface LockFile {
+  pid: number;
+  at: string;
+}
+
+const isPidLive = (pid: number): boolean => {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err: any) {
+    // ESRCH = no such process (stale).
+    // EPERM = exists but we can't signal — treat as live (some other user owns it).
+    return err.code !== 'ESRCH';
+  }
+};
+
+const readIfPresent = async (lockPath: string): Promise<LockFile | null> => {
+  let raw: string;
+  try {
+    raw = await fs.readFile(lockPath, 'utf8');
+  } catch (err: any) {
+    if (err.code === 'ENOENT') return null;
+    return null;
+  }
+  let parsed: unknown;
+  try { parsed = JSON.parse(raw); } catch { return null; }
+  if (!parsed || typeof parsed !== 'object') return null;
+  const p = parsed as Record<string, unknown>;
+  if (typeof p.pid !== 'number' || typeof p.at !== 'string') return null;
+  return {pid: p.pid, at: p.at};
+};
+
+/**
+ * Atomic acquire via O_CREAT|O_EXCL. If the file already exists, the holder's
+ * PID is checked; when dead we reap it and retry once. Returns false on a live
+ * conflict — the caller is expected to surface "lock-held" to the admin.
+ */
+export const acquireLock = async (lockPath: string): Promise<boolean> => {
+  await fs.mkdir(path.dirname(lockPath), {recursive: true});
+  const payload = JSON.stringify({pid: process.pid, at: new Date().toISOString()});
+
+  const tryCreate = async (): Promise<boolean> => {
+    try {
+      const fh = await fs.open(lockPath, 'wx');
+      try { await fh.writeFile(payload); } finally { await fh.close(); }
+      return true;
+    } catch (err: any) {
+      if (err.code === 'EEXIST') return false;
+      throw err;
+    }
+  };
+
+  if (await tryCreate()) return true;
+
+  const existing = await readIfPresent(lockPath);
+  if (existing && isPidLive(existing.pid)) return false;
+
+  // Stale or unparseable — reap and retry once. A concurrent reaper may beat us,
+  // in which case the second tryCreate also returns false (correctly: someone
+  // else holds it now).
+  try { await fs.unlink(lockPath); }
+  catch (err: any) { if (err.code !== 'ENOENT') throw err; }
+  return tryCreate();
+};
+
+export const releaseLock = async (lockPath: string): Promise<void> => {
+  try { await fs.unlink(lockPath); }
+  catch (err: any) { if (err.code !== 'ENOENT') throw err; }
+};
+
+/** True iff the lock file exists *and* the recorded PID is live. Stale locks read as not-held. */
+export const isHeld = async (lockPath: string): Promise<boolean> => {
+  const f = await readIfPresent(lockPath);
+  return !!f && isPidLive(f.pid);
+};
diff --git a/src/node/updater/preflight.ts b/src/node/updater/preflight.ts
new file mode 100644
index 00000000000..f0403e186b6
--- /dev/null
+++ b/src/node/updater/preflight.ts
@@ -0,0 +1,54 @@
+import {InstallMethod} from './types';
+import type {VerifyResult} from './trustedKeys';
+
+export type PreflightReason =
+  | 'install-method-not-writable'
+  | 'dirty-working-tree'
+  | 'low-disk-space'
+  | 'pnpm-not-found'
+  | 'lock-held'
+  | 'remote-tag-missing'
+  | 'signature-verification-failed';
+
+export interface PreflightInput {
+  targetTag: string;
+  diskSpaceMinMB: number;
+  requireSignature: boolean;
+  trustedKeysPath: string | null;
+}
+
+export interface PreflightDeps {
+  installMethod: Exclude<InstallMethod, 'auto'>;
+  workingTreeClean: () => Promise<boolean>;
+  freeDiskMB: () => Promise<number>;
+  pnpmOnPath: () => Promise<boolean>;
+  lockHeld: () => Promise<boolean>;
+  remoteHasTag: (tag: string) => Promise<boolean>;
+  verifyTag: () => Promise<VerifyResult>;
+}
+
+export type PreflightResult = {ok: true} | {ok: false; reason: PreflightReason};
+
+const WRITABLE_METHODS: ReadonlySet<Exclude<InstallMethod, 'auto'>> = new Set(['git']);
+
+/**
+ * Sequenced preflight: each check is fast and reads the world. Order matters —
+ * cheap, definitive failures (install method) run before slow ones (network
+ * tag lookup, gpg). The first failure short-circuits.
+ */
+export const runPreflight = async (
+  input: PreflightInput,
+  deps: PreflightDeps,
+): Promise<PreflightResult> => {
+  if (!WRITABLE_METHODS.has(deps.installMethod)) {
+    return {ok: false, reason: 'install-method-not-writable'};
+  }
+  if (!await deps.workingTreeClean()) return {ok: false, reason: 'dirty-working-tree'};
+  if ((await deps.freeDiskMB()) < input.diskSpaceMinMB) return {ok: false, reason: 'low-disk-space'};
+  if (!await deps.pnpmOnPath()) return {ok: false, reason: 'pnpm-not-found'};
+  if (await deps.lockHeld()) return {ok: false, reason: 'lock-held'};
+  if (!await deps.remoteHasTag(input.targetTag)) return {ok: false, reason: 'remote-tag-missing'};
+  const sig = await deps.verifyTag();
+  if (!sig.ok) return {ok: false, reason: 'signature-verification-failed'};
+  return {ok: true};
+};
diff --git a/src/node/updater/refSafety.ts b/src/node/updater/refSafety.ts
new file mode 100644
index 00000000000..e837a628ad8
--- /dev/null
+++ b/src/node/updater/refSafety.ts
@@ -0,0 +1,43 @@
+/**
+ * Safety helpers for any release-tag string Etherpad's updater hands to git.
+ *
+ * The release tag originates from GitHub's `releases/latest` API (`tag_name`)
+ * and is then persisted into `var/update-state.json`. A tag that starts with
+ * `-` would be parsed by git as an option flag rather than a positional ref —
+ * `git checkout -fast-forward` and similar tricks could bypass signature
+ * verification or change checkout semantics. A tag with shell metacharacters
+ * is less of an issue under `child_process.spawn` (no shell), but we reject
+ * those too because git's own ref-name rules forbid them and a malformed tag
+ * has nowhere reasonable to be honoured anyway.
+ *
+ * Rules (a subset of git's check-ref-format spec — strict on purpose):
+ *   - Non-empty.
+ *   - Length <= 200.
+ *   - May not start with `-` (option injection) or `.` (git rejects).
+ *   - May not contain whitespace, NUL, or any of: ~ ^ : ? * [ \\
+ *   - May not contain `..` (git's own rule).
+ *
+ * Callers should also use the `refs/tags/<tag>` form when invoking git so
+ * that even an unforeseen edge-case can't be parsed as an option, and pass
+ * `--` as an end-of-options marker on commands that accept it.
+ */
+
+const FORBIDDEN_CHARS = /[\s\x00~^:?*\[\\]/;
+
+export const isValidTag = (tag: unknown): tag is string => {
+  if (typeof tag !== 'string') return false;
+  if (tag.length === 0 || tag.length > 200) return false;
+  if (tag.startsWith('-') || tag.startsWith('.')) return false;
+  if (FORBIDDEN_CHARS.test(tag)) return false;
+  if (tag.includes('..')) return false;
+  return true;
+};
+
+/** Throwing form for hot paths where invalid input is a programmer/data error. */
+export const assertValidTag = (tag: unknown): string => {
+  if (!isValidTag(tag)) throw new Error(`unsafe release tag: ${JSON.stringify(tag)}`);
+  return tag as string;
+};
+
+/** Wrap a validated tag in the `refs/tags/<tag>` form for git invocations. */
+export const refsTagsForm = (tag: string): string => `refs/tags/${tag}`;
diff --git a/src/node/updater/state.ts b/src/node/updater/state.ts
index 05f97e8ab56..be425321681 100644
--- a/src/node/updater/state.ts
+++ b/src/node/updater/state.ts
@@ -1,6 +1,6 @@
 import fs from 'node:fs/promises';
 import path from 'node:path';
-import {EMPTY_STATE, UpdateState} from './types';
+import {EMPTY_STATE, EXECUTION_STATUSES, UpdateState} from './types';
 
 const isPlainObject = (v: unknown): v is Record<string, unknown> =>
   v !== null && typeof v === 'object' && !Array.isArray(v);
@@ -8,6 +8,52 @@ const isPlainObject = (v: unknown): v is Record<string, unknown> =>
 const isStringOrNull = (v: unknown): v is string | null =>
   v === null || typeof v === 'string';
 
+// Per-status field requirements that mirror the ExecutionStatus union in types.ts.
+// Persisted-state corruption (a hand-edited file or a future schema bump that
+// missed a migration) must never reach RollbackHandler with `undefined` refs —
+// loadState resets to EMPTY_STATE when any required field is missing.
+const EXEC_REQUIRED_FIELDS: Record<string, readonly string[]> = {
+  'idle': [],
+  'preflight': ['targetTag', 'startedAt'],
+  'preflight-failed': ['targetTag', 'reason', 'at'],
+  'draining': ['targetTag', 'drainEndsAt', 'startedAt'],
+  'executing': ['targetTag', 'fromSha', 'startedAt'],
+  'pending-verification': ['targetTag', 'fromSha', 'deadlineAt'],
+  'verified': ['targetTag', 'verifiedAt'],
+  'rolling-back': ['reason', 'targetTag', 'fromSha', 'at'],
+  'rolled-back': ['reason', 'targetTag', 'restoredSha', 'at'],
+  'rollback-failed': ['reason', 'targetTag', 'fromSha', 'at'],
+};
+
+const isValidExecution = (v: unknown): boolean => {
+  if (!isPlainObject(v)) return false;
+  if (typeof v.status !== 'string') return false;
+  if (!(EXECUTION_STATUSES as readonly string[]).includes(v.status)) return false;
+  const required = EXEC_REQUIRED_FIELDS[v.status];
+  if (!required) return false; // unknown status — fail closed
+  for (const field of required) {
+    if (typeof (v as Record<string, unknown>)[field] !== 'string') return false;
+    if (((v as Record<string, unknown>)[field] as string).length === 0) return false;
+  }
+  return true;
+};
+
+// Outcomes that LastUpdateResult.outcome must match.
+const VALID_OUTCOMES: ReadonlySet<string> = new Set([
+  'verified', 'rolled-back', 'rollback-failed', 'preflight-failed', 'cancelled',
+]);
+
+const isValidLastResult = (v: unknown): boolean => {
+  if (v === null) return true;
+  if (!isPlainObject(v)) return false;
+  return typeof v.targetTag === 'string'
+    && typeof v.fromSha === 'string'
+    && typeof v.outcome === 'string'
+    && VALID_OUTCOMES.has(v.outcome)
+    && (v.reason === null || typeof v.reason === 'string')
+    && typeof v.at === 'string';
+};
+
 const isValidLatest = (v: unknown): boolean => {
   if (v === null) return true;
   if (!isPlainObject(v)) return false;
@@ -39,14 +85,23 @@ const isValidEmail = (v: unknown): boolean => {
 // Validate the full shape so loadState() actually delivers on its "safely
 // reset on malformed input" contract. Downstream code calls .trim() / semver
 // parsing on these subfields and would crash on a hand-edited file otherwise.
-const isValid = (raw: unknown): raw is UpdateState => {
+//
+// Tier 2 fields (execution, bootCount, lastResult) MAY be absent on a state
+// file written by a Tier 1 install — those are backfilled at load time.
+// Present-but-malformed values still reject so a hand-edited file with
+// e.g. execution.status="totally-bogus" can't poison RollbackHandler.
+const isValid = (raw: unknown): raw is Partial<UpdateState> & object => {
   if (!isPlainObject(raw)) return false;
-  return raw.schemaVersion === 1
-    && isStringOrNull(raw.lastCheckAt)
-    && isStringOrNull(raw.lastEtag)
-    && isValidLatest(raw.latest)
-    && isValidVulnerableBelow(raw.vulnerableBelow)
-    && isValidEmail(raw.email);
+  if (raw.schemaVersion !== 1) return false;
+  if (!isStringOrNull(raw.lastCheckAt)) return false;
+  if (!isStringOrNull(raw.lastEtag)) return false;
+  if (!isValidLatest(raw.latest)) return false;
+  if (!isValidVulnerableBelow(raw.vulnerableBelow)) return false;
+  if (!isValidEmail(raw.email)) return false;
+  if (raw.execution !== undefined && !isValidExecution(raw.execution)) return false;
+  if (raw.bootCount !== undefined && typeof raw.bootCount !== 'number') return false;
+  if (raw.lastResult !== undefined && !isValidLastResult(raw.lastResult)) return false;
+  return true;
 };
 
 /** Reads the on-disk state. Returns a fresh empty-state clone when the file is missing, malformed, or has an unknown schemaVersion. Never throws on parse errors. */
@@ -65,7 +120,17 @@ export const loadState = async (filePath: string): Promise<UpdateState> => {
     return structuredClone(EMPTY_STATE);
   }
   if (!isValid(parsed)) return structuredClone(EMPTY_STATE);
-  return parsed;
+  // Backfill Tier 2 fields on a Tier 1 state file. Spread defaults first,
+  // parsed second so explicit values win, then explicit fallback for the
+  // three fields that might be undefined.
+  const partial = parsed as Partial<UpdateState>;
+  return {
+    ...structuredClone(EMPTY_STATE),
+    ...partial,
+    execution: partial.execution ?? structuredClone(EMPTY_STATE.execution),
+    bootCount: partial.bootCount ?? 0,
+    lastResult: partial.lastResult ?? null,
+  } as UpdateState;
 };
 
 /** Atomic write via tmp-then-rename. Creates parent directories as needed. */
diff --git a/src/node/updater/trustedKeys.ts b/src/node/updater/trustedKeys.ts
new file mode 100644
index 00000000000..2d50a95c977
--- /dev/null
+++ b/src/node/updater/trustedKeys.ts
@@ -0,0 +1,75 @@
+import {spawn as realSpawn, SpawnOptions} from 'node:child_process';
+import log4js from 'log4js';
+import {isValidTag} from './refSafety';
+
+const logger = log4js.getLogger('updater');
+
+export type SpawnFn = (cmd: string, args: string[], opts: SpawnOptions) => {
+  on: {
+    (event: 'close', cb: (code: number | null) => void): void;
+    (event: 'error', cb: (err: Error) => void): void;
+  };
+};
+
+export interface VerifyArgs {
+  tag: string;
+  repoDir: string;
+  requireSignature: boolean;
+  trustedKeysPath: string | null;
+  /** Override for tests; production callers use the default `child_process.spawn`. */
+  spawnFn?: SpawnFn;
+}
+
+export type VerifyResult =
+  | {ok: true; reason: 'signature-verified' | 'signature-not-required'}
+  | {ok: false; reason: 'signature-verification-failed'};
+
+/**
+ * Verify a release tag's GPG signature via `git verify-tag <tag>`.
+ *
+ * With `requireSignature: false` (default) this is a documented no-op:
+ * Etherpad's release process does not yet sign tags consistently, and
+ * forcing verification on by default would break Tier 2 for everyone.
+ * Admins who run their own builds or who pin to signed forks set
+ * `updates.requireSignature: true` and import the trusted keys into the
+ * Etherpad user's keyring (or a dedicated keyring at
+ * `updates.trustedKeysPath`, which is passed to git via $GNUPGHOME).
+ */
+export const verifyReleaseTag = async (args: VerifyArgs): Promise<VerifyResult> => {
+  if (!args.requireSignature) {
+    logger.warn(
+      `verifyReleaseTag: signature check skipped (updates.requireSignature=false) for ${args.tag}`,
+    );
+    return {ok: true, reason: 'signature-not-required'};
+  }
+  // Reject unsafe tag strings before they ever reach git. A tag starting with
+  // '-' could otherwise be parsed as a git option, bypassing verification.
+  if (!isValidTag(args.tag)) {
+    logger.error(`verifyReleaseTag: refused unsafe tag ${JSON.stringify(args.tag)}`);
+    return {ok: false, reason: 'signature-verification-failed'};
+  }
+  const spawnFn = args.spawnFn ?? (realSpawn as unknown as SpawnFn);
+  const env: NodeJS.ProcessEnv = {...process.env};
+  if (args.trustedKeysPath) env.GNUPGHOME = args.trustedKeysPath;
+  // -- terminates options so even a future tag-validation regression can't
+  // smuggle a flag past git verify-tag.
+  const child = spawnFn('git', ['verify-tag', '--', args.tag], {
+    cwd: args.repoDir,
+    env,
+    stdio: 'ignore',
+  });
+  // Listen for both 'close' and 'error' so a missing/unexecutable git binary
+  // surfaces as verification-failure rather than a hung promise.
+  const code: number | null = await new Promise((resolve) => {
+    let settled = false;
+    const settle = (c: number | null) => { if (settled) return; settled = true; resolve(c); };
+    child.on('close', settle);
+    child.on('error', (err: Error) => {
+      logger.error(`verifyReleaseTag: git verify-tag spawn error: ${err.message}`);
+      settle(1);
+    });
+  });
+  if (code === 0) return {ok: true, reason: 'signature-verified'};
+  logger.error(`verifyReleaseTag: git verify-tag ${args.tag} exited ${code}`);
+  return {ok: false, reason: 'signature-verification-failed'};
+};
diff --git a/src/node/updater/types.ts b/src/node/updater/types.ts
index d96c8e384cc..130ab02784e 100644
--- a/src/node/updater/types.ts
+++ b/src/node/updater/types.ts
@@ -45,6 +45,45 @@ export interface EmailSendLog {
   vulnerableNewReleaseTag: string | null;
 }
 
+/**
+ * Discriminated union mirroring the state machine in
+ * docs/superpowers/specs/2026-04-25-auto-update-design.md (section "State machine").
+ *
+ * `rollback-failed` is the only terminal state that disables auto/autonomous
+ * attempts globally until POST /admin/update/acknowledge clears it. Manual
+ * remains permitted because an admin clicking Apply *is* the intervention.
+ */
+export type ExecutionStatus =
+  | {status: 'idle'}
+  | {status: 'preflight'; targetTag: string; startedAt: string}
+  | {status: 'preflight-failed'; targetTag: string; reason: string; at: string}
+  | {status: 'draining'; targetTag: string; drainEndsAt: string; startedAt: string}
+  | {status: 'executing'; targetTag: string; fromSha: string; startedAt: string}
+  | {status: 'pending-verification'; targetTag: string; fromSha: string; deadlineAt: string}
+  | {status: 'verified'; targetTag: string; verifiedAt: string}
+  | {status: 'rolling-back'; reason: string; targetTag: string; fromSha: string; at: string}
+  | {status: 'rolled-back'; reason: string; targetTag: string; restoredSha: string; at: string}
+  | {status: 'rollback-failed'; reason: string; targetTag: string; fromSha: string; at: string};
+
+/** All recognised execution statuses — used by the state validator. */
+export const EXECUTION_STATUSES = [
+  'idle', 'preflight', 'preflight-failed', 'draining', 'executing',
+  'pending-verification', 'verified', 'rolling-back', 'rolled-back', 'rollback-failed',
+] as const;
+
+export type LastUpdateResult = {
+  /** Tag we were updating to. */
+  targetTag: string;
+  /** SHA we were updating from. Empty string when the run never reached executor (e.g. preflight-failed). */
+  fromSha: string;
+  /** Outcome to surface in admin UI. */
+  outcome: 'verified' | 'rolled-back' | 'rollback-failed' | 'preflight-failed' | 'cancelled';
+  /** Human-readable reason on non-success. */
+  reason: string | null;
+  /** ISO timestamp when this result was finalised. */
+  at: string;
+} | null;
+
 export interface UpdateState {
   /** Schema version of this file. Increment when fields change. */
   schemaVersion: 1;
@@ -58,6 +97,15 @@ export interface UpdateState {
   vulnerableBelow: VulnerableBelowDirective[];
   /** Email send dedupe state. */
   email: EmailSendLog;
+  /** Current in-flight execution state. Persisted so a restart mid-update reaches RollbackHandler. */
+  execution: ExecutionStatus;
+  /**
+   * Boot counter that the RollbackHandler increments while a `pending-verification`
+   * status is live. > 2 means the new version crash-looped; force rollback regardless of timer.
+   */
+  bootCount: number;
+  /** Most recent terminal outcome, surfaced in admin UI even after `execution` returns to idle. */
+  lastResult: LastUpdateResult;
 }
 
 /** Zero-value initial state. Treat as immutable — spread before mutating: `{...EMPTY_STATE, lastCheckAt: x}`. */
@@ -72,4 +120,7 @@ export const EMPTY_STATE: UpdateState = {
     vulnerableAt: null,
     vulnerableNewReleaseTag: null,
   },
+  execution: {status: 'idle'},
+  bootCount: 0,
+  lastResult: null,
 };
diff --git a/src/node/updater/updateLog.ts b/src/node/updater/updateLog.ts
new file mode 100644
index 00000000000..f0c3b58b0f6
--- /dev/null
+++ b/src/node/updater/updateLog.ts
@@ -0,0 +1,82 @@
+import fs from 'node:fs/promises';
+import path from 'node:path';
+
+const DEFAULT_MAX_BYTES = 10 * 1024 * 1024;
+const DEFAULT_BACKUPS = 5;
+
+/**
+ * Rotate `<logPath>` when it exceeds `maxBytes`:
+ *   <logPath>.{n-1} -> .n  (oldest dropped)
+ *   <logPath>       -> .1
+ * No-op when the file is missing or under the limit.
+ */
+export const rotateIfNeeded = async (
+  logPath: string,
+  maxBytes = DEFAULT_MAX_BYTES,
+  backups = DEFAULT_BACKUPS,
+): Promise<void> => {
+  let size = 0;
+  try { size = (await fs.stat(logPath)).size; } catch (err: any) {
+    if (err.code === 'ENOENT') return;
+    throw err;
+  }
+  if (size < maxBytes) return;
+
+  // Drop the oldest. Walk from highest index down so the rename chain lands cleanly.
+  for (let i = backups - 1; i >= 1; i--) {
+    const src = `${logPath}.${i}`;
+    const dst = `${logPath}.${i + 1}`;
+    try { await fs.rename(src, dst); }
+    catch (err: any) { if (err.code !== 'ENOENT') throw err; }
+  }
+  // Current file becomes .1.
+  try { await fs.rename(logPath, `${logPath}.1`); }
+  catch (err: any) { if (err.code !== 'ENOENT') throw err; }
+};
+
+/**
+ * Append `line` to `<logPath>`, rotating first if the file is over the size cap.
+ * Creates parent directories as needed. The line is newline-terminated; do not
+ * include a trailing newline in `line`.
+ *
+ * Best-effort: swallows fs errors silently. Update logging must never break the
+ * update flow itself, and errors are already surfaced via log4js by callers.
+ */
+export const appendLine = async (
+  logPath: string,
+  line: string,
+  maxBytes = DEFAULT_MAX_BYTES,
+  backups = DEFAULT_BACKUPS,
+): Promise<void> => {
+  try {
+    await fs.mkdir(path.dirname(logPath), {recursive: true});
+    await rotateIfNeeded(logPath, maxBytes, backups);
+    await fs.appendFile(logPath, `${line}\n`);
+  } catch {
+    // ignore — caller is fire-and-forget logging
+  }
+};
+
+/** Same as appendLine but throws on error — used by tests that want to assert disk failures surface. */
+export const appendLineStrict = async (
+  logPath: string,
+  line: string,
+  maxBytes = DEFAULT_MAX_BYTES,
+  backups = DEFAULT_BACKUPS,
+): Promise<void> => {
+  await fs.mkdir(path.dirname(logPath), {recursive: true});
+  await rotateIfNeeded(logPath, maxBytes, backups);
+  await fs.appendFile(logPath, `${line}\n`);
+};
+
+/** Read the last `n` newline-separated lines from the active log file. Empty array if missing. */
+export const tailLines = async (logPath: string, n: number): Promise<string[]> => {
+  if (n <= 0) return [];
+  let raw: string;
+  try { raw = await fs.readFile(logPath, 'utf8'); }
+  catch (err: any) { if (err.code === 'ENOENT') return []; throw err; }
+  const stripped = raw.endsWith('\n') ? raw.slice(0, -1) : raw;
+  if (stripped.length === 0) return [];
+  const all = stripped.split('\n');
+  return all.slice(Math.max(0, all.length - n));
+};
diff --git a/src/node/utils/Settings.ts b/src/node/utils/Settings.ts
index 28e237073df..19c6bf7f491 100644
--- a/src/node/utils/Settings.ts
+++ b/src/node/utils/Settings.ts
@@ -331,6 +331,15 @@ export type SettingsType = {
     checkIntervalHours: number,
     githubRepo: string,
     requireAdminForStatus: boolean,
+    /** Tier 2+ knobs. Default 0 in PR 2; tier 3 makes preApplyGraceMinutes meaningful. */
+    preApplyGraceMinutes: number,
+    drainSeconds: number,
+    rollbackHealthCheckSeconds: number,
+    diskSpaceMinMB: number,
+    /** When true, refuse updates whose tag is not signed by a trusted key. */
+    requireSignature: boolean,
+    /** Override the OS keyring location (passed to git verify-tag via $GNUPGHOME). */
+    trustedKeysPath: string | null,
   },
   adminOpenAPI: {
     enabled: boolean,
@@ -518,6 +527,13 @@ const settings: SettingsType = {
     // Set true to require an authenticated admin session for the endpoint without
     // disabling the updater itself.
     requireAdminForStatus: false,
+    // Tier 2+ knobs. Only meaningful at tier "manual" or higher.
+    preApplyGraceMinutes: 0,
+    drainSeconds: 60,
+    rollbackHealthCheckSeconds: 60,
+    diskSpaceMinMB: 500,
+    requireSignature: false,
+    trustedKeysPath: null,
   },
   /**
    * Admin OpenAPI document endpoint at /admin/openapi.json.
diff --git a/src/static/js/pad.ts b/src/static/js/pad.ts
index 6070fb8944f..26234bfef17 100644
--- a/src/static/js/pad.ts
+++ b/src/static/js/pad.ts
@@ -401,13 +401,19 @@ const handshake = async () => {
       // gritter so the user doesn't see a confusing duplicate.
       if (typeof msgObj.messageKey === 'string'
           && msgObj.messageKey.startsWith('pad.deletionToken.')) return;
-      const text = msgObj.messageKey ? html10n.get(msgObj.messageKey) : msgObj.message;
+      // Updater drain announcements get their own title and dodge the generic
+      // "Admin message" framing so the user knows it's a system event.
+      const isUpdate = typeof msgObj.messageKey === 'string'
+          && msgObj.messageKey.startsWith('update.drain.');
+      const text = msgObj.messageKey
+          ? html10n.get(msgObj.messageKey, msgObj.values || {})
+          : msgObj.message;
       if (!text) return;
       const date = new Date(payload.timestamp);
       $.gritter.add({
-        title: 'Admin message',
+        title: isUpdate ? html10n.get('update.banner.title') : 'Admin message',
         text: '[' + date.toLocaleTimeString() + ']: ' + text,
-        sticky: msgObj.sticky
+        sticky: !!msgObj.sticky
       });
     }
   })
diff --git a/src/tests/backend-new/specs/updater/RollbackHandler.test.ts b/src/tests/backend-new/specs/updater/RollbackHandler.test.ts
new file mode 100644
index 00000000000..8a30cbcb769
--- /dev/null
+++ b/src/tests/backend-new/specs/updater/RollbackHandler.test.ts
@@ -0,0 +1,203 @@
+import {describe, it, expect, vi, beforeEach, afterEach} from 'vitest';
+import {checkPendingVerification, performRollback, RollbackDeps} from '../../../../node/updater/RollbackHandler';
+import {EMPTY_STATE} from '../../../../node/updater/types';
+
+const okSpawn = (exit: number) => vi.fn(() => ({
+  stdout: {on: () => {}},
+  stderr: {on: () => {}},
+  on: (e: string, cb: any) => { if (e === 'close') setImmediate(() => cb(exit)); },
+})) as any;
+
+const baseDeps = (): RollbackDeps => ({
+  repoDir: '/srv/etherpad',
+  backupDir: '/srv/etherpad/var/update-backup',
+  spawnFn: okSpawn(0),
+  copyFile: vi.fn(async () => {}),
+  saveState: vi.fn(async () => {}),
+  exit: vi.fn(),
+  now: () => new Date('2026-05-08T10:00:00Z'),
+  rollbackHealthCheckSeconds: 60,
+});
+
+describe('checkPendingVerification', () => {
+  beforeEach(() => { vi.useFakeTimers(); });
+  afterEach(() => { vi.useRealTimers(); });
+
+  it('idle state is a no-op (timer is not armed)', () => {
+    const r = checkPendingVerification(structuredClone(EMPTY_STATE), baseDeps());
+    expect(r.armed).toBe(false);
+  });
+
+  it('pending-verification with bootCount<=2 arms a timer and increments bootCount', async () => {
+    const deps = baseDeps();
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {
+        status: 'pending-verification' as const,
+        targetTag: 'v2.7.3',
+        fromSha: 'abc',
+        deadlineAt: '2026-05-08T10:00:00Z',
+      },
+      bootCount: 0,
+    };
+    const r = checkPendingVerification(state, deps);
+    expect(r.armed).toBe(true);
+    expect(deps.saveState).toHaveBeenCalledWith(expect.objectContaining({bootCount: 1}));
+    // markVerified clears the timer; advancing past the deadline does NOT trigger rollback.
+    r.markVerified();
+    await vi.advanceTimersByTimeAsync(60_000);
+    await vi.runAllTimersAsync();
+    expect(deps.exit).not.toHaveBeenCalled();
+  });
+
+  it('markVerified persists the verified state with lastResult=verified', () => {
+    const deps = baseDeps();
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {
+        status: 'pending-verification' as const,
+        targetTag: 'v2.7.3', fromSha: 'abc',
+        deadlineAt: '2026-05-08T10:00:00Z',
+      },
+      bootCount: 0,
+    };
+    const r = checkPendingVerification(state, deps);
+    r.markVerified();
+    const lastSave = (deps.saveState as any).mock.calls.at(-1)[0];
+    expect(lastSave.execution.status).toBe('verified');
+    expect(lastSave.lastResult.outcome).toBe('verified');
+    expect(lastSave.bootCount).toBe(0);
+  });
+
+  it('pending-verification with bootCount>2 forces immediate rollback', async () => {
+    const deps = baseDeps();
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {
+        status: 'pending-verification' as const,
+        targetTag: 'v2.7.3', fromSha: 'abc',
+        deadlineAt: '2026-05-08T10:00:00Z',
+      },
+      bootCount: 3,
+    };
+    const r = checkPendingVerification(state, deps);
+    expect(r.armed).toBe(false);
+    await vi.runAllTimersAsync();
+    expect(deps.exit).toHaveBeenCalledWith(75);
+  });
+
+  it('timer expiry triggers rollback when markVerified is never called', async () => {
+    const deps = baseDeps();
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {
+        status: 'pending-verification' as const,
+        targetTag: 'v2.7.3', fromSha: 'abc',
+        deadlineAt: '2026-05-08T10:00:00Z',
+      },
+      bootCount: 0,
+    };
+    const r = checkPendingVerification(state, deps);
+    expect(r.armed).toBe(true);
+    await vi.advanceTimersByTimeAsync(60_000);
+    await vi.runAllTimersAsync();
+    expect(deps.exit).toHaveBeenCalledWith(75);
+  });
+});
+
+describe('performRollback', () => {
+  it('happy path: restores lockfile, checks out fromSha, retries pnpm install, exits 75', async () => {
+    const deps = baseDeps();
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {
+        status: 'rolling-back' as const,
+        reason: 'install-failed',
+        targetTag: 'v2.7.3', fromSha: 'abc',
+        at: '2026-05-08T10:00:00Z',
+      },
+      bootCount: 0,
+    };
+    await performRollback(state, deps);
+    expect(deps.copyFile).toHaveBeenCalledWith(
+      '/srv/etherpad/var/update-backup/pnpm-lock.yaml',
+      '/srv/etherpad/pnpm-lock.yaml',
+    );
+    const lastSave = (deps.saveState as any).mock.calls.at(-1)[0];
+    expect(lastSave.execution.status).toBe('rolled-back');
+    expect(lastSave.lastResult.outcome).toBe('rolled-back');
+    expect(deps.exit).toHaveBeenCalledWith(75);
+  });
+
+  it('rollback failure (lockfile copy throws) lands on rollback-failed terminal', async () => {
+    const deps = baseDeps();
+    deps.copyFile = vi.fn(async () => { throw new Error('EACCES'); });
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {
+        status: 'rolling-back' as const,
+        reason: 'install-failed',
+        targetTag: 'v2.7.3', fromSha: 'abc',
+        at: '2026-05-08T10:00:00Z',
+      },
+      bootCount: 0,
+    };
+    await performRollback(state, deps);
+    const lastSave = (deps.saveState as any).mock.calls.at(-1)[0];
+    expect(lastSave.execution.status).toBe('rollback-failed');
+    expect(lastSave.lastResult.outcome).toBe('rollback-failed');
+    expect(deps.exit).toHaveBeenCalledWith(75);
+  });
+
+  it('rollback failure (git checkout exits non-zero) lands on rollback-failed', async () => {
+    const deps = baseDeps();
+    let calls = 0;
+    deps.spawnFn = vi.fn(() => ({
+      stdout: {on: () => {}},
+      stderr: {on: () => {}},
+      on: (e: string, cb: any) => { if (e === 'close') setImmediate(() => cb(calls++ === 0 ? 1 : 0)); },
+    })) as any;
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {
+        status: 'rolling-back' as const,
+        reason: 'build-failed',
+        targetTag: 'v2.7.3', fromSha: 'abc',
+        at: '2026-05-08T10:00:00Z',
+      },
+      bootCount: 0,
+    };
+    await performRollback(state, deps);
+    const lastSave = (deps.saveState as any).mock.calls.at(-1)[0];
+    expect(lastSave.execution.status).toBe('rollback-failed');
+  });
+
+  it('rollback failure (pnpm install exits non-zero) lands on rollback-failed', async () => {
+    const deps = baseDeps();
+    let calls = 0;
+    deps.spawnFn = vi.fn(() => ({
+      stdout: {on: () => {}},
+      stderr: {on: () => {}},
+      on: (e: string, cb: any) => { if (e === 'close') setImmediate(() => cb(calls++ === 0 ? 0 : 1)); },
+    })) as any;
+    const state = {
+      ...structuredClone(EMPTY_STATE),
+      execution: {
+        status: 'rolling-back' as const,
+        reason: 'build-failed',
+        targetTag: 'v2.7.3', fromSha: 'abc',
+        at: '2026-05-08T10:00:00Z',
+      },
+      bootCount: 0,
+    };
+    await performRollback(state, deps);
+    const lastSave = (deps.saveState as any).mock.calls.at(-1)[0];
+    expect(lastSave.execution.status).toBe('rollback-failed');
+  });
+
+  it('throws when called from an unexpected status', async () => {
+    const deps = baseDeps();
+    const state = structuredClone(EMPTY_STATE);
+    await expect(performRollback(state, deps)).rejects.toThrow();
+  });
+});
diff --git a/src/tests/backend-new/specs/updater/SessionDrainer.test.ts b/src/tests/backend-new/specs/updater/SessionDrainer.test.ts
new file mode 100644
index 00000000000..8d005035ad4
--- /dev/null
+++ b/src/tests/backend-new/specs/updater/SessionDrainer.test.ts
@@ -0,0 +1,110 @@
+import {describe, it, expect, vi, beforeEach, afterEach} from 'vitest';
+import {createDrainer, isAcceptingConnections, _resetForTests} from '../../../../node/updater/SessionDrainer';
+
+describe('SessionDrainer', () => {
+  beforeEach(() => { vi.useFakeTimers(); _resetForTests(); });
+  afterEach(() => { vi.useRealTimers(); _resetForTests(); });
+
+  it('emits T-60, T-30, T-10 in order and resolves at T=0', async () => {
+    const broadcasts: string[] = [];
+    const drainer = createDrainer({
+      drainSeconds: 60,
+      broadcast: (key) => { broadcasts.push(key); },
+    });
+    const done = drainer.start();
+    expect(broadcasts).toEqual(['update.drain.t60']);
+    await vi.advanceTimersByTimeAsync(30_000);
+    expect(broadcasts).toEqual(['update.drain.t60', 'update.drain.t30']);
+    await vi.advanceTimersByTimeAsync(20_000);
+    expect(broadcasts).toEqual(['update.drain.t60', 'update.drain.t30', 'update.drain.t10']);
+    await vi.advanceTimersByTimeAsync(10_000);
+    const r = await done;
+    expect(r).toEqual({outcome: 'completed'});
+  });
+
+  it('flips isAcceptingConnections to false during drain and back on cancel', () => {
+    const drainer = createDrainer({drainSeconds: 60, broadcast: () => {}});
+    expect(isAcceptingConnections()).toBe(true);
+    drainer.start();
+    expect(isAcceptingConnections()).toBe(false);
+    drainer.cancel();
+    expect(isAcceptingConnections()).toBe(true);
+  });
+
+  it('restores isAcceptingConnections to true on drain completion', async () => {
+    const drainer = createDrainer({drainSeconds: 60, broadcast: () => {}});
+    const done = drainer.start();
+    expect(isAcceptingConnections()).toBe(false);
+    await vi.advanceTimersByTimeAsync(60_000);
+    await done;
+    // Restored at completion so a downstream throw doesn't wedge join handshakes.
+    expect(isAcceptingConnections()).toBe(true);
+  });
+
+  it('cancel before T=0 resolves start() promise as cancelled', async () => {
+    const drainer = createDrainer({drainSeconds: 60, broadcast: () => {}});
+    const done = drainer.start();
+    await vi.advanceTimersByTimeAsync(20_000);
+    drainer.cancel();
+    const r = await done;
+    expect(r).toEqual({outcome: 'cancelled'});
+  });
+
+  it('cancel does not fire any further broadcasts', async () => {
+    const broadcasts: string[] = [];
+    const drainer = createDrainer({
+      drainSeconds: 60,
+      broadcast: (key) => { broadcasts.push(key); },
+    });
+    drainer.start();
+    expect(broadcasts).toEqual(['update.drain.t60']);
+    drainer.cancel();
+    await vi.advanceTimersByTimeAsync(60_000);
+    expect(broadcasts).toEqual(['update.drain.t60']);
+  });
+
+  it('passes seconds-remaining in broadcast values', async () => {
+    const seen: Array<{key: string; values: any}> = [];
+    const drainer = createDrainer({
+      drainSeconds: 60,
+      broadcast: (key, values) => { seen.push({key, values}); },
+    });
+    drainer.start();
+    expect(seen[0]).toEqual({key: 'update.drain.t60', values: {seconds: 60}});
+    await vi.advanceTimersByTimeAsync(30_000);
+    expect(seen[1]).toEqual({key: 'update.drain.t30', values: {seconds: 30}});
+    await vi.advanceTimersByTimeAsync(20_000);
+    expect(seen[2]).toEqual({key: 'update.drain.t10', values: {seconds: 10}});
+  });
+
+  it('drainSeconds=15 skips t30 (window too short) but still fires t10', async () => {
+    const seen: Array<{key: string; values: any}> = [];
+    const drainer = createDrainer({
+      drainSeconds: 15,
+      broadcast: (key, values) => { seen.push({key, values}); },
+    });
+    const done = drainer.start();
+    // Opening announcement reports the configured drain length, not a fixed 60.
+    expect(seen).toEqual([{key: 'update.drain.t60', values: {seconds: 15}}]);
+    // t30 is suppressed because reporting "30 seconds" would be wrong.
+    await vi.advanceTimersByTimeAsync(5_000);
+    expect(seen.map((s) => s.key)).not.toContain('update.drain.t30');
+    // t10 fires when 10 seconds remain (= 5s from start of a 15s drain).
+    expect(seen.map((s) => s.key)).toContain('update.drain.t10');
+    await vi.advanceTimersByTimeAsync(10_000);
+    await done;
+  });
+
+  it('drainSeconds=5 skips both t30 and t10', async () => {
+    const seen: string[] = [];
+    const drainer = createDrainer({
+      drainSeconds: 5,
+      broadcast: (key) => { seen.push(key); },
+    });
+    const done = drainer.start();
+    expect(seen).toEqual(['update.drain.t60']);
+    await vi.advanceTimersByTimeAsync(5_000);
+    await done;
+    expect(seen).toEqual(['update.drain.t60']); // only the opening announcement
+  });
+});
diff --git a/src/tests/backend-new/specs/updater/UpdateExecutor.test.ts b/src/tests/backend-new/specs/updater/UpdateExecutor.test.ts
new file mode 100644
index 00000000000..18fa118fc1b
--- /dev/null
+++ b/src/tests/backend-new/specs/updater/UpdateExecutor.test.ts
@@ -0,0 +1,145 @@
+import {describe, it, expect, vi, beforeEach} from 'vitest';
+import {executeUpdate, ExecutorDeps} from '../../../../node/updater/UpdateExecutor';
+import {EMPTY_STATE, UpdateState} from '../../../../node/updater/types';
+
+interface ScriptStep {cmd: string; exit: number; stderr?: string}
+
+const okSpawn = (script: ScriptStep[]) => {
+  let i = 0;
+  return vi.fn((cmd: string, args: string[]) => {
+    const step = script[i++];
+    if (!step) throw new Error(`Unexpected spawn call: ${cmd} ${args.join(' ')}`);
+    const expected = step.cmd;
+    const actual = `${cmd} ${args.join(' ')}`;
+    if (expected !== actual) {
+      throw new Error(`Spawn order mismatch: expected "${expected}", got "${actual}"`);
+    }
+    return {
+      stdout: {on: () => {}},
+      stderr: {on: (e: string, cb: any) => { if (e === 'data' && step.stderr) cb(Buffer.from(step.stderr)); }},
+      on: (e: string, cb: any) => { if (e === 'close') setImmediate(() => cb(step.exit)); },
+    };
+  });
+};
+
+const baseDeps = (): {
+  deps: ExecutorDeps;
+  states: UpdateState[];
+  copies: Array<{src: string; dst: string}>;
+  exitedWith: {code: number | null};
+  fromShaUsed: {value: string | null};
+} => {
+  const states: UpdateState[] = [];
+  const copies: Array<{src: string; dst: string}> = [];
+  const exitedWith = {code: null as number | null};
+  const fromShaUsed = {value: null as string | null};
+  return {
+    deps: {
+      repoDir: '/srv/etherpad',
+      backupDir: '/srv/etherpad/var/update-backup',
+      spawnFn: okSpawn([
+        {cmd: 'git fetch --tags origin', exit: 0},
+        {cmd: 'git checkout refs/tags/v2.7.3', exit: 0},
+        {cmd: 'pnpm install --frozen-lockfile', exit: 0},
+        {cmd: 'pnpm run build:ui', exit: 0},
+      ]) as any,
+      readSha: vi.fn(async () => { fromShaUsed.value = 'abc123'; return 'abc123'; }),
+      copyFile: vi.fn(async (src: string, dst: string) => { copies.push({src, dst}); }),
+      saveState: vi.fn(async (s: UpdateState) => { states.push(structuredClone(s)); }),
+      initialState: structuredClone(EMPTY_STATE),
+      targetTag: 'v2.7.3',
+      now: () => new Date('2026-05-08T10:00:00Z'),
+      exit: (code: number) => { exitedWith.code = code; },
+    },
+    states,
+    copies,
+    exitedWith,
+    fromShaUsed,
+  };
+};
+
+describe('executeUpdate', () => {
+  it('happy path: snapshots, runs steps, persists pending-verification, exits 75', async () => {
+    const {deps, states, copies, exitedWith} = baseDeps();
+    const r = await executeUpdate(deps);
+    expect(r).toEqual({outcome: 'pending-verification'});
+    expect(copies).toEqual([
+      {src: '/srv/etherpad/pnpm-lock.yaml', dst: '/srv/etherpad/var/update-backup/pnpm-lock.yaml'},
+    ]);
+    expect(states.at(-1)?.execution.status).toBe('pending-verification');
+    expect((states.at(-1)?.execution as any).fromSha).toBe('abc123');
+    expect(states.at(-1)?.bootCount).toBe(0);
+    expect(exitedWith.code).toBe(75);
+  });
+
+  it('records the executing -> pending-verification transition in saveState calls', async () => {
+    const {deps, states} = baseDeps();
+    await executeUpdate(deps);
+    const statuses = states.map((s) => s.execution.status);
+    expect(statuses[0]).toBe('executing');
+    expect(statuses.at(-1)).toBe('pending-verification');
+  });
+
+  it('install failure flips state to rolling-back without exiting', async () => {
+    const {deps, states, exitedWith} = baseDeps();
+    deps.spawnFn = okSpawn([
+      {cmd: 'git fetch --tags origin', exit: 0},
+      {cmd: 'git checkout refs/tags/v2.7.3', exit: 0},
+      {cmd: 'pnpm install --frozen-lockfile', exit: 1, stderr: 'resolver bork'},
+    ]) as any;
+    const r = await executeUpdate(deps);
+    expect(r.outcome).toBe('failed-install');
+    expect(states.at(-1)?.execution.status).toBe('rolling-back');
+    expect((states.at(-1)?.execution as any).reason).toContain('pnpm install exit 1');
+    expect(exitedWith.code).toBeNull(); // executor must not exit on failure paths
+  });
+
+  it('build failure flips state to rolling-back', async () => {
+    const {deps, states, exitedWith} = baseDeps();
+    deps.spawnFn = okSpawn([
+      {cmd: 'git fetch --tags origin', exit: 0},
+      {cmd: 'git checkout refs/tags/v2.7.3', exit: 0},
+      {cmd: 'pnpm install --frozen-lockfile', exit: 0},
+      {cmd: 'pnpm run build:ui', exit: 2, stderr: 'tsc bork'},
+    ]) as any;
+    const r = await executeUpdate(deps);
+    expect(r.outcome).toBe('failed-build');
+    expect(states.at(-1)?.execution.status).toBe('rolling-back');
+    expect(exitedWith.code).toBeNull();
+  });
+
+  it('checkout failure flips state to rolling-back (no copyFile? actually copies first)', async () => {
+    // copyFile is called before any spawn; checkout is the second spawn so by then the
+    // backup lockfile is in place. This matters: rollback needs the backup to exist.
+    const {deps, copies, states} = baseDeps();
+    deps.spawnFn = okSpawn([
+      {cmd: 'git fetch --tags origin', exit: 0},
+      {cmd: 'git checkout refs/tags/v2.7.3', exit: 1, stderr: 'conflict'},
+    ]) as any;
+    const r = await executeUpdate(deps);
+    expect(r.outcome).toBe('failed-checkout');
+    expect(copies.length).toBe(1); // backup taken before any mutation
+    expect(states.at(-1)?.execution.status).toBe('rolling-back');
+  });
+
+  it('git-fetch failure flips state to rolling-back', async () => {
+    const {deps, states} = baseDeps();
+    deps.spawnFn = okSpawn([
+      {cmd: 'git fetch --tags origin', exit: 128, stderr: 'cannot reach origin'},
+    ]) as any;
+    const r = await executeUpdate(deps);
+    expect(r.outcome).toBe('failed-checkout');
+    expect(states.at(-1)?.execution.status).toBe('rolling-back');
+  });
+
+  it('captures fromSha into the rolling-back state so RollbackHandler can restore it', async () => {
+    const {deps, states} = baseDeps();
+    deps.spawnFn = okSpawn([
+      {cmd: 'git fetch --tags origin', exit: 0},
+      {cmd: 'git checkout refs/tags/v2.7.3', exit: 0},
+      {cmd: 'pnpm install --frozen-lockfile', exit: 1},
+    ]) as any;
+    await executeUpdate(deps);
+    expect((states.at(-1)?.execution as any).fromSha).toBe('abc123');
+  });
+});
diff --git a/src/tests/backend-new/specs/updater/UpdatePolicy.test.ts b/src/tests/backend-new/specs/updater/UpdatePolicy.test.ts
index 6dfd0f95451..3eb74ef01bf 100644
--- a/src/tests/backend-new/specs/updater/UpdatePolicy.test.ts
+++ b/src/tests/backend-new/specs/updater/UpdatePolicy.test.ts
@@ -62,3 +62,34 @@ describe('evaluatePolicy', () => {
     expect(r.reason).toBe('up-to-date');
   });
 });
+
+describe('evaluatePolicy terminal-state gating', () => {
+  it('rollback-failed denies auto/autonomous but keeps manual on', () => {
+    const r = evaluatePolicy({
+      ...baseInput, tier: 'autonomous',
+      executionStatus: 'rollback-failed',
+    });
+    expect(r.canNotify).toBe(true);
+    expect(r.canManual).toBe(true);
+    expect(r.canAuto).toBe(false);
+    expect(r.canAutonomous).toBe(false);
+    expect(r.reason).toBe('rollback-failed-terminal');
+  });
+
+  it('idle execution behaves identically to no-status', () => {
+    const r = evaluatePolicy({...baseInput, tier: 'autonomous', executionStatus: 'idle'});
+    expect(r.canManual).toBe(true);
+    expect(r.canAuto).toBe(true);
+    expect(r.canAutonomous).toBe(true);
+    expect(r.reason).toBe('ok');
+  });
+
+  it('preflight-failed does NOT block manual / auto (it is informational only)', () => {
+    const r = evaluatePolicy({
+      ...baseInput, tier: 'autonomous', executionStatus: 'preflight-failed',
+    });
+    expect(r.canManual).toBe(true);
+    expect(r.canAuto).toBe(true);
+    expect(r.canAutonomous).toBe(true);
+  });
+});
diff --git a/src/tests/backend-new/specs/updater/lock.test.ts b/src/tests/backend-new/specs/updater/lock.test.ts
new file mode 100644
index 00000000000..adf3c61bf99
--- /dev/null
+++ b/src/tests/backend-new/specs/updater/lock.test.ts
@@ -0,0 +1,69 @@
+import {describe, it, expect, beforeEach, afterEach} from 'vitest';
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import os from 'node:os';
+import {acquireLock, releaseLock, isHeld} from '../../../../node/updater/lock';
+
+describe('update lock', () => {
+  let dir: string;
+  let lockPath: string;
+
+  beforeEach(async () => {
+    dir = await fs.mkdtemp(path.join(os.tmpdir(), 'updater-lock-'));
+    lockPath = path.join(dir, 'update.lock');
+  });
+
+  afterEach(async () => {
+    await fs.rm(dir, {recursive: true, force: true});
+  });
+
+  it('acquires and releases', async () => {
+    expect(await acquireLock(lockPath)).toBe(true);
+    expect(await isHeld(lockPath)).toBe(true);
+    await releaseLock(lockPath);
+    expect(await isHeld(lockPath)).toBe(false);
+  });
+
+  it('rejects a second acquire while live', async () => {
+    expect(await acquireLock(lockPath)).toBe(true);
+    expect(await acquireLock(lockPath)).toBe(false);
+    await releaseLock(lockPath);
+  });
+
+  it('reaps a stale lock whose PID is gone', async () => {
+    // Pick a PID that almost certainly does not exist. process.kill(pid, 0) on
+    // a free PID returns ESRCH which the implementation treats as stale.
+    await fs.writeFile(lockPath, JSON.stringify({pid: 2147483646, at: new Date().toISOString()}));
+    expect(await acquireLock(lockPath)).toBe(true);
+    await releaseLock(lockPath);
+  });
+
+  it('treats an unparseable lock file as stale', async () => {
+    await fs.writeFile(lockPath, 'garbage');
+    expect(await acquireLock(lockPath)).toBe(true);
+    await releaseLock(lockPath);
+  });
+
+  it('treats a lock missing required fields as stale', async () => {
+    await fs.writeFile(lockPath, JSON.stringify({somethingElse: true}));
+    expect(await acquireLock(lockPath)).toBe(true);
+    await releaseLock(lockPath);
+  });
+
+  it('release is idempotent (no error when file absent)', async () => {
+    await releaseLock(lockPath); // file never existed
+    expect(await isHeld(lockPath)).toBe(false);
+  });
+
+  it('isHeld returns false for a stale lock', async () => {
+    await fs.writeFile(lockPath, JSON.stringify({pid: 2147483646, at: new Date().toISOString()}));
+    expect(await isHeld(lockPath)).toBe(false);
+  });
+
+  it('creates parent directory if missing', async () => {
+    const nested = path.join(dir, 'a', 'b', 'update.lock');
+    expect(await acquireLock(nested)).toBe(true);
+    expect(await isHeld(nested)).toBe(true);
+    await releaseLock(nested);
+  });
+});
diff --git a/src/tests/backend-new/specs/updater/preflight.test.ts b/src/tests/backend-new/specs/updater/preflight.test.ts
new file mode 100644
index 00000000000..5926c7864bd
--- /dev/null
+++ b/src/tests/backend-new/specs/updater/preflight.test.ts
@@ -0,0 +1,78 @@
+import {describe, it, expect, vi} from 'vitest';
+import {runPreflight, PreflightDeps} from '../../../../node/updater/preflight';
+import type {VerifyResult} from '../../../../node/updater/trustedKeys';
+
+const baseDeps = (): PreflightDeps => ({
+  installMethod: 'git',
+  workingTreeClean: vi.fn(async () => true),
+  freeDiskMB: vi.fn(async () => 5000),
+  pnpmOnPath: vi.fn(async () => true),
+  lockHeld: vi.fn(async () => false),
+  remoteHasTag: vi.fn(async () => true),
+  verifyTag: vi.fn(async (): Promise<VerifyResult> => ({ok: true, reason: 'signature-not-required'})),
+});
+
+const baseInput = {
+  targetTag: 'v2.7.3',
+  diskSpaceMinMB: 500,
+  requireSignature: false,
+  trustedKeysPath: null as string | null,
+};
+
+describe('runPreflight', () => {
+  it('passes when all checks pass', async () => {
+    const r = await runPreflight(baseInput, baseDeps());
+    expect(r).toEqual({ok: true});
+  });
+
+  it('rejects non-writable install methods', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps(), installMethod: 'docker'});
+    expect(r).toEqual({ok: false, reason: 'install-method-not-writable'});
+  });
+
+  it('rejects npm install method too (not yet writable)', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps(), installMethod: 'npm'});
+    expect(r).toEqual({ok: false, reason: 'install-method-not-writable'});
+  });
+
+  it('rejects a dirty working tree', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps(), workingTreeClean: vi.fn(async () => false)});
+    expect(r).toEqual({ok: false, reason: 'dirty-working-tree'});
+  });
+
+  it('rejects insufficient disk space', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps(), freeDiskMB: vi.fn(async () => 100)});
+    expect(r).toEqual({ok: false, reason: 'low-disk-space'});
+  });
+
+  it('rejects when pnpm is missing', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps(), pnpmOnPath: vi.fn(async () => false)});
+    expect(r).toEqual({ok: false, reason: 'pnpm-not-found'});
+  });
+
+  it('rejects when the lock is held', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps(), lockHeld: vi.fn(async () => true)});
+    expect(r).toEqual({ok: false, reason: 'lock-held'});
+  });
+
+  it('rejects when the remote tag is missing', async () => {
+    const r = await runPreflight(baseInput, {...baseDeps(), remoteHasTag: vi.fn(async () => false)});
+    expect(r).toEqual({ok: false, reason: 'remote-tag-missing'});
+  });
+
+  it('rejects when signature verification fails', async () => {
+    const r = await runPreflight(baseInput, {
+      ...baseDeps(),
+      verifyTag: vi.fn(async (): Promise<VerifyResult> => ({ok: false, reason: 'signature-verification-failed'})),
+    });
+    expect(r).toEqual({ok: false, reason: 'signature-verification-failed'});
+  });
+
+  it('cheap-check failures short-circuit before slow checks', async () => {
+    const deps = {...baseDeps(), installMethod: 'docker' as const,
+      remoteHasTag: vi.fn(async () => true)};
+    const r = await runPreflight(baseInput, deps);
+    expect(r.ok).toBe(false);
+    expect(deps.remoteHasTag).not.toHaveBeenCalled();
+  });
+});
diff --git a/src/tests/backend-new/specs/updater/refSafety.test.ts b/src/tests/backend-new/specs/updater/refSafety.test.ts
new file mode 100644
index 00000000000..2f0032ba185
--- /dev/null
+++ b/src/tests/backend-new/specs/updater/refSafety.test.ts
@@ -0,0 +1,63 @@
+import {describe, it, expect} from 'vitest';
+import {isValidTag, assertValidTag, refsTagsForm} from '../../../../node/updater/refSafety';
+
+describe('isValidTag', () => {
+  it('accepts plain semver tags', () => {
+    expect(isValidTag('v2.7.3')).toBe(true);
+    expect(isValidTag('2.7.3')).toBe(true);
+    expect(isValidTag('2.7.3-rc.1')).toBe(true);
+  });
+
+  it('rejects tags starting with -', () => {
+    expect(isValidTag('-rf')).toBe(false);
+    expect(isValidTag('-fast-forward')).toBe(false);
+    expect(isValidTag('-no-verify')).toBe(false);
+  });
+
+  it('rejects tags starting with .', () => {
+    expect(isValidTag('.git')).toBe(false);
+  });
+
+  it('rejects empty / non-string / overlong', () => {
+    expect(isValidTag('')).toBe(false);
+    expect(isValidTag(null)).toBe(false);
+    expect(isValidTag(undefined)).toBe(false);
+    expect(isValidTag(42)).toBe(false);
+    expect(isValidTag('v' + 'a'.repeat(300))).toBe(false);
+  });
+
+  it('rejects whitespace and control characters', () => {
+    expect(isValidTag('v2.7.3 -rf')).toBe(false);
+    expect(isValidTag('v2.7.3\nrm -rf')).toBe(false);
+    expect(isValidTag('v2.7.3\trf')).toBe(false);
+    expect(isValidTag('v2.7.3\x00rf')).toBe(false);
+  });
+
+  it('rejects git ref-format violations', () => {
+    expect(isValidTag('v2.7..3')).toBe(false); // .. forbidden
+    expect(isValidTag('v2~7~3')).toBe(false);  // ~ forbidden
+    expect(isValidTag('v2:7:3')).toBe(false);  // : forbidden
+    expect(isValidTag('v2.7.3?')).toBe(false); // ? forbidden
+    expect(isValidTag('v2.7.3*')).toBe(false); // * forbidden
+    expect(isValidTag('v[7]')).toBe(false);    // [ forbidden
+    expect(isValidTag('v\\7')).toBe(false);    // \ forbidden
+    expect(isValidTag('v^7')).toBe(false);     // ^ forbidden
+  });
+});
+
+describe('assertValidTag', () => {
+  it('returns the tag when valid', () => {
+    expect(assertValidTag('v2.7.3')).toBe('v2.7.3');
+  });
+
+  it('throws on invalid input', () => {
+    expect(() => assertValidTag('-rf')).toThrow(/unsafe release tag/);
+    expect(() => assertValidTag(null)).toThrow(/unsafe release tag/);
+  });
+});
+
+describe('refsTagsForm', () => {
+  it('wraps the tag in refs/tags/<tag>', () => {
+    expect(refsTagsForm('v2.7.3')).toBe('refs/tags/v2.7.3');
+  });
+});
diff --git a/src/tests/backend-new/specs/updater/state.test.ts b/src/tests/backend-new/specs/updater/state.test.ts
index 266e895fc8c..b230319c2aa 100644
--- a/src/tests/backend-new/specs/updater/state.test.ts
+++ b/src/tests/backend-new/specs/updater/state.test.ts
@@ -117,3 +117,168 @@ describe('saveState', () => {
     expect(data.schemaVersion).toBe(1);
   });
 });
+
+describe('Tier 2 state extensions', () => {
+  it('EMPTY_STATE carries an idle execution block, bootCount 0, no lastResult', () => {
+    expect(EMPTY_STATE.execution).toEqual({status: 'idle'});
+    expect(EMPTY_STATE.bootCount).toBe(0);
+    expect(EMPTY_STATE.lastResult).toBeNull();
+  });
+
+  it('loadState backfills missing Tier 2 fields on a Tier 1 file', async () => {
+    // Hand-write a Tier 1 state file (no execution / bootCount / lastResult).
+    await fs.writeFile(statePath(), JSON.stringify({
+      schemaVersion: 1,
+      lastCheckAt: '2026-05-01T00:00:00Z',
+      lastEtag: 'W/"abc"',
+      latest: null,
+      vulnerableBelow: [],
+      email: {severeAt: null, vulnerableAt: null, vulnerableNewReleaseTag: null},
+    }));
+    const state = await loadState(statePath());
+    expect(state.execution).toEqual({status: 'idle'});
+    expect(state.bootCount).toBe(0);
+    expect(state.lastResult).toBeNull();
+    // Tier 1 fields preserved.
+    expect(state.lastCheckAt).toBe('2026-05-01T00:00:00Z');
+    expect(state.lastEtag).toBe('W/"abc"');
+  });
+
+  it('rejects a malformed execution block by resetting to EMPTY_STATE', async () => {
+    await fs.writeFile(statePath(), JSON.stringify({
+      schemaVersion: 1, lastCheckAt: null, lastEtag: null, latest: null,
+      vulnerableBelow: [],
+      email: {severeAt: null, vulnerableAt: null, vulnerableNewReleaseTag: null},
+      execution: 'not-an-object',
+    }));
+    const state = await loadState(statePath());
+    expect(state).toEqual(EMPTY_STATE);
+  });
+
+  it('rejects an unknown execution status by resetting to EMPTY_STATE', async () => {
+    await fs.writeFile(statePath(), JSON.stringify({
+      schemaVersion: 1, lastCheckAt: null, lastEtag: null, latest: null,
+      vulnerableBelow: [],
+      email: {severeAt: null, vulnerableAt: null, vulnerableNewReleaseTag: null},
+      execution: {status: 'totally-bogus'},
+    }));
+    const state = await loadState(statePath());
+    expect(state).toEqual(EMPTY_STATE);
+  });
+
+  it('rejects pending-verification missing fromSha (could break rollback)', async () => {
+    // Regression for Qodo: hand-edited state with a recognised status but
+    // missing required fields would reach RollbackHandler with undefined refs.
+    // Validator must require per-status fields, not just status enum membership.
+    await fs.writeFile(statePath(), JSON.stringify({
+      schemaVersion: 1, lastCheckAt: null, lastEtag: null, latest: null,
+      vulnerableBelow: [],
+      email: {severeAt: null, vulnerableAt: null, vulnerableNewReleaseTag: null},
+      execution: {status: 'pending-verification', targetTag: 'v2.7.3', deadlineAt: '2026-05-08T00:00:00Z'},
+      // fromSha intentionally missing
+    }));
+    const state = await loadState(statePath());
+    expect(state).toEqual(EMPTY_STATE);
+  });
+
+  it('rejects rolling-back missing reason / targetTag', async () => {
+    await fs.writeFile(statePath(), JSON.stringify({
+      schemaVersion: 1, lastCheckAt: null, lastEtag: null, latest: null,
+      vulnerableBelow: [],
+      email: {severeAt: null, vulnerableAt: null, vulnerableNewReleaseTag: null},
+      execution: {status: 'rolling-back', fromSha: 'abc', at: '2026-05-08T00:00:00Z'},
+      // reason and targetTag missing
+    }));
+    const state = await loadState(statePath());
+    expect(state).toEqual(EMPTY_STATE);
+  });
+
+  it('rejects empty-string fields for required keys', async () => {
+    await fs.writeFile(statePath(), JSON.stringify({
+      schemaVersion: 1, lastCheckAt: null, lastEtag: null, latest: null,
+      vulnerableBelow: [],
+      email: {severeAt: null, vulnerableAt: null, vulnerableNewReleaseTag: null},
+      execution: {status: 'executing', targetTag: '', fromSha: 'abc', startedAt: '2026-05-08T00:00:00Z'},
+    }));
+    const state = await loadState(statePath());
+    expect(state).toEqual(EMPTY_STATE);
+  });
+
+  it('accepts a fully-formed pending-verification', async () => {
+    const valid = {
+      schemaVersion: 1, lastCheckAt: null, lastEtag: null, latest: null,
+      vulnerableBelow: [],
+      email: {severeAt: null, vulnerableAt: null, vulnerableNewReleaseTag: null},
+      execution: {
+        status: 'pending-verification',
+        targetTag: 'v2.7.3',
+        fromSha: 'abc123',
+        deadlineAt: '2026-05-08T00:00:00Z',
+      },
+      bootCount: 1,
+      lastResult: null,
+    };
+    await fs.writeFile(statePath(), JSON.stringify(valid));
+    const state = await loadState(statePath());
+    expect(state.execution.status).toBe('pending-verification');
+  });
+
+  it('rejects lastResult with an unrecognised outcome', async () => {
+    await fs.writeFile(statePath(), JSON.stringify({
+      schemaVersion: 1, lastCheckAt: null, lastEtag: null, latest: null,
+      vulnerableBelow: [],
+      email: {severeAt: null, vulnerableAt: null, vulnerableNewReleaseTag: null},
+      execution: {status: 'idle'},
+      lastResult: {
+        targetTag: 'v2.7.3', fromSha: 'abc',
+        outcome: 'totally-made-up',
+        reason: null, at: '2026-05-08T00:00:00Z',
+      },
+    }));
+    const state = await loadState(statePath());
+    expect(state).toEqual(EMPTY_STATE);
+  });
+
+  it('rejects a non-numeric bootCount by resetting to EMPTY_STATE', async () => {
+    await fs.writeFile(statePath(), JSON.stringify({
+      schemaVersion: 1, lastCheckAt: null, lastEtag: null, latest: null,
+      vulnerableBelow: [],
+      email: {severeAt: null, vulnerableAt: null, vulnerableNewReleaseTag: null},
+      execution: {status: 'idle'},
+      bootCount: 'one',
+    }));
+    const state = await loadState(statePath());
+    expect(state).toEqual(EMPTY_STATE);
+  });
+
+  it('round-trips a pending-verification execution', async () => {
+    const s = {
+      ...EMPTY_STATE,
+      execution: {
+        status: 'pending-verification' as const,
+        targetTag: 'v2.7.3',
+        fromSha: 'abc123',
+        deadlineAt: '2026-05-08T10:00:00Z',
+      },
+      bootCount: 1,
+    };
+    await saveState(statePath(), s);
+    const loaded = await loadState(statePath());
+    expect(loaded.execution.status).toBe('pending-verification');
+    expect(loaded.bootCount).toBe(1);
+  });
+
+  it('round-trips a non-null lastResult', async () => {
+    const s = {
+      ...EMPTY_STATE,
+      lastResult: {
+        targetTag: 'v2.7.3', fromSha: 'abc',
+        outcome: 'verified' as const, reason: null,
+        at: '2026-05-08T10:00:00Z',
+      },
+    };
+    await saveState(statePath(), s);
+    const loaded = await loadState(statePath());
+    expect(loaded.lastResult?.outcome).toBe('verified');
+  });
+});
diff --git a/src/tests/backend-new/specs/updater/trustedKeys.test.ts b/src/tests/backend-new/specs/updater/trustedKeys.test.ts
new file mode 100644
index 00000000000..fc92e24af7d
--- /dev/null
+++ b/src/tests/backend-new/specs/updater/trustedKeys.test.ts
@@ -0,0 +1,98 @@
+import {describe, it, expect, vi} from 'vitest';
+import {verifyReleaseTag} from '../../../../node/updater/trustedKeys';
+
+const fakeChild = (exitCode: number) => ({
+  on: (e: string, cb: any) => { if (e === 'close') setImmediate(() => cb(exitCode)); },
+});
+
+describe('verifyReleaseTag', () => {
+  it('returns ok with reason "signature-not-required" when requireSignature is false (no spawn)', async () => {
+    const spawnFn = vi.fn();
+    const r = await verifyReleaseTag({
+      tag: 'v2.7.3',
+      repoDir: '/tmp/x',
+      requireSignature: false,
+      trustedKeysPath: null,
+      spawnFn: spawnFn as any,
+    });
+    expect(r).toEqual({ok: true, reason: 'signature-not-required'});
+    expect(spawnFn).not.toHaveBeenCalled();
+  });
+
+  it('returns ok on git verify-tag exit 0', async () => {
+    const spawnFn = vi.fn(() => fakeChild(0));
+    const r = await verifyReleaseTag({
+      tag: 'v2.7.3',
+      repoDir: '/tmp/x',
+      requireSignature: true,
+      trustedKeysPath: null,
+      spawnFn: spawnFn as any,
+    });
+    expect(r).toEqual({ok: true, reason: 'signature-verified'});
+    expect(spawnFn).toHaveBeenCalledWith(
+      'git',
+      // -- terminates options so a future tag-validation regression can't
+      // smuggle a flag past git verify-tag.
+      ['verify-tag', '--', 'v2.7.3'],
+      expect.objectContaining({cwd: '/tmp/x'}),
+    );
+  });
+
+  it('returns failure on non-zero exit', async () => {
+    const spawnFn = vi.fn(() => fakeChild(1));
+    const r = await verifyReleaseTag({
+      tag: 'v2.7.3',
+      repoDir: '/tmp/x',
+      requireSignature: true,
+      trustedKeysPath: null,
+      spawnFn: spawnFn as any,
+    });
+    expect(r).toEqual({ok: false, reason: 'signature-verification-failed'});
+  });
+
+  it('passes GNUPGHOME when trustedKeysPath is set', async () => {
+    const calls: any[] = [];
+    const spawnFn = vi.fn((cmd: string, args: string[], opts: any) => {
+      calls.push({cmd, args, env: opts.env});
+      return fakeChild(0);
+    });
+    await verifyReleaseTag({
+      tag: 'v2.7.3',
+      repoDir: '/tmp/x',
+      requireSignature: true,
+      trustedKeysPath: '/srv/etherpad/keys',
+      spawnFn: spawnFn as any,
+    });
+    expect(calls[0].env.GNUPGHOME).toBe('/srv/etherpad/keys');
+  });
+
+  it('refuses unsafe tags (option-injection guard) before spawning git', async () => {
+    const spawnFn = vi.fn();
+    const r = await verifyReleaseTag({
+      tag: '-no-verify',
+      repoDir: '/tmp/x',
+      requireSignature: true,
+      trustedKeysPath: null,
+      spawnFn: spawnFn as any,
+    });
+    expect(r).toEqual({ok: false, reason: 'signature-verification-failed'});
+    expect(spawnFn).not.toHaveBeenCalled();
+  });
+
+  it('does not set GNUPGHOME when trustedKeysPath is null', async () => {
+    const calls: any[] = [];
+    const spawnFn = vi.fn((cmd: string, args: string[], opts: any) => {
+      calls.push({cmd, args, env: opts.env});
+      return fakeChild(0);
+    });
+    delete process.env.GNUPGHOME;
+    await verifyReleaseTag({
+      tag: 'v2.7.3',
+      repoDir: '/tmp/x',
+      requireSignature: true,
+      trustedKeysPath: null,
+      spawnFn: spawnFn as any,
+    });
+    expect(calls[0].env.GNUPGHOME).toBeUndefined();
+  });
+});
diff --git a/src/tests/backend-new/specs/updater/updateLog.test.ts b/src/tests/backend-new/specs/updater/updateLog.test.ts
new file mode 100644
index 00000000000..ccb17a537ab
--- /dev/null
+++ b/src/tests/backend-new/specs/updater/updateLog.test.ts
@@ -0,0 +1,112 @@
+import {describe, it, expect, beforeEach, afterEach} from 'vitest';
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import os from 'node:os';
+import {tailLines} from '../../../../node/updater/updateLog';
+
+describe('tailLines', () => {
+  let dir: string;
+  let logPath: string;
+
+  beforeEach(async () => {
+    dir = await fs.mkdtemp(path.join(os.tmpdir(), 'updater-log-'));
+    logPath = path.join(dir, 'update.log');
+  });
+
+  afterEach(async () => {
+    await fs.rm(dir, {recursive: true, force: true});
+  });
+
+  it('returns [] when file is missing', async () => {
+    expect(await tailLines(logPath, 10)).toEqual([]);
+  });
+
+  it('returns [] for an empty file', async () => {
+    await fs.writeFile(logPath, '');
+    expect(await tailLines(logPath, 10)).toEqual([]);
+  });
+
+  it('returns up to N lines when file is shorter', async () => {
+    await fs.writeFile(logPath, 'a\nb\nc\n');
+    expect(await tailLines(logPath, 10)).toEqual(['a', 'b', 'c']);
+  });
+
+  it('returns the last N when file is longer', async () => {
+    const lines = Array.from({length: 500}, (_, i) => `line-${i}`);
+    await fs.writeFile(logPath, lines.join('\n') + '\n');
+    expect(await tailLines(logPath, 5)).toEqual([
+      'line-495', 'line-496', 'line-497', 'line-498', 'line-499',
+    ]);
+  });
+
+  it('handles a final-line-without-newline', async () => {
+    await fs.writeFile(logPath, 'a\nb\nc');
+    expect(await tailLines(logPath, 10)).toEqual(['a', 'b', 'c']);
+  });
+
+  it('handles n=0', async () => {
+    await fs.writeFile(logPath, 'a\nb\nc\n');
+    expect(await tailLines(logPath, 0)).toEqual([]);
+  });
+});
+
+describe('appendLine + rotation', () => {
+  let dir: string;
+  let logPath: string;
+
+  beforeEach(async () => {
+    dir = await fs.mkdtemp(path.join(os.tmpdir(), 'updater-log-'));
+    logPath = path.join(dir, 'update.log');
+  });
+  afterEach(async () => { await fs.rm(dir, {recursive: true, force: true}); });
+
+  it('appendLine creates parent dir and writes a newline-terminated line', async () => {
+    const {appendLine} = await import('../../../../node/updater/updateLog');
+    const nested = path.join(dir, 'a', 'b', 'update.log');
+    await appendLine(nested, 'hello world');
+    expect(await fs.readFile(nested, 'utf8')).toBe('hello world\n');
+  });
+
+  it('appendLine swallows errors so the caller never breaks on a read-only fs', async () => {
+    const {appendLine} = await import('../../../../node/updater/updateLog');
+    // Make the would-be parent dir a regular file — fs.mkdir then fails with ENOTDIR
+    // (or EEXIST depending on platform), which the helper must swallow.
+    const collide = path.join(dir, 'not-a-dir');
+    await fs.writeFile(collide, 'oops');
+    const target = path.join(collide, 'inner', 'update.log');
+    await appendLine(target, 'x'); // must NOT throw
+  });
+
+  it('rotateIfNeeded shifts .1 -> .2, current -> .1 once over the size threshold', async () => {
+    const {rotateIfNeeded} = await import('../../../../node/updater/updateLog');
+    // Force rotation by passing a tiny limit; write a line above the limit.
+    await fs.writeFile(logPath, 'a'.repeat(50));
+    await rotateIfNeeded(logPath, 10, 3);
+    expect(await fs.readFile(`${logPath}.1`, 'utf8')).toBe('a'.repeat(50));
+    // Original file is gone (or empty after rotation).
+    let exists = true;
+    try { await fs.access(logPath); } catch { exists = false; }
+    expect(exists).toBe(false);
+  });
+
+  it('rotateIfNeeded preserves up to BACKUPS-1 older backups', async () => {
+    const {rotateIfNeeded} = await import('../../../../node/updater/updateLog');
+    await fs.writeFile(logPath, 'newest'.repeat(20));
+    await fs.writeFile(`${logPath}.1`, 'older-1');
+    await fs.writeFile(`${logPath}.2`, 'older-2');
+    await rotateIfNeeded(logPath, 10, 3);
+    expect(await fs.readFile(`${logPath}.1`, 'utf8')).toBe('newest'.repeat(20));
+    expect(await fs.readFile(`${logPath}.2`, 'utf8')).toBe('older-1');
+    expect(await fs.readFile(`${logPath}.3`, 'utf8')).toBe('older-2');
+  });
+
+  it('rotateIfNeeded is a no-op when under the limit', async () => {
+    const {rotateIfNeeded} = await import('../../../../node/updater/updateLog');
+    await fs.writeFile(logPath, 'small');
+    await rotateIfNeeded(logPath, 10 * 1024 * 1024, 3);
+    expect(await fs.readFile(logPath, 'utf8')).toBe('small');
+    let backupExists = true;
+    try { await fs.access(`${logPath}.1`); } catch { backupExists = false; }
+    expect(backupExists).toBe(false);
+  });
+});
diff --git a/src/tests/backend/specs/updateActions.ts b/src/tests/backend/specs/updateActions.ts
new file mode 100644
index 00000000000..6e06577cb7b
--- /dev/null
+++ b/src/tests/backend/specs/updateActions.ts
@@ -0,0 +1,196 @@
+'use strict';
+
+const assert = require('assert').strict;
+const common = require('../common');
+const plugins = require('../../../static/js/pluginfw/plugin_defs');
+import settings from '../../../node/utils/Settings';
+import {saveState} from '../../../node/updater/state';
+import {EMPTY_STATE} from '../../../node/updater/types';
+import path from 'node:path';
+
+const statePath = () => path.join(settings.root, 'var', 'update-state.json');
+const lockPath = () => path.join(settings.root, 'var', 'update.lock');
+
+const authHookNames = ['preAuthorize', 'authenticate', 'authorize'];
+const failHookNames = ['preAuthzFailure', 'authnFailure', 'authzFailure', 'authFailure'];
+
+const installAdminAuth = () => {
+  for (const h of authHookNames.concat(failHookNames)) plugins.hooks[h] = [];
+  plugins.hooks.authenticate = [{
+    hook_fn: (_n: string, ctx: any, cb: Function) => {
+      ctx.req.session.user = {is_admin: true};
+      cb([true]);
+    },
+  }];
+  (settings as any).requireAuthentication = true;
+  (settings as any).requireAuthorization = false;
+  (settings as any).users = {admin: {password: 'admin-pw', is_admin: true}};
+};
+
+describe(__filename, function () {
+  let agent: any;
+  const backups: Record<string, any> = {};
+  // Bump tier to 'manual' so the action endpoints are mounted by the hook.
+  // (At default tier 'notify' they 404 — that's the gate Qodo #1 introduced.)
+  const originalTier = settings.updates.tier;
+
+  before(async () => {
+    settings.updates.tier = 'manual';
+    agent = await common.init();
+  });
+
+  after(() => {
+    settings.updates.tier = originalTier;
+  });
+
+  beforeEach(async () => {
+    backups.hooks = {};
+    for (const n of authHookNames.concat(failHookNames)) backups.hooks[n] = plugins.hooks[n];
+    backups.settings = {};
+    for (const k of ['requireAuthentication', 'requireAuthorization', 'users']) {
+      backups.settings[k] = (settings as any)[k];
+    }
+    // Seed a known "update available" state so apply has a target tag.
+    await saveState(statePath(), {
+      ...EMPTY_STATE,
+      latest: {
+        version: '99.0.0', tag: 'v99.0.0', body: 'release notes',
+        publishedAt: '2099-01-01T00:00:00Z', prerelease: false,
+        htmlUrl: 'https://example/r/v99.0.0',
+      },
+    });
+    // Ensure no stale lock from an earlier test.
+    try { require('node:fs').unlinkSync(lockPath()); } catch {/* noop */}
+  });
+
+  afterEach(() => {
+    Object.assign(plugins.hooks, backups.hooks);
+    Object.assign(settings, backups.settings);
+  });
+
+  describe('POST /admin/update/apply', function () {
+    it('rejects unauthenticated', async () => {
+      await agent.post('/admin/update/apply').expect(401);
+    });
+
+    it('returns 409 with no-known-latest when state has no latest release', async () => {
+      installAdminAuth();
+      // Replace seeded "update available" with empty state.
+      await saveState(statePath(), {...EMPTY_STATE});
+      const r = await agent.post('/admin/update/apply')
+        .auth('admin', 'admin-pw')
+        .expect(409);
+      assert.equal(r.body.error, 'no-known-latest');
+    });
+
+    it('returns 404 when tier is "notify" (action endpoints disabled)', async () => {
+      // Regression for the Tier 2 gate (Qodo #1): disabled tiers must 404 to
+      // match prior PR-1 behaviour, not 401/403/409.
+      const orig = settings.updates.tier;
+      settings.updates.tier = 'notify';
+      try {
+        await agent.post('/admin/update/apply').expect(404);
+        await agent.post('/admin/update/cancel').expect(404);
+        await agent.post('/admin/update/acknowledge').expect(404);
+        await agent.get('/admin/update/log').expect(404);
+      } finally { settings.updates.tier = orig; }
+    });
+
+    it('rejects when execution is already in flight (409)', async () => {
+      installAdminAuth();
+      await saveState(statePath(), {
+        ...EMPTY_STATE,
+        latest: {
+          version: '99.0.0', tag: 'v99.0.0', body: '', publishedAt: '',
+          prerelease: false, htmlUrl: '',
+        },
+        execution: {
+          status: 'executing', targetTag: 'v99.0.0', fromSha: 'x',
+          startedAt: '2026-05-08T00:00:00Z',
+        },
+      });
+      const r = await agent.post('/admin/update/apply')
+        .auth('admin', 'admin-pw')
+        .expect(409);
+      assert.match(r.body.error, /execution-busy/);
+    });
+  });
+
+  describe('POST /admin/update/cancel', function () {
+    it('rejects unauthenticated', async () => {
+      await agent.post('/admin/update/cancel').expect(401);
+    });
+
+    it('returns 409 when nothing is in flight', async () => {
+      installAdminAuth();
+      await agent.post('/admin/update/cancel').auth('admin', 'admin-pw').expect(409);
+    });
+  });
+
+  describe('POST /admin/update/acknowledge', function () {
+    it('rejects unauthenticated', async () => {
+      await agent.post('/admin/update/acknowledge').expect(401);
+    });
+
+    it('clears a terminal rollback-failed state to idle', async () => {
+      installAdminAuth();
+      await saveState(statePath(), {
+        ...EMPTY_STATE,
+        execution: {
+          status: 'rollback-failed',
+          reason: 'install-failed; rollback failed: pnpm exit 1',
+          targetTag: 'v99.0.0', fromSha: 'x',
+          at: '2026-05-08T00:00:00Z',
+        },
+        lastResult: {
+          targetTag: 'v99.0.0', fromSha: 'x',
+          outcome: 'rollback-failed',
+          reason: 'pnpm install failed',
+          at: '2026-05-08T00:00:00Z',
+        },
+      });
+      await agent.post('/admin/update/acknowledge')
+        .auth('admin', 'admin-pw').expect(200);
+      const status = await agent.get('/admin/update/status').expect(200);
+      assert.equal(status.body.execution.status, 'idle');
+      // lastResult is preserved on acknowledge so the admin still sees what happened.
+      assert.equal(status.body.lastResult.outcome, 'rollback-failed');
+    });
+
+    it('clears a preflight-failed state to idle', async () => {
+      installAdminAuth();
+      await saveState(statePath(), {
+        ...EMPTY_STATE,
+        execution: {
+          status: 'preflight-failed',
+          targetTag: 'v99.0.0',
+          reason: 'low-disk-space',
+          at: '2026-05-08T00:00:00Z',
+        },
+      });
+      await agent.post('/admin/update/acknowledge')
+        .auth('admin', 'admin-pw').expect(200);
+    });
+
+    it('refuses to clear a non-terminal state (409)', async () => {
+      installAdminAuth();
+      await saveState(statePath(), {...EMPTY_STATE});
+      await agent.post('/admin/update/acknowledge')
+        .auth('admin', 'admin-pw').expect(409);
+    });
+  });
+
+  describe('GET /admin/update/log', function () {
+    it('rejects unauthenticated', async () => {
+      await agent.get('/admin/update/log').expect(401);
+    });
+
+    it('returns a text body (possibly empty) for an admin', async () => {
+      installAdminAuth();
+      const res = await agent.get('/admin/update/log')
+        .auth('admin', 'admin-pw').expect(200);
+      assert.equal(typeof res.text, 'string');
+      assert.match(res.headers['content-type'], /text\/plain/);
+    });
+  });
+});
diff --git a/src/tests/backend/specs/updateStatus.ts b/src/tests/backend/specs/updateStatus.ts
index 942f5a255c6..e8fb02fa03e 100644
--- a/src/tests/backend/specs/updateStatus.ts
+++ b/src/tests/backend/specs/updateStatus.ts
@@ -88,6 +88,40 @@ describe(__filename, function () {
       assert.ok(Array.isArray(res.body.vulnerableBelow));
     });
 
+    it('redacts execution.reason / lastResult.reason for unauth callers', async function () {
+      // Seed state with diagnostic strings that would leak environment details.
+      await saveState(statePath(), {
+        ...EMPTY_STATE,
+        execution: {
+          status: 'rollback-failed',
+          reason: 'pnpm install exit 1: ENOSPC at /srv/etherpad/v2.7.3',
+          targetTag: 'v2.7.3',
+          fromSha: 'abc123def456',
+          at: '2026-05-08T00:00:00Z',
+        },
+        lastResult: {
+          targetTag: 'v2.7.3',
+          fromSha: 'abc123def456',
+          outcome: 'rollback-failed',
+          reason: 'pnpm install failed: ENOSPC at /srv/etherpad/v2.7.3',
+          at: '2026-05-08T00:00:00Z',
+        },
+      });
+      const res = await agent.get('/admin/update/status').expect(200);
+      // Status enum + outcome enum are kept (UI needs them).
+      assert.equal(res.body.execution.status, 'rollback-failed');
+      assert.equal(res.body.lastResult.outcome, 'rollback-failed');
+      // Diagnostic fields are stripped for unauth callers.
+      assert.equal(res.body.execution.reason, undefined);
+      assert.equal(res.body.execution.fromSha, undefined);
+      assert.equal(res.body.execution.targetTag, undefined);
+      assert.equal(res.body.lastResult.reason, undefined);
+      assert.equal(res.body.lastResult.fromSha, undefined);
+      assert.equal(res.body.lastResult.targetTag, undefined);
+      // Non-sensitive fields preserved on lastResult.
+      assert.equal(res.body.lastResult.at, '2026-05-08T00:00:00Z');
+    });
+
     describe('when updates.requireAdminForStatus = true', function () {
       const restore: Record<string, any> = {};
       beforeEach(function () {
@@ -140,5 +174,43 @@ describe(__filename, function () {
           .expect(200);
       });
     });
+
+    describe('admin auth (without requireAdminForStatus)', function () {
+      // requireAdminForStatus=false (default) keeps the endpoint open for the
+      // pad-side / banner usage, but admin callers should still see full
+      // diagnostic detail (execution.reason, fromSha, etc.).
+      it('returns full diagnostic payload to authed admin sessions', async function () {
+        for (const hookName of authHookNames.concat(failHookNames)) plugins.hooks[hookName] = [];
+        plugins.hooks.authenticate = [{
+          hook_fn: (_hookName: string, ctx: any, cb: Function) => {
+            ctx.req.session.user = {is_admin: true};
+            cb([true]);
+          },
+        }];
+        (settings as any).requireAuthentication = true;
+        (settings as any).requireAuthorization = false;
+        (settings as any).users = {admin: {password: 'admin-password', is_admin: true}};
+        await saveState(statePath(), {
+          ...EMPTY_STATE,
+          execution: {
+            status: 'rollback-failed',
+            reason: 'pnpm install exit 1',
+            targetTag: 'v2.7.3', fromSha: 'abc',
+            at: '2026-05-08T00:00:00Z',
+          },
+          lastResult: {
+            targetTag: 'v2.7.3', fromSha: 'abc',
+            outcome: 'rollback-failed', reason: 'pnpm install failed',
+            at: '2026-05-08T00:00:00Z',
+          },
+        });
+        const res = await agent.get('/admin/update/status')
+          .auth('admin', 'admin-password').expect(200);
+        // Admin sees the full diagnostic detail (it's their own server).
+        assert.equal(res.body.execution.reason, 'pnpm install exit 1');
+        assert.equal(res.body.execution.fromSha, 'abc');
+        assert.equal(res.body.lastResult.reason, 'pnpm install failed');
+      });
+    });
   });
 });
diff --git a/src/tests/backend/specs/updater-integration.ts b/src/tests/backend/specs/updater-integration.ts
new file mode 100644
index 00000000000..e04a551c258
--- /dev/null
+++ b/src/tests/backend/specs/updater-integration.ts
@@ -0,0 +1,265 @@
+'use strict';
+
+const assert = require('assert').strict;
+import {execSync, spawn} from 'node:child_process';
+import fs from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import {executeUpdate} from '../../../node/updater/UpdateExecutor';
+import {performRollback, checkPendingVerification} from '../../../node/updater/RollbackHandler';
+import {EMPTY_STATE, UpdateState} from '../../../node/updater/types';
+
+const sh = (cmd: string, opts: any = {}) =>
+  execSync(cmd, {stdio: 'pipe', ...opts}).toString().trim();
+
+const buildTmpRepo = async (): Promise<{dir: string; v1Sha: string; v2Sha: string}> => {
+  const dir = await fs.mkdtemp(path.join(os.tmpdir(), 'updater-it-'));
+  sh('git init -b main', {cwd: dir});
+  sh('git config user.email test@example.com', {cwd: dir});
+  sh('git config user.name test', {cwd: dir});
+  sh('git config commit.gpgsign false', {cwd: dir});
+  sh('git config tag.gpgSign false', {cwd: dir});
+  await fs.writeFile(path.join(dir, 'pnpm-lock.yaml'), 'lockfileVersion: x\n');
+  sh('git add . && git commit -m initial', {cwd: dir});
+  sh('git tag v0.0.1', {cwd: dir});
+  const v1Sha = sh('git rev-parse HEAD', {cwd: dir});
+  await fs.writeFile(path.join(dir, 'pnpm-lock.yaml'), 'lockfileVersion: y\n');
+  sh('git add . && git commit -m bump', {cwd: dir});
+  sh('git tag v0.0.2', {cwd: dir});
+  const v2Sha = sh('git rev-parse HEAD', {cwd: dir});
+  // Reset to v1 — that's our "currently installed" version.
+  sh('git checkout v0.0.1', {cwd: dir});
+  // Add a self-pointing origin so executor's git fetch works.
+  sh(`git remote add origin ${dir}`, {cwd: dir});
+  // Pre-prime origin's tag list (git fetch from a local origin sees both).
+  return {dir, v1Sha, v2Sha};
+};
+
+/**
+ * Spawn override: route every git ... call to the real binary, but stub pnpm
+ * to a controlled exit code. Lets tests assert "git fetch + checkout actually
+ * mutated the repo" without ever invoking pnpm install for real.
+ */
+const stubSpawn = (pnpmExits: Record<string, number>) =>
+  (cmd: string, args: string[], opts: any) => {
+    if (cmd === 'pnpm') {
+      const key = `pnpm ${args.join(' ')}`;
+      const exit = pnpmExits[key];
+      if (exit === undefined) {
+        throw new Error(`Unexpected pnpm call in integration stub: ${key}`);
+      }
+      return {
+        stdout: {on: () => {}},
+        stderr: {on: () => {}},
+        on: (e: string, cb: any) => { if (e === 'close') setImmediate(() => cb(exit)); },
+      };
+    }
+    return spawn(cmd, args, opts);
+  };
+
+describe(__filename, function () {
+  this.timeout(30_000);
+
+  it('happy path: executes against tmp repo, lands on pending-verification, exits 75', async () => {
+    const {dir, v1Sha} = await buildTmpRepo();
+    try {
+      const states: UpdateState[] = [];
+      let exitedWith: number | null = null;
+      const r = await executeUpdate({
+        repoDir: dir,
+        backupDir: path.join(dir, 'var', 'update-backup'),
+        spawnFn: stubSpawn({
+          'pnpm install --frozen-lockfile': 0,
+          'pnpm run build:ui': 0,
+        }) as any,
+        readSha: async () => sh('git rev-parse HEAD', {cwd: dir}),
+        copyFile: async (s, d) => {
+          await fs.mkdir(path.dirname(d), {recursive: true});
+          await fs.copyFile(s, d);
+        },
+        saveState: async (s) => { states.push(structuredClone(s)); },
+        initialState: structuredClone(EMPTY_STATE),
+        targetTag: 'v0.0.2',
+        now: () => new Date(),
+        exit: (code) => { exitedWith = code; },
+      });
+      assert.equal(r.outcome, 'pending-verification');
+      assert.equal(exitedWith, 75);
+      assert.equal(states.at(-1)!.execution.status, 'pending-verification');
+      // Working tree is now on v0.0.2.
+      assert.equal(sh('git rev-parse HEAD', {cwd: dir}), sh('git rev-parse v0.0.2', {cwd: dir}));
+      // Backup has the v0.0.1-era lockfile.
+      const backup = await fs.readFile(path.join(dir, 'var', 'update-backup', 'pnpm-lock.yaml'), 'utf8');
+      assert.match(backup, /lockfileVersion: x/);
+      // The fromSha recorded in state matches the v0.0.1 SHA.
+      assert.equal((states.at(-1)!.execution as {fromSha: string}).fromSha, v1Sha);
+    } finally {
+      await fs.rm(dir, {recursive: true, force: true});
+    }
+  });
+
+  it('install failure rolls back to original SHA + lockfile', async () => {
+    const {dir, v1Sha} = await buildTmpRepo();
+    try {
+      const states: UpdateState[] = [];
+      let exitedWith: number | null = null;
+
+      // Phase 1: executor with failing install.
+      await executeUpdate({
+        repoDir: dir,
+        backupDir: path.join(dir, 'var', 'update-backup'),
+        spawnFn: stubSpawn({'pnpm install --frozen-lockfile': 1}) as any,
+        readSha: async () => sh('git rev-parse HEAD', {cwd: dir}),
+        copyFile: async (s, d) => {
+          await fs.mkdir(path.dirname(d), {recursive: true});
+          await fs.copyFile(s, d);
+        },
+        saveState: async (s) => { states.push(structuredClone(s)); },
+        initialState: structuredClone(EMPTY_STATE),
+        targetTag: 'v0.0.2',
+        now: () => new Date(),
+        exit: (c) => { exitedWith = c; },
+      });
+      assert.equal(states.at(-1)!.execution.status, 'rolling-back');
+
+      // Phase 2: rollback.
+      await performRollback(states.at(-1)!, {
+        repoDir: dir,
+        backupDir: path.join(dir, 'var', 'update-backup'),
+        spawnFn: stubSpawn({'pnpm install --frozen-lockfile': 0}) as any,
+        copyFile: (s, d) => fs.copyFile(s, d),
+        saveState: async (s) => { states.push(structuredClone(s)); },
+        exit: (c) => { exitedWith = c; },
+        now: () => new Date(),
+        rollbackHealthCheckSeconds: 60,
+      });
+      assert.equal(states.at(-1)!.execution.status, 'rolled-back');
+      assert.equal(sh('git rev-parse HEAD', {cwd: dir}), v1Sha);
+      assert.equal(exitedWith, 75);
+      // Working tree's pnpm-lock.yaml was restored from backup.
+      const lock = await fs.readFile(path.join(dir, 'pnpm-lock.yaml'), 'utf8');
+      assert.match(lock, /lockfileVersion: x/);
+    } finally {
+      await fs.rm(dir, {recursive: true, force: true});
+    }
+  });
+
+  it('build failure rolls back to original SHA', async () => {
+    const {dir, v1Sha} = await buildTmpRepo();
+    try {
+      const states: UpdateState[] = [];
+
+      await executeUpdate({
+        repoDir: dir,
+        backupDir: path.join(dir, 'var', 'update-backup'),
+        spawnFn: stubSpawn({
+          'pnpm install --frozen-lockfile': 0,
+          'pnpm run build:ui': 1,
+        }) as any,
+        readSha: async () => sh('git rev-parse HEAD', {cwd: dir}),
+        copyFile: async (s, d) => {
+          await fs.mkdir(path.dirname(d), {recursive: true});
+          await fs.copyFile(s, d);
+        },
+        saveState: async (s) => { states.push(structuredClone(s)); },
+        initialState: structuredClone(EMPTY_STATE),
+        targetTag: 'v0.0.2',
+        now: () => new Date(),
+        exit: () => {},
+      });
+      assert.equal(states.at(-1)!.execution.status, 'rolling-back');
+
+      await performRollback(states.at(-1)!, {
+        repoDir: dir,
+        backupDir: path.join(dir, 'var', 'update-backup'),
+        spawnFn: stubSpawn({'pnpm install --frozen-lockfile': 0}) as any,
+        copyFile: (s, d) => fs.copyFile(s, d),
+        saveState: async (s) => { states.push(structuredClone(s)); },
+        exit: () => {},
+        now: () => new Date(),
+        rollbackHealthCheckSeconds: 60,
+      });
+      assert.equal(states.at(-1)!.execution.status, 'rolled-back');
+      assert.equal(sh('git rev-parse HEAD', {cwd: dir}), v1Sha);
+    } finally {
+      await fs.rm(dir, {recursive: true, force: true});
+    }
+  });
+
+  it('crash-loop guard: bootCount=3 forces immediate rollback', async () => {
+    const {dir, v1Sha} = await buildTmpRepo();
+    try {
+      // Simulate "post-update boot": working tree on v0.0.2, backup lockfile from v0.0.1
+      // already in place, state is pending-verification with bootCount=3.
+      sh('git checkout v0.0.2', {cwd: dir});
+      await fs.mkdir(path.join(dir, 'var', 'update-backup'), {recursive: true});
+      // Backup the v0.0.1 lockfile content (we know v0.0.1's lockfile was 'x' from buildTmpRepo).
+      await fs.writeFile(path.join(dir, 'var', 'update-backup', 'pnpm-lock.yaml'), 'lockfileVersion: x\n');
+
+      const states: UpdateState[] = [];
+      let exitedWith: number | null = null;
+      const state: UpdateState = {
+        ...structuredClone(EMPTY_STATE),
+        execution: {
+          status: 'pending-verification',
+          targetTag: 'v0.0.2',
+          fromSha: v1Sha,
+          deadlineAt: '2026-05-08T10:00:00Z',
+        },
+        bootCount: 3,
+      };
+      const r = checkPendingVerification(state, {
+        repoDir: dir,
+        backupDir: path.join(dir, 'var', 'update-backup'),
+        spawnFn: stubSpawn({'pnpm install --frozen-lockfile': 0}) as any,
+        copyFile: (s, d) => fs.copyFile(s, d),
+        saveState: async (s) => { states.push(structuredClone(s)); },
+        exit: (c) => { exitedWith = c; },
+        now: () => new Date(),
+        rollbackHealthCheckSeconds: 60,
+      });
+      assert.equal(r.armed, false);
+      // Wait for the fire-and-forget rollback to finish.
+      await new Promise((resolve) => setTimeout(resolve, 250));
+      assert.equal(states.at(-1)!.execution.status, 'rolled-back');
+      assert.equal(sh('git rev-parse HEAD', {cwd: dir}), v1Sha);
+      assert.equal(exitedWith, 75);
+    } finally {
+      await fs.rm(dir, {recursive: true, force: true});
+    }
+  });
+
+  it('rollback failure (target SHA does not exist) lands on terminal rollback-failed', async () => {
+    const {dir} = await buildTmpRepo();
+    try {
+      const states: UpdateState[] = [];
+      let exitedWith: number | null = null;
+      const state: UpdateState = {
+        ...structuredClone(EMPTY_STATE),
+        execution: {
+          status: 'rolling-back',
+          reason: 'install-failed',
+          targetTag: 'v0.0.2',
+          // 40 hex chars but no such commit — git checkout -f will reject.
+          fromSha: '0000000000000000000000000000000000000000',
+          at: '2026-05-08T10:00:00Z',
+        },
+      };
+      await performRollback(state, {
+        repoDir: dir,
+        backupDir: path.join(dir, 'var', 'update-backup'),
+        spawnFn: stubSpawn({'pnpm install --frozen-lockfile': 0}) as any,
+        copyFile: (s, d) => fs.copyFile(s, d),
+        saveState: async (s) => { states.push(structuredClone(s)); },
+        exit: (c) => { exitedWith = c; },
+        now: () => new Date(),
+        rollbackHealthCheckSeconds: 60,
+      });
+      assert.equal(states.at(-1)!.execution.status, 'rollback-failed');
+      assert.equal(states.at(-1)!.lastResult!.outcome, 'rollback-failed');
+      assert.equal(exitedWith, 75);
+    } finally {
+      await fs.rm(dir, {recursive: true, force: true});
+    }
+  });
+});
diff --git a/src/tests/frontend-new/admin-spec/update-page-actions.spec.ts b/src/tests/frontend-new/admin-spec/update-page-actions.spec.ts
new file mode 100644
index 00000000000..bdca6df7e45
--- /dev/null
+++ b/src/tests/frontend-new/admin-spec/update-page-actions.spec.ts
@@ -0,0 +1,111 @@
+import {expect, test} from '@playwright/test';
+import {loginToAdmin} from '../helper/adminhelper';
+
+const baseStatus = {
+  currentVersion: '2.7.1',
+  latest: {
+    version: '2.7.2',
+    tag: 'v2.7.2',
+    body: 'release notes',
+    publishedAt: '2026-05-01T00:00:00Z',
+    prerelease: false,
+    htmlUrl: 'https://github.com/ether/etherpad/releases/tag/v2.7.2',
+  },
+  lastCheckAt: '2026-05-08T00:00:00Z',
+  installMethod: 'git',
+  tier: 'manual',
+  policy: {canNotify: true, canManual: true, canAuto: false, canAutonomous: false, reason: 'ok'},
+  vulnerableBelow: [],
+  execution: {status: 'idle'},
+  lastResult: null,
+  lockHeld: false,
+};
+
+test.describe('admin update page actions', () => {
+  test.beforeEach(async ({page}) => {
+    await loginToAdmin(page, 'admin', 'changeme1');
+  });
+
+  test('Apply button posts /admin/update/apply and re-fetches status', async ({page}) => {
+    let postedApply = false;
+    let statusFetches = 0;
+    await page.route('**/admin/update/status', async (route) => {
+      statusFetches += 1;
+      await route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        body: JSON.stringify(baseStatus),
+      });
+    });
+    await page.route('**/admin/update/apply', async (route) => {
+      postedApply = true;
+      await route.fulfill({status: 202, contentType: 'application/json', body: JSON.stringify({accepted: true})});
+    });
+
+    await page.goto('http://localhost:9001/admin/update');
+    await expect(page.getByRole('button', {name: /apply update/i})).toBeVisible({timeout: 30000});
+
+    await page.getByRole('button', {name: /apply update/i}).click();
+    await expect.poll(() => postedApply, {timeout: 15000}).toBe(true);
+    // After Apply, the page re-fetches status. Initial load = 1 fetch + Apply re-fetch >= 2.
+    await expect.poll(() => statusFetches, {timeout: 15000}).toBeGreaterThanOrEqual(2);
+  });
+
+  test('install-method-not-writable hides Apply and shows the policy-denial copy', async ({page}) => {
+    const denied = {
+      ...baseStatus,
+      installMethod: 'docker',
+      policy: {canNotify: true, canManual: false, canAuto: false, canAutonomous: false, reason: 'install-method-not-writable'},
+    };
+    await page.route('**/admin/update/status', (route) =>
+      route.fulfill({status: 200, contentType: 'application/json', body: JSON.stringify(denied)}));
+
+    await page.goto('http://localhost:9001/admin/update');
+    // Heading rendered; no Apply button.
+    await expect(page.getByRole('heading', {name: /etherpad updates/i})).toBeVisible({timeout: 30000});
+    await expect(page.getByRole('button', {name: /apply update/i})).toHaveCount(0);
+    // Localised denial copy.
+    await expect(page.getByText(/Updates from the admin UI require a git install/i)).toBeVisible();
+  });
+
+  test('rollback-failed terminal state shows Acknowledge and lastResult copy', async ({page}) => {
+    const terminal = {
+      ...baseStatus,
+      execution: {
+        status: 'rollback-failed',
+        reason: 'pnpm install failed; rollback failed: pnpm exit 1',
+        targetTag: 'v2.7.2',
+        fromSha: 'abc',
+        at: '2026-05-08T00:00:00Z',
+      },
+      lastResult: {
+        targetTag: 'v2.7.2',
+        fromSha: 'abc',
+        outcome: 'rollback-failed',
+        reason: 'pnpm install failed',
+        at: '2026-05-08T00:00:00Z',
+      },
+      policy: {canNotify: true, canManual: true, canAuto: false, canAutonomous: false, reason: 'rollback-failed-terminal'},
+    };
+    await page.route('**/admin/update/status', (route) =>
+      route.fulfill({status: 200, contentType: 'application/json', body: JSON.stringify(terminal)}));
+
+    await page.goto('http://localhost:9001/admin/update');
+    await expect(page.getByRole('button', {name: /acknowledge/i})).toBeVisible({timeout: 30000});
+    // lastResult copy uses i18n update.page.last_result.rollback-failed.
+    // Both the banner and the lastResult paragraph contain "Manual intervention
+    // required" — scope to the lastResult <p> so we get exactly one match.
+    await expect(page.locator('p.last-result-rollback-failed')).toBeVisible();
+    await expect(page.locator('p.last-result-rollback-failed')).toContainText(/Manual intervention required/i);
+  });
+
+  test('lockHeld true hides the Apply button even when policy.canManual is on', async ({page}) => {
+    const locked = {...baseStatus, lockHeld: true};
+    await page.route('**/admin/update/status', (route) =>
+      route.fulfill({status: 200, contentType: 'application/json', body: JSON.stringify(locked)}));
+
+    await page.goto('http://localhost:9001/admin/update');
+    await expect(page.getByRole('heading', {name: /etherpad updates/i})).toBeVisible({timeout: 30000});
+    await expect(page.getByRole('button', {name: /apply update/i})).toHaveCount(0);
+  });
+});

From 4c3fdaf699ad55969d2a5e261fa3f40c9eb43d2a Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Sun, 10 May 2026 16:02:50 +0800
Subject: [PATCH 18/25] chore(admin): typesafe API client + TanStack Query
 rails (#7638) (#7695)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* chore(admin): typesafe API client + TanStack Query rails (#7638) (#2)

* docs(admin): design for typesafe API client + TanStack Query rails (#7638)

Rails-only scope: codegen toolchain, runtime client, and provider — no
call-site migrations. Admin endpoints are not yet covered by the OpenAPI
spec, so a separate issue will follow before any migration is useful.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): implementation plan for typesafe API client rails (#7638)

Step-by-step task breakdown for the rails-only PR: codegen toolchain,
runtime client, TanStack Query provider, CI freshness check, docs. No
call-site migrations until admin endpoints are added to the OpenAPI
spec (separate follow-up).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(api): export generateDefinitionForVersion from openapi hook

Required by the admin codegen script (#7638) to dump the OpenAPI spec
without booting Express. No behavior change for the request hook.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): add OpenAPI codegen + TanStack Query deps (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): add OpenAPI spec dump entry (#7638)

Loaded via tsx by gen-api.mjs in the next commit. Writes JSON to a file
path argument so log4js stdout output (from Settings init) does not
pollute the spec output.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): wire OpenAPI codegen into build (#7638)

Adds gen:api script and amends build/build-copy to regenerate
admin/src/api/schema.d.ts before compiling. The generated file is
checked in so it shows up in PR review and so a fresh checkout doesn't
need codegen to typecheck.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): typed openapi-fetch + react-query client (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): TanStack Query provider, dev-only devtools (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(admin): mount TanStack Query provider at root (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(admin): smoke test for typed openapi-fetch client (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(admin): verify generated OpenAPI schema is up to date (#7638)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* docs(admin): document OpenAPI codegen workflow (#7638)

Replaces the default Vite scaffold README with admin-specific scripts
table and codegen workflow notes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* build(admin): exclude __tests__ from tsc include (#7638)

The smoke test imports node:test/node:assert which need @types/node.
Admin source is browser-only, so excluding __tests__ from the production
typecheck is cleaner than adding Node types to the bundle config. The
test still runs under tsx, which doesn't share this constraint.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore: regenerate lockfile with pnpm 10 to restore overrides block (#7638)

Adding admin deps with pnpm 11 stripped the top-level \`overrides:\`
section from pnpm-lock.yaml, which CI uses pnpm 10 to verify. Result:
ERR_PNPM_LOCKFILE_CONFIG_MISMATCH on every job. Re-running pnpm 10
\`install --lockfile-only\` restores the overrides block; the new admin
package entries land in the same commit. Two stale lockfile entries
not present in package.json (\`serialize-javascript\` version pin and
\`uuid@<14.0.0\`) were normalized by the regen — package.json is the
source of truth for those.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* build(docker): preserve strictDepBuilds=false in trimmed workspace yaml (#7638)

Adding tsx as an admin devDep brings esbuild@0.27.x into the resolved
subgraph, and the Dockerfile's runtime stage was overwriting
pnpm-workspace.yaml with a stripped-down version that lost the
strictDepBuilds=false setting from the source repo. With pnpm 10's
default of strictDepBuilds=true, the install then errors on
ERR_PNPM_IGNORED_BUILDS for esbuild + scarf rather than warning.

Restore the strictDepBuilds=false and the @scarf/scarf ignore in the
trimmed yaml so the production install matches develop's behavior.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(admin): point client baseUrl at /api/<version> via codegen (#7638)

Qodo flagged: with baseUrl='/' and schema paths like '/createGroup',
calls landed at /createGroup, but the backend mounts the FLAT-style
spec under /api/<version>/. So once a call site lands, every request
404s.

gen:api now also emits admin/src/api/version.ts containing
LATEST_API_VERSION (read from info.version in the spec) and a derived
API_BASE_URL = `/api/<version>`. client.ts imports API_BASE_URL.
Workflow freshness check covers both generated files.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* build(admin): cross-platform spawn in gen-api.mjs (#7638)

Windows CI failed because spawnSync('pnpm', ...) cannot resolve
pnpm.cmd without a shell. Set shell:true on win32 only so Linux/macOS
runs avoid Node's DEP0190 warning. All spawn args are literal strings,
so the shell variant is not an injection risk.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(admin): gitignore generated schema/version, regen on every script (#7638)

Qodo flagged the committed admin/src/api/schema.d.ts as a build artifact
that violates the rule against committing generated files (rule 467291,
"Exclude build artifacts and runtime-generated files from version control").

This commit:
- Adds admin/src/api/{schema.d.ts,version.ts} to .gitignore.
- Removes both from VCS (the prior squash had committed them).
- Chains \`gen:api\` into the dev and test scripts so a fresh checkout
  lands a working dev server / test run without an extra step. build
  and build-copy already chained gen:api.
- Drops the now-redundant CI freshness diff step from
  frontend-admin-tests.yml — with the files no longer committed, the
  build step's gen:api invocation is the only check needed.
- Updates admin/README.md to describe the new generated-file workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

From 2adc228e6132e39697768522107734475da23f51 Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Sun, 10 May 2026 19:23:08 +0800
Subject: [PATCH 19/25] =?UTF-8?q?fix(tests):=20unblock=20CI=20=E2=80=94=20?=
 =?UTF-8?q?Windows=20updater=20paths=20+=20admin-plugins=20row=20count=20(?=
 =?UTF-8?q?#7712)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix(updater): build expected paths via path.join in updater tests

The Windows backend job has been red on develop since #7607 (tier-2
auto-update) merged: RollbackHandler.test.ts:122 and
UpdateExecutor.test.ts:66 asserted POSIX-style paths, but the
implementations build the same paths via path.join — which emits
backslashes on Windows. The tests pass on Linux/macOS only by
coincidence.

Switch the expected values to path.join(deps.repoDir, ...) /
path.join(deps.backupDir, ...) so they track whatever the
implementation produces on the host platform.

No production code changes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(admin-spec): assert installed-plugins by name, not row count

ep_set_title_on_pad@0.7.2 took on ep_plugin_helpers as a transitive
plugin dependency, so installing it now adds two rows to the
installed-plugins table (the new plugin + its helper plugin) rather
than one. The Playwright spec hard-coded `toHaveCount(2)` after install
and `toHaveCount(1)` after uninstall, so it has been red on develop
since #7705 merged the new admin bundle (every Frontend admin tests
job, every Node version).

Switch the assertions to scope by row text — `tr` containing
`ep_set_title_on_pad` — and check that exactly one such row exists
after install and zero after uninstall. This survives whatever
transitive plugin deps the chosen test plugin pulls along, which is
the only thing this spec actually cares about.

Verified locally on a fresh Etherpad install: 3/3 admin-update-plugins
tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../specs/updater/RollbackHandler.test.ts     |  5 ++--
 .../specs/updater/UpdateExecutor.test.ts      |  6 ++++-
 .../admin-spec/adminupdateplugins.spec.ts     | 23 +++++++++----------
 3 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/src/tests/backend-new/specs/updater/RollbackHandler.test.ts b/src/tests/backend-new/specs/updater/RollbackHandler.test.ts
index 8a30cbcb769..14b684989f2 100644
--- a/src/tests/backend-new/specs/updater/RollbackHandler.test.ts
+++ b/src/tests/backend-new/specs/updater/RollbackHandler.test.ts
@@ -1,3 +1,4 @@
+import path from 'node:path';
 import {describe, it, expect, vi, beforeEach, afterEach} from 'vitest';
 import {checkPendingVerification, performRollback, RollbackDeps} from '../../../../node/updater/RollbackHandler';
 import {EMPTY_STATE} from '../../../../node/updater/types';
@@ -120,8 +121,8 @@ describe('performRollback', () => {
     };
     await performRollback(state, deps);
     expect(deps.copyFile).toHaveBeenCalledWith(
-      '/srv/etherpad/var/update-backup/pnpm-lock.yaml',
-      '/srv/etherpad/pnpm-lock.yaml',
+      path.join(deps.backupDir, 'pnpm-lock.yaml'),
+      path.join(deps.repoDir, 'pnpm-lock.yaml'),
     );
     const lastSave = (deps.saveState as any).mock.calls.at(-1)[0];
     expect(lastSave.execution.status).toBe('rolled-back');
diff --git a/src/tests/backend-new/specs/updater/UpdateExecutor.test.ts b/src/tests/backend-new/specs/updater/UpdateExecutor.test.ts
index 18fa118fc1b..9ae8815dba8 100644
--- a/src/tests/backend-new/specs/updater/UpdateExecutor.test.ts
+++ b/src/tests/backend-new/specs/updater/UpdateExecutor.test.ts
@@ -1,3 +1,4 @@
+import path from 'node:path';
 import {describe, it, expect, vi, beforeEach} from 'vitest';
 import {executeUpdate, ExecutorDeps} from '../../../../node/updater/UpdateExecutor';
 import {EMPTY_STATE, UpdateState} from '../../../../node/updater/types';
@@ -64,7 +65,10 @@ describe('executeUpdate', () => {
     const r = await executeUpdate(deps);
     expect(r).toEqual({outcome: 'pending-verification'});
     expect(copies).toEqual([
-      {src: '/srv/etherpad/pnpm-lock.yaml', dst: '/srv/etherpad/var/update-backup/pnpm-lock.yaml'},
+      {
+        src: path.join(deps.repoDir, 'pnpm-lock.yaml'),
+        dst: path.join(deps.backupDir, 'pnpm-lock.yaml'),
+      },
     ]);
     expect(states.at(-1)?.execution.status).toBe('pending-verification');
     expect((states.at(-1)?.execution as any).fromSha).toBe('abc123');
diff --git a/src/tests/frontend-new/admin-spec/adminupdateplugins.spec.ts b/src/tests/frontend-new/admin-spec/adminupdateplugins.spec.ts
index 0728f6c9ef6..b426fc6f661 100644
--- a/src/tests/frontend-new/admin-spec/adminupdateplugins.spec.ts
+++ b/src/tests/frontend-new/admin-spec/adminupdateplugins.spec.ts
@@ -48,23 +48,22 @@ test.describe('Plugins page',  ()=> {
 
         // Select Installation button
         await pluginRow.locator('td').nth(4).locator('button').first().click()
-        await page.waitForTimeout(100)
         await page.waitForSelector('table tbody')
-        const installedPlugins = page.locator('table tbody').first()
-        const installedPluginsRows = installedPlugins.locator('tr')
-        await expect(installedPluginsRows).toHaveCount(2, {
-            timeout: 15000
-        })
 
-        const installedPluginRow = installedPluginsRows.nth(1)
+        // The installed-plugins table can grow by more than one row if the
+        // installed plugin pulls in transitive plugin deps (e.g.
+        // ep_set_title_on_pad depends on ep_plugin_helpers as of 0.7.2), so
+        // assert by name rather than by row count.
+        const installedPlugins = page.locator('table tbody').first()
+        const installedPluginRow = installedPlugins.locator('tr', {hasText: 'ep_set_title_on_pad'})
+        await expect(installedPluginRow).toHaveCount(1, {timeout: 15000})
 
-        await expect(installedPluginRow).toContainText('ep_set_title_on_pad')
         await installedPluginRow.locator('td').nth(2).locator('button').first().click()
 
-        // Wait for the uninstallation to complete
-        await expect(installedPluginsRows).toHaveCount(1, {
-            timeout: 15000
-        })
+        // Wait for the uninstallation to complete: the row for
+        // ep_set_title_on_pad should disappear. Other installed plugins
+        // (etherpad-lite itself, transitive plugin deps) may stay.
+        await expect(installedPluginRow).toHaveCount(0, {timeout: 15000})
         await page.waitForTimeout(5000)
     })
 })

From df0ecec834a391f4a408b0265207f6ec53eac9c4 Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Sun, 10 May 2026 19:23:33 +0800
Subject: [PATCH 20/25] a11y: localize aria-label on form-control elements
 (<select>, <input>, <textarea>) (#7713)

#7584 introduced auto-population of aria-label from a translation
when an element has data-l10n-id and no author-supplied aria-label.
That branch only fires for elements with no children (or with
data-l10n-id ending in a recognized attribute suffix like .title).

Form-control elements break the assumption: a <select> always has
<option> children, an <input>/<textarea> may have implicit value
content. The textContent branch handles them, but the aria-label
fallback wasn't called from there. Plugins like ep_font_size,
ep_headings2, and ep_hljs end up with a localized translation
applied to a <select> but no accessible name on the element itself.

Calls populateAriaLabel() from the textContent branch when the node
is a <select>, <input>, or <textarea>. Keeps the same
"author-supplied aria-label wins on first pass; the
data-l10n-aria-label marker lets us refresh values we wrote"
semantics from #7584.

Adds Playwright coverage in
src/tests/frontend-new/specs/html10n_form_controls_aria.spec.ts:
- aria-label is populated on <select> with data-l10n-id
- aria-label is populated on <textarea> with data-l10n-id
- author-supplied aria-label is preserved on first pass
---
 src/static/js/vendors/html10n.ts              | 41 ++++++---
 .../specs/html10n_form_controls_aria.spec.ts  | 85 +++++++++++++++++++
 2 files changed, 113 insertions(+), 13 deletions(-)
 create mode 100644 src/tests/frontend-new/specs/html10n_form_controls_aria.spec.ts

diff --git a/src/static/js/vendors/html10n.ts b/src/static/js/vendors/html10n.ts
index eaec33ddf23..821a4d0771c 100644
--- a/src/static/js/vendors/html10n.ts
+++ b/src/static/js/vendors/html10n.ts
@@ -658,24 +658,28 @@ export class Html10n {
       prop = document.body.textContent ? 'textContent' : 'innerText'
     }
 
-    // Apply translation
-    if (node.children.length === 0 || prop != 'textContent') {
-      // @ts-ignore
-      node[prop] = str.str!
-      // Populate aria-label from the translation so screen readers get a
-      // localized accessible name. Preserve an author-supplied aria-label
-      // (one present in the template without a marker), but keep our own
-      // html10n-generated values in sync across language changes by
-      // overwriting them. The `data-l10n-aria-label` marker distinguishes
-      // the two: set when we populate it, checked on subsequent passes so
-      // `pad.applyLanguage()` refreshes the accessible name.
-      // See PR #7584 review feedback.
-      const generatedMarker = 'data-l10n-aria-label';
+    // Populate aria-label from the translation so screen readers get a
+    // localized accessible name. Preserve an author-supplied aria-label
+    // (one present in the template without a marker), but keep our own
+    // html10n-generated values in sync across language changes by
+    // overwriting them. The `data-l10n-aria-label` marker distinguishes
+    // the two: set when we populate it, checked on subsequent passes so
+    // `pad.applyLanguage()` refreshes the accessible name.
+    // See PR #7584 review feedback.
+    const generatedMarker = 'data-l10n-aria-label';
+    const populateAriaLabel = () => {
       if (!node.hasAttribute('aria-label') ||
           node.getAttribute(generatedMarker) === 'true') {
         node.setAttribute('aria-label', str.str!);
         node.setAttribute(generatedMarker, 'true');
       }
+    }
+
+    // Apply translation
+    if (node.children.length === 0 || prop != 'textContent') {
+      // @ts-ignore
+      node[prop] = str.str!
+      populateAriaLabel()
     } else {
       let children = node.childNodes,
         found = false
@@ -693,6 +697,17 @@ export class Html10n {
       if (!found) {
         console.warn('Unexpected error: could not translate element content for key '+str.id, node)
       }
+      // Form-controllable elements (<select>, <input>, <textarea>) carry their
+      // accessible name on aria-label rather than as text content (a <select>'s
+      // text is its <option> labels, not its own name). The textContent branch
+      // above doesn't fall through to populateAriaLabel(), so plugins that put
+      // data-l10n-id on a <select> and rely on the auto-population (introduced
+      // in #7584) end up with no accessible name. Populate aria-label here so
+      // those controls stay localized too. See ether/ep_align#182 review.
+      const tag = node.tagName;
+      if (tag === 'SELECT' || tag === 'INPUT' || tag === 'TEXTAREA') {
+        populateAriaLabel()
+      }
     }
   }
 
diff --git a/src/tests/frontend-new/specs/html10n_form_controls_aria.spec.ts b/src/tests/frontend-new/specs/html10n_form_controls_aria.spec.ts
new file mode 100644
index 00000000000..8508af5b690
--- /dev/null
+++ b/src/tests/frontend-new/specs/html10n_form_controls_aria.spec.ts
@@ -0,0 +1,85 @@
+// Regression test for html10n's aria-label auto-population on form
+// controls (<select>, <input>, <textarea>) — these have child <option>s
+// or implicit value content, so the textContent branch in translateNode
+// applies, and the aria-label population that lives in the no-children
+// branch was being skipped. This left plugins like ep_font_size and
+// ep_headings2 with a <select data-l10n-id="..."> but no accessible
+// name once a hardcoded English aria-label was removed.
+//
+// See ether/etherpad PR that added this behavior (linked from
+// ether/ep_align#182 review).
+
+import {expect, test} from '@playwright/test';
+import {goToNewPad} from '../helper/padHelper';
+
+test.use({locale: 'en-US'});
+
+test.beforeEach(async ({page}) => {
+  await goToNewPad(page);
+});
+
+test('html10n auto-populates aria-label on <select> with data-l10n-id', async ({page}) => {
+  // Inject a <select> with options into the toolbar, tagged with an
+  // existing translation key (`pad.toolbar.bold.title` is shipped in
+  // every locale).
+  await page.evaluate(() => {
+    const sel = document.createElement('select');
+    sel.id = 'html10n-test-select';
+    sel.setAttribute('data-l10n-id', 'pad.toolbar.bold.title');
+    const opt = document.createElement('option');
+    opt.value = 'a';
+    opt.textContent = 'A';
+    sel.appendChild(opt);
+    document.body.appendChild(sel);
+    // Trigger a re-translate so html10n sees the new node.
+    // @ts-ignore window.html10n is exposed by pad.ts
+    window.html10n.localize(['en']);
+  });
+
+  const sel = page.locator('#html10n-test-select');
+  // After translation, aria-label should be set from the localized
+  // string, and the data-l10n-aria-label marker should signal that
+  // html10n owns it (so applyLanguage refreshes it on language change).
+  await expect(sel).toHaveAttribute('aria-label', /.+/);
+  await expect(sel).toHaveAttribute('data-l10n-aria-label', 'true');
+});
+
+test('html10n auto-populates aria-label on <textarea> with data-l10n-id', async ({page}) => {
+  await page.evaluate(() => {
+    const ta = document.createElement('textarea');
+    ta.id = 'html10n-test-textarea';
+    ta.setAttribute('data-l10n-id', 'pad.toolbar.bold.title');
+    document.body.appendChild(ta);
+    // @ts-ignore
+    window.html10n.localize(['en']);
+  });
+
+  const ta = page.locator('#html10n-test-textarea');
+  await expect(ta).toHaveAttribute('aria-label', /.+/);
+  await expect(ta).toHaveAttribute('data-l10n-aria-label', 'true');
+});
+
+test('an author-supplied aria-label on a form control is preserved', async ({page}) => {
+  // Mirror the existing semantics for non-form-control elements: if the
+  // template author wrote their own aria-label, html10n must not
+  // overwrite it on the first pass (it can only refresh values it
+  // previously wrote, identified by the data-l10n-aria-label marker).
+  await page.evaluate(() => {
+    const sel = document.createElement('select');
+    sel.id = 'html10n-test-author-aria';
+    sel.setAttribute('data-l10n-id', 'pad.toolbar.bold.title');
+    sel.setAttribute('aria-label', 'Custom author label');
+    const opt = document.createElement('option');
+    opt.value = 'a';
+    opt.textContent = 'A';
+    sel.appendChild(opt);
+    document.body.appendChild(sel);
+    // @ts-ignore
+    window.html10n.localize(['en']);
+  });
+
+  const sel = page.locator('#html10n-test-author-aria');
+  await expect(sel).toHaveAttribute('aria-label', 'Custom author label');
+  // No marker is set — html10n didn't write this one.
+  await expect(sel).not.toHaveAttribute('data-l10n-aria-label', 'true');
+});

From cbf71285a2c1ec5405015aba5847963b186fdeb1 Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Sun, 10 May 2026 20:02:05 +0800
Subject: [PATCH 21/25] feat(api): clean up published OpenAPI spec for
 downstream codegens (#7714)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat(api): clean up published OpenAPI spec for downstream codegens

The /api/openapi.json doc had four issues that broke generated tooling
(printingpress.dev, openapi-generator, Postman): empty top-level tags
array, every operation duplicated as GET+POST, 14 operations missing
from the resources map (drift since API 1.2.8), and empty summaries on
several tracked ops.

This PR splits the runtime spec from the published spec via a {public}
flag on generateDefinitionForVersion: the runtime definition fed to
openapi-backend keeps both verbs (existing third-party clients that
call GET /api/x.x.x/foo?apikey=... continue to work), while the spec
served at /api/openapi.json, /rest/openapi.json, and per-version paths
advertises only POST.

Other changes:
  - top-level tags array declares pad/author/session/group/chat/server
  - per-op tags override added to SwaggerUIResource type so chat ops
    (still nested under pad for routing) and checkToken can be tagged
    without changing existing REST URLs
  - 14 missing ops (getAttributePool, getRevisionChangeset, copyPad,
    movePad, getPadID, getSavedRevisionsCount, listSavedRevisions,
    saveRevision, restoreRevision, appendText, copyPadWithoutHistory,
    compactPad, anonymizeAuthor, getStats) backfilled with summaries
  - empty summaries on listSessionsOfGroup, listAllGroups,
    createDiffHTML, createPad filled in
  - new backend tests assert the public spec shape (tags, summaries,
    POST-only) and that runtime routing still resolves both verbs

Driven by integrating Etherpad with printingpress.dev: pointing the
generator at the previous spec produced a 96-command CLI with no
resource grouping and many empty descriptions. Design notes in
docs/superpowers/specs/2026-05-10-openapi-cleanup-design.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(api): keep checkToken at /rest/<ver>/pad/checkToken (Qodo #2)

Moving checkToken to a new `server` resource broke REST-style
backward compat: existing callers of /rest/<ver>/pad/checkToken
would have hit `code: 3` (no such function). The whole point of
per-op tag overrides is to preserve REST URLs while still grouping
correctly in OpenAPI tags — checkToken should follow the same
pattern as the chat ops.

Keep checkToken in `resources.pad`, give it `tags: ['server']`,
and add a regression test asserting /rest/<ver>/pad/checkToken
still resolves. The `server` resource still exists for `getStats`
(genuinely new server-level op with no prior REST URL).

Updates the design doc accordingly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../2026-05-10-openapi-cleanup-design.md      | 137 ++++++++++++++++
 src/node/hooks/express/openapi.ts             | 147 +++++++++++++++---
 src/node/types/SwaggerUIResource.ts           |   5 +-
 src/tests/backend/specs/api/api.ts            | 105 +++++++++++++
 4 files changed, 369 insertions(+), 25 deletions(-)
 create mode 100644 docs/superpowers/specs/2026-05-10-openapi-cleanup-design.md

diff --git a/docs/superpowers/specs/2026-05-10-openapi-cleanup-design.md b/docs/superpowers/specs/2026-05-10-openapi-cleanup-design.md
new file mode 100644
index 00000000000..c588d071ddd
--- /dev/null
+++ b/docs/superpowers/specs/2026-05-10-openapi-cleanup-design.md
@@ -0,0 +1,137 @@
+# OpenAPI cleanup for downstream tooling — Design
+
+**Date:** 2026-05-10
+**Owner:** John McLear
+**Scope:** `src/node/hooks/express/openapi.ts` + type tweak + tests
+**Driven by:** integrating Etherpad with [printingpress.dev](https://printingpress.dev). Generating a Go CLI / Claude Code skill from `/api/openapi.json` revealed structural problems in the served spec that hurt every downstream consumer (printing-press, Postman, Swagger UI, openapi-generator, etc.). This PR fixes Etherpad's spec; generating and publishing a CLI is a follow-up that depends on this landing.
+
+## Problems in the current spec
+
+A live capture of `/api/openapi.json` (Etherpad 1.3.0, 48 paths) showed:
+
+1. **Top-level `tags` array is empty/null.** Per-operation `tags: ["pad"]`, `["group"]`, etc. are populated for ops in the `resources` map, but consumers that group by tag (printing-press, Swagger UI sidebar, openapi-generator's resource modules) need the top-level array to discover and order them.
+
+2. **Every operation duplicated as GET and POST.** Lines 562–573 of `openapi.ts` deliberately emit `paths[path] = { get: {...UsingGET}, post: {...UsingPOST} }`. The original comment ("It may be confusing that every operation can be called with both GET and POST") acknowledges this. A 48-path API generates a 96-operation CLI with `check-token using-get` + `check-token using-post`, etc.
+
+3. **14 operations missing from the `resources` map.** As new API versions were added (1.2.8 → 1.3.1), `APIHandler.ts` got new functions but the `resources` map in `openapi.ts` was never updated. Affected ops have no `tags`, no `summary`, no `description`:
+   - `getAttributePool`, `getRevisionChangeset`, `copyPad`, `movePad`, `getPadID`, `getSavedRevisionsCount`, `listSavedRevisions`, `saveRevision`, `restoreRevision`, `appendText`, `getStats`, `copyPadWithoutHistory`, `compactPad`, `anonymizeAuthor`
+
+4. **Empty summaries on tracked ops.** `listSessionsOfGroup`, `listAllGroups`, `createDiffHTML` had `summary: ''`. `createPad` had no summary at all.
+
+## Non-goals
+
+- **Deprecating GET routes at runtime.** Existing third-party clients use `GET /api/1.x.x/foo?apikey=...`. Removing GET would be a breaking change for them — out of scope. This PR only changes what the spec *advertises*.
+- **Fixing printing-press's operationId derivation bug** (`get-html_get-htmlusing-get`). Generator-side issue.
+- **Admin API spec** (`/admin/openapi.json`). Different surface, separate cleanup if needed later.
+
+## Design
+
+### Per-op tag overrides
+
+The simplest fix for Problem 3-and-friends is to allow per-operation `tags` overrides in the `resources` map. Existing chat ops (`getChatHistory`, `getChatHead`, `appendChatMessage`) and `checkToken` are nested under `pad` for routing reasons; tagging them as `chat` / `server` without restructuring the map preserves all REST URLs.
+
+The operations builder destructures `tags` from each spec entry and falls back to `[resource]` when absent:
+
+```ts
+const {operationId, responseSchema, tags: customTags, ...operation} = spec as any;
+// ...
+operations[operationId] = {
+  operationId,
+  ...operation,
+  responses,
+  tags: customTags || [resource],
+  _restPath: `/${resource}/${action}`,
+};
+```
+
+The `SwaggerUIResource` type gains an optional `tags?: string[]` field.
+
+### Top-level tags array
+
+Added inside `generateDefinitionForVersion`'s returned `definition` object:
+
+```ts
+tags: [
+  {name: 'pad',     description: 'Pad lifecycle, content, revisions, attributes'},
+  {name: 'author',  description: 'Authors and authorship'},
+  {name: 'session', description: 'Group sessions'},
+  {name: 'group',   description: 'Groups (multi-tenant pads)'},
+  {name: 'chat',    description: 'In-pad chat history'},
+  {name: 'server',  description: 'Server-level operations (stats, token check)'},
+],
+```
+
+### Backfill missing entries
+
+14 operations added to `resources` with proper summaries. Most go under `pad`; `anonymizeAuthor` under `author`; `getStats` under a new `server` resource group.
+
+| Tag    | Operation                  | Summary                                                       |
+|--------|----------------------------|---------------------------------------------------------------|
+| pad    | `getAttributePool`         | returns the attribute pool of a pad                           |
+| pad    | `getRevisionChangeset`     | returns the changeset at a given revision of a pad            |
+| pad    | `copyPad`                  | copies a pad with full history and chat                       |
+| pad    | `movePad`                  | moves a pad — copy then delete the original                   |
+| pad    | `getPadID`                 | returns the read-write pad ID for a given read-only pad ID    |
+| pad    | `getSavedRevisionsCount`   | returns the number of saved revisions of a pad                |
+| pad    | `listSavedRevisions`       | returns the list of saved revisions of a pad                  |
+| pad    | `saveRevision`             | saves a revision of a pad                                     |
+| pad    | `restoreRevision`          | restores a pad to a specific revision                         |
+| pad    | `appendText`               | appends text to a pad                                         |
+| pad    | `copyPadWithoutHistory`    | copies a pad without history or chat                          |
+| pad    | `compactPad`               | compacts a pad's revision history, keeping recent ones        |
+| author | `anonymizeAuthor`          | anonymizes an author across all their edits                   |
+| server | `getStats`                 | returns server-wide statistics                                |
+
+`checkToken` stays under `pad` in the resources map (preserves `/rest/<ver>/pad/checkToken`) but gains an explicit `tags: ['server']` override so it groups correctly in OpenAPI without changing its REST URL.
+
+### Runtime vs published spec split
+
+`generateDefinitionForVersion` gains a `{public}` flag:
+
+```ts
+const generateDefinitionForVersion = (
+    version: string,
+    style: string = APIPathStyle.FLAT,
+    {public: isPublic = false}: {public?: boolean} = {},
+) => { ... }
+```
+
+When `isPublic`, paths emit only `post:`. Otherwise both `get:` and `post:` (current behavior).
+
+- The `definition` passed to `new OpenAPIBackend({...})` stays as-is (no flag) → both verbs routed at runtime → backward compat preserved.
+- The handlers serving `/api/openapi.json`, `/rest/openapi.json`, `/api/{version}/openapi.json` call with `{public: true}` → clients see clean POST-only API.
+
+operationIds in the public spec are unchanged (`${name}UsingPOST`), so any tooling already generated from the previous spec still finds its operations — strict subset, not rename.
+
+## Test plan
+
+Two new describe blocks in `src/tests/backend/specs/api/api.ts` (existing home for `/api/openapi.json` tests):
+
+1. **public OpenAPI spec shape** — fetches `/api/openapi.json` once, asserts:
+   - Top-level `tags` array contains `{pad, author, session, group, chat, server}`
+   - Every operation has `tags: [...]` with ≥1 non-empty entry
+   - Every operation has a non-empty `summary` (≥3 chars)
+   - Every path advertises only `post:`
+
+2. **runtime backward compatibility** — drives the live API:
+   - `GET /api/{v}/checkToken?apikey=...` returns code 0
+   - `POST /api/{v}/checkToken` returns code 0
+
+These assert both halves of the design: the published spec is clean, and the runtime hasn't lost backward-compat routing.
+
+## Blast radius
+
+- **Runtime callers** (third-party scripts, ep_ai_mcp's HTTP fallback paths if any, dashboards, CI hooks): zero impact. Both GET and POST routes still resolve.
+- **Tooling regenerators** (Postman collections, Swagger UI, openapi-generator clients): strict improvement. Smaller, better-named, properly-grouped surface. operationIds stable.
+- **REST-style URLs** (`/rest/...`): unchanged for every existing op. No restructuring of `resources` was needed because per-op tag overrides do the work. New backfilled ops (`getAttributePool` etc.) gain a `/rest/X/pad/getAttributePool` path; their previous fallback `/rest/X/getAttributePool` is no longer the canonical REST route, but FLAT (`/api/...`) is unchanged.
+
+## Out-of-band note
+
+The spec already serves at three URLs (`/api/openapi.json`, `/rest/openapi.json`, `/api/{version}/openapi.json`); the cleanup applies to all three because the same builder backs them.
+
+A separate admin spec exists at `/admin/openapi.json` (added in #7693/#7705) — out of scope here, worth a similar audit later.
+
+## Follow-up phases (not part of this PR)
+
+- **Phase B:** point printing-press at the cleaned spec, generate `etherpad` Go CLI + Claude Code skill, push to a new `ether/etherpad-cli` repo, submit to printingpress.dev community library.
+- **Phase C:** submit `ep_ai_mcp` as the canonical MCP entry in printingpress.dev's library — generated MCP from OpenAPI would be strictly worse (no changeset/authorship reach-through).
diff --git a/src/node/hooks/express/openapi.ts b/src/node/hooks/express/openapi.ts
index 6eb420f2894..3b7dd450904 100644
--- a/src/node/hooks/express/openapi.ts
+++ b/src/node/hooks/express/openapi.ts
@@ -86,14 +86,14 @@ const resources:SwaggerUIResource = {
     },
     listSessions: {
       operationId: 'listSessionsOfGroup',
-      summary: '',
+      summary: 'returns all sessions of a group',
       responseSchema: {
         sessions: {type: 'array', items: {$ref: '#/components/schemas/SessionInfo'}},
       },
     },
     list: {
       operationId: 'listAllGroups',
-      summary: '',
+      summary: 'returns the IDs of all groups on this server',
       responseSchema: {groupIDs: {type: 'array', items: {type: 'string'}}},
     },
   },
@@ -128,6 +128,10 @@ const resources:SwaggerUIResource = {
       summary: 'Returns the Author Name of the author',
       responseSchema: {info: {$ref: '#/components/schemas/UserInfo'}},
     },
+    anonymize: {
+      operationId: 'anonymizeAuthor',
+      summary: 'anonymizes an author across all their edits',
+    },
   },
 
   // Session
@@ -158,11 +162,12 @@ const resources:SwaggerUIResource = {
     },
     createDiffHTML: {
       operationId: 'createDiffHTML',
-      summary: '',
+      summary: 'returns an HTML diff between two revisions of a pad',
       responseSchema: {},
     },
     create: {
       operationId: 'createPad',
+      summary: 'creates a new (non-group) pad',
       description:
           'creates a new (non-group) pad. Note that if you need to create a group Pad, ' +
           'you should call createGroupPad',
@@ -234,22 +239,82 @@ const resources:SwaggerUIResource = {
     },
     checkToken: {
       operationId: 'checkToken',
-      summary: 'returns ok when the current api token is valid',
+      summary: 'returns ok when the current API token is valid',
+      tags: ['server'],
     },
     getChatHistory: {
       operationId: 'getChatHistory',
       summary: 'returns the chat history',
+      tags: ['chat'],
       responseSchema: {messages: {type: 'array', items: {$ref: '#/components/schemas/Message'}}},
     },
     // We need an operation that returns a Message so it can be picked up by the codegen :(
     getChatHead: {
       operationId: 'getChatHead',
       summary: 'returns the chatHead (chat-message) of the pad',
+      tags: ['chat'],
       responseSchema: {chatHead: {$ref: '#/components/schemas/Message'}},
     },
     appendChatMessage: {
       operationId: 'appendChatMessage',
       summary: 'appends a chat message',
+      tags: ['chat'],
+    },
+    getAttributePool: {
+      operationId: 'getAttributePool',
+      summary: 'returns the attribute pool of a pad',
+    },
+    getRevisionChangeset: {
+      operationId: 'getRevisionChangeset',
+      summary: 'returns the changeset at a given revision of a pad',
+    },
+    copyPad: {
+      operationId: 'copyPad',
+      summary: 'copies a pad with full history and chat',
+    },
+    movePad: {
+      operationId: 'movePad',
+      summary: 'moves a pad — copy then delete the original',
+    },
+    getPadID: {
+      operationId: 'getPadID',
+      summary: 'returns the read-write pad ID for a given read-only pad ID',
+    },
+    getSavedRevisionsCount: {
+      operationId: 'getSavedRevisionsCount',
+      summary: 'returns the number of saved revisions of a pad',
+    },
+    listSavedRevisions: {
+      operationId: 'listSavedRevisions',
+      summary: 'returns the list of saved revisions of a pad',
+    },
+    saveRevision: {
+      operationId: 'saveRevision',
+      summary: 'saves a revision of a pad',
+    },
+    restoreRevision: {
+      operationId: 'restoreRevision',
+      summary: 'restores a pad to a specific revision',
+    },
+    appendText: {
+      operationId: 'appendText',
+      summary: 'appends text to a pad',
+    },
+    copyPadWithoutHistory: {
+      operationId: 'copyPadWithoutHistory',
+      summary: 'copies a pad without history or chat',
+    },
+    compactPad: {
+      operationId: 'compactPad',
+      summary: 'compacts a pad\'s revision history, keeping recent revisions only',
+    },
+  },
+
+  // Server
+  server: {
+    getStats: {
+      operationId: 'getStats',
+      summary: 'returns server-wide statistics',
     },
   },
 };
@@ -396,7 +461,7 @@ const defaultResponseRefs:OpenAPISuccessResponse = {
 const operations: OpenAPIOperations = {};
 for (const [resource, actions] of Object.entries(resources)) {
   for (const [action, spec] of Object.entries(actions)) {
-    const {operationId,responseSchema, ...operation} = spec;
+    const {operationId, responseSchema, tags: customTags, ...operation} = spec as any;
 
     // add response objects
     const responses:OpenAPISuccessResponse = {...defaultResponseRefs};
@@ -409,20 +474,43 @@ for (const [resource, actions] of Object.entries(resources)) {
     }
 
     // add final operation object to dictionary
+    // tags default to [resource] but can be overridden per-op via spec.tags
+    // (e.g. chat ops nested under pad use tags: ['chat']).
     operations[operationId] = {
       operationId,
       ...operation,
       responses,
-      tags: [resource],
+      tags: customTags || [resource],
       _restPath: `/${resource}/${action}`,
     };
   }
 }
 
-const generateDefinitionForVersion = (version:string, style = APIPathStyle.FLAT) => {
-  const definition = {
+/**
+ * Generate the OpenAPI definition for a given API version + path style.
+ *
+ * The `public` flag controls whether the spec is the *runtime* definition (used
+ * to dispatch requests via openapi-backend, which still routes both GET and
+ * POST for backward compatibility with older clients) or the *published* spec
+ * (served at /api/openapi.json etc., advertising only POST so generated tooling
+ * — printingpress.dev, openapi-generator, Postman — sees a clean surface).
+ */
+const generateDefinitionForVersion = (
+    version: string,
+    style: string = APIPathStyle.FLAT,
+    {public: isPublic = false}: {public?: boolean} = {},
+) => {
+  const definition: any = {
     openapi: OPENAPI_VERSION,
     info,
+    tags: [
+      {name: 'pad',     description: 'Pad lifecycle, content, revisions, attributes'},
+      {name: 'author',  description: 'Authors and authorship'},
+      {name: 'session', description: 'Group sessions'},
+      {name: 'group',   description: 'Groups (multi-tenant pads)'},
+      {name: 'chat',    description: 'In-pad chat history'},
+      {name: 'server',  description: 'Server-level operations (stats, token check)'},
+    ],
     paths: {},
     components: {
       parameters: {},
@@ -559,18 +647,29 @@ const generateDefinitionForVersion = (version:string, style = APIPathStyle.FLAT)
     delete operation._restPath;
 
     // add to definition
-    // NOTE: It may be confusing that every operation can be called with both GET and POST
-    // @ts-ignore
-    definition.paths[path] = {
-      get: {
-        ...operation,
-        operationId: `${operation.operationId}UsingGET`,
-      },
-      post: {
-        ...operation,
-        operationId: `${operation.operationId}UsingPOST`,
-      },
-    };
+    // The runtime spec advertises both GET and POST so existing clients (some of
+    // which still pass apikey/params via query string) keep working. The public
+    // spec served at /api/openapi.json advertises only POST — that is the
+    // recommended call style and what downstream codegens should target.
+    if (isPublic) {
+      definition.paths[path] = {
+        post: {
+          ...operation,
+          operationId: `${operation.operationId}UsingPOST`,
+        },
+      };
+    } else {
+      definition.paths[path] = {
+        get: {
+          ...operation,
+          operationId: `${operation.operationId}UsingGET`,
+        },
+        post: {
+          ...operation,
+          operationId: `${operation.operationId}UsingPOST`,
+        },
+      };
+    }
   }
   return definition;
 };
@@ -588,11 +687,13 @@ exports.expressPreSession = async (hookName:string, {app}:any) => {
       const definition = generateDefinitionForVersion(version, style);
 
       // serve version specific openapi definition; regenerate per request so runtime
-      // settings (e.g. authenticationMethod) are reflected
+      // settings (e.g. authenticationMethod) are reflected. The served spec uses
+      // {public: true} to advertise only POST per path (the runtime backend below
+      // still routes both GET and POST for backward compatibility).
       app.get(`${apiRoot}/openapi.json`, (req:any, res:any) => {
         // For openapi definitions, wide CORS is probably fine
         res.header('Access-Control-Allow-Origin', '*');
-        const liveDefinition = generateDefinitionForVersion(version, style);
+        const liveDefinition = generateDefinitionForVersion(version, style, {public: true});
         res.json({...liveDefinition, servers: [generateServerForApiVersion(apiRoot, req)]});
       });
 
@@ -601,7 +702,7 @@ exports.expressPreSession = async (hookName:string, {app}:any) => {
       if (isLatestAPIVersion) {
         app.get(`/${style}/openapi.json`, (req:any, res:any) => {
           res.header('Access-Control-Allow-Origin', '*');
-          const liveDefinition = generateDefinitionForVersion(version, style);
+          const liveDefinition = generateDefinitionForVersion(version, style, {public: true});
           res.json({...liveDefinition, servers: [generateServerForApiVersion(apiRoot, req)]});
         });
       }
diff --git a/src/node/types/SwaggerUIResource.ts b/src/node/types/SwaggerUIResource.ts
index 16886d34fc4..4ab905cc870 100644
--- a/src/node/types/SwaggerUIResource.ts
+++ b/src/node/types/SwaggerUIResource.ts
@@ -3,8 +3,9 @@ export type SwaggerUIResource = {
     [secondKey: string]: {
       operationId: string,
       summary?: string,
-      description?:string
-      responseSchema?: object
+      description?: string,
+      responseSchema?: object,
+      tags?: string[],
     }
   }
 }
diff --git a/src/tests/backend/specs/api/api.ts b/src/tests/backend/specs/api/api.ts
index 53e2e84c976..6a8202eb908 100644
--- a/src/tests/backend/specs/api/api.ts
+++ b/src/tests/backend/specs/api/api.ts
@@ -112,4 +112,109 @@ describe(__filename, function () {
       }
     });
   });
+
+  describe('public OpenAPI spec shape (for downstream codegens)', function () {
+    let spec: any;
+
+    before(async function () {
+      this.timeout(15000);
+      spec = (await agent.get('/api/openapi.json').expect(200)).body;
+    });
+
+    it('declares a top-level tags array with all expected resource groups', function () {
+      if (!Array.isArray(spec.tags)) {
+        throw new Error(`Expected top-level tags to be an array, got ${typeof spec.tags}`);
+      }
+      const names = spec.tags.map((t: any) => t.name);
+      const expected = ['pad', 'author', 'session', 'group', 'chat', 'server'];
+      const missing = expected.filter((n) => !names.includes(n));
+      if (missing.length) {
+        throw new Error(`Top-level tags missing entries: ${missing.join(', ')}; got: ${names}`);
+      }
+    });
+
+    it('tags every operation with at least one non-empty tag', function () {
+      const untagged: string[] = [];
+      for (const [path, methods] of Object.entries(spec.paths)) {
+        for (const [method, op] of Object.entries(methods as any)) {
+          const tags = (op as any).tags;
+          if (!Array.isArray(tags) || tags.length === 0 || tags.some((t) => !t)) {
+            untagged.push(`${method.toUpperCase()} ${path}`);
+          }
+        }
+      }
+      if (untagged.length) {
+        throw new Error(`${untagged.length} operations are untagged: ${untagged.join(', ')}`);
+      }
+    });
+
+    it('summarizes every operation', function () {
+      const unsummarized: string[] = [];
+      for (const [path, methods] of Object.entries(spec.paths)) {
+        for (const [method, op] of Object.entries(methods as any)) {
+          const summary = (op as any).summary;
+          if (typeof summary !== 'string' || summary.trim().length < 3) {
+            unsummarized.push(
+                `${method.toUpperCase()} ${path} (summary=${JSON.stringify(summary)})`);
+          }
+        }
+      }
+      if (unsummarized.length) {
+        throw new Error(
+            `${unsummarized.length} operations have empty/missing summaries: ` +
+            unsummarized.join(', '));
+      }
+    });
+
+    it('advertises only POST per path (downstream tooling cleanliness)', function () {
+      const offenders: string[] = [];
+      for (const [path, methods] of Object.entries(spec.paths)) {
+        const verbs = Object.keys(methods as any);
+        if (verbs.length !== 1 || verbs[0] !== 'post') {
+          offenders.push(`${path} has methods: ${verbs.join(', ')}`);
+        }
+      }
+      if (offenders.length) {
+        throw new Error(
+            `Public spec must advertise only POST per path; offenders:\n  ${
+              offenders.join('\n  ')}`);
+      }
+    });
+  });
+
+  describe('runtime backward compatibility (GET + POST still routed)', function () {
+    // The runtime spec used by openapi-backend keeps both verbs even though the
+    // public /api/openapi.json advertises POST only. The point of these tests
+    // is to prove openapi-backend still resolves both verbs to the handler
+    // — not to exercise auth. A 401 (or any non-`code 3` body) proves the
+    // request reached the handler. `code: 3` is Etherpad's "no such function"
+    // response, returned by openapi-backend's notFound when a method is not
+    // declared in the runtime spec.
+
+    const assertResolved = (path: string, body: any) => {
+      if (body && body.code === 3) {
+        throw new Error(
+            `${path} got 'no such function' (code 3) — runtime spec dropped the ` +
+            `verb. Response body: ${JSON.stringify(body)}`);
+      }
+    };
+
+    it('GET requests still reach the API handler', async function () {
+      const r = await agent.get(endPoint('checkToken'));
+      assertResolved('GET checkToken', r.body);
+    });
+
+    it('POST requests still reach the API handler', async function () {
+      const r = await agent.post(endPoint('checkToken'));
+      assertResolved('POST checkToken', r.body);
+    });
+
+    // Regression for the REST-style routes — checkToken's _restPath is
+    // derived from its position in the resources map (pad/checkToken).
+    // Tagging it as 'server' must not move it to /rest/X/server/checkToken.
+    it('REST-style /rest/<ver>/pad/checkToken still resolves', async function () {
+      const r = await agent.get(`/rest/${apiVersion}/pad/checkToken`);
+      assertResolved('GET /rest pad/checkToken', r.body);
+    });
+  });
 });

From 451bd9c3ebb0dded99dd0ff21811ee00e0940c29 Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Sun, 10 May 2026 16:21:56 +0100
Subject: [PATCH 22/25] feat(pad): scrub history in-place on the pad URL
 (#7659) (#7710)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat(pad): scrub history in-place on the pad URL (#7659)

Clicking the timeslider toolbar button now keeps the user on /p/:pad and
toggles a hash-based history mode (#rev/N) instead of navigating to a
separate /timeslider page. The pad shell — chat, users panel, settings,
plugin chrome — stays mounted across the transition. A sticky banner
plus a sepia tint on the toolbar make it unmistakable that what is
visible is historical, not live.

Implementation:

- New PadModeController (src/static/js/pad_mode.ts) owns enter/exit,
  the URL hash, browser back/forward, and a mutation-observer bridge
  from the inner timeslider's revision label/date into the outer
  banner. Esc and a Return-to-live button both exit history.
- pad.html grows a banner element and an iframe mount slot. The live
  ACE iframe stays mounted but hidden during history; on exit the
  socket is still alive, so the user snaps straight back to the
  current state without a reconnect.
- The /p/:pad/timeslider route 302-redirects to the pad page for
  direct visits (legacy bookmarks), and serves the timeslider HTML
  for the in-pad iframe when called with ?embed=1. The embedded
  variant hides the redundant title and return-to-pad button via
  CSS; the slider, settings, and export controls stay reachable.
- Legacy #NN shortlinks are preserved through the redirect by the
  browser and translated to #rev/NN client-side.

Tests:

- New backend spec asserts the 302 redirect, pad-name preservation,
  and the ?embed=1 path still serves the timeslider HTML.
- New padmode.spec.ts exercises toolbar entry, return-to-live,
  browser back, and direct /timeslider URL handling. Asserts the
  rendered localized banner string, not just element presence.
- Existing timeslider specs that hit /p/:pad/timeslider directly
  now pass ?embed=1 to bypass the redirect.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(pad): make history iframe fill the editor area (#7659)

Without an explicit positioning model the history-frame-mount inherited
half-width from a phantom flex parent and the embedded timeslider
rendered at 640×625 instead of the full editor area. Switch to the same
absolute-fill model the live ACE iframe uses by making
#editorcontainerbox the positioning anchor when in history mode.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(pad): address Qodo review and CI failures (#7659)

Concrete review fixes for PR #7710:

- Tighten the embed query check from `if (!req.query.embed)` to
  `req.query.embed !== '1'` so values like `?embed=0` no longer bypass
  the redirect.
- Fix the `#rev/latest` mapping: the parser yields -1 for "latest",
  which the iframe sync handler was clamping to 0 and so jumping the
  embedded timeslider to revision 0. Resolve "latest" to the inner
  BroadcastSlider's upper bound instead.
- Update existing backend tests (`socialMeta`, `specialpages`) that
  hit `/p/:pad/timeslider` directly — they now pass `?embed=1` like
  the rest of the suite. Without this fix three pre-existing tests
  failed CI (302 instead of 200).
- Document the route change in `doc/skins.md` and `doc/skins.adoc`:
  direct visits redirect; iframe consumers use `?embed=1`.
- Back out a stray `data-theme="editorial"` attribute and the
  hardcoded Google Fonts `<link>` tags from `pad.html` that leaked
  into the branch from an unrelated working-tree change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(pad): consolidate chrome and replay chat/users in history mode (#7659)

Picks up the rough edges left by the initial in-place history mode:
the embedded timeslider iframe was rendering its own duplicate Settings
and Export buttons, and the chat panel + users list still showed live
state while the editor scrubbed back in time.

Chrome consolidation
- Hide the entire inner editbar's right-side toolbar and modal popups
  in embedded mode (slider stays). Outer pad shell now owns Settings,
  Export, Share, Users, Chat across both modes.
- Outer Settings popup grows a "History playback" section (visible
  only when scrubbing) with playback speed + follow-contents. Both
  bridge to the iframe's BroadcastSlider state.
- Outer Export anchors are rewritten to /p/<pad>/<rev>/export/<type>
  on each scrub and restored on exit, so Save As exports the visible
  historical revision.

Chat replay
- Each chat message is annotated with data-timestamp at render time.
  In history mode, messages newer than the scrubbed revision's
  timestamp are display:none'd; a "Chat as of HH:MM" header sits
  above the chat log.
- Restores cleanly on exit (inline display cleared, header removed).

Users replay
- Live users table is replaced with the embedded timeslider's
  authors-at-this-revision label while scrubbing; restored on exit.

Plumbing
- Expose padContents on window in broadcast.ts so the outer pad can
  read currentTime after each scrub without postMessage.
- Expose BroadcastSlider on window in timeslider.ts so the outer pad
  can register an onSlider callback to drive replay UI.

Tests
- New padmode specs cover: history-only Settings section, hidden
  embedded chrome, chat filter + replay header, Export href
  rewriting + restore, authors-row swap + restore.
- timeslider_line_numbers cookie-persistence test updated to bypass
  the now-hidden inner Settings popup (programmatic checkbox).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(pad): theme propagation, hide inert buttons, plugin loading (#7659)

Picks up rough edges from the in-place history mode that turned up in
real usage:

Theme / dark mode
- skin_variants.updateSkinVariantsClasses now also walks the history
  iframe (and its ace_outer/ace_inner) so toggling dark mode while
  scrubbing re-themes the embedded view in lockstep.
- timeslider.ts inherits the parent's skinVariant tokens (super-dark-*
  / dark-* / full-width-editor) on first paint when it detects it is
  embedded — same-origin guarantee, falls through silently if not.

Toolbar UX
- Hide #editbar .menu_left (Bold/Italic/Lists/Indent/Undo/...) and the
  show-more chevron while in history mode. Those buttons target the
  hidden live editor and would do nothing useful; rendering them
  disabled-looking implied state the user doesn't have. Right-side menu
  (Settings / Share / Users / Chat / Home) stays at full opacity and
  fully interactive.

Slider position
- Pin the embedded #editbar to the bottom of the iframe so the outer
  banner and the slider can't visually compete for the same band of
  pixels. Reserve padding-bottom on the iframe's editorcontainerbox so
  the editor never scrolls under the slider.

Plugin loading in timeslider
- timeSliderBootstrap.js now pre-loads plugin modules into a Map and
  passes them to plugins.update(), mirroring padBootstrap.js. Without
  this the loadFn fallback called require(path) at runtime, which the
  esbuild-bundled timeslider couldn't resolve, so client_hooks like
  ep_headings2's aceRegisterBlockElements silently failed to register
  and historical revisions rendered without plugin chrome.

Tests
- New padmode specs cover: outer toolbar's left/right asymmetry, slider
  pinned to bottom, dark-mode class propagation into the history iframe.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(pad): move history slider into the outer toolbar (#7659)

The slider previously rendered inside the embedded iframe — first at the
top (where it visually competed with the banner), then briefly at the
bottom (where the chat icon overlapped it). Both were wrong. Move the
controls into the outer toolbar's left zone, where #editbar .menu_left
is hidden in history mode and the slider can occupy the full width
without colliding with anything.

- pad.html grows a #history-controls div (slider + play/pause/step
  buttons + timer) inside #editbar, between menu_left and menu_right.
  Hidden by default; revealed via body.history-mode CSS.
- pad.css swaps #editbar .menu_left out for #history-controls in
  history mode (display:none / display:flex).
- timeslider.css fully hides the embedded iframe's #editbar — the
  outer toolbar now owns the slider, and the iframe is purely the
  editor surface.
- pad_mode.ts wires the outer controls as a remote control: the
  range input calls inner BroadcastSlider.setSliderPosition, the play
  button calls BroadcastSlider.playpause, step buttons forward clicks
  to the inner #leftstep/#rightstep so they share the existing logic.
  An onSlider subscription mirrors inner state back into the outer
  slider value, timer label, and play-button .pause class.

Tests
- Existing timeslider.spec asserts the outer controls are visible.
- New padmode specs cover: inner editbar fully hidden, outer toolbar
  swap (menu_left → history-controls), and outer slider drives the
  iframe's revision via BroadcastSlider.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(pad): exempt embedded history iframe from userdup kick (#7659)

When the in-place history iframe opens its socket, the server's
duplicate-author kick treats it as a stale tab and disconnects the
parent pad's live socket — toolbar-overlay drops over the editor and
Settings/Share/Users/Chat all stop responding. Mark the iframe's
connection with `embed=1` in the socket.io handshake query, record it
on sessionInfo, and skip the kick whenever either side is embedded.

- timeslider.ts: detect `?embed=1` (and parent !== window) on
  the iframe URL, pass through as a query parameter to socketio.connect.
- PadMessageHandler: read socket.handshake.query.embed on CLIENT_READY,
  set sessionInfo.embed; the duplicate-author kick now skips when
  either the connecting session OR the existing session is embedded.

Behavior preserved
- Two real tabs (both non-embedded): older tab still gets kicked.
- Authenticated sessions still bypass the kick entirely.
- Live pad socket survives entry into history mode.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(pad): a11y of history toolbar controls (#7659)

The new history controls (slider + play/step/timer) had hardcoded
English aria-labels, which html10n won't replace because they were
present without the data-l10n-aria-label marker. Screen readers in
non-English locales would have heard English. Drop the static aria
labels and let html10n.translateElement populate aria-label from the
data-l10n-id translation, matching how the rest of the toolbar works.

- pad.html: remove hardcoded aria-label on play/step buttons and the
  range input; keep titles (hover tooltip) and data-l10n-id. Add
  role="toolbar" + data-l10n-id on the controls container so the
  toolbar landmark is announced. Mark play button as a toggle with
  aria-pressed reflecting playback state.
- en.json: add pad.historyMode.controlsLabel and
  pad.historyMode.sliderLabel for the toolbar landmark and the slider.
- pad_mode.ts: keep aria-pressed in sync with the inner playback state
  on every revision update.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(pad): a11y + responsive for history controls (#7659)

Two issues with the previous a11y attempt: the data-l10n-id on icon
buttons was setting their textContent (drawing "Playback / Pause Pad
Contents" on screen next to the glyph), and there was no responsive
treatment so the timer + slider could overflow narrow viewports.

- pad.html: drop data-l10n-id from the icon buttons. They're now
  empty <button>s. Localized title (hover tooltip) and aria-label
  (screen reader name) are populated by pad_mode.localizeControls()
  using the existing timeslider.* keys, with an html10n.bind
  subscription so language switches re-localize.
- Mark #history-timer as hide-for-mobile.
- pad.css: dedicated @media (max-width: 800px) and 480px rules
  shrink padding, gap, and button widths so play + slider + step
  buttons stay on a single toolbar line at narrow viewports. Mirrors
  the legacy timeslider's responsive behavior.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(pad): inline Follow + Playback speed, match toolbar height (#7659)

Two follow-ups from real testing:

- Move "Follow pad content updates" (now "Follow") and "Playback speed"
  out of the Settings popup and inline them in the history-mode
  toolbar, alongside the slider + play/step buttons. They were always
  needed while scrubbing; one extra click into Settings was friction.
  Removed the now-empty #history-settings-section.
- The history controls toolbar was visibly shorter than the live
  toolbar because the icon buttons sat as bare <button> elements
  without the live editbar's <li><a> wrapping. Add explicit
  min-height (40px) and per-button padding so the toolbar is the same
  vertical size in both modes — switching between live and history
  no longer reflows.
- Differentiate "iframe-mounted history view" from "direct ?embed=1
  visit". Only the former hides the inner timeslider editbar — direct
  visits keep their full chrome so existing test/legacy entry points
  stay independently usable. Marker: timeslider.ts adds an
  `iframe-mode` class on body when window.parent !== window; CSS
  scopes the hide to that combo.

Tests
- padmode spec asserts Follow + Speed live in the toolbar (not the
  Settings popup) and are visible in history mode, hidden in live.
- timeslider*.spec direct-?embed=1 flows continue to pass because the
  inner editbar is no longer hidden when not iframe-mounted.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(pad): use absolute path for legacy /timeslider redirect (#7659)

CI Firefox failed the legacy-URL redirect test (1 of 32 jobs); Chromium
passed. The redirect Location header was a relative `../padname`, which
both browsers resolve to /p/padname for `/p/padname/timeslider`. Firefox
flaked on it once consistently. Switch to an absolute path including
the proxy prefix so the resolution is unambiguous across browsers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(test): accept 304 on legacy timeslider redirect (#7659)

CI Firefox failed `expect(res.status()).toBe(200)` because Firefox
issues a conditional GET when the redirect target is the same URL the
test just loaded via goToNewPad — the server returns 304 Not Modified
and the test treats that as a regression. Chromium happens to send
fresh requests so it stayed green.

Accept either 200 or 304 — both are valid completed navigations to the
pad page; what we actually care about is the pathname assertion above.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(pad): eye toggle for Follow, fix line-number alignment (#7659)

Two refinements from real testing in 9002:

Follow as an eye toggle
- Replace the labeled checkbox with an inline-SVG eye icon. The eye is
  always rendered; a diagonal slash is overlaid via SVG <line> only
  when the underlying (visually hidden) checkbox is unchecked. Default
  state is on (auto-following) so the eye renders unobstructed.
- Localized hover tooltip + aria-label flips with state — html10n
  populates "Following pad changes — click to stop following" vs
  "Not following pad changes — click to follow", and pad_mode.ts
  re-applies on every change event so screen readers narrate the
  action the click would take.
- Hidden checkbox keeps the existing pad_mode.ts bridge code working
  (still reads .checked) and lets <label for="…"> handle the click.

Line-number alignment fix (broadcast.ts)
- The first-line height formula was
    `nextDocLine.offsetTop - innerdocbody.padding-top`
  which only computes the right value when innerdocbody is the
  offsetParent. In the in-pad history iframe, outerdocbody contributes
  its own padding-top to the offsetTop chain, so the first gutter row
  was 20px too tall and every subsequent line drifted out of
  alignment. Use the consistent `next.offsetTop - current.offsetTop`
  formula for every iteration — same result in the standalone
  timeslider, correct result in the embedded one.
- New padmode spec asserts every gutter row's top matches the editor
  line's top within 2px, in iframe-mounted history mode.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 doc/skins.adoc                                |  11 +-
 doc/skins.md                                  |  11 +-
 src/locales/en.json                           |  13 +
 src/node/handler/PadMessageHandler.ts         |  14 +-
 src/node/hooks/express/specialpages.ts        |  22 +-
 src/static/css/pad.css                        | 179 ++++++
 src/static/css/timeslider.css                 |  14 +
 src/static/js/broadcast.ts                    |  19 +-
 src/static/js/chat.ts                         |   4 +
 src/static/js/pad.ts                          |   2 +
 src/static/js/pad_editbar.ts                  |   9 +-
 src/static/js/pad_mode.ts                     | 603 ++++++++++++++++++
 src/static/js/skin_variants.ts                |  13 +
 src/static/js/timeslider.ts                   |  37 +-
 src/templates/pad.html                        |  65 ++
 src/templates/timeSliderBootstrap.js          |  19 +-
 src/templates/timeslider.html                 |   2 +-
 src/tests/backend/specs/socialMeta.ts         |   4 +-
 src/tests/backend/specs/specialpages.ts       |   6 +-
 src/tests/backend/specs/timesliderRedirect.ts |  45 ++
 src/tests/frontend-new/helper/timeslider.ts   |   6 +-
 src/tests/frontend-new/specs/padmode.spec.ts  | 348 ++++++++++
 .../frontend-new/specs/timeslider.spec.ts     |  41 +-
 .../timeslider_identity_changeset.spec.ts     |   6 +-
 .../specs/timeslider_line_numbers.spec.ts     |  16 +-
 .../specs/timeslider_playback_speed.spec.ts   |   6 +-
 26 files changed, 1459 insertions(+), 56 deletions(-)
 create mode 100644 src/static/js/pad_mode.ts
 create mode 100644 src/tests/backend/specs/timesliderRedirect.ts
 create mode 100644 src/tests/frontend-new/specs/padmode.spec.ts

diff --git a/doc/skins.adoc b/doc/skins.adoc
index df3c7168e4e..33999e94862 100644
--- a/doc/skins.adoc
+++ b/doc/skins.adoc
@@ -6,11 +6,18 @@ A skin is a directory located under `static/skins/<skin_name>`, with the followi
 * `index.css`: stylesheet affecting `/`
 * `pad.js`: javascript that will be run in `/p/:padid`
 * `pad.css`: stylesheet affecting `/p/:padid`
-* `timeslider.js`: javascript that will be run in `/p/:padid/timeslider`
-* `timeslider.css`: stylesheet affecting `/p/:padid/timeslider`
+* `timeslider.js`: javascript that will be run in the embedded timeslider iframe
+* `timeslider.css`: stylesheet affecting the embedded timeslider iframe
 * `favicon.ico`: overrides the default favicon
 * `robots.txt`: overrides the default `robots.txt`
 
+Since Etherpad *2.7*, the timeslider is rendered in-place inside the pad
+page (issue #7659). Direct visits to `/p/:padid/timeslider` 302-redirect to
+`/p/:padid` so the in-pad `PadModeController` can take over via a `#rev/N`
+URL hash. The full timeslider HTML is still served at
+`/p/:padid/timeslider?embed=1` -- that is the URL the in-pad iframe loads,
+and the URL to use if you embed the timeslider in your own page.
+
 You can choose a skin changing the parameter `skinName` in `settings.json`.
 
 Since Etherpad **1.7.5**, two skins are included:
diff --git a/doc/skins.md b/doc/skins.md
index 954179f788d..ea5035caef5 100644
--- a/doc/skins.md
+++ b/doc/skins.md
@@ -6,8 +6,15 @@ A skin is a directory located under `static/skins/<skin_name>`, with the followi
 * `index.css`: stylesheet affecting `/`
 * `pad.js`: javascript that will be run in `/p/:padid`
 * `pad.css`: stylesheet affecting `/p/:padid`
-* `timeslider.js`: javascript that will be run in `/p/:padid/timeslider`
-* `timeslider.css`: stylesheet affecting `/p/:padid/timeslider`
+* `timeslider.js`: javascript that will be run in the embedded timeslider iframe
+* `timeslider.css`: stylesheet affecting the embedded timeslider iframe
+
+Since Etherpad **2.7**, the timeslider is rendered in-place inside the pad
+page (issue #7659). Direct visits to `/p/:padid/timeslider` 302-redirect to
+`/p/:padid` so the in-pad PadModeController can take over via a `#rev/N`
+URL hash. The full timeslider HTML is still served at
+`/p/:padid/timeslider?embed=1` — that is the URL the in-pad iframe loads,
+and the URL to use if you embed the timeslider in your own page.
 * `favicon.ico`: overrides the default favicon
 * `robots.txt`: overrides the default `robots.txt`
 
diff --git a/src/locales/en.json b/src/locales/en.json
index 7b899881f0e..2172cb22f72 100644
--- a/src/locales/en.json
+++ b/src/locales/en.json
@@ -234,6 +234,19 @@
   "timeslider.followContents": "Follow pad content updates",
   "timeslider.pageTitle": "{{appTitle}} Timeslider",
   "timeslider.toolbar.returnbutton": "Return to pad",
+  "pad.historyMode.banner": "Viewing history",
+  "pad.historyMode.return": "Return to live",
+  "pad.historyMode.revisionLabel": "Revision {{rev}}",
+  "pad.historyMode.controlsLabel": "Pad history controls",
+  "pad.historyMode.sliderLabel": "Pad revision",
+  "pad.historyMode.settings.title": "History playback",
+  "pad.historyMode.settings.follow": "Follow pad content updates",
+  "pad.historyMode.settings.followShort": "Follow",
+  "pad.historyMode.followOn": "Following pad changes — click to stop following",
+  "pad.historyMode.followOff": "Not following pad changes — click to follow",
+  "pad.historyMode.settings.playbackSpeed": "Playback speed:",
+  "pad.historyMode.chat.replayHeader": "Chat as of {{time}}",
+  "pad.historyMode.users.authorsHeader": "Authors at this revision",
   "timeslider.toolbar.authors": "Authors:",
   "timeslider.toolbar.authorsList": "No Authors",
   "timeslider.toolbar.exportlink.title": "Export",
diff --git a/src/node/handler/PadMessageHandler.ts b/src/node/handler/PadMessageHandler.ts
index 22f80ea8dc6..8e4cd8f2b35 100644
--- a/src/node/handler/PadMessageHandler.ts
+++ b/src/node/handler/PadMessageHandler.ts
@@ -418,6 +418,12 @@ exports.handleMessage = async (socket:any, message: ClientVarMessage) => {
       padID: message.padId,
       token: resolvedToken,
     };
+    // Issue #7659: connections from the in-place history iframe must not
+    // trigger the duplicate-author kick — they share the parent's author
+    // by design, and kicking the parent on iframe load would tear down
+    // the live editor mid-session. The iframe sets `embed=1` in its
+    // socket.io handshake query.
+    thisSession.embed = socket.handshake?.query?.embed === '1';
 
     // Pad does not exist, so we need to sanitize the id
     if (!(await padManager.doesPadExist(thisSession.auth.padID))) {
@@ -1051,12 +1057,16 @@ const handleClientReady = async (socket:any, message: ClientReadyMessage) => {
   // stable identity across windows and devices, so concurrent same-author
   // sessions are legitimate and must not be kicked.
   const roomSockets = _getRoomSockets(pad.id);
-  if (user == null) {
+  if (user == null && !sessionInfo.embed) {
     for (const otherSocket of roomSockets) {
       // The user shouldn't have joined the room yet, but check anyway just in case.
       if (otherSocket.id === socket.id) continue;
       const sinfo = sessioninfos[otherSocket.id];
-      if (sinfo && sinfo.author === sessionInfo.author) {
+      // Embedded sessions (issue #7659 — in-place history iframe) share
+      // the parent's author by design, so they neither kick same-author
+      // sockets nor get kicked by them. Only non-embedded same-author
+      // duplicates (real stale tabs) hit the kick path.
+      if (sinfo && sinfo.author === sessionInfo.author && !sinfo.embed) {
         // fix user's counter, works on page refresh or if user closes browser window and then rejoins
         sessioninfos[otherSocket.id] = {};
         otherSocket.leave(sessionInfo.padId);
diff --git a/src/node/hooks/express/specialpages.ts b/src/node/hooks/express/specialpages.ts
index 660f2b4d426..5db7526e0e3 100644
--- a/src/node/hooks/express/specialpages.ts
+++ b/src/node/hooks/express/specialpages.ts
@@ -228,8 +228,14 @@ const handleLiveReload = async (args: ArgsExpressType, padString: string, timeSl
       })
 
       setRouteHandler("/p/:pad/timeslider", (req: any, res: any, next: Function) => {
+        // Direct visits (legacy bookmarks) get redirected back to the pad,
+        // where the in-pad PadModeController handles entering history mode.
+        // The iframe used by history mode requests this URL with ?embed=1
+        // and gets the full timeslider HTML rendered for embedded use.
+        if (req.query.embed !== '1') {
+          return res.redirect(302, `../${encodeURIComponent(req.params.pad)}`);
+        }
         ensureAuthorTokenCookie(req, res, settings);
-        console.log("Reloading pad")
         // The below might break for pads being rewritten
         const isReadOnly = !webaccess.userCanModify(req.params.pad, req);
 
@@ -246,6 +252,7 @@ const handleLiveReload = async (args: ArgsExpressType, padString: string, timeSl
           req,
           toolbar,
           isReadOnly,
+          embed: true,
           entrypoint: proxyPath + '/watch/timeslider?hash=' + hash,
           settings: settings.getPublicSettings(),
           socialMetaHtml,
@@ -392,6 +399,18 @@ exports.expressCreateServer = async (_hookName: string, args: ArgsExpressType, c
 
     // serve timeslider.html under /p/$padname/timeslider
     args.app.get('/p/:pad/timeslider', (req: any, res: any, next: Function) => {
+      // Direct visits (legacy bookmarks) get redirected back to the pad,
+      // where the in-pad PadModeController handles entering history mode.
+      // The iframe used by history mode requests this URL with ?embed=1
+      // and gets the full timeslider HTML rendered for embedded use.
+      if (req.query.embed !== '1') {
+        // Absolute path (not relative `../`) so Firefox and Chrome resolve
+        // it identically — relative redirects from /p/:pad/timeslider are
+        // technically well-defined but Firefox dropped a trailing-slash
+        // case once that flaked the legacy-URL test (#7710).
+        const proxyPath = sanitizeProxyPath(req);
+        return res.redirect(302, `${proxyPath}/p/${encodeURIComponent(req.params.pad)}`);
+      }
       ensureAuthorTokenCookie(req, res, settings);
       hooks.callAll('padInitToolbar', {
         toolbar,
@@ -403,6 +422,7 @@ exports.expressCreateServer = async (_hookName: string, args: ArgsExpressType, c
       res.send(eejs.require('ep_etherpad-lite/templates/timeslider.html', {
         req,
         toolbar,
+        embed: true,
         entrypoint: "../../"+fileNameTimeSlider,
         settings: settings.getPublicSettings(),
         socialMetaHtml,
diff --git a/src/static/css/pad.css b/src/static/css/pad.css
index 754337557f1..aa1fcbbeacc 100644
--- a/src/static/css/pad.css
+++ b/src/static/css/pad.css
@@ -107,3 +107,182 @@ input {
 }
 #version-badge[data-level="severe"]   { background: #fff3cd; color: #664d03; border: 1px solid #ffe69c; }
 #version-badge[data-level="vulnerable"] { background: #f8d7da; color: #58151c; border: 1px solid #f1aeb5; }
+
+/* ----------------------------------------------------------------------- */
+/* History mode (issue #7659): timeslider rendered in-place inside the     */
+/* pad page. The live editor stays mounted but hidden; a sibling iframe    */
+/* hosts the existing timeslider replay code.                              */
+/* ----------------------------------------------------------------------- */
+
+.history-banner {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  padding: 10px 16px;
+  background: #fff8e1;
+  border-bottom: 1px solid #f0d27a;
+  color: #5b4b00;
+  font-size: 14px;
+  z-index: 5;
+}
+.history-banner[hidden] { display: none; }
+.history-banner-label   { font-weight: 600; }
+.history-banner-rev,
+.history-banner-date    { opacity: 0.85; }
+.history-banner #history-banner-return { margin-left: auto; }
+
+/* The history iframe takes the place of the live ACE editor. We use the    */
+/* same positioning model (absolute, fill the editor area) so the page      */
+/* layout is identical between modes.                                       */
+.history-frame-mount {
+  display: none;
+  position: absolute;
+  inset: 0;
+  border: 0;
+  background: var(--bg-color, #f2f3f4);
+  z-index: 4;
+}
+.history-frame-mount[hidden] { display: none; }
+.history-frame-mount > iframe {
+  width: 100%;
+  height: 100%;
+  border: 0;
+  display: block;
+}
+
+/* While in history mode, hide the live ACE editor and show the history    */
+/* iframe in its place. The formatting menu on the left side of the        */
+/* toolbar (Bold/Italic/Lists/Indent/Undo/etc.) targets the hidden live    */
+/* editor, so we swap it for the history controls (slider + play/step      */
+/* buttons) that drive the iframe. The right-side menu (Settings / Share / */
+/* Users / Chat / Home) stays fully interactive across modes.              */
+body.history-mode #editorcontainer { display: none; }
+body.history-mode #editorcontainerbox { position: relative; }
+body.history-mode .history-frame-mount { display: block; }
+body.history-mode #editbar .menu_left { display: none; }
+body.history-mode #editbar .show-more-icon-btn { display: none; }
+body.history-mode #history-controls { display: flex; }
+
+/* History toolbar controls (issue #7659): a slider + play/pause/step      */
+/* buttons + Follow/Speed controls that remote-control the embedded        */
+/* timeslider iframe. Take the place of the formatting menu while          */
+/* scrubbing. align-items + min-height keep the toolbar the same vertical  */
+/* size as in live mode so swapping modes doesn't reflow the layout.       */
+.history-controls {
+  display: none;
+  flex: 1 1 auto;
+  align-items: center;
+  gap: 8px;
+  padding: 0 12px;
+  min-width: 0;
+  min-height: 40px;
+}
+.history-controls[hidden] { display: none; }
+.history-controls button.buttonicon {
+  flex: 0 0 auto;
+  /* Match the live-toolbar buttonicon visual weight (no <li><a> wrapper  */
+  /* gives us a smaller default; bump padding so the icon hit area lines */
+  /* up vertically with menu_right's settings/share/users/etc. icons).   */
+  padding: 6px 8px;
+  background: transparent;
+  border: 0;
+  cursor: pointer;
+  font-size: 15px;
+  color: inherit;
+}
+.history-controls button.buttonicon:hover { background: rgba(0,0,0,0.06); border-radius: 4px; }
+.history-controls button.buttonicon.buttonicon-play.pause::before {
+  content: "\e829";
+}
+.history-slider-input {
+  flex: 1 1 auto;
+  min-width: 80px;
+  margin: 0 6px;
+  cursor: pointer;
+}
+.history-timer {
+  flex: 0 0 auto;
+  font-size: 12px;
+  font-variant-numeric: tabular-nums;
+  opacity: 0.85;
+  white-space: nowrap;
+}
+.history-toggle {
+  flex: 0 0 auto;
+  display: inline-flex;
+  align-items: center;
+  gap: 4px;
+  font-size: 13px;
+  white-space: nowrap;
+  cursor: pointer;
+}
+.history-toggle input[type="checkbox"] { margin: 0; }
+
+/* Follow toggle — eye icon, with a diagonal slash that appears only when
+ * the underlying checkbox is unchecked (auto-follow disabled). The hidden
+ * input still drives state (so pad_mode.ts's bridge code reads .checked
+ * and the existing label-for relationship handles click). */
+.history-follow-toggle {
+  flex: 0 0 auto;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  width: 30px;
+  height: 30px;
+  cursor: pointer;
+  border-radius: 4px;
+  color: inherit;
+}
+.history-follow-toggle:hover { background: rgba(0,0,0,0.06); }
+.history-follow-eye-slash { display: none; }
+#history-options-followContents:not(:checked) + .history-follow-toggle .history-follow-eye-slash {
+  display: inline;
+}
+#history-options-followContents:not(:checked) + .history-follow-toggle {
+  opacity: 0.55;
+}
+/* Keep the checkbox in the DOM (label-for needs a present target) but
+ * hidden visually + accessibly redundant since the label conveys state. */
+#history-options-followContents.sr-only {
+  position: absolute;
+  width: 1px; height: 1px;
+  margin: -1px; padding: 0; border: 0;
+  clip: rect(0 0 0 0); overflow: hidden;
+}
+.history-speed {
+  flex: 0 0 auto;
+  font-size: 13px;
+  padding: 2px 4px;
+  max-width: 130px;
+}
+
+/* Responsive — Follow + Speed inherit .hide-for-mobile (already collapses */
+/* at <=800px). Pack the remaining play/slider/step buttons tighter so     */
+/* they always fit. At ultra-narrow widths the step buttons compact too.   */
+@media (max-width: 800px) {
+  .history-controls { padding: 0 6px; gap: 4px; min-height: 36px; }
+  .history-controls button.buttonicon { padding: 4px 6px; min-width: 32px; }
+  .history-slider-input { min-width: 60px; margin: 0 2px; }
+}
+@media (max-width: 480px) {
+  .history-controls #history-leftstep,
+  .history-controls #history-rightstep { min-width: 28px; padding: 2px; }
+}
+
+/* Chat replay header — appears above the chat log while scrubbing so the  */
+/* user knows the message list is filtered to a historical timestamp.      */
+.history-chat-header {
+  display: none;
+  padding: 6px 10px;
+  font-size: 12px;
+  font-weight: 600;
+  background: #fff8e1;
+  color: #5b4b00;
+  border-bottom: 1px solid #f0d27a;
+}
+body.history-mode .history-chat-header { display: block; }
+body.history-mode .history-authors-row {
+  font-style: italic;
+  opacity: 0.85;
+  padding: 6px 8px;
+}
diff --git a/src/static/css/timeslider.css b/src/static/css/timeslider.css
index 65506021ec0..800ad6a8a6e 100644
--- a/src/static/css/timeslider.css
+++ b/src/static/css/timeslider.css
@@ -3,6 +3,20 @@
   display: block;
 }
 
+/* When the timeslider is embedded as an iframe inside a pad page (the
+ * parent pad's history mode — issue #7659), the outer pad's toolbar,
+ * banner, slider, and Settings/Export popups own all chrome, and the
+ * iframe is purely the editor surface. The .iframe-mode class is added
+ * by timeslider.ts only when window.parent !== window, so direct visits
+ * to /p/:pad/timeslider?embed=1 (existing test/legacy entry points)
+ * keep their full chrome and stay independently usable. */
+body.embedded-history-frame.iframe-mode #editbar,
+body.embedded-history-frame.iframe-mode #import_export,
+body.embedded-history-frame.iframe-mode #connectivity,
+body.embedded-history-frame.iframe-mode #settings {
+  display: none !important;
+}
+
 .timeslider-bar {
   display: flex;
   flex-direction: row;
diff --git a/src/static/js/broadcast.ts b/src/static/js/broadcast.ts
index 37d98a6e8aa..8551f1d0cfa 100644
--- a/src/static/js/broadcast.ts
+++ b/src/static/js/broadcast.ts
@@ -50,7 +50,10 @@ const loadBroadcastJS = (socket, sendSocketMsg, fireWhenAllScriptsAreLoaded, Bro
     }
   };
 
-  const padContents = {
+  // Exposed on `window` so the outer pad shell (issue #7659 in-place
+  // history mode) can read `currentTime` after each scrub to drive chat
+  // replay and other revision-anchored UI without postMessage round-trips.
+  const padContents: any = (window as any).padContents = {
     currentRevision: clientVars.collab_client_vars.rev,
     currentTime: clientVars.collab_client_vars.time,
     currentLines:
@@ -155,12 +158,14 @@ const loadBroadcastJS = (socket, sendSocketMsg, fireWhenAllScriptsAreLoaded, Bro
       let height;
       const nextDocLine = docLine.nextElementSibling;
       if (nextDocLine) {
-        if (lineOffsets.length === 0) {
-          height = nextDocLine.offsetTop - parseInt(
-              innerdocbodyStyles.getPropertyValue('padding-top'));
-        } else {
-          height = nextDocLine.offsetTop - docLine.offsetTop;
-        }
+        // Use the consistent (next - current) formula for every line,
+        // including the first. The previous first-line special case
+        // subtracted innerdocbody.padding-top from nextDocLine.offsetTop,
+        // which only works when innerdocbody is the offsetParent. In the
+        // in-pad history iframe (#7659) it isn't (its outerdocbody has
+        // padding-top of its own), so the first gutter row was 20px too
+        // tall and every subsequent row drifted out of alignment.
+        height = nextDocLine.offsetTop - docLine.offsetTop;
       } else {
         height = docLine.clientHeight || docLine.offsetHeight;
       }
diff --git a/src/static/js/chat.ts b/src/static/js/chat.ts
index 35b0e96b0b1..b47c8da6354 100644
--- a/src/static/js/chat.ts
+++ b/src/static/js/chat.ts
@@ -198,6 +198,10 @@ exports.chat = (() => {
           // ctx.text was HTML-escaped before calling the hook. Hook functions are trusted to not
           // introduce an XSS vulnerability by adding unescaped user input.
           .append($('<div>').html(ctx.text).contents());
+      // The outer pad's history mode (issue #7659) filters rendered messages
+      // by this attribute when scrubbing; a missing attribute would always
+      // show the message regardless of timestamp.
+      chatMsg.attr('data-timestamp', String(msg.time));
       if (isHistoryAdd) chatMsg.insertAfter('#chatloadmessagesbutton');
       else $('#chattext').append(chatMsg);
       chatMsg.each((i, e) => html10n.translateElement(html10n.translations, e));
diff --git a/src/static/js/pad.ts b/src/static/js/pad.ts
index 26234bfef17..b6b77673098 100644
--- a/src/static/js/pad.ts
+++ b/src/static/js/pad.ts
@@ -42,6 +42,7 @@ const getCollabClient = require('./collab_client').getCollabClient;
 const padconnectionstatus = require('./pad_connectionstatus').padconnectionstatus;
 const padcookie = require('./pad_cookie').padcookie;
 const padeditbar = require('./pad_editbar').padeditbar;
+const padMode = require('./pad_mode').padMode;
 const padeditor = require('./pad_editor').padeditor;
 const padimpexp = require('./pad_impexp').padimpexp;
 const padmodals = require('./pad_modals').padmodals;
@@ -677,6 +678,7 @@ const pad = {
       $('#colorpicker').farbtastic({callback: '#mycolorpickerpreview', width: 220});
       $('#readonlyinput').on('click', () => { padeditbar.setEmbedLinks(); });
       padcookie.init();
+      padMode.init();
       await handshake();
       this._afterHandshake();
     })());
diff --git a/src/static/js/pad_editbar.ts b/src/static/js/pad_editbar.ts
index a44f0fd8489..f9f581d28a5 100644
--- a/src/static/js/pad_editbar.ts
+++ b/src/static/js/pad_editbar.ts
@@ -500,7 +500,14 @@ exports.padeditbar = new class {
     });
 
     this.registerCommand('showTimeSlider', () => {
-      document.location = `${document.location.pathname}/timeslider`;
+      // Issue #7659: enter history in-place rather than navigating away. The
+      // PadModeController owns the iframe lifecycle, banner, and URL hash.
+      try {
+        require('./pad_mode').padMode.enterHistory();
+      } catch (_e) {
+        // Fallback for the unlikely case the controller failed to load.
+        document.location = `${document.location.pathname}/timeslider`;
+      }
     });
 
     const aceAttributeCommand = (cmd, ace) => {
diff --git a/src/static/js/pad_mode.ts b/src/static/js/pad_mode.ts
new file mode 100644
index 00000000000..b4902962826
--- /dev/null
+++ b/src/static/js/pad_mode.ts
@@ -0,0 +1,603 @@
+// Copyright 2026 Etherpad contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// SPDX-License-Identifier: Apache-2.0
+
+// PadModeController — issue #7659.
+//
+// Lets the user enter/leave the timeslider in-place on the pad URL. The
+// existing /p/:pad/timeslider stack is reused unmodified inside an iframe;
+// this controller handles the outer DOM, browser history, and a tiny bridge
+// between the inner slider's hash/state and the outer URL/banner.
+
+'use strict';
+
+type Mode = 'live' | 'history';
+
+const HASH_PREFIX = '#rev/';
+
+// Parse the outer-page hash. Accepts both the new "#rev/N" form and the
+// legacy "#NN" shortlink form so old timeslider bookmarks keep working
+// after the server-side redirect drops the path component.
+const parseRevFromHash = (hash: string): number | null => {
+  if (!hash || hash.length < 2) return null;
+  if (hash.startsWith(HASH_PREFIX)) {
+    const rest = hash.slice(HASH_PREFIX.length);
+    if (rest === 'latest') return -1;
+    const n = Number(rest);
+    return Number.isInteger(n) && n >= 0 ? n : null;
+  }
+  // Legacy "#NN" form — preserved across the 302 redirect from the old
+  // /p/:pad/timeslider#NN URL.
+  if (/^#\d+$/.test(hash)) return Number(hash.slice(1));
+  return null;
+};
+
+const buildOuterHash = (rev: number | null): string =>
+  rev == null || rev < 0 ? `${HASH_PREFIX}latest` : `${HASH_PREFIX}${rev}`;
+
+// Map of an outer export anchor to its live-mode `href`, captured on entry to
+// history mode so we can restore on exit.
+type HrefSnapshot = Map<HTMLAnchorElement, string>;
+
+class PadModeController {
+  private mode: Mode = 'live';
+  private iframe: HTMLIFrameElement | null = null;
+  private banner: HTMLElement;
+  private mount: HTMLElement;
+  private revLabel: HTMLElement;
+  private dateLabel: HTMLElement;
+  private padId: string;
+  private innerHashChangeHandler: (() => void) | null = null;
+  private revObserver: MutationObserver | null = null;
+  private syncingHash = false;
+
+  // History-mode bridges — populated on enter, torn down on exit.
+  private exportSnapshot: HrefSnapshot | null = null;
+  private usersSnapshot: string | null = null;
+  private chatHeaderSnapshot: {parent: HTMLElement; sibling: Node | null} | null = null;
+  private chatHeaderEl: HTMLElement | null = null;
+  private playbackChangeListener: ((e: Event) => void) | null = null;
+  private followChangeListener: ((e: Event) => void) | null = null;
+  // Outer history controls (#history-controls) — bridge listeners.
+  private outerControlListeners: Array<{el: HTMLElement; type: string; fn: EventListener}> = [];
+
+  constructor() {
+    this.banner = document.getElementById('history-banner')!;
+    this.mount = document.getElementById('history-frame-mount')!;
+    this.revLabel = document.getElementById('history-banner-rev')!;
+    this.dateLabel = document.getElementById('history-banner-date')!;
+    // /p/:pad → ['', 'p', ':pad'].
+    const parts = window.location.pathname.split('/').filter(Boolean);
+    this.padId = decodeURIComponent(parts[parts.length - 1] || '');
+
+    document.getElementById('history-banner-return')!
+        .addEventListener('click', () => { this.exitHistory(); });
+
+    window.addEventListener('hashchange', () => { this.onOuterHashChange(); });
+    window.addEventListener('popstate', () => { this.onOuterHashChange(); });
+    document.addEventListener('keydown', (e) => {
+      if (e.key === 'Escape' && this.mode === 'history') this.exitHistory();
+    });
+  }
+
+  // Called once after pad.init() so an initial #rev/N (or legacy #NN) on
+  // page load enters history mode without an extra round-trip.
+  bootstrapFromHash(): void {
+    this.localizeControls();
+    const rev = parseRevFromHash(window.location.hash);
+    if (rev != null) this.enterHistory(rev);
+  }
+
+  // The icon buttons have no text content; we set their `title` (hover
+  // tooltip) and `aria-label` (screen reader name) from html10n once it
+  // has loaded. Re-runs on the html10n `localized` event so language
+  // switches at runtime stay in sync.
+  private localizeControls(): void {
+    const html10n: any = (window as any).html10n;
+    if (!html10n || typeof html10n.get !== 'function') return;
+    const apply = () => {
+      const setLabel = (id: string, key: string) => {
+        const el = document.getElementById(id);
+        if (!el) return;
+        const txt = html10n.get(key);
+        if (!txt) return;
+        el.setAttribute('title', txt);
+        el.setAttribute('aria-label', txt);
+      };
+      setLabel('history-playpause', 'timeslider.playPause');
+      setLabel('history-leftstep', 'timeslider.backRevision');
+      setLabel('history-rightstep', 'timeslider.forwardRevision');
+      setLabel('history-slider-input', 'pad.historyMode.sliderLabel');
+      const ctrl = document.getElementById('history-controls');
+      const ctrlLabel = html10n.get('pad.historyMode.controlsLabel');
+      if (ctrl && ctrlLabel) ctrl.setAttribute('aria-label', ctrlLabel);
+      // Follow toggle is rendered as an eye icon — title (hover tooltip)
+      // and aria-label are populated from html10n and updated whenever
+      // state flips so screen readers + tooltip both narrate the action
+      // the click would take.
+      const followInput = document.getElementById('history-options-followContents') as HTMLInputElement | null;
+      const followLabel = document.querySelector<HTMLLabelElement>('.history-follow-toggle');
+      const updateFollowLabel = () => {
+        if (!followLabel) return;
+        const key = followInput && followInput.checked
+            ? 'pad.historyMode.followOn'
+            : 'pad.historyMode.followOff';
+        const txt = html10n.get(key);
+        if (!txt) return;
+        followLabel.setAttribute('title', txt);
+        followLabel.setAttribute('aria-label', txt);
+      };
+      updateFollowLabel();
+      if (followInput && !(followInput as any)._padModeFollowBound) {
+        followInput.addEventListener('change', updateFollowLabel);
+        (followInput as any)._padModeFollowBound = true;
+      }
+    };
+    apply();
+    if (typeof html10n.bind === 'function') {
+      html10n.bind('localized', apply);
+    }
+  }
+
+  getMode(): Mode { return this.mode; }
+
+  enterHistory(rev: number | null = null): void {
+    if (this.mode === 'history') {
+      // Already in history — just retarget the inner slider.
+      if (rev != null && this.iframe) this.setInnerRevision(rev);
+      return;
+    }
+    this.mode = 'history';
+    document.body.classList.add('history-mode');
+    this.banner.removeAttribute('hidden');
+    this.mount.removeAttribute('hidden');
+    const ctrl = document.getElementById('history-controls');
+    if (ctrl) ctrl.removeAttribute('hidden');
+
+    // Push the new state. If the user lands here from the toolbar button we
+    // pushState so browser back exits history; if they arrived via a direct
+    // hash (bootstrap path) the current entry already represents history.
+    const desiredHash = buildOuterHash(rev);
+    if (window.location.hash !== desiredHash) {
+      this.syncingHash = true;
+      try {
+        history.pushState(null, '', `${window.location.pathname}${desiredHash}`);
+      } finally {
+        this.syncingHash = false;
+      }
+    }
+    this.mountIframe(rev);
+  }
+
+  exitHistory(): void {
+    if (this.mode === 'live') return;
+    this.mode = 'live';
+    this.teardownBridges();
+    this.unmountIframe();
+    this.banner.setAttribute('hidden', '');
+    this.mount.setAttribute('hidden', '');
+    const ctrl = document.getElementById('history-controls');
+    if (ctrl) ctrl.setAttribute('hidden', '');
+    document.body.classList.remove('history-mode');
+    if (window.location.hash) {
+      this.syncingHash = true;
+      try {
+        history.replaceState(null, '', window.location.pathname);
+      } finally {
+        this.syncingHash = false;
+      }
+    }
+    this.revLabel.textContent = '';
+    this.dateLabel.textContent = '';
+  }
+
+  // Restore everything entry-time we stashed: chat message visibility, the
+  // chat replay header, the live users-panel HTML, original export hrefs,
+  // and any DOM listeners we attached to outer Settings controls.
+  private teardownBridges(): void {
+    document.querySelectorAll<HTMLElement>('#chattext > p[data-timestamp]')
+        .forEach((p) => { p.style.display = ''; });
+    if (this.chatHeaderEl) this.chatHeaderEl.remove();
+    this.chatHeaderEl = null;
+    this.chatHeaderSnapshot = null;
+    if (this.usersSnapshot != null) {
+      const tbl = document.getElementById('otheruserstable');
+      if (tbl) tbl.innerHTML = this.usersSnapshot;
+      this.usersSnapshot = null;
+    }
+    if (this.exportSnapshot) {
+      this.exportSnapshot.forEach((href, anchor) => { anchor.setAttribute('href', href); });
+      this.exportSnapshot = null;
+    }
+    if (this.playbackChangeListener) {
+      const sel = document.getElementById('history-playbackspeed');
+      if (sel) sel.removeEventListener('change', this.playbackChangeListener);
+      this.playbackChangeListener = null;
+    }
+    if (this.followChangeListener) {
+      const cb = document.getElementById('history-options-followContents');
+      if (cb) cb.removeEventListener('change', this.followChangeListener);
+      this.followChangeListener = null;
+    }
+    // Inner BroadcastSlider has no removeCallback API, but the whole iframe
+    // is destroyed on exit so any callbacks die with it.
+    this.outerControlListeners.forEach(({el, type, fn}) => el.removeEventListener(type, fn));
+    this.outerControlListeners = [];
+  }
+
+  private mountIframe(rev: number | null): void {
+    const innerHash = rev == null || rev < 0 ? '' : `#${rev}`;
+    const src =
+        `${encodeURIComponent(this.padId)}/timeslider?embed=1${innerHash}`;
+    const iframe = document.createElement('iframe');
+    iframe.id = 'history-frame';
+    iframe.title = 'Pad history viewer';
+    iframe.src = src;
+    iframe.addEventListener('load', () => { this.attachInnerBridges(iframe); });
+    this.mount.appendChild(iframe);
+    this.iframe = iframe;
+  }
+
+  private unmountIframe(): void {
+    if (this.revObserver) {
+      this.revObserver.disconnect();
+      this.revObserver = null;
+    }
+    if (this.iframe) {
+      try {
+        if (this.innerHashChangeHandler && this.iframe.contentWindow) {
+          this.iframe.contentWindow.removeEventListener(
+              'hashchange', this.innerHashChangeHandler);
+        }
+      } catch (_e) { /* cross-origin shouldn't happen, but be defensive */ }
+      this.iframe.remove();
+      this.iframe = null;
+    }
+    this.innerHashChangeHandler = null;
+  }
+
+  private attachInnerBridges(iframe: HTMLIFrameElement): void {
+    const win = iframe.contentWindow;
+    const doc = iframe.contentDocument;
+    if (!win || !doc) return;
+
+    // When the inner slider moves it sets its own location.hash (#NN). Mirror
+    // the change to the outer URL so the user's address bar stays canonical.
+    this.innerHashChangeHandler = () => {
+      if (this.syncingHash) return;
+      const innerHash = win.location.hash;
+      const rev = innerHash.startsWith('#') ? Number(innerHash.slice(1)) : NaN;
+      if (Number.isFinite(rev)) this.setOuterRev(rev);
+    };
+    win.addEventListener('hashchange', this.innerHashChangeHandler);
+
+    // The inner template populates #revision_label / #revision_date from JS
+    // each time the slider moves. Mirror them into the outer banner via a
+    // MutationObserver so the user always sees the current revision.
+    const innerLabel = doc.getElementById('revision_label');
+    const innerDate = doc.getElementById('revision_date');
+    if (innerLabel || innerDate) {
+      const sync = () => {
+        if (innerLabel) this.revLabel.textContent = innerLabel.textContent || '';
+        if (innerDate) this.dateLabel.textContent = innerDate.textContent || '';
+      };
+      sync();
+      this.revObserver = new MutationObserver(sync);
+      if (innerLabel) {
+        this.revObserver.observe(innerLabel, {childList: true, subtree: true, characterData: true});
+      }
+      if (innerDate) {
+        this.revObserver.observe(innerDate, {childList: true, subtree: true, characterData: true});
+      }
+    }
+
+    // Register a single slider callback that drives the outer pad's
+    // historical-state UI: chat replay, authors-at-this-revision, and
+    // export href rewriting. The callback fires once on initial setup
+    // plus on every scrub.
+    const inner: any = win as any;
+    const registerHook = () => {
+      const BS = inner.BroadcastSlider;
+      if (!BS || typeof BS.onSlider !== 'function') {
+        // Slider not initialized yet — try again on next frame.
+        win.requestAnimationFrame(registerHook);
+        return;
+      }
+      BS.onSlider((revno: number) => { this.onRevChange(revno, win); });
+      // Drive the initial sync (the slider may have already fired before
+      // we got here on a fast load).
+      this.onRevChange(BS.getSliderPosition?.() ?? 0, win);
+    };
+    registerHook();
+
+    this.snapshotForHistory();
+    this.wireSettingsBridges(win);
+    this.wireHistoryControls(win);
+  }
+
+  // Bind the outer #history-controls (slider input + play/pause/step
+  // buttons) as a remote control for the embedded timeslider's
+  // BroadcastSlider. The inner slider DOM stays present (the embed CSS
+  // hides it) so its existing drag/click handlers continue to work — the
+  // outer controls just push state into the same BroadcastSlider via its
+  // public methods.
+  private wireHistoryControls(innerWin: Window): void {
+    const inner: any = innerWin as any;
+    const sliderInput = document.getElementById('history-slider-input') as HTMLInputElement | null;
+    const playBtn = document.getElementById('history-playpause') as HTMLButtonElement | null;
+    const leftStep = document.getElementById('history-leftstep') as HTMLButtonElement | null;
+    const rightStep = document.getElementById('history-rightstep') as HTMLButtonElement | null;
+    const timer = document.getElementById('history-timer') as HTMLElement | null;
+
+    const bind = (el: HTMLElement | null, type: string, fn: EventListener) => {
+      if (!el) return;
+      el.addEventListener(type, fn);
+      this.outerControlListeners.push({el, type, fn});
+    };
+
+    bind(sliderInput, 'input', () => {
+      if (!sliderInput) return;
+      const target = Math.max(0, Math.floor(Number(sliderInput.value) || 0));
+      try { inner.BroadcastSlider?.setSliderPosition?.(target); } catch (_e) {}
+    });
+    bind(playBtn, 'click', () => {
+      try { inner.BroadcastSlider?.playpause?.(); } catch (_e) {}
+    });
+    // Inner #leftstep / #rightstep already wire all the step logic; just
+    // forward the click so we share the same code path.
+    bind(leftStep, 'click', () => {
+      try { (innerWin.document.getElementById('leftstep') as HTMLElement | null)?.click(); }
+      catch (_e) {}
+    });
+    bind(rightStep, 'click', () => {
+      try { (innerWin.document.getElementById('rightstep') as HTMLElement | null)?.click(); }
+      catch (_e) {}
+    });
+
+    // Mirror inner state into the outer controls. We register a
+    // BroadcastSlider.onSlider callback (called on every position change)
+    // and poll the inner #playpause_button_icon.pause class for play state.
+    const sync = (revno: number) => {
+      const max = inner.BroadcastSlider?.getSliderLength?.();
+      if (sliderInput && typeof max === 'number' && Number(sliderInput.max) !== max) {
+        sliderInput.max = String(max);
+      }
+      if (sliderInput && Number(sliderInput.value) !== revno) {
+        sliderInput.value = String(revno);
+      }
+      if (timer) {
+        const innerTimer = innerWin.document.getElementById('timer');
+        if (innerTimer) timer.textContent = innerTimer.textContent || '';
+      }
+      if (playBtn) {
+        const innerPlay = innerWin.document.getElementById('playpause_button_icon');
+        const playing = !!innerPlay && innerPlay.classList.contains('pause');
+        playBtn.classList.toggle('pause', playing);
+        playBtn.setAttribute('aria-pressed', playing ? 'true' : 'false');
+      }
+    };
+    // The hook registered earlier in attachInnerBridges already calls
+    // onRevChange — piggyback on it for slider input/timer updates by
+    // chaining through the same listener path.
+    const registerSync = () => {
+      const BS = inner.BroadcastSlider;
+      if (!BS || typeof BS.onSlider !== 'function') {
+        innerWin.requestAnimationFrame(registerSync);
+        return;
+      }
+      BS.onSlider(sync);
+      sync(BS.getSliderPosition?.() ?? 0);
+    };
+    registerSync();
+  }
+
+  // Capture the live state we'll restore on exit: live chat message
+  // visibility (just the timestamps — actual messages stay), live users
+  // panel HTML, and current Export hrefs.
+  private snapshotForHistory(): void {
+    if (this.usersSnapshot == null) {
+      const tbl = document.getElementById('otheruserstable');
+      if (tbl) this.usersSnapshot = tbl.innerHTML;
+    }
+    if (this.exportSnapshot == null) {
+      this.exportSnapshot = new Map();
+      document.querySelectorAll<HTMLAnchorElement>(
+          '#exportColumn a.exportlink, #export a.exportlink',
+      ).forEach((a) => {
+        if (a.hasAttribute('href')) this.exportSnapshot!.set(a, a.getAttribute('href') || '');
+      });
+    }
+    // Inject the chat replay header above #chattext on first entry.
+    if (!this.chatHeaderEl) {
+      const chattext = document.getElementById('chattext');
+      if (chattext && chattext.parentNode) {
+        const header = document.createElement('div');
+        header.id = 'history-chat-header';
+        header.className = 'history-chat-header';
+        header.setAttribute('data-l10n-id', 'pad.historyMode.chat.replayHeader');
+        header.textContent = 'Chat as of —';
+        this.chatHeaderSnapshot = {
+          parent: chattext.parentNode as HTMLElement,
+          sibling: chattext,
+        };
+        chattext.parentNode.insertBefore(header, chattext);
+        this.chatHeaderEl = header;
+      }
+    }
+  }
+
+  // Called on every revision change while in history mode. Drives:
+  //   - chat replay (filter rendered messages by timestamp)
+  //   - authors-at-this-revision panel (mirrors inner #authorsList)
+  //   - outer Export hrefs (point at /p/PAD/<rev>/export/<type>)
+  private onRevChange(revno: number, innerWin: Window): void {
+    const inner: any = innerWin as any;
+    const ts = inner.padContents?.currentTime as number | undefined;
+    if (typeof ts === 'number') {
+      this.filterChatByTimestamp(ts);
+      this.updateChatHeader(ts);
+    }
+    this.syncAuthorsPanel(innerWin);
+    this.syncExportHrefs(revno);
+  }
+
+  private filterChatByTimestamp(asOf: number): void {
+    document.querySelectorAll<HTMLElement>('#chattext > p[data-timestamp]')
+        .forEach((p) => {
+          const t = Number(p.getAttribute('data-timestamp'));
+          p.style.display = Number.isFinite(t) && t > asOf ? 'none' : '';
+        });
+  }
+
+  private updateChatHeader(asOf: number): void {
+    if (!this.chatHeaderEl) return;
+    const d = new Date(asOf);
+    const z = (n: number) => String(n).padStart(2, '0');
+    const time = `${z(d.getHours())}:${z(d.getMinutes())}`;
+    // html10n.get is not always loaded; fall back to a literal string.
+    const html10n: any = (window as any).html10n;
+    const label = (html10n && typeof html10n.get === 'function')
+        ? html10n.get('pad.historyMode.chat.replayHeader', {time})
+        : `Chat as of ${time}`;
+    this.chatHeaderEl.textContent = label;
+  }
+
+  // Mirror the inner timeslider's #authorsList (rendered by broadcast.ts)
+  // into the outer users panel. We replace the live user table while in
+  // history mode and restore it on exit.
+  private syncAuthorsPanel(innerWin: Window): void {
+    const innerAuthors = (innerWin.document as Document).getElementById('authorsList');
+    const tbl = document.getElementById('otheruserstable');
+    if (!innerAuthors || !tbl) return;
+    const text = innerAuthors.textContent || '';
+    tbl.innerHTML = '';
+    const tr = document.createElement('tr');
+    const td = document.createElement('td');
+    td.className = 'history-authors-row';
+    td.textContent = text;
+    tr.appendChild(td);
+    tbl.appendChild(tr);
+  }
+
+  // Rewrite outer export anchors so a click downloads the historical
+  // revision instead of the live document. Etherpad already supports
+  // /p/:pad/<rev>/export/<type>.
+  private syncExportHrefs(revno: number): void {
+    if (!this.exportSnapshot) return;
+    this.exportSnapshot.forEach((origHref, anchor) => {
+      const m = origHref.match(/^(.*\/p\/[^/]+)\/export\/([^/?#]+)/);
+      if (!m) return;
+      anchor.setAttribute('href', `${m[1]}/${revno}/export/${m[2]}`);
+    });
+  }
+
+  // Outer Settings popup grew a "History playback" section. Drive the inner
+  // BroadcastSlider state from those controls so the user sees one set of
+  // controls regardless of mode.
+  private wireSettingsBridges(innerWin: Window): void {
+    const speedSel = document.getElementById('history-playbackspeed') as HTMLSelectElement | null;
+    const followCb = document.getElementById('history-options-followContents') as HTMLInputElement | null;
+    const inner: any = innerWin as any;
+
+    if (speedSel) {
+      // Initial sync: read existing inner cookie/setting if available.
+      const innerSpeed = inner.document.getElementById('playbackspeed') as HTMLSelectElement | null;
+      if (innerSpeed && innerSpeed.value) speedSel.value = innerSpeed.value;
+      this.playbackChangeListener = () => {
+        const v = speedSel.value || '100';
+        try {
+          inner.BroadcastSlider?.setPlaybackSpeed?.(v);
+          if (innerSpeed) {
+            innerSpeed.value = v;
+            innerSpeed.dispatchEvent(new Event('change'));
+          }
+        } catch (_e) {}
+      };
+      speedSel.addEventListener('change', this.playbackChangeListener);
+    }
+
+    if (followCb) {
+      const innerFollow = inner.document.getElementById('options-followContents') as HTMLInputElement | null;
+      if (innerFollow) followCb.checked = !!innerFollow.checked;
+      this.followChangeListener = () => {
+        if (!innerFollow) return;
+        innerFollow.checked = followCb.checked;
+        innerFollow.dispatchEvent(new Event('change'));
+      };
+      followCb.addEventListener('change', this.followChangeListener);
+    }
+  }
+
+  private setInnerRevision(rev: number): void {
+    if (!this.iframe || !this.iframe.contentWindow) return;
+    // The embedded timeslider treats #N as "go to revision N", so we must
+    // NOT write #-1 (or #0 as a stand-in for "latest"); for "latest" we
+    // jump to the slider's current upper bound, which broadcast_slider
+    // exposes via its sliderLength on the iframe's `BroadcastSlider`.
+    try {
+      if (rev < 0) {
+        const inner: any = this.iframe.contentWindow as any;
+        const upper = inner?.BroadcastSlider?.getSliderLength?.();
+        if (typeof upper === 'number') {
+          this.iframe.contentWindow.location.hash = `#${upper}`;
+        }
+        // If BroadcastSlider isn't ready yet, leave the iframe alone — its
+        // own init reads its hash and starts at the latest revision.
+        return;
+      }
+      this.iframe.contentWindow.location.hash = `#${rev}`;
+    } catch (_e) { /* same-origin guaranteed; ignore the unlikely failure */ }
+  }
+
+  private setOuterRev(rev: number): void {
+    const desired = buildOuterHash(rev);
+    if (window.location.hash === desired) return;
+    this.syncingHash = true;
+    try {
+      history.replaceState(null, '', `${window.location.pathname}${desired}`);
+    } finally {
+      this.syncingHash = false;
+    }
+  }
+
+  private onOuterHashChange(): void {
+    if (this.syncingHash) return;
+    const rev = parseRevFromHash(window.location.hash);
+    if (rev == null) {
+      if (this.mode === 'history') this.exitHistory();
+      return;
+    }
+    if (this.mode === 'live') {
+      this.enterHistory(rev);
+    } else {
+      this.setInnerRevision(rev);
+    }
+  }
+}
+
+let singleton: PadModeController | null = null;
+
+export const padMode = {
+  init(): void {
+    if (singleton) return;
+    singleton = new PadModeController();
+    singleton.bootstrapFromHash();
+  },
+  enterHistory(rev: number | null = null): void {
+    singleton?.enterHistory(rev);
+  },
+  exitHistory(): void {
+    singleton?.exitHistory();
+  },
+  getMode(): 'live' | 'history' {
+    return singleton ? singleton.getMode() : 'live';
+  },
+};
+
+export default padMode;
diff --git a/src/static/js/skin_variants.ts b/src/static/js/skin_variants.ts
index 99d6af3b6ec..22c055bf817 100644
--- a/src/static/js/skin_variants.ts
+++ b/src/static/js/skin_variants.ts
@@ -30,6 +30,19 @@ const updateSkinVariantsClasses = (newClasses) => {
     $('iframe[name=ace_outer]').contents().find('iframe[name=ace_inner]').contents().find('html'),
   ];
 
+  // Issue #7659: when in-place history mode is active, the historical pad
+  // renders inside #history-frame (its own document, with its own
+  // ace_outer/ace_inner). Propagate skin tokens through the same path so a
+  // user toggling dark mode while scrubbing sees the iframe re-theme.
+  const $hist = $('#history-frame');
+  if ($hist.length) {
+    domsToUpdate.push($hist.contents().find('html'));
+    domsToUpdate.push($hist.contents().find('iframe[name=ace_outer]').contents().find('html'));
+    domsToUpdate.push(
+        $hist.contents().find('iframe[name=ace_outer]').contents()
+            .find('iframe[name=ace_inner]').contents().find('html'));
+  }
+
   colors.forEach((color) => {
     containers.forEach((container) => {
       domsToUpdate.forEach((el) => { el.removeClass(`${color}-${container}`); });
diff --git a/src/static/js/timeslider.ts b/src/static/js/timeslider.ts
index ac15aca2388..5b2f1e79ade 100644
--- a/src/static/js/timeslider.ts
+++ b/src/static/js/timeslider.ts
@@ -73,6 +73,26 @@ const init = () => {
     // start the custom js
     if (typeof customStart === 'function') customStart(); // eslint-disable-line no-undef
 
+    // Issue #7659: when this timeslider is mounted as the in-place history
+    // iframe inside a pad page, mark the body so CSS can hide the inner
+    // editbar (the outer pad's toolbar owns the slider) and inherit the
+    // parent's skin tokens so dark mode (and any other skinVariants the
+    // user toggled at runtime) is applied immediately on first paint.
+    // Direct visits to /p/:pad/timeslider?embed=1 (existing test/legacy
+    // entry points) keep their full chrome because parent === window.
+    try {
+      if (window.parent !== window) {
+        document.body.classList.add('iframe-mode');
+        const parentClasses = window.parent.document.documentElement.className || '';
+        const tokens = parentClasses.split(/\s+/).filter((c) =>
+            /^(super-light|light|dark|super-dark)-(toolbar|editor|background)$/.test(c) ||
+            c === 'full-width-editor');
+        if (tokens.length) {
+          document.documentElement.classList.add(...tokens);
+        }
+      }
+    } catch (_e) { /* cross-origin parent — leave defaults */ }
+
     // get the padId out of the url
     const urlParts = document.location.pathname.split('/');
     padId = decodeURIComponent(urlParts[urlParts.length - 2]);
@@ -85,7 +105,19 @@ const init = () => {
     // or writes it; the server picks it up from the socket.io handshake.
     cp = (window as any).clientVars?.cookiePrefix || '';
 
-    socket = socketio.connect(exports.baseURL, '/', {query: {padId}});
+    // Pass `embed` to the server when this timeslider is the in-place
+    // history iframe inside a pad page (issue #7659). Without this the
+    // server's duplicate-author kick treats the iframe's connection as a
+    // stale tab and disconnects the parent pad's live socket.
+    const embed = (() => {
+      try {
+        if (window.parent === window) return false;
+        const params = new URLSearchParams(window.location.search);
+        return params.get('embed') === '1';
+      } catch (_e) { return false; }
+    })();
+    socket = socketio.connect(
+        exports.baseURL, '/', {query: embed ? {padId, embed: '1'} : {padId}});
 
     // send the ready message once we're connected
     socket.on('connect', () => {
@@ -159,6 +191,9 @@ const handleClientVars = (message) => {
   // load all script that doesn't work without the clientVars
   BroadcastSlider = require('./broadcast_slider')
       .loadBroadcastSliderJS(fireWhenAllScriptsAreLoaded);
+  // Exposed on window so the outer pad shell (issue #7659 in-place history
+  // mode) can subscribe to slider movement without postMessage round-trips.
+  (window as any).BroadcastSlider = BroadcastSlider;
 
   require('./broadcast_revisions').loadBroadcastRevisionsJS();
   changesetLoader = require('./broadcast')
diff --git a/src/templates/pad.html b/src/templates/pad.html
index 8a4e3ac3c80..adc9df0cf11 100644
--- a/src/templates/pad.html
+++ b/src/templates/pad.html
@@ -78,6 +78,55 @@
           <%- toolbar.menu(settings.toolbar.left, isReadOnly, 'left', 'pad') %>
           <% e.end_block(); %>
       </ul>
+      <!-- HISTORY-MODE CONTROLS — slider + play/step buttons swap into the
+           toolbar's left zone while scrubbing pad history. The formatting
+           menu_left is hidden in history mode so this fills its space. The
+           outer slider is just a remote control for the embedded
+           timeslider iframe's BroadcastSlider; pad_mode.ts owns the
+           bridging.
+
+           Accessible names + tooltip titles are populated by pad_mode.ts
+           after html10n is ready, reusing the existing `timeslider.*`
+           translation keys. We deliberately do NOT put data-l10n-id on
+           the icon buttons — that would set their textContent, which on
+           a buttonicon glyph would draw the localized string on screen. -->
+      <div id="history-controls" class="history-controls" role="toolbar" hidden>
+        <button type="button" id="history-playpause" class="buttonicon buttonicon-play"
+                aria-pressed="false"></button>
+        <button type="button" id="history-leftstep" class="buttonicon buttonicon-step-backward">
+        </button>
+        <button type="button" id="history-rightstep" class="buttonicon buttonicon-step-forward">
+        </button>
+        <input type="range" id="history-slider-input" class="history-slider-input"
+               min="0" max="0" value="0" step="1">
+        <span id="history-timer" class="history-timer hide-for-mobile" aria-live="polite"></span>
+        <!-- Follow toggle: an icon-only button. The eye is always rendered;
+             the diagonal slash overlay is shown only when aria-pressed is
+             false. Backed by a hidden checkbox so existing pad_mode.ts
+             bridge code (which reads .checked) keeps working. -->
+        <input type="checkbox" id="history-options-followContents" class="sr-only" checked>
+        <label for="history-options-followContents" class="history-follow-toggle hide-for-mobile"
+               aria-hidden="true">
+          <svg class="history-follow-eye" width="16" height="16" viewBox="0 0 16 16"
+               aria-hidden="true" focusable="false">
+            <path class="history-follow-eye-shape"
+                  d="M1.2 8C2.7 4.4 5.1 2.5 8 2.5s5.3 1.9 6.8 5.5c-1.5 3.6-3.9 5.5-6.8 5.5S2.7 11.6 1.2 8z"
+                  fill="none" stroke="currentColor" stroke-width="1.4"/>
+            <circle class="history-follow-eye-pupil" cx="8" cy="8" r="2.3" fill="currentColor"/>
+            <line class="history-follow-eye-slash" x1="2" y1="14" x2="14" y2="2"
+                  stroke="currentColor" stroke-width="1.6" stroke-linecap="round"/>
+          </svg>
+        </label>
+        <select id="history-playbackspeed" class="history-speed hide-for-mobile"
+                aria-label="Playback speed"
+                data-l10n-aria-label="true">
+          <option value="100" data-l10n-id="timeslider.settings.playbackSpeed.original">Original speed</option>
+          <option value="realtime" data-l10n-id="timeslider.settings.playbackSpeed.realtime">Realtime</option>
+          <option value="200" data-l10n-id="timeslider.settings.playbackSpeed.200ms">200 ms</option>
+          <option value="500" data-l10n-id="timeslider.settings.playbackSpeed.500ms">500 ms</option>
+          <option value="1000" data-l10n-id="timeslider.settings.playbackSpeed.1000ms">1000 ms</option>
+        </select>
+      </div>
       <ul class="menu_right" role="toolbar">
           <% e.begin_block("editbarMenuRight"); %>
           <%- toolbar.menu(settings.toolbar.right, isReadOnly, 'right', 'pad') %>
@@ -88,6 +137,17 @@
 
   <% e.begin_block("afterEditbar"); %><% e.end_block(); %>
 
+  <!--------------------------------------------------------------->
+  <!-- HISTORY-MODE BANNER (visible only when scrubbing history) -->
+  <!--------------------------------------------------------------->
+  <div id="history-banner" class="history-banner" role="status" aria-live="polite" hidden>
+    <span class="history-banner-label" data-l10n-id="pad.historyMode.banner">Viewing history</span>
+    <span class="history-banner-rev" id="history-banner-rev"></span>
+    <span class="history-banner-date" id="history-banner-date"></span>
+    <button type="button" id="history-banner-return" class="btn btn-primary"
+            data-l10n-id="pad.historyMode.return">Return to live</button>
+  </div>
+
   <div id="editorcontainerbox" class="flex-layout">
 
       <% e.begin_block("editorContainerBox"); %>
@@ -98,6 +158,11 @@
 
       <div id="editorcontainer" class="editorcontainer" aria-label="Document editor"></div>
 
+      <!--------------------------------------------------------------------->
+      <!-- HISTORY-MODE IFRAME (mounted only while scrubbing pad history) -->
+      <!--------------------------------------------------------------------->
+      <div id="history-frame-mount" class="history-frame-mount" hidden></div>
+
       <div id="editorloadingbox">
         <% e.begin_block("permissionDenied"); %>
         <div id="permissionDenied">
diff --git a/src/templates/timeSliderBootstrap.js b/src/templates/timeSliderBootstrap.js
index b0cbe3e7e4f..f16a3dd06d8 100644
--- a/src/templates/timeSliderBootstrap.js
+++ b/src/templates/timeSliderBootstrap.js
@@ -8,7 +8,7 @@ window.clientVars = {
 let BroadcastSlider;
 
 
-(function () {
+(async function () {
   const timeSlider = require('ep_etherpad-lite/static/js/timeslider')
   const pathComponents = location.pathname.split('/');
 
@@ -24,12 +24,17 @@ let BroadcastSlider;
   const socket = timeSlider.socket;
   BroadcastSlider = timeSlider.BroadcastSlider;
   plugins.baseURL = baseURL;
-  plugins.update(function () {
-
-
-    /* TODO: These globals shouldn't exist. */
-
-  });
+  // Pre-load plugin modules so client_hooks resolve (issue #7659): without
+  // a populated Map the loadFn fallback calls require(path) which the
+  // esbuild-bundled timeslider can't resolve at runtime, so plugins like
+  // ep_headings2 silently fail to register their aceRegisterBlockElements
+  // hook and historical revisions render without plugin chrome. Mirrors
+  // padBootstrap.js — same pluginModules list, same per-module require.
+  await plugins.update(new Map([
+    <% for (const module of pluginModules) { %>
+    [<%- JSON.stringify(module) %>, require("../../src/plugin_packages/"+<%- JSON.stringify(module) %>)],
+    <% } %>
+  ]));
   const padeditbar = require('ep_etherpad-lite/static/js/pad_editbar').padeditbar;
   const padimpexp = require('ep_etherpad-lite/static/js/pad_impexp').padimpexp;
   timeSlider.baseURL = baseURL;
diff --git a/src/templates/timeslider.html b/src/templates/timeslider.html
index 6223a8964b9..24bf2c912ec 100644
--- a/src/templates/timeslider.html
+++ b/src/templates/timeslider.html
@@ -56,7 +56,7 @@
 </head>
 
 <% e.begin_block("timesliderBody"); %>
-<body id="padbody" class="timeslider limwidth">
+<body id="padbody" class="timeslider limwidth<% if (typeof embed !== 'undefined' && embed) { %> embedded-history-frame<% } %>">
 
   <!----------------------------->
   <!--------- TOOLBAR ----------->
diff --git a/src/tests/backend/specs/socialMeta.ts b/src/tests/backend/specs/socialMeta.ts
index 34596e87996..667b3ea73ef 100644
--- a/src/tests/backend/specs/socialMeta.ts
+++ b/src/tests/backend/specs/socialMeta.ts
@@ -112,7 +112,9 @@ describe(__filename, function () {
 
   describe('timeslider', function () {
     it('og:title contains the (history) marker', async function () {
-      const res = await agent.get('/p/TestPad7599/timeslider').expect(200);
+      // Issue #7659: /p/:pad/timeslider redirects unless ?embed=1 — that
+      // query is the iframe path that still serves the timeslider HTML.
+      const res = await agent.get('/p/TestPad7599/timeslider?embed=1').expect(200);
       const title = ogTag(res.text, 'og:title');
       assert.ok(title && title.includes('(history)'),
           `unexpected timeslider og:title: ${title}`);
diff --git a/src/tests/backend/specs/specialpages.ts b/src/tests/backend/specs/specialpages.ts
index d41aade6446..17b7c49a86a 100644
--- a/src/tests/backend/specs/specialpages.ts
+++ b/src/tests/backend/specs/specialpages.ts
@@ -93,7 +93,9 @@ describe(__filename, function () {
     it('timeslider page emits theme-color matching the configured toolbar', async function () {
       settings.skinName = 'colibris';
       settings.skinVariants = 'super-dark-toolbar super-dark-editor dark-background';
-      const res = await agent.get('/p/testpad/timeslider').expect(200);
+      // Issue #7659: /p/:pad/timeslider redirects unless ?embed=1 — that
+      // query is the iframe path that still serves the timeslider HTML.
+      const res = await agent.get('/p/testpad/timeslider?embed=1').expect(200);
       assert.match(res.text, /<meta name="theme-color" content="#485365">/);
       assert.doesNotMatch(res.text, /prefers-color-scheme/);
     });
@@ -101,7 +103,7 @@ describe(__filename, function () {
     it('timeslider page omits theme-color for non-colibris skins', async function () {
       settings.skinName = 'no-skin';
       settings.skinVariants = 'super-light-toolbar';
-      const res = await agent.get('/p/testpad/timeslider').expect(200);
+      const res = await agent.get('/p/testpad/timeslider?embed=1').expect(200);
       assert.doesNotMatch(res.text, /theme-color/);
     });
   });
diff --git a/src/tests/backend/specs/timesliderRedirect.ts b/src/tests/backend/specs/timesliderRedirect.ts
new file mode 100644
index 00000000000..22ea3f70c3b
--- /dev/null
+++ b/src/tests/backend/specs/timesliderRedirect.ts
@@ -0,0 +1,45 @@
+'use strict';
+
+// Issue #7659 — direct visits to /p/:pad/timeslider should now 302-redirect
+// to the pad page; the pad's PadModeController handles entering history mode
+// from the URL hash. Iframe consumers pass ?embed=1 and still receive the
+// timeslider HTML for embedded use.
+
+const assert = require('assert').strict;
+const common = require('../common');
+
+describe(__filename, function () {
+  let agent: any;
+
+  before(async function () {
+    agent = await common.init();
+  });
+
+  describe('/p/:pad/timeslider', function () {
+    it('redirects (302) direct visits to the pad page', async function () {
+      const res = await agent.get('/p/testRedirect-7659/timeslider').expect(302);
+      assert.match(res.headers.location, /testRedirect-7659/);
+      // Must not point back at /timeslider — that would loop.
+      assert.doesNotMatch(res.headers.location, /\/timeslider(\?|$)/);
+    });
+
+    it('preserves the pad name in the redirect target', async function () {
+      // Etherpad normalizes spaces to underscores in pad names; the
+      // redirect target should match whatever the route handler resolved
+      // req.params.pad to, percent-escaped where needed.
+      const padName = 'Pad-With-Hyphens-7659';
+      const res = await agent
+          .get(`/p/${encodeURIComponent(padName)}/timeslider`)
+          .expect(302);
+      assert.match(res.headers.location, /Pad-With-Hyphens-7659/);
+    });
+
+    it('serves the timeslider HTML when embed=1 (iframe path)', async function () {
+      const res = await agent
+          .get('/p/testEmbed-7659/timeslider?embed=1')
+          .expect(200);
+      assert.match(res.headers['content-type'], /text\/html/);
+      assert.match(res.text, /class="[^"]*embedded-history-frame/);
+    });
+  });
+});
diff --git a/src/tests/frontend-new/helper/timeslider.ts b/src/tests/frontend-new/helper/timeslider.ts
index e193048e01f..536a4462d79 100644
--- a/src/tests/frontend-new/helper/timeslider.ts
+++ b/src/tests/frontend-new/helper/timeslider.ts
@@ -15,6 +15,10 @@ import {Page} from "@playwright/test";
  */
 export const gotoTimeslider = async (page: Page, revision: number): Promise<any> => {
     let revisionString = Number.isInteger(revision) ? `#${revision}` : '';
-    await page.goto(`${page.url()}/timeslider${revisionString}`);
+    // Issue #7659: /p/:pad/timeslider now 302-redirects to the pad page so the
+    // in-pad PadModeController owns history mode. Tests that target the
+    // timeslider DOM directly bypass the redirect by passing ?embed=1, the
+    // same query the in-pad iframe uses.
+    await page.goto(`${page.url()}/timeslider?embed=1${revisionString}`);
     await page.waitForSelector('#timer')
 };
diff --git a/src/tests/frontend-new/specs/padmode.spec.ts b/src/tests/frontend-new/specs/padmode.spec.ts
new file mode 100644
index 00000000000..b8e2451d8b8
--- /dev/null
+++ b/src/tests/frontend-new/specs/padmode.spec.ts
@@ -0,0 +1,348 @@
+import {expect, test} from '@playwright/test';
+import {clearPadContent, goToNewPad, writeToPad} from '../helper/padHelper';
+
+// Issue #7659 — in-pad history mode.
+//
+// The pad and timeslider used to be on different URLs. Clicking the history
+// toolbar button now keeps the user on the same URL and toggles a hash-based
+// state instead. This spec exercises the entry, exit, direct-load, and
+// browser-back paths, and asserts the rendered (localized) banner string
+// rather than just element presence.
+
+test.describe('in-pad history mode', () => {
+  test('toolbar button enters history without leaving the pad URL', async ({page}) => {
+    const padId = await goToNewPad(page);
+    await clearPadContent(page);
+    await writeToPad(page, 'Hello');
+    await page.waitForTimeout(500);
+    await writeToPad(page, ' world');
+    await page.waitForTimeout(500);
+
+    const padPath = new URL(page.url()).pathname;
+
+    await page.locator('.buttonicon-history').click();
+
+    await expect(page.locator('body.history-mode')).toBeVisible();
+    const banner = page.locator('#history-banner');
+    await expect(banner).toBeVisible();
+
+    // Banner is localized — assert the rendered string, not just presence.
+    await expect(banner.locator('.history-banner-label'))
+        .toHaveText('Viewing history');
+    await expect(banner.locator('#history-banner-return'))
+        .toHaveText('Return to live');
+
+    // Pathname unchanged; only the hash is added.
+    expect(new URL(page.url()).pathname).toBe(padPath);
+    expect(page.url()).toMatch(/#rev\//);
+
+    // The iframe mounted with the embedded timeslider markup; its own
+    // editbar is hidden because the slider lives in the outer toolbar
+    // (#history-controls).
+    const frame = page.frameLocator('#history-frame');
+    await expect(frame.locator('body.embedded-history-frame')).toBeVisible();
+    await expect(frame.locator('#editbar')).toBeHidden();
+    await expect(page.locator('#history-slider-input')).toBeVisible();
+    expect(padId).toBeTruthy();
+  });
+
+  test('Return-to-live exits history and clears the hash', async ({page}) => {
+    await goToNewPad(page);
+    await clearPadContent(page);
+    await writeToPad(page, 'A');
+    await page.waitForTimeout(300);
+    await writeToPad(page, 'B');
+    await page.waitForTimeout(300);
+
+    await page.locator('.buttonicon-history').click();
+    await expect(page.locator('body.history-mode')).toBeVisible();
+
+    await page.locator('#history-banner-return').click();
+    await expect(page.locator('body.history-mode')).toHaveCount(0);
+    await expect(page.locator('#history-banner')).toBeHidden();
+    expect(new URL(page.url()).hash).toBe('');
+  });
+
+  test('browser back exits history mode', async ({page}) => {
+    await goToNewPad(page);
+    await clearPadContent(page);
+    await writeToPad(page, 'X');
+    await page.waitForTimeout(300);
+
+    await page.locator('.buttonicon-history').click();
+    await expect(page.locator('body.history-mode')).toBeVisible();
+
+    await page.goBack();
+    await expect(page.locator('body.history-mode')).toHaveCount(0);
+    await expect(page.locator('#history-banner')).toBeHidden();
+  });
+
+  test('legacy /p/:pad/timeslider URL redirects to the pad page', async ({page}) => {
+    const padId = await goToNewPad(page);
+    await clearPadContent(page);
+    await writeToPad(page, 'Y');
+    await page.waitForTimeout(300);
+
+    const res = await page.goto(`http://localhost:9001/p/${padId}/timeslider`);
+    // Final landing URL is the pad page, not /timeslider.
+    expect(new URL(page.url()).pathname).toBe(`/p/${padId}`);
+    // Accept 304 — Firefox issues a conditional GET because goToNewPad
+    // already loaded the same URL and the response is identical.
+    expect([200, 304]).toContain(res?.status());
+  });
+
+  // Phase B — chrome consolidation, chat replay, authors panel, exports.
+
+  test('Follow + Playback speed are inline in the toolbar in history mode', async ({page}) => {
+    await goToNewPad(page);
+    await clearPadContent(page);
+    await writeToPad(page, 'one');
+    await page.waitForTimeout(300);
+
+    // Live mode: history-controls hidden, so Follow + Speed are not visible.
+    await expect(page.locator('#history-options-followContents')).toBeHidden();
+    await expect(page.locator('#history-playbackspeed')).toBeHidden();
+
+    await page.locator('.buttonicon-history').click();
+    await expect(page.locator('body.history-mode')).toBeVisible();
+
+    // Both controls live inside #history-controls in the toolbar — no need
+    // to open the Settings popup.
+    await expect(page.locator('#history-controls #history-options-followContents'))
+        .toBeAttached();
+    await expect(page.locator('#history-controls #history-playbackspeed'))
+        .toBeAttached();
+  });
+
+  test('embedded iframe shows only the editor surface (no inner editbar)', async ({page}) => {
+    await goToNewPad(page);
+    await clearPadContent(page);
+    await writeToPad(page, 'A');
+    await page.waitForTimeout(300);
+
+    await page.locator('.buttonicon-history').click();
+    await expect(page.locator('body.history-mode')).toBeVisible();
+
+    const frame = page.frameLocator('#history-frame');
+    // The whole inner editbar is hidden — slider + play buttons live in
+    // the outer pad's toolbar now (#history-controls). Iframe is editor.
+    await expect(frame.locator('#editbar')).toBeHidden();
+    // Editor body itself is still rendered.
+    await expect(frame.locator('#outerdocbody')).toBeVisible();
+  });
+
+  test('outer toolbar swaps formatting menu for history controls', async ({page}) => {
+    await goToNewPad(page);
+    await clearPadContent(page);
+    await writeToPad(page, 'A');
+    await page.waitForTimeout(300);
+
+    // Live mode: history-controls is in DOM but hidden; menu_left visible.
+    await expect(page.locator('#history-controls')).toBeHidden();
+    await expect(page.locator('#editbar .menu_left')).toBeVisible();
+
+    await page.locator('.buttonicon-history').click();
+    await expect(page.locator('body.history-mode')).toBeVisible();
+
+    // History mode: menu_left hidden, history-controls + slider visible.
+    const leftDisplay = await page.locator('#editbar .menu_left').evaluate(
+        (el) => getComputedStyle(el).display);
+    expect(leftDisplay).toBe('none');
+    await expect(page.locator('#history-controls')).toBeVisible();
+    await expect(page.locator('#history-slider-input')).toBeVisible();
+    // Right-side menu (Settings/Share/Users/Chat/Home) stays fully active.
+    await expect(page.locator('button[data-l10n-id=\'pad.toolbar.settings.title\']'))
+        .toBeVisible();
+  });
+
+  test('outer slider drives the embedded timeslider revision', async ({page}) => {
+    await goToNewPad(page);
+    await clearPadContent(page);
+    await writeToPad(page, 'one');
+    await page.waitForTimeout(300);
+    await writeToPad(page, ' two');
+    await page.waitForTimeout(300);
+    await writeToPad(page, ' three');
+    await page.waitForTimeout(800);
+
+    await page.locator('.buttonicon-history').click();
+    await expect(page.locator('body.history-mode')).toBeVisible();
+    // Wait until BroadcastSlider has populated the outer slider's max.
+    await page.waitForFunction(() => {
+      const i = document.getElementById('history-slider-input') as HTMLInputElement | null;
+      return !!i && Number(i.max) > 0;
+    }, {timeout: 10_000});
+
+    // Move the outer slider to revision 0 and assert the iframe followed.
+    await page.locator('#history-slider-input').evaluate((el: HTMLInputElement) => {
+      el.value = '0';
+      el.dispatchEvent(new Event('input', {bubbles: true}));
+    });
+    await page.waitForFunction(() => {
+      const f = document.getElementById('history-frame') as HTMLIFrameElement | null;
+      const win: any = f && f.contentWindow;
+      return !!win?.BroadcastSlider && win.BroadcastSlider.getSliderPosition() === 0;
+    }, {timeout: 5_000});
+
+    expect(page.url()).toMatch(/#rev\/0$/);
+  });
+
+  test('dark mode propagates into the history iframe', async ({page}) => {
+    await goToNewPad(page);
+    await clearPadContent(page);
+    await writeToPad(page, 'A');
+    await page.waitForTimeout(300);
+
+    // Apply dark-mode skin tokens directly to the outer <html>; this
+    // mirrors what the dark-mode checkbox does at runtime. The iframe
+    // should inherit them on first paint via timeslider.ts's
+    // parent-class lookup.
+    await page.evaluate(() => {
+      const html = document.documentElement;
+      ['super-dark-editor', 'dark-background', 'super-dark-toolbar']
+          .forEach((c) => html.classList.add(c));
+    });
+
+    await page.locator('.buttonicon-history').click();
+    await expect(page.locator('body.history-mode')).toBeVisible();
+    await page.waitForTimeout(800);
+
+    const innerClasses = await page.locator('#history-frame').evaluate(
+        (iframe: any) => iframe.contentDocument!.documentElement.className);
+    expect(innerClasses).toMatch(/super-dark-editor/);
+    expect(innerClasses).toMatch(/dark-background/);
+    expect(innerClasses).toMatch(/super-dark-toolbar/);
+  });
+
+  test('chat panel is filtered to messages newer than the historical revision', async ({page}) => {
+    await goToNewPad(page);
+    await clearPadContent(page);
+    await writeToPad(page, 'rev1');
+    await page.waitForTimeout(400);
+
+    // Inject two chat messages with controlled timestamps so we can assert
+    // filtering deterministically without driving the chat widget. The chat
+    // panel is closed by default so we read display style directly rather
+    // than relying on Playwright's visibility (which considers ancestors).
+    await page.evaluate(() => {
+      const ct = document.getElementById('chattext')!;
+      const earlier = document.createElement('p');
+      earlier.setAttribute('data-timestamp', String(Date.now() - 60_000));
+      earlier.classList.add('chat-msg-test-earlier');
+      earlier.textContent = 'old';
+      const later = document.createElement('p');
+      later.setAttribute('data-timestamp', String(Date.now() + 60_000));
+      later.classList.add('chat-msg-test-later');
+      later.textContent = 'future';
+      ct.append(earlier, later);
+    });
+
+    await page.locator('.buttonicon-history').click();
+    await expect(page.locator('body.history-mode')).toBeVisible();
+    // Wait for the inner BroadcastSlider hook to fire at least once.
+    await page.waitForFunction(() => {
+      const p = document.querySelector('.chat-msg-test-later') as HTMLElement | null;
+      return !!p && p.style.display === 'none';
+    }, {timeout: 10_000});
+
+    // Earlier message has its inline display cleared (still rendered);
+    // later message has display:none injected by the filter.
+    const earlierDisplay = await page.locator('.chat-msg-test-earlier').evaluate(
+        (el) => (el as HTMLElement).style.display);
+    expect(earlierDisplay).not.toBe('none');
+    const laterDisplay = await page.locator('.chat-msg-test-later').evaluate(
+        (el) => (el as HTMLElement).style.display);
+    expect(laterDisplay).toBe('none');
+    // Chat replay header has the localized prefix.
+    const headerText = await page.locator('#history-chat-header').textContent();
+    expect(headerText).toMatch(/Chat as of/);
+  });
+
+  test('outer Export hrefs point at the historical revision in history mode', async ({page}) => {
+    const padId = await goToNewPad(page);
+    await clearPadContent(page);
+    await writeToPad(page, 'one');
+    await page.waitForTimeout(400);
+    await writeToPad(page, ' two');
+    await page.waitForTimeout(800);
+
+    await page.locator('.buttonicon-history').click();
+    await expect(page.locator('body.history-mode')).toBeVisible();
+    await page.waitForTimeout(700);
+
+    const href = await page.locator('#exporthtmla').getAttribute('href');
+    expect(href).not.toBeNull();
+    // Format is /p/<padId>/<rev>/export/html — assert the revision segment.
+    expect(href).toMatch(new RegExp(`/p/${padId}/\\d+/export/html`));
+
+    await page.locator('#history-banner-return').click();
+    await expect(page.locator('body.history-mode')).toHaveCount(0);
+    const restored = await page.locator('#exporthtmla').getAttribute('href');
+    expect(restored).toMatch(new RegExp(`/p/${padId}/export/html$`));
+  });
+
+  test('line numbers align with each line of text in history mode', async ({page}) => {
+    await goToNewPad(page);
+    await clearPadContent(page);
+    await writeToPad(page, 'one');
+    await page.keyboard.press('Enter');
+    await writeToPad(page, 'two');
+    await page.keyboard.press('Enter');
+    await writeToPad(page, 'three');
+    await page.waitForTimeout(800);
+
+    await page.locator('.buttonicon-history').click();
+    await expect(page.locator('body.history-mode')).toBeVisible();
+
+    // Wait for the iframe's broadcast.ts to populate #sidedivinner with
+    // line-number children and align them to the editor body.
+    const frame = page.frameLocator('#history-frame');
+    await frame.locator('#sidediv.sidedivdelayed').waitFor({state: 'attached', timeout: 10_000});
+    await page.waitForTimeout(500);
+
+    const counts = await page.locator('#history-frame').evaluate((iframe: any) => {
+      const idoc = iframe.contentDocument!;
+      return {
+        editorLines: idoc.querySelector('#innerdocbody')?.children.length ?? 0,
+        gutterLines: idoc.querySelector('#sidedivinner')?.children.length ?? 0,
+      };
+    });
+    expect(counts.editorLines).toBeGreaterThan(0);
+    expect(counts.gutterLines).toBe(counts.editorLines);
+
+    // Vertical alignment: every gutter row's top should match its
+    // corresponding editor row's top within a small tolerance (line-height
+    // rounding can introduce sub-pixel drift).
+    const offsets = await page.locator('#history-frame').evaluate((iframe: any) => {
+      const idoc = iframe.contentDocument!;
+      const editor = [...idoc.querySelectorAll('#innerdocbody > div')];
+      const gutter = [...idoc.querySelectorAll('#sidedivinner > div')];
+      return editor.map((e: HTMLElement, i: number) => ({
+        diff: Math.abs(e.offsetTop - (gutter[i] as HTMLElement).offsetTop),
+      }));
+    });
+    for (const {diff} of offsets) {
+      expect(diff).toBeLessThanOrEqual(2);
+    }
+  });
+
+  test('users panel shows authors-at-this-revision in history mode', async ({page}) => {
+    await goToNewPad(page);
+    await clearPadContent(page);
+    await writeToPad(page, 'hello');
+    await page.waitForTimeout(400);
+
+    await page.locator('.buttonicon-history').click();
+    await expect(page.locator('body.history-mode')).toBeVisible();
+    await page.waitForTimeout(700);
+
+    // The authors row replaces the live-users table contents while in
+    // history mode. Restored on exit.
+    const tbl = page.locator('#otheruserstable');
+    await expect(tbl.locator('.history-authors-row')).toBeAttached();
+
+    await page.locator('#history-banner-return').click();
+    await expect(page.locator('body.history-mode')).toHaveCount(0);
+    await expect(tbl.locator('.history-authors-row')).toHaveCount(0);
+  });
+});
diff --git a/src/tests/frontend-new/specs/timeslider.spec.ts b/src/tests/frontend-new/specs/timeslider.spec.ts
index feb6a2b1636..34fb1f7b15c 100644
--- a/src/tests/frontend-new/specs/timeslider.spec.ts
+++ b/src/tests/frontend-new/specs/timeslider.spec.ts
@@ -7,31 +7,38 @@ test.beforeEach(async ({ page })=>{
 })
 
 
-// deactivated, we need a nice way to get the timeslider, this is ugly
-test.describe('timeslider button takes you to the timeslider of a pad', function () {
+// Issue #7659: clicking the history toolbar button enters history mode
+// in-place. The pad URL stays the same; only the hash changes to #rev/...
+test.describe('history toolbar button enters in-pad history mode', function () {
 
-  test('timeslider contained in URL', async function ({page}) {
+  test('history mode mounts iframe and sets #rev/ hash', async function ({page}) {
     const padBody = await getPadBody(page);
     await clearPadContent(page)
-    await writeToPad(page, 'Foo'); // send line 1 to the pad
+    await writeToPad(page, 'Foo');
 
-    // get the first text element inside the editable space
     const $firstTextElement = padBody.locator('div span').first();
-    const originalValue = await $firstTextElement.textContent(); // get the original value
+    const originalValue = await $firstTextElement.textContent();
     await $firstTextElement.click()
-    await writeToPad(page, 'Testing'); // send line 1 to the pad
+    await writeToPad(page, 'Testing');
 
-    const modifiedValue = await $firstTextElement.textContent(); // get the modified value
-    expect(modifiedValue).not.toBe(originalValue); // expect the value to change
+    const modifiedValue = await $firstTextElement.textContent();
+    expect(modifiedValue).not.toBe(originalValue);
 
     const $timesliderButton = page.locator('.buttonicon-history');
-    await $timesliderButton.click(); // So click the timeslider link
-
-    await page.waitForSelector('#timeslider-wrapper')
-
-    const iFrameURL = page.url(); // get the url
-    const inTimeslider = iFrameURL.indexOf('timeslider') !== -1;
-
-    expect(inTimeslider).toBe(true); // expect the value to change
+    await $timesliderButton.click();
+
+    // Banner appears, body gets the history-mode class, hash is #rev/...
+    await expect(page.locator('#history-banner')).toBeVisible();
+    await expect(page.locator('body.history-mode')).toBeVisible();
+    expect(page.url()).toMatch(/#rev\//);
+    // The pad URL itself never changes to /timeslider — that route is
+    // reserved for the embedded iframe.
+    expect(new URL(page.url()).pathname).not.toContain('timeslider');
+
+    // The iframe is mounted and the outer history-controls (slider, play,
+    // step buttons) take over the toolbar's left zone.
+    await expect(page.locator('#history-controls')).toBeVisible();
+    await expect(page.locator('#history-slider-input')).toBeVisible();
+    await expect(page.locator('#history-playpause')).toBeVisible();
   });
 });
diff --git a/src/tests/frontend-new/specs/timeslider_identity_changeset.spec.ts b/src/tests/frontend-new/specs/timeslider_identity_changeset.spec.ts
index 22eb6f65287..22c0587313e 100644
--- a/src/tests/frontend-new/specs/timeslider_identity_changeset.spec.ts
+++ b/src/tests/frontend-new/specs/timeslider_identity_changeset.spec.ts
@@ -40,7 +40,7 @@ test.describe('Timeslider with identity changesets (bug #5214)', function () {
     await page.waitForTimeout(1000);
 
     // Navigate to timeslider at revision 0 so playback has revisions to advance through
-    await page.goto(`http://localhost:9001/p/${padId}/timeslider#0`);
+    await page.goto(`http://localhost:9001/p/${padId}/timeslider?embed=1#0`);
     await page.waitForSelector('#timeslider-slider', {timeout: 10000});
     await page.waitForTimeout(1000);
 
@@ -82,7 +82,7 @@ test.describe('Timeslider with identity changesets (bug #5214)', function () {
     await page.waitForTimeout(1000);
 
     // Go to timeslider
-    await page.goto(`http://localhost:9001/p/${padId}/timeslider`);
+    await page.goto(`http://localhost:9001/p/${padId}/timeslider?embed=1`);
     await page.waitForSelector('#timeslider-slider', {timeout: 10000});
 
     // Get the total number of revisions from the slider
@@ -92,7 +92,7 @@ test.describe('Timeslider with identity changesets (bug #5214)', function () {
 
     // Scrub through each revision from 0 to latest
     for (let rev = 0; rev <= sliderLength; rev++) {
-      await page.goto(`http://localhost:9001/p/${padId}/timeslider#${rev}`);
+      await page.goto(`http://localhost:9001/p/${padId}/timeslider?embed=1#${rev}`);
       await page.waitForTimeout(300);
 
       // Check no errors appeared
diff --git a/src/tests/frontend-new/specs/timeslider_line_numbers.spec.ts b/src/tests/frontend-new/specs/timeslider_line_numbers.spec.ts
index 86037269961..e5edad30028 100644
--- a/src/tests/frontend-new/specs/timeslider_line_numbers.spec.ts
+++ b/src/tests/frontend-new/specs/timeslider_line_numbers.spec.ts
@@ -1,6 +1,5 @@
 import {expect, test} from "@playwright/test";
 import {clearPadContent, goToNewPad, writeToPad} from "../helper/padHelper";
-import {showSettings} from "../helper/settingsHelper";
 
 test.describe('timeslider line numbers', function () {
   test.beforeEach(async ({context}) => {
@@ -13,7 +12,7 @@ test.describe('timeslider line numbers', function () {
     await writeToPad(page, 'One\nTwo\nThree');
     await page.waitForTimeout(1000);
 
-    await page.goto(`http://localhost:9001/p/${padId}/timeslider`);
+    await page.goto(`http://localhost:9001/p/${padId}/timeslider?embed=1`);
     await page.waitForSelector('#timeslider-wrapper', {state: 'visible'});
     await page.waitForSelector('#sidediv.sidedivdelayed', {state: 'attached'});
     await page.waitForTimeout(1000);
@@ -53,14 +52,21 @@ test.describe('timeslider line numbers', function () {
       url: 'http://localhost:9001',
     }]);
 
-    await page.goto(`http://localhost:9001/p/${padId}/timeslider`);
+    await page.goto(`http://localhost:9001/p/${padId}/timeslider?embed=1`);
     await page.waitForSelector('#timeslider-wrapper', {state: 'visible'});
-    await showSettings(page);
 
+    // Issue #7659: in embedded mode the outer pad owns the Settings popup,
+    // so the inner #settings popup is hidden via CSS. The cookie-driven
+    // initial state still applies to the iframe's body and checkbox; this
+    // test verifies that contract by reading state without opening the
+    // popup, then flipping the checkbox programmatically.
     await expect(page.locator('#options-linenoscheck')).not.toBeChecked();
     await expect(page.locator('body')).toHaveClass(/line-numbers-hidden/);
 
-    await page.locator('label[for="options-linenoscheck"]').click();
+    await page.locator('#options-linenoscheck').evaluate((el: HTMLInputElement) => {
+      el.checked = true;
+      el.dispatchEvent(new Event('change'));
+    });
     await expect(page.locator('#options-linenoscheck')).toBeChecked();
     await expect(page.locator('body')).not.toHaveClass(/line-numbers-hidden/);
 
diff --git a/src/tests/frontend-new/specs/timeslider_playback_speed.spec.ts b/src/tests/frontend-new/specs/timeslider_playback_speed.spec.ts
index 4167801de45..9a017165d4b 100644
--- a/src/tests/frontend-new/specs/timeslider_playback_speed.spec.ts
+++ b/src/tests/frontend-new/specs/timeslider_playback_speed.spec.ts
@@ -21,7 +21,7 @@ test.describe('timeslider playback speed', function () {
     await writeToPad(page, 'One');
     await page.waitForTimeout(1000);
 
-    await page.goto(`http://localhost:9001/p/${padId}/timeslider#0`);
+    await page.goto(`http://localhost:9001/p/${padId}/timeslider?embed=1#0`);
     await waitForTimesliderReady(page);
 
     await expect.poll(async () => await page.evaluate(() => {
@@ -46,7 +46,7 @@ test.describe('timeslider playback speed', function () {
     await writeToPad(page, ' Two');
     await page.waitForTimeout(1000);
 
-    await page.goto(`http://localhost:9001/p/${padId}/timeslider#1`);
+    await page.goto(`http://localhost:9001/p/${padId}/timeslider?embed=1#1`);
     await waitForTimesliderReady(page);
 
     await page.evaluate(() => {
@@ -79,7 +79,7 @@ test.describe('timeslider playback speed', function () {
     await writeToPad(page, 'A');
     await page.waitForTimeout(1000);
 
-    await page.goto(`http://localhost:9001/p/${padId}/timeslider#0`);
+    await page.goto(`http://localhost:9001/p/${padId}/timeslider?embed=1#0`);
     await waitForTimesliderReady(page);
 
     const scheduledDelays = await page.evaluate(() => {

From 41d10ecae534e74208187f4d79384bfbab0277a6 Mon Sep 17 00:00:00 2001
From: SamTV12345 <40429738+SamTV12345@users.noreply.github.com>
Date: Sun, 10 May 2026 18:01:07 +0200
Subject: [PATCH 23/25] chore: fixed admin design rework (#7716)

* chore: fixed admin design rework

* chore:  fixed qodoos remarks
---
 admin/package.json                            |    1 +
 admin/src/App.tsx                             |  165 ++-
 admin/src/index.css                           | 1110 +++++++++++++++--
 admin/src/pages/HelpPage.tsx                  |  271 +++-
 admin/src/pages/HomePage.tsx                  |  569 +++++----
 admin/src/pages/PadPage.tsx                   |  617 +++++----
 admin/src/pages/Plugin.ts                     |    6 +-
 .../admin-spec/admintroubleshooting.spec.ts   |   21 +-
 .../admin-spec/adminupdateplugins.spec.ts     |   39 +-
 9 files changed, 2084 insertions(+), 715 deletions(-)

diff --git a/admin/package.json b/admin/package.json
index cd5cb440907..e906c119b19 100644
--- a/admin/package.json
+++ b/admin/package.json
@@ -5,6 +5,7 @@
   "type": "module",
   "scripts": {
     "dev": "pnpm gen:api && vite",
+    "dev:only": "vite",
     "gen:api": "node scripts/gen-api.mjs",
     "build": "pnpm gen:api && tsc && vite build",
     "lint": "eslint . --ext ts,tsx --report-unused-disable-directives --max-warnings 0",
diff --git a/admin/src/App.tsx b/admin/src/App.tsx
index 27d5a2ae367..a4aecedcc96 100644
--- a/admin/src/App.tsx
+++ b/admin/src/App.tsx
@@ -10,41 +10,32 @@ import {Cable, Construction, Crown, NotepadText, Wrench, PhoneCall, LucideMenu,
 import {UpdateBanner} from "./components/UpdateBanner";
 
 const WS_URL = import.meta.env.DEV ? 'http://localhost:9001' : ''
+
 export const App = () => {
   const setSettings = useStore(state => state.setSettings);
   const {t} = useTranslation()
   const navigate = useNavigate()
   const [sidebarOpen, setSidebarOpen] = useState<boolean>(true)
+  const updateStatus = useStore(state => state.updateStatus)
+  const version = updateStatus?.currentVersion ?? null
 
   useEffect(() => {
-    fetch('/admin-auth/', {
-      method: 'POST'
-    }).then((value) => {
-      if (!value.ok) {
-        navigate('/login')
-      }
-    }).catch(() => {
-      navigate('/login')
-    })
+    fetch('/admin-auth/', {method: 'POST'}).then((value) => {
+      if (!value.ok) navigate('/login')
+    }).catch(() => navigate('/login'))
   }, []);
 
   useEffect(() => {
     document.title = t('admin.page-title')
-
     useStore.getState().setShowLoading(true);
-    const settingSocket = connect(`${WS_URL}/settings`, {
-      transports: ['websocket'],
-    });
 
-    const pluginsSocket = connect(`${WS_URL}/pluginfw/installer`, {
-      transports: ['websocket'],
-    })
+    const settingSocket = connect(`${WS_URL}/settings`, {transports: ['websocket']});
+    const pluginsSocket = connect(`${WS_URL}/pluginfw/installer`, {transports: ['websocket']})
 
     pluginsSocket.on('connect', () => {
       useStore.getState().setPluginsSocket(pluginsSocket);
     });
 
-
     settingSocket.on('connect', () => {
       useStore.getState().setSettingsSocket(settingSocket);
       useStore.getState().setShowLoading(false)
@@ -53,33 +44,21 @@ export const App = () => {
     });
 
     settingSocket.on('disconnect', (reason) => {
-      // The settingSocket.io client will automatically try to reconnect for all reasons other than "io
-      // server disconnect".
       useStore.getState().setShowLoading(true)
-      if (reason === 'io server disconnect') {
-        settingSocket.connect();
-      }
+      if (reason === 'io server disconnect') settingSocket.connect();
     });
 
     settingSocket.on('settings', (settings) => {
-      /* Check whether the settings.json is authorized to be viewed */
       if (settings.results === 'NOT_ALLOWED') {
         console.log('Not allowed to view settings.json')
         return;
       }
-
-      /* Check to make sure the JSON is clean before proceeding */
-      if (isJSONClean(settings.results)) {
-        setSettings(settings.results);
-      } else {
-        alert('Invalid JSON');
-      }
+      if (isJSONClean(settings.results)) setSettings(settings.results);
+      else alert('Invalid JSON');
       useStore.getState().setShowLoading(false);
     });
 
-    settingSocket.on('saveprogress', (status) => {
-      console.log(status)
-    })
+    settingSocket.on('saveprogress', (status) => console.log(status))
 
     return () => {
       settingSocket.disconnect();
@@ -87,37 +66,99 @@ export const App = () => {
     }
   }, []);
 
-  return <div id="wrapper" className={`${sidebarOpen ? '': 'closed' }`}>
-    <LoadingScreen/>
-    <div className="menu">
-      <div className="inner-menu">
-        <span>
-                    <Crown width={40} height={40}/>
-                    <h1>Etherpad</h1>
-                </span>
-        <ul onClick={()=>{
-          if (window.innerWidth < 768) {
-            setSidebarOpen(false)
-          }
-        }}>
-          <li><NavLink to="/plugins"><Cable/><Trans i18nKey="admin_plugins"/></NavLink></li>
-          <li><NavLink to={"/settings"}><Wrench/><Trans i18nKey="admin_settings"/></NavLink></li>
-          <li><NavLink to={"/help"}> <Construction/> <Trans i18nKey="admin_plugins_info"/></NavLink></li>
-          <li><NavLink to={"/pads"}><NotepadText/><Trans
-            i18nKey="ep_admin_pads:ep_adminpads2_manage-pads"/></NavLink></li>
-          <li><NavLink to={"/shout"}><PhoneCall/>Communication</NavLink></li>
-          <li><NavLink to={"/update"}><Bell/><Trans i18nKey="update.page.title"/></NavLink></li>
-        </ul>
+  const closeOnMobile = () => {
+    if (window.innerWidth < 768) setSidebarOpen(false)
+  }
+
+  return (
+    <div id="wrapper" className={sidebarOpen ? '' : 'closed'}>
+      <LoadingScreen/>
+      <div className="menu">
+        <div className="inner-menu">
+          <div className="sidebar-top">
+            <button
+              className="sidebar-burger"
+              onClick={() => setSidebarOpen(!sidebarOpen)}
+              aria-label="Toggle sidebar"
+            >
+              <LucideMenu size={20}/>
+            </button>
+            {sidebarOpen && (
+              <div className="sidebar-brand">
+                <div className="sidebar-brand-mark"><Crown size={20} strokeWidth={1.8}/></div>
+                <span className="sidebar-brand-name">Etherpad</span>
+              </div>
+            )}
+          </div>
+
+          <nav className="sidebar-nav" onClick={closeOnMobile}>
+            <NavLink
+              to="/plugins"
+              className={({isActive}) => `sidebar-nav-item${isActive ? ' is-active' : ''}`}
+              title={sidebarOpen ? undefined : t('admin_plugins')}
+            >
+              <span className="sidebar-nav-icon"><Cable size={18}/></span>
+              {sidebarOpen && <span className="sidebar-nav-label"><Trans i18nKey="admin_plugins"/></span>}
+            </NavLink>
+            <NavLink
+              to="/settings"
+              className={({isActive}) => `sidebar-nav-item${isActive ? ' is-active' : ''}`}
+              title={sidebarOpen ? undefined : t('admin_settings')}
+            >
+              <span className="sidebar-nav-icon"><Wrench size={18}/></span>
+              {sidebarOpen && <span className="sidebar-nav-label"><Trans i18nKey="admin_settings"/></span>}
+            </NavLink>
+            <NavLink
+              to="/help"
+              className={({isActive}) => `sidebar-nav-item${isActive ? ' is-active' : ''}`}
+              title={sidebarOpen ? undefined : t('admin_plugins_info')}
+            >
+              <span className="sidebar-nav-icon"><Construction size={18}/></span>
+              {sidebarOpen && <span className="sidebar-nav-label"><Trans i18nKey="admin_plugins_info"/></span>}
+            </NavLink>
+            <NavLink
+              to="/pads"
+              className={({isActive}) => `sidebar-nav-item${isActive ? ' is-active' : ''}`}
+              title={sidebarOpen ? undefined : undefined}
+            >
+              <span className="sidebar-nav-icon"><NotepadText size={18}/></span>
+              {sidebarOpen && <span className="sidebar-nav-label"><Trans i18nKey="ep_admin_pads:ep_adminpads2_manage-pads"/></span>}
+            </NavLink>
+            <NavLink
+              to="/shout"
+              className={({isActive}) => `sidebar-nav-item${isActive ? ' is-active' : ''}`}
+              title={sidebarOpen ? undefined : 'Communication'}
+            >
+              <span className="sidebar-nav-icon"><PhoneCall size={18}/></span>
+              {sidebarOpen && <span className="sidebar-nav-label">Communication</span>}
+            </NavLink>
+            <NavLink
+              to="/update"
+              className={({isActive}) => `sidebar-nav-item${isActive ? ' is-active' : ''}`}
+              title={sidebarOpen ? undefined : t('update.page.title')}
+            >
+              <span className="sidebar-nav-icon"><Bell size={18}/></span>
+              {sidebarOpen && <span className="sidebar-nav-label"><Trans i18nKey="update.page.title"/></span>}
+            </NavLink>
+          </nav>
+
+          {sidebarOpen && (
+            <div className="sidebar-footer">
+              <div className="sidebar-footer-row">
+                <span className="sidebar-status-dot"/>
+                <span>{version ? `v${version}` : 'Etherpad'}</span>
+              </div>
+            </div>
+          )}
+        </div>
+      </div>
+
+      <div className="innerwrapper">
+        <UpdateBanner/>
+        <Outlet/>
       </div>
     </div>
-      <button id="icon-button" onClick={() => {
-        setSidebarOpen(!sidebarOpen)
-      }}><LucideMenu/></button>
-    <div className="innerwrapper">
-      <UpdateBanner/>
-      <Outlet/>
-    </div>
-  </div>
+  )
 }
 
 export default App
diff --git a/admin/src/index.css b/admin/src/index.css
index 64eae3ccc4f..936aaf8401f 100644
--- a/admin/src/index.css
+++ b/admin/src/index.css
@@ -1,8 +1,29 @@
 :root {
-  --etherpad-color: #0f775b;
-  --etherpad-comp: #9C8840;
+  /* Etherpad green design system */
+  --ep-accent:       #149474;
+  --ep-accent-h:     #1AAA85;
+  --ep-accent-d:     #0E7257;
+  --ep-accent-tint:  #E6F5F0;
+  --ep-accent-tint2: #D1ECDF;
+  --ep-forest:       #0E3D32;
+  --ep-forest-d:     #082A22;
+  --ep-forest-l:     #155144;
+  --ink:             rgba(0,0,0,.88);
+  --ink-2:           rgba(0,0,0,.65);
+  --ink-3:           rgba(0,0,0,.45);
+  --ink-4:           rgba(0,0,0,.25);
+  --bg:              #F5F7F6;
+  --panel:           #FFFFFF;
+  --line:            #E7EAE8;
+  --line-2:          #F0F2F1;
+  --hover:           #F7FAF8;
+  --r:               6px;
+  --r-lg:            10px;
+  /* Legacy aliases kept for other pages */
+  --etherpad-color: #149474;
+  --etherpad-comp:  #0E3D32;
   --etherpad-light: #99FF99;
-  --sidebar-width: 20em;
+  --sidebar-width: 248px;
 }
 
 @font-face {
@@ -32,11 +53,8 @@ div.menu {
   left: 0;
   transition: left .3s;
   height: 100vh;
-  font-size: 16px;
-  font-weight: bolder;
   display: flex;
-  align-items: center;
-  justify-content: center;
+  align-items: stretch;
   width: var(--sidebar-width);
   z-index: 99;
   position: fixed;
@@ -86,62 +104,22 @@ div.menu {
 }
 
 
-div.menu span:first-child {
-  display: flex;
-  justify-content: center;
-}
-
-div.menu span:first-child svg {
-  margin-right: 10px;
-  align-self: center;
-}
-
-
-div.menu h1 {
-  font-size: 50px;
-  text-align: center;
-}
+/* sidebar brand header handled by .sidebar-* classes below */
 
 .inner-menu {
-  border-radius: 0 20px 20px 0;
-  padding: 10px;
-  flex-grow: 100;
-  background-color: var(--etherpad-comp);
-  color: white;
+  flex-grow: 1;
+  background-color: var(--ep-forest);
+  color: rgba(255,255,255,.92);
   height: 100vh;
-}
-
-div.menu ul {
-  color: white;
-  padding: 0;
-}
-
-div.menu li a {
   display: flex;
-  gap: 10px;
-  margin-bottom: 20px;
-}
-
-div.menu svg {
-  align-self: center;
-}
-
-div.menu li {
-  padding: 10px;
-  color: white;
-  list-style: none;
-  margin-left: 3px;
-  line-height: 3;
-}
-
-
-div.menu li:has(.active) {
-  background-color: #9C885C;
+  flex-direction: column;
+  overflow: hidden;
 }
 
-div.menu li a {
-  color: lightgray;
-}
+/* legacy menu rules kept for fallback */
+div.menu ul { color: white; padding: 0; }
+div.menu svg { align-self: center; }
+div.menu li { list-style: none; }
 
 
 div.innerwrapper {
@@ -152,7 +130,7 @@ div.innerwrapper {
   height: 100vh;
   flex-grow: 100;
   margin-left: var(--sidebar-width);
-  padding: 20px 20px 20px;
+  padding: 16px 12px;
 }
 
 div.innerwrapper-err {
@@ -342,34 +320,18 @@ pre {
 }
 
 
-#icon-button {
-  color: var(--etherpad-color);
-  top: 10px;
-  background-color: transparent;
-  border: none;
-  z-index: 99;
-  position: absolute;
-  left: 10px;
-}
+/* #icon-button removed — burger is now inside .sidebar-top */
+#icon-button { display: none; }
 
 
-.inner-menu span:nth-child(2) {
-  display: flex;
-  margin-top: 30px;
-}
+/* sidebar footer handled by .sidebar-footer below */
 
-#wrapper.closed .menu {
-  left: calc(-1 * var(--sidebar-width));
-}
-
-#wrapper.closed .innerwrapper {
-  margin-left: 0;
-}
+/* collapsed state handled by the rules at the bottom of this file */
 
 @media (max-width: 800px) {
 
   div.innerwrapper {
-    margin-left: 0;
+    margin-left: 64px;
   }
 
   .inner-menu {
@@ -377,10 +339,9 @@ pre {
   }
 
   div.menu {
-    height: auto;
+    height: 100vh;
     border-right: none;
-    --sidebar-width: 100%;
-    float: left;
+    width: 64px;
   }
 
   table {
@@ -922,3 +883,988 @@ input, button, select, optgroup, textarea {
 .update-page dt { font-weight: 600; color: #555; }
 .update-page dd { margin: 0; }
 .update-page pre { background: #f6f8fa; border: 1px solid #d0d7de; border-radius: 4px; padding: 12px; font-size: 13px; max-height: 400px; overflow: auto; }
+
+
+/* ═══════════════════════════════════════════════════════════════════════════
+   SIDEBAR — new forest-green design
+   ═══════════════════════════════════════════════════════════════════════════ */
+
+.sidebar-top {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  padding: 16px 14px 14px;
+  border-bottom: 1px solid rgba(255,255,255,.08);
+  flex-shrink: 0;
+}
+
+.sidebar-burger {
+  appearance: none;
+  border: 0;
+  width: 32px;
+  height: 32px;
+  border-radius: var(--r);
+  background: transparent;
+  color: rgba(255,255,255,.9);
+  display: grid;
+  place-items: center;
+  cursor: pointer;
+  flex-shrink: 0;
+  transition: background .15s;
+}
+.sidebar-burger:hover { background: rgba(255,255,255,.1); }
+
+.sidebar-brand {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  overflow: hidden;
+}
+
+.sidebar-brand-mark {
+  width: 32px;
+  height: 32px;
+  border-radius: var(--r);
+  background: rgba(255,255,255,.12);
+  color: #fff;
+  display: grid;
+  place-items: center;
+  flex-shrink: 0;
+}
+
+.sidebar-brand-name {
+  font-size: 17px;
+  font-weight: 600;
+  letter-spacing: -.01em;
+  color: #fff;
+  white-space: nowrap;
+}
+
+.sidebar-nav {
+  display: flex;
+  flex-direction: column;
+  gap: 2px;
+  padding: 12px 10px;
+  flex: 1;
+  overflow-y: auto;
+}
+
+.sidebar-nav .sidebar-nav-item,
+.sidebar-nav .sidebar-nav-item:link,
+.sidebar-nav .sidebar-nav-item:visited {
+  position: relative;
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  padding: 9px 12px;
+  border-radius: var(--r);
+  color: rgba(255,255,255,.55);
+  font-size: 13.5px;
+  font-weight: 500;
+  text-decoration: none;
+  transition: background .15s, color .15s;
+  white-space: nowrap;
+  overflow: hidden;
+}
+.sidebar-nav .sidebar-nav-item:hover {
+  background: rgba(255,255,255,.08);
+  color: #fff;
+  text-decoration: none;
+}
+.sidebar-nav .sidebar-nav-item.is-active {
+  background: rgba(255,255,255,.12);
+  color: #fff;
+}
+.sidebar-nav .sidebar-nav-item.is-active::before {
+  content: '';
+  position: absolute;
+  left: 0;
+  top: 8px;
+  bottom: 8px;
+  width: 3px;
+  border-radius: 0 3px 3px 0;
+  background: var(--ep-accent-h);
+}
+
+.sidebar-nav-icon {
+  display: grid;
+  place-items: center;
+  flex-shrink: 0;
+  opacity: .85;
+}
+.sidebar-nav-item.is-active .sidebar-nav-icon { opacity: 1; }
+
+.sidebar-nav-label {
+  overflow: hidden;
+  text-overflow: ellipsis;
+}
+
+.sidebar-footer {
+  padding: 14px 16px;
+  border-top: 1px solid rgba(255,255,255,.08);
+  font-size: 12px;
+  flex-shrink: 0;
+}
+
+.sidebar-footer-row {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  color: rgba(255,255,255,.8);
+}
+
+.sidebar-status-dot {
+  width: 7px;
+  height: 7px;
+  border-radius: 50%;
+  background: #5EE3B5;
+  box-shadow: 0 0 0 3px rgba(94,227,181,.2);
+  flex-shrink: 0;
+}
+
+/* collapsed sidebar — icon-only at 64px */
+#wrapper.closed .menu {
+  width: 64px;
+  left: 0;
+}
+#wrapper.closed .innerwrapper {
+  margin-left: 64px;
+}
+#wrapper.closed .sidebar-top {
+  justify-content: center;
+  padding: 16px 0;
+}
+#wrapper.closed .sidebar-nav-item {
+  justify-content: center;
+  padding: 9px 0;
+}
+#wrapper.closed .sidebar-nav-icon {
+  opacity: .85;
+}
+
+
+/* ═══════════════════════════════════════════════════════════════════════════
+   PLUGIN MANAGER PAGE  (pm-* classes)
+   ═══════════════════════════════════════════════════════════════════════════ */
+
+.pm-page {
+  padding: 8px 8px 40px;
+}
+
+/* Header */
+.pm-header {
+  display: flex;
+  justify-content: space-between;
+  align-items: flex-end;
+  gap: 24px;
+  margin-bottom: 24px;
+}
+
+.pm-crumbs {
+  font-size: 12px;
+  color: var(--ink-3);
+  display: flex;
+  align-items: center;
+  gap: 6px;
+  margin-bottom: 4px;
+}
+.pm-crumbs-sep { color: var(--ink-4); }
+
+.pm-title {
+  font-size: 26px;
+  font-weight: 600;
+  letter-spacing: -.015em;
+  margin: 0 0 4px;
+  color: var(--ink);
+  line-height: 1.2;
+}
+
+.pm-subtitle {
+  font-size: 13.5px;
+  color: var(--ink-2);
+  margin: 0;
+  max-width: 60ch;
+}
+
+.pm-header-actions {
+  display: flex;
+  gap: 8px;
+  flex-shrink: 0;
+}
+
+/* Buttons */
+.pm-btn {
+  appearance: none;
+  border: 1px solid transparent;
+  height: 32px;
+  padding: 0 12px;
+  border-radius: var(--r);
+  font-size: 13px;
+  font-weight: 500;
+  cursor: pointer;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  gap: 6px;
+  transition: all .15s;
+  white-space: nowrap;
+  text-decoration: none;
+  font-family: inherit;
+}
+.pm-btn--sm { height: 28px; padding: 0 10px; font-size: 12px; }
+
+.pm-btn-primary {
+  background: var(--ep-accent);
+  color: #fff;
+}
+.pm-btn-primary:hover { background: var(--ep-accent-h); }
+.pm-btn-primary:active { background: var(--ep-accent-d); }
+a.pm-btn-primary:link, a.pm-btn-primary:visited { color: #fff; }
+
+.pm-btn-ghost {
+  background: var(--panel);
+  border-color: var(--line);
+  color: var(--ink);
+}
+.pm-btn-ghost:hover { border-color: var(--ep-accent); color: var(--ep-accent-d); }
+
+/* Stats row */
+.pm-stats {
+  display: grid;
+  grid-template-columns: repeat(4, 1fr);
+  gap: 12px;
+  margin-bottom: 24px;
+}
+
+.pm-stat {
+  background: var(--panel);
+  border: 1px solid var(--line);
+  border-radius: var(--r-lg);
+  padding: 16px 18px;
+  position: relative;
+  overflow: hidden;
+}
+
+.pm-stat--primary {
+  border-color: var(--ep-accent-tint2);
+  background: linear-gradient(135deg, var(--ep-accent-tint) 0%, #fff 60%);
+}
+.pm-stat--primary .pm-stat-value { color: var(--ep-accent-d); }
+
+.pm-stat--warn {
+  border-color: #FFE7BA;
+  background: linear-gradient(135deg, #FFFBEB 0%, #fff 60%);
+}
+.pm-stat--warn .pm-stat-value { color: #B45309; }
+
+.pm-stat-label {
+  font-size: 11.5px;
+  color: var(--ink-3);
+  text-transform: uppercase;
+  letter-spacing: .04em;
+  font-weight: 600;
+}
+
+.pm-stat-value {
+  font-size: 30px;
+  font-weight: 600;
+  letter-spacing: -.02em;
+  color: var(--ink);
+  margin: 4px 0 2px;
+  font-variant-numeric: tabular-nums;
+  line-height: 1.1;
+}
+.pm-stat-value--sm { font-size: 18px; }
+
+.pm-stat-hint {
+  font-size: 12px;
+  color: var(--ink-3);
+}
+
+.pm-stat-action {
+  appearance: none;
+  border: 0;
+  background: transparent;
+  color: #B45309;
+  font-size: 12px;
+  font-weight: 600;
+  padding: 0;
+  margin-top: 6px;
+  cursor: pointer;
+  display: block;
+  font-family: inherit;
+}
+.pm-stat-action:hover { text-decoration: underline; }
+
+/* Sections */
+.pm-section { margin-bottom: 32px; }
+
+.pm-section-header {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  margin-bottom: 12px;
+}
+.pm-section-header h2 {
+  font-size: 17px;
+  font-weight: 600;
+  letter-spacing: -.01em;
+  margin: 0;
+  color: var(--ink);
+}
+
+.pm-count-badge {
+  font-size: 11px;
+  font-weight: 600;
+  padding: 3px 8px;
+  border-radius: 999px;
+  background: var(--ep-accent-tint);
+  color: var(--ep-accent-d);
+}
+
+.pm-spacer { flex: 1; }
+
+/* Installed list */
+.pm-installed {
+  background: var(--panel);
+  border: 1px solid var(--line);
+  border-radius: var(--r-lg);
+  overflow: hidden;
+}
+
+.pm-installed-row {
+  display: grid;
+  grid-template-columns: 36px 1fr auto;
+  gap: 14px;
+  align-items: center;
+  padding: 13px 18px;
+  border-bottom: 1px solid var(--line-2);
+  transition: background .15s;
+}
+.pm-installed-row:last-child { border-bottom: 0; }
+.pm-installed-row:hover { background: var(--hover); }
+
+.pm-installed-icon {
+  width: 36px;
+  height: 36px;
+  border-radius: var(--r);
+  background: var(--ep-accent-tint);
+  color: var(--ep-accent-d);
+  display: grid;
+  place-items: center;
+  flex-shrink: 0;
+}
+
+.pm-installed-main {
+  min-width: 0;
+}
+
+.pm-installed-title {
+  display: flex;
+  align-items: center;
+  gap: 7px;
+  flex-wrap: wrap;
+}
+
+.pm-installed-desc {
+  font-size: 12.5px;
+  color: var(--ink-3);
+  margin-top: 2px;
+}
+
+.pm-installed-actions { display: flex; gap: 6px; }
+
+/* Tags */
+.pm-tag {
+  display: inline-flex;
+  align-items: center;
+  font-size: 10.5px;
+  font-weight: 600;
+  padding: 2px 7px;
+  border-radius: 4px;
+  letter-spacing: .02em;
+  text-transform: uppercase;
+  white-space: nowrap;
+}
+.pm-tag--core {
+  background: rgba(20,148,116,.12);
+  color: var(--ep-accent-d);
+  border: 1px solid rgba(20,148,116,.3);
+}
+.pm-tag--ver {
+  background: var(--line-2);
+  color: var(--ink-2);
+  font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+  text-transform: none;
+  letter-spacing: 0;
+  font-weight: 500;
+}
+.pm-tag--popular {
+  background: rgba(20,148,116,.12);
+  color: var(--ep-accent-d);
+  border: 1px solid rgba(20,148,116,.25);
+}
+
+/* Toolbar (search + sort) */
+.pm-toolbar {
+  display: flex;
+  gap: 8px;
+  align-items: center;
+}
+
+.pm-search {
+  position: relative;
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  width: 260px;
+  height: 32px;
+  padding: 0 10px;
+  border-radius: var(--r);
+  background: var(--panel);
+  border: 1px solid var(--line);
+  transition: border-color .15s, box-shadow .15s;
+}
+.pm-search:focus-within {
+  border-color: var(--ep-accent);
+  box-shadow: 0 0 0 2px rgba(20,148,116,.15);
+}
+
+.pm-search-icon { color: var(--ink-3); flex-shrink: 0; }
+.pm-search:focus-within .pm-search-icon { color: var(--ep-accent-d); }
+
+.pm-search-input {
+  flex: 1;
+  min-width: 0;
+  border: 0;
+  outline: 0;
+  background: transparent;
+  font-size: 13px;
+  color: var(--ink);
+  padding: 0;
+  height: auto;
+  font-weight: normal;
+  box-shadow: none;
+}
+
+.pm-search-clear {
+  appearance: none;
+  border: 0;
+  width: 18px;
+  height: 18px;
+  border-radius: 4px;
+  background: rgba(0,0,0,.06);
+  display: grid;
+  place-items: center;
+  cursor: pointer;
+  color: var(--ink-3);
+  flex-shrink: 0;
+  padding: 0;
+}
+
+.pm-select {
+  appearance: none;
+  height: 32px;
+  padding: 0 28px 0 10px;
+  border-radius: var(--r);
+  border: 1px solid var(--line);
+  background: var(--panel);
+  font-size: 13px;
+  color: var(--ink);
+  cursor: pointer;
+  font-family: inherit;
+  background-image: url("data:image/svg+xml;utf8,<svg xmlns='http://www.w3.org/2000/svg' width='10' height='6' viewBox='0 0 10 6'><path fill='rgba(0,0,0,.45)' d='M0 0h10L5 6z'/></svg>");
+  background-repeat: no-repeat;
+  background-position: right 10px center;
+}
+.pm-select:hover { border-color: var(--ep-accent); }
+
+/* Mono name */
+.pm-mono {
+  font-family: ui-monospace, SFMono-Regular, Menlo, Consolas, monospace;
+  font-size: 13px;
+}
+
+/* Available table — all rules scoped under .pm-table-wrap to beat global table styles */
+.pm-table-wrap {
+  background: var(--panel);
+  border: 1px solid var(--line);
+  border-radius: var(--r-lg);
+  overflow-x: auto;
+}
+
+.pm-table-wrap table {
+  width: 100%;
+  border-collapse: separate;
+  border-spacing: 0;
+  font-size: 13px;
+  box-shadow: none;
+  margin: 0;
+  min-width: 0;
+  font-family: inherit;
+}
+
+.pm-table-wrap table thead tr {
+  font-size: 12px;
+  background-color: #FAFBFA;
+  color: var(--ink-2);
+}
+
+.pm-table-wrap table thead th {
+  text-align: left;
+  font-size: 12px;
+  font-weight: 600;
+  color: var(--ink-2);
+  background: #FAFBFA;
+  padding: 10px 14px;
+  border-bottom: 1px solid var(--line);
+  letter-spacing: .01em;
+  border-radius: 0;
+}
+
+.pm-table-wrap table th:first-child { border-top-left-radius: 0; }
+.pm-table-wrap table th:last-child  { border-top-right-radius: 0; }
+
+.pm-table-wrap table tbody tr {
+  border-bottom: none;
+  background-color: var(--panel);
+}
+
+.pm-table-wrap table tbody tr:nth-child(even),
+.pm-table-wrap table tbody tr:nth-of-type(even) {
+  background-color: var(--panel);
+}
+
+.pm-table-wrap table tbody tr:last-of-type {
+  border-bottom: none;
+}
+
+.pm-table-wrap table tbody td {
+  padding: 13px 14px;
+  border-bottom: 1px solid var(--line-2);
+  vertical-align: middle;
+  color: var(--ink);
+  background: var(--panel);
+}
+
+.pm-table-wrap table tbody tr:last-child td { border-bottom: 0; }
+.pm-table-wrap table tr:nth-child(even) td  { background-color: var(--panel); }
+.pm-table-wrap table tbody tr:hover td      { background: var(--hover); }
+
+.pm-table-wrap .pm-cell-name {
+  display: flex;
+  gap: 10px;
+  align-items: center;
+}
+
+.pm-table-wrap .pm-cell-icon {
+  width: 26px;
+  height: 26px;
+  border-radius: var(--r);
+  background: var(--ep-accent-tint);
+  color: var(--ep-accent-d);
+  display: grid;
+  place-items: center;
+  flex-shrink: 0;
+}
+
+.pm-table-wrap .pm-cell-title {
+  display: flex;
+  align-items: center;
+  gap: 6px;
+  flex-wrap: wrap;
+}
+
+.pm-table-wrap .pm-cell-desc { color: var(--ink-2); }
+
+.pm-table-wrap .pm-num {
+  font-variant-numeric: tabular-nums;
+  text-align: right;
+  color: var(--ink-2);
+}
+
+.pm-table-wrap .pm-cell-date { color: var(--ink-3); font-size: 12.5px; font-variant-numeric: tabular-nums; }
+
+.pm-table-wrap .pm-cell-action { text-align: right; }
+
+/* Empty state */
+.pm-empty {
+  text-align: center;
+  padding: 56px 20px;
+  background: var(--panel);
+  border: 1px dashed var(--line);
+  border-radius: var(--r-lg);
+}
+.pm-empty-icon { font-size: 44px; color: var(--ink-4); margin-bottom: 10px; }
+.pm-empty-title { font-size: 15px; font-weight: 500; color: var(--ink); }
+
+/* Responsive */
+@media (max-width: 1100px) {
+  .pm-stats { grid-template-columns: repeat(2, 1fr); }
+}
+@media (max-width: 760px) {
+  .pm-page { padding: 16px 16px 40px; }
+  .pm-header { flex-direction: column; align-items: flex-start; }
+  .pm-stats { grid-template-columns: 1fr 1fr; }
+  .pm-toolbar { flex-wrap: wrap; }
+  .pm-search { width: 100%; }
+}
+
+/* ═══════════════════════════════════════════════════════════════════════════
+   Pads page — pm-* extensions
+   ═══════════════════════════════════════════════════════════════════════════ */
+
+/* Filter chips */
+.pm-chips {
+  display: flex;
+  flex-wrap: wrap;
+  gap: 6px;
+  padding: 0 0 12px;
+}
+.pm-chip {
+  height: 28px;
+  padding: 0 12px;
+  border-radius: 14px;
+  border: 1px solid var(--line-1);
+  background: transparent;
+  color: var(--ink-2);
+  font-size: 12px;
+  font-weight: 500;
+  cursor: pointer;
+  transition: background .15s, color .15s, border-color .15s;
+}
+.pm-chip:hover { background: var(--ep-accent-tint); border-color: var(--ep-accent); color: var(--ep-accent); }
+.pm-chip.is-on { background: var(--ep-accent); border-color: var(--ep-accent); color: #fff; }
+
+/* Bulk action bar */
+.pm-bulk {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  padding: 8px 14px;
+  margin-bottom: 8px;
+  background: var(--ep-accent-tint);
+  border: 1px solid color-mix(in srgb, var(--ep-accent) 30%, transparent);
+  border-radius: 8px;
+  font-size: 13px;
+}
+.pm-bulk-count { font-weight: 600; color: var(--ep-accent); }
+
+/* Danger button */
+.pm-btn-danger {
+  background: transparent;
+  color: #c0392b;
+  border: 1px solid #f5c0bb;
+}
+.pm-btn-danger:hover { background: #fdf2f2; border-color: #c0392b; }
+
+/* Icon-only button */
+.pm-btn-icon {
+  width: 30px;
+  height: 30px;
+  padding: 0;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  border-radius: 6px;
+  border: 1px solid var(--line-1);
+  background: transparent;
+  color: var(--ink-2);
+  cursor: pointer;
+  transition: background .15s, color .15s;
+}
+.pm-btn-icon:hover { background: var(--panel); color: var(--ink-1); }
+.pm-btn-icon--danger:hover { background: #fdf2f2; color: #c0392b; border-color: #f5c0bb; }
+
+/* Custom checkbox */
+.pm-check {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  cursor: pointer;
+}
+.pm-check input[type="checkbox"] {
+  width: 15px;
+  height: 15px;
+  accent-color: var(--ep-accent);
+  cursor: pointer;
+}
+
+/* Pad name cell */
+.pm-pad-name {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+}
+.pm-pad-mark {
+  flex-shrink: 0;
+  width: 28px;
+  height: 28px;
+  border-radius: 6px;
+  background: color-mix(in srgb, var(--ep-accent) 15%, transparent);
+  color: var(--ep-accent);
+  display: flex;
+  align-items: center;
+  justify-content: center;
+}
+.pm-pad-mark[data-empty] {
+  background: var(--panel);
+  color: var(--ink-3);
+}
+.pm-pad-title {
+  font-size: 13px;
+  font-weight: 500;
+  color: var(--ink-1);
+  font-family: 'JetBrains Mono', 'Fira Mono', monospace;
+}
+.pm-pad-sub {
+  font-size: 11px;
+  color: var(--ink-3);
+  margin-top: 1px;
+}
+
+/* Users pill */
+.pm-users-pill {
+  display: inline-flex;
+  align-items: center;
+  gap: 5px;
+  padding: 2px 8px;
+  border-radius: 10px;
+  background: color-mix(in srgb, var(--ep-accent) 12%, transparent);
+  color: var(--ep-accent);
+  font-size: 12px;
+  font-weight: 600;
+}
+.pm-users-pill.is-muted { background: var(--panel); color: var(--ink-3); font-weight: 400; }
+.pm-users-dot {
+  width: 6px;
+  height: 6px;
+  border-radius: 50%;
+  background: var(--ep-accent);
+  animation: pm-pulse 2s ease-in-out infinite;
+}
+@keyframes pm-pulse {
+  0%, 100% { opacity: 1; }
+  50% { opacity: .4; }
+}
+
+/* Timestamp cell */
+.pm-time {
+  display: flex;
+  flex-direction: column;
+  gap: 2px;
+}
+.pm-time-rel { font-size: 13px; color: var(--ink-1); }
+.pm-time-abs { font-size: 11px; color: var(--ink-3); }
+
+/* Row actions */
+.pm-row-actions {
+  display: flex;
+  align-items: center;
+  gap: 6px;
+  justify-content: flex-end;
+}
+
+/* Selected / empty row tinting */
+.pm-table-wrap table tbody tr.is-sel td { background: color-mix(in srgb, var(--ep-accent) 6%, transparent) !important; }
+.pm-table-wrap table tbody tr.is-empty .pm-pad-title { color: var(--ink-3); }
+
+/* Pagination */
+.pm-pagination {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  padding: 16px 0 0;
+  justify-content: center;
+}
+.pm-pagination-info { font-size: 13px; color: var(--ink-2); min-width: 60px; text-align: center; }
+
+/* ═══════════════════════════════════════════════════════════════════════════
+   Help page (Hilfestellung) — pm-* extensions
+   ═══════════════════════════════════════════════════════════════════════════ */
+
+/* Version hero block */
+.pm-help-version {
+  display: grid;
+  grid-template-columns: 280px 1fr;
+  gap: 24px;
+  background: var(--panel);
+  border: 1px solid var(--line);
+  border-radius: var(--r-lg);
+  padding: 22px 24px;
+  margin-bottom: 24px;
+  position: relative;
+  overflow: hidden;
+}
+.pm-help-version::before {
+  content: "";
+  position: absolute; left: 0; top: 0; bottom: 0; width: 4px;
+  background: linear-gradient(180deg, var(--ep-accent) 0%, var(--ep-accent-d) 100%);
+}
+.pm-hv-main { display: flex; flex-direction: column; gap: 4px; }
+.pm-hv-lbl {
+  font-size: 11px; font-weight: 600;
+  text-transform: uppercase; letter-spacing: .06em;
+  color: var(--ink-3);
+}
+.pm-hv-num {
+  font-size: 42px; font-weight: 600; line-height: 1.05;
+  letter-spacing: -.025em;
+  color: var(--ink);
+  font-variant-numeric: tabular-nums;
+  margin: 4px 0 8px;
+}
+.pm-hv-status {
+  display: inline-flex; align-items: center; gap: 6px;
+  font-size: 12.5px; font-weight: 500;
+  padding: 5px 10px;
+  border-radius: 999px;
+  width: fit-content;
+}
+.pm-hv-status.is-ok   { background: var(--ep-accent-tint); color: var(--ep-accent-d); }
+.pm-hv-status.is-warn { background: #FEF3C7; color: #92400E; }
+.pm-hv-dot { width: 6px; height: 6px; border-radius: 50%; background: currentColor; flex-shrink: 0; }
+.pm-hv-meta {
+  display: grid;
+  grid-template-columns: repeat(5, 1fr);
+  gap: 16px;
+  align-content: center;
+  border-left: 1px solid var(--line);
+  padding-left: 24px;
+}
+.pm-hv-cell-lbl {
+  font-size: 11px; font-weight: 600;
+  text-transform: uppercase; letter-spacing: .04em;
+  color: var(--ink-3); margin-bottom: 4px;
+}
+.pm-hv-cell-val {
+  font-size: 18px; font-weight: 600; line-height: 1.2;
+  color: var(--ink);
+  display: inline-flex; align-items: center; gap: 6px;
+  font-variant-numeric: tabular-nums;
+}
+.pm-mono { font-family: ui-monospace, 'JetBrains Mono', Consolas, monospace; font-size: 14px; }
+.pm-mini-btn {
+  appearance: none; border: 0;
+  background: var(--line-2);
+  color: var(--ink-3);
+  border-radius: 4px;
+  width: 20px; height: 20px;
+  display: inline-flex; align-items: center; justify-content: center;
+  cursor: pointer;
+  transition: background .15s, color .15s;
+}
+.pm-mini-btn:hover { background: var(--ep-accent-tint); color: var(--ep-accent-d); }
+
+/* Plugins + Parts two-column grid */
+.pm-help-grid {
+  display: grid;
+  grid-template-columns: 1fr 2fr;
+  gap: 16px;
+  align-items: start;
+}
+.pm-help-card {
+  background: var(--panel);
+  border: 1px solid var(--line);
+  border-radius: var(--r-lg);
+  padding: 18px 20px;
+}
+.pm-sec-tight { margin-bottom: 14px; padding-bottom: 0; border-bottom: none; }
+.pm-sec-tight h2 { font-size: 14px; }
+
+/* Tag cloud */
+.pm-tag-cloud { display: flex; flex-wrap: wrap; gap: 6px; }
+
+/* Pills */
+.pm-pill {
+  display: inline-flex; align-items: center; gap: 5px;
+  font-size: 12px; font-weight: 500;
+  padding: 5px 10px;
+  border-radius: 6px;
+  background: var(--line-2);
+  color: var(--ink-2);
+  border: 1px solid transparent;
+  transition: background .15s, color .15s, border-color .15s;
+}
+.pm-pill:hover { background: var(--ep-accent-tint); color: var(--ep-accent-d); border-color: var(--ep-accent-tint2); }
+.pm-pill-mono { font-family: ui-monospace, 'JetBrains Mono', Consolas, monospace; font-size: 11.5px; }
+.pm-pill-sm   { padding: 3px 8px; font-size: 11px; }
+.pm-pill-ico {
+  width: 14px; height: 14px;
+  display: grid; place-items: center;
+  border-radius: 3px;
+  background: var(--ep-accent);
+  color: #fff;
+  flex-shrink: 0;
+}
+.pm-pill-ns  { color: var(--ink-3); }
+.pm-pill-sep { color: var(--ink-4); margin: 0 1px; }
+.pm-pill:hover .pm-pill-ns { color: var(--ep-accent-d); opacity: .7; }
+
+/* Server/Client tab switcher */
+.pm-tabs {
+  display: inline-flex;
+  background: var(--line-2);
+  border-radius: var(--r);
+  padding: 3px;
+  gap: 2px;
+}
+.pm-tab {
+  appearance: none; border: 0;
+  background: transparent;
+  height: 26px; padding: 0 12px;
+  border-radius: 4px;
+  font-size: 12.5px; font-weight: 500;
+  color: var(--ink-2);
+  cursor: pointer;
+  display: inline-flex; align-items: center; gap: 6px;
+  transition: background .15s, color .15s, box-shadow .15s;
+}
+.pm-tab:hover { color: var(--ink); }
+.pm-tab.is-on {
+  background: var(--panel);
+  color: var(--ep-accent-d);
+  box-shadow: 0 1px 4px rgba(0,0,0,.1);
+}
+.pm-tab-n {
+  font-size: 10.5px; font-weight: 600;
+  padding: 1px 5px;
+  border-radius: 999px;
+  background: rgba(0,0,0,.06);
+  color: var(--ink-3);
+}
+.pm-tab.is-on .pm-tab-n { background: var(--ep-accent-tint); color: var(--ep-accent-d); }
+
+/* Hooks list */
+.pm-hooks {
+  background: var(--panel);
+  border: 1px solid var(--line);
+  border-radius: var(--r-lg);
+  overflow: hidden;
+}
+.pm-hook {
+  padding: 14px 20px;
+  border-bottom: 1px solid var(--line-2);
+  display: grid;
+  grid-template-columns: 220px 1fr;
+  gap: 18px;
+  align-items: start;
+}
+.pm-hook:last-child { border-bottom: 0; }
+.pm-hook:hover { background: var(--hover); }
+.pm-hook-h { display: flex; flex-direction: column; gap: 3px; }
+.pm-hook-name {
+  font-family: ui-monospace, 'JetBrains Mono', Consolas, monospace;
+  font-size: 13.5px; font-weight: 600;
+  color: var(--ink);
+  word-break: break-all;
+}
+.pm-hook-count { font-size: 11px; color: var(--ink-3); }
+.pm-hook-parts { display: flex; flex-wrap: wrap; gap: 4px; }
+
+@media (max-width: 1100px) {
+  .pm-help-version { grid-template-columns: 1fr; }
+  .pm-hv-meta { border-left: 0; padding-left: 0; padding-top: 16px; border-top: 1px solid var(--line); grid-template-columns: repeat(3, 1fr); }
+  .pm-help-grid { grid-template-columns: 1fr; }
+  .pm-hook { grid-template-columns: 1fr; }
+}
diff --git a/admin/src/pages/HelpPage.tsx b/admin/src/pages/HelpPage.tsx
index 13454742096..7d649742d4c 100644
--- a/admin/src/pages/HelpPage.tsx
+++ b/admin/src/pages/HelpPage.tsx
@@ -1,70 +1,225 @@
-import {Trans} from "react-i18next";
+import {Trans, useTranslation} from "react-i18next";
 import {useStore} from "../store/store.ts";
-import {useEffect, useState} from "react";
+import {useEffect, useMemo, useState} from "react";
 import {HelpObj} from "./Plugin.ts";
+import {Copy, Search, X, Plug} from "lucide-react";
 
 export const HelpPage = () => {
-  const settingsSocket = useStore(state=>state.settingsSocket)
-  const [helpData, setHelpData] = useState<HelpObj>();
+  const settingsSocket = useStore(state => state.settingsSocket)
+  const {t} = useTranslation()
+  const [helpData, setHelpData] = useState<HelpObj>()
+  const [tab, setTab] = useState<'server' | 'client'>('server')
+  const [q, setQ] = useState('')
 
   useEffect(() => {
-    if(!settingsSocket) return;
-    settingsSocket?.on('reply:help', (data) => {
-      setHelpData(data)
-    });
-
-    settingsSocket?.emit('help');
-  }, [settingsSocket]);
-
-  const renderHooks = (hooks:Record<string, Record<string, string>>) => {
-    return Object.keys(hooks).map((hookName, i) => {
-      return <div key={hookName+i}>
-        <h3>{hookName}</h3>
-        <ul>
-          {Object.keys(hooks[hookName]).map((hook, i) => <li key={hook+i}>{hook}
-            <ul key={hookName+hook+i}>
-              {Object.keys(hooks[hookName][hook]).map((subHook, i) => <li key={i}>{subHook}</li>)}
-            </ul>
-          </li>)}
-        </ul>
-      </div>
-    })
+    if (!settingsSocket) return
+    settingsSocket.on('reply:help', (data) => setHelpData(data))
+    settingsSocket.emit('help')
+  }, [settingsSocket])
+
+  const serverHooks = useMemo(() => {
+    if (!helpData) return []
+    return Object.keys(helpData.installedServerHooks).map(hookName => ({
+      name: hookName,
+      parts: Object.keys((helpData.installedServerHooks as Record<string, Record<string, unknown>>)[hookName] ?? {}),
+    }))
+  }, [helpData])
+
+  const clientHooks = useMemo(() => {
+    if (!helpData) return []
+    return Object.keys(helpData.installedClientHooks).map(hookName => ({
+      name: hookName,
+      parts: Object.keys(helpData.installedClientHooks[hookName] ?? {}),
+    }))
+  }, [helpData])
+
+  const hooks = tab === 'server' ? serverHooks : clientHooks
+
+  const filteredHooks = useMemo(() => {
+    if (!q.trim()) return hooks
+    const s = q.toLowerCase()
+    return hooks.filter(h =>
+      h.name.toLowerCase().includes(s) || h.parts.some(p => p.toLowerCase().includes(s))
+    )
+  }, [hooks, q])
+
+  const totalBindings = hooks.reduce((n, h) => n + h.parts.length, 0)
+
+  const updateAvailable = helpData
+    ? helpData.epVersion.localeCompare(helpData.latestVersion, undefined, {numeric: true}) < 0
+    : false
+
+  const copyDiag = () => {
+    if (!helpData) return
+    navigator.clipboard?.writeText(JSON.stringify({
+      version: helpData.epVersion,
+      latestVersion: helpData.latestVersion,
+      gitCommit: helpData.gitCommit,
+      plugins: helpData.installedPlugins.length,
+      parts: helpData.installedParts.length,
+      hookBindings: totalBindings,
+    }, null, 2))
   }
 
+  if (!helpData) return (
+    <div className="pm-page">
+      <div className="pm-empty"><div className="pm-empty-icon">⋯</div></div>
+    </div>
+  )
+
+  return (
+    <div className="pm-page">
+
+      {/* ── Page header ── */}
+      <div className="pm-header">
+        <div>
+          <div className="pm-crumbs">Admin <span className="pm-crumbs-sep">›</span> <Trans i18nKey="admin_plugins_info"/></div>
+          <h1 className="pm-title"><Trans i18nKey="admin_plugins_info"/></h1>
+          <p className="pm-subtitle">System-Diagnose: installierte Version, registrierte Teile und Hooks.</p>
+        </div>
+        <div className="pm-header-actions">
+          <button className="pm-btn pm-btn-ghost" onClick={copyDiag}>
+            <Copy size={14}/> Diagnose kopieren
+          </button>
+        </div>
+      </div>
+
+      {/* ── Version block ── */}
+      <section className="pm-help-version">
+        <div className="pm-hv-main">
+          <div className="pm-hv-lbl"><Trans i18nKey="admin_plugins_info.version"/></div>
+          <div className="pm-hv-num">{helpData.epVersion}</div>
+          <div className={`pm-hv-status${updateAvailable ? ' is-warn' : ' is-ok'}`}>
+            <span className="pm-hv-dot"/>
+            {updateAvailable
+              ? `Update verfügbar: ${helpData.latestVersion}`
+              : 'Auf dem neuesten Stand'}
+          </div>
+        </div>
+        <div className="pm-hv-meta">
+          <div className="pm-hv-cell">
+            <div className="pm-hv-cell-lbl"><Trans i18nKey="admin_plugins_info.version_latest"/></div>
+            <div className="pm-hv-cell-val">{helpData.latestVersion}</div>
+          </div>
+          <div className="pm-hv-cell">
+            <div className="pm-hv-cell-lbl">Git SHA</div>
+            <div className="pm-hv-cell-val pm-mono">
+              {helpData.gitCommit}
+              <button
+                className="pm-mini-btn"
+                onClick={() => navigator.clipboard?.writeText(helpData.gitCommit)}
+                title={t('admin_plugins_info.version') + ' kopieren'}
+              >
+                <Copy size={11}/>
+              </button>
+            </div>
+          </div>
+          <div className="pm-hv-cell">
+            <div className="pm-hv-cell-lbl"><Trans i18nKey="admin_plugins.installed"/></div>
+            <div className="pm-hv-cell-val">{helpData.installedPlugins.length}</div>
+          </div>
+          <div className="pm-hv-cell">
+            <div className="pm-hv-cell-lbl"><Trans i18nKey="admin_plugins_info.parts"/></div>
+            <div className="pm-hv-cell-val">{helpData.installedParts.length}</div>
+          </div>
+          <div className="pm-hv-cell">
+            <div className="pm-hv-cell-lbl">Hook-Bindings</div>
+            <div className="pm-hv-cell-val">{totalBindings}</div>
+          </div>
+        </div>
+      </section>
+
+      {/* ── Plugins + Parts ── */}
+      <section className="pm-section">
+        <div className="pm-help-grid">
+          <div className="pm-help-card">
+            <div className="pm-section-header pm-sec-tight">
+              <h2><Trans i18nKey="admin_plugins.installed"/></h2>
+              <span className="pm-count-badge">{helpData.installedPlugins.length}</span>
+            </div>
+            <div className="pm-tag-cloud">
+              {helpData.installedPlugins.map(p => (
+                <span key={p} className="pm-pill pm-pill-mono">
+                  <span className="pm-pill-ico"><Plug size={11}/></span>
+                  {p}
+                </span>
+              ))}
+            </div>
+          </div>
+
+          <div className="pm-help-card">
+            <div className="pm-section-header pm-sec-tight">
+              <h2><Trans i18nKey="admin_plugins_info.parts"/></h2>
+              <span className="pm-count-badge">{helpData.installedParts.length}</span>
+            </div>
+            <div className="pm-tag-cloud">
+              {helpData.installedParts.map(p => {
+                const slash = p.indexOf('/')
+                const ns   = slash >= 0 ? p.slice(0, slash) : p
+                const name = slash >= 0 ? p.slice(slash + 1) : ''
+                return (
+                  <span key={p} className="pm-pill pm-pill-mono" title={p}>
+                    <span className="pm-pill-ns">{ns}</span>
+                    {name && <><span className="pm-pill-sep">/</span><span>{name}</span></>}
+                  </span>
+                )
+              })}
+            </div>
+          </div>
+        </div>
+      </section>
 
-  if (!helpData) return <div></div>
+      {/* ── Hooks ── */}
+      <section className="pm-section">
+        <div className="pm-section-header">
+          <h2><Trans i18nKey="admin_plugins_info.hooks"/></h2>
+          <span className="pm-count-badge">{filteredHooks.length}</span>
+          <div className="pm-spacer"/>
+          <div className="pm-toolbar">
+            <div className="pm-tabs">
+              <button className={`pm-tab${tab === 'server' ? ' is-on' : ''}`} onClick={() => setTab('server')}>
+                Server <span className="pm-tab-n">{serverHooks.length}</span>
+              </button>
+              <button className={`pm-tab${tab === 'client' ? ' is-on' : ''}`} onClick={() => setTab('client')}>
+                Client <span className="pm-tab-n">{clientHooks.length}</span>
+              </button>
+            </div>
+            <div className="pm-search">
+              <Search size={14} className="pm-search-icon"/>
+              <input
+                className="pm-search-input"
+                value={q}
+                onChange={e => setQ(e.target.value)}
+                placeholder="Hook oder Teil suchen…"
+              />
+              {q && <button className="pm-search-clear" onClick={() => setQ('')}><X size={12}/></button>}
+            </div>
+          </div>
+        </div>
 
-  return <div>
-    <h1><Trans i18nKey="admin_plugins_info.version"/></h1>
-    <div className="help-block">
-      <div><Trans i18nKey="admin_plugins_info.version_number"/></div>
-      <div>{helpData?.epVersion}</div>
-      <div><Trans i18nKey="admin_plugins_info.version_latest"/></div>
-      <div>{helpData.latestVersion}</div>
-      <div>Git sha</div>
-      <div>{helpData.gitCommit}</div>
+        {filteredHooks.length > 0 ? (
+          <div className="pm-hooks">
+            {filteredHooks.map(h => (
+              <div key={h.name} className="pm-hook">
+                <div className="pm-hook-h">
+                  <span className="pm-hook-name">{h.name}</span>
+                  <span className="pm-hook-count">{h.parts.length} Bindings</span>
+                </div>
+                <div className="pm-hook-parts">
+                  {h.parts.map(p => (
+                    <span key={p} className="pm-pill pm-pill-mono pm-pill-sm">{p}</span>
+                  ))}
+                </div>
+              </div>
+            ))}
+          </div>
+        ) : (
+          <div className="pm-empty">
+            <div className="pm-empty-icon">∅</div>
+            <div className="pm-empty-title">Keine Hooks gefunden</div>
+          </div>
+        )}
+      </section>
     </div>
-    <h2><Trans i18nKey="admin_plugins.installed"/></h2>
-    <ul>
-      {helpData.installedPlugins.map((plugin, i) => <li key={plugin+i}>{plugin}</li>)}
-    </ul>
-
-    <h2><Trans i18nKey="admin_plugins_info.parts"/></h2>
-    <ul>
-      {helpData.installedParts.map((part, i) => <li key={part+i}>{part}</li>)}
-    </ul>
-
-    <h2><Trans i18nKey="admin_plugins_info.hooks"/></h2>
-    {
-      renderHooks(helpData.installedServerHooks)
-    }
-
-    <h2>
-      <Trans i18nKey="admin_plugins_info.hooks_client"/>
-      {
-        renderHooks(helpData.installedClientHooks)
-      }
-    </h2>
-
-  </div>
+  )
 }
diff --git a/admin/src/pages/HomePage.tsx b/admin/src/pages/HomePage.tsx
index 244f3490571..307769352c7 100644
--- a/admin/src/pages/HomePage.tsx
+++ b/admin/src/pages/HomePage.tsx
@@ -3,269 +3,362 @@ import {useEffect, useMemo, useState} from "react";
 import {InstalledPlugin, PluginDef, SearchParams} from "./Plugin.ts";
 import {useDebounce} from "../utils/useDebounce.ts";
 import {Trans, useTranslation} from "react-i18next";
-import {SearchField} from "../components/SearchField.tsx";
-import {ArrowUpFromDot, Download, Trash} from "lucide-react";
+import {ArrowUpFromDot, Download, ExternalLink, Plug, RefreshCw, Search, Trash, X} from "lucide-react";
 import {IconButton} from "../components/IconButton.tsx";
-import {determineSorting} from "../utils/sorting.ts";
 
+const POPULAR_THRESHOLD = 10_000
+
+const fmtDownloads = (n: number): string => {
+  if (n >= 10_000) return `${Math.round(n / 1000)}k`
+  if (n >= 1_000) return `${(n / 1000).toFixed(1)}k`
+  return String(n)
+}
 
 export const HomePage = () => {
-    const pluginsSocket = useStore(state=>state.pluginsSocket)
-    const [plugins,setPlugins] = useState<PluginDef[]>([])
-  const installedPlugins = useStore(state=>state.installedPlugins)
-  const setInstalledPlugins = useStore(state=>state.setInstalledPlugins)
+  const pluginsSocket = useStore(state => state.pluginsSocket)
+  const [plugins, setPlugins] = useState<PluginDef[]>([])
+  const installedPlugins = useStore(state => state.installedPlugins)
+  const setInstalledPlugins = useStore(state => state.setInstalledPlugins)
   const [searchParams, setSearchParams] = useState<SearchParams>({
     offset: 0,
     limit: 99999,
-    sortBy: 'name',
-    sortDir: 'asc',
-    searchTerm: ''
+    sortBy: 'downloads',
+    sortDir: 'desc',
+    searchTerm: '',
   })
-
-  const filteredInstallablePlugins = useMemo(()=>{
-    return plugins.sort((a, b)=>{
-      if(searchParams.sortBy === "version"){
-        if(searchParams.sortDir === "asc"){
-          return a.version.localeCompare(b.version)
-        }
-        return b.version.localeCompare(a.version)
+  const [searchTerm, setSearchTerm] = useState<string>('')
+  const {t} = useTranslation()
+
+  const updatableCount = useMemo(
+    () => installedPlugins.filter(p => p.updatable).length,
+    [installedPlugins]
+  )
+
+  const sortedInstalledPlugins = useMemo(
+    () => [...installedPlugins].sort((a, b) => a.name.localeCompare(b.name)),
+    [installedPlugins]
+  )
+
+  const filteredInstallablePlugins = useMemo(() => {
+    return [...plugins].sort((a, b) => {
+      const dir = searchParams.sortDir === 'asc' ? 1 : -1
+      if (searchParams.sortBy === 'downloads') {
+        return ((b.downloads ?? 0) - (a.downloads ?? 0)) * (dir * -1)
       }
-
-      if(searchParams.sortBy === "last-updated"){
-        if(searchParams.sortDir === "asc"){
-          return a.time.localeCompare(b.time)
-        }
-        return b.time.localeCompare(a.time)
+      if (searchParams.sortBy === 'version') {
+        return a.version.localeCompare(b.version) * dir
       }
-
-
-      if (searchParams.sortBy === "name") {
-        if(searchParams.sortDir === "asc"){
-          return a.name.localeCompare(b.name)
-        }
-        return b.name.localeCompare(a.name)
+      if (searchParams.sortBy === 'last-updated') {
+        return a.time.localeCompare(b.time) * dir
       }
-      return 0
+      return a.name.localeCompare(b.name) * dir
     })
   }, [plugins, searchParams])
 
-    const sortedInstalledPlugins = useMemo(()=>{
-        return useStore.getState().installedPlugins.sort((a, b)=>{
-
-            if(a.name < b.name){
-                return -1
-            }
-            if(a.name > b.name){
-                return 1
-            }
-            return 0
-        })
-
-    } ,[installedPlugins, searchParams])
-
-    const [searchTerm, setSearchTerm] = useState<string>('')
-    const {t} = useTranslation()
-
-
-    useEffect(() => {
-        if(!pluginsSocket){
-            return
-        }
-
-        pluginsSocket.on('results:installed', (data:{
-            installed: InstalledPlugin[]
-        })=>{
-            setInstalledPlugins(data.installed)
-        })
-
-        pluginsSocket.on('results:updatable', (data) => {
-          const newInstalledPlugins = useStore.getState().installedPlugins.map(plugin => {
-            if (data.updatable.includes(plugin.name)) {
-              return {
-                ...plugin,
-                updatable: true
-              }
-            }
-            return plugin
-          })
-         setInstalledPlugins(newInstalledPlugins)
-        })
-
-        pluginsSocket.on('finished:install', () => {
-            pluginsSocket!.emit('getInstalled');
-        })
-
-        pluginsSocket.on('finished:uninstall', () => {
-            console.log("Finished uninstall")
-        })
-
-
-        // Reload on reconnect
-        pluginsSocket.on('connect', ()=>{
-            // Initial retrieval of installed plugins
-            pluginsSocket.emit('getInstalled');
-            pluginsSocket.emit('search', searchParams)
-        })
-
-        pluginsSocket.emit('getInstalled');
-
-        // check for updates every 5mins
-        const interval = setInterval(() => {
-            pluginsSocket.emit('checkUpdates');
-        }, 1000 * 60 * 5);
+  useEffect(() => {
+    if (!pluginsSocket) return
 
-        return ()=>{
-            clearInterval(interval)
-        }
-        }, [pluginsSocket]);
+    const onInstalled = (data: {installed: InstalledPlugin[]}) => {
+      setInstalledPlugins(data.installed)
+    }
+    const onUpdatable = (data: {updatable: string[]}) => {
+      const updated = useStore.getState().installedPlugins.map(plugin =>
+        data.updatable.includes(plugin.name) ? {...plugin, updatable: true} : plugin
+      )
+      setInstalledPlugins(updated)
+    }
+    const onFinishedInstall = () => {
+      pluginsSocket.emit('getInstalled')
+    }
+    const onFinishedUninstall = () => {
+      console.log('Finished uninstall')
+    }
+    const onConnect = () => {
+      pluginsSocket.emit('getInstalled')
+      pluginsSocket.emit('search', searchParams)
+    }
 
+    pluginsSocket.on('results:installed', onInstalled)
+    pluginsSocket.on('results:updatable', onUpdatable)
+    pluginsSocket.on('finished:install', onFinishedInstall)
+    pluginsSocket.on('finished:uninstall', onFinishedUninstall)
+    pluginsSocket.on('connect', onConnect)
+
+    pluginsSocket.emit('getInstalled')
+
+    const interval = setInterval(() => pluginsSocket.emit('checkUpdates'), 1000 * 60 * 5)
+    return () => {
+      clearInterval(interval)
+      pluginsSocket.off('results:installed', onInstalled)
+      pluginsSocket.off('results:updatable', onUpdatable)
+      pluginsSocket.off('finished:install', onFinishedInstall)
+      pluginsSocket.off('finished:uninstall', onFinishedUninstall)
+      pluginsSocket.off('connect', onConnect)
+    }
+  }, [pluginsSocket])
 
-    useEffect(() => {
-        if (!pluginsSocket) {
-            return
-        }
-        pluginsSocket?.emit('search', searchParams)
-        pluginsSocket!.on('results:search', (data: {
-            results: PluginDef[]
-        }) => {
-            setPlugins(data.results)
-        })
-        pluginsSocket!.on('results:searcherror', (data: {error: string}) => {
-            console.log(data.error)
-            useStore.getState().setToastState({
-                open: true,
-                title: "Error retrieving plugins",
-                success: false
-            })
-        })
-    }, [searchParams, pluginsSocket]);
+  useEffect(() => {
+    if (!pluginsSocket) return
 
-    const uninstallPlugin  = (pluginName: string)=>{
-        pluginsSocket!.emit('uninstall', pluginName);
-        // Remove plugin
-        setInstalledPlugins(installedPlugins.filter(i=>i.name !== pluginName))
+    const onSearchResults = (data: {results: PluginDef[]}) => {
+      setPlugins(data.results)
     }
-
-    const installPlugin = (pluginName: string)=>{
-        pluginsSocket!.emit('install', pluginName);
-        setPlugins(plugins.filter(plugin=>plugin.name !== pluginName))
+    const onSearchError = () => {
+      useStore.getState().setToastState({open: true, title: 'Error retrieving plugins', success: false})
     }
 
-    useDebounce(()=>{
-        setSearchParams({
-            ...searchParams,
-            offset: 0,
-            searchTerm: searchTerm
-        })
-    }, 500, [searchTerm])
+    pluginsSocket.emit('search', searchParams)
+    pluginsSocket.on('results:search', onSearchResults)
+    pluginsSocket.on('results:searcherror', onSearchError)
 
+    return () => {
+      pluginsSocket.off('results:search', onSearchResults)
+      pluginsSocket.off('results:searcherror', onSearchError)
+    }
+  }, [searchParams, pluginsSocket])
+
+  const uninstallPlugin = (pluginName: string) => {
+    pluginsSocket!.emit('uninstall', pluginName)
+    setInstalledPlugins(installedPlugins.filter(i => i.name !== pluginName))
+  }
+
+  const installPlugin = (pluginName: string) => {
+    pluginsSocket!.emit('install', pluginName)
+    setPlugins(plugins.filter(p => p.name !== pluginName))
+  }
+
+  useDebounce(() => {
+    setSearchParams({...searchParams, offset: 0, searchTerm})
+  }, 500, [searchTerm])
+
+  return (
+    <div className="pm-page">
+
+      {/* ── Page header ────────────────────────────────────────────────── */}
+      <div className="pm-header">
+        <div>
+          <div className="pm-crumbs">
+            Admin <span className="pm-crumbs-sep">›</span> Plugins
+          </div>
+          <h1 className="pm-title">{t('admin_plugins')}</h1>
+          <p className="pm-subtitle">
+            Installiere, aktualisiere und entferne Etherpad-Plugins.
+            Änderungen erfordern einen Server-Neustart.
+          </p>
+        </div>
+        <div className="pm-header-actions">
+          <button
+            className="pm-btn pm-btn-ghost"
+            onClick={() => pluginsSocket?.emit('search', searchParams)}
+          >
+            <RefreshCw size={14}/> Katalog neu laden
+          </button>
+          <a
+            className="pm-btn pm-btn-primary pm-btn-link"
+            href={`//www.npmjs.com/search?q=${encodeURIComponent(searchTerm ? `keywords:etherpad ${searchTerm}` : 'keywords:etherpad')}`}
+            target="_blank"
+            rel="noreferrer"
+          >
+            <ExternalLink size={14}/> Auf npm suchen
+          </a>
+        </div>
+      </div>
 
-    return <div>
-        <h1><Trans i18nKey="admin_plugins"/></h1>
-
-        <h2><Trans i18nKey="admin_plugins.installed"/></h2>
+      {/* ── Stats row ──────────────────────────────────────────────────── */}
+      <div className="pm-stats">
+        <div className="pm-stat pm-stat--primary">
+          <div className="pm-stat-label"><Trans i18nKey="admin_plugins.installed"/></div>
+          <div className="pm-stat-value">{installedPlugins.length}</div>
+          <div className="pm-stat-hint">Davon 1 Core</div>
+        </div>
+        <div className="pm-stat">
+          <div className="pm-stat-label"><Trans i18nKey="admin_plugins.available"/></div>
+          <div className="pm-stat-value">{plugins.length}</div>
+        </div>
+        <div className={`pm-stat${updatableCount > 0 ? ' pm-stat--warn' : ''}`}>
+          <div className="pm-stat-label">Updates verfügbar</div>
+          <div className="pm-stat-value">{updatableCount}</div>
+          {updatableCount > 0 && (
+            <button
+              className="pm-stat-action"
+              onClick={() => pluginsSocket?.emit('checkUpdates')}
+            >
+              Aktualisieren →
+            </button>
+          )}
+        </div>
+        <div className="pm-stat">
+          <div className="pm-stat-label">Plugin-Quelle</div>
+          <div className="pm-stat-value pm-stat-value--sm">npm</div>
+          <div className="pm-stat-hint">registry.npmjs.org</div>
+        </div>
+      </div>
 
-        <table id="installed-plugins">
-            <thead>
-            <tr>
-                <th><Trans i18nKey="admin_plugins.name"/></th>
-                <th><Trans i18nKey="admin_plugins.version"/></th>
-                <th><Trans i18nKey="ep_admin_pads:ep_adminpads2_action"/></th>
-            </tr>
-            </thead>
-            <tbody style={{overflow: 'auto'}}>
-            {sortedInstalledPlugins.map((plugin, index) => {
-                return <tr key={index}>
-                    <td><a rel="noopener noreferrer" href={`https://npmjs.com/${plugin.name}`} target="_blank">{plugin.name}</a></td>
-                    <td>{plugin.version}</td>
+      {/* ── Installed plugins ──────────────────────────────────────────── */}
+      <section className="pm-section">
+        <div className="pm-section-header">
+          <h2><Trans i18nKey="admin_plugins.installed"/></h2>
+          <span className="pm-count-badge">{installedPlugins.length}</span>
+          <div className="pm-spacer"/>
+          <button
+            className="pm-btn pm-btn-ghost"
+            onClick={() => pluginsSocket?.emit('checkUpdates')}
+          >
+            <RefreshCw size={14}/> Nach Updates suchen
+          </button>
+        </div>
+
+        <div className="pm-installed">
+          {sortedInstalledPlugins.map(plugin => (
+            <div key={plugin.name} className="pm-installed-row">
+              <div className="pm-installed-icon">
+                <Plug size={16}/>
+              </div>
+              <div className="pm-installed-main">
+                <div className="pm-installed-title">
+                  <span className="pm-mono">{plugin.name}</span>
+                  {plugin.name === 'ep_etherpad-lite' && (
+                    <span className="pm-tag pm-tag--core">Core</span>
+                  )}
+                  <span className="pm-tag pm-tag--ver">v{plugin.version}</span>
+                </div>
+                {plugin.description && (
+                  <div className="pm-installed-desc">{plugin.description}</div>
+                )}
+              </div>
+              <div className="pm-installed-actions">
+                {plugin.updatable ? (
+                  <IconButton
+                    onClick={() => installPlugin(plugin.name)}
+                    icon={<ArrowUpFromDot size={14}/>}
+                    title="Update"
+                  />
+                ) : (
+                  <IconButton
+                    disabled={plugin.name === 'ep_etherpad-lite'}
+                    icon={<Trash size={14}/>}
+                    title={<Trans i18nKey="admin_plugins.installed_uninstall.value"/>}
+                    onClick={() => uninstallPlugin(plugin.name)}
+                  />
+                )}
+              </div>
+            </div>
+          ))}
+        </div>
+      </section>
+
+      {/* ── Available plugins ──────────────────────────────────────────── */}
+      <section className="pm-section">
+        <div className="pm-section-header">
+          <h2><Trans i18nKey="admin_plugins.available"/></h2>
+          <span className="pm-count-badge">{filteredInstallablePlugins.length}</span>
+          <div className="pm-spacer"/>
+          <div className="pm-toolbar">
+            <div className="pm-search">
+              <Search size={14} className="pm-search-icon"/>
+              <input
+                className="pm-search-input"
+                value={searchTerm}
+                onChange={e => setSearchTerm(e.target.value)}
+                placeholder={t('admin_plugins.available_search.placeholder')}
+              />
+              {searchTerm && (
+                <button className="pm-search-clear" onClick={() => setSearchTerm('')}>
+                  <X size={12}/>
+                </button>
+              )}
+            </div>
+            <select
+              className="pm-select"
+              value={searchParams.sortBy}
+              onChange={e => {
+                const sortBy = e.target.value as SearchParams['sortBy']
+                setSearchParams({
+                  ...searchParams,
+                  sortBy,
+                  sortDir: sortBy === 'downloads' ? 'desc' : 'asc',
+                })
+              }}
+            >
+              <option value="downloads">Beliebteste</option>
+              <option value="name">Name (A–Z)</option>
+              <option value="version">Version</option>
+              <option value="last-updated">Zuletzt aktualisiert</option>
+            </select>
+          </div>
+        </div>
+
+        {filteredInstallablePlugins.length > 0 ? (
+          <div className="pm-table-wrap">
+            <table className="pm-table">
+              <thead>
+                <tr>
+                  <th><Trans i18nKey="admin_plugins.name"/></th>
+                  <th><Trans i18nKey="admin_plugins.description"/></th>
+                  <th style={{width: 62, textAlign: 'right'}}><Trans i18nKey="admin_plugins.version"/></th>
+                  <th style={{width: 96}}><Trans i18nKey="admin_plugins.last-update"/></th>
+                  <th style={{width: 68, textAlign: 'right'}}>Downloads</th>
+                  <th style={{width: 108, textAlign: 'right'}}></th>
+                </tr>
+              </thead>
+              <tbody>
+                {filteredInstallablePlugins.map(plugin => (
+                  <tr key={plugin.name}>
                     <td>
-                    {
-                        plugin.updatable ?
-                            <IconButton onClick={() => installPlugin(plugin.name)} icon={<ArrowUpFromDot/>} title="Update"></IconButton>
-                            : <IconButton disabled={plugin.name == "ep_etherpad-lite"} icon={<Trash/>} title={<Trans i18nKey="admin_plugins.installed_uninstall.value"/>} onClick={() => uninstallPlugin(plugin.name)}/>
-                    }
+                      <div className="pm-cell-name">
+                        <span className="pm-cell-icon"><Plug size={13}/></span>
+                        <div className="pm-cell-title">
+                          <span className="pm-mono">{plugin.name}</span>
+                          {(plugin.downloads ?? 0) >= POPULAR_THRESHOLD && (
+                            <span className="pm-tag pm-tag--popular">Beliebt</span>
+                          )}
+                        </div>
+                      </div>
                     </td>
-                        </tr>
-                    })}
-            </tbody>
-        </table>
-
-
-        <h2><Trans i18nKey="admin_plugins.available"/></h2>
-        <SearchField onChange={v=>{setSearchTerm(v.target.value)}} placeholder={t('admin_plugins.available_search.placeholder')} value={searchTerm}/>
-
-      <div className="table-container">
-        <table id="available-plugins">
-            <thead>
-            <tr>
-                <th className={determineSorting(searchParams.sortBy, searchParams.sortDir == "asc", 'name')} onClick={()=>{
-                  setSearchParams({
-                    ...searchParams,
-                    sortBy: 'name',
-                    sortDir: searchParams.sortDir === "asc"? "desc": "asc"
-                  })
-                }}>
-                  <Trans i18nKey="admin_plugins.name" /></th>
-                <th style={{width: '30%'}}><Trans i18nKey="admin_plugins.description"/></th>
-                <th className={determineSorting(searchParams.sortBy, searchParams.sortDir == "asc", 'version')} onClick={()=>{
-                  setSearchParams({
-                    ...searchParams,
-                    sortBy: 'version',
-                    sortDir: searchParams.sortDir === "asc"? "desc": "asc"
-                  })
-                }}><Trans i18nKey="admin_plugins.version"/></th>
-                <th className={determineSorting(searchParams.sortBy, searchParams.sortDir == "asc", 'last-updated')} onClick={()=>{
-                  setSearchParams({
-                    ...searchParams,
-                    sortBy: 'last-updated',
-                    sortDir: searchParams.sortDir === "asc"? "desc": "asc"
-                  })
-                }}><Trans i18nKey="admin_plugins.last-update"/></th>
-                <th><Trans i18nKey="ep_admin_pads:ep_adminpads2_action"/></th>
-            </tr>
-            </thead>
-            <tbody style={{overflow: 'auto'}}>
-            {(filteredInstallablePlugins.length > 0) ?
-              filteredInstallablePlugins.map((plugin) => {
-                        return <tr key={plugin.name}>
-                            <td><a rel="noopener noreferrer" href={`https://npmjs.com/${plugin.name}`} target="_blank">{plugin.name}</a></td>
-                            <td>
-                              {plugin.description}
-                              {plugin.disables && plugin.disables.length > 0 && (
-                                <div
-                                  className="plugin-disables"
-                                  role="alert"
-                                  title={t('admin_plugins.disables.warning_title')}
-                                  style={{
-                                    marginTop: '0.25rem',
-                                    padding: '0.2rem 0.5rem',
-                                    borderRadius: '4px',
-                                    fontSize: '0.85em',
-                                    background: 'rgba(180, 83, 9, 0.15)',
-                                    border: '1px solid rgba(180, 83, 9, 0.4)',
-                                    color: '#92400e',
-                                    display: 'inline-block',
-                                  }}
-                                >
-                                  <strong><Trans i18nKey="admin_plugins.disables.label"/></strong>{' '}
-                                  {plugin.disables
-                                      .map((tag) => tag.replace(/^@feature:/, ''))
-                                      .join(', ')}
-                                </div>
-                              )}
-                            </td>
-                            <td>{plugin.version}</td>
-                            <td>{plugin.time}</td>
-                            <td>
-                                <IconButton icon={<Download/>} onClick={() => installPlugin(plugin.name)} title={<Trans i18nKey="admin_plugins.available_install.value"/>}/>
-                            </td>
-                        </tr>
-                    })
-                :
-                <tr><td colSpan={5}>{searchTerm == '' ? <Trans i18nKey="pad.loading"/>: <Trans i18nKey="admin_plugins.available_not-found"/>}</td></tr>
-            }
-            </tbody>
-        </table>
-      </div>
+                    <td className="pm-cell-desc">
+                      {plugin.description}
+                      {plugin.disables && plugin.disables.length > 0 && (
+                        <div
+                          className="plugin-disables"
+                          role="alert"
+                          title={t('admin_plugins.disables.warning_title')}
+                        >
+                          <strong><Trans i18nKey="admin_plugins.disables.label"/></strong>{' '}
+                          {plugin.disables
+                            .map(tag => tag.replace(/^@feature:/, ''))
+                            .join(', ')}
+                        </div>
+                      )}
+                    </td>
+                    <td className="pm-num">{plugin.version}</td>
+                    <td className="pm-cell-date">{plugin.time}</td>
+                    <td className="pm-num">
+                      {plugin.downloads != null ? fmtDownloads(plugin.downloads) : '—'}
+                    </td>
+                    <td className="pm-cell-action">
+                      <button
+                        className="pm-btn pm-btn-primary pm-btn--sm"
+                        onClick={() => installPlugin(plugin.name)}
+                      >
+                        <Download size={13}/> <Trans i18nKey="admin_plugins.available_install.value"/>
+                      </button>
+                    </td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+          </div>
+        ) : (
+          <div className="pm-empty">
+            <div className="pm-empty-icon">∅</div>
+            <div className="pm-empty-title">
+              {searchTerm === ''
+                ? <Trans i18nKey="pad.loading"/>
+                : <Trans i18nKey="admin_plugins.available_not-found"/>}
+            </div>
+          </div>
+        )}
+      </section>
     </div>
+  )
 }
diff --git a/admin/src/pages/PadPage.tsx b/admin/src/pages/PadPage.tsx
index cedef1157f5..92509a584bc 100644
--- a/admin/src/pages/PadPage.tsx
+++ b/admin/src/pages/PadPage.tsx
@@ -3,282 +3,419 @@ import {useEffect, useMemo, useState} from "react";
 import {useStore} from "../store/store.ts";
 import {PadSearchQuery, PadSearchResult} from "../utils/PadSearch.ts";
 import {useDebounce} from "../utils/useDebounce.ts";
-import {determineSorting} from "../utils/sorting.ts";
 import * as Dialog from "@radix-ui/react-dialog";
-import {IconButton} from "../components/IconButton.tsx";
-import {ChevronLeft, ChevronRight, Eye, Trash2, FileStack, PlusIcon} from "lucide-react";
-import {SearchField} from "../components/SearchField.tsx";
+import {ChevronLeft, ChevronRight, Eye, Trash2, FileStack, PlusIcon, Search, X, RefreshCw, History} from "lucide-react";
 import {useForm} from "react-hook-form";
 
-type PadCreateProps = {
-  padName: string
+type PadCreateProps = { padName: string }
+type FilterId = 'all' | 'active' | 'recent' | 'empty' | 'stale'
+
+const PAD_FILTERS: {id: FilterId, label: string}[] = [
+  {id: 'all',    label: 'Alle'},
+  {id: 'active', label: 'Aktiv'},
+  {id: 'recent', label: 'Diese Woche'},
+  {id: 'empty',  label: 'Leer'},
+  {id: 'stale',  label: 'Veraltet (>1J)'},
+]
+
+const isRecent = (ts: number) => (Date.now() - ts) < 86_400_000 * 7
+const isStale  = (ts: number) => (Date.now() - ts) > 86_400_000 * 365
+
+function relativeTime(ts: number): string {
+  const d = (Date.now() - ts) / 1000
+  if (d < 60)        return 'gerade eben'
+  if (d < 3600)      return `vor ${Math.floor(d / 60)} Min`
+  if (d < 86400)     return `vor ${Math.floor(d / 3600)} Std`
+  if (d < 86400 * 7) return `vor ${Math.floor(d / 86400)} Tagen`
+  if (d < 86400 * 30) return `vor ${Math.floor(d / 86400 / 7)} Wo`
+  if (d < 86400 * 365) return `vor ${Math.floor(d / 86400 / 30)} Mon`
+  return `vor ${Math.floor(d / 86400 / 365)} J`
+}
+
+function fmtDate(ts: number): string {
+  const d = new Date(ts)
+  return (
+    d.toLocaleDateString('de-DE', {day: '2-digit', month: 'short', year: 'numeric'}) +
+    ' · ' +
+    d.toLocaleTimeString('de-DE', {hour: '2-digit', minute: '2-digit'})
+  )
 }
 
-export const PadPage = ()=>{
-  const settingsSocket = useStore(state=>state.settingsSocket)
+export const PadPage = () => {
+  const settingsSocket = useStore(state => state.settingsSocket)
   const [searchParams, setSearchParams] = useState<PadSearchQuery>({
-    offset: 0,
-    limit: 12,
-    pattern: '',
-    sortBy: 'padName',
-    ascending: true
+    offset: 0, limit: 12, pattern: '', sortBy: 'lastEdited', ascending: false,
   })
   const {t} = useTranslation()
-  const [searchTerm, setSearchTerm] = useState<string>('')
-  const pads = useStore(state=>state.pads)
-  const [currentPage, setCurrentPage] = useState<number>(0)
-  const [deleteDialog, setDeleteDialog] = useState<boolean>(false)
-  const [errorText, setErrorText] = useState<string|null>(null)
-  const [padToDelete, setPadToDelete] = useState<string>('')
-  const [createPadDialogOpen, setCreatePadDialogOpen] = useState<boolean>(false)
+  const [searchTerm, setSearchTerm] = useState('')
+  const [filter, setFilter] = useState<FilterId>('all')
+  const [selected, setSelected] = useState<Set<string>>(new Set())
+  const pads = useStore(state => state.pads)
+  const [currentPage, setCurrentPage] = useState(0)
+  const [deleteDialog, setDeleteDialog] = useState(false)
+  const [errorText, setErrorText] = useState<string | null>(null)
+  const [padToDelete, setPadToDelete] = useState('')
+  const [createPadDialogOpen, setCreatePadDialogOpen] = useState(false)
   const {register, handleSubmit} = useForm<PadCreateProps>()
-  const pages = useMemo(()=>{
-    if(!pads){
-      return 0;
-    }
 
-    return Math.ceil(pads!.total / searchParams.limit)
-  },[pads, searchParams.limit])
+  const pages = useMemo(
+    () => pads ? Math.ceil(pads.total / searchParams.limit) : 0,
+    [pads, searchParams.limit]
+  )
 
-  useDebounce(()=>{
-    setSearchParams({
-      ...searchParams,
-      pattern: searchTerm
-    })
+  const filteredResults = useMemo(() => {
+    const r = pads?.results ?? []
+    if (filter === 'active') return r.filter(p => p.userCount > 0)
+    if (filter === 'recent') return r.filter(p => isRecent(p.lastEdited))
+    if (filter === 'empty')  return r.filter(p => p.revisionNumber === 0)
+    if (filter === 'stale')  return r.filter(p => isStale(p.lastEdited))
+    return r
+  }, [pads, filter])
+
+  const totalUsers  = useMemo(() => (pads?.results ?? []).reduce((s, p) => s + p.userCount, 0), [pads])
+  const activeCount = useMemo(() => (pads?.results ?? []).filter(p => p.userCount > 0).length, [pads])
+  const emptyCount  = useMemo(() => (pads?.results ?? []).filter(p => p.revisionNumber === 0).length, [pads])
+  const lastActivity = useMemo(() => {
+    const r = pads?.results ?? []
+    return r.length ? Math.max(...r.map(p => p.lastEdited)) : null
+  }, [pads])
+
+  const allSelected = filteredResults.length > 0 && filteredResults.every(p => selected.has(p.padName))
+  const toggleAll = () => {
+    const s = new Set(selected)
+    if (allSelected) filteredResults.forEach(p => s.delete(p.padName))
+    else filteredResults.forEach(p => s.add(p.padName))
+    setSelected(s)
+  }
+  const toggleOne = (name: string) => {
+    const s = new Set(selected)
+    s.has(name) ? s.delete(name) : s.add(name)
+    setSelected(s)
+  }
 
+  useDebounce(() => {
+    setSearchParams({...searchParams, pattern: searchTerm})
   }, 500, [searchTerm])
 
   useEffect(() => {
-    if(!settingsSocket){
-      return
-    }
-
+    if (!settingsSocket) return
     settingsSocket.emit('padLoad', searchParams)
-
-  }, [settingsSocket, searchParams]);
+  }, [settingsSocket, searchParams])
 
   useEffect(() => {
-    if(!settingsSocket){
-      return
-    }
+    if (!settingsSocket) return
 
-    settingsSocket.on('results:padLoad', (data: PadSearchResult)=>{
-      useStore.getState().setPads(data);
+    settingsSocket.on('results:padLoad', (data: PadSearchResult) => {
+      useStore.getState().setPads(data)
     })
 
+    settingsSocket.on('results:deletePad', (padID: string) => {
+      const newPads = useStore.getState().pads?.results?.filter(p => p.padName !== padID)
+      useStore.getState().setPads({total: useStore.getState().pads!.total - 1, results: newPads})
+    })
 
-    settingsSocket.on('results:deletePad', (padID: string)=>{
-      const newPads = useStore.getState().pads?.results?.filter((pad)=>{
-        return pad.padName !== padID
-      })
-      useStore.getState().setPads({
-        total: useStore.getState().pads!.total-1,
-        results: newPads
-      })
+    type CreateResponse = {error: string} | {success: string}
+    settingsSocket.on('results:createPad', (rep: CreateResponse) => {
+      if ('error' in rep) {
+        useStore.getState().setToastState({open: true, title: rep.error, success: false})
+      } else {
+        useStore.getState().setToastState({open: true, title: rep.success, success: true})
+        setCreatePadDialogOpen(false)
+        settingsSocket.emit('padLoad', searchParams)
+      }
     })
 
-   type SettingsSocketCreateReponse = {
-     error: string
-   } | {
-    success: string
-   }
+    settingsSocket.on('results:cleanupPadRevisions', (data) => {
+      const newPads = useStore.getState().pads?.results ?? []
+      if (data.error) { setErrorText(data.error); return }
+      newPads.forEach(p => { if (p.padName === data.padId) p.revisionNumber = data.keepRevisions })
+      useStore.getState().setPads({results: newPads, total: useStore.getState().pads!.total})
+    })
+  }, [settingsSocket, pads])
 
-   settingsSocket.on('results:createPad', (rep: SettingsSocketCreateReponse)=>{
-    if ('error' in rep) {
-     useStore.getState().setToastState({
-      open: true,
-      title: rep.error,
-      success: false
-     })
-    } else {
-     useStore.getState().setToastState({
-      open: true,
-      title: rep.success,
-      success: true
-     })
-     setCreatePadDialogOpen(false)
-     // reload pads
-     settingsSocket.emit('padLoad', searchParams)
-    }
-   })
+  const deletePad  = (id: string) => settingsSocket?.emit('deletePad', id)
+  const cleanupPad = (id: string) => settingsSocket?.emit('cleanupPadRevisions', id)
+  const onPadCreate = (data: PadCreateProps) => settingsSocket?.emit('createPad', {padName: data.padName})
 
-    settingsSocket.on('results:cleanupPadRevisions', (data)=>{
-     const newPads = useStore.getState().pads?.results ?? []
+  return (
+    <div className="pm-page">
 
-     if (data.error) {
-      setErrorText(data.error)
-      return
-     }
+      {/* ── Dialogs ── */}
+      <Dialog.Root open={deleteDialog}>
+        <Dialog.Portal>
+          <Dialog.Overlay className="dialog-confirm-overlay"/>
+          <Dialog.Content className="dialog-confirm-content">
+            <div>{t('ep_admin_pads:ep_adminpads2_confirm', {padID: padToDelete})}</div>
+            <div className="settings-button-bar">
+              <button onClick={() => setDeleteDialog(false)}>Abbrechen</button>
+              <button onClick={() => { deletePad(padToDelete); setDeleteDialog(false) }}>OK</button>
+            </div>
+          </Dialog.Content>
+        </Dialog.Portal>
+      </Dialog.Root>
 
-     newPads.forEach((pad)=>{
-      if (pad.padName === data.padId) {
-       pad.revisionNumber = data.keepRevisions
-      }
-     })
+      <Dialog.Root open={errorText !== null}>
+        <Dialog.Portal>
+          <Dialog.Overlay className="dialog-confirm-overlay"/>
+          <Dialog.Content className="dialog-confirm-content">
+            <div>Fehler: {errorText}</div>
+            <div className="settings-button-bar">
+              <button onClick={() => setErrorText(null)}>OK</button>
+            </div>
+          </Dialog.Content>
+        </Dialog.Portal>
+      </Dialog.Root>
 
-     useStore.getState().setPads({
-      results: newPads,
-      total: useStore.getState().pads!.total
-     })
-    })
-  }, [settingsSocket, pads]);
+      <Dialog.Root open={createPadDialogOpen}>
+        <Dialog.Portal>
+          <Dialog.Overlay className="dialog-confirm-overlay"/>
+          <Dialog.Content className="dialog-confirm-content">
+            <Dialog.Title className="dialog-confirm-title"><Trans i18nKey="index.newPad"/></Dialog.Title>
+            <form onSubmit={handleSubmit(onPadCreate)}>
+              <button className="dialog-close-button" type="button" onClick={() => setCreatePadDialogOpen(false)}>×</button>
+              <div style={{display: 'grid', gap: '10px', gridTemplateColumns: 'auto auto', marginBottom: '1rem'}}>
+                <label><Trans i18nKey="ep_admin_pads:ep_adminpads2_padname"/></label>
+                <input {...register('padName', {required: true})}/>
+              </div>
+              <input type="submit" value={t('admin_settings.createPad')} className="login-button"/>
+            </form>
+          </Dialog.Content>
+        </Dialog.Portal>
+      </Dialog.Root>
 
-  const deletePad = (padID: string)=>{
-    settingsSocket?.emit('deletePad', padID)
-  }
+      {/* ── Page header ── */}
+      <div className="pm-header">
+        <div>
+          <div className="pm-crumbs">Admin <span className="pm-crumbs-sep">›</span> Pads</div>
+          <h1 className="pm-title"><Trans i18nKey="ep_admin_pads:ep_adminpads2_manage-pads"/></h1>
+          <p className="pm-subtitle">Übersicht aller Pads dieser Etherpad-Instanz. Suchen, aufräumen, öffnen.</p>
+        </div>
+        <div className="pm-header-actions">
+          <button className="pm-btn pm-btn-ghost" onClick={() => settingsSocket?.emit('padLoad', searchParams)}>
+            <RefreshCw size={14}/> Aktualisieren
+          </button>
+          <button className="pm-btn pm-btn-primary" onClick={() => setCreatePadDialogOpen(true)}>
+            <PlusIcon size={14}/> <Trans i18nKey="index.newPad"/>
+          </button>
+        </div>
+      </div>
 
-  const cleanupPad = (padID: string)=>{
-    settingsSocket?.emit('cleanupPadRevisions', padID)
-  }
+      {/* ── Stats ── */}
+      <div className="pm-stats">
+        <div className="pm-stat pm-stat--primary">
+          <div className="pm-stat-label">Pads gesamt</div>
+          <div className="pm-stat-value">{pads?.total ?? '—'}</div>
+          <div className="pm-stat-hint">{activeCount > 0 ? `${activeCount} gerade aktiv` : 'Keine aktiven Nutzer'}</div>
+        </div>
+        <div className="pm-stat">
+          <div className="pm-stat-label">Aktive Nutzer</div>
+          <div className="pm-stat-value">{totalUsers}</div>
+          <div className="pm-stat-hint">über alle Pads hinweg</div>
+        </div>
+        <div className={`pm-stat${emptyCount > 0 ? ' pm-stat--warn' : ''}`}>
+          <div className="pm-stat-label">Leere Pads</div>
+          <div className="pm-stat-value">{emptyCount}</div>
+          <div className="pm-stat-hint">0 Revisionen</div>
+          {emptyCount > 0 && (
+            <button className="pm-stat-action" onClick={() => setFilter('empty')}>Anzeigen →</button>
+          )}
+        </div>
+        <div className="pm-stat">
+          <div className="pm-stat-label">Letzte Aktivität</div>
+          <div className="pm-stat-value pm-stat-value--sm">
+            {lastActivity ? relativeTime(lastActivity) : '—'}
+          </div>
+          <div className="pm-stat-hint">{pads?.results?.[0]?.padName ?? ''}</div>
+        </div>
+      </div>
 
-  const onPadCreate = (data: PadCreateProps)=>{
-   settingsSocket?.emit('createPad', {
-    padName: data.padName
-   })
-  }
+      {/* ── Pads section ── */}
+      <section className="pm-section">
+        <div className="pm-section-header">
+          <h2>Alle Pads</h2>
+          <span className="pm-count-badge">{filteredResults.length}</span>
+          <div className="pm-spacer"/>
+          <div className="pm-toolbar">
+            <div className="pm-search">
+              <Search size={14} className="pm-search-icon"/>
+              <input
+                className="pm-search-input"
+                value={searchTerm}
+                onChange={e => setSearchTerm(e.target.value)}
+                placeholder={t('ep_admin_pads:ep_adminpads2_search-heading')}
+              />
+              {searchTerm && (
+                <button className="pm-search-clear" onClick={() => setSearchTerm('')}><X size={12}/></button>
+              )}
+            </div>
+            <select
+              className="pm-select"
+              value={searchParams.sortBy}
+              onChange={e => setSearchParams({
+                ...searchParams,
+                sortBy: e.target.value,
+                ascending: e.target.value === 'padName',
+              })}
+            >
+              <option value="lastEdited">Zuletzt bearbeitet</option>
+              <option value="padName">Name (A–Z)</option>
+              <option value="userCount">Nutzer</option>
+              <option value="revisionNumber">Revisionen</option>
+            </select>
+          </div>
+        </div>
 
+        {/* Filter chips */}
+        <div className="pm-chips">
+          {PAD_FILTERS.map(f => (
+            <button key={f.id} className={`pm-chip${filter === f.id ? ' is-on' : ''}`} onClick={() => setFilter(f.id)}>
+              {f.label}
+            </button>
+          ))}
+        </div>
 
-  return <div>
-    <Dialog.Root open={deleteDialog}><Dialog.Portal>
-      <Dialog.Overlay className="dialog-confirm-overlay" />
-      <Dialog.Content  className="dialog-confirm-content">
-        <div className="">
-          <div className=""></div>
-          <div className="">
-            {t("ep_admin_pads:ep_adminpads2_confirm", {
-            padID: padToDelete,
-            })}
+        {/* Bulk bar */}
+        {selected.size > 0 && (
+          <div className="pm-bulk">
+            <span className="pm-bulk-count">{selected.size} ausgewählt</span>
+            <div className="pm-spacer"/>
+            <button className="pm-btn pm-btn-ghost" onClick={() => {
+              selected.forEach(name => cleanupPad(name))
+              setSelected(new Set())
+            }}>
+              <History size={14}/> Historie aufräumen
+            </button>
+            <button className="pm-btn pm-btn-danger" onClick={() => {
+              selected.forEach(name => deletePad(name))
+              setSelected(new Set())
+            }}>
+              <Trash2 size={14}/> Löschen
+            </button>
+            <button className="pm-btn pm-btn-icon" onClick={() => setSelected(new Set())} title="Auswahl aufheben">
+              <X size={14}/>
+            </button>
           </div>
-          <div className="settings-button-bar">
-            <button onClick={()=>{
-              setDeleteDialog(false)
-            }}>Cancel</button>
-            <button onClick={()=>{
-              deletePad(padToDelete)
-              setDeleteDialog(false)
-            }}>Ok</button>
+        )}
+
+        {filteredResults.length > 0 ? (
+          <div className="pm-table-wrap">
+            <table>
+              <thead>
+                <tr>
+                  <th style={{width: 40}}>
+                    <label className="pm-check">
+                      <input type="checkbox" checked={allSelected} onChange={toggleAll}/>
+                    </label>
+                  </th>
+                  <th>Pad</th>
+                  <th style={{width: 100, textAlign: 'center'}}>Nutzer</th>
+                  <th style={{width: 110, textAlign: 'right'}}>Revisionen</th>
+                  <th style={{width: 210}}>Zuletzt bearbeitet</th>
+                  <th style={{width: 170, textAlign: 'right'}}>Aktion</th>
+                </tr>
+              </thead>
+              <tbody>
+                {filteredResults.map(pad => {
+                  const isEmpty = pad.revisionNumber === 0
+                  const isSel = selected.has(pad.padName)
+                  return (
+                    <tr key={pad.padName} className={`${isSel ? 'is-sel' : ''} ${isEmpty ? 'is-empty' : ''}`}>
+                      <td>
+                        <label className="pm-check">
+                          <input type="checkbox" checked={isSel} onChange={() => toggleOne(pad.padName)}/>
+                        </label>
+                      </td>
+                      <td>
+                        <div className="pm-pad-name">
+                          <span className="pm-pad-mark" data-empty={isEmpty || undefined}>
+                            <FileStack size={13}/>
+                          </span>
+                          <div>
+                            <div className="pm-pad-title">{pad.padName}</div>
+                            <div className="pm-pad-sub">
+                              {isEmpty ? 'leer · noch nie bearbeitet' : `${pad.revisionNumber} Revisionen`}
+                            </div>
+                          </div>
+                        </div>
+                      </td>
+                      <td style={{textAlign: 'center'}}>
+                        {pad.userCount > 0 ? (
+                          <span className="pm-users-pill"><span className="pm-users-dot"/> {pad.userCount}</span>
+                        ) : (
+                          <span className="pm-users-pill is-muted">0</span>
+                        )}
+                      </td>
+                      <td className="pm-num">{pad.revisionNumber.toLocaleString('de-DE')}</td>
+                      <td>
+                        <div className="pm-time">
+                          <span className="pm-time-rel">{relativeTime(pad.lastEdited)}</span>
+                          <span className="pm-time-abs">{fmtDate(pad.lastEdited)}</span>
+                        </div>
+                      </td>
+                      <td className="pm-cell-action">
+                        <div className="pm-row-actions">
+                          <button
+                            className="pm-btn-icon"
+                            title={t('ep_admin_pads:ep_adminpads2_cleanup')}
+                            onClick={() => cleanupPad(pad.padName)}
+                          >
+                            <History size={14}/>
+                          </button>
+                          <button
+                            className="pm-btn-icon pm-btn-icon--danger"
+                            title={t('ep_admin_pads:ep_adminpads2_delete.value')}
+                            onClick={() => { setPadToDelete(pad.padName); setDeleteDialog(true) }}
+                          >
+                            <Trash2 size={14}/>
+                          </button>
+                          <button
+                            className="pm-btn pm-btn-primary pm-btn--sm"
+                            onClick={() => window.open(`../../p/${pad.padName}`, '_blank')}
+                          >
+                            <Eye size={13}/> Öffnen
+                          </button>
+                        </div>
+                      </td>
+                    </tr>
+                  )
+                })}
+              </tbody>
+            </table>
           </div>
+        ) : (
+          <div className="pm-empty">
+            <div className="pm-empty-icon">∅</div>
+            <div className="pm-empty-title">Keine Pads gefunden</div>
+          </div>
+        )}
+
+        {/* Pagination */}
+        <div className="pm-pagination">
+          <button
+            className="pm-btn pm-btn-ghost"
+            disabled={currentPage === 0}
+            onClick={() => {
+              const p = currentPage - 1
+              setCurrentPage(p)
+              setSearchParams({...searchParams, offset: p * searchParams.limit})
+            }}
+          >
+            <ChevronLeft size={14}/> Zurück
+          </button>
+          <span className="pm-pagination-info">{currentPage + 1} / {pages || 1}</span>
+          <button
+            className="pm-btn pm-btn-ghost"
+            disabled={pages === 0 || pages === currentPage + 1}
+            onClick={() => {
+              const p = currentPage + 1
+              setCurrentPage(p)
+              setSearchParams({...searchParams, offset: p * searchParams.limit})
+            }}
+          >
+            Weiter <ChevronRight size={14}/>
+          </button>
         </div>
-      </Dialog.Content>
-    </Dialog.Portal>
-    </Dialog.Root>
-    <Dialog.Root open={errorText !== null}>
-     <Dialog.Portal>
-      <Dialog.Overlay className="dialog-confirm-overlay"/>
-      <Dialog.Content className="dialog-confirm-content">
-       <div>
-        <div>Error occured: {errorText}</div>
-        <div className="settings-button-bar">
-         <button onClick={() => {
-          setErrorText(null)
-         }}>OK</button>
-        </div>
-       </div>
-      </Dialog.Content>
-     </Dialog.Portal>
-    </Dialog.Root>
-   <Dialog.Root open={createPadDialogOpen}>
-    <Dialog.Portal>
-    <Dialog.Overlay className="dialog-confirm-overlay" />
-    <Dialog.Content  className="dialog-confirm-content">
-     <Dialog.Title className="dialog-confirm-title"><Trans i18nKey="index.newPad"/></Dialog.Title>
-     <form  onSubmit={handleSubmit(onPadCreate)}>
-      <button className="dialog-close-button" onClick={()=>{
-       setCreatePadDialogOpen(false);
-      }}>x</button>
-       <div style={{display: 'grid', gap: '10px', gridTemplateColumns: 'auto auto', marginBottom: '1rem'}}>
-        <label><Trans i18nKey="ep_admin_pads:ep_adminpads2_padname"/></label>
-        <input {...register('padName', {
-         required: true
-        })}/>
-       </div>
-      <input type="submit" value={t('admin_settings.createPad')} className="login-button" />
-     </form>
-    </Dialog.Content>
-   </Dialog.Portal>
-   </Dialog.Root>
-   <span className="manage-pads-header">
-        <h1><Trans i18nKey="ep_admin_pads:ep_adminpads2_manage-pads"/></h1>
-    <span style={{width: '29px', marginBottom: 'auto', marginTop: 'auto', flexGrow: 1}}><IconButton style={{float: 'right'}} icon={<PlusIcon/>} title={<Trans i18nKey="index.newPad"/>} onClick={()=>{
-     setCreatePadDialogOpen(true)
-    }}/></span>
-   </span>
-    <SearchField value={searchTerm} onChange={v=>setSearchTerm(v.target.value)} placeholder={t('ep_admin_pads:ep_adminpads2_search-heading')}/>
-    <table>
-      <thead>
-      <tr className="search-pads">
-        <th className={determineSorting(searchParams.sortBy, searchParams.ascending, 'padName')} onClick={()=>{
-          setSearchParams({
-            ...searchParams,
-            sortBy: 'padName',
-            ascending: !searchParams.ascending
-          })
-        }}><Trans i18nKey="ep_admin_pads:ep_adminpads2_padname"/></th>
-        <th className={determineSorting(searchParams.sortBy, searchParams.ascending, 'userCount')} onClick={()=>{
-          setSearchParams({
-            ...searchParams,
-            sortBy: 'userCount',
-            ascending: !searchParams.ascending
-          })
-        }}><Trans i18nKey="ep_admin_pads:ep_adminpads2_pad-user-count"/></th>
-        <th className={determineSorting(searchParams.sortBy, searchParams.ascending, 'lastEdited')} onClick={()=>{
-          setSearchParams({
-            ...searchParams,
-            sortBy: 'lastEdited',
-            ascending: !searchParams.ascending
-          })
-        }}><Trans i18nKey="ep_admin_pads:ep_adminpads2_last-edited"/></th>
-        <th className={determineSorting(searchParams.sortBy, searchParams.ascending, 'revisionNumber')} onClick={()=>{
-          setSearchParams({
-            ...searchParams,
-            sortBy: 'revisionNumber',
-            ascending: !searchParams.ascending
-          })
-        }}>Revision number</th>
-        <th><Trans i18nKey="ep_admin_pads:ep_adminpads2_action"/></th>
-      </tr>
-      </thead>
-      <tbody className="search-pads-body">
-      {
-        pads?.results?.map((pad)=>{
-          return <tr key={pad.padName}>
-            <td style={{textAlign: 'center'}}>{pad.padName}</td>
-            <td style={{textAlign: 'center'}}>{pad.userCount}</td>
-            <td style={{textAlign: 'center'}}>{new Date(pad.lastEdited).toLocaleString()}</td>
-            <td style={{textAlign: 'center'}}>{pad.revisionNumber}</td>
-            <td>
-              <div className="settings-button-bar">
-                <IconButton icon={<Trash2/>} title={<Trans i18nKey="ep_admin_pads:ep_adminpads2_delete.value"/>} onClick={()=>{
-                  setPadToDelete(pad.padName)
-                  setDeleteDialog(true)
-                }}/>
-                <IconButton icon={<FileStack/>} title={<Trans i18nKey="ep_admin_pads:ep_adminpads2_cleanup"/>} onClick={()=>{
-                 cleanupPad(pad.padName)
-                }}/>
-                <IconButton icon={<Eye/>} title={<Trans i18nKey="index.createOpenPad"/>} onClick={()=>window.open(`../../p/${pad.padName}`, '_blank')}/>
-              </div>
-            </td>
-          </tr>
-        })
-      }
-      </tbody>
-    </table>
-    <div className="settings-button-bar pad-pagination">
-      <button disabled={currentPage == 0} onClick={()=>{
-        setCurrentPage(currentPage-1)
-          setSearchParams({
-            ...searchParams,
-            offset: (Number(currentPage)-1)*searchParams.limit})
-      }}><ChevronLeft/><span>Previous Page</span></button>
-      <span>{currentPage+1} out of {pages}</span>
-      <button disabled={pages == 0 || pages == currentPage+1} onClick={()=>{
-       const newCurrentPage = currentPage+1
-        setCurrentPage(newCurrentPage)
-        setSearchParams({
-          ...searchParams,
-          offset: (Number(newCurrentPage))*searchParams.limit
-        })
-      }}><span>Next Page</span><ChevronRight/></button>
+      </section>
     </div>
-  </div>
+  )
 }
diff --git a/admin/src/pages/Plugin.ts b/admin/src/pages/Plugin.ts
index 72c768c5307..e33f4ec495d 100644
--- a/admin/src/pages/Plugin.ts
+++ b/admin/src/pages/Plugin.ts
@@ -4,6 +4,7 @@ export type PluginDef = {
   version: string,
   time: string,
   official: boolean,
+  downloads?: number,
   /**
    * `@feature:*` Playwright tags for core specs the plugin intentionally
    * disables. See doc/PLUGIN_FEATURE_DISABLES.md. May be undefined for
@@ -17,7 +18,8 @@ export type InstalledPlugin = {
   name: string,
   path: string,
   realPath: string,
-  version:string,
+  version: string,
+  description?: string,
   updatable?: boolean
 }
 
@@ -26,7 +28,7 @@ export type SearchParams = {
   searchTerm: string,
   offset: number,
   limit: number,
-  sortBy: 'name'|'version'|'last-updated',
+  sortBy: 'name'|'version'|'last-updated'|'downloads',
   sortDir: 'asc'|'desc'
 }
 
diff --git a/src/tests/frontend-new/admin-spec/admintroubleshooting.spec.ts b/src/tests/frontend-new/admin-spec/admintroubleshooting.spec.ts
index 57518e3fe1d..e5d56bdd25e 100644
--- a/src/tests/frontend-new/admin-spec/admintroubleshooting.spec.ts
+++ b/src/tests/frontend-new/admin-spec/admintroubleshooting.spec.ts
@@ -15,30 +15,27 @@ test('Shows troubleshooting page manager', async ({page}) => {
   await page.waitForSelector('.menu')
   const menu =  page.locator('.menu');
   // Sidebar nav: plugins, settings, help, pads, shout, update.
-  await expect(menu.locator('li')).toHaveCount(6);
+  await expect(menu.locator('.sidebar-nav-item')).toHaveCount(6);
 })
 
 test('Shows a version number', async function ({page}) {
   await page.goto('http://localhost:9001/admin/help')
-  await page.waitForSelector('.menu')
-  const helper = page.locator('.help-block').locator('div').nth(1)
-  const version = (await helper.textContent())!.split('.');
+  await page.waitForSelector('.pm-hv-num')
+  const version = (await page.locator('.pm-hv-num').textContent())!.split('.');
   expect(version.length).toBe(3)
 });
 
 test('Lists installed parts', async function ({page}) {
   await page.goto('http://localhost:9001/admin/help')
-  await page.waitForSelector('.menu')
-  await page.waitForSelector('.innerwrapper ul')
-  const parts = page.locator('.innerwrapper ul').nth(1);
+  await page.waitForSelector('.pm-tag-cloud')
+  // First tag cloud = installed plugins, second = installed parts
+  const parts = page.locator('.pm-tag-cloud').nth(1);
   expect(await parts.textContent()).toContain('ep_etherpad-lite/adminsettings');
 });
 
 test('Lists installed hooks', async function ({page}) {
   await page.goto('http://localhost:9001/admin/help')
-  await page.waitForSelector('.menu')
-  await page.waitForSelector('.innerwrapper ul')
-  const helper = page.locator('.innerwrapper ul').nth(2);
-  expect(await helper.textContent()).toContain('express');
+  await page.waitForSelector('.pm-hooks')
+  const hooks = page.locator('.pm-hooks');
+  expect(await hooks.textContent()).toContain('express');
 });
-
diff --git a/src/tests/frontend-new/admin-spec/adminupdateplugins.spec.ts b/src/tests/frontend-new/admin-spec/adminupdateplugins.spec.ts
index b426fc6f661..9056dc4f22d 100644
--- a/src/tests/frontend-new/admin-spec/adminupdateplugins.spec.ts
+++ b/src/tests/frontend-new/admin-spec/adminupdateplugins.spec.ts
@@ -15,30 +15,31 @@ test.beforeEach(async ({ page })=>{
 test.describe('Plugins page',  ()=> {
 
     test('List some plugins', async ({page}) => {
-        await page.waitForSelector('.search-field');
-        const pluginTable =  page.locator('table tbody').nth(1);
+        await page.waitForSelector('.pm-search-input');
+        // Installed plugins are now a flex list; available plugins are in the sole <table>
+        const pluginTable = page.locator('table tbody').first();
         await expect(pluginTable).not.toBeEmpty()
     })
 
     test('Searches for a plugin', async ({page}) => {
-        await page.waitForSelector('.search-field');
-        await page.click('.search-field')
+        await page.waitForSelector('.pm-search-input');
+        await page.click('.pm-search-input')
         await page.keyboard.type('ep_set_title_on_pad')
-        const pluginTable =  page.locator('table tbody').nth(1);
+        const pluginTable = page.locator('table tbody').first();
         await expect(pluginTable.locator('tr').first()).toContainText('ep_set_title_on_pad', {timeout: 60000})
     })
 
 
     test('Attempt to Install and Uninstall a plugin', async ({page}) => {
-        await page.waitForSelector('.search-field');
-        const pluginTable =  page.locator('table tbody').nth(1);
+        await page.waitForSelector('.pm-search-input');
+        const pluginTable = page.locator('table tbody').first();
         await expect(pluginTable).not.toBeEmpty({
             timeout: 15000
         })
 
         // Now everything is loaded, lets install a plugin
 
-        await page.click('.search-field')
+        await page.click('.pm-search-input')
         await page.keyboard.type('ep_set_title_on_pad')
         await page.keyboard.press('Enter')
 
@@ -46,23 +47,19 @@ test.describe('Plugins page',  ()=> {
         const pluginRow = pluginTable.locator('tr').first()
         await expect(pluginRow).toContainText('ep_set_title_on_pad', {timeout: 60000})
 
-        // Select Installation button
-        await pluginRow.locator('td').nth(4).locator('button').first().click()
-        await page.waitForSelector('table tbody')
+        // Install button is in the last table cell
+        await pluginRow.locator('td').last().locator('button').first().click()
+        await page.waitForSelector('.pm-installed')
 
-        // The installed-plugins table can grow by more than one row if the
-        // installed plugin pulls in transitive plugin deps (e.g.
-        // ep_set_title_on_pad depends on ep_plugin_helpers as of 0.7.2), so
-        // assert by name rather than by row count.
-        const installedPlugins = page.locator('table tbody').first()
-        const installedPluginRow = installedPlugins.locator('tr', {hasText: 'ep_set_title_on_pad'})
+        // Installed plugins are now in .pm-installed-row flex items (not a table).
+        // Assert by name rather than by row count — transitive deps may also appear.
+        const installedPluginRow = page.locator('.pm-installed-row', {hasText: 'ep_set_title_on_pad'})
         await expect(installedPluginRow).toHaveCount(1, {timeout: 15000})
 
-        await installedPluginRow.locator('td').nth(2).locator('button').first().click()
+        // Uninstall button is inside .pm-installed-actions
+        await installedPluginRow.locator('.pm-installed-actions button').first().click()
 
-        // Wait for the uninstallation to complete: the row for
-        // ep_set_title_on_pad should disappear. Other installed plugins
-        // (etherpad-lite itself, transitive plugin deps) may stay.
+        // Wait for the uninstallation to complete: the row should disappear.
         await expect(installedPluginRow).toHaveCount(0, {timeout: 15000})
         await page.waitForTimeout(5000)
     })

From 49466a2870b2da850dbb835e980a81f2f16a8f4c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sun, 10 May 2026 20:38:58 +0200
Subject: [PATCH 24/25] build(deps): bump undici from 7.25.0 to 8.2.0 (#7701)

Bumps [undici](https://github.com/nodejs/undici) from 7.25.0 to 8.2.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v7.25.0...v8.2.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 8.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 pnpm-lock.yaml   | 10 ++++++++--
 src/package.json |  2 +-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index d8dff4f8f77..145e67c6129 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -356,8 +356,8 @@ importers:
         specifier: 1.13.8
         version: 1.13.8
       undici:
-        specifier: ^7.16.0
-        version: 7.25.0
+        specifier: ^8.2.0
+        version: 8.2.0
       unorm:
         specifier: 1.6.0
         version: 1.6.0
@@ -5696,6 +5696,10 @@ packages:
     resolution: {integrity: sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==}
     engines: {node: '>=20.18.1'}
 
+  undici@8.2.0:
+    resolution: {integrity: sha512-Z+4Hx9GE26Lh9Upwfnc8C7SsrpBPGaM/Gm6kMFtiG7c+5IvQKlXi/t+9x9DrrCh29cww5TSP9YdVaBcnLDs5fQ==}
+    engines: {node: '>=22.19.0'}
+
   unicode-properties@1.4.1:
     resolution: {integrity: sha512-CLjCCLQ6UuMxWnbIylkisbRj31qxHPAurvena/0iwSVbQ2G1VY5/HjV0IRabOEbDHlzZlRdCrD4NhB0JtU40Pg==}
 
@@ -11638,6 +11642,8 @@ snapshots:
 
   undici@7.25.0: {}
 
+  undici@8.2.0: {}
+
   unicode-properties@1.4.1:
     dependencies:
       base64-js: 1.5.1
diff --git a/src/package.json b/src/package.json
index aa345d391a3..edf72e6caa6 100644
--- a/src/package.json
+++ b/src/package.json
@@ -88,7 +88,7 @@
     "tsx": "4.21.0",
     "ueberdb2": "^5.0.48",
     "underscore": "1.13.8",
-    "undici": "^7.16.0",
+    "undici": "^8.2.0",
     "unorm": "1.6.0",
     "wtfnode": "^0.10.1"
   },

From d6a55c2283a3bc9c15a4e4518a5644c8809bdd7c Mon Sep 17 00:00:00 2001
From: John McLear <john@mclear.co.uk>
Date: Sun, 10 May 2026 21:41:52 +0100
Subject: [PATCH 25/25] =?UTF-8?q?feat(7642):=20bin/compactStalePads=20?=
 =?UTF-8?q?=E2=80=94=20staleness-gated=20bulk=20compaction=20(#7708)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat(7642): bin/compactStalePads — staleness-gated bulk compaction

Adds bin/compactStalePads with --older-than / --keep / --dry-run.
Composes listAllPads → getLastEdited → compactPad so hot pads in
active timeslider use are left alone and only the cold tail is
compacted. Targeting stays a CLI concern; compactPad's API surface
is unchanged.

Per-pad failures (including a getLastEdited fault) don't stop the
run — same error-tolerance shape as compactAllPads. End-to-end test
plumbs through the real /api/1.3.1/getLastEdited + compactPad
endpoints to lock the adapter contract.

Daily-cron variant (cleanup.compactOlderThanDays setting) deferred
to a follow-up so this PR stays focused on the on-demand operator
tool from the issue's primary acceptance bullet.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(7642): TOCTOU recheck before compaction + admin CLI docs

Qodo flagged two real issues:

1. Race window between staleness selection and compaction. On a long
   bulk run a pad could become active between first-pass filtering and
   compactPad, which would then kick those sessions. Added a getLastEdited
   recheck right before each compact call; if the pad is now fresh it's
   reclassified as skippedFresh rather than failed (the user did the
   right thing — edited it — and we bow out).

2. doc/cli.md had nothing on pad compaction at all (gap predates this
   PR; #6194 landed without doc updates). Added a Pad compaction section
   covering all three CLIs — compactPad, compactAllPads, compactStalePads
   — so the toolset is discoverable as a unit.

Tests cover both the recheck-skip path and a recheck-failure path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 CHANGELOG.md                          |   1 +
 bin/compactStalePads.ts               | 328 ++++++++++++++++++++++++++
 doc/cli.md                            |  39 +++
 src/tests/backend/specs/compactPad.ts | 314 ++++++++++++++++++++++++
 4 files changed, 682 insertions(+)
 create mode 100644 bin/compactStalePads.ts

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 346603d950d..86c67795906 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,7 @@
   - Tier 1 ships in this release. Tiers 2 (manual click), 3 (auto with grace window) and 4 (autonomous in maintenance window) are designed and will land in subsequent releases.
   - See `doc/admin/updates.md` for full configuration.
 - **Pad compaction.** New `compactPad` HTTP API plus `bin/compactPad` and `bin/compactAllPads` CLIs to reclaim database space on long-lived pads with heavy edit history (issue #6194). `--keep N` retains the last N revisions; `--dry-run` previews per-pad rev counts before writing. Per-pad failures don't stop the bulk run.
+  - `bin/compactStalePads` (issue #7642) targets only pads not edited in the last `--older-than N` days, so hot pads in active timeslider use are left alone. Same `--keep` / `--dry-run` shape as `bin/compactAllPads`. Targeting is deliberately a CLI concern — the `compactPad` API surface stays unchanged.
 - **New packaging targets.**
   - Etherpad is now published as a **Snap** package.
   - **Debian (.deb)** packages are built via nfpm with a systemd unit, and a signed apt repository is published to `etherpad.org/apt`.
diff --git a/bin/compactStalePads.ts b/bin/compactStalePads.ts
new file mode 100644
index 00000000000..df52cac3a35
--- /dev/null
+++ b/bin/compactStalePads.ts
@@ -0,0 +1,328 @@
+'use strict';
+
+/*
+ * Compact every pad on the instance that has not been edited recently.
+ *
+ * Usage:
+ *   node bin/compactStalePads.js --older-than 90              # collapse history on pads not edited in 90 days
+ *   node bin/compactStalePads.js --older-than 90 --keep 50    # keep last 50 revisions
+ *   node bin/compactStalePads.js --older-than 90 --dry-run    # list, don't write
+ *
+ * Composes `listAllPads` → `getLastEdited` → `compactPad`. Same shape as
+ * `bin/compactAllPads` (per-pad error tolerance, dry-run, tally), but
+ * filters by edit-recency before touching anything. Targeting which pads
+ * to compact is deliberately a CLI concern and not a `compactPad` API
+ * param — staleness changes from one run to the next, the compaction
+ * primitive does not.
+ *
+ * Destructive — `getEtherpad`-export anything you can't afford to lose
+ * before running.
+ *
+ * Issue #7642: long-lived instances accumulate cold pads whose history
+ * nobody is navigating any more. Hot pads should be left alone; this
+ * tool is the brick for reclaiming space on the cold tail.
+ */
+import path from 'node:path';
+import fs from 'node:fs';
+import process from 'node:process';
+
+export type CompactStaleOpts = {
+  olderThanDays: number;
+  keepRevisions: number | null;
+  dryRun: boolean;
+};
+
+// Minimal interface mirroring the API endpoints the script needs. Tests
+// substitute their own implementation that goes through supertest+JWT
+// instead of fetch+APIKEY, so the loop logic is exercised against a real
+// running server without dragging in apikey-file or fetch setup.
+export type CompactStaleApi = {
+  listAllPads(): Promise<string[]>;
+  getLastEdited(padId: string): Promise<number>;
+  getRevisionsCount(padId: string): Promise<number>;
+  compactPad(padId: string, keepRevisions: number | null): Promise<void>;
+};
+
+export type CompactStaleReport = {
+  total: number;
+  stale: number;
+  ok: number;
+  failed: number;
+  skippedFresh: number;
+  totalRevsBefore: number;
+  totalRevsAfter: number;
+};
+
+export type CompactStaleLogger = {
+  info(msg: string): void;
+  error(msg: string): void;
+};
+
+const defaultLogger: CompactStaleLogger = {
+  info: (m) => console.log(m),
+  error: (m) => console.error(m),
+};
+
+const DAY_MS = 24 * 60 * 60 * 1000;
+
+// Pure-ish core: compose listAllPads → getLastEdited → compactPad with
+// the same per-pad error tolerance + dry-run + tally as compactAllPads.
+// `now` is injected so tests can pin the wall clock.
+export const runCompactStale = async (
+  api: CompactStaleApi, opts: CompactStaleOpts,
+  logger: CompactStaleLogger = defaultLogger,
+  now: () => number = Date.now,
+): Promise<CompactStaleReport> => {
+  const cutoff = now() - opts.olderThanDays * DAY_MS;
+
+  let padIds: string[];
+  try {
+    padIds = await api.listAllPads();
+  } catch (e: any) {
+    logger.error(`listAllPads failed: ${e.message ?? e}`);
+    return {
+      total: 0, stale: 0, ok: 0, failed: 1, skippedFresh: 0,
+      totalRevsBefore: 0, totalRevsAfter: 0,
+    };
+  }
+
+  if (padIds.length === 0) {
+    logger.info('No pads on this instance.');
+    return {
+      total: 0, stale: 0, ok: 0, failed: 0, skippedFresh: 0,
+      totalRevsBefore: 0, totalRevsAfter: 0,
+    };
+  }
+
+  const strategy = opts.keepRevisions == null
+    ? 'collapse all history'
+    : `keep last ${opts.keepRevisions} revisions`;
+  logger.info(
+      `Found ${padIds.length} pad(s). Filter: not edited in ` +
+      `${opts.olderThanDays} day(s). Strategy: ${strategy}` +
+      `${opts.dryRun ? ' (dry run — no writes)' : ''}.`);
+
+  const report: CompactStaleReport = {
+    total: padIds.length, stale: 0, ok: 0, failed: 0, skippedFresh: 0,
+    totalRevsBefore: 0, totalRevsAfter: 0,
+  };
+
+  // First pass: figure out which pads are actually stale. A getLastEdited
+  // failure on a pad is counted as a failure (we can't decide), but does
+  // not stop the run.
+  const stalePads: string[] = [];
+  for (const padId of padIds) {
+    let lastEdited: number;
+    try {
+      lastEdited = await api.getLastEdited(padId);
+    } catch (e: any) {
+      logger.error(`${padId}: getLastEdited failed: ${e.message ?? e}`);
+      report.failed++;
+      continue;
+    }
+    if (lastEdited > cutoff) {
+      report.skippedFresh++;
+      continue;
+    }
+    stalePads.push(padId);
+  }
+  report.stale = stalePads.length;
+
+  if (stalePads.length === 0) {
+    logger.info(
+        `No stale pads (${report.skippedFresh} fresh, ${report.failed} unreadable).`);
+    return report;
+  }
+
+  logger.info(
+      `${stalePads.length} stale pad(s) to process ` +
+      `(${report.skippedFresh} fresh skipped).`);
+
+  for (let i = 0; i < stalePads.length; i++) {
+    const padId = stalePads[i];
+    const idx = `[${i + 1}/${stalePads.length}]`;
+
+    let before: number;
+    try {
+      before = await api.getRevisionsCount(padId);
+    } catch (e: any) {
+      logger.error(`${idx} ${padId}: getRevisionsCount failed: ${e.message ?? e}`);
+      report.failed++;
+      continue;
+    }
+
+    if (opts.dryRun) {
+      logger.info(`${idx} ${padId}: ${before + 1} revision(s) — would compact`);
+      report.totalRevsBefore += before + 1;
+      continue;
+    }
+
+    // Re-check staleness right before compacting. Without this the
+    // first-pass selection is a TOCTOU window: on a long bulk run a
+    // pad can become active between selection and compaction, and
+    // compactPad would then kick those sessions. Re-checking here
+    // shrinks the window to one round-trip and treats the pad as
+    // freshened (skipped, not failed).
+    let lastEditedNow: number;
+    try {
+      lastEditedNow = await api.getLastEdited(padId);
+    } catch (e: any) {
+      logger.error(`${idx} ${padId}: getLastEdited recheck failed: ${e.message ?? e}`);
+      report.failed++;
+      continue;
+    }
+    if (lastEditedNow > cutoff) {
+      logger.info(`${idx} ${padId}: edited during run — skipping (now fresh)`);
+      report.skippedFresh++;
+      report.stale--;
+      continue;
+    }
+
+    try {
+      await api.compactPad(padId, opts.keepRevisions);
+    } catch (e: any) {
+      logger.error(`${idx} ${padId}: compactPad failed: ${e.message ?? e}`);
+      report.failed++;
+      continue;
+    }
+
+    let after: number | undefined;
+    try { after = await api.getRevisionsCount(padId); }
+    catch { /* main op already succeeded; post-count is informational */ }
+
+    if (after != null) {
+      logger.info(`${idx} ${padId}: ${before + 1} → ${after + 1} revision(s)`);
+      report.totalRevsBefore += before + 1;
+      report.totalRevsAfter += after + 1;
+    } else {
+      logger.info(`${idx} ${padId}: compacted (post-count unavailable)`);
+    }
+    report.ok++;
+  }
+
+  if (opts.dryRun) {
+    logger.info('');
+    logger.info(
+        `Dry run complete. ${stalePads.length} stale pad(s), ` +
+        `${report.totalRevsBefore} total revision(s) — re-run ` +
+        'without --dry-run to compact.');
+  } else {
+    logger.info('');
+    logger.info(
+        `Done. ${report.ok} pad(s) compacted, ${report.failed} failed, ` +
+        `${report.skippedFresh} fresh skipped. ` +
+        `Revisions: ${report.totalRevsBefore} → ${report.totalRevsAfter} ` +
+        `(reclaimed ${report.totalRevsBefore - report.totalRevsAfter}).`);
+  }
+
+  return report;
+};
+
+export const parseArgs = (argv: string[]): CompactStaleOpts | null => {
+  const opts: CompactStaleOpts = {
+    olderThanDays: NaN, keepRevisions: null, dryRun: false,
+  };
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (a === '--dry-run') {
+      opts.dryRun = true;
+    } else if (a === '--older-than') {
+      const v = argv[++i];
+      const n = Number(v);
+      if (!Number.isInteger(n) || n < 0) {
+        console.error(`--older-than expects a non-negative integer; got ${v}`);
+        return null;
+      }
+      opts.olderThanDays = n;
+    } else if (a === '--keep') {
+      const v = argv[++i];
+      const n = Number(v);
+      if (!Number.isInteger(n) || n < 0) {
+        console.error(`--keep expects a non-negative integer; got ${v}`);
+        return null;
+      }
+      opts.keepRevisions = n;
+    } else {
+      return null;
+    }
+  }
+  if (!Number.isFinite(opts.olderThanDays)) {
+    console.error('--older-than is required');
+    return null;
+  }
+  return opts;
+};
+
+const usage = () => {
+  console.error('Usage:');
+  console.error('  node bin/compactStalePads.js --older-than <days>');
+  console.error('  node bin/compactStalePads.js --older-than <days> --keep <N>');
+  console.error('  node bin/compactStalePads.js --older-than <days> --dry-run');
+  process.exit(2);
+};
+
+const isMain = require.main === module;
+if (isMain) {
+  process.on('unhandledRejection', (err) => { throw err; });
+
+  const settings = require('ep_etherpad-lite/tests/container/loadSettings').loadSettings();
+  const baseURL = `${settings.ssl ? 'https' : 'http'}://${settings.ip}:${settings.port}`;
+
+  const apiGet = async (p: string): Promise<any> => {
+    const r = await fetch(baseURL + p);
+    if (!r.ok) throw new Error(`HTTP ${r.status} ${r.statusText}`);
+    return r.json();
+  };
+  const apiPost = async (p: string): Promise<any> => {
+    const r = await fetch(baseURL + p, {method: 'POST'});
+    if (!r.ok) throw new Error(`HTTP ${r.status} ${r.statusText}`);
+    return r.json();
+  };
+
+  const opts = parseArgs(process.argv.slice(2));
+  if (!opts) usage();
+
+  const apikey = fs.readFileSync(
+      path.join(__dirname, '../APIKEY.txt'), {encoding: 'utf-8'}).trim();
+
+  // Bind the abstract API to fetch + APIKEY auth for the CLI shell.
+  const cliApi: CompactStaleApi = {
+    async listAllPads() {
+      const apiInfo = await apiGet('/api/');
+      const apiVersion: string | undefined = apiInfo.currentVersion;
+      if (!apiVersion) throw new Error('No version set in API');
+      (cliApi as any)._apiVersion = apiVersion;
+      const r = await apiGet(`/api/${apiVersion}/listAllPads?apikey=${apikey}`);
+      if (r.code !== 0) throw new Error(JSON.stringify(r));
+      return r.data.padIDs ?? [];
+    },
+    async getLastEdited(padId: string) {
+      const v = (cliApi as any)._apiVersion;
+      const r = await apiGet(
+          `/api/${v}/getLastEdited?apikey=${apikey}` +
+          `&padID=${encodeURIComponent(padId)}`);
+      if (r.code !== 0) throw new Error(JSON.stringify(r));
+      return r.data.lastEdited;
+    },
+    async getRevisionsCount(padId: string) {
+      const v = (cliApi as any)._apiVersion;
+      const r = await apiGet(
+          `/api/${v}/getRevisionsCount?apikey=${apikey}` +
+          `&padID=${encodeURIComponent(padId)}`);
+      if (r.code !== 0) throw new Error(JSON.stringify(r));
+      return r.data.revisions;
+    },
+    async compactPad(padId: string, keepRevisions: number | null) {
+      const v = (cliApi as any)._apiVersion;
+      const params = new URLSearchParams({apikey, padID: padId});
+      if (keepRevisions != null) params.set('keepRevisions', String(keepRevisions));
+      const r = await apiPost(`/api/${v}/compactPad?${params.toString()}`);
+      if (r.code !== 0) throw new Error(JSON.stringify(r));
+    },
+  };
+
+  (async () => {
+    const report = await runCompactStale(cliApi, opts!);
+    if (report.failed > 0) process.exit(1);
+  })();
+}
diff --git a/doc/cli.md b/doc/cli.md
index 59f2c3ed298..aa46bb65a17 100644
--- a/doc/cli.md
+++ b/doc/cli.md
@@ -27,3 +27,42 @@ In this example we migrate from the old dirty db to the new rustydb engine. So w
 
 After that we need to move the data from dirty to rustydb.
 Therefore, we call `pnpm run --filter bin migrateDB --file1 test1.json --file2 test2.json` with these two files in our root directories. After some time the data should be copied over to the new database.
+
+## Pad compaction
+
+Long-lived pads with heavy edit history accumulate revisions in the database. Three CLIs reclaim that space, in increasing scope:
+
+| Tool | Targets | When to use |
+| --- | --- | --- |
+| `bin/compactPad.js <padID>` | one pad | you know which pad is fat |
+| `bin/compactAllPads.js` | every pad | bulk reclaim across the whole instance |
+| `bin/compactStalePads.js --older-than N` | pads not edited in N days | reclaim the cold tail without touching pads still in active use |
+
+All three are gated on `cleanup.enabled = true` in `settings.json` and are **destructive**: history is collapsed (or trimmed). Export anything you can't afford to lose with `getEtherpad` first.
+
+Common flags:
+
+- `--keep N` — retain the last N revisions instead of collapsing all history.
+- `--dry-run` — list pads and revision counts without writing.
+
+### Examples
+
+````
+# Compact a specific pad, collapsing all history.
+node bin/compactPad.js my-pad
+
+# Keep only the last 50 revisions of one pad.
+node bin/compactPad.js my-pad --keep 50
+
+# Compact every pad on the instance (per-pad failures don't stop the run).
+node bin/compactAllPads.js
+node bin/compactAllPads.js --dry-run
+
+# Compact only pads not edited in the last 90 days, keeping the last 50 revisions.
+node bin/compactStalePads.js --older-than 90 --keep 50
+node bin/compactStalePads.js --older-than 90 --dry-run
+````
+
+`bin/compactStalePads.js` is the right tool for periodic operator runs on long-lived instances — hot pads that users are still navigating in timeslider stay untouched, and only the cold tail is rewritten. Per-pad failures (including a `getLastEdited` fault) are counted but do not abort the bulk run; the exit code reflects whether anything failed.
+
+See the `compactPad` HTTP API in `doc/api/http_api.md` for the same primitive over the wire (issues #6194, #7642).
diff --git a/src/tests/backend/specs/compactPad.ts b/src/tests/backend/specs/compactPad.ts
index 96886d1ad23..426103f1289 100644
--- a/src/tests/backend/specs/compactPad.ts
+++ b/src/tests/backend/specs/compactPad.ts
@@ -344,4 +344,318 @@ describe(__filename, function () {
       assert.ok(reB.getHeadRevisionNumber() <= 1);
     });
   });
+
+  // Coverage for the staleness-gated bulk loop in
+  // bin/compactStalePads.ts (issue #7642). Same pattern as the
+  // compactAllPads tests above: stub api + `now` injection so we don't
+  // need real wall-clock drift, plus one end-to-end run through the
+  // real /api/1.3.1/getLastEdited + compactPad endpoints to prove the
+  // CLI's adapter shape doesn't lie.
+  describe('runCompactStale (bin/compactStalePads loop)', function () {
+    // eslint-disable-next-line @typescript-eslint/no-var-requires
+    const {runCompactStale, parseArgs} =
+        require('../../../../bin/compactStalePads');
+
+    const silent = {info: () => {}, error: () => {}};
+    const NOW = 1_700_000_000_000;
+    const day = 24 * 60 * 60 * 1000;
+    const fixedNow = () => NOW;
+
+    type StubFails = {
+      list?: boolean;
+      lastEdited?: Set<string>;
+      count?: Set<string>;
+      compact?: Set<string>;
+    };
+    const makeApi = (
+      pads: Array<{id: string, ageDays: number}>, fails: StubFails = {},
+    ) => {
+      const counts = new Map<string, number>();
+      const ages = new Map<string, number>();
+      pads.forEach((p) => {
+        counts.set(p.id, 5);
+        ages.set(p.id, NOW - p.ageDays * day);
+      });
+      return {
+        async listAllPads() {
+          if (fails.list) throw new Error('boom');
+          return pads.map((p) => p.id);
+        },
+        async getLastEdited(padId: string) {
+          if (fails.lastEdited?.has(padId)) throw new Error('lastEdited-boom');
+          const t = ages.get(padId);
+          if (t == null) throw new Error('unknown pad');
+          return t;
+        },
+        async getRevisionsCount(padId: string) {
+          if (fails.count?.has(padId)) throw new Error('count-boom');
+          const c = counts.get(padId);
+          if (c == null) throw new Error('unknown pad');
+          return c;
+        },
+        async compactPad(padId: string, keepRevisions: number | null) {
+          if (fails.compact?.has(padId)) throw new Error('compact-boom');
+          counts.set(padId,
+              keepRevisions == null ? 0 : Math.min(counts.get(padId)!, keepRevisions));
+        },
+      };
+    };
+
+    it('parses --older-than / --keep / --dry-run', function () {
+      assert.deepStrictEqual(parseArgs(['--older-than', '90']),
+          {olderThanDays: 90, keepRevisions: null, dryRun: false});
+      assert.deepStrictEqual(parseArgs(['--older-than', '30', '--keep', '50']),
+          {olderThanDays: 30, keepRevisions: 50, dryRun: false});
+      assert.deepStrictEqual(
+          parseArgs(['--older-than', '7', '--keep', '10', '--dry-run']),
+          {olderThanDays: 7, keepRevisions: 10, dryRun: true});
+    });
+
+    it('rejects missing / invalid --older-than and unknown args', function () {
+      assert.strictEqual(parseArgs([]), null);
+      assert.strictEqual(parseArgs(['--keep', '10']), null);
+      assert.strictEqual(parseArgs(['--older-than', 'abc']), null);
+      assert.strictEqual(parseArgs(['--older-than', '-1']), null);
+      assert.strictEqual(parseArgs(['--older-than', '7', '--unknown']), null);
+    });
+
+    it('only compacts pads older than the cutoff', async function () {
+      const compacted: string[] = [];
+      const api = {
+        async listAllPads() { return ['fresh', 'stale-a', 'stale-b']; },
+        async getLastEdited(padId: string) {
+          if (padId === 'fresh') return NOW - 5 * day;
+          return NOW - 120 * day;
+        },
+        async getRevisionsCount() { return 3; },
+        async compactPad(padId: string) { compacted.push(padId); },
+      };
+      const report = await runCompactStale(api,
+          {olderThanDays: 90, keepRevisions: null, dryRun: false},
+          silent, fixedNow);
+      assert.strictEqual(report.total, 3);
+      assert.strictEqual(report.stale, 2);
+      assert.strictEqual(report.skippedFresh, 1);
+      assert.strictEqual(report.ok, 2);
+      assert.deepStrictEqual(compacted.sort(), ['stale-a', 'stale-b']);
+    });
+
+    it('honours --keep N for stale pads', async function () {
+      const seen: Array<[string, number | null]> = [];
+      const api = {
+        async listAllPads() { return ['p1', 'p2']; },
+        async getLastEdited() { return NOW - 200 * day; },
+        async getRevisionsCount() { return 5; },
+        async compactPad(padId: string, k: number | null) {
+          seen.push([padId, k]);
+        },
+      };
+      const report = await runCompactStale(api,
+          {olderThanDays: 90, keepRevisions: 3, dryRun: false},
+          silent, fixedNow);
+      assert.strictEqual(report.ok, 2);
+      assert.deepStrictEqual(seen, [['p1', 3], ['p2', 3]]);
+    });
+
+    it('--dry-run does not call compactPad on stale pads', async function () {
+      let compactCalls = 0;
+      const api = {
+        async listAllPads() { return ['old-1', 'old-2', 'fresh']; },
+        async getLastEdited(padId: string) {
+          return padId === 'fresh' ? NOW - 1 * day : NOW - 365 * day;
+        },
+        async getRevisionsCount() { return 4; },
+        async compactPad() { compactCalls++; },
+      };
+      const report = await runCompactStale(api,
+          {olderThanDays: 90, keepRevisions: null, dryRun: true},
+          silent, fixedNow);
+      assert.strictEqual(compactCalls, 0);
+      assert.strictEqual(report.stale, 2);
+      assert.strictEqual(report.skippedFresh, 1);
+      assert.strictEqual(report.totalRevsBefore, 10); // 2 stale × (4+1)
+      assert.strictEqual(report.totalRevsAfter, 0);
+    });
+
+    it('keeps going when one stale pad fails to compact', async function () {
+      const api = makeApi(
+          [{id: 'ok-1', ageDays: 100}, {id: 'broken', ageDays: 200},
+            {id: 'ok-2', ageDays: 365}],
+          {compact: new Set(['broken'])});
+      const report = await runCompactStale(api,
+          {olderThanDays: 90, keepRevisions: null, dryRun: false},
+          silent, fixedNow);
+      assert.strictEqual(report.stale, 3);
+      assert.strictEqual(report.ok, 2);
+      assert.strictEqual(report.failed, 1);
+    });
+
+    it('counts a getLastEdited failure as a failure but keeps going',
+        async function () {
+          const api = makeApi(
+              [{id: 'a', ageDays: 100}, {id: 'unreadable', ageDays: 0},
+                {id: 'b', ageDays: 200}],
+              {lastEdited: new Set(['unreadable'])});
+          const report = await runCompactStale(api,
+              {olderThanDays: 90, keepRevisions: null, dryRun: false},
+              silent, fixedNow);
+          assert.strictEqual(report.total, 3);
+          assert.strictEqual(report.stale, 2);
+          assert.strictEqual(report.ok, 2);
+          assert.strictEqual(report.failed, 1);
+        });
+
+    it('reports listAllPads failure without iterating', async function () {
+      const api = makeApi([{id: 'a', ageDays: 100}], {list: true});
+      const report = await runCompactStale(api,
+          {olderThanDays: 90, keepRevisions: null, dryRun: false},
+          silent, fixedNow);
+      assert.strictEqual(report.total, 0);
+      assert.strictEqual(report.failed, 1);
+    });
+
+    it('handles an empty instance', async function () {
+      const api = makeApi([]);
+      const report = await runCompactStale(api,
+          {olderThanDays: 90, keepRevisions: null, dryRun: false},
+          silent, fixedNow);
+      assert.strictEqual(report.total, 0);
+      assert.strictEqual(report.stale, 0);
+      assert.strictEqual(report.ok, 0);
+      assert.strictEqual(report.failed, 0);
+    });
+
+    it('handles an instance where every pad is fresh', async function () {
+      const api = makeApi(
+          [{id: 'a', ageDays: 1}, {id: 'b', ageDays: 5}]);
+      const report = await runCompactStale(api,
+          {olderThanDays: 90, keepRevisions: null, dryRun: false},
+          silent, fixedNow);
+      assert.strictEqual(report.stale, 0);
+      assert.strictEqual(report.skippedFresh, 2);
+      assert.strictEqual(report.ok, 0);
+    });
+
+    it('skips a pad that gets edited between selection and compaction',
+        async function () {
+          // Two getLastEdited calls per pad: the first-pass selection,
+          // and the right-before-compact recheck. We answer "old" the
+          // first time and "fresh" the second to simulate an edit
+          // landing during the run.
+          const calls: Record<string, number> = {p1: 0, p2: 0};
+          let compactCalls = 0;
+          const api = {
+            async listAllPads() { return ['p1', 'p2']; },
+            async getLastEdited(padId: string) {
+              calls[padId]++;
+              if (padId === 'p1' && calls.p1 === 2) return NOW - 1 * day;
+              return NOW - 200 * day;
+            },
+            async getRevisionsCount() { return 4; },
+            async compactPad() { compactCalls++; },
+          };
+          const report = await runCompactStale(api,
+              {olderThanDays: 90, keepRevisions: null, dryRun: false},
+              silent, fixedNow);
+          assert.strictEqual(report.total, 2);
+          assert.strictEqual(report.stale, 1, 'p1 reclassified to fresh');
+          assert.strictEqual(report.skippedFresh, 1);
+          assert.strictEqual(report.ok, 1);
+          assert.strictEqual(compactCalls, 1);
+        });
+
+    it('counts a getLastEdited recheck failure as a failure', async function () {
+      let compactCalls = 0;
+      const callCount: Record<string, number> = {p1: 0};
+      const api = {
+        async listAllPads() { return ['p1']; },
+        async getLastEdited(padId: string) {
+          callCount[padId]++;
+          if (callCount[padId] === 2) throw new Error('recheck-boom');
+          return NOW - 200 * day;
+        },
+        async getRevisionsCount() { return 5; },
+        async compactPad() { compactCalls++; },
+      };
+      const report = await runCompactStale(api,
+          {olderThanDays: 90, keepRevisions: null, dryRun: false},
+          silent, fixedNow);
+      assert.strictEqual(report.failed, 1);
+      assert.strictEqual(report.ok, 0);
+      assert.strictEqual(compactCalls, 0);
+    });
+
+    it('--older-than 0 treats every pad as stale', async function () {
+      const api = makeApi(
+          [{id: 'a', ageDays: 0}, {id: 'b', ageDays: 0}]);
+      const report = await runCompactStale(api,
+          {olderThanDays: 0, keepRevisions: null, dryRun: false},
+          silent, fixedNow);
+      assert.strictEqual(report.stale, 2);
+      assert.strictEqual(report.ok, 2);
+    });
+
+    // Plumbs the loop through the real /api/1.3.1/getLastEdited +
+    // compactPad endpoints so we know the CLI's adapter shape doesn't
+    // lie about its contract. Two pads, both old (the test instance
+    // wall-clock is "now"), with --older-than 0 to force both stale.
+    it('end-to-end against the real HTTP handler', async function () {
+      const padA = common.randomString();
+      const padB = common.randomString();
+      const padObjA = await padManager.getPad(padA);
+      const padObjB = await padManager.getPad(padB);
+      for (let i = 0; i < 4; i++) await padObjA.appendText(`a-${i}\n`);
+      for (let i = 0; i < 4; i++) await padObjB.appendText(`b-${i}\n`);
+      const beforeA = padObjA.getHeadRevisionNumber();
+      const beforeB = padObjB.getHeadRevisionNumber();
+      assert.ok(beforeA >= 4 && beforeB >= 4);
+
+      const allowed = new Set([padA, padB]);
+      const httpApi = {
+        // Scope to just the pads this test created — the test DB is
+        // shared across describes.
+        async listAllPads() { return [padA, padB]; },
+        async getLastEdited(padId: string) {
+          const r = await agent.get(
+              `/api/1.3.1/getLastEdited?padID=${padId}`)
+              .set('authorization', await generateJWTToken())
+              .expect(200);
+          if (r.body.code !== 0) throw new Error(JSON.stringify(r.body));
+          return r.body.data.lastEdited;
+        },
+        async getRevisionsCount(padId: string) {
+          const r = await agent.get(
+              `/api/1.3.1/getRevisionsCount?padID=${padId}`)
+              .set('authorization', await generateJWTToken())
+              .expect(200);
+          if (r.body.code !== 0) throw new Error(JSON.stringify(r.body));
+          return r.body.data.revisions;
+        },
+        async compactPad(padId: string, keepRevisions: number | null) {
+          assert.ok(allowed.has(padId));
+          const url = keepRevisions == null
+            ? `/api/1.3.1/compactPad?padID=${padId}`
+            : `/api/1.3.1/compactPad?padID=${padId}&keepRevisions=${keepRevisions}`;
+          const r = await agent.get(url)
+              .set('authorization', await generateJWTToken())
+              .expect(200);
+          if (r.body.code !== 0) throw new Error(JSON.stringify(r.body));
+        },
+      };
+
+      // --older-than 0 → cutoff == now → both freshly-edited test pads
+      // are >= cutoff and considered stale.
+      const report = await runCompactStale(httpApi,
+          {olderThanDays: 0, keepRevisions: null, dryRun: false}, silent);
+      assert.strictEqual(report.total, 2);
+      assert.strictEqual(report.stale, 2);
+      assert.strictEqual(report.ok, 2);
+      assert.strictEqual(report.failed, 0);
+
+      const reA = await padManager.getPad(padA);
+      const reB = await padManager.getPad(padB);
+      assert.ok(reA.getHeadRevisionNumber() <= 1);
+      assert.ok(reB.getHeadRevisionNumber() <= 1);
+    });
+  });
 });