diff --git a/.github/actions/docker-build-platform/action.yml b/.github/actions/docker-build-platform/action.yml
new file mode 100644
index 0000000..1ad27ff
--- /dev/null
+++ b/.github/actions/docker-build-platform/action.yml
@@ -0,0 +1,70 @@
+name: 'Docker Build Platform'
+description: 'Builds and pushes a single-platform Docker image by digest.'
+runs:
+  using: 'composite'
+  steps:
+    - name: Prepare platform pair
+      id: prepare
+      shell: bash
+      run: |
+        platform="${{ inputs.platform }}"
+        echo "platform_pair=${platform//\//-}" >> $GITHUB_OUTPUT
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Log in to GHCR
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ inputs.ghcr_username }}
+        password: ${{ inputs.ghcr_token }}
+
+    - name: Build and push by digest
+      id: build
+      uses: docker/build-push-action@v6
+      env:
+        BUILDKIT_PROGRESS: plain
+      with:
+        context: ${{ inputs.context }}
+        file: ${{ inputs.file }}
+        platforms: ${{ inputs.platform }}
+        outputs: type=image,"name=${{ inputs.image_name }}",push-by-digest=true,name-canonical=true,push=true
+        cache-from: type=gha,scope=build-${{ steps.prepare.outputs.platform_pair }}
+        cache-to: type=gha,mode=max,scope=build-${{ steps.prepare.outputs.platform_pair }}
+
+    - name: Export digest
+      shell: bash
+      run: |
+        mkdir -p "${{ runner.temp }}/digests"
+        digest="${{ steps.build.outputs.digest }}"
+        touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+    - name: Upload digest
+      uses: actions/upload-artifact@v7
+      with:
+        name: digests-${{ steps.prepare.outputs.platform_pair }}
+        path: ${{ runner.temp }}/digests/*
+        if-no-files-found: error
+        retention-days: 1
+
+inputs:
+  ghcr_username:
+    required: true
+    description: 'GHCR username'
+  ghcr_token:
+    required: true
+    description: 'GHCR token'
+  context:
+    required: true
+    description: 'Build context'
+  file:
+    required: true
+    description: 'Dockerfile path'
+  platform:
+    required: true
+    description: 'Target platform (e.g. linux/amd64)'
+  image_name:
+    required: true
+    description: 'Image name without tag (e.g. ghcr.io/gameyfin/gameyfin)'
+
diff --git a/.github/actions/docker-build-push/action.yml b/.github/actions/docker-create-manifest/action.yml
similarity index 53%
rename from .github/actions/docker-build-push/action.yml
rename to .github/actions/docker-create-manifest/action.yml
index a2c2177..a0a3e33 100644
--- a/.github/actions/docker-build-push/action.yml
+++ b/.github/actions/docker-create-manifest/action.yml
@@ -1,8 +1,15 @@
-name: 'Docker Build and Push'
-description: 'Builds and pushes Docker images to GHCR with flexible tagging.'
+name: 'Docker Create Manifest'
+description: 'Creates and pushes a multi-arch manifest from per-platform digests.'
 runs:
   using: 'composite'
   steps:
+    - name: Download digests
+      uses: actions/download-artifact@v8
+      with:
+        path: ${{ runner.temp }}/digests
+        pattern: digests-*
+        merge-multiple: true
+
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
 
@@ -24,16 +31,19 @@ runs:
         COMBINED_TAGS="$DEFAULT_TAGS,$UBUNTU_TAGS"
         echo "combined_tags=$COMBINED_TAGS" >> $GITHUB_OUTPUT
 
-    - name: Build and push Docker image (Ubuntu)
-      uses: docker/build-push-action@v5
-      with:
-        context: ${{ inputs.context }}
-        file: docker/Dockerfile.ubuntu
-        platforms: ${{ inputs.platforms }}
-        push: true
-        tags: ${{ steps.combined_tags.outputs.combined_tags }}
-        cache-from: type=gha
-        cache-to: type=gha
+    - name: Create manifest list and push
+      shell: bash
+      working-directory: ${{ runner.temp }}/digests
+      run: |
+        TAG_ARGS=$(echo "${{ steps.combined_tags.outputs.combined_tags }}" | tr ',' '\n' | xargs -I {} echo "-t {}" | tr '\n' ' ')
+        docker buildx imagetools create $TAG_ARGS \
+          $(printf '${{ inputs.image_name }}@sha256:%s ' *)
+
+    - name: Inspect image
+      shell: bash
+      run: |
+        TAG=$(echo "${{ inputs.tags }}" | cut -d',' -f1)
+        docker buildx imagetools inspect "$TAG"
 
 inputs:
   ghcr_username:
@@ -42,16 +52,10 @@ inputs:
   ghcr_token:
     required: true
     description: 'GHCR token'
-  context:
-    required: true
-    description: 'Build context'
-  dockerfile:
-    required: true
-    description: 'Dockerfile path'
-  platforms:
-    required: true
-    description: 'Platforms to build for'
   tags:
     required: true
     description: 'Comma-separated list of image tags'
+  image_name:
+    required: true
+    description: 'Image name without tag (e.g. ghcr.io/gameyfin/gameyfin)'
 
diff --git a/.github/prompts/sonar.prompt.md b/.github/prompts/sonar.prompt.md
new file mode 100644
index 0000000..a245bd8
--- /dev/null
+++ b/.github/prompts/sonar.prompt.md
@@ -0,0 +1,7 @@
+---
+description: Analyze and fix Sonar issues reported in this file
+---
+
+Sonar reported some issues in this file, please fix them.
+Use the "list warnings/errors" command to get the list of issues, and then fix them one by one.
+
diff --git a/.github/workflows/docker-fix.yml b/.github/workflows/docker-fix.yml
index fe6cef5..2b421b6 100644
--- a/.github/workflows/docker-fix.yml
+++ b/.github/workflows/docker-fix.yml
@@ -34,16 +34,24 @@ jobs:
           report_paths: '**/build/test-results/test/TEST-*.xml'
 
       - name: Upload build outputs
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: build-outputs
           path: |
             app/build/libs/**
             plugins/**/build/libs/**/*.jar
 
-  docker:
+  docker-build:
     needs: build
-    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-24.04
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
     permissions:
       packages: write
     steps:
@@ -51,11 +59,30 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Download build outputs
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           name: build-outputs
           path: .
 
+      - name: Build platform image
+        uses: ./.github/actions/docker-build-platform
+        with:
+          ghcr_username: ${{ github.actor }}
+          ghcr_token: ${{ secrets.GITHUB_TOKEN }}
+          context: .
+          file: docker/Dockerfile.ubuntu
+          platform: ${{ matrix.platform }}
+          image_name: ghcr.io/gameyfin/gameyfin
+
+  docker-merge:
+    needs: [build, docker-build]
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
       - name: Extract tag from branch name
         id: extract_tag
         run: |
@@ -63,12 +90,10 @@ jobs:
           TAG="${BRANCH_NAME#fix/}"
           echo "tag=$TAG" >> $GITHUB_OUTPUT
 
-      - name: Build and push Docker image
-        uses: ./.github/actions/docker-build-push
+      - name: Create and push manifest
+        uses: ./.github/actions/docker-create-manifest
         with:
           ghcr_username: ${{ github.actor }}
           ghcr_token: ${{ secrets.GITHUB_TOKEN }}
-          context: .
-          dockerfile: docker/Dockerfile
-          platforms: linux/arm64/v8,linux/amd64
           tags: ghcr.io/gameyfin/gameyfin:${{ steps.extract_tag.outputs.tag }}
+          image_name: ghcr.io/gameyfin/gameyfin
diff --git a/.github/workflows/docker-preview.yml b/.github/workflows/docker-preview.yml
index b3fbe77..f30c4b6 100644
--- a/.github/workflows/docker-preview.yml
+++ b/.github/workflows/docker-preview.yml
@@ -64,16 +64,24 @@ jobs:
           report_paths: '**/build/test-results/test/TEST-*.xml'
 
       - name: Upload build outputs
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: build-outputs
           path: |
             app/build/libs/**
             plugins/**/build/libs/**/*.jar
 
-  docker:
+  docker-build:
     needs: build
-    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-24.04
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
     permissions:
       packages: write
     steps:
@@ -83,17 +91,36 @@ jobs:
           fetch-depth: 0
 
       - name: Download build outputs
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           name: build-outputs
           path: .
 
-      - name: Build and push Docker image
-        uses: ./.github/actions/docker-build-push
+      - name: Build platform image
+        uses: ./.github/actions/docker-build-platform
         with:
           ghcr_username: ${{ github.actor }}
           ghcr_token: ${{ secrets.GITHUB_TOKEN }}
           context: .
-          dockerfile: docker/Dockerfile
-          platforms: linux/arm64/v8,linux/amd64
+          file: docker/Dockerfile.ubuntu
+          platform: ${{ matrix.platform }}
+          image_name: ghcr.io/gameyfin/gameyfin
+
+  docker-merge:
+    needs: [build, docker-build]
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Create and push manifest
+        uses: ./.github/actions/docker-create-manifest
+        with:
+          ghcr_username: ${{ github.actor }}
+          ghcr_token: ${{ secrets.GITHUB_TOKEN }}
           tags: ghcr.io/gameyfin/gameyfin:${{ needs.build.outputs.version }}
+          image_name: ghcr.io/gameyfin/gameyfin
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9675e7a..aa92261 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -50,7 +50,7 @@ jobs:
           jq ".version = \"$RELEASE_VERSION\"" app/package.json > app/package.json.tmp && mv app/package.json.tmp app/package.json
 
       - name: Upload modified files
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: modified-files
           path: |
@@ -71,7 +71,7 @@ jobs:
           fetch-depth: 0
 
       - name: Download modified files
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           name: modified-files
 
@@ -95,16 +95,24 @@ jobs:
           report_paths: '**/build/test-results/test/TEST-*.xml'
 
       - name: Upload build outputs
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: build-outputs
           path: |
             app/build/libs/**
             plugins/**/build/libs/**/*.jar
 
-  docker:
-    needs: [ setup, build ]
-    runs-on: ubuntu-latest
+  docker-build:
+    needs: [setup, build]
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - platform: linux/amd64
+            runner: ubuntu-24.04
+          - platform: linux/arm64
+            runner: ubuntu-24.04-arm
+    runs-on: ${{ matrix.runner }}
     permissions:
       packages: write
     steps:
@@ -114,16 +122,37 @@ jobs:
           fetch-depth: 0
 
       - name: Download modified files
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           name: modified-files
 
       - name: Download build outputs
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           name: build-outputs
           path: .
 
+      - name: Build platform image
+        uses: ./.github/actions/docker-build-platform
+        with:
+          ghcr_username: ${{ github.actor }}
+          ghcr_token: ${{ secrets.GITHUB_TOKEN }}
+          context: .
+          file: docker/Dockerfile.ubuntu
+          platform: ${{ matrix.platform }}
+          image_name: ghcr.io/gameyfin/gameyfin
+
+  docker-merge:
+    needs: [setup, docker-build]
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
       - name: Generate container image tags
         id: docker_tags
         run: |
@@ -138,15 +167,13 @@ jobs:
           TAGS="$GHCR_TAGS"
           echo "tags=$TAGS" >> $GITHUB_OUTPUT
 
-      - name: Build and push Docker image
-        uses: ./.github/actions/docker-build-push
+      - name: Create and push manifest
+        uses: ./.github/actions/docker-create-manifest
         with:
           ghcr_username: ${{ github.actor }}
           ghcr_token: ${{ secrets.GITHUB_TOKEN }}
-          context: .
-          dockerfile: docker/Dockerfile
-          platforms: linux/arm64/v8,linux/amd64
           tags: ${{ steps.docker_tags.outputs.tags }}
+          image_name: ghcr.io/gameyfin/gameyfin
 
   plugin_api:
     needs: setup
@@ -158,7 +185,7 @@ jobs:
           fetch-depth: 0
 
       - name: Download modified files
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           name: modified-files
 
@@ -180,7 +207,7 @@ jobs:
           ORG_GRADLE_PROJECT_mavenCentralPassword: ${{ secrets.MAVENCENTRAL_PASSWORD }}
 
   finalize:
-    needs: [ docker, plugin_api ]
+    needs: [ docker-merge, plugin_api ]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
@@ -189,7 +216,7 @@ jobs:
           fetch-depth: 0
 
       - name: Download modified files
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           name: modified-files
 
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
index 2044cb6..18dea99 100644
--- a/.github/workflows/sonar.yml
+++ b/.github/workflows/sonar.yml
@@ -28,7 +28,7 @@ jobs:
         uses: gradle/actions/setup-gradle@v5
 
       - name: Cache SonarCloud packages
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
diff --git a/.gitignore b/.gitignore
index 4104262..2ad9e91 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,5 +57,6 @@ out/
 *.state.json
 /plugins/data/
 /plugins/state/
+/plugins/**/*.jar
 /plugindata/
 /docker-debug/
diff --git a/.run/Gameyfin.run.xml b/.run/Gameyfin.run.xml
index a58e849..b193d89 100644
--- a/.run/Gameyfin.run.xml
+++ b/.run/Gameyfin.run.xml
@@ -9,7 +9,7 @@
     <module name="Gameyfin.app.main" />
     <option name="SHORTEN_COMMAND_LINE" value="ARGS_FILE" />
     <option name="SPRING_BOOT_MAIN_CLASS" value="org.gameyfin.app.GameyfinApplication" />
-    <option name="VM_PARAMETERS" value="-Dpf4j.mode=development -Djava.net.preferIPv4Stack=true" />
+    <option name="VM_PARAMETERS" value="-Dpf4j.mode=development -Djava.net.preferIPv4Stack=true -Dvaadin.frontend.hotdeploy=true -Dvaadin.copilot.enable=false" />
     <extension name="coverage">
       <pattern>
         <option name="PATTERN" value="org.gameyfin.app.*" />
diff --git a/.sonarlint/connectedMode.json b/.sonarlint/connectedMode.json
new file mode 100644
index 0000000..0879ebb
--- /dev/null
+++ b/.sonarlint/connectedMode.json
@@ -0,0 +1,5 @@
+{
+    "sonarCloudOrganization": "gameyfin",
+    "projectKey": "gameyfin_gameyfin",
+    "region": "EU"
+}
\ No newline at end of file
diff --git a/README.md b/README.md
index 61ff4c5..eefe54c 100644
--- a/README.md
+++ b/README.md
@@ -2,6 +2,13 @@
     <a href="https://gameyfin.org">
         <img src="assets/v2/Banner.svg" width="auto" alt="Gameyfin Logo">
     </a>
+
+[![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=gameyfin_gameyfin&metric=sqale_rating)](https://sonarcloud.io/summary/new_code?id=gameyfin_gameyfin)
+[![Reliability Rating](https://sonarcloud.io/api/project_badges/measure?project=gameyfin_gameyfin&metric=reliability_rating)](https://sonarcloud.io/summary/new_code?id=gameyfin_gameyfin)
+[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=gameyfin_gameyfin&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=gameyfin_gameyfin)
+[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=gameyfin_gameyfin&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=gameyfin_gameyfin)
+</div>
+<div align="center">
     <h2>Gameyfin</h2>
     <h4>Manage your video games.</h4>
     <p>simple / fast / <a href="https://gameyfin.org/blog/2025/12/22/why-gameyfin-is-foss/">FOSS</a></p>
@@ -11,9 +18,12 @@
 
 Name and functionality inspired by [Jellyfin](https://jellyfin.org/).
 
-Gameyfin will turn your disorganized collection of video games into a beautiful, easy-to-navigate library that you can access from any device with a web browser.  
-It will automatically scan your game folders, download metadata and cover images, and present everything in a user-friendly interface.  
-Download your game files directly from the web UI, share your library with friends, and enjoy your games like never before.  
+Gameyfin will turn your disorganized collection of video games into a beautiful, easy-to-navigate library that you can
+access from any device with a web browser.  
+It will automatically scan your game folders, download metadata and cover images, and present everything in a
+user-friendly interface.  
+Download your game files directly from the web UI, share your library with friends, and enjoy your games like never
+before.
 
 ### Documentation
 
@@ -47,7 +57,8 @@ Gameyfin v2 is written in Kotlin and uses the following libraries/frameworks:
 * H2 database for persistence
 
 ### Acknowledgements
- 
 
 [![YourKit Logo](https://www.yourkit.com/images/yklogo.png)](https://www.yourkit.com/)  
-Gameyfin is supported by [YourKit](https://www.yourkit.com/), the makers of [YourKit Java Profiler](https://yourkit.com/java/profiler/), a powerful tool for profiling Java and Kotlin applications.
+Gameyfin is supported by [YourKit](https://www.yourkit.com/), the makers
+of [YourKit Java Profiler](https://yourkit.com/java/profiler/), a powerful tool for profiling Java and Kotlin
+applications.
diff --git a/app/build.gradle.kts b/app/build.gradle.kts
index ab31d45..824a7d9 100644
--- a/app/build.gradle.kts
+++ b/app/build.gradle.kts
@@ -1,6 +1,7 @@
 import org.apache.tools.ant.filters.ReplaceTokens
 
 group = "org.gameyfin"
+version = rootProject.version
 val appMainClass = "org.gameyfin.app.GameyfinApplicationKt"
 
 plugins {
@@ -20,6 +21,10 @@ application {
     mainClass.set(appMainClass)
 }
 
+springBoot {
+    buildInfo()
+}
+
 allOpen {
     annotations("javax.persistence.Entity", "javax.persistence.MappedSuperclass", "javax.persistence.Embedabble")
 }
@@ -44,10 +49,7 @@ dependencies {
     implementation(kotlin("reflect"))
 
     // Reactive
-    implementation("org.springframework.boot:spring-boot-starter-webflux") {
-        exclude(group = "org.springframework.boot", module = "spring-boot-starter-reactor-netty")
-    }
-    implementation("org.springframework.boot:spring-boot-starter-jetty")
+    implementation("org.springframework.boot:spring-boot-starter-webflux")
     implementation("io.projectreactor.kotlin:reactor-kotlin-extensions")
     implementation("org.jetbrains.kotlinx:kotlinx-coroutines-reactor")
 
@@ -55,9 +57,7 @@ dependencies {
     implementation("com.vaadin:vaadin-core") {
         exclude("com.vaadin:flow-react")
     }
-    implementation("com.vaadin:vaadin-spring-boot-starter") {
-        exclude(group = "org.springframework.boot", module = "spring-boot-starter-tomcat")
-    }
+    implementation("com.vaadin:vaadin-spring-boot-starter")
     implementation("com.vaadin:hilla-spring-boot-starter")
 
     // Logging
@@ -81,6 +81,9 @@ dependencies {
     // Plugins
     implementation(project(":plugin-api"))
 
+    // Caching
+    implementation("com.github.ben-manes.caffeine:caffeine:${rootProject.extra["caffeineVersion"]}")
+
     // Utils
     implementation("org.apache.tika:tika-core:${rootProject.extra["tikaVersion"]}")
     implementation("me.xdrop:fuzzywuzzy:${rootProject.extra["fuzzywuzzyVersion"]}")
diff --git a/app/package-lock.json b/app/package-lock.json
index b01b630..10658fe 100644
--- a/app/package-lock.json
+++ b/app/package-lock.json
@@ -1,32 +1,32 @@
 {
   "name": "gameyfin",
-  "version": "2.3.3",
+  "version": "2.4.0-preview",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "gameyfin",
-      "version": "2.3.3",
+      "version": "2.4.0-preview",
       "dependencies": {
         "@heroui/react": "^2.8.7",
         "@phosphor-icons/react": "^2.1.10",
         "@react-stately/data": "^3.12.2",
         "@react-types/shared": "^3.28.0",
         "@tailwindcss/vite": "4.1.13",
-        "@vaadin/aura": "25.0.3",
+        "@vaadin/aura": "25.0.4",
         "@vaadin/common-frontend": "0.0.19",
-        "@vaadin/hilla-file-router": "25.0.4",
-        "@vaadin/hilla-frontend": "25.0.4",
-        "@vaadin/hilla-lit-form": "25.0.4",
-        "@vaadin/hilla-react-auth": "25.0.4",
-        "@vaadin/hilla-react-crud": "25.0.4",
-        "@vaadin/hilla-react-form": "25.0.4",
-        "@vaadin/hilla-react-i18n": "25.0.4",
-        "@vaadin/hilla-react-signals": "25.0.4",
-        "@vaadin/react-components": "25.0.3",
+        "@vaadin/hilla-file-router": "25.0.5",
+        "@vaadin/hilla-frontend": "25.0.5",
+        "@vaadin/hilla-lit-form": "25.0.5",
+        "@vaadin/hilla-react-auth": "25.0.5",
+        "@vaadin/hilla-react-crud": "25.0.5",
+        "@vaadin/hilla-react-form": "25.0.5",
+        "@vaadin/hilla-react-i18n": "25.0.5",
+        "@vaadin/hilla-react-signals": "25.0.5",
+        "@vaadin/react-components": "25.0.4",
         "@vaadin/vaadin-development-mode-detector": "2.0.7",
-        "@vaadin/vaadin-lumo-styles": "25.0.3",
-        "@vaadin/vaadin-themable-mixin": "25.0.3",
+        "@vaadin/vaadin-lumo-styles": "25.0.4",
+        "@vaadin/vaadin-themable-mixin": "25.0.4",
         "@vaadin/vaadin-usage-statistics": "2.1.3",
         "blurhash": "^2.0.5",
         "classnames": "^2.5.1",
@@ -42,11 +42,11 @@
         "postcss": "^8.5.6",
         "postcss-import": "^16.1.1",
         "rand-seed": "^2.1.7",
-        "react": "19.2.3",
+        "react": "19.2.4",
         "react-accessible-treeview": "^2.11.1",
         "react-aria-components": "^1.7.1",
         "react-confetti-boom": "^1.0.0",
-        "react-dom": "19.2.3",
+        "react-dom": "19.2.4",
         "react-markdown": "^10.1.0",
         "react-player": "^2.16.0",
         "react-realtime-chart": "^0.8.1",
@@ -63,21 +63,21 @@
         "@preact/signals-react-transform": "0.6.0",
         "@rollup/plugin-replace": "6.0.3",
         "@rollup/pluginutils": "5.3.0",
-        "@types/node": "25.0.3",
-        "@types/react": "19.2.7",
+        "@types/node": "25.0.10",
+        "@types/react": "19.2.9",
         "@types/react-dom": "19.2.3",
         "@types/react-window": "^1.8.8",
-        "@vaadin/hilla-generator-cli": "25.0.4",
-        "@vaadin/hilla-generator-core": "25.0.4",
-        "@vaadin/hilla-generator-plugin-backbone": "25.0.4",
-        "@vaadin/hilla-generator-plugin-barrel": "25.0.4",
-        "@vaadin/hilla-generator-plugin-client": "25.0.4",
-        "@vaadin/hilla-generator-plugin-model": "25.0.4",
-        "@vaadin/hilla-generator-plugin-push": "25.0.4",
-        "@vaadin/hilla-generator-plugin-signals": "25.0.4",
-        "@vaadin/hilla-generator-plugin-subtypes": "25.0.4",
-        "@vaadin/hilla-generator-plugin-transfertypes": "25.0.4",
-        "@vaadin/hilla-generator-utils": "25.0.4",
+        "@vaadin/hilla-generator-cli": "25.0.5",
+        "@vaadin/hilla-generator-core": "25.0.5",
+        "@vaadin/hilla-generator-plugin-backbone": "25.0.5",
+        "@vaadin/hilla-generator-plugin-barrel": "25.0.5",
+        "@vaadin/hilla-generator-plugin-client": "25.0.5",
+        "@vaadin/hilla-generator-plugin-model": "25.0.5",
+        "@vaadin/hilla-generator-plugin-push": "25.0.5",
+        "@vaadin/hilla-generator-plugin-signals": "25.0.5",
+        "@vaadin/hilla-generator-plugin-subtypes": "25.0.5",
+        "@vaadin/hilla-generator-plugin-transfertypes": "25.0.5",
+        "@vaadin/hilla-generator-utils": "25.0.5",
         "@vitejs/plugin-react": "5.1.2",
         "@vitejs/plugin-react-swc": "^3.7.0",
         "baseline-browser-mapping": "^2.9.19",
@@ -10964,9 +10964,9 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.0.3.tgz",
-      "integrity": "sha512-W609buLVRVmeW693xKfzHeIV6nJGGz98uCPfeXI1ELMLXVeKYZ9m15fAMSaUPBHYLGFsVRcMmSCksQOrZV9BYA==",
+      "version": "25.0.10",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.0.10.tgz",
+      "integrity": "sha512-zWW5KPngR/yvakJgGOmZ5vTBemDoSqF3AcV/LrO5u5wTWyEAVVh+IT39G4gtyAkh3CtTZs8aX/yRM82OfzHJRg==",
       "devOptional": true,
       "license": "MIT",
       "peer": true,
@@ -10975,9 +10975,9 @@
       }
     },
     "node_modules/@types/react": {
-      "version": "19.2.7",
-      "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.7.tgz",
-      "integrity": "sha512-MWtvHrGZLFttgeEj28VXHxpmwYbor/ATPYbBfSFZEIRK0ecCFLl2Qo55z52Hss+UV9CRN7trSeq1zbgx7YDWWg==",
+      "version": "19.2.9",
+      "resolved": "https://registry.npmjs.org/@types/react/-/react-19.2.9.tgz",
+      "integrity": "sha512-Lpo8kgb/igvMIPeNV2rsYKTgaORYdO1XGVZ4Qz3akwOj0ySGYMPlQWa8BaLn0G63D1aSaAQ5ldR06wCpChQCjA==",
       "license": "MIT",
       "peer": true,
       "dependencies": {
@@ -11036,12 +11036,154 @@
       "integrity": "sha512-g7f0IkJdPW2xhY7H4iE72DAsIyfuwEFc6JWc2tYFwKDMWWAF699vGjrM348cwQuOXgHpe1gWFe+Eiyjx/ewvvw==",
       "license": "ISC"
     },
+    "node_modules/@vaadin/a11y-base": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/a11y-base/-/a11y-base-25.0.4.tgz",
+      "integrity": "sha512-I3Qyw5JhdOzUs5rGcOcwMWj878VtRBB1feGGEzv8oNcftuzubehXu1FD6iHI/S+/ljjpNZ39FOQqR2JSi5P3pA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/component-base": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/accordion": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/accordion/-/accordion-25.0.4.tgz",
+      "integrity": "sha512-mB4iWgAYj8Fg57rYF1anROm6ES8VOKynRKczmvKrIgNmD2Mhc6zBaiZge72QBJsJN8b6vsK/dryD2lvyBUdVXg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/details": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/app-layout": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/app-layout/-/app-layout-25.0.4.tgz",
+      "integrity": "sha512-SB+VlCwP2Z1ffPMub0Pbasr/GZk2DTTf/Vfhf3ASt8XAT2bCJs6dj43/2FKPejKYiGlKZOYwDgNMpwXcw4t/yA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/button": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
     "node_modules/@vaadin/aura": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/aura/-/aura-25.0.3.tgz",
-      "integrity": "sha512-+YvapYD82RCjPfNBeBCQMpE1VD3I8ebognuJCysGjMncA38OfToVn92ONsYZfkUBSdNH7GZditk7vnkQhpeZkQ==",
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/aura/-/aura-25.0.4.tgz",
+      "integrity": "sha512-+UySnqJPyRfDed1QH96sfXcEzQTux81PLWPK6id6qL8xFqtOX+df0l9xBet+D+4WlT3yp52tIKCcIz1thyiRjQ==",
       "license": "Apache-2.0"
     },
+    "node_modules/@vaadin/avatar": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/avatar/-/avatar-25.0.4.tgz",
+      "integrity": "sha512-UpTNNHEMSrYs+VwM26ZJxEsd2Xjl9y2LDpe/vrw/PJTnSX7m9Jjflp4D3ytOQWdcIH4cKB5a7UhWsF7/9INQVQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/tooltip": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/avatar-group": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/avatar-group/-/avatar-group-25.0.4.tgz",
+      "integrity": "sha512-iHTjoVUXySpgt43JXl6CYiLNtnXfUS8X2oBjQ4y81mxNlRHHYxQqbjpWQ3htRG+/phKRybM9qP6zBdesg4PiRg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/avatar": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/item": "~25.0.4",
+        "@vaadin/list-box": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/tooltip": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/button": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/button/-/button-25.0.4.tgz",
+      "integrity": "sha512-v8crgoBXuY7FjVV30pY6jU7ISBqSarfly/eICDOvTrAQwGpZSRwOr6s8T2n/lf2Hk8pUKMNYnDXJjd0pFJh7gA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/card": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/card/-/card-25.0.4.tgz",
+      "integrity": "sha512-W9Dmis7081YSdQ1vgpbneUunSIhB0GkKcMEHB6qU3HHqwPERxBYM743RzrOmxb5SgeqWH6UBHkEnmBNbIjkMCA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/checkbox": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/checkbox/-/checkbox-25.0.4.tgz",
+      "integrity": "sha512-f6dRaJaOOok+O5g0RK7BoWdx75fYfE2R60FnAr8f8W1e+Fq/is5jtRjan8G6XvGZ+4M2xwsuab5muAZrpl3DOg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/checkbox-group": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/checkbox-group/-/checkbox-group-25.0.4.tgz",
+      "integrity": "sha512-9R6AIjjWt410Qb0m4NkhXhKUxY2bpN4x8Nmz7Q8eQyKYMu8gwOFwEC6BxV02cML3lz3VgXlltmTWCHIVhCHVdA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/checkbox": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/combo-box": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/combo-box/-/combo-box-25.0.4.tgz",
+      "integrity": "sha512-mSAXeh16DraxakSMFBOilVS1Nz1kryQtCZwYX2KJiul2SSCA16hKE02IzaAyZi2xOjqF4ERPK6+6nLxQb634zA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/input-container": "~25.0.4",
+        "@vaadin/item": "~25.0.4",
+        "@vaadin/lit-renderer": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
     "node_modules/@vaadin/common-frontend": {
       "version": "0.0.19",
       "resolved": "https://registry.npmjs.org/@vaadin/common-frontend/-/common-frontend-0.0.19.tgz",
@@ -11054,16 +11196,202 @@
         "lit": "^3.0.0"
       }
     },
-    "node_modules/@vaadin/hilla-file-router": {
+    "node_modules/@vaadin/component-base": {
       "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-file-router/-/hilla-file-router-25.0.4.tgz",
-      "integrity": "sha512-XTkBz0uCwH4qJNSUz2XmVcaEfZZu+1tU+S1RikeUgc1wpFTwIlmxyj1uF4EfJsALgkGmtKiyTLQZjVX2zeBIJg==",
+      "resolved": "https://registry.npmjs.org/@vaadin/component-base/-/component-base-25.0.4.tgz",
+      "integrity": "sha512-SQ7+3y/DdEzfWancMaOKpQ3O6lwXnVGbmLVMEiVfYrLU+LM+AaFm6EXKlUvUf16C4FPhaOdJjzcswmXOjCLQjA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/vaadin-development-mode-detector": "^2.0.0",
+        "@vaadin/vaadin-usage-statistics": "^2.1.0",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/confirm-dialog": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/confirm-dialog/-/confirm-dialog-25.0.4.tgz",
+      "integrity": "sha512-0d32Dcby4dbXC6zZUcMw2CYPOC/DWLjLuDS01lWlfhwDbSsRPOy82TNj5/WnEuGt8il5Onswt1Ih4iNcCufhQg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/button": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/dialog": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/context-menu": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/context-menu/-/context-menu-25.0.4.tgz",
+      "integrity": "sha512-BqH4D7OiiHbhvHGUqfvBdGzuyN9B9rQLHYYWwt7aR6bXC2Oer7FB66lxYsR0JvwkV/UwbTi1adHeUuaPjFTTCQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/item": "~25.0.4",
+        "@vaadin/list-box": "~25.0.4",
+        "@vaadin/lit-renderer": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/custom-field": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/custom-field/-/custom-field-25.0.4.tgz",
+      "integrity": "sha512-wFSYVeX9M884O+SfZ/NludNo49RnQHx8QfPknQ8d+QfaFWA/AEmJFkObekVFOUNgwfPZMckhVlXPoeSVbUeOCw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/date-picker": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/date-picker/-/date-picker-25.0.4.tgz",
+      "integrity": "sha512-6aewWzdRvFTcIEAThxK/FjlPob2PKyFD7MbOAiC4Q9QMvjmlprChsTYmtzlBVHsG+U/CPD4XBcjJPlHCC27UBg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/button": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/input-container": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/date-time-picker": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/date-time-picker/-/date-time-picker-25.0.4.tgz",
+      "integrity": "sha512-PE3Cb0IneMAcHu5qg8defI08qMbxJ1tX93bTdDiz0Cx+HNJfkEIxZKPQkHkbVjPvpsTogDmdCuWj+ziF4X5PTg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/custom-field": "~25.0.4",
+        "@vaadin/date-picker": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/time-picker": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/details": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/details/-/details-25.0.4.tgz",
+      "integrity": "sha512-K9lTGImhYiT4CIc+1gvpM9ZBcbR8ZZ50IsIo9oQnahtpSpL8b9eZF+qG/iiTRCRjQU2QcQy6xZdFI5saunmgGw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/button": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/dialog": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/dialog/-/dialog-25.0.4.tgz",
+      "integrity": "sha512-PJwvBD2Pj+YAbJyvwxvlEBtOHJuJTQhn1Sl92VapibDoUvuH8tAm/iqHss7UQh7rWiJ+MBfsUMSgmtQryZKVmQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/lit-renderer": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/email-field": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/email-field/-/email-field-25.0.4.tgz",
+      "integrity": "sha512-EHQyZCPVYnH3N6q3FtH584l0P8MJuh8xn7ML6WGDNMaQTQZXKzxXTW0lTCY471a0f53GVULPEArAqxwpVz+ASw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/text-field": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/field-base": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/field-base/-/field-base-25.0.4.tgz",
+      "integrity": "sha512-Uz0Yusz219uOxmYmznOvcr5JizAfCHKWYYN/hh8KgnvY2n4JUGrQ5kb9LIN1Z/aqxIQkCKECvNl4EsmlQ5Wi/w==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/field-highlighter": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/field-highlighter/-/field-highlighter-25.0.4.tgz",
+      "integrity": "sha512-76SpmbsbvrI7S++mZqYWL7nwE09VOy7p+wR5MSKmBVCVWndVKDOixVwjzGmlR6jWYe55O/hQ1HY6o7jL8eoLZQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/form-layout": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/form-layout/-/form-layout-25.0.4.tgz",
+      "integrity": "sha512-b1aITHusuExl3sd+MiOr54c0Em88Dz/aql+RUlcb8tyzXwn1EwTBpLNqzggf9cTgEvJFF8WN8mvj0NM42zNyIw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/grid": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/grid/-/grid-25.0.4.tgz",
+      "integrity": "sha512-FbG8c50fhJbB34dLvXg9cCcs9sYQK7ZHTVaZb6xCwY2sLoMtL76mVtKoeDwwpZEDcvB/uRXJc4xfPD47gLLb1g==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/checkbox": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/lit-renderer": "~25.0.4",
+        "@vaadin/text-field": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/hilla-file-router": {
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-file-router/-/hilla-file-router-25.0.5.tgz",
+      "integrity": "sha512-aU61HBP3uhYS8pGzO0Ds1I+6OHjUxbVvxgTLqDuYT2NgKs0N7UhLNOYhBUGxQljzuYDOY8d9a5jUyiKXaazt9A==",
       "license": "Apache-2.0",
       "dependencies": {
         "@ungap/with-resolvers": "0.1.0",
-        "@vaadin/hilla-generator-utils": "25.0.4",
-        "@vaadin/hilla-react-auth": "25.0.4",
-        "@vaadin/hilla-react-signals": "25.0.4",
+        "@vaadin/hilla-generator-utils": "25.0.5",
+        "@vaadin/hilla-react-auth": "25.0.5",
+        "@vaadin/hilla-react-signals": "25.0.5",
         "tsc-template": "0.2.3",
         "typescript": "5.9.3"
       },
@@ -11074,9 +11402,9 @@
       }
     },
     "node_modules/@vaadin/hilla-frontend": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-frontend/-/hilla-frontend-25.0.4.tgz",
-      "integrity": "sha512-/GCV/OLRessUZ+mtfQYrSLMkJF0XE5PcgDOYznsQ5C+3F53hBcK/GKr/wKmGnhUuzSZJUJyLrkwUPHanH8oYEg==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-frontend/-/hilla-frontend-25.0.5.tgz",
+      "integrity": "sha512-CIHeLGSFGyKJQPN0VtjUQSrPiTh+9BInONkCYA+5OOF3Pojs9NScLRrU+YBcoAylA7O760mTJ0sKxSvccRSXUg==",
       "license": "Apache-2.0",
       "dependencies": {
         "@vaadin/common-frontend": "0.0.19",
@@ -11088,14 +11416,14 @@
       }
     },
     "node_modules/@vaadin/hilla-generator-cli": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-cli/-/hilla-generator-cli-25.0.4.tgz",
-      "integrity": "sha512-ksrGGMeF2CG50GAsFatIUMFQ5cV+cFHa9IaKyAJg6baH2Fe154W4dlm4ykqhUKuTJQ0iAyuBaIeL8WjWV+4hqA==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-cli/-/hilla-generator-cli-25.0.5.tgz",
+      "integrity": "sha512-4nktK3ft0Ru1IWz5Drbr9NUZO6ZU6ilWzsCmIeRwHc3xWzI6DtoT9kazL1aWIOKEM6NulI7L4U6MVN6IRZ32BQ==",
       "dev": true,
       "license": "Apache 2.0",
       "dependencies": {
-        "@vaadin/hilla-generator-core": "25.0.4",
-        "@vaadin/hilla-generator-utils": "25.0.4"
+        "@vaadin/hilla-generator-core": "25.0.5",
+        "@vaadin/hilla-generator-utils": "25.0.5"
       },
       "bin": {
         "tsgen": "bin/index.js"
@@ -11105,14 +11433,14 @@
       }
     },
     "node_modules/@vaadin/hilla-generator-core": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-core/-/hilla-generator-core-25.0.4.tgz",
-      "integrity": "sha512-nsfvoNV0EPR5zDWJOdTctXmmOJsGacIAjAkJZEhpjLhdTKGVZL90YUo9YaD0wHO3CRr2HbG8JqquGQmcR/14ag==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-core/-/hilla-generator-core-25.0.5.tgz",
+      "integrity": "sha512-P2vgyTvun1sYe777f+ZvuCrWB0mtwEOhbq6gxrv6QO4IL6zlmqBeEE2TCNyMlp3fl1ViGYUq1NDRyyYLs6e0vA==",
       "dev": true,
       "license": "Apache 2.0",
       "dependencies": {
         "@apidevtools/swagger-parser": "10.1.1",
-        "@vaadin/hilla-generator-utils": "25.0.4",
+        "@vaadin/hilla-generator-utils": "25.0.5",
         "meow": "13.2.0",
         "openapi-types": "12.1.3",
         "typescript": "5.9.3"
@@ -11122,15 +11450,15 @@
       }
     },
     "node_modules/@vaadin/hilla-generator-plugin-backbone": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-backbone/-/hilla-generator-plugin-backbone-25.0.4.tgz",
-      "integrity": "sha512-u2BZ2QpXXqc94Dd93Vgc9gW9ZUt8oJZJuGo2AA/nbVUAChnIaaPtTRmHoTbeGUbanCBVmE6z2t6WKnDhla2rOA==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-backbone/-/hilla-generator-plugin-backbone-25.0.5.tgz",
+      "integrity": "sha512-MEJqwZ7xzPFNz5UnGI6qtv+6D0yWV8kdN9NtMUZrsAA6E8TLfbVFPsz7JdIqPgweeerIx6UNmb5XjJmQ0yJQbQ==",
       "dev": true,
       "license": "Apache 2.0",
       "dependencies": {
-        "@vaadin/hilla-generator-core": "25.0.4",
-        "@vaadin/hilla-generator-plugin-client": "25.0.4",
-        "@vaadin/hilla-generator-utils": "25.0.4",
+        "@vaadin/hilla-generator-core": "25.0.5",
+        "@vaadin/hilla-generator-plugin-client": "25.0.5",
+        "@vaadin/hilla-generator-utils": "25.0.5",
         "fast-deep-equal": "3.1.3",
         "openapi-types": "12.1.3",
         "typescript": "5.9.3"
@@ -11140,15 +11468,15 @@
       }
     },
     "node_modules/@vaadin/hilla-generator-plugin-barrel": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-barrel/-/hilla-generator-plugin-barrel-25.0.4.tgz",
-      "integrity": "sha512-jJEthR8pOIyKfnF/seWBb6ZaF+/ytBOkp2g+qDSybirhjsmn4yRetx9jKvwrVnpVRTprhqZ/2jxVHE09kqW5rw==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-barrel/-/hilla-generator-plugin-barrel-25.0.5.tgz",
+      "integrity": "sha512-8Te56mf8K/MFl/r80R0hFXKZkQ0KQFlVeR2Wd0G+pWNbsTRjgVUlHMPH4WUuKS73JulMOurzCajEv+ObTKkpEA==",
       "dev": true,
       "license": "Apache 2.0",
       "dependencies": {
-        "@vaadin/hilla-generator-core": "25.0.4",
-        "@vaadin/hilla-generator-plugin-backbone": "25.0.4",
-        "@vaadin/hilla-generator-utils": "25.0.4",
+        "@vaadin/hilla-generator-core": "25.0.5",
+        "@vaadin/hilla-generator-plugin-backbone": "25.0.5",
+        "@vaadin/hilla-generator-utils": "25.0.5",
         "typescript": "5.9.3"
       },
       "engines": {
@@ -11156,14 +11484,14 @@
       }
     },
     "node_modules/@vaadin/hilla-generator-plugin-client": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-client/-/hilla-generator-plugin-client-25.0.4.tgz",
-      "integrity": "sha512-kLHssF339KPE+FtOLOt9LqcvKzWDIfwL6Dkcb+sdy0hQ3rmamHsG89wUiFqAGt4WIRQmmKTjsDprL+hub9r7LA==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-client/-/hilla-generator-plugin-client-25.0.5.tgz",
+      "integrity": "sha512-IhgN7VcZFxmAs6OSRmM1qIaEgQH6KcHI2VNqKKy1pS9tznu7PeHzfB1BqhGDmmkDHSXfqFkP0xnmqc0n7vzXKA==",
       "dev": true,
       "license": "Apache 2.0",
       "dependencies": {
-        "@vaadin/hilla-generator-core": "25.0.4",
-        "@vaadin/hilla-generator-utils": "25.0.4",
+        "@vaadin/hilla-generator-core": "25.0.5",
+        "@vaadin/hilla-generator-utils": "25.0.5",
         "typescript": "5.9.3"
       },
       "engines": {
@@ -11171,16 +11499,16 @@
       }
     },
     "node_modules/@vaadin/hilla-generator-plugin-model": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-model/-/hilla-generator-plugin-model-25.0.4.tgz",
-      "integrity": "sha512-hsu1LkOu/8Ceuij2T2dfgtGCwjWfCzD/eHvymeh2mtMf3hyrknvvFHbZVOMQB1ucHXtlnq5rcSZ370iDxWwqSw==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-model/-/hilla-generator-plugin-model-25.0.5.tgz",
+      "integrity": "sha512-jMAQJdu4A8lY6SO41YYr1c/VQ4JDzaKiGeq8ebhLWTyPnydaIXDH5Li7duFw6S6f29Fa0oxyvuNFW39mFCWmcA==",
       "dev": true,
       "license": "Apache 2.0",
       "dependencies": {
-        "@vaadin/hilla-generator-core": "25.0.4",
-        "@vaadin/hilla-generator-plugin-backbone": "25.0.4",
-        "@vaadin/hilla-generator-utils": "25.0.4",
-        "@vaadin/hilla-lit-form": "25.0.4",
+        "@vaadin/hilla-generator-core": "25.0.5",
+        "@vaadin/hilla-generator-plugin-backbone": "25.0.5",
+        "@vaadin/hilla-generator-utils": "25.0.5",
+        "@vaadin/hilla-lit-form": "25.0.5",
         "fast-deep-equal": "3.1.3",
         "openapi-types": "12.1.3",
         "typescript": "5.9.3"
@@ -11190,15 +11518,15 @@
       }
     },
     "node_modules/@vaadin/hilla-generator-plugin-push": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-push/-/hilla-generator-plugin-push-25.0.4.tgz",
-      "integrity": "sha512-6ivbRjEGbhaq8t8dbn8EfOwHa8sC2YblPxO/hUz6PWAXJfxuT67VtGtk+g5OMWvrQ7HUId3nTFvKYJj/F7eOBw==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-push/-/hilla-generator-plugin-push-25.0.5.tgz",
+      "integrity": "sha512-HW7pCDiDPw90Uphy17mvnJ3tHxgsZkY9Eh8KIw9PRpd1/7GPCwNlF9v+YJ/gEj9Web6/Dd5prGonA11MCIEP4Q==",
       "dev": true,
       "license": "Apache 2.0",
       "dependencies": {
-        "@vaadin/hilla-generator-core": "25.0.4",
-        "@vaadin/hilla-generator-plugin-client": "25.0.4",
-        "@vaadin/hilla-generator-utils": "25.0.4",
+        "@vaadin/hilla-generator-core": "25.0.5",
+        "@vaadin/hilla-generator-plugin-client": "25.0.5",
+        "@vaadin/hilla-generator-utils": "25.0.5",
         "fast-deep-equal": "3.1.3",
         "openapi-types": "12.1.3",
         "typescript": "5.9.3"
@@ -11208,14 +11536,14 @@
       }
     },
     "node_modules/@vaadin/hilla-generator-plugin-signals": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-signals/-/hilla-generator-plugin-signals-25.0.4.tgz",
-      "integrity": "sha512-N5qJeO9Fer5ll+n4BguPZ6hPwCPiDHPBavxU6REUWNAOGX6J9pxpsR3zag/NuqFU1L4ybxPgDuPpxF1roDJJwg==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-signals/-/hilla-generator-plugin-signals-25.0.5.tgz",
+      "integrity": "sha512-wxEy5akB9U3/07URI8XpUMNLSi/GYIp+maoJOWrTVOoLCMfuQQtwjMHXuS9q+sn5R/5bOvZW85OjfsCkgScPCA==",
       "dev": true,
       "license": "Apache 2.0",
       "dependencies": {
-        "@vaadin/hilla-generator-core": "25.0.4",
-        "@vaadin/hilla-generator-utils": "25.0.4",
+        "@vaadin/hilla-generator-core": "25.0.5",
+        "@vaadin/hilla-generator-utils": "25.0.5",
         "fast-deep-equal": "3.1.3",
         "iterator-helpers-polyfill": "3.0.1",
         "openapi-types": "12.1.3",
@@ -11227,16 +11555,16 @@
       }
     },
     "node_modules/@vaadin/hilla-generator-plugin-subtypes": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-subtypes/-/hilla-generator-plugin-subtypes-25.0.4.tgz",
-      "integrity": "sha512-NeRjxBeosxarsxLmclDt1z2Fc2WhZLgdmDYDWhi8DJMNo1IzH9DnqEuAkGRij9CmbcYqD5g2CxZPBYswY5e1zQ==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-subtypes/-/hilla-generator-plugin-subtypes-25.0.5.tgz",
+      "integrity": "sha512-Qhd0VTHESt0Bo0QL3wlbwbVje24OA3BaYjhuYWz4Jy/G5XRuL2+ehFEMOdH1SJjRcO0ABfzhwAS7NzeF7vAYUA==",
       "dev": true,
       "license": "Apache 2.0",
       "dependencies": {
-        "@vaadin/hilla-generator-core": "25.0.4",
-        "@vaadin/hilla-generator-plugin-client": "25.0.4",
-        "@vaadin/hilla-generator-plugin-model": "25.0.4",
-        "@vaadin/hilla-generator-utils": "25.0.4",
+        "@vaadin/hilla-generator-core": "25.0.5",
+        "@vaadin/hilla-generator-plugin-client": "25.0.5",
+        "@vaadin/hilla-generator-plugin-model": "25.0.5",
+        "@vaadin/hilla-generator-utils": "25.0.5",
         "fast-deep-equal": "^3.1.3",
         "openapi-types": "^12.1.3",
         "typescript": "5.9.3"
@@ -11246,16 +11574,16 @@
       }
     },
     "node_modules/@vaadin/hilla-generator-plugin-transfertypes": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-transfertypes/-/hilla-generator-plugin-transfertypes-25.0.4.tgz",
-      "integrity": "sha512-eJ8EhmC/THSLNsl7FXzGWg0c6qKl9U9Bp9zLP1RI7BJX7s43sOFXH8TKSqnPShf6RReqIUV5UKoGLdvWO/xrIQ==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-plugin-transfertypes/-/hilla-generator-plugin-transfertypes-25.0.5.tgz",
+      "integrity": "sha512-NedyIUn1s7I+QnneTffPOjQoakwQnFHcj3YF8NEQzow82Ef/VEn9vqVfOR5+k/ffYcTeA5AXQ/g52lzK23CSzQ==",
       "dev": true,
       "license": "Apache 2.0",
       "dependencies": {
-        "@vaadin/hilla-generator-core": "25.0.4",
-        "@vaadin/hilla-generator-plugin-client": "25.0.4",
-        "@vaadin/hilla-generator-plugin-model": "25.0.4",
-        "@vaadin/hilla-generator-utils": "25.0.4",
+        "@vaadin/hilla-generator-core": "25.0.5",
+        "@vaadin/hilla-generator-plugin-client": "25.0.5",
+        "@vaadin/hilla-generator-plugin-model": "25.0.5",
+        "@vaadin/hilla-generator-utils": "25.0.5",
         "fast-deep-equal": "3.1.3",
         "openapi-types": "12.1.3",
         "typescript": "5.9.3"
@@ -11265,9 +11593,9 @@
       }
     },
     "node_modules/@vaadin/hilla-generator-utils": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-utils/-/hilla-generator-utils-25.0.4.tgz",
-      "integrity": "sha512-YHVv87fzHfSzBSBoFTt8RpeOPopvEtU+zPwE3SwvD40iHlWr5JaElyAUpGAXu7BksV0E/h58Q6HZV/oM2ms07w==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-generator-utils/-/hilla-generator-utils-25.0.5.tgz",
+      "integrity": "sha512-LzpfBndzcudS44JA+11jpELLcfcjgNxOtEFGS2KuvbBUICM0+VJ/pW0usVExbk0dhD48sb53FJ7IhxJIJsrmrg==",
       "license": "Apache 2.0",
       "dependencies": {
         "pino": "9.6.0",
@@ -11279,12 +11607,12 @@
       }
     },
     "node_modules/@vaadin/hilla-lit-form": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-lit-form/-/hilla-lit-form-25.0.4.tgz",
-      "integrity": "sha512-+1GapkJdHew/Y9aqb6GWUIca1mD/fTm291PV/j89X0UbLbAAnqJpD3lZBraBpjwDoLLN0+Ed5ShSigE7KNcbLQ==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-lit-form/-/hilla-lit-form-25.0.5.tgz",
+      "integrity": "sha512-oQ9UQmkLn6dpa/4MykCRGAQ8CCzDp8y1jFi4M+ip4Ke6JJLIIVgjX87cJL/p9+fqYswp4fdcpDz9EovBXLvV/w==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@vaadin/hilla-frontend": "25.0.4",
+        "@vaadin/hilla-frontend": "25.0.5",
         "validator": "13.15.22"
       },
       "peerDependencies": {
@@ -11292,12 +11620,12 @@
       }
     },
     "node_modules/@vaadin/hilla-react-auth": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-react-auth/-/hilla-react-auth-25.0.4.tgz",
-      "integrity": "sha512-14wYCS/Ne9oLEEf9j8pcsS7qFGwzLfxglM5ryvN5M3XUi21Nvy558CA1FgVCenjZLa4763Tc0Ay6Z58nwPG1PA==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-react-auth/-/hilla-react-auth-25.0.5.tgz",
+      "integrity": "sha512-96mxC0qbuTL1H411YLd8cAiz1i8qA+OwToqgw6TH8ZzQEWnus92cr5D2IlnNwWJXldPBVI7gn9WaaMNnd207Mw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@vaadin/hilla-frontend": "25.0.4"
+        "@vaadin/hilla-frontend": "25.0.5"
       },
       "peerDependencies": {
         "react": "18 || 19",
@@ -11306,16 +11634,16 @@
       }
     },
     "node_modules/@vaadin/hilla-react-crud": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-react-crud/-/hilla-react-crud-25.0.4.tgz",
-      "integrity": "sha512-V8H1kimuwikXYr9EqZEmzPLOHvQJCHznmPhMe1o4XAsx7fWO4QzX9RIu9zMWWHQpJeIkaz93rQfVy8Qsm7RNyg==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-react-crud/-/hilla-react-crud-25.0.5.tgz",
+      "integrity": "sha512-Q+vWVYhovutZ130B3XWNqa+lPTunELcY2l1AA45YSo+UaLbr6ie+2z318DK+pVwtNy+ERZnSTiP4YX5ZfYxnvA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@vaadin/hilla-frontend": "25.0.4",
-        "@vaadin/hilla-lit-form": "25.0.4",
-        "@vaadin/hilla-react-form": "25.0.4",
-        "@vaadin/react-components": "25.0.3",
-        "@vaadin/vaadin-lumo-styles": "25.0.3",
+        "@vaadin/hilla-frontend": "25.0.5",
+        "@vaadin/hilla-lit-form": "25.0.5",
+        "@vaadin/hilla-react-form": "25.0.5",
+        "@vaadin/react-components": "25.0.4",
+        "@vaadin/vaadin-lumo-styles": "25.0.4",
         "type-fest": "4.35.0"
       },
       "peerDependencies": {
@@ -11324,12 +11652,12 @@
       }
     },
     "node_modules/@vaadin/hilla-react-form": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-react-form/-/hilla-react-form-25.0.4.tgz",
-      "integrity": "sha512-OAQN8q8EWgUqcklzSrYOnmp7+3OHzCHZggmn3I5Ix869R9PtvZ/p41aUiXYxXj1ILbVnNzzIHUZUEOIyrHBzyw==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-react-form/-/hilla-react-form-25.0.5.tgz",
+      "integrity": "sha512-o0axojR41SV1hz+2u/5cRuhmKlIPxAU5nZ8QlI32S3VDXm+8hKnNMJ8K40dQBVYVjFF+/EKF73nHaFyYyr/t7Q==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@vaadin/hilla-lit-form": "25.0.4"
+        "@vaadin/hilla-lit-form": "25.0.5"
       },
       "peerDependencies": {
         "react": "18 || 19",
@@ -11337,13 +11665,13 @@
       }
     },
     "node_modules/@vaadin/hilla-react-i18n": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-react-i18n/-/hilla-react-i18n-25.0.4.tgz",
-      "integrity": "sha512-JI57/9IkluxKYSIBM0e1q/+H02ZUYWpMxsyGZSDZkPYHZstKEbwQboXB0NQPllBsFYPEcPEVKzq2Dl4u9sSOxQ==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-react-i18n/-/hilla-react-i18n-25.0.5.tgz",
+      "integrity": "sha512-Owc0GHJuRKAhZW8K0ZN8g0LtWTKZD3+nIBtidvTuvRqzzHrk4IC7kpp3NWnuGxFQFDSXwDZ2pdXw2rOpMTEwSw==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@vaadin/hilla-frontend": "25.0.4",
-        "@vaadin/hilla-react-signals": "25.0.4",
+        "@vaadin/hilla-frontend": "25.0.5",
+        "@vaadin/hilla-react-signals": "25.0.5",
         "intl-messageformat": "10.7.11"
       },
       "peerDependencies": {
@@ -11415,13 +11743,13 @@
       }
     },
     "node_modules/@vaadin/hilla-react-signals": {
-      "version": "25.0.4",
-      "resolved": "https://registry.npmjs.org/@vaadin/hilla-react-signals/-/hilla-react-signals-25.0.4.tgz",
-      "integrity": "sha512-mWIZgZgOMN269garnXGaNG3xqgLs6imeiE5rHpcau+p/yeUpkaE2LFcdUq1Se8cOszfAXcIchK4aG/OVrpIn8g==",
+      "version": "25.0.5",
+      "resolved": "https://registry.npmjs.org/@vaadin/hilla-react-signals/-/hilla-react-signals-25.0.5.tgz",
+      "integrity": "sha512-VKvzEdjaNTyD7M6HfbxuAm+JzKxxtdiduupUIuJGovmNGhqxD9FdO5y+MK/M/bPB6kEnW5qNlbjGBXbO5aW1rQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@preact/signals-react": "3.0.1",
-        "@vaadin/hilla-frontend": "25.0.4",
+        "@vaadin/hilla-frontend": "25.0.5",
         "nanoid": "5.0.9"
       },
       "peerDependencies": {
@@ -11446,73 +11774,369 @@
         "react": "^16.14.0 || 17.x || 18.x || 19.x"
       }
     },
+    "node_modules/@vaadin/horizontal-layout": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/horizontal-layout/-/horizontal-layout-25.0.4.tgz",
+      "integrity": "sha512-INsX8HMKCwqTPs/ikyt+xsdxgRoezxRJrGPVXvK0cuLtjW4RVpDwJhHXBSPEY89/oEgWBC+TQK7XteF5ElRr2Q==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/icon": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/icon/-/icon-25.0.4.tgz",
+      "integrity": "sha512-1RNMVpB9OOqxCx/FcrE2ds1NMzh5Qs3A2zWfaePffeaFUEvjFjIv+LovcjNbQWfKd4af04DKGStRaACzpgQL8A==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/icons": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/icons/-/icons-25.0.4.tgz",
+      "integrity": "sha512-RWCH9rMjJMIzpcVklhn0DZwHG+9TWnYoUD+/O6KXdBcpK3X5G/qghJYfh9XpJrv+7eyJYDkUfX91uRwcOtObjw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@vaadin/icon": "~25.0.4"
+      }
+    },
+    "node_modules/@vaadin/input-container": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/input-container/-/input-container-25.0.4.tgz",
+      "integrity": "sha512-yLV7Yr8hhWAUZYVkNgasr5b/v5UdBd0DKkYzgvbFo/Vz7Ew4au+st3ID/30xvLj4f84qoDB0wmtPw6PJZ10rEA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/integer-field": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/integer-field/-/integer-field-25.0.4.tgz",
+      "integrity": "sha512-O3ZPvA5YyfiOb6mixSjCZb7BqfUAs0vKyPDWR/1URTZJfplXwHC4WokYrBx/sGy1Ya7cJkUNCz0dK20zaGybYA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/number-field": "~25.0.4"
+      }
+    },
+    "node_modules/@vaadin/item": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/item/-/item-25.0.4.tgz",
+      "integrity": "sha512-UGrZ2RfnlqoI5LqLhwB/gpED4vULnoH1S/9LrQTMZl5NS6EKTyzghJ//LtgTCstP4H11jalAHDLzv9O1es5A7w==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/list-box": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/list-box/-/list-box-25.0.4.tgz",
+      "integrity": "sha512-BQ7iG40lOKqfPPwjxBGPMENYWYpyCbo1yB1CIoCGxEHx340c3q2TTf8NgldZ4dgu1/f8mDsKtz3qnoghXgU1EA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/item": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/lit-renderer": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/lit-renderer/-/lit-renderer-25.0.4.tgz",
+      "integrity": "sha512-Kpc69Uv/TNTX3izdu8F9rI+h16znKrRZntvIr4Cs9PeG6hWWlszf2NZmcLJZGLFK7/OYGM50bELYWPiP3hhvyw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/login": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/login/-/login-25.0.4.tgz",
+      "integrity": "sha512-mQdNhIeMGFwjsokaEgx5dFXGPv2IPhY72lCgJ8azrgcxJ90vzn5o4qjNM36+O+CD24GQHRHySOaiNKVgp9bllg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/button": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/password-field": "~25.0.4",
+        "@vaadin/text-field": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/markdown": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/markdown/-/markdown-25.0.4.tgz",
+      "integrity": "sha512-J4RiVOqiigRlhk4wMYF8bYDmtU/eOLQ/TAWPIn0KdmNPCKEKcXoEICTzzIu69LC2HtDeCQnP0d0utyNTFZI1Wg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "dompurify": "^3.2.5",
+        "lit": "^3.0.0",
+        "marked": "^16.0.0"
+      }
+    },
+    "node_modules/@vaadin/master-detail-layout": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/master-detail-layout/-/master-detail-layout-25.0.4.tgz",
+      "integrity": "sha512-0REKkTojK9Vw7B81YChDkBRUxo63If6lIy4JzltPLwZPnNsWXQw2O2f/QpWfutg+jxv1rNZ1vpl15rK2egMOTQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/menu-bar": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/menu-bar/-/menu-bar-25.0.4.tgz",
+      "integrity": "sha512-Yse/eX6eanlScZ0AJWfGxio47ufaOq5Tw10/XRmzXTVYsem7wW9v8dmIliTNP00jF5mYJwm96bWB79tliCmKNw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/button": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/context-menu": "~25.0.4",
+        "@vaadin/item": "~25.0.4",
+        "@vaadin/list-box": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/message-input": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/message-input/-/message-input-25.0.4.tgz",
+      "integrity": "sha512-qhQjxJmTwo09HtLU4eJE260Klq/Lr5SmvbcqrQPwGsOiI8KwDsJolljiXwCjUBgfaaVgbkYhF6Yt5IffFBNoKg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/button": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/text-area": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/message-list": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/message-list/-/message-list-25.0.4.tgz",
+      "integrity": "sha512-NQgO9hpf6fbBRcjoHDHhs615x7WpEa/K9ShyiXF6VbnH32ycEjy4GR2gRPfdY9V29fh5Mt1WXtQ0aStIovBBxQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/avatar": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/markdown": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/multi-select-combo-box": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/multi-select-combo-box/-/multi-select-combo-box-25.0.4.tgz",
+      "integrity": "sha512-NcEjV2Nbut+SgC83Ut3KEkXy0VaV0hilnTTU78pRD0162M3m9aEXBRVIjH12N/mUDfAqoiFDoopiOu7Vm3hwhA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/combo-box": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/input-container": "~25.0.4",
+        "@vaadin/item": "~25.0.4",
+        "@vaadin/lit-renderer": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/notification": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/notification/-/notification-25.0.4.tgz",
+      "integrity": "sha512-UJW3NnVGVV+Qs4HRm+30A4kMFSEqg9WyZvzxfjjs68c0p72af8ZOlhU2OywrUI4zhOLFU8c5WvAySxjy7EOOvg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/lit-renderer": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/number-field": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/number-field/-/number-field-25.0.4.tgz",
+      "integrity": "sha512-KSL9w1gk45wrLOTZyAnj2dBcKoyU9lA9wz6fYqnc2MP05H05l3fOvW0Luq6F5s/oWtIK4Rb0ymlAMH1ABN7stw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/input-container": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/overlay": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/overlay/-/overlay-25.0.4.tgz",
+      "integrity": "sha512-mcbZAkUO13xAI2Edmrcms1yMFOeTcoHuEJvFljIb5OYSMtsBTrfTSS6xi6517MXkatAt74dwk5KXJT/u5JvzZA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/password-field": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/password-field/-/password-field-25.0.4.tgz",
+      "integrity": "sha512-76dXdHXDGZD/9lCzdgzK8nw0Hkp0hEDQBgYvY9Q3p9fRkTqsj/x+C6SIr8Gv4L2dLJuD900VVNNjkbn2R0u7Gw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/button": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/text-field": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/popover": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/popover/-/popover-25.0.4.tgz",
+      "integrity": "sha512-HjefWWWeerjvPihDK6NH99jzL+9++GqZbMgV24YhsBKppJ8OvNvtjFwfjp9cSgQyp2G1pM+UsA5TrVMhUdE1KA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/lit-renderer": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/progress-bar": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/progress-bar/-/progress-bar-25.0.4.tgz",
+      "integrity": "sha512-pzA9hNrJJ09K0GcUHtbou3CbBvTplnMt220tPsmGgyqVKQX+nCVVFlqsC9rgFR2CNk1u79+r5sYEjRF03QL/+Q==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/radio-group": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/radio-group/-/radio-group-25.0.4.tgz",
+      "integrity": "sha512-HzMVVqDuAAtOvXrgAjeglr3m1LtvqSY+sHCwm0xVDKwwRg2i4DKWccrNOcLS4iH83PyHV8LEllaKHKyON9ymYw==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
     "node_modules/@vaadin/react-components": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/react-components/-/react-components-25.0.3.tgz",
-      "integrity": "sha512-7cA3/unDmyUFGvsvmGiLKVvEYQHGyQJoa9aL4pfYgkgK+A+7sw6AOcOEX8W+czOoR/d2XcFAy9qcq7kkWPMoSA==",
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/react-components/-/react-components-25.0.4.tgz",
+      "integrity": "sha512-yLzKxOvzQd8iWIFAuzBXTml1pU1fp/NrY0tDt8npFgMVLOvED1EUAuCeif3sxH7YIGSpzJXohPYC7UNhL45JEQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@lit/react": "^1.0.7",
-        "@vaadin/a11y-base": "25.0.3",
-        "@vaadin/accordion": "25.0.3",
-        "@vaadin/app-layout": "25.0.3",
-        "@vaadin/avatar": "25.0.3",
-        "@vaadin/avatar-group": "25.0.3",
-        "@vaadin/button": "25.0.3",
-        "@vaadin/card": "25.0.3",
-        "@vaadin/checkbox": "25.0.3",
-        "@vaadin/checkbox-group": "25.0.3",
-        "@vaadin/combo-box": "25.0.3",
-        "@vaadin/component-base": "25.0.3",
-        "@vaadin/confirm-dialog": "25.0.3",
-        "@vaadin/context-menu": "25.0.3",
-        "@vaadin/custom-field": "25.0.3",
-        "@vaadin/date-picker": "25.0.3",
-        "@vaadin/date-time-picker": "25.0.3",
-        "@vaadin/details": "25.0.3",
-        "@vaadin/dialog": "25.0.3",
-        "@vaadin/email-field": "25.0.3",
-        "@vaadin/field-base": "25.0.3",
-        "@vaadin/field-highlighter": "25.0.3",
-        "@vaadin/form-layout": "25.0.3",
-        "@vaadin/grid": "25.0.3",
-        "@vaadin/horizontal-layout": "25.0.3",
-        "@vaadin/icon": "25.0.3",
-        "@vaadin/icons": "25.0.3",
-        "@vaadin/input-container": "25.0.3",
-        "@vaadin/integer-field": "25.0.3",
-        "@vaadin/item": "25.0.3",
-        "@vaadin/list-box": "25.0.3",
-        "@vaadin/lit-renderer": "25.0.3",
-        "@vaadin/login": "25.0.3",
-        "@vaadin/markdown": "25.0.3",
-        "@vaadin/master-detail-layout": "25.0.3",
-        "@vaadin/menu-bar": "25.0.3",
-        "@vaadin/message-input": "25.0.3",
-        "@vaadin/message-list": "25.0.3",
-        "@vaadin/multi-select-combo-box": "25.0.3",
-        "@vaadin/notification": "25.0.3",
-        "@vaadin/number-field": "25.0.3",
-        "@vaadin/overlay": "25.0.3",
-        "@vaadin/password-field": "25.0.3",
-        "@vaadin/popover": "25.0.3",
-        "@vaadin/progress-bar": "25.0.3",
-        "@vaadin/radio-group": "25.0.3",
-        "@vaadin/scroller": "25.0.3",
-        "@vaadin/select": "25.0.3",
-        "@vaadin/side-nav": "25.0.3",
-        "@vaadin/split-layout": "25.0.3",
-        "@vaadin/tabs": "25.0.3",
-        "@vaadin/tabsheet": "25.0.3",
-        "@vaadin/text-area": "25.0.3",
-        "@vaadin/text-field": "25.0.3",
-        "@vaadin/time-picker": "25.0.3",
-        "@vaadin/tooltip": "25.0.3",
-        "@vaadin/upload": "25.0.3",
-        "@vaadin/vaadin-lumo-styles": "25.0.3",
-        "@vaadin/vaadin-themable-mixin": "25.0.3",
-        "@vaadin/vertical-layout": "25.0.3",
-        "@vaadin/virtual-list": "25.0.3"
+        "@vaadin/a11y-base": "25.0.4",
+        "@vaadin/accordion": "25.0.4",
+        "@vaadin/app-layout": "25.0.4",
+        "@vaadin/avatar": "25.0.4",
+        "@vaadin/avatar-group": "25.0.4",
+        "@vaadin/button": "25.0.4",
+        "@vaadin/card": "25.0.4",
+        "@vaadin/checkbox": "25.0.4",
+        "@vaadin/checkbox-group": "25.0.4",
+        "@vaadin/combo-box": "25.0.4",
+        "@vaadin/component-base": "25.0.4",
+        "@vaadin/confirm-dialog": "25.0.4",
+        "@vaadin/context-menu": "25.0.4",
+        "@vaadin/custom-field": "25.0.4",
+        "@vaadin/date-picker": "25.0.4",
+        "@vaadin/date-time-picker": "25.0.4",
+        "@vaadin/details": "25.0.4",
+        "@vaadin/dialog": "25.0.4",
+        "@vaadin/email-field": "25.0.4",
+        "@vaadin/field-base": "25.0.4",
+        "@vaadin/field-highlighter": "25.0.4",
+        "@vaadin/form-layout": "25.0.4",
+        "@vaadin/grid": "25.0.4",
+        "@vaadin/horizontal-layout": "25.0.4",
+        "@vaadin/icon": "25.0.4",
+        "@vaadin/icons": "25.0.4",
+        "@vaadin/input-container": "25.0.4",
+        "@vaadin/integer-field": "25.0.4",
+        "@vaadin/item": "25.0.4",
+        "@vaadin/list-box": "25.0.4",
+        "@vaadin/lit-renderer": "25.0.4",
+        "@vaadin/login": "25.0.4",
+        "@vaadin/markdown": "25.0.4",
+        "@vaadin/master-detail-layout": "25.0.4",
+        "@vaadin/menu-bar": "25.0.4",
+        "@vaadin/message-input": "25.0.4",
+        "@vaadin/message-list": "25.0.4",
+        "@vaadin/multi-select-combo-box": "25.0.4",
+        "@vaadin/notification": "25.0.4",
+        "@vaadin/number-field": "25.0.4",
+        "@vaadin/overlay": "25.0.4",
+        "@vaadin/password-field": "25.0.4",
+        "@vaadin/popover": "25.0.4",
+        "@vaadin/progress-bar": "25.0.4",
+        "@vaadin/radio-group": "25.0.4",
+        "@vaadin/scroller": "25.0.4",
+        "@vaadin/select": "25.0.4",
+        "@vaadin/side-nav": "25.0.4",
+        "@vaadin/split-layout": "25.0.4",
+        "@vaadin/tabs": "25.0.4",
+        "@vaadin/tabsheet": "25.0.4",
+        "@vaadin/text-area": "25.0.4",
+        "@vaadin/text-field": "25.0.4",
+        "@vaadin/time-picker": "25.0.4",
+        "@vaadin/tooltip": "25.0.4",
+        "@vaadin/upload": "25.0.4",
+        "@vaadin/vaadin-lumo-styles": "25.0.4",
+        "@vaadin/vaadin-themable-mixin": "25.0.4",
+        "@vaadin/vertical-layout": "25.0.4",
+        "@vaadin/virtual-list": "25.0.4"
       },
       "peerDependencies": {
         "@types/react": "^19.0.0",
@@ -11529,830 +12153,170 @@
         }
       }
     },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/a11y-base": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/a11y-base/-/a11y-base-25.0.3.tgz",
-      "integrity": "sha512-p/GQKPHSvaoG02kaQfUyzQkN2+zlskKPXo/5pFRO7zTYhCGcfFkDDBIq4fjr7kFd9RH1FqRKhB6X8Fw2QOLH5w==",
+    "node_modules/@vaadin/scroller": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/scroller/-/scroller-25.0.4.tgz",
+      "integrity": "sha512-8LeOgjPa7L68IK9mfEO0bhQ7yv8495/SJ9b+Bi0gjoKaqVoy6t4OrN8K3cDhPfX7sNLpLkZBUD5B+TOu+up2RA==",
       "license": "Apache-2.0",
       "dependencies": {
         "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/component-base": "~25.0.3",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
         "lit": "^3.0.0"
       }
     },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/accordion": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/accordion/-/accordion-25.0.3.tgz",
-      "integrity": "sha512-8DsWWkLVC3igYnfepb1yd9Z/xZYp5Lvr0s75bMQyK0zqqjIhwLVpTVfHzaaMcmidFRwfOmFIyumZaBAOBS6HVQ==",
+    "node_modules/@vaadin/select": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/select/-/select-25.0.4.tgz",
+      "integrity": "sha512-+rM18OR/iv++baXZw9yqnl+WzTJ10sM6VvB+g/HxGtsRhRF6WXpuZS7FKZMPLQy7U1X9089rQz+G6cbCtyxUFQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/details": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/button": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/input-container": "~25.0.4",
+        "@vaadin/item": "~25.0.4",
+        "@vaadin/list-box": "~25.0.4",
+        "@vaadin/lit-renderer": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
         "lit": "^3.0.0"
       }
     },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/app-layout": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/app-layout/-/app-layout-25.0.3.tgz",
-      "integrity": "sha512-3EgIsveq/gKpxr6hChJL6ZOY+wHB/UbcQkF6PjHg/LBFIPG3CIeOgRyHPJgnB0FCra6E8zOjo9j4sy/HyoXdCg==",
+    "node_modules/@vaadin/side-nav": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/side-nav/-/side-nav-25.0.4.tgz",
+      "integrity": "sha512-8++0khPM9cIqNn7fCIyp/3TD3liFQu/kveYd/s474KDl2ZXrWrFSIgjtGwWu5OxO+SbjRjFgc7VS+T2pJq881A==",
       "license": "Apache-2.0",
       "dependencies": {
         "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/button": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
         "lit": "^3.0.0"
       }
     },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/avatar": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/avatar/-/avatar-25.0.3.tgz",
-      "integrity": "sha512-LGKXpeGKnO1cQcYOXwak66mXPw9271MLQk0DN9SoRbRASKLAfsEvSan83dIYxozz+HFmgKkL0DTYvilLWvsd6g==",
+    "node_modules/@vaadin/split-layout": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/split-layout/-/split-layout-25.0.4.tgz",
+      "integrity": "sha512-kAH5Ep6pSOsVTKvP936QHgJAO6hRV4/mg+4Y5z4qaJ+1bz4ECSCL+EEz+iZP9MI8Dk9MhxCr8DhxHnyFVA5WVg==",
       "license": "Apache-2.0",
       "dependencies": {
         "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/tooltip": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
         "lit": "^3.0.0"
       }
     },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/avatar-group": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/avatar-group/-/avatar-group-25.0.3.tgz",
-      "integrity": "sha512-B9fFJSckCvn+SOfX7dYXw+NcXPAjNchMrrqU3h987OcyYPVsySt0kSdxS61SAn6KqHQk/NVzLAdKD+RiWvoDNQ==",
+    "node_modules/@vaadin/tabs": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/tabs/-/tabs-25.0.4.tgz",
+      "integrity": "sha512-AFhhhAbMUNA3NGfga/P3nas0BzkNe/jzwt34iT/b6mW3xcyoKJ2if615R3AxQC6pSp6ZowuA81kqUOiRrbBYoQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/avatar": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/item": "~25.0.3",
-        "@vaadin/list-box": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/tooltip": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/item": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
         "lit": "^3.0.0"
       }
     },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/button": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/button/-/button-25.0.3.tgz",
-      "integrity": "sha512-hupuX+6IfvBCGq10OLlNyfeoKLoJ+/y7yZHdCKmFI64dSHdR66uN++WREyys/x9q2Es1fjbmbZWCF4y5PYXnfA==",
+    "node_modules/@vaadin/tabsheet": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/tabsheet/-/tabsheet-25.0.4.tgz",
+      "integrity": "sha512-KgFuCkgrJwE11PqU9JzZgg+x6QNNGATvZalXimeyzhwp5cvQRPUKd6zD3jLGY2ED8f/F5WB4DCgcfF6wur5BAQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/scroller": "~25.0.4",
+        "@vaadin/tabs": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
         "lit": "^3.0.0"
       }
     },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/card": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/card/-/card-25.0.3.tgz",
-      "integrity": "sha512-shaCD9TaMZxtL3GMaE8wrpgJ1RGGthe/DpvyL1iyUmE+6YweGrEml1CBo1WalqfJalYHjnYwMav4TOiGicPDow==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/checkbox": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/checkbox/-/checkbox-25.0.3.tgz",
-      "integrity": "sha512-U4kgpckPAbufK1eLoVl3glh8m7NqaMLSlukVKfq6Mn3kvTrIf7i3LWbcqMZFuUrK+KphD91ZQMjF3z/qWMzQFw==",
+    "node_modules/@vaadin/text-area": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/text-area/-/text-area-25.0.4.tgz",
+      "integrity": "sha512-FJAzip5XRf3rjXU8ABoRQ8vdHHPrqUzUMKTJlHCPSzkX00+Vq9JPL6X9dXd6WMunFdaImufeq6UbnnY1ZodMvQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/input-container": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
         "lit": "^3.0.0"
       }
     },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/checkbox-group": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/checkbox-group/-/checkbox-group-25.0.3.tgz",
-      "integrity": "sha512-v58pFRcwiM3j0YO44Wc8jlD3LSyTDKoeM3km0LTT1wPn9OnPPigubSbgvy0IRsnKEA/pigyaQ5BPro71wtbKTA==",
+    "node_modules/@vaadin/text-field": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/text-field/-/text-field-25.0.4.tgz",
+      "integrity": "sha512-c8ZLg8AwbUTYONUjI7WPTNs7YMY7gg6ofVTIoZcQSFMQ+bHD1v0ThjWWEsLvuPN2OHQLCxJln5m2CVUUGVDh2A==",
       "license": "Apache-2.0",
       "dependencies": {
         "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/checkbox": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/input-container": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
         "lit": "^3.0.0"
       }
     },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/combo-box": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/combo-box/-/combo-box-25.0.3.tgz",
-      "integrity": "sha512-akcRfefGhc7jG46ySp677oJOaE3BeiaSCMNoaRiOAdu6uja+hytWvAcu3f63GB71RU87+W2nkQtPf5Sk7MAa8g==",
+    "node_modules/@vaadin/time-picker": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/time-picker/-/time-picker-25.0.4.tgz",
+      "integrity": "sha512-VBKI1QjX6hjtW8t0ryB85WUx+4r0oQOtgpioNNLkXQ6C8ULRk2nEJLBKbk32aiujoJ5nmourqn5EKD/3iYMewA==",
       "license": "Apache-2.0",
       "dependencies": {
         "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/input-container": "~25.0.3",
-        "@vaadin/item": "~25.0.3",
-        "@vaadin/lit-renderer": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
+        "@vaadin/combo-box": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/field-base": "~25.0.4",
+        "@vaadin/input-container": "~25.0.4",
+        "@vaadin/item": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
         "lit": "^3.0.0"
       }
     },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/component-base": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/component-base/-/component-base-25.0.3.tgz",
-      "integrity": "sha512-/q4bPX1dVtHqxNqFIMHDepLrrMkYO/0K1LNyXePVYZFE2gqyfC4WCLvTGNnKEeiCH9nfQSyZn81Zh03SvKrmJA==",
+    "node_modules/@vaadin/tooltip": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/tooltip/-/tooltip-25.0.4.tgz",
+      "integrity": "sha512-sVP7uFSfQ45to8BRnhYjf7NImaDRj9K2Da+Ah7abOVjBh9EZZQra5oPGRzwmBSR5MqrHrGM21WFkmwmTioWJKA==",
       "license": "Apache-2.0",
       "dependencies": {
         "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/vaadin-development-mode-detector": "^2.0.0",
-        "@vaadin/vaadin-usage-statistics": "^2.1.0",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/markdown": "~25.0.4",
+        "@vaadin/overlay": "~25.0.4",
+        "@vaadin/popover": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
         "lit": "^3.0.0"
       }
     },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/confirm-dialog": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/confirm-dialog/-/confirm-dialog-25.0.3.tgz",
-      "integrity": "sha512-9r2OKhW2mt9LcJuFBlR48J2aD5OlRsBKt+CdKdaz3AQ1iwRhR9CxZw/LQubHEQuBPZ7WUz/cYoZ2fwhaYwj/6Q==",
+    "node_modules/@vaadin/upload": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/upload/-/upload-25.0.4.tgz",
+      "integrity": "sha512-RpXO9wu9UwZqfpCY9gKzI6UGuiAGa6KA45be0/z1HKNmfdBj9tSGcGv+7lhd+7MyH1sUOrI/YFCy+I8JMohdDQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/button": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/dialog": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
+        "@vaadin/a11y-base": "~25.0.4",
+        "@vaadin/button": "~25.0.4",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/progress-bar": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
         "lit": "^3.0.0"
       }
     },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/context-menu": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/context-menu/-/context-menu-25.0.3.tgz",
-      "integrity": "sha512-wjRg2PqAcSvoyqL9IE57KGT2QL8xjZ0P11RPDymB+hUChlTbxiGBnG+7P60a7RNaQGsVzGOamdlV+++ElR0tSw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/item": "~25.0.3",
-        "@vaadin/list-box": "~25.0.3",
-        "@vaadin/lit-renderer": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/custom-field": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/custom-field/-/custom-field-25.0.3.tgz",
-      "integrity": "sha512-AEUPMmPiF1h/urTj9PKHqJMlzs/ZnoymxS7bm3bWti/ii1fSohfcgsziRh/od7eZe2HGoDyRx+149q44YYVE0g==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/date-picker": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/date-picker/-/date-picker-25.0.3.tgz",
-      "integrity": "sha512-HkUdjQh3gf0P+fX675Zketm/updDjvkUEYZqlOLpJreUP3BwltCLX4eX1ZGXzF26ZM42FpnlDyvwP9uOWmGj5g==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/button": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/input-container": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/date-time-picker": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/date-time-picker/-/date-time-picker-25.0.3.tgz",
-      "integrity": "sha512-TAS5jB/2xcPdmA1FZhk7O/nb95O1QF3H0YwMERhxRO/uRicqLsURlnfOCXUjg5oee2kpggMJuaFaJJjPWeEIdw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/custom-field": "~25.0.3",
-        "@vaadin/date-picker": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/time-picker": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/details": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/details/-/details-25.0.3.tgz",
-      "integrity": "sha512-3gG13dlXPsf3vGZam7HL5zTsYWcY2FU3QBAx20NNjj66uhP20BoFUXuBS3nnkmKISRofXxWR+tpupBDRJ8fzfw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/button": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/dialog": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/dialog/-/dialog-25.0.3.tgz",
-      "integrity": "sha512-yxL7dhLMOv/V3d6bFl4X+h56bP75ntQJc7+eD9tSBr9qGa2WntLDzeliL8GUk7LYwH9AIcyCbSJjChsVDGoxtg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/lit-renderer": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/email-field": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/email-field/-/email-field-25.0.3.tgz",
-      "integrity": "sha512-6l3QW7Trg4vRIZ+zK/II9C/NFLdtPyblnTBavkrP2eLJN2qz8X2jKNc/Mc2nwIY8rffRKknzBfG6QtuhIKfLNg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/text-field": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/field-base": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/field-base/-/field-base-25.0.3.tgz",
-      "integrity": "sha512-jzcsSAQNOHTKuvwru80p8EJWlPdnIb/vdgKGUfQUw5eCmyRUTyzYjpOABdJLSrXeNgXKLzb/gp1Svkx/zOUyTw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/field-highlighter": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/field-highlighter/-/field-highlighter-25.0.3.tgz",
-      "integrity": "sha512-Leqx6dHh/o4Jye3LLOn1KP96dwBN1MIWADszX9HX2DNifmZcteqogRtZUOW68tMlYpIpfWWvZjNdXFFrrYrLrw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/form-layout": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/form-layout/-/form-layout-25.0.3.tgz",
-      "integrity": "sha512-CA82pf96UHLJ8Pdr4iAjYot4DDoJXdnmRfJoEllT4dCeEljTddNLLVIDHVwW9RfCkNoV8QWmdFWE+YI4MQlDjQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/grid": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/grid/-/grid-25.0.3.tgz",
-      "integrity": "sha512-sI+ZHAz4vTuzedCDRt96H7HCXrkeyz7uEr8K+YcxPxK9WAAm0rPeInX+EXVx0sbyzi2/rJaxfrEcsHyy3lHxeA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/checkbox": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/lit-renderer": "~25.0.3",
-        "@vaadin/text-field": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/horizontal-layout": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/horizontal-layout/-/horizontal-layout-25.0.3.tgz",
-      "integrity": "sha512-i3j2P0hL34LOf4kWK40f7gFTTG5t5iC45+595xIlaZ6uRET3peRJbSZBAvbgmGioIPN5vtouUUyxo0UrhUXkFw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/icon": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/icon/-/icon-25.0.3.tgz",
-      "integrity": "sha512-BaLoZYUPAMCh9rSA46tb6FCLlRAkWgWj4wRF0tiaAXyQXZXgAU6oTumxRgZLFuJu091lJ17Sg8Fpnes0fuDSdg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/icons": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/icons/-/icons-25.0.3.tgz",
-      "integrity": "sha512-Nlla0Tuhe5kD1JbqgTbu2HoAcxGmCNV47jUS/uEK+xleXC3IkNC50oHR9o7uWB8FvzOhutkIkwTIIJ0rhWFd5A==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@vaadin/icon": "~25.0.3"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/input-container": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/input-container/-/input-container-25.0.3.tgz",
-      "integrity": "sha512-9JLqoZObZQDXFi3ZCdSnwYi/LAN5RwiSE707NtoILW9I9scVW3/s1VLcXHuD/+F96ILqz4P7Q1ebxGzFBj1QRA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/integer-field": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/integer-field/-/integer-field-25.0.3.tgz",
-      "integrity": "sha512-0yhd3hqudXbQS6wmyuja76ijrhU+iJnx5ncY14CkTvgjVzkSQY0Sa6zHMHScrjW/gj5I/pMRyKFS/iER4Mj/pQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/number-field": "~25.0.3"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/item": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/item/-/item-25.0.3.tgz",
-      "integrity": "sha512-Wqa4FLmCZQ+keo6MOpEH2HP8S8r+4oUGNRFzpmBE3JHKjajEupEBigMST9uzKrqx0L7Wrs9ffKl7WT9ka1WQkA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/list-box": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/list-box/-/list-box-25.0.3.tgz",
-      "integrity": "sha512-JSix38Yd6Wips4RmVOI4Ga9G6Hy9Eg+0XJ37F2QuqLQlBS0ToS4P2/PXrPsAq9/BYgDvadsSiUKB2vXEjGtLcg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/item": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/lit-renderer": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/lit-renderer/-/lit-renderer-25.0.3.tgz",
-      "integrity": "sha512-hWhQ/+b9AspNvZHTPsJYgCNH1/1fXwtDRvDEuyuu3pkSgS9S5bylq5yOTEsSW7bq2kJJ2tJnzBgsn97avJ7tNA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/login": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/login/-/login-25.0.3.tgz",
-      "integrity": "sha512-Pg+SWsg+7Bghz18VFmvpK+jeZIE4wUfP+dKnZ+1o/etZVH9J99qKF422d7mMeTmUTTof+TF0l8HKlW77k3Qqxw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/button": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/password-field": "~25.0.3",
-        "@vaadin/text-field": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/markdown": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/markdown/-/markdown-25.0.3.tgz",
-      "integrity": "sha512-YXIlVDGoboY4d/41vflQTJlrnRFlmEbTpvC9MgGuwoQdNTqO5Vw8v7k2X88SfdYcZ9mQaNJg8LUW3R+OfbFdYw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "dompurify": "^3.2.5",
-        "lit": "^3.0.0",
-        "marked": "^16.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/master-detail-layout": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/master-detail-layout/-/master-detail-layout-25.0.3.tgz",
-      "integrity": "sha512-49zQkWjvptpQgPVa7BqC6i8yReVjw6U9jqEajwWz5xWaxwyZKKFFRDf6jbqBs55NOKLZzmLTypp99R0Qm+KVEg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/menu-bar": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/menu-bar/-/menu-bar-25.0.3.tgz",
-      "integrity": "sha512-He4p4IGk9XF8TgOpAz8jsszfz0b/PmkUDh2WQnEALgDGlzn+CmclZ8QRs3KLMmDnFOeAZ+85TEgPFCjnfXBbeA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/button": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/context-menu": "~25.0.3",
-        "@vaadin/item": "~25.0.3",
-        "@vaadin/list-box": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/message-input": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/message-input/-/message-input-25.0.3.tgz",
-      "integrity": "sha512-C2CG2RbEVPaX9TNthDGyVGZLVX0/fVBLwz4Hodjzt55Q9UMbZvEvxE3o7dZU0iwbsvWxGLyqcDiGaVeps4cWzw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/button": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/text-area": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/message-list": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/message-list/-/message-list-25.0.3.tgz",
-      "integrity": "sha512-07gRb2HSZMNiwUnW8lyPCYPxmIKi18NGk8S0lstdH2wAzrZ4TXaRfbGTo9pKPKQVS1/G3rn5LCztFHuPwSScBQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/avatar": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/markdown": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/multi-select-combo-box": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/multi-select-combo-box/-/multi-select-combo-box-25.0.3.tgz",
-      "integrity": "sha512-2+Jw4+2k24oBT2CcGCvfHI2ZAIV0agfDluwK4tsOfIw3cTXP1yF/M+s7xbW6yP84aPkwIsEPp9R4zqgy6j2JYQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/combo-box": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/input-container": "~25.0.3",
-        "@vaadin/item": "~25.0.3",
-        "@vaadin/lit-renderer": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/notification": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/notification/-/notification-25.0.3.tgz",
-      "integrity": "sha512-hcRhd2gMARWu6NGIB2hSmBpnil83sobNsALTsnjPN+nUS7KCqcSTw7rHLJh1DaUAA/5ZdG7lB8ebKa4sXVEyCg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/lit-renderer": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/number-field": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/number-field/-/number-field-25.0.3.tgz",
-      "integrity": "sha512-hJgajOStyKORW/VSXJnrQjp8x9nmbjjFnDlEJuf5enKHix1nIG2Ory7BN7cdRiFLH51VZxPcQ3NMUi3C43YvRg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/input-container": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/overlay": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/overlay/-/overlay-25.0.3.tgz",
-      "integrity": "sha512-O0+MyQ5YHnz1QVzjnwzm3WCOMEEcXVaFJm1VnmIW+7o113fRtFglVOPrKpUPR8yOCiJ6wvLfLOzXf1SFjxNgmw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/password-field": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/password-field/-/password-field-25.0.3.tgz",
-      "integrity": "sha512-JPsyfmbp4EpkpN6VhrwaZMJVT2Z8GkPcnRe7tY6STXfcqTm7Ioc8BbtMsaIzo9zv8JCz8RB5zgUTN5iLp8hWYg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/button": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/text-field": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/popover": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/popover/-/popover-25.0.3.tgz",
-      "integrity": "sha512-SWrwb2A0481IPK/qffYUVBiLPILJgHM63tho9fAZuOt0SulCssyLBxXbnuUP7Ds0RCc25vLR62F8C/nu3BTrpg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/lit-renderer": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/progress-bar": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/progress-bar/-/progress-bar-25.0.3.tgz",
-      "integrity": "sha512-3P2MhwWaiLAsDC6ZHBGnF7lovsAQv/FV2wyUvXEirqW/bKsLEsLW6zo3WEsxoG2AMd+tJ2+CUkUmqI5zNRmuTw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/radio-group": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/radio-group/-/radio-group-25.0.3.tgz",
-      "integrity": "sha512-JB/Gr8IPPVDoOQNOj7yXmKbubRBW7NYDRipC5nvAIJr1bcZf2caRBHFWvmyH5Laib9oYtZ6nTsoIl2G3Y195Pw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/scroller": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/scroller/-/scroller-25.0.3.tgz",
-      "integrity": "sha512-fWXMZKgV+K8bwqespzeKXZUZ7oUPSWjEn7riq1nAYE/vEkO+fgWE2XsF7rQwJH/ZT6wP2bh7d6Q+AQx1WFL+gg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/select": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/select/-/select-25.0.3.tgz",
-      "integrity": "sha512-CJz+kYJXb2q0oxPwDN/G9PdLqUk2fdFUc8A144202u4jUkPwGTsKonZoYZrB1i33peLFpWSNGsq60e0gLPxapw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/button": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/input-container": "~25.0.3",
-        "@vaadin/item": "~25.0.3",
-        "@vaadin/list-box": "~25.0.3",
-        "@vaadin/lit-renderer": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/side-nav": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/side-nav/-/side-nav-25.0.3.tgz",
-      "integrity": "sha512-1Dx1x039tn3BxDpNYrt8nfnbq5Y99I7Ytybupa0XcsIAOl5ofnLsE0jCxdcv2tT2LS4RDBITPch4f5eLgQrfLw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/split-layout": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/split-layout/-/split-layout-25.0.3.tgz",
-      "integrity": "sha512-m/Ax9ydn3Aogk1h2f9FXrB+/vV7VCM/kIDDV5fa70koXJLMiA62MGIkwxwIuGYcXtTcPDlJ5x+YyCjlN6Sx4VQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/tabs": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/tabs/-/tabs-25.0.3.tgz",
-      "integrity": "sha512-ZazOrjPWkUtsYD64vzHRmbK2kxA1OYZUiLG7pDE4TDoObhtnaXz6fk89yfcKiXjDAcG5yL7aDvbKnGrNMCoOfg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/item": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/tabsheet": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/tabsheet/-/tabsheet-25.0.3.tgz",
-      "integrity": "sha512-SCRmQpa2ZoXIJXPcPSQpo/J//QUqIgMxwkKiJFCG308UVPgu/sq8AIY1LZiI4p+JFGj4br3cm8pdc6huTD3aAw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/scroller": "~25.0.3",
-        "@vaadin/tabs": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/text-area": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/text-area/-/text-area-25.0.3.tgz",
-      "integrity": "sha512-zecn1Gx6mQ3xbhmn8NIC2U/gh+4FdVM04r+YGdaC+KE2HZLziIpnIDUdkFaiVoB4KqPMl+ApTv3wOFNdWfuukw==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/input-container": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/text-field": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/text-field/-/text-field-25.0.3.tgz",
-      "integrity": "sha512-51AhGhXyN/RiGDgGQf509WQ89h1Lw2RpKiwQmIRwfoypGKga9gS3W69Wghyd9mBNlc2RvVGpK47qDyofM2ppjg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/input-container": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/time-picker": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/time-picker/-/time-picker-25.0.3.tgz",
-      "integrity": "sha512-BjHWIq4ZYT/WChxT/Bwd8QAiBY0+EjLo9hdrOg6o5l9hiKzTV7UDUpXpWHF3K7y+vWDSttDU7mxDcwnRlCSd9w==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/combo-box": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/field-base": "~25.0.3",
-        "@vaadin/input-container": "~25.0.3",
-        "@vaadin/item": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/tooltip": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/tooltip/-/tooltip-25.0.3.tgz",
-      "integrity": "sha512-ZsiojadHzj0uMFXFaSm84yLJginguC1A2KQh9OSN/EelWzL+6rBbQS4pG/VXzASu4adU5ANSZpLvg5+AJcm9/A==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/markdown": "~25.0.3",
-        "@vaadin/overlay": "~25.0.3",
-        "@vaadin/popover": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/upload": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/upload/-/upload-25.0.3.tgz",
-      "integrity": "sha512-mBkHSJxGhrfa0+svpPTsh7rEuJ4CpHNV43MhagKSGykTtqcPk6Z09ttKsH2Hb0IJMbwVuFchSu7W3R7URy3nLQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/a11y-base": "~25.0.3",
-        "@vaadin/button": "~25.0.3",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/progress-bar": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/vertical-layout": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/vertical-layout/-/vertical-layout-25.0.3.tgz",
-      "integrity": "sha512-aMjyjZX5gvj9Z/DTWIHaWmKkcbdv6bsbyBB9A4U974OmWkcr427T0otko8xjASj90pmgJvUOGhrUkiJ+UhocYQ==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/@vaadin/virtual-list": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/virtual-list/-/virtual-list-25.0.3.tgz",
-      "integrity": "sha512-1ZyFQelh1ZLdF1LtF3D/+HkSf7bD81KV1udyr2Q0VPIPExLs+MSlao43W678qvg46udhi5bvARS4TvqA+8CIFg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/lit-renderer": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/react-components/node_modules/marked": {
-      "version": "16.4.2",
-      "resolved": "https://registry.npmjs.org/marked/-/marked-16.4.2.tgz",
-      "integrity": "sha512-TI3V8YYWvkVf3KJe1dRkpnjs68JUPyEa5vjKrp1XEEJUAOaQc+Qj+L1qWbPd0SJuAdQkFU0h73sXXqwDYxsiDA==",
-      "license": "MIT",
-      "bin": {
-        "marked": "bin/marked.js"
-      },
-      "engines": {
-        "node": ">= 20"
-      }
-    },
     "node_modules/@vaadin/vaadin-development-mode-detector": {
       "version": "2.0.7",
       "resolved": "https://registry.npmjs.org/@vaadin/vaadin-development-mode-detector/-/vaadin-development-mode-detector-2.0.7.tgz",
@@ -12360,60 +12324,24 @@
       "license": "Apache-2.0"
     },
     "node_modules/@vaadin/vaadin-lumo-styles": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/vaadin-lumo-styles/-/vaadin-lumo-styles-25.0.3.tgz",
-      "integrity": "sha512-XOJHw1amOmDp0ZLy1klbgoCNz0oHwebr/bEbA51wTgNTZwa0oH3MbUUkdnBOvqxO0G/rrmg0sVrf2WmM8BEBKQ==",
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/vaadin-lumo-styles/-/vaadin-lumo-styles-25.0.4.tgz",
+      "integrity": "sha512-lQZMOdQJprmOUL5VRux+35ttaOgFlFPEgJiiNJI9EShgCJkulEEumgExfRcQDhPbxA3dugQxAZfXjXE/AQ+MFA==",
       "license": "Apache-2.0",
       "dependencies": {
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/icon": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3"
-      }
-    },
-    "node_modules/@vaadin/vaadin-lumo-styles/node_modules/@vaadin/component-base": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/component-base/-/component-base-25.0.3.tgz",
-      "integrity": "sha512-/q4bPX1dVtHqxNqFIMHDepLrrMkYO/0K1LNyXePVYZFE2gqyfC4WCLvTGNnKEeiCH9nfQSyZn81Zh03SvKrmJA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/vaadin-development-mode-detector": "^2.0.0",
-        "@vaadin/vaadin-usage-statistics": "^2.1.0",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/vaadin-lumo-styles/node_modules/@vaadin/icon": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/icon/-/icon-25.0.3.tgz",
-      "integrity": "sha512-BaLoZYUPAMCh9rSA46tb6FCLlRAkWgWj4wRF0tiaAXyQXZXgAU6oTumxRgZLFuJu091lJ17Sg8Fpnes0fuDSdg==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/component-base": "~25.0.3",
-        "@vaadin/vaadin-themable-mixin": "~25.0.3",
-        "lit": "^3.0.0"
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/icon": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4"
       }
     },
     "node_modules/@vaadin/vaadin-themable-mixin": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/vaadin-themable-mixin/-/vaadin-themable-mixin-25.0.3.tgz",
-      "integrity": "sha512-oLut3CB4MuMopjHtRvcSvtTYHpA5qHeK7HNz5FMeWSUqnxtI1/AuyfqPFrpkHi682DXPrlrNcqplCy5Vp54StA==",
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/vaadin-themable-mixin/-/vaadin-themable-mixin-25.0.4.tgz",
+      "integrity": "sha512-4RxJy2Kj59Kqak+0cJtiLcpGfXJVumhnEOiZVyZM02wzDkj5hXfvNj0zYVtV2izvq2fsb6n5BJYaCJASiN0jdg==",
       "license": "Apache-2.0",
       "dependencies": {
         "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/component-base": "~25.0.3",
-        "lit": "^3.0.0"
-      }
-    },
-    "node_modules/@vaadin/vaadin-themable-mixin/node_modules/@vaadin/component-base": {
-      "version": "25.0.3",
-      "resolved": "https://registry.npmjs.org/@vaadin/component-base/-/component-base-25.0.3.tgz",
-      "integrity": "sha512-/q4bPX1dVtHqxNqFIMHDepLrrMkYO/0K1LNyXePVYZFE2gqyfC4WCLvTGNnKEeiCH9nfQSyZn81Zh03SvKrmJA==",
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@open-wc/dedupe-mixin": "^1.3.0",
-        "@vaadin/vaadin-development-mode-detector": "^2.0.0",
-        "@vaadin/vaadin-usage-statistics": "^2.1.0",
+        "@vaadin/component-base": "~25.0.4",
         "lit": "^3.0.0"
       }
     },
@@ -12430,6 +12358,30 @@
         "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
       }
     },
+    "node_modules/@vaadin/vertical-layout": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/vertical-layout/-/vertical-layout-25.0.4.tgz",
+      "integrity": "sha512-r5KxHoyXq9g6yRGHHujfnro3/VP+VVh0S2lujsSMD90cJlg2iEl3vECEVqFuOl4fpxqmALkr2Z8W/dUu79iZcg==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
+    "node_modules/@vaadin/virtual-list": {
+      "version": "25.0.4",
+      "resolved": "https://registry.npmjs.org/@vaadin/virtual-list/-/virtual-list-25.0.4.tgz",
+      "integrity": "sha512-KFJIXCBt8Vs78yA87exgvDcYhIBK9mSEQVFkJ8oHj1pIPmTQ7zoJ7et59ycbCqizQ/c+fhYHe01Htct1ad4RMA==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@open-wc/dedupe-mixin": "^1.3.0",
+        "@vaadin/component-base": "~25.0.4",
+        "@vaadin/lit-renderer": "~25.0.4",
+        "@vaadin/vaadin-themable-mixin": "~25.0.4",
+        "lit": "^3.0.0"
+      }
+    },
     "node_modules/@vitejs/plugin-react": {
       "version": "5.1.2",
       "resolved": "https://registry.npmjs.org/@vitejs/plugin-react/-/plugin-react-5.1.2.tgz",
@@ -16035,6 +15987,18 @@
         "@jridgewell/sourcemap-codec": "^1.5.5"
       }
     },
+    "node_modules/marked": {
+      "version": "16.4.2",
+      "resolved": "https://registry.npmjs.org/marked/-/marked-16.4.2.tgz",
+      "integrity": "sha512-TI3V8YYWvkVf3KJe1dRkpnjs68JUPyEa5vjKrp1XEEJUAOaQc+Qj+L1qWbPd0SJuAdQkFU0h73sXXqwDYxsiDA==",
+      "license": "MIT",
+      "bin": {
+        "marked": "bin/marked.js"
+      },
+      "engines": {
+        "node": ">= 20"
+      }
+    },
     "node_modules/math-intrinsics": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
@@ -17399,9 +17363,9 @@
       }
     },
     "node_modules/react": {
-      "version": "19.2.3",
-      "resolved": "https://registry.npmjs.org/react/-/react-19.2.3.tgz",
-      "integrity": "sha512-Ku/hhYbVjOQnXDZFv2+RibmLFGwFdeeKHFcOTlrt7xplBnya5OGn/hIRDsqDiSUcfORsDC7MPxwork8jBwsIWA==",
+      "version": "19.2.4",
+      "resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz",
+      "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==",
       "license": "MIT",
       "peer": true,
       "engines": {
@@ -17529,16 +17493,16 @@
       }
     },
     "node_modules/react-dom": {
-      "version": "19.2.3",
-      "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.3.tgz",
-      "integrity": "sha512-yELu4WmLPw5Mr/lmeEpox5rw3RETacE++JgHqQzd2dg+YbJuat3jH4ingc+WPZhxaoFzdv9y33G+F7Nl5O0GBg==",
+      "version": "19.2.4",
+      "resolved": "https://registry.npmjs.org/react-dom/-/react-dom-19.2.4.tgz",
+      "integrity": "sha512-AXJdLo8kgMbimY95O2aKQqsz2iWi9jMgKJhRBAxECE4IFxfcazB2LmzloIoibJI3C12IlY20+KFaLv+71bUJeQ==",
       "license": "MIT",
       "peer": true,
       "dependencies": {
         "scheduler": "^0.27.0"
       },
       "peerDependencies": {
-        "react": "^19.2.3"
+        "react": "^19.2.4"
       }
     },
     "node_modules/react-fast-compare": {
@@ -18360,9 +18324,9 @@
       "license": "MIT"
     },
     "node_modules/sonic-boom": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/sonic-boom/-/sonic-boom-4.2.0.tgz",
-      "integrity": "sha512-INb7TM37/mAcsGmc9hyyI6+QR3rR1zVRu36B0NeGXKnOOLiZOfER5SA+N7X7k3yUYRzLWafduTDvJAfDswwEww==",
+      "version": "4.2.1",
+      "resolved": "https://registry.npmjs.org/sonic-boom/-/sonic-boom-4.2.1.tgz",
+      "integrity": "sha512-w6AxtubXa2wTXAUsZMMWERrsIRAdrK0Sc+FUytWvYAhBJLyuI4llrMIC1DtlNSdI99EI86KZum2MMq3EAZlF9Q==",
       "license": "MIT",
       "dependencies": {
         "atomic-sleep": "^1.0.0"
diff --git a/app/package.json b/app/package.json
index fc55707..e1b8799 100644
--- a/app/package.json
+++ b/app/package.json
@@ -1,6 +1,6 @@
 {
   "name": "gameyfin",
-  "version": "2.3.3",
+  "version": "2.4.0-preview",
   "type": "module",
   "dependencies": {
     "@heroui/react": "^2.8.7",
@@ -8,20 +8,20 @@
     "@react-stately/data": "^3.12.2",
     "@react-types/shared": "^3.28.0",
     "@tailwindcss/vite": "4.1.13",
-    "@vaadin/aura": "25.0.3",
+    "@vaadin/aura": "25.0.4",
     "@vaadin/common-frontend": "0.0.19",
-    "@vaadin/hilla-file-router": "25.0.4",
-    "@vaadin/hilla-frontend": "25.0.4",
-    "@vaadin/hilla-lit-form": "25.0.4",
-    "@vaadin/hilla-react-auth": "25.0.4",
-    "@vaadin/hilla-react-crud": "25.0.4",
-    "@vaadin/hilla-react-form": "25.0.4",
-    "@vaadin/hilla-react-i18n": "25.0.4",
-    "@vaadin/hilla-react-signals": "25.0.4",
-    "@vaadin/react-components": "25.0.3",
+    "@vaadin/hilla-file-router": "25.0.5",
+    "@vaadin/hilla-frontend": "25.0.5",
+    "@vaadin/hilla-lit-form": "25.0.5",
+    "@vaadin/hilla-react-auth": "25.0.5",
+    "@vaadin/hilla-react-crud": "25.0.5",
+    "@vaadin/hilla-react-form": "25.0.5",
+    "@vaadin/hilla-react-i18n": "25.0.5",
+    "@vaadin/hilla-react-signals": "25.0.5",
+    "@vaadin/react-components": "25.0.4",
     "@vaadin/vaadin-development-mode-detector": "2.0.7",
-    "@vaadin/vaadin-lumo-styles": "25.0.3",
-    "@vaadin/vaadin-themable-mixin": "25.0.3",
+    "@vaadin/vaadin-lumo-styles": "25.0.4",
+    "@vaadin/vaadin-themable-mixin": "25.0.4",
     "@vaadin/vaadin-usage-statistics": "2.1.3",
     "blurhash": "^2.0.5",
     "classnames": "^2.5.1",
@@ -37,11 +37,11 @@
     "postcss": "^8.5.6",
     "postcss-import": "^16.1.1",
     "rand-seed": "^2.1.7",
-    "react": "19.2.3",
+    "react": "19.2.4",
     "react-accessible-treeview": "^2.11.1",
     "react-aria-components": "^1.7.1",
     "react-confetti-boom": "^1.0.0",
-    "react-dom": "19.2.3",
+    "react-dom": "19.2.4",
     "react-markdown": "^10.1.0",
     "react-player": "^2.16.0",
     "react-realtime-chart": "^0.8.1",
@@ -58,21 +58,21 @@
     "@preact/signals-react-transform": "0.6.0",
     "@rollup/plugin-replace": "6.0.3",
     "@rollup/pluginutils": "5.3.0",
-    "@types/node": "25.0.3",
-    "@types/react": "19.2.7",
+    "@types/node": "25.0.10",
+    "@types/react": "19.2.9",
     "@types/react-dom": "19.2.3",
     "@types/react-window": "^1.8.8",
-    "@vaadin/hilla-generator-cli": "25.0.4",
-    "@vaadin/hilla-generator-core": "25.0.4",
-    "@vaadin/hilla-generator-plugin-backbone": "25.0.4",
-    "@vaadin/hilla-generator-plugin-barrel": "25.0.4",
-    "@vaadin/hilla-generator-plugin-client": "25.0.4",
-    "@vaadin/hilla-generator-plugin-model": "25.0.4",
-    "@vaadin/hilla-generator-plugin-push": "25.0.4",
-    "@vaadin/hilla-generator-plugin-signals": "25.0.4",
-    "@vaadin/hilla-generator-plugin-subtypes": "25.0.4",
-    "@vaadin/hilla-generator-plugin-transfertypes": "25.0.4",
-    "@vaadin/hilla-generator-utils": "25.0.4",
+    "@vaadin/hilla-generator-cli": "25.0.5",
+    "@vaadin/hilla-generator-core": "25.0.5",
+    "@vaadin/hilla-generator-plugin-backbone": "25.0.5",
+    "@vaadin/hilla-generator-plugin-barrel": "25.0.5",
+    "@vaadin/hilla-generator-plugin-client": "25.0.5",
+    "@vaadin/hilla-generator-plugin-model": "25.0.5",
+    "@vaadin/hilla-generator-plugin-push": "25.0.5",
+    "@vaadin/hilla-generator-plugin-signals": "25.0.5",
+    "@vaadin/hilla-generator-plugin-subtypes": "25.0.5",
+    "@vaadin/hilla-generator-plugin-transfertypes": "25.0.5",
+    "@vaadin/hilla-generator-utils": "25.0.5",
     "@vitejs/plugin-react": "5.1.2",
     "@vitejs/plugin-react-swc": "^3.7.0",
     "baseline-browser-mapping": "^2.9.19",
@@ -137,87 +137,87 @@
     "react-window": "$react-window",
     "blurhash": "$blurhash",
     "@vaadin/aura": "$@vaadin/aura",
-    "@vaadin/a11y-base": "25.0.3",
-    "@vaadin/accordion": "25.0.3",
-    "@vaadin/app-layout": "25.0.3",
-    "@vaadin/avatar": "25.0.3",
-    "@vaadin/avatar-group": "25.0.3",
-    "@vaadin/button": "25.0.3",
-    "@vaadin/card": "25.0.3",
-    "@vaadin/checkbox": "25.0.3",
-    "@vaadin/checkbox-group": "25.0.3",
-    "@vaadin/combo-box": "25.0.3",
-    "@vaadin/component-base": "25.0.3",
-    "@vaadin/confirm-dialog": "25.0.3",
-    "@vaadin/context-menu": "25.0.3",
-    "@vaadin/custom-field": "25.0.3",
-    "@vaadin/date-picker": "25.0.3",
-    "@vaadin/date-time-picker": "25.0.3",
-    "@vaadin/details": "25.0.3",
-    "@vaadin/dialog": "25.0.3",
-    "@vaadin/email-field": "25.0.3",
-    "@vaadin/field-base": "25.0.3",
-    "@vaadin/field-highlighter": "25.0.3",
-    "@vaadin/form-layout": "25.0.3",
-    "@vaadin/grid": "25.0.3",
-    "@vaadin/horizontal-layout": "25.0.3",
-    "@vaadin/icon": "25.0.3",
-    "@vaadin/icons": "25.0.3",
-    "@vaadin/input-container": "25.0.3",
-    "@vaadin/integer-field": "25.0.3",
-    "@vaadin/item": "25.0.3",
-    "@vaadin/list-box": "25.0.3",
-    "@vaadin/lit-renderer": "25.0.3",
-    "@vaadin/login": "25.0.3",
-    "@vaadin/markdown": "25.0.3",
-    "@vaadin/master-detail-layout": "25.0.3",
-    "@vaadin/menu-bar": "25.0.3",
-    "@vaadin/message-input": "25.0.3",
-    "@vaadin/message-list": "25.0.3",
-    "@vaadin/multi-select-combo-box": "25.0.3",
-    "@vaadin/notification": "25.0.3",
-    "@vaadin/number-field": "25.0.3",
-    "@vaadin/overlay": "25.0.3",
-    "@vaadin/password-field": "25.0.3",
-    "@vaadin/popover": "25.0.3",
-    "@vaadin/progress-bar": "25.0.3",
-    "@vaadin/radio-group": "25.0.3",
-    "@vaadin/scroller": "25.0.3",
-    "@vaadin/select": "25.0.3",
-    "@vaadin/side-nav": "25.0.3",
-    "@vaadin/split-layout": "25.0.3",
-    "@vaadin/tabs": "25.0.3",
-    "@vaadin/tabsheet": "25.0.3",
-    "@vaadin/text-area": "25.0.3",
-    "@vaadin/text-field": "25.0.3",
-    "@vaadin/time-picker": "25.0.3",
-    "@vaadin/tooltip": "25.0.3",
-    "@vaadin/upload": "25.0.3",
     "@vaadin/router": "2.0.1",
-    "@vaadin/vertical-layout": "25.0.3",
-    "@vaadin/virtual-list": "25.0.3"
+    "@vaadin/a11y-base": "25.0.4",
+    "@vaadin/accordion": "25.0.4",
+    "@vaadin/app-layout": "25.0.4",
+    "@vaadin/avatar": "25.0.4",
+    "@vaadin/avatar-group": "25.0.4",
+    "@vaadin/button": "25.0.4",
+    "@vaadin/card": "25.0.4",
+    "@vaadin/checkbox": "25.0.4",
+    "@vaadin/checkbox-group": "25.0.4",
+    "@vaadin/combo-box": "25.0.4",
+    "@vaadin/component-base": "25.0.4",
+    "@vaadin/confirm-dialog": "25.0.4",
+    "@vaadin/context-menu": "25.0.4",
+    "@vaadin/custom-field": "25.0.4",
+    "@vaadin/date-picker": "25.0.4",
+    "@vaadin/date-time-picker": "25.0.4",
+    "@vaadin/details": "25.0.4",
+    "@vaadin/dialog": "25.0.4",
+    "@vaadin/email-field": "25.0.4",
+    "@vaadin/field-base": "25.0.4",
+    "@vaadin/field-highlighter": "25.0.4",
+    "@vaadin/form-layout": "25.0.4",
+    "@vaadin/grid": "25.0.4",
+    "@vaadin/horizontal-layout": "25.0.4",
+    "@vaadin/icon": "25.0.4",
+    "@vaadin/icons": "25.0.4",
+    "@vaadin/input-container": "25.0.4",
+    "@vaadin/integer-field": "25.0.4",
+    "@vaadin/item": "25.0.4",
+    "@vaadin/list-box": "25.0.4",
+    "@vaadin/lit-renderer": "25.0.4",
+    "@vaadin/login": "25.0.4",
+    "@vaadin/markdown": "25.0.4",
+    "@vaadin/master-detail-layout": "25.0.4",
+    "@vaadin/menu-bar": "25.0.4",
+    "@vaadin/message-input": "25.0.4",
+    "@vaadin/message-list": "25.0.4",
+    "@vaadin/multi-select-combo-box": "25.0.4",
+    "@vaadin/notification": "25.0.4",
+    "@vaadin/number-field": "25.0.4",
+    "@vaadin/overlay": "25.0.4",
+    "@vaadin/password-field": "25.0.4",
+    "@vaadin/popover": "25.0.4",
+    "@vaadin/progress-bar": "25.0.4",
+    "@vaadin/radio-group": "25.0.4",
+    "@vaadin/scroller": "25.0.4",
+    "@vaadin/select": "25.0.4",
+    "@vaadin/side-nav": "25.0.4",
+    "@vaadin/split-layout": "25.0.4",
+    "@vaadin/tabs": "25.0.4",
+    "@vaadin/tabsheet": "25.0.4",
+    "@vaadin/text-area": "25.0.4",
+    "@vaadin/text-field": "25.0.4",
+    "@vaadin/time-picker": "25.0.4",
+    "@vaadin/tooltip": "25.0.4",
+    "@vaadin/upload": "25.0.4",
+    "@vaadin/vertical-layout": "25.0.4",
+    "@vaadin/virtual-list": "25.0.4"
   },
   "vaadin": {
     "dependencies": {
-      "@vaadin/aura": "25.0.3",
+      "@vaadin/aura": "25.0.4",
       "@vaadin/common-frontend": "0.0.19",
-      "@vaadin/hilla-file-router": "25.0.4",
-      "@vaadin/hilla-frontend": "25.0.4",
-      "@vaadin/hilla-lit-form": "25.0.4",
-      "@vaadin/hilla-react-auth": "25.0.4",
-      "@vaadin/hilla-react-crud": "25.0.4",
-      "@vaadin/hilla-react-form": "25.0.4",
-      "@vaadin/hilla-react-i18n": "25.0.4",
-      "@vaadin/hilla-react-signals": "25.0.4",
-      "@vaadin/react-components": "25.0.3",
+      "@vaadin/hilla-file-router": "25.0.5",
+      "@vaadin/hilla-frontend": "25.0.5",
+      "@vaadin/hilla-lit-form": "25.0.5",
+      "@vaadin/hilla-react-auth": "25.0.5",
+      "@vaadin/hilla-react-crud": "25.0.5",
+      "@vaadin/hilla-react-form": "25.0.5",
+      "@vaadin/hilla-react-i18n": "25.0.5",
+      "@vaadin/hilla-react-signals": "25.0.5",
+      "@vaadin/react-components": "25.0.4",
       "@vaadin/vaadin-development-mode-detector": "2.0.7",
-      "@vaadin/vaadin-lumo-styles": "25.0.3",
-      "@vaadin/vaadin-themable-mixin": "25.0.3",
+      "@vaadin/vaadin-lumo-styles": "25.0.4",
+      "@vaadin/vaadin-themable-mixin": "25.0.4",
       "@vaadin/vaadin-usage-statistics": "2.1.3",
       "date-fns": "4.1.0",
       "lit": "3.3.2",
-      "react": "19.2.3",
-      "react-dom": "19.2.3",
+      "react": "19.2.4",
+      "react-dom": "19.2.4",
       "react-router": "7.12.0"
     },
     "devDependencies": {
@@ -225,20 +225,20 @@
       "@preact/signals-react-transform": "0.6.0",
       "@rollup/plugin-replace": "6.0.3",
       "@rollup/pluginutils": "5.3.0",
-      "@types/node": "25.0.3",
-      "@types/react": "19.2.7",
+      "@types/node": "25.0.10",
+      "@types/react": "19.2.9",
       "@types/react-dom": "19.2.3",
-      "@vaadin/hilla-generator-cli": "25.0.4",
-      "@vaadin/hilla-generator-core": "25.0.4",
-      "@vaadin/hilla-generator-plugin-backbone": "25.0.4",
-      "@vaadin/hilla-generator-plugin-barrel": "25.0.4",
-      "@vaadin/hilla-generator-plugin-client": "25.0.4",
-      "@vaadin/hilla-generator-plugin-model": "25.0.4",
-      "@vaadin/hilla-generator-plugin-push": "25.0.4",
-      "@vaadin/hilla-generator-plugin-signals": "25.0.4",
-      "@vaadin/hilla-generator-plugin-subtypes": "25.0.4",
-      "@vaadin/hilla-generator-plugin-transfertypes": "25.0.4",
-      "@vaadin/hilla-generator-utils": "25.0.4",
+      "@vaadin/hilla-generator-cli": "25.0.5",
+      "@vaadin/hilla-generator-core": "25.0.5",
+      "@vaadin/hilla-generator-plugin-backbone": "25.0.5",
+      "@vaadin/hilla-generator-plugin-barrel": "25.0.5",
+      "@vaadin/hilla-generator-plugin-client": "25.0.5",
+      "@vaadin/hilla-generator-plugin-model": "25.0.5",
+      "@vaadin/hilla-generator-plugin-push": "25.0.5",
+      "@vaadin/hilla-generator-plugin-signals": "25.0.5",
+      "@vaadin/hilla-generator-plugin-subtypes": "25.0.5",
+      "@vaadin/hilla-generator-plugin-transfertypes": "25.0.5",
+      "@vaadin/hilla-generator-utils": "25.0.5",
       "@vitejs/plugin-react": "5.1.2",
       "magic-string": "0.30.21",
       "rollup-plugin-brotli": "3.1.0",
@@ -251,6 +251,6 @@
       "workbox-build": "7.4.0"
     },
     "disableUsageStatistics": true,
-    "hash": "d2c583f908a126db3f53ccbc87688b5089107afb58a87159631dc257a3a279ae"
+    "hash": "812856fcd393a00f84011d76741a6665711ccb1b42be83fab6d8f480425a45da"
   }
 }
\ No newline at end of file
diff --git a/app/src/main/bundles/prod.bundle b/app/src/main/bundles/prod.bundle
index fa09a70..02a7252 100644
Binary files a/app/src/main/bundles/prod.bundle and b/app/src/main/bundles/prod.bundle differ
diff --git a/app/src/main/frontend/App.tsx b/app/src/main/frontend/App.tsx
index 9248d2d..d277170 100644
--- a/app/src/main/frontend/App.tsx
+++ b/app/src/main/frontend/App.tsx
@@ -14,7 +14,7 @@ import {ToastProvider} from "@heroui/toast";
 import {initializePluginState} from "Frontend/state/PluginState";
 import {isAdmin} from "Frontend/util/utils";
 import {useRouteMetadata} from "Frontend/util/routing";
-import {useEffect} from "react";
+import {useCallback, useEffect} from "react";
 import {initializeGameRequestState} from "Frontend/state/GameRequestState";
 import {initializePlatformState} from "Frontend/state/PlatformState";
 import {initializeDownloadSessionState} from "Frontend/state/DownloadSessionState";
@@ -25,6 +25,12 @@ export default function App() {
     client.middlewares = [ErrorHandlingMiddleware];
 
     const navigate = useNavigate();
+    const reactRouterUseHref = useHref;
+    // Fixes an issue where external links would be treated as internal links
+    const safeUseHref = useCallback(
+        (href: string) => /^https?:\/\//i.test(href) ? href : reactRouterUseHref(href),
+        [reactRouterUseHref]
+    );
     const routeMetadata = useRouteMetadata();
 
     useEffect(() => {
@@ -32,7 +38,7 @@ export default function App() {
     }, [routeMetadata, window.location.href]);
 
     return (
-        <HeroUIProvider className="size-full" navigate={navigate} useHref={useHref}>
+        <HeroUIProvider className="size-full" navigate={navigate} useHref={safeUseHref}>
             <NextThemesProvider attribute="class" themes={themeNames()} defaultTheme="gameyfin-violet-dark">
                 <AuthProvider>
                     <ViewWithAuth/>
diff --git a/app/src/main/frontend/components/administration/ConfigFormField.tsx b/app/src/main/frontend/components/administration/ConfigFormField.tsx
index d9c7623..52f8ca4 100644
--- a/app/src/main/frontend/components/administration/ConfigFormField.tsx
+++ b/app/src/main/frontend/components/administration/ConfigFormField.tsx
@@ -7,48 +7,68 @@ import ArrayInput from "Frontend/components/general/input/ArrayInput";
 import NumberInput from "Frontend/components/general/input/NumberInput";
 import SliderInput from "Frontend/components/general/input/SliderInput";
 
-export default function ConfigFormField({configElement, ...props}: any) {
+interface ConfigFormFieldProps {
+    configElement?: ConfigEntryDto;
+    className?: string;
+    isDisabled?: boolean;
+    type?: string;
+}
+
+type CommonInputProps = Pick<ConfigFormFieldProps, "className" | "isDisabled">;
+
+export default function ConfigFormField({configElement, type: inputType, className, isDisabled}: ConfigFormFieldProps) {
     function inputElement(configElement: ConfigEntryDto) {
+        const commonProps: CommonInputProps = {className, isDisabled};
+        const description = configElement.description;
+        const defaultValue = configElement.defaultValue;
 
         if (configElement.allowedValues != null && configElement.allowedValues.length > 0) {
             return (
-                <SelectInput label={configElement.description} name={configElement.key}
-                             values={configElement.allowedValues} {...props}/>
+                <SelectInput label={configElement.name} name={configElement.key}
+                             description={description} resetValue={defaultValue}
+                             values={configElement.allowedValues} {...commonProps}/>
             );
         }
 
         switch (configElement.type.toLowerCase()) {
             case "boolean":
                 return (
-                    <CheckboxInput label={configElement.description} name={configElement.key} {...props}/>
+                    <CheckboxInput label={configElement.name} name={configElement.key}
+                                   description={description} resetValue={defaultValue} {...commonProps}/>
                 );
             case "string":
                 return (
-                    <Input label={configElement.description} name={configElement.key}
-                           type={props.type && "text"} {...props}/>
+                    <Input label={configElement.name} name={configElement.key}
+                           description={description} resetValue={defaultValue}
+                           type={inputType ?? "text"} {...commonProps}/>
                 );
             case "float":
                 return (
-                    <NumberInput label={configElement.description} name={configElement.key}
-                                 step={0.1} {...props}/>
+                    <NumberInput label={configElement.name} name={configElement.key}
+                                 description={description} resetValue={defaultValue}
+                                 step={0.1} {...commonProps}/>
                 );
             case "int":
                 if (configElement.min != null && configElement.max != null) {
                     return (
-                        <SliderInput label={configElement.description} name={configElement.key}
-                                     min={configElement.min}
-                                     max={configElement.max}
-                                     step={configElement.step ?? 1}
-                                     {...props}/>
+                        <SliderInput label={configElement.name} name={configElement.key}
+                                     description={description} resetValue={defaultValue}
+                                     minValue={configElement.min as number}
+                                     maxValue={configElement.max as number}
+                                     step={(configElement.step as number) ?? 1}
+                                     {...commonProps}/>
                     );
                 }
                 return (
-                    <NumberInput label={configElement.description} name={configElement.key}
-                                 step={1} {...props}/>
+                    <NumberInput label={configElement.name} name={configElement.key}
+                                 description={description} resetValue={defaultValue}
+                                 step={1} {...commonProps}/>
                 );
             case "array":
                 return (
-                    <ArrayInput label={configElement.description} name={configElement.key} type="text" {...props}/>
+                    <ArrayInput label={configElement.name} name={configElement.key}
+                                description={description} resetValue={defaultValue}
+                                type="text" {...commonProps}/>
                 );
             default:
                 return <pre>Unsupported type: {configElement.type} for key {configElement.key}</pre>;
@@ -56,4 +76,4 @@ export default function ConfigFormField({configElement, ...props}: any) {
     }
 
     return inputElement(configElement!);
-}
\ No newline at end of file
+}
diff --git a/app/src/main/frontend/components/administration/GameManagement.tsx b/app/src/main/frontend/components/administration/GameManagement.tsx
index ac94a8b..04abffa 100644
--- a/app/src/main/frontend/components/administration/GameManagement.tsx
+++ b/app/src/main/frontend/components/administration/GameManagement.tsx
@@ -1,11 +1,13 @@
 import React from "react";
+import {LibraryEndpoint} from "Frontend/generated/endpoints";
+import ScanType from "Frontend/generated/org/gameyfin/app/libraries/enums/ScanType";
 import ConfigFormField from "Frontend/components/administration/ConfigFormField";
 import withConfigPage from "Frontend/components/administration/withConfigPage";
 import Section from "Frontend/components/general/Section";
 import * as Yup from 'yup';
 import "Frontend/util/yup-extensions";
 import {Button, Divider, Tooltip, useDisclosure} from "@heroui/react";
-import {ListNumbersIcon, PlusIcon} from "@phosphor-icons/react";
+import {ListNumbersIcon, MagnifyingGlassIcon, MagnifyingGlassPlusIcon, PlusIcon} from "@phosphor-icons/react";
 import {LibraryOverviewCard} from "Frontend/components/general/cards/LibraryOverviewCard";
 import LibraryCreationModal from "Frontend/components/general/modals/LibraryCreationModal";
 import {useSnapshot} from "valtio/react";
@@ -15,6 +17,7 @@ import {collectionState} from "Frontend/state/CollectionState";
 import {CollectionOverviewCard} from "Frontend/components/general/cards/CollectionOverviewCard";
 import CollectionCreationModal from "Frontend/components/general/modals/CollectionCreationModal";
 import CollectionPrioritiesModal from "Frontend/components/general/modals/CollectionPrioritiesModal";
+import {pluginState} from "Frontend/state/PluginState";
 
 function GameManagementLayout({getConfig, formik}: any) {
     const libraries = useSnapshot(libraryState);
@@ -25,11 +28,31 @@ function GameManagementLayout({getConfig, formik}: any) {
     const collectionCreationModal = useDisclosure();
     const collectionOrderModal = useDisclosure();
 
+    const hasActiveMetadataPlugins = useSnapshot(pluginState).hasActiveMetadataPlugins;
+
+    async function triggerScan(scanType: ScanType) {
+        await LibraryEndpoint.triggerScan(scanType, undefined);
+    }
+
     return (
         <div className="flex flex-col">
             <div className="flex flex-row items-baseline justify-between">
                 <h2 className="text-xl font-bold mt-8 mb-1">Libraries</h2>
                 <div className="flex flex-row gap-2">
+                    <Tooltip content="Scan all libraries (quick)">
+                        <Button isIconOnly variant="flat"
+                                isDisabled={!hasActiveMetadataPlugins}
+                                onPress={() => triggerScan(ScanType.QUICK)}>
+                            <MagnifyingGlassIcon/>
+                        </Button>
+                    </Tooltip>
+                    <Tooltip content="Scan all libraries (full)">
+                        <Button isIconOnly variant="flat"
+                                isDisabled={!hasActiveMetadataPlugins}
+                                onPress={() => triggerScan(ScanType.FULL)}>
+                            <MagnifyingGlassPlusIcon/>
+                        </Button>
+                    </Tooltip>
                     <Tooltip content="Change library order">
                         <Button isIconOnly variant="flat" onPress={libraryOrderModal.onOpen}>
                             <ListNumbersIcon/>
@@ -92,6 +115,7 @@ function GameManagementLayout({getConfig, formik}: any) {
                 </div>
                 <ConfigFormField configElement={getConfig("library.scan.title-match-min-ratio")}/>
                 <ConfigFormField configElement={getConfig("library.scan.game-file-extensions")}/>
+                <ConfigFormField configElement={getConfig("library.scan.max-concurrency")}/>
             </div>
 
             <Section title="Metadata"/>
diff --git a/app/src/main/frontend/components/administration/InfoPopup.tsx b/app/src/main/frontend/components/administration/InfoPopup.tsx
new file mode 100644
index 0000000..741273a
--- /dev/null
+++ b/app/src/main/frontend/components/administration/InfoPopup.tsx
@@ -0,0 +1,33 @@
+import {Link, Tooltip} from "@heroui/react";
+import {InfoIcon} from "@phosphor-icons/react";
+import Markdown from "react-markdown";
+import remarkBreaks from "remark-breaks";
+import React from "react";
+
+interface InfoPopupProps {
+    content: string;
+}
+
+export default function InfoPopup({content}: InfoPopupProps) {
+    return (
+        <Tooltip placement="right" content={
+            <Markdown
+                remarkPlugins={[remarkBreaks]}
+                components={{
+                    a(props) {
+                        return <Link isExternal
+                                     showAnchorIcon
+                                     color="foreground"
+                                     underline="always"
+                                     href={props.href}
+                                     size="sm">
+                            {props.children}
+                        </Link>
+                    }
+                }}
+            >{content}</Markdown>
+        }>
+            <InfoIcon size={16} weight="fill" className="ml-1 z-50"/>
+        </Tooltip>
+    )
+}
\ No newline at end of file
diff --git a/app/src/main/frontend/components/administration/ProfileManagement.tsx b/app/src/main/frontend/components/administration/ProfileManagement.tsx
index fa240a6..ab54fdc 100644
--- a/app/src/main/frontend/components/administration/ProfileManagement.tsx
+++ b/app/src/main/frontend/components/administration/ProfileManagement.tsx
@@ -1,8 +1,8 @@
 import Section from "Frontend/components/general/Section";
 import Input from "Frontend/components/general/input/Input";
 import {addToast, Button, Input as NextUiInput, Tooltip} from "@heroui/react";
-import {Form, Formik} from "formik";
-import { ArrowCounterClockwiseIcon, CheckIcon, InfoIcon, TrashIcon } from "@phosphor-icons/react";
+import {Form, Formik, FormikProps} from "formik";
+import {ArrowCounterClockwiseIcon, CheckIcon, InfoIcon, TrashIcon} from "@phosphor-icons/react";
 import React, {useEffect, useState} from "react";
 import {useAuth} from "Frontend/util/auth";
 import * as Yup from "yup";
@@ -12,9 +12,16 @@ import {SmallInfoField} from "Frontend/components/general/SmallInfoField";
 import {removeAvatar, uploadAvatar} from "Frontend/endpoints/AvatarEndpoint";
 import Avatar from "Frontend/components/general/Avatar";
 
+interface ProfileFormValues {
+    username: string | undefined;
+    email: string | undefined;
+    newPassword: string;
+    passwordRepeat: string;
+}
+
 export default function ProfileManagement() {
     const auth = useAuth();
-    const [avatar, setAvatar] = useState<any>();
+    const [avatar, setAvatar] = useState<File>();
     const [configSaved, setConfigSaved] = useState(false);
     const [messagesEnabled, setMessagesEnabled] = useState(false);
 
@@ -29,11 +36,11 @@ export default function ProfileManagement() {
     }, [configSaved])
 
 
-    function onFileSelected(event: any) {
-        setAvatar(event.target.files[0]);
+    function onFileSelected(event: React.ChangeEvent<HTMLInputElement>) {
+        setAvatar(event.target.files?.[0]);
     }
 
-    async function handleSubmit(values: any) {
+    async function handleSubmit(values: ProfileFormValues) {
         const userUpdate: UserUpdateDto = {
             username: values.username,
             email: values.email
@@ -80,7 +87,7 @@ export default function ProfileManagement() {
                         .equals([Yup.ref('newPassword')], 'Passwords do not match')
                 })}
             >
-                {(formik: { values: any; isSubmitting: any; dirty: boolean; }) => (
+                {(formik: FormikProps<ProfileFormValues>) => (
                     <Form>
                         <div className="flex flex-row grow justify-between mb-8">
                             <h2 className="text-2xl font-bold">My Profile</h2>
@@ -124,10 +131,10 @@ export default function ProfileManagement() {
 
                             <div className="flex flex-col grow">
                                 <Section title="Personal information"/>
-                                <Input name="username" label="Username" type="text" autocomplete="username"
+                                <Input name="username" label="Username" type="text" autoComplete="username"
                                        isDisabled={auth.state.user?.managedBySso}/>
                                 <div className="flex flex-row gap-4">
-                                    <Input name="email" label="Email" type="email" autocomplete="email"
+                                    <Input name="email" label="Email" type="email" autoComplete="email"
                                            isDisabled={auth.state.user?.managedBySso || !messagesEnabled}/>
                                     {(auth.state.user?.emailConfirmed === false && !auth.state.user.managedBySso) &&
                                         <Tooltip content="Resend email confirmation message">
@@ -160,9 +167,9 @@ export default function ProfileManagement() {
                                 }
                                 <Section title="Security"/>
                                 <Input name="newPassword" label="New Password" type="password"
-                                       autocomplete="new-password" isDisabled={auth.state.user?.managedBySso}/>
+                                       autoComplete="new-password" isDisabled={auth.state.user?.managedBySso}/>
                                 <Input name="passwordRepeat" label="Repeat password" type="password"
-                                       autocomplete="new-password" isDisabled={auth.state.user?.managedBySso}/>
+                                       autoComplete="new-password" isDisabled={auth.state.user?.managedBySso}/>
                             </div>
                         </div>
                     </Form>
diff --git a/app/src/main/frontend/components/administration/ResetToDefaultButton.tsx b/app/src/main/frontend/components/administration/ResetToDefaultButton.tsx
new file mode 100644
index 0000000..18a42c9
--- /dev/null
+++ b/app/src/main/frontend/components/administration/ResetToDefaultButton.tsx
@@ -0,0 +1,47 @@
+import {Button, Tooltip} from "@heroui/react";
+import {ArrowUUpLeftIcon} from "@phosphor-icons/react";
+import {useFormikContext} from "formik";
+
+interface ResetToDefaultButtonProps {
+    fieldName: string;
+    defaultValue: unknown;
+}
+
+function valuesEqual(a: unknown, b: unknown): boolean {
+    if (a === b) return true;
+    if (Array.isArray(a) && Array.isArray(b)) {
+        if (a.length !== b.length) return false;
+        return a.every((val, i) => valuesEqual(val, b[i]));
+    }
+    return false;
+}
+
+function formatDefaultValue(value: unknown): string {
+    const str = Array.isArray(value) ? value.join(", ") : String(value ?? "");
+    return str.length > 25 ? str.substring(0, 25) + "…" : str;
+}
+
+export default function ResetToDefaultButton({fieldName, defaultValue}: ResetToDefaultButtonProps) {
+    const {setFieldValue, getFieldMeta} = useFormikContext();
+    const currentValue = getFieldMeta(fieldName).value;
+    const isDefault = valuesEqual(currentValue, defaultValue);
+
+    return (
+        <Tooltip placement="right" content={
+            <span>Reset to default: <pre className="inline">{formatDefaultValue(defaultValue)}</pre></span>
+        }>
+            <Button
+                isIconOnly
+                size="sm"
+                variant="light"
+                radius="full"
+                isDisabled={isDefault}
+                className="-ml-2 z-50"
+                onPress={() => setFieldValue(fieldName, defaultValue)}
+            >
+                <ArrowUUpLeftIcon size={16}/>
+            </Button>
+        </Tooltip>
+    );
+}
+
diff --git a/app/src/main/frontend/components/administration/SecurityManagement.tsx b/app/src/main/frontend/components/administration/SecurityManagement.tsx
index 3edd725..858d612 100644
--- a/app/src/main/frontend/components/administration/SecurityManagement.tsx
+++ b/app/src/main/frontend/components/administration/SecurityManagement.tsx
@@ -51,11 +51,12 @@ function SecurityManagementLayout({getConfig, formik, setSaveMessage}: any) {
             <div className="flex flex-row items-start gap-8">
                 <div className="flex flex-col">
                     <h2 className="text-xl font-bold mb-4">General configuration</h2>
-                    <ConfigFormField className="mb-4"
-                                     configElement={getConfig("sso.oidc.enabled")}/>
+                    <ConfigFormField className="mb-4" configElement={getConfig("sso.oidc.enabled")}/>
+
                     <ConfigFormField configElement={getConfig("sso.oidc.match-existing-users-by")}
                                      isDisabled={!formik.values.sso.oidc.enabled}/>
-
+                    <ConfigFormField configElement={getConfig("sso.oidc.username-claim")}
+                                     isDisabled={!formik.values.sso.oidc.enabled}/>
                     <ConfigFormField configElement={getConfig("sso.oidc.roles-claim")}
                                      isDisabled={!formik.values.sso.oidc.enabled}/>
                     <ConfigFormField configElement={getConfig("sso.oidc.oauth-scopes")}
diff --git a/app/src/main/frontend/components/administration/withConfigPage.tsx b/app/src/main/frontend/components/administration/withConfigPage.tsx
index f461314..9f93633 100644
--- a/app/src/main/frontend/components/administration/withConfigPage.tsx
+++ b/app/src/main/frontend/components/administration/withConfigPage.tsx
@@ -1,15 +1,22 @@
 import React, {useEffect, useState} from "react";
 import {ConfigEndpoint} from "Frontend/generated/endpoints";
 import ConfigEntryDto from "Frontend/generated/org/gameyfin/app/config/dto/ConfigEntryDto";
-import {Form, Formik} from "formik";
+import {Form, Formik, FormikProps} from "formik";
 import {Button, Skeleton} from "@heroui/react";
 import {CheckIcon, InfoIcon} from "@phosphor-icons/react";
 import {SmallInfoField} from "Frontend/components/general/SmallInfoField";
 import {configState, initializeConfigState, NestedConfig} from "Frontend/state/ConfigState";
 import {useSnapshot} from "valtio/react";
+import * as Yup from "yup";
 
-export default function withConfigPage(WrappedComponent: React.ComponentType<any>, title: String, validationSchema?: any) {
-    return function ConfigPage(props: any) {
+export interface ConfigPageProps {
+    getConfig: (key: string) => ConfigEntryDto | undefined;
+    formik: FormikProps<NestedConfig>;
+    setSaveMessage: (message: string | undefined) => void;
+}
+
+export default function withConfigPage(WrappedComponent: React.ComponentType<ConfigPageProps>, title: string, validationSchema?: Yup.ObjectSchema<Record<string, unknown>>) {
+    return function ConfigPage(props: Record<string, never>) {
         const [configSaved, setConfigSaved] = useState(false);
         const [saveMessage, setSaveMessage] = useState<string>();
 
@@ -35,14 +42,14 @@ export default function withConfigPage(WrappedComponent: React.ComponentType<any
             return state.state[key];
         }
 
-        function getChangedValues(initial: NestedConfig, current: NestedConfig): Record<string, any> {
-            const flatten = (obj: NestedConfig, parentKey = ''): Record<string, any> => {
-                let result: Record<string, any> = {};
+        function getChangedValues(initial: NestedConfig, current: NestedConfig): Record<string, NestedConfig[string]> {
+            const flatten = (obj: NestedConfig, parentKey = ''): Record<string, NestedConfig[string]> => {
+                let result: Record<string, NestedConfig[string]> = {};
                 for (const key in obj) {
                     if (obj.hasOwnProperty(key)) {
                         const newKey = parentKey ? `${parentKey}.${key}` : key;
                         if (typeof obj[key] === 'object' && obj[key] !== null && !Array.isArray(obj[key])) {
-                            Object.assign(result, flatten(obj[key], newKey));
+                            Object.assign(result, flatten(obj[key] as NestedConfig, newKey));
                         } else {
                             result[newKey] = obj[key];
                         }
@@ -51,11 +58,11 @@ export default function withConfigPage(WrappedComponent: React.ComponentType<any
                 return result;
             };
 
-            const arraysEqual = (a: any[], b: any[]): boolean => {
+            const arraysEqual = (a: unknown[], b: unknown[]): boolean => {
                 if (a.length !== b.length) return false;
                 for (let i = 0; i < a.length; i++) {
                     if (Array.isArray(a[i]) && Array.isArray(b[i])) {
-                        if (!arraysEqual(a[i], b[i])) return false;
+                        if (!arraysEqual(a[i] as unknown[], b[i] as unknown[])) return false;
                     } else if (a[i] !== b[i]) {
                         return false;
                     }
@@ -66,7 +73,7 @@ export default function withConfigPage(WrappedComponent: React.ComponentType<any
             const flatInitial = flatten(initial);
             const flatCurrent = flatten(current);
 
-            const changed: Record<string, any> = {};
+            const changed: Record<string, NestedConfig[string]> = {};
             for (const key in flatCurrent) {
                 const valA = flatCurrent[key];
                 const valB = flatInitial[key];
diff --git a/app/src/main/frontend/components/general/ScanProgressPopover.tsx b/app/src/main/frontend/components/general/ScanProgressPopover.tsx
index 82d7d0e..c5e2709 100644
--- a/app/src/main/frontend/components/general/ScanProgressPopover.tsx
+++ b/app/src/main/frontend/components/general/ScanProgressPopover.tsx
@@ -15,7 +15,8 @@ import {libraryState} from "Frontend/state/LibraryState";
 import {TargetIcon, WarningIcon} from "@phosphor-icons/react";
 import {timeBetween, timeUntil, toTitleCase} from "Frontend/util/utils";
 import LibraryScanStatus from "Frontend/generated/org/gameyfin/app/libraries/dto/LibraryScanStatus";
-import {useEffect, useState} from "react";
+import type LibraryScanProgress from "Frontend/generated/org/gameyfin/app/libraries/dto/LibraryScanProgress";
+import {useEffect, useRef, useState} from "react";
 
 export default function ScanProgressPopover() {
     const libraries = useSnapshot(libraryState).state;
@@ -23,7 +24,10 @@ export default function ScanProgressPopover() {
     const scanInProgress = useSnapshot(scanState).isScanning;
 
     // Add state to track current time and force re-renders
-    const [currentTime, setCurrentTime] = useState(Date.now());
+    const [_currentTime, setCurrentTime] = useState(Date.now());
+
+    // Cache ETAs per scanId: { eta: string | null, computedAt: number }
+    const etaCacheRef = useRef<Record<string, { eta: string | null; computedAt: number }>>({});
 
     // Set up an interval to update the time every second
     useEffect(() => {
@@ -35,6 +39,42 @@ export default function ScanProgressPopover() {
         return () => clearInterval(intervalId);
     }, []);
 
+    function estimateTimeLeft(scan: LibraryScanProgress): string | null {
+        const now = Date.now();
+        const cached = etaCacheRef.current[scan.scanId];
+        // Only recompute every 5 seconds
+        if (cached && now - cached.computedAt < 5000) {
+            return cached.eta;
+        }
+
+        const current = scan.currentStep.current;
+        const total = scan.currentStep.total;
+        if (!current || !total || current <= 0 || total <= 0) {
+            etaCacheRef.current[scan.scanId] = {eta: null, computedAt: now};
+            return null;
+        }
+
+        const elapsed = (now - new Date(scan.startedAt).getTime()) / 1000;
+        if (elapsed <= 0) {
+            etaCacheRef.current[scan.scanId] = {eta: null, computedAt: now};
+            return null;
+        }
+
+        const rate = current / elapsed; // items per second
+        const remaining = total - current;
+        const secondsLeft = Math.round(remaining / rate);
+        if (secondsLeft < 0) {
+            etaCacheRef.current[scan.scanId] = {eta: null, computedAt: now};
+            return null;
+        }
+
+        const mins = Math.floor(secondsLeft / 60);
+        const secs = secondsLeft % 60;
+        const eta = `${mins}:${secs.toString().padStart(2, "0")} min left`;
+        etaCacheRef.current[scan.scanId] = {eta, computedAt: now};
+        return eta;
+    }
+
     return (
         <Popover placement="bottom-end" showArrow={true}>
             <PopoverTrigger>
@@ -79,9 +119,14 @@ export default function ScanProgressPopover() {
                                     {scan.status === LibraryScanStatus.IN_PROGRESS &&
                                         (scan.currentStep.current && scan.currentStep.total ?
                                                 <div className="flex flex-col gap-1">
-                                                    <p className="text-default-500">
-                                                        {`${scan.currentStep.description} (${scan.currentStep.current}/${scan.currentStep.total})`}
-                                                    </p>
+                                                    <div className="flex flex-row justify-between">
+                                                        <p className="text-default-500">
+                                                            {`${scan.currentStep.description} (${scan.currentStep.current}/${scan.currentStep.total})`}
+                                                        </p>
+                                                        <p className="text-default-500">
+                                                            {estimateTimeLeft(scan)}
+                                                        </p>
+                                                    </div>
                                                     <Progress
                                                         value={scan.currentStep.current / scan.currentStep.total * 100}
                                                         size="sm"/>
diff --git a/app/src/main/frontend/components/general/cards/LibraryOverviewCard.tsx b/app/src/main/frontend/components/general/cards/LibraryOverviewCard.tsx
index 8bc7e91..abd4bba 100644
--- a/app/src/main/frontend/components/general/cards/LibraryOverviewCard.tsx
+++ b/app/src/main/frontend/components/general/cards/LibraryOverviewCard.tsx
@@ -10,6 +10,7 @@ import {gameState} from "Frontend/state/GameState";
 import IconBackgroundPattern from "Frontend/components/general/IconBackgroundPattern";
 import LibraryAdminDto from "Frontend/generated/org/gameyfin/app/libraries/dto/LibraryAdminDto";
 import ChipList from "Frontend/components/general/ChipList";
+import {pluginState} from "Frontend/state/PluginState";
 
 interface LibraryOverviewCardProps {
     library: LibraryAdminDto;
@@ -20,6 +21,7 @@ export function LibraryOverviewCard({library}: LibraryOverviewCardProps) {
     const navigate = useNavigate();
     const state = useSnapshot(gameState);
     const randomGames = getRandomGames();
+    const hasActiveMetadataPlugins = useSnapshot(pluginState).hasActiveMetadataPlugins;
 
     function getRandomGames() {
         if (!state.randomlyOrderedGamesByLibraryId[library.id]) return [];
@@ -47,16 +49,20 @@ export function LibraryOverviewCard({library}: LibraryOverviewCardProps) {
                     }
                 </div>
 
-                <p className="absolute text-2xl font-bold">{library.name}</p>
+                <p className="mt-6 absolute text-2xl text-center font-bold">{library.name}</p>
 
                 <div className="absolute right-0 top-0 flex flex-row">
                     <Tooltip content="Scan library (quick)" placement="bottom" color="foreground">
-                        <Button isIconOnly variant="light" onPress={() => triggerScan(ScanType.QUICK)}>
+                        <Button isIconOnly variant="light"
+                                isDisabled={!hasActiveMetadataPlugins}
+                                onPress={() => triggerScan(ScanType.QUICK)}>
                             <MagnifyingGlassIcon/>
                         </Button>
                     </Tooltip>
                     <Tooltip content="Scan library (full)" placement="bottom" color="foreground">
-                        <Button isIconOnly variant="light" onPress={() => triggerScan(ScanType.FULL)}>
+                        <Button isIconOnly variant="light"
+                                isDisabled={!hasActiveMetadataPlugins}
+                                onPress={() => triggerScan(ScanType.FULL)}>
                             <MagnifyingGlassPlusIcon/>
                         </Button>
                     </Tooltip>
diff --git a/app/src/main/frontend/components/general/input/ArrayInput.tsx b/app/src/main/frontend/components/general/input/ArrayInput.tsx
index 3073e73..a8a1fd5 100644
--- a/app/src/main/frontend/components/general/input/ArrayInput.tsx
+++ b/app/src/main/frontend/components/general/input/ArrayInput.tsx
@@ -2,11 +2,20 @@ import {FieldArray, useField} from "formik";
 import {Button, Chip, Input, Popover, PopoverContent, PopoverTrigger} from "@heroui/react";
 import {KeyboardEvent, useState} from "react";
 import {PlusIcon} from "@phosphor-icons/react";
+import InfoPopup from "Frontend/components/administration/InfoPopup";
+import ResetToDefaultButton from "Frontend/components/administration/ResetToDefaultButton";
 
-// @ts-ignore
-const ArrayInput = ({label, ...props}) => {
-    // @ts-ignore
-    const [field, meta] = useField(props);
+interface ArrayInputProps {
+    label: string;
+    name: string;
+    type?: string;
+    description?: string;
+    resetValue?: unknown;
+    isDisabled?: boolean;
+}
+
+export default function ArrayInput({label, description, resetValue, ...props}: ArrayInputProps) {
+    const [field, meta] = useField<string[]>(props.name);
     const [newElementValue, setNewElementValue] = useState<string>("");
 
     return (
@@ -29,12 +38,17 @@ const ArrayInput = ({label, ...props}) => {
                         return (
                             <div className="flex flex-col flex-1 gap-2">
                                 <div className="flex flex-row justify-between">
-                                    <p>{label}</p>
+                                    <span className="flex items-center gap-1">
+                                        <p>{label}</p>
+                                        {description && <InfoPopup content={description}/>}
+                                        {resetValue !== undefined &&
+                                            <ResetToDefaultButton fieldName={field.name} defaultValue={resetValue}/>}
+                                    </span>
                                     <small>{field.value.length} {field.value.length == 1 ? "element" : "elements"}</small>
                                 </div>
 
                                 <div className="flex flex-row flex-wrap gap-2 items-center">
-                                    {field.value.map((element: any, index: number) => (
+                                    {field.value.map((element: string, index: number) => (
                                         <Chip key={index}
                                               onClose={() => arrayHelpers.remove(index)}
                                               isDisabled={props.isDisabled}
@@ -76,5 +90,3 @@ const ArrayInput = ({label, ...props}) => {
         />
     );
 }
-
-export default ArrayInput;
\ No newline at end of file
diff --git a/app/src/main/frontend/components/general/input/CheckboxInput.tsx b/app/src/main/frontend/components/general/input/CheckboxInput.tsx
index 7e972f5..b746637 100644
--- a/app/src/main/frontend/components/general/input/CheckboxInput.tsx
+++ b/app/src/main/frontend/components/general/input/CheckboxInput.tsx
@@ -1,29 +1,39 @@
 import {useField} from "formik";
-import {Checkbox, CheckboxGroup} from "@heroui/react";
+import {Checkbox, CheckboxGroup, CheckboxProps} from "@heroui/react";
+import InfoPopup from "Frontend/components/administration/InfoPopup";
+import ResetToDefaultButton from "Frontend/components/administration/ResetToDefaultButton";
 
-// @ts-ignore
-const CheckboxInput = ({label, ...props}) => {
-    // @ts-ignore
-    const [field, meta] = useField(props);
+interface CheckboxInputProps extends Omit<CheckboxProps, "name"> {
+    label: string;
+    name: string;
+    description?: string;
+    resetValue?: unknown;
+}
+
+export default function CheckboxInput({label, description, resetValue, className, ...props}: CheckboxInputProps) {
+    const [field, meta] = useField({name: props.name, type: "checkbox"});
 
     return (
         <CheckboxGroup
-            className="flex flex-row flex-1 items-baseline gap-2"
+            className={`flex flex-row flex-1 gap-2 ${className ?? ""}`}
             isInvalid={!!meta.error}
             errorMessage={meta.initialError || meta.error}
             value={field.value ? [field.name] : []}
         >
-            <Checkbox
-                className="items-baseline"
-                {...field}
-                {...props}
-                // @ts-ignore
-                value={field.name}
-            >
-                {label}
-            </Checkbox>
+            <span className="flex items-center gap-1">
+                <Checkbox
+                    {...field}
+                    {...props}
+                    className="items-center"
+                    value={field.name}
+                >
+                    {label}
+                </Checkbox>
+                {description && <InfoPopup content={description}/>}
+                {resetValue !== undefined &&
+                    <ResetToDefaultButton fieldName={field.name} defaultValue={resetValue}/>}
+            </span>
         </CheckboxGroup>
     );
 }
 
-export default CheckboxInput;
\ No newline at end of file
diff --git a/app/src/main/frontend/components/general/input/DatePickerInput.tsx b/app/src/main/frontend/components/general/input/DatePickerInput.tsx
index f89126b..17d1659 100644
--- a/app/src/main/frontend/components/general/input/DatePickerInput.tsx
+++ b/app/src/main/frontend/components/general/input/DatePickerInput.tsx
@@ -1,12 +1,15 @@
 import {useField} from "formik";
-import {DatePicker, DateValue} from "@heroui/react";
+import {DatePicker, DatePickerProps, DateValue} from "@heroui/react";
 import {parseDate} from "@internationalized/date";
 import {useState} from "react";
 
-// @ts-ignore
-export default function DatePickerInput({label, showErrorUntouched = false, ...props}) {
-    // @ts-ignore
-    const [field, meta] = useField(props);
+interface DatePickerInputProps extends Omit<DatePickerProps, "name"> {
+    name: string;
+    showErrorUntouched?: boolean;
+}
+
+export default function DatePickerInput({label, showErrorUntouched = false, ...props}: DatePickerInputProps) {
+    const [field, meta] = useField(props.name);
     const [value, setValue] = useState<DateValue | null>(field.value ? parseDate(field.value) : null);
 
     return (
@@ -26,7 +29,7 @@ export default function DatePickerInput({label, showErrorUntouched = false, ...p
                     }
                 });
             }}
-            id={label}
+            id={label as string}
             label={label}
             isInvalid={(meta.touched || showErrorUntouched) && !!meta.error}
             errorMessage={meta.initialError || meta.error}
diff --git a/app/src/main/frontend/components/general/input/GameCoverPicker.tsx b/app/src/main/frontend/components/general/input/GameCoverPicker.tsx
index d4cbb8f..3b7f71b 100644
--- a/app/src/main/frontend/components/general/input/GameCoverPicker.tsx
+++ b/app/src/main/frontend/components/general/input/GameCoverPicker.tsx
@@ -3,13 +3,17 @@ import React from "react";
 import {useField} from "formik";
 import {GameCoverPickerModal} from "Frontend/components/general/modals/GameCoverPickerModal";
 import {ImageBrokenIcon, PencilIcon} from "@phosphor-icons/react";
+import GameDto from "Frontend/generated/org/gameyfin/app/games/dto/GameDto";
 
+interface GameCoverPickerProps {
+    game: GameDto;
+    name: string;
+    showErrorUntouched?: boolean;
+}
 
-// @ts-ignore
-export default function GameCoverPicker({game, showErrorUntouched = false, ...props}) {
+export default function GameCoverPicker({game, showErrorUntouched = false, ...props}: GameCoverPickerProps) {
 
-    // @ts-ignore
-    const [field] = useField(props);
+    const [field] = useField(props.name);
 
     const gameCoverPickerModal = useDisclosure();
 
diff --git a/app/src/main/frontend/components/general/input/GameHeaderPicker.tsx b/app/src/main/frontend/components/general/input/GameHeaderPicker.tsx
index 7fbba69..d7d444a 100644
--- a/app/src/main/frontend/components/general/input/GameHeaderPicker.tsx
+++ b/app/src/main/frontend/components/general/input/GameHeaderPicker.tsx
@@ -3,13 +3,17 @@ import React from "react";
 import {useField} from "formik";
 import {ImageBrokenIcon, PencilIcon} from "@phosphor-icons/react";
 import {GameHeaderPickerModal} from "Frontend/components/general/modals/GameHeaderPickerModal";
+import GameDto from "Frontend/generated/org/gameyfin/app/games/dto/GameDto";
 
+interface GameHeaderPickerProps {
+    game: GameDto;
+    name: string;
+    showErrorUntouched?: boolean;
+}
 
-// @ts-ignore
-export default function GameHeaderPicker({game, showErrorUntouched = false, ...props}) {
+export default function GameHeaderPicker({game, showErrorUntouched = false, ...props}: GameHeaderPickerProps) {
 
-    // @ts-ignore
-    const [field] = useField(props);
+    const [field] = useField(props.name);
 
     const gameHeaderPickerModal = useDisclosure();
 
diff --git a/app/src/main/frontend/components/general/input/Input.tsx b/app/src/main/frontend/components/general/input/Input.tsx
index e4a5c11..99ab1bc 100644
--- a/app/src/main/frontend/components/general/input/Input.tsx
+++ b/app/src/main/frontend/components/general/input/Input.tsx
@@ -1,23 +1,43 @@
 import {useField} from "formik";
-import {Input as HeroUiInput} from "@heroui/react";
+import {Input as HeroUiInput, InputProps} from "@heroui/react";
+import InfoPopup from "Frontend/components/administration/InfoPopup";
+import ResetToDefaultButton from "Frontend/components/administration/ResetToDefaultButton";
 
-// @ts-ignore
-const Input = ({label, showErrorUntouched = false, ...props}) => {
-    // @ts-ignore
-    const [field, meta] = useField(props);
+interface CustomInputProps extends Omit<InputProps, "name"> {
+    name: string;
+    showErrorUntouched?: boolean;
+    resetValue?: unknown;
+}
+
+export default function Input({
+                                  label,
+                                  showErrorUntouched = false,
+                                  description,
+                                  className,
+                                  resetValue,
+                                  ...props
+                              }: CustomInputProps) {
+    const [field, meta] = useField(props.name);
 
     return (
         <HeroUiInput
-            className="min-h-20 grow"
             fullWidth={false}
             {...props}
             {...field}
-            id={label}
+            className={`min-h-20 grow ${className ?? ""}`}
+            id={label as string}
             label={label}
+            endContent={
+                (description || resetValue !== undefined) ? (
+                    <span className="flex items-center gap-1">
+                        {description && <InfoPopup content={description as string}/>}
+                        {resetValue !== undefined &&
+                            <ResetToDefaultButton fieldName={field.name} defaultValue={resetValue}/>}
+                    </span>
+                ) : undefined
+            }
             isInvalid={(meta.touched || showErrorUntouched) && !!meta.error}
             errorMessage={meta.initialError || meta.error}
         />
     );
-}
-
-export default Input;
\ No newline at end of file
+}
\ No newline at end of file
diff --git a/app/src/main/frontend/components/general/input/NumberInput.tsx b/app/src/main/frontend/components/general/input/NumberInput.tsx
index e8441fa..388adb4 100644
--- a/app/src/main/frontend/components/general/input/NumberInput.tsx
+++ b/app/src/main/frontend/components/general/input/NumberInput.tsx
@@ -1,26 +1,46 @@
 import {useField} from "formik";
-import {NumberInput as HeroUiNumberInput} from "@heroui/react";
+import {NumberInput as HeroUiNumberInput, NumberInputProps} from "@heroui/react";
+import InfoPopup from "Frontend/components/administration/InfoPopup";
+import ResetToDefaultButton from "Frontend/components/administration/ResetToDefaultButton";
 
-// @ts-ignore
-const NumberInput = ({label, showErrorUntouched = false, ...props}) => {
-    // @ts-ignore
-    const [field, meta, helpers] = useField(props);
+interface CustomNumberInputProps extends Omit<NumberInputProps, "name"> {
+    name: string;
+    showErrorUntouched?: boolean;
+    resetValue?: unknown;
+}
+
+export default function NumberInput({
+                                        label,
+                                        showErrorUntouched = false,
+                                        description,
+                                        className,
+                                        resetValue,
+                                        ...props
+                                    }: CustomNumberInputProps) {
+    const [field, meta, helpers] = useField<number>(props.name);
 
     return (
         <HeroUiNumberInput
-            className="min-h-20 grow"
             fullWidth={false}
             {...props}
+            className={`min-h-20 grow ${className ?? ""}`}
             value={field.value}
             onValueChange={(value) => helpers.setValue(value)}
             onBlur={field.onBlur}
             name={field.name}
-            id={label}
+            id={label as string}
             label={label}
+            endContent={
+                (description || resetValue !== undefined) ? (
+                    <span className="flex items-center gap-1">
+                        {description && <InfoPopup content={description as string}/>}
+                        {resetValue !== undefined &&
+                            <ResetToDefaultButton fieldName={field.name} defaultValue={resetValue}/>}
+                    </span>
+                ) : undefined
+            }
             isInvalid={(meta.touched || showErrorUntouched) && !!meta.error}
             errorMessage={meta.initialError || meta.error}
         />
     );
 }
-
-export default NumberInput;
\ No newline at end of file
diff --git a/app/src/main/frontend/components/general/input/SelectInput.tsx b/app/src/main/frontend/components/general/input/SelectInput.tsx
index 2ecdfdd..c21bbf1 100644
--- a/app/src/main/frontend/components/general/input/SelectInput.tsx
+++ b/app/src/main/frontend/components/general/input/SelectInput.tsx
@@ -1,10 +1,18 @@
 import {useField} from "formik";
-import {Select, SelectItem} from "@heroui/react";
+import {Select, SelectItem, SelectProps} from "@heroui/react";
+import InfoPopup from "Frontend/components/administration/InfoPopup";
+import ResetToDefaultButton from "Frontend/components/administration/ResetToDefaultButton";
 
-// @ts-ignore
-const SelectInput = ({label, values, ...props}) => {
-    // @ts-ignore
-    const [field, meta] = useField(props);
+interface SelectInputProps extends Omit<SelectProps, "name" | "children"> {
+    label: string;
+    name: string;
+    values: string[];
+    description?: string;
+    resetValue?: unknown;
+}
+
+export default function SelectInput({label, values, description, resetValue, ...props}: SelectInputProps) {
+    const [field, meta] = useField(props.name);
 
     const items = values.map((v: string) => ({key: v, label: v}));
 
@@ -17,6 +25,15 @@ const SelectInput = ({label, values, ...props}) => {
                 label={label}
                 items={items}
                 selectedKeys={[field.value]}
+                endContent={
+                    (description || resetValue !== undefined) ? (
+                        <span className="flex items-center">
+                            {description && <InfoPopup content={description}/>}
+                            {resetValue !== undefined &&
+                                <ResetToDefaultButton fieldName={field.name} defaultValue={resetValue}/>}
+                        </span>
+                    ) : undefined
+                }
                 isInvalid={!!meta.error}
                 errorMessage={meta.initialError || meta.error}
                 disallowEmptySelection
@@ -26,5 +43,3 @@ const SelectInput = ({label, values, ...props}) => {
         </div>
     );
 }
-
-export default SelectInput;
\ No newline at end of file
diff --git a/app/src/main/frontend/components/general/input/SliderInput.tsx b/app/src/main/frontend/components/general/input/SliderInput.tsx
index 22a27d4..52cdc54 100644
--- a/app/src/main/frontend/components/general/input/SliderInput.tsx
+++ b/app/src/main/frontend/components/general/input/SliderInput.tsx
@@ -1,23 +1,41 @@
 import {useField} from "formik";
-import {Slider as HeroUiSlider} from "@heroui/react";
+import {Slider as HeroUiSlider, SliderProps} from "@heroui/react";
+import InfoPopup from "Frontend/components/administration/InfoPopup";
+import ResetToDefaultButton from "Frontend/components/administration/ResetToDefaultButton";
 
-// @ts-ignore
-const SliderInput = ({label, showErrorUntouched = false, ...props}) => {
-    // @ts-ignore
-    const [field, meta, helpers] = useField(props);
+interface SliderInputProps extends Omit<SliderProps, "name"> {
+    name: string;
+    description?: string;
+    showErrorUntouched?: boolean;
+    resetValue?: unknown;
+}
+
+export default function SliderInput({
+                                        label,
+                                        showErrorUntouched = false,
+                                        description,
+                                        resetValue,
+                                        ...props
+                                    }: SliderInputProps) {
+    const [field, , helpers] = useField<number>(props.name);
 
     return (
         <HeroUiSlider
             className="min-h-20 grow"
             {...props}
             value={field.value}
-            onChange={(value) => helpers.setValue(value)}
+            onChange={(value) => helpers.setValue(value as number)}
             onBlur={field.onBlur}
             name={field.name}
-            id={label}
-            label={label}
+            id={label as string}
+            label={
+                <span className="flex items-center gap-1">
+                    {label}
+                    {description && <InfoPopup content={description}/>}
+                    {resetValue !== undefined &&
+                        <ResetToDefaultButton fieldName={field.name} defaultValue={resetValue}/>}
+                </span>
+            }
         />
     );
 }
-
-export default SliderInput;
\ No newline at end of file
diff --git a/app/src/main/frontend/components/general/input/TextAreaInput.tsx b/app/src/main/frontend/components/general/input/TextAreaInput.tsx
index 19f3b5b..ce17747 100644
--- a/app/src/main/frontend/components/general/input/TextAreaInput.tsx
+++ b/app/src/main/frontend/components/general/input/TextAreaInput.tsx
@@ -1,10 +1,13 @@
 import {useField} from "formik";
-import {Textarea} from "@heroui/react";
+import {Textarea, TextAreaProps} from "@heroui/react";
 
-// @ts-ignore
-export default function TextAreaInput({label, showErrorUntouched = false, ...props}) {
-    // @ts-ignore
-    const [field, meta] = useField(props);
+interface TextAreaInputProps extends Omit<TextAreaProps, "name"> {
+    name: string;
+    showErrorUntouched?: boolean;
+}
+
+export default function TextAreaInput({label, showErrorUntouched = false, ...props}: TextAreaInputProps) {
+    const [field, meta] = useField(props.name);
 
     return (
         <Textarea
@@ -12,7 +15,7 @@ export default function TextAreaInput({label, showErrorUntouched = false, ...pro
             fullWidth={false}
             {...props}
             {...field}
-            id={label}
+            id={label as string}
             label={label}
             isInvalid={(meta.touched || showErrorUntouched) && !!meta.error}
             errorMessage={meta.initialError || meta.error}
diff --git a/app/src/main/frontend/components/general/modals/LibraryCreationModal.tsx b/app/src/main/frontend/components/general/modals/LibraryCreationModal.tsx
index e8293c9..9913046 100644
--- a/app/src/main/frontend/components/general/modals/LibraryCreationModal.tsx
+++ b/app/src/main/frontend/components/general/modals/LibraryCreationModal.tsx
@@ -1,5 +1,16 @@
 import React, {useState} from "react";
-import {addToast, Button, Checkbox, Modal, ModalBody, ModalContent, ModalFooter, ModalHeader} from "@heroui/react";
+import {
+    addToast,
+    Alert,
+    Button,
+    Checkbox,
+    Link,
+    Modal,
+    ModalBody,
+    ModalContent,
+    ModalFooter,
+    ModalHeader
+} from "@heroui/react";
 import {Form, Formik} from "formik";
 import {LibraryEndpoint} from "Frontend/generated/endpoints";
 import Input from "Frontend/components/general/input/Input";
@@ -9,6 +20,7 @@ import ArrayInputAutocomplete from "Frontend/components/general/input/ArrayInput
 import {useSnapshot} from "valtio/react";
 import {platformState} from "Frontend/state/PlatformState";
 import LibraryAdminDto from "Frontend/generated/org/gameyfin/app/libraries/dto/LibraryAdminDto";
+import {pluginState} from "Frontend/state/PluginState";
 
 interface LibraryCreationModalProps {
     isOpen: boolean;
@@ -22,9 +34,10 @@ export default function LibraryCreationModal({
 
     const [scanAfterCreation, setScanAfterCreation] = useState<boolean>(true);
     const availablePlatforms = useSnapshot(platformState).available;
+    const hasActiveMetadataPlugins = useSnapshot(pluginState).hasActiveMetadataPlugins;
 
     async function createLibrary(library: LibraryAdminDto) {
-        await LibraryEndpoint.createLibrary(library, scanAfterCreation);
+        await LibraryEndpoint.createLibrary(library, hasActiveMetadataPlugins && scanAfterCreation);
 
         addToast({
             title: "New library created",
@@ -77,10 +90,21 @@ export default function LibraryCreationModal({
                                             />
                                             <DirectoryMappingInput name="directories"/>
                                         </div>
+                                        {!hasActiveMetadataPlugins &&
+                                            <Alert color="warning">
+                                                <p>No metadata plugins are currently enabled.</p>
+                                                <p>Go to <Link underline="always" color="foreground"
+                                                               href="/administration/plugins">Plugins</Link> and enable
+                                                    at least one metadata plugin in order to scan your library.</p>
+                                            </Alert>
+                                        }
                                     </ModalBody>
                                     <ModalFooter className="flex flex-row justify-between">
-                                        <Checkbox isSelected={scanAfterCreation} onValueChange={setScanAfterCreation}>Scan
-                                            after creation?</Checkbox>
+                                        <Checkbox
+                                            isSelected={hasActiveMetadataPlugins && scanAfterCreation}
+                                            isDisabled={!hasActiveMetadataPlugins}
+                                            onValueChange={setScanAfterCreation}
+                                        >Scan after creation?</Checkbox>
                                         <div className="flex flex-row">
                                             <Button variant="light" onPress={onClose}>
                                                 Cancel
diff --git a/app/src/main/frontend/components/general/modals/PluginDetailsModal.tsx b/app/src/main/frontend/components/general/modals/PluginDetailsModal.tsx
index 123ab75..e5c669b 100644
--- a/app/src/main/frontend/components/general/modals/PluginDetailsModal.tsx
+++ b/app/src/main/frontend/components/general/modals/PluginDetailsModal.tsx
@@ -6,7 +6,7 @@ import Markdown from "react-markdown";
 import remarkBreaks from "remark-breaks";
 import {PluginEndpoint} from "Frontend/generated/endpoints";
 import PluginDto from "Frontend/generated/org/gameyfin/app/core/plugins/dto/PluginDto";
-import { ArrowClockwiseIcon } from "@phosphor-icons/react";
+import {ArrowClockwiseIcon} from "@phosphor-icons/react";
 import PluginConfigMetadataDto from "Frontend/generated/org/gameyfin/app/core/plugins/dto/PluginConfigMetadataDto";
 import PluginConfigFormField from "Frontend/components/general/plugin/PluginConfigFormField";
 
diff --git a/app/src/main/frontend/state/PluginState.ts b/app/src/main/frontend/state/PluginState.ts
index e74b6f9..f64086a 100644
--- a/app/src/main/frontend/state/PluginState.ts
+++ b/app/src/main/frontend/state/PluginState.ts
@@ -3,6 +3,12 @@ import PluginDto from "Frontend/generated/org/gameyfin/app/core/plugins/dto/Plug
 import PluginUpdateDto from "Frontend/generated/org/gameyfin/app/core/plugins/dto/PluginUpdateDto";
 import {proxy} from "valtio/index";
 import {PluginEndpoint} from "Frontend/generated/endpoints";
+import Pf4jPluginState from "Frontend/generated/org/pf4j/PluginState";
+
+export enum PluginType {
+    GameMetadataProvider = "GameMetadataProvider",
+    DownloadProvider = "DownloadProvider",
+}
 
 type PluginState = {
     subscription?: Subscription<PluginUpdateDto[]>;
@@ -10,6 +16,7 @@ type PluginState = {
     state: Record<string, PluginDto>;
     plugins: PluginDto[];
     sortedByType: Record<string, PluginDto[]>;
+    hasActiveMetadataPlugins: boolean;
 };
 
 export const pluginState = proxy<PluginState>({
@@ -22,6 +29,11 @@ export const pluginState = proxy<PluginState>({
     },
     get sortedByType() {
         return sortPluginsByType(this.state);
+    },
+    get hasActiveMetadataPlugins() {
+        return this.sortedByType[PluginType.GameMetadataProvider]
+            ?.filter((p: PluginDto) => p.state == Pf4jPluginState.STARTED)
+            .length > 0;
     }
 });
 
@@ -53,7 +65,10 @@ export async function initializePluginState() {
 /** Computed **/
 
 function sortPluginsByType(pluginsMap: Record<string, PluginDto>): Record<string, PluginDto[]> {
-    const pluginsByType: Record<string, PluginDto[]> = {};
+    // Initialize with empty arrays for all known plugin types so consumers never get undefined
+    const pluginsByType: Record<string, PluginDto[]> = Object.fromEntries(
+        Object.values(PluginType).map(type => [type, []])
+    );
 
     // Convert map to array of plugins
     const plugins = Object.values(pluginsMap);
diff --git a/app/src/main/frontend/views/AdministrationView.tsx b/app/src/main/frontend/views/AdministrationView.tsx
index 3d21676..d120b1e 100644
--- a/app/src/main/frontend/views/AdministrationView.tsx
+++ b/app/src/main/frontend/views/AdministrationView.tsx
@@ -59,5 +59,4 @@ const menuItems: MenuItem[] = [
     }
 ]
 
-export const AdministrationView = withSideMenu("/administration", menuItems);
-export default AdministrationView;
\ No newline at end of file
+export const AdministrationView = withSideMenu("/administration", menuItems);
\ No newline at end of file
diff --git a/app/src/main/frontend/views/HomeView.tsx b/app/src/main/frontend/views/HomeView.tsx
index daad9a9..8383c63 100644
--- a/app/src/main/frontend/views/HomeView.tsx
+++ b/app/src/main/frontend/views/HomeView.tsx
@@ -2,42 +2,41 @@ import {CoverRow} from "Frontend/components/general/covers/CoverRow";
 import {useSnapshot} from "valtio/react";
 import {libraryState} from "Frontend/state/LibraryState";
 import {gameState} from "Frontend/state/GameState";
-import React, {useEffect, useState} from "react";
+import React, {useMemo} from "react";
 import LibraryDto from "Frontend/generated/org/gameyfin/app/libraries/dto/LibraryDto";
 import {collectionState} from "Frontend/state/CollectionState";
 import CollectionDto from "Frontend/generated/org/gameyfin/app/collections/dto/CollectionDto";
 import {StartPageDisplayCard} from "Frontend/components/general/cards/StartPageDisplayCard";
-import {Link} from "@heroui/react";
-import {CaretRightIcon} from "@phosphor-icons/react";
+import {Link, Spinner} from "@heroui/react";
+import {CaretRightIcon, FolderOpenIcon} from "@phosphor-icons/react";
+import {useAuth} from "Frontend/util/auth";
+import {isAdmin} from "Frontend/util/utils";
 
 export default function HomeView() {
+    const auth = useAuth();
     const librariesState = useSnapshot(libraryState);
     const collectionsState = useSnapshot(collectionState);
     const gamesState = useSnapshot(gameState);
     const gamesByLibrary = gamesState.gamesByLibraryId;
     const gamesByCollection = gamesState.gamesByCollectionId;
 
-    const [filteredAndSortedLibraries, setFilteredAndSortedLibraries] = useState<LibraryDto[]>([]);
-    const [filteredAndSortedCollections, setFilteredAndSortedCollections] = useState<CollectionDto[]>([]);
-
-    useEffect(() => {
-        const libraries = librariesState.sorted
+    const filteredAndSortedLibraries = useMemo(() =>
+        librariesState.sorted
             .filter(library => library.metadata!.displayOnHomepage)
             .filter(library =>
                 gamesByLibrary[library.id] && gamesByLibrary[library.id].length > 0
-            );
+            ),
+        [librariesState.sorted, gamesByLibrary]
+    );
 
-        setFilteredAndSortedLibraries(libraries);
-
-        const collections = collectionsState.sorted
+    const filteredAndSortedCollections = useMemo(() =>
+        collectionsState.sorted
             .filter(collection => collection.metadata!.displayOnHomepage)
             .filter(collection =>
                 gamesByCollection[collection.id] && gamesByCollection[collection.id].length > 0
-            );
-
-        setFilteredAndSortedCollections(collections);
-
-    }, [librariesState.sorted, collectionsState.sorted, gamesByLibrary, gamesByCollection]);
+            ),
+        [collectionsState.sorted, gamesByCollection]
+    );
 
     // Sort games by date added (newest first) for libraries
     const getSortedLibraryGames = (libraryId: number) => {
@@ -65,6 +64,43 @@ export default function HomeView() {
         });
     };
 
+    const hasNoContent = filteredAndSortedLibraries.length === 0 && filteredAndSortedCollections.length === 0;
+    const allStatesLoaded = librariesState.isLoaded && collectionsState.isLoaded && gamesState.isLoaded;
+
+    if (!allStatesLoaded) {
+        return (
+            <div className="flex flex-col items-center justify-center h-[70vh] text-center gap-4">
+                <Spinner size="lg"/>
+                <p className="text-xl font-semibold text-default-600">Loading...</p>
+            </div>
+        );
+    }
+
+    if (hasNoContent) {
+        return (
+            <div className="flex flex-col items-center justify-center h-[70vh] text-center gap-4">
+                <FolderOpenIcon size={64} className="text-default-300"/>
+                <p className="text-xl font-semibold text-default-600">Nothing here yet</p>
+                {isAdmin(auth) ? (
+                    <>
+                        <p className="text-default-400 max-w-lg">
+                            Get started by adding libraries and games in the{" "}
+                            <Link href="/administration/games" underline="always">
+                                administration panel
+                            </Link>.
+                        </p>
+                    </>
+                ) : (
+                    <>
+                        <p className="text-default-400 max-w-md">
+                            There is currently no content available. Check back later!
+                        </p>
+                    </>
+                )}
+            </div>
+        );
+    }
+
     return (
         <div className="w-full">
             <div className="flex flex-col gap-4">
diff --git a/app/src/main/kotlin/org/gameyfin/app/collections/CollectionEndpoint.kt b/app/src/main/kotlin/org/gameyfin/app/collections/CollectionEndpoint.kt
index 07320c5..6d24e15 100644
--- a/app/src/main/kotlin/org/gameyfin/app/collections/CollectionEndpoint.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/collections/CollectionEndpoint.kt
@@ -50,13 +50,13 @@ class CollectionEndpoint(
     @RolesAllowed(Role.Names.ADMIN)
     fun deleteCollection(collectionId: Long) = collectionService.delete(collectionId)
 
-    /* Unused endpoints for Hilla to generate typescript classes */
+    /* Unused endpoints for Hilla to generate TypeScript classes */
 
-    @Suppress("Unused", "FunctionName")
+    @Suppress("Unused", "FunctionName", "kotlin:S100")
     @RolesAllowed(Role.Names.ADMIN)
     fun _getAdminDto(id: Long): CollectionAdminDto = collectionService.getById(id).toAdminDto()
 
-    @Suppress("Unused", "FunctionName")
+    @Suppress("Unused", "FunctionName", "kotlin:S100")
     @RolesAllowed(Role.Names.ADMIN)
     fun _getUserDto(id: Long): CollectionUserDto = collectionService.getById(id).toUserDto()
 }
diff --git a/app/src/main/kotlin/org/gameyfin/app/collections/CollectionService.kt b/app/src/main/kotlin/org/gameyfin/app/collections/CollectionService.kt
index 40c7224..97a7a72 100644
--- a/app/src/main/kotlin/org/gameyfin/app/collections/CollectionService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/collections/CollectionService.kt
@@ -70,8 +70,8 @@ class CollectionService(
 
     @Transactional
     fun create(dto: CollectionCreateDto) {
-        if (collectionRepository.findByName(dto.name) != null) {
-            throw IllegalArgumentException("Collection with name '${dto.name}' already exists")
+        require(collectionRepository.findByName(dto.name) == null) {
+            "Collection with name '${dto.name}' already exists"
         }
         val entity = dto.toEntity()
         dto.gameIds?.let { ids ->
@@ -87,8 +87,8 @@ class CollectionService(
     fun update(dto: CollectionUpdateDto): CollectionDto {
         val collection = getById(dto.id)
         dto.name?.let { newName ->
-            if (newName != collection.name && collectionRepository.findByName(newName) != null) {
-                throw IllegalArgumentException("Collection with name '$newName' already exists")
+            require(collectionRepository.findByName(dto.name) == null) {
+                "Collection with name '${dto.name}' already exists"
             }
             collection.name = newName
         }
diff --git a/app/src/main/kotlin/org/gameyfin/app/config/ConfigProperties.kt b/app/src/main/kotlin/org/gameyfin/app/config/ConfigProperties.kt
index c296eb6..d82a3ab 100644
--- a/app/src/main/kotlin/org/gameyfin/app/config/ConfigProperties.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/config/ConfigProperties.kt
@@ -7,6 +7,7 @@ import kotlin.reflect.KClass
 sealed class ConfigProperties<T : Serializable>(
     val type: KClass<T>,
     val key: String,
+    val name: String,
     val description: String,
     val default: T? = null,
     val allowedValues: List<T>? = null,
@@ -21,6 +22,7 @@ sealed class ConfigProperties<T : Serializable>(
             Boolean::class,
             "security.allow-public-access",
             "Allow access to Gameyfin without login",
+            "When enabled, anyone can browse (and potentially download) games **without logging in**.",
             false
         )
     }
@@ -32,6 +34,7 @@ sealed class ConfigProperties<T : Serializable>(
                 Boolean::class,
                 "library.scan.enable-filesystem-watcher",
                 "Enable automatic library scanning using file system watchers",
+                "Watches your library folders for file changes and **updates this specific folder** when files are added, removed, or renamed.",
                 false
             )
 
@@ -39,6 +42,7 @@ sealed class ConfigProperties<T : Serializable>(
                 Boolean::class,
                 "library.scan.scan-empty-directories",
                 "Scan empty directories",
+                "When enabled, empty folders inside a library path are also reported during a scan.",
                 false
             )
 
@@ -46,6 +50,7 @@ sealed class ConfigProperties<T : Serializable>(
                 Boolean::class,
                 "library.scan.extract-title-using-regex",
                 "Extract title from file names using regex",
+                "Uses the regex defined in **Title Extraction Regex** to strip unwanted parts (e.g. release tags) from file names before matching.",
                 false
             )
 
@@ -53,6 +58,7 @@ sealed class ConfigProperties<T : Serializable>(
                 String::class,
                 "library.scan.title-extraction-regex",
                 "Regex to extract title from file names",
+                "Java-compatible regular expression used to extract the game title from a file name. The first captured group (or full match) is used as the title.",
                 "^[^\\[]+"
             )
 
@@ -60,6 +66,8 @@ sealed class ConfigProperties<T : Serializable>(
                 Int::class,
                 "library.scan.title-match-min-ratio",
                 "Minimum ratio for title matching. Higher values mean stricter matching.",
+                """Used to match titles **across different metadata sources (plugins)**.
+                    |Raise this value to reduce false positives; lower it to match more liberally.""".trimMargin(),
                 default = 90,
                 min = 0,
                 max = 100,
@@ -70,6 +78,7 @@ sealed class ConfigProperties<T : Serializable>(
                 Array<String>::class,
                 "library.scan.game-file-extensions",
                 "File extensions to consider as games",
+                "Only files whose extension appears in this list are treated as games during a library scan. Add custom extensions to support additional formats.",
                 arrayOf(
                     "zip",
                     "tar",
@@ -93,6 +102,19 @@ sealed class ConfigProperties<T : Serializable>(
                     "elf"
                 )
             )
+
+            data object MaxConcurrency : ConfigProperties<Int>(
+                Int::class,
+                "library.scan.max-concurrency",
+                "Scan concurrency",
+                """Controls how many games are processed simultaneously during a library scan (metadata fetching, image downloading, etc.).
+                    |Lower values reduce peak memory usage; higher values speed up large scans.
+                    |Does **not** affect already running scans.""".trimMargin(),
+                default = 4,
+                min = 1,
+                max = 16,
+                step = 1
+            )
         }
 
         sealed class Metadata {
@@ -100,6 +122,7 @@ sealed class ConfigProperties<T : Serializable>(
                 Boolean::class,
                 "library.metadata.update.enabled",
                 "Enable periodic refresh of video game metadata",
+                "When enabled, Gameyfin periodically re-fetches metadata (cover art, descriptions, genres, …) according to the configured schedule.",
                 true
             )
 
@@ -107,6 +130,7 @@ sealed class ConfigProperties<T : Serializable>(
                 String::class,
                 "library.metadata.update.schedule",
                 "Schedule for periodic metadata refresh in Spring cron format",
+                "Controls **when** the automatic metadata refresh runs. Accepts [Spring cron expressions](https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/scheduling/support/CronExpression.html) or shortcuts such as `@daily`.",
                 "@daily"
             )
         }
@@ -119,6 +143,7 @@ sealed class ConfigProperties<T : Serializable>(
                 Boolean::class,
                 "requests.games.enabled",
                 "Enable submission of game requests",
+                "Allows users to submit requests for games they would like to see added to the library.",
                 true
             )
 
@@ -126,6 +151,7 @@ sealed class ConfigProperties<T : Serializable>(
                 Boolean::class,
                 "requests.games.allow-guests-to-request-games",
                 "Allow guests (not logged in) to create game requests",
+                "When enabled, visitors who are **not logged in** can also submit game requests.",
                 false
             )
 
@@ -133,6 +159,7 @@ sealed class ConfigProperties<T : Serializable>(
                 Int::class,
                 "requests.games.max-open-requests-per-user",
                 "Maximum number of pending requests per user. Set to 0 for unlimited.",
+                "Caps the number of **open (unresolved) requests** a single user can have at any time. Set to `0` to remove the limit.",
                 10
             )
         }
@@ -144,6 +171,7 @@ sealed class ConfigProperties<T : Serializable>(
             Boolean::class,
             "downloads.bandwidth-limit.enabled",
             "Enable per-user bandwidth limiting for downloads",
+            "When enabled, each user's download speed is capped at the value specified in **Bandwidth Limit (Mbps)**.",
             false
         )
 
@@ -151,6 +179,7 @@ sealed class ConfigProperties<T : Serializable>(
             Int::class,
             "downloads.bandwidth-limit.mbps",
             "Maximum download speed in Megabits per second (Mbps)",
+            "The maximum allowed download speed **per user** in Megabits per second. Only takes effect when bandwidth limiting is enabled.",
             100
         )
     }
@@ -162,6 +191,7 @@ sealed class ConfigProperties<T : Serializable>(
                 Boolean::class,
                 "users.sign-ups.allow",
                 "Allow new users to sign up by themselves",
+                "When enabled, a **Register** button is shown on the login page so anyone can create an account.",
                 false
             )
 
@@ -169,6 +199,7 @@ sealed class ConfigProperties<T : Serializable>(
                 Boolean::class,
                 "users.sign-ups.confirmation-required",
                 "Admins need to confirm new users",
+                "When enabled, newly registered accounts are **inactive** until an administrator explicitly approves them.",
                 true
             )
         }
@@ -181,6 +212,7 @@ sealed class ConfigProperties<T : Serializable>(
                 Boolean::class,
                 "sso.oidc.enabled",
                 "Enable SSO via OIDC/OAuth2",
+                "Activates the **OpenID Connect / OAuth 2.0** single sign-on integration. All other OIDC settings below are required when this is turned on.",
                 false
             )
 
@@ -188,14 +220,26 @@ sealed class ConfigProperties<T : Serializable>(
                 MatchUsersBy::class,
                 "sso.oidc.match-existing-users-by",
                 "Match existing users by",
+                "Determines which field (`username` or `email`) is used to link an incoming SSO identity to an **existing Gameyfin account**.",
                 MatchUsersBy.username,
                 MatchUsersBy.entries
             )
 
+            data object UsernameClaim : ConfigProperties<String>(
+                String::class,
+                "sso.oidc.username-claim",
+                "Username claim",
+                """Name of the OIDC / userinfo claim used as the Gameyfin username (e.g. `preferred_username`, `name`, `email`).
+                    |If the claim is absent or blank, Gameyfin falls back through `preferred_username` → `nickname` → `name` → `email` → `sub` automatically.""".trimMargin(),
+                "preferred_username"
+            )
+
             data object RolesClaim : ConfigProperties<String>(
                 String::class,
                 "sso.oidc.roles-claim",
-                "JWT claim to extract roles from",
+                "Role claim",
+                """Name of the OIDC / userinfo claim that contains the user's roles.
+                    |Gameyfin maps these roles to its own permission system.""".trimMargin(),
                 "roles"
             )
 
@@ -203,55 +247,64 @@ sealed class ConfigProperties<T : Serializable>(
                 Array<String>::class,
                 "sso.oidc.oauth-scopes",
                 "OAuth2 scopes to request",
+                "List of [OAuth 2.0 scopes](https://oauth.net/2/scope/) sent in the authorization request. Must include at least `openid`.",
                 arrayOf("openid", "profile", "email", "roles")
             )
 
             data object ClientId : ConfigProperties<String>(
                 String::class,
                 "sso.oidc.client-id",
-                "Client ID"
+                "Client ID",
+                "The **client identifier** issued by your identity provider when you registered Gameyfin as an OAuth 2.0 application."
             )
 
             data object ClientSecret : ConfigProperties<String>(
                 String::class,
                 "sso.oidc.client-secret",
-                "Client secret"
+                "Client secret",
+                "The **client secret** issued by your identity provider. Keep this value confidential."
             )
 
             data object IssuerUrl : ConfigProperties<String>(
                 String::class,
                 "sso.oidc.issuer-url",
-                "Issuer URL"
+                "Issuer URL",
+                "The base URL of your identity provider (e.g. `https://auth.example.com/realms/myrealm`). Used for OIDC discovery."
             )
 
             data object AuthorizeUrl : ConfigProperties<String>(
                 String::class,
                 "sso.oidc.authorize-url",
-                "Authorize URL"
+                "Authorize URL",
+                "The **authorization endpoint** of your identity provider. Required when OIDC auto-discovery is not available."
             )
 
             data object TokenUrl : ConfigProperties<String>(
                 String::class,
                 "sso.oidc.token-url",
-                "Token URL"
+                "Token URL",
+                "The **token endpoint** used to exchange an authorization code for access and ID tokens."
             )
 
             data object UserInfoUrl : ConfigProperties<String>(
                 String::class,
                 "sso.oidc.userinfo-url",
-                "Userinfo URL"
+                "Userinfo URL",
+                "The **userinfo endpoint** from which Gameyfin retrieves profile claims (name, email, roles, …) after a successful login."
             )
 
             data object JwksUrl : ConfigProperties<String>(
                 String::class,
                 "sso.oidc.jwks-url",
-                "JWKS URL"
+                "JWKS URL",
+                "The **JSON Web Key Set endpoint** used to verify the signature of JWTs issued by your identity provider."
             )
 
             data object LogoutUrl : ConfigProperties<String>(
                 String::class,
                 "sso.oidc.logout-url",
-                "Logout URL"
+                "Logout URL",
+                "The **end-session endpoint** to which Gameyfin redirects users after they log out, ensuring they are also signed out from the identity provider."
             )
         }
     }
@@ -264,32 +317,37 @@ sealed class ConfigProperties<T : Serializable>(
                     Boolean::class,
                     "messages.providers.email.enabled",
                     "Enable E-Mail notifications",
+                    "When enabled, Gameyfin can send **e-mail notifications** (e.g. sign-up confirmations, request updates) via the configured SMTP server.",
                     false
                 )
 
                 data object Host : ConfigProperties<String>(
                     String::class,
                     "messages.providers.email.host",
-                    "URL of the email server"
+                    "URL of the email server",
+                    "Hostname or IP address of the **SMTP server** used to dispatch outgoing e-mails (e.g. `smtp.gmail.com`)."
                 )
 
                 data object Port : ConfigProperties<Int>(
                     Int::class,
                     "messages.providers.email.port",
                     "Port of the email server",
+                    "TCP port of the SMTP server. Common values: `587` (STARTTLS), `465` (SSL/TLS), `25` (unencrypted).",
                     587
                 )
 
                 data object Username : ConfigProperties<String>(
                     String::class,
                     "messages.providers.email.username",
-                    "Username for the email account"
+                    "Username for the email account",
+                    "The username (usually the full e-mail address) used to **authenticate** with the SMTP server."
                 )
 
                 data object Password : ConfigProperties<String>(
                     String::class,
                     "messages.providers.email.password",
-                    "Password for the email account"
+                    "Password for the email account",
+                    "The password used to **authenticate** with the SMTP server. Keep this value confidential."
                 )
             }
         }
@@ -301,6 +359,7 @@ sealed class ConfigProperties<T : Serializable>(
             String::class,
             "logs.folder",
             "Storage folder for log files",
+            "Path to the directory where Gameyfin writes its **log files**. Can be absolute or relative to the working directory.",
             "./logs"
         )
 
@@ -308,6 +367,7 @@ sealed class ConfigProperties<T : Serializable>(
             Int::class,
             "logs.max-history-days",
             "Log retention in days",
+            "Number of days log files are kept before being **automatically deleted**. Set to `0` to disable automatic clean-up.",
             30
         )
 
@@ -316,6 +376,7 @@ sealed class ConfigProperties<T : Serializable>(
                 LogLevel::class,
                 "logs.level.gameyfin",
                 "Log level (Gameyfin)",
+                "Minimum severity level for Gameyfin's own log messages. Use `DEBUG` or `TRACE` for detailed troubleshooting output.",
                 LogLevel.INFO,
                 LogLevel.entries
             )
@@ -324,6 +385,7 @@ sealed class ConfigProperties<T : Serializable>(
                 LogLevel::class,
                 "logs.level.root",
                 "Log level (Root)",
+                "Minimum severity level for **all other libraries and frameworks** (Spring, Hibernate, …). It is recommended to keep this at `WARN` or `ERROR` in production.",
                 LogLevel.WARN,
                 LogLevel.entries
             )
diff --git a/app/src/main/kotlin/org/gameyfin/app/config/ConfigService.kt b/app/src/main/kotlin/org/gameyfin/app/config/ConfigService.kt
index d79a3f1..5c8187f 100644
--- a/app/src/main/kotlin/org/gameyfin/app/config/ConfigService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/config/ConfigService.kt
@@ -94,6 +94,7 @@ class ConfigService(
                 value = get(configProperty),
                 defaultValue = configProperty.default,
                 type = configProperty.type.simpleName ?: "Unknown",
+                name = configProperty.name,
                 description = configProperty.description,
                 elementType = configProperty.type.java.componentType?.simpleName,
                 allowedValues = configProperty.allowedValues?.map { it.toString() },
diff --git a/app/src/main/kotlin/org/gameyfin/app/config/dto/ConfigEntryDto.kt b/app/src/main/kotlin/org/gameyfin/app/config/dto/ConfigEntryDto.kt
index a18b575..6efa97f 100644
--- a/app/src/main/kotlin/org/gameyfin/app/config/dto/ConfigEntryDto.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/config/dto/ConfigEntryDto.kt
@@ -6,6 +6,7 @@ import java.io.Serializable
 @JsonInclude(JsonInclude.Include.ALWAYS)
 data class ConfigEntryDto(
     val key: String,
+    val name: String,
     val description: String,
     val value: Serializable?,
     val defaultValue: Serializable?,
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/Utils.kt b/app/src/main/kotlin/org/gameyfin/app/core/Utils.kt
index 6b41004..61be357 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/Utils.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/Utils.kt
@@ -20,7 +20,8 @@ class Utils {
         val jvmNanoTimeDiff: Long = System.currentTimeMillis() * 1_000_000 - System.nanoTime()
 
         fun maskEmail(email: String): String {
-            val regex = """(?:\G(?!^)|(?<=^[^@]{2}|@))[^@](?!\.[^.]+$)""".toRegex()
+            @Suppress("RegExpUnnecessaryNonCapturingGroup")
+            val regex = """(?:\G(?!^)|(?<=(?:^[^@]{2})|(?:@)))[^@](?!\.[^.]+$)""".toRegex()
             return email.replace(regex, "*")
         }
 
@@ -101,10 +102,7 @@ fun String.replaceRomanNumerals(): String {
         return sum
     }
 
-    val regex = Regex(
-        """(?<=\s|^)(M{0,4}(CM|CD|D?C{0,3})?(XC|XL|L?X{0,3})?(IX|IV|V?I{0,3})?)(?=\b|\s|$)""",
-        RegexOption.IGNORE_CASE
-    )
+    val regex = Regex("""(?<=\s|^)([MDCLXVI]+)(?=\s|$)""", RegexOption.IGNORE_CASE)
 
     return regex.replace(this) { match ->
         val roman = match.value.uppercase()
@@ -133,35 +131,29 @@ fun HttpServletRequest.getRemoteIp(lookupPolicy: LookupPolicy = LookupPolicy.ANY
     // Add the direct remote address
     this.remoteAddr?.let { candidateIps.add(it) }
 
-    when (lookupPolicy) {
+    return when (lookupPolicy) {
         LookupPolicy.IPV4_ONLY -> {
-            val ipv4Address = candidateIps.firstOrNull { isIpv4(it) }
-            return ipv4Address ?: "unknown"
+            candidateIps.firstOrNull { isIpv4(it) } ?: "unknown"
         }
 
         LookupPolicy.IPV6_ONLY -> {
-            val ipv6Address = candidateIps.firstOrNull { isIpv6(it) }
-            return ipv6Address ?: "unknown"
+            candidateIps.firstOrNull { isIpv6(it) } ?: "unknown"
         }
 
         LookupPolicy.IPV4_PREFERRED -> {
-            val ipv4Address = candidateIps.firstOrNull { isIpv4(it) }
-            return ipv4Address ?: run {
-                val ipv6Address = candidateIps.firstOrNull { isIpv6(it) }
-                ipv6Address ?: "unknown"
-            }
+            candidateIps.firstOrNull { isIpv4(it) }
+                ?: candidateIps.firstOrNull { isIpv6(it) }
+                ?: "unknown"
         }
 
         LookupPolicy.IPV6_PREFERRED -> {
-            val ipv6Address = candidateIps.firstOrNull { isIpv6(it) }
-            return ipv6Address ?: run {
-                val ipv4Address = candidateIps.firstOrNull { isIpv4(it) }
-                ipv4Address ?: "unknown"
-            }
+            candidateIps.firstOrNull { isIpv6(it) }
+                ?: candidateIps.firstOrNull { isIpv4(it) }
+                ?: "unknown"
         }
 
         LookupPolicy.ANY -> {
-            return candidateIps.firstOrNull() ?: "unknown"
+            candidateIps.firstOrNull() ?: "unknown"
         }
     }
 }
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/config/CacheConfig.kt b/app/src/main/kotlin/org/gameyfin/app/core/config/CacheConfig.kt
new file mode 100644
index 0000000..efe9c78
--- /dev/null
+++ b/app/src/main/kotlin/org/gameyfin/app/core/config/CacheConfig.kt
@@ -0,0 +1,24 @@
+package org.gameyfin.app.core.config
+
+import com.github.benmanes.caffeine.cache.Cache
+import com.github.benmanes.caffeine.cache.Caffeine
+import org.gameyfin.app.media.Image
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import java.util.concurrent.TimeUnit
+
+@Configuration
+class CacheConfig {
+
+    /**
+     * Cache for Image entities keyed by ID.
+     */
+    @Bean
+    fun imageCache(): Cache<Long, Image> {
+        return Caffeine.newBuilder()
+            .maximumSize(10_000)
+            .expireAfterWrite(15, TimeUnit.MINUTES)
+            .build()
+    }
+}
+
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/config/JpaConfiguration.kt b/app/src/main/kotlin/org/gameyfin/app/core/config/JpaConfig.kt
similarity index 96%
rename from app/src/main/kotlin/org/gameyfin/app/core/config/JpaConfiguration.kt
rename to app/src/main/kotlin/org/gameyfin/app/core/config/JpaConfig.kt
index d781090..07c3d1b 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/config/JpaConfiguration.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/config/JpaConfig.kt
@@ -7,7 +7,7 @@ import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 
 @Configuration
-class JpaConfiguration {
+class JpaConfig {
 
     @Bean
     fun hibernatePropertiesCustomizer(entityUpdateInterceptor: EntityUpdateInterceptor): HibernatePropertiesCustomizer {
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/download/bandwidth/SessionMonitoredOutputStream.kt b/app/src/main/kotlin/org/gameyfin/app/core/download/bandwidth/SessionMonitoredOutputStream.kt
index 5f5f69c..b3a02be 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/download/bandwidth/SessionMonitoredOutputStream.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/download/bandwidth/SessionMonitoredOutputStream.kt
@@ -1,5 +1,6 @@
 package org.gameyfin.app.core.download.bandwidth
 
+import java.io.FilterOutputStream
 import java.io.OutputStream
 
 /**
@@ -13,12 +14,12 @@ import java.io.OutputStream
  * @param remoteIp The remote IP address of the client (optional)
  */
 class SessionMonitoredOutputStream(
-    private val outputStream: OutputStream,
+    outputStream: OutputStream,
     private val sessionTracker: SessionBandwidthTracker,
     private val gameId: Long? = null,
     private val username: String? = null,
     private val remoteIp: String? = null
-) : OutputStream() {
+) : FilterOutputStream(outputStream) {
 
     init {
         sessionTracker.downloadStarted(gameId, username, remoteIp)
@@ -26,25 +27,17 @@ class SessionMonitoredOutputStream(
 
     override fun write(b: Int) {
         sessionTracker.recordBytes(1)
-        outputStream.write(b)
-    }
-
-    override fun write(b: ByteArray) {
-        write(b, 0, b.size)
+        out.write(b)
     }
 
     override fun write(b: ByteArray, off: Int, len: Int) {
         sessionTracker.recordBytes(len.toLong())
-        outputStream.write(b, off, len)
-    }
-
-    override fun flush() {
-        outputStream.flush()
+        out.write(b, off, len)
     }
 
     override fun close() {
         try {
-            outputStream.close()
+            super.close()
         } finally {
             sessionTracker.downloadCompleted(gameId)
         }
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/download/bandwidth/SessionThrottledOutputStream.kt b/app/src/main/kotlin/org/gameyfin/app/core/download/bandwidth/SessionThrottledOutputStream.kt
index e30c638..d20c335 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/download/bandwidth/SessionThrottledOutputStream.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/download/bandwidth/SessionThrottledOutputStream.kt
@@ -1,5 +1,6 @@
 package org.gameyfin.app.core.download.bandwidth
 
+import java.io.FilterOutputStream
 import java.io.OutputStream
 
 /**
@@ -13,12 +14,12 @@ import java.io.OutputStream
  * @param remoteIp The remote IP address of the client (optional)
  */
 class SessionThrottledOutputStream(
-    private val outputStream: OutputStream,
+    outputStream: OutputStream,
     private val sessionTracker: SessionBandwidthTracker,
     private val gameId: Long? = null,
     private val username: String? = null,
     private val remoteIp: String? = null
-) : OutputStream() {
+) : FilterOutputStream(outputStream) {
 
     init {
         sessionTracker.downloadStarted(gameId, username, remoteIp)
@@ -26,27 +27,17 @@ class SessionThrottledOutputStream(
 
     override fun write(b: Int) {
         sessionTracker.throttle(1)
-        outputStream.write(b)
-    }
-
-    override fun write(b: ByteArray) {
-        write(b, 0, b.size)
+        out.write(b)
     }
 
     override fun write(b: ByteArray, off: Int, len: Int) {
-        // Throttle first, then write - this provides smoother bandwidth control
-        // by acquiring permits before the actual write operation
         sessionTracker.throttle(len.toLong())
-        outputStream.write(b, off, len)
-    }
-
-    override fun flush() {
-        outputStream.flush()
+        out.write(b, off, len)
     }
 
     override fun close() {
         try {
-            outputStream.close()
+            super.close()
         } finally {
             sessionTracker.downloadCompleted(gameId)
         }
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/download/files/DownloadService.kt b/app/src/main/kotlin/org/gameyfin/app/core/download/files/DownloadService.kt
index 3d97ced..2582dfa 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/download/files/DownloadService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/download/files/DownloadService.kt
@@ -7,6 +7,7 @@ import org.gameyfin.app.core.download.bandwidth.SessionBandwidthManager
 import org.gameyfin.app.core.download.bandwidth.SessionMonitoredOutputStream
 import org.gameyfin.app.core.download.bandwidth.SessionThrottledOutputStream
 import org.gameyfin.app.core.download.provider.DownloadProviderDto
+import org.gameyfin.app.core.metrics.DownloadMetrics
 import org.gameyfin.app.core.plugins.management.GameyfinPluginDescriptor
 import org.gameyfin.app.core.plugins.management.GameyfinPluginManager
 import org.gameyfin.app.games.entities.Game
@@ -25,6 +26,7 @@ class DownloadService(
     private val pluginManager: GameyfinPluginManager,
     private val configService: ConfigService,
     private val sessionBandwidthManager: SessionBandwidthManager,
+    private val downloadMetrics: DownloadMetrics,
 ) {
 
     companion object {
@@ -80,7 +82,9 @@ class DownloadService(
         // Always get a tracker to enable stats monitoring, even without throttling
         val tracker = sessionBandwidthManager.getTracker(sessionId, maxBytesPerSecond)
 
-        val finalOutputStream = if (maxBytesPerSecond > 0) {
+        val throttled = maxBytesPerSecond > 0
+
+        val finalOutputStream = if (throttled) {
             log.debug {
                 "Applying session-based bandwidth limit of $bandwidthLimitMbps Mbps ($maxBytesPerSecond bytes/sec) " +
                         "for download of '${game.title}' (active downloads for this session: ${tracker.activeDownloads.get()})"
@@ -94,6 +98,8 @@ class DownloadService(
             SessionMonitoredOutputStream(outputStream, tracker, game.id, username, remoteIp)
         }
 
+        downloadMetrics.recordDownloadStarted(throttled)
+
         try {
             finalOutputStream.use {
                 val timeTaken = measureTime {
@@ -101,12 +107,17 @@ class DownloadService(
                     finalOutputStream.flush()
                 }
 
+                val bytesWritten = tracker.totalBytesTransferred
+                downloadMetrics.recordDownloadCompleted(bytesWritten)
+
                 log.debug {
                     "Download of game '${game.title}' [ID ${game.id}] by user '${username ?: "anonymous user"}' " +
                             "(session: $sessionId) completed in ${timeTaken.toString(DurationUnit.SECONDS)}"
                 }
             }
         } catch (e: IOException) {
+            downloadMetrics.recordDownloadFailed()
+
             // Client disconnected (cancelled download, network error, etc.)
             // This is expected behavior, log at debug level instead of error
             log.debug {
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/filesystem/FilesystemService.kt b/app/src/main/kotlin/org/gameyfin/app/core/filesystem/FilesystemService.kt
index 7502a86..25a3f22 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/filesystem/FilesystemService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/filesystem/FilesystemService.kt
@@ -100,11 +100,11 @@ class FilesystemService(
                     if (!it.isDirectory()) return@filter true
 
                     val contents = safeReadDirectoryContents(it)
-                    if (contents.isEmpty() && !config.get(ConfigProperties.Libraries.Scan.ScanEmptyDirectories)!!) {
+                    return@filter if (contents.isEmpty() && !config.get(ConfigProperties.Libraries.Scan.ScanEmptyDirectories)!!) {
                         log.debug { "Directory '$it' is empty and will be ignored" }
-                        return@filter false
+                        false
                     } else {
-                        return@filter true
+                        true
                     }
                 }
         }
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/logging/LogService.kt b/app/src/main/kotlin/org/gameyfin/app/core/logging/LogService.kt
index 3518963..48247ae 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/logging/LogService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/logging/LogService.kt
@@ -2,9 +2,9 @@ package org.gameyfin.app.core.logging
 
 import ch.qos.logback.classic.LoggerContext
 import ch.qos.logback.classic.joran.JoranConfigurator
-import org.gameyfin.app.config.ConfigService
 import io.github.oshai.kotlinlogging.KotlinLogging
 import org.gameyfin.app.config.ConfigProperties
+import org.gameyfin.app.config.ConfigService
 import org.gameyfin.app.core.logging.util.AsyncFileTailer
 import org.slf4j.LoggerFactory
 import org.springframework.boot.context.event.ApplicationStartedEvent
@@ -27,7 +27,7 @@ class LogService(
         private const val LOG_CONFIG_TEMPLATE = "templates/log-config-template.xml"
         private const val LOG_FILE_NAME = "gameyfin"
         private val LOG_REFRESH_INTERVAL = 5.seconds
-        private const val LOG_STREAM_RETENTION = 1000
+        private const val LOG_STREAM_RETENTION = 500
     }
 
     private val log = KotlinLogging.logger {}
@@ -80,7 +80,7 @@ class LogService(
         levelRoot: LogLevel
     ): InputStream {
         val template = javaClass.classLoader.getResourceAsStream(LOG_CONFIG_TEMPLATE)
-            ?: throw IllegalStateException("Log config template not found")
+            ?: error("Log config template not found")
 
         val templateString = template.bufferedReader().use { it.readText() }
         return templateString
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/metrics/DownloadMetrics.kt b/app/src/main/kotlin/org/gameyfin/app/core/metrics/DownloadMetrics.kt
new file mode 100644
index 0000000..7559ac5
--- /dev/null
+++ b/app/src/main/kotlin/org/gameyfin/app/core/metrics/DownloadMetrics.kt
@@ -0,0 +1,84 @@
+package org.gameyfin.app.core.metrics
+
+import io.micrometer.core.instrument.Counter
+import io.micrometer.core.instrument.MeterRegistry
+import org.gameyfin.app.core.download.bandwidth.SessionBandwidthManager
+import org.springframework.stereotype.Component
+import java.util.concurrent.atomic.AtomicInteger
+
+/**
+ * Prometheus metrics for game downloads.
+ *
+ * Exported metrics:
+ * - `gameyfin_downloads_started_total`       – counter of downloads started (tags: throttled)
+ * - `gameyfin_downloads_completed_total`     – counter of downloads completed successfully
+ * - `gameyfin_downloads_failed_total`        – counter of downloads that failed / were cancelled
+ * - `gameyfin_downloads_active`              – gauge of currently active downloads
+ * - `gameyfin_downloads_bytes_total`         – counter of total bytes streamed to clients
+ * - `gameyfin_downloads_active_sessions`     – gauge of sessions with at least one active download
+ * - `gameyfin_downloads_bandwidth_bytes_per_second` – gauge of aggregate current bandwidth across all sessions
+ */
+@Component
+class DownloadMetrics(
+    registry: MeterRegistry,
+    sessionBandwidthManager: SessionBandwidthManager
+) {
+
+    private val activeDownloads = AtomicInteger(0)
+
+    private val downloadsStartedThrottled: Counter = Counter.builder("gameyfin.downloads.started")
+        .description("Total number of downloads started")
+        .tag("throttled", "true")
+        .register(registry)
+
+    private val downloadsStartedUnthrottled: Counter = Counter.builder("gameyfin.downloads.started")
+        .description("Total number of downloads started")
+        .tag("throttled", "false")
+        .register(registry)
+
+    private val downloadsCompleted: Counter = Counter.builder("gameyfin.downloads.completed")
+        .description("Total number of downloads completed successfully")
+        .register(registry)
+
+    private val downloadsFailed: Counter = Counter.builder("gameyfin.downloads.failed")
+        .description("Total number of downloads that failed or were cancelled")
+        .register(registry)
+
+    private val bytesTransferred: Counter = Counter.builder("gameyfin.downloads.bytes")
+        .description("Total bytes streamed to clients")
+        .baseUnit("bytes")
+        .register(registry)
+
+    init {
+        registry.gauge("gameyfin.downloads.active", activeDownloads) { it.get().toDouble() }
+
+        registry.gauge("gameyfin.downloads.active.sessions", sessionBandwidthManager) {
+            it.getStats().values.count { s -> s.activeDownloads > 0 }.toDouble()
+        }
+
+        registry.gauge("gameyfin.downloads.bandwidth.bytes.per.second", sessionBandwidthManager) {
+            it.getStats().values.sumOf { s -> s.currentBytesPerSecond }.toDouble()
+        }
+    }
+
+    /** Call when a download starts. */
+    fun recordDownloadStarted(throttled: Boolean) {
+        activeDownloads.incrementAndGet()
+        if (throttled) downloadsStartedThrottled.increment() else downloadsStartedUnthrottled.increment()
+    }
+
+    /** Call when a download completes successfully. */
+    fun recordDownloadCompleted(bytesWritten: Long) {
+        activeDownloads.decrementAndGet()
+        downloadsCompleted.increment()
+        bytesTransferred.increment(bytesWritten.toDouble())
+    }
+
+    /** Call when a download fails or is cancelled by the client. */
+    fun recordDownloadFailed() {
+        activeDownloads.decrementAndGet()
+        downloadsFailed.increment()
+    }
+}
+
+
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/metrics/ScanMetrics.kt b/app/src/main/kotlin/org/gameyfin/app/core/metrics/ScanMetrics.kt
new file mode 100644
index 0000000..139a93c
--- /dev/null
+++ b/app/src/main/kotlin/org/gameyfin/app/core/metrics/ScanMetrics.kt
@@ -0,0 +1,110 @@
+package org.gameyfin.app.core.metrics
+
+import io.micrometer.core.instrument.Counter
+import io.micrometer.core.instrument.MeterRegistry
+import io.micrometer.core.instrument.Timer
+import org.gameyfin.app.libraries.enums.ScanType
+import org.springframework.stereotype.Component
+import java.util.concurrent.TimeUnit
+import java.util.concurrent.atomic.AtomicInteger
+
+/**
+ * Prometheus metrics for library scanning.
+ *
+ * Exported metrics:
+ * - `gameyfin_scans_started_total`        – counter of scans started (tags: type)
+ * - `gameyfin_scans_completed_total`      – counter of scans completed (tags: type)
+ * - `gameyfin_scans_failed_total`         – counter of scans that failed (tags: type)
+ * - `gameyfin_scans_active`               – gauge of currently running scans
+ * - `gameyfin_scans_duration_seconds`     – timer of scan duration (tags: type)
+ * - `gameyfin_scans_games_new_total`      – counter of newly matched games
+ * - `gameyfin_scans_games_removed_total`  – counter of removed games
+ * - `gameyfin_scans_games_updated_total`  – counter of updated games
+ * - `gameyfin_scans_games_unmatched_total`– counter of unmatched paths
+ */
+@Component
+class ScanMetrics(private val registry: MeterRegistry) {
+
+    private val activeScans = AtomicInteger(0)
+
+    // Pre-register per-type counters & timers
+    private val scansStarted = ScanType.entries.associateWith { type ->
+        Counter.builder("gameyfin.scans.started")
+            .description("Total number of library scans started")
+            .tag("type", type.name.lowercase())
+            .register(registry)
+    }
+
+    private val scansCompleted = ScanType.entries.associateWith { type ->
+        Counter.builder("gameyfin.scans.completed")
+            .description("Total number of library scans completed successfully")
+            .tag("type", type.name.lowercase())
+            .register(registry)
+    }
+
+    private val scansFailed = ScanType.entries.associateWith { type ->
+        Counter.builder("gameyfin.scans.failed")
+            .description("Total number of library scans that failed")
+            .tag("type", type.name.lowercase())
+            .register(registry)
+    }
+
+    private val scanDuration = ScanType.entries.associateWith { type ->
+        Timer.builder("gameyfin.scans.duration")
+            .description("Duration of library scans")
+            .tag("type", type.name.lowercase())
+            .register(registry)
+    }
+
+    private val gamesNew: Counter = Counter.builder("gameyfin.scans.games.new")
+        .description("Total number of new games found during scans")
+        .register(registry)
+
+    private val gamesRemoved: Counter = Counter.builder("gameyfin.scans.games.removed")
+        .description("Total number of games removed during scans")
+        .register(registry)
+
+    private val gamesUpdated: Counter = Counter.builder("gameyfin.scans.games.updated")
+        .description("Total number of games updated during scans")
+        .register(registry)
+
+    private val gamesUnmatched: Counter = Counter.builder("gameyfin.scans.games.unmatched")
+        .description("Total number of unmatched paths during scans")
+        .register(registry)
+
+    init {
+        registry.gauge("gameyfin.scans.active", activeScans) { it.get().toDouble() }
+    }
+
+    /** Call when a scan starts. */
+    fun recordScanStarted(type: ScanType) {
+        activeScans.incrementAndGet()
+        scansStarted.getValue(type).increment()
+    }
+
+    /** Call when a scan completes successfully. */
+    fun recordScanCompleted(
+        type: ScanType,
+        durationMillis: Long,
+        newGames: Int,
+        removedGames: Int,
+        unmatchedPaths: Int,
+        updatedGames: Int = 0
+    ) {
+        activeScans.decrementAndGet()
+        scansCompleted.getValue(type).increment()
+        scanDuration.getValue(type).record(durationMillis, TimeUnit.MILLISECONDS)
+
+        if (newGames > 0) gamesNew.increment(newGames.toDouble())
+        if (removedGames > 0) gamesRemoved.increment(removedGames.toDouble())
+        if (updatedGames > 0) gamesUpdated.increment(updatedGames.toDouble())
+        if (unmatchedPaths > 0) gamesUnmatched.increment(unmatchedPaths.toDouble())
+    }
+
+    /** Call when a scan fails. */
+    fun recordScanFailed(type: ScanType, durationMillis: Long) {
+        activeScans.decrementAndGet()
+        scansFailed.getValue(type).increment()
+        scanDuration.getValue(type).record(durationMillis, TimeUnit.MILLISECONDS)
+    }
+}
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/plugins/PluginService.kt b/app/src/main/kotlin/org/gameyfin/app/core/plugins/PluginService.kt
index 45ebb7b..581d0d9 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/plugins/PluginService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/plugins/PluginService.kt
@@ -21,6 +21,7 @@ import org.springframework.data.repository.findByIdOrNull
 import org.springframework.stereotype.Service
 import reactor.core.publisher.Flux
 import reactor.core.publisher.Sinks
+import kotlin.reflect.KClass
 import kotlin.time.Duration.Companion.milliseconds
 import kotlin.time.toJavaDuration
 
@@ -70,6 +71,12 @@ class PluginService(
             .map { toDto(it) }
     }
 
+    fun getAllByTypeAndState(type: KClass<out ExtensionPoint>, state: PluginState): List<PluginDto> {
+        return pluginManager.getPluginsForExtension(type)
+            .filter { it.pluginState == state }
+            .map { toDto(it) }
+    }
+
     fun getPluginManagementEntry(clazz: Class<out ExtensionPoint>): PluginManagementEntry {
         val pluginWrapper = pluginManager.whichPlugin(clazz)
         return pluginManagementRepository.findByIdOrNull(pluginWrapper.pluginId)
@@ -158,14 +165,15 @@ class PluginService(
     }
 
     fun validatePluginConfig(pluginId: String, forceRevalidation: Boolean = false): PluginConfigValidationResult {
-        if (forceRevalidation || !pluginConfigValidationCache.containsKey(pluginId)) {
+        return if (forceRevalidation || !pluginConfigValidationCache.containsKey(pluginId)) {
             log.debug { "Validating config for plugin $pluginId" }
             val result = pluginManager.validatePluginConfig(pluginId)
             pluginConfigValidationCache[pluginId] = result
-            return result
+            result
         } else {
             log.debug { "Using cached validation result for plugin $pluginId" }
-            return pluginConfigValidationCache[pluginId]!!
+            pluginConfigValidationCache[pluginId]
+                ?: error("Plugin with id $pluginId not found in validation cache")
         }
     }
 
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/plugins/config/PluginConfigEntry.kt b/app/src/main/kotlin/org/gameyfin/app/core/plugins/config/PluginConfigEntry.kt
index 87c2174..f982ffb 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/plugins/config/PluginConfigEntry.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/plugins/config/PluginConfigEntry.kt
@@ -10,6 +10,7 @@ data class PluginConfigEntry(
     @EmbeddedId
     val id: PluginConfigEntryKey,
 
+    @Lob
     @Column(name = "`value`")
     @Convert(converter = EncryptionConverter::class)
     val value: String
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinJarPluginLoader.kt b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinJarPluginLoader.kt
index c0b1abd..d328790 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinJarPluginLoader.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinJarPluginLoader.kt
@@ -20,9 +20,7 @@ class GameyfinJarPluginLoader(
     }
 
     override fun loadPlugin(pluginPath: Path, pluginDescriptor: PluginDescriptor?): ClassLoader {
-        if (pluginDescriptor == null) {
-            throw IllegalArgumentException("Plugin descriptor cannot be null")
-        }
+        requireNotNull(pluginDescriptor) { "Plugin descriptor cannot be null" }
 
         val pluginClassLoader = GameyfinPluginClassLoader(
             pluginManager,
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinManifestPluginDescriptorFinder.kt b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinManifestPluginDescriptorFinder.kt
index 37b3be3..3f234b9 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinManifestPluginDescriptorFinder.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinManifestPluginDescriptorFinder.kt
@@ -13,7 +13,7 @@ class GameyfinManifestPluginDescriptorFinder : ManifestPluginDescriptorFinder()
     }
 
     public override fun createPluginDescriptor(manifest: Manifest?): GameyfinPluginDescriptor {
-        if (manifest == null) throw IllegalArgumentException("Manifest cannot be null")
+        requireNotNull(manifest) { "Manifest cannot be null" }
 
         val pluginDescriptor = super.createPluginDescriptor(manifest)
 
@@ -22,10 +22,10 @@ class GameyfinManifestPluginDescriptorFinder : ManifestPluginDescriptorFinder()
         return GameyfinPluginDescriptor(
             descriptor = pluginDescriptor,
             name = attributes.getValue(PLUGIN_NAME)
-                ?: throw IllegalStateException("Plugin-Name not found in manifest"),
+                ?: error("Plugin-Name not found in manifest"),
             shortDescription = attributes.getValue(PLUGIN_SHORT_DESCRIPTION),
             author = attributes.getValue(PLUGIN_AUTHOR)
-                ?: throw IllegalStateException("Plugin-Author not found in manifest"),
+                ?: error("Plugin-Author not found in manifest"),
             url = attributes.getValue(PLUGIN_URL),
         )
     }
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginClassLoader.kt b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginClassLoader.kt
index e67b2a5..18f84d2 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginClassLoader.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginClassLoader.kt
@@ -19,6 +19,8 @@ class GameyfinPluginClassLoader(
         try {
             return super.loadClass(className)
         } catch (_: SecurityException) {
+            // This can happen when the plugin JAR is signed but the signature is invalid (e.g. due to file corruption or tampering).
+            // In this case, we want to catch the exception and return null to indicate that the class could not be loaded, instead of crashing the entire plugin loading process.
         }
 
         return null
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginDescriptor.kt b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginDescriptor.kt
index c9f952e..984b4e1 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginDescriptor.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginDescriptor.kt
@@ -38,7 +38,7 @@ data class GameyfinPluginDescriptor(
         // This is because the internal (List<PluginDependency>) and external (List<String>) representation of the field differ
         this.javaClass.superclass.getDeclaredField("dependencies").let {
             it.isAccessible = true
-            it.set(this, descriptor.dependencies)
+            it[this] = descriptor.dependencies
         }
     }
 
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginManager.kt b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginManager.kt
index 3de55c1..bbf4b52 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginManager.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginManager.kt
@@ -8,12 +8,10 @@ import org.gameyfin.pluginapi.core.config.PluginConfigValidationResultType
 import org.pf4j.*
 import org.springframework.data.repository.findByIdOrNull
 import org.springframework.stereotype.Component
-import java.io.InputStream
 import java.nio.file.Path
 import java.security.PublicKey
 import java.security.cert.CertificateFactory
 import java.security.cert.X509Certificate
-import java.util.jar.JarFile
 import kotlin.io.path.Path
 import kotlin.io.path.extension
 import kotlin.reflect.KClass
@@ -32,10 +30,11 @@ class GameyfinPluginManager(
 
     companion object {
         private const val PUBLIC_KEY_FILE = "certificates/gameyfin-plugins.pem"
+        private val log = KotlinLogging.logger {}
     }
-
-    private val log = KotlinLogging.logger {}
+    
     private val publicKey: PublicKey = loadPluginSignaturePublicKey()
+    private val signatureVerifier = PluginSignatureVerifier(publicKey)
 
     init {
         // This took me way too long to figure out...
@@ -59,10 +58,24 @@ class GameyfinPluginManager(
     }
 
     override fun createPluginLoader(): PluginLoader {
-        return when (this.isDevelopment) {
-            true -> GameyfinDevelopmentPluginLoader(this, javaClass.classLoader)
-            false -> GameyfinJarPluginLoader(this)
+        val pluginLoader = CompoundPluginLoader()
+
+        val jarPluginLoader = GameyfinJarPluginLoader(this)
+        pluginLoader.add(jarPluginLoader)
+
+        if (this.isDevelopment) {
+            val classPluginLoader = GameyfinDevelopmentPluginLoader(this, javaClass.classLoader)
+            pluginLoader.add(classPluginLoader)
         }
+
+        return pluginLoader
+    }
+
+    override fun createPluginRepository(): PluginRepository? {
+        return CompoundPluginRepository()
+            .add(JarPluginRepository(getPluginsRoots()))
+            .add(DefaultPluginRepository(getPluginsRoots()))
+            .add(DevelopmentPluginRepository(getPluginsRoots())) { this.isDevelopment }
     }
 
     override fun createPluginStatusProvider(): PluginStatusProvider {
@@ -83,11 +96,7 @@ class GameyfinPluginManager(
         return extensionFinder
     }
 
-    public override fun checkPluginId(pluginId: String) {
-        super.checkPluginId(pluginId)
-    }
-
-    override fun loadPluginFromPath(pluginPath: Path): PluginWrapper? {
+    public override fun loadPluginFromPath(pluginPath: Path): PluginWrapper? {
 
         if (pluginPath.endsWith("data") || pluginPath.endsWith("state")) {
             log.info { "Skipping non-plugin path '$pluginPath'" }
@@ -95,7 +104,7 @@ class GameyfinPluginManager(
         }
 
         val pluginWrapper = try {
-            super.loadPluginFromPath(pluginPath)
+            superLoadPluginFromPath(pluginPath)
         } catch (e: Exception) {
             log.error { "Failed to load plugin '$pluginPath': ${e.message}" }
             null
@@ -115,7 +124,7 @@ class GameyfinPluginManager(
                 PluginManagementEntry(pluginId = pluginWrapper.pluginId, priority = currentMaxPriority + 1)
 
             pluginManagementEntry.trustLevel = when (pluginPath.extension) {
-                "jar" -> verifyPluginSignature(pluginPath)
+                "jar" -> signatureVerifier.verifyPluginSignature(pluginPath)
                 else -> PluginTrustLevel.BUNDLED
             }
 
@@ -125,12 +134,14 @@ class GameyfinPluginManager(
             ) {
                 pluginManagementEntry.enabled = true
                 log.info { "Plugin ${pluginWrapper.pluginId} verified, starting" }
+                // Save management entry before starting, so startPlugin can find it in the database
+                pluginManagementRepository.save(pluginManagementEntry)
                 startPlugin(pluginWrapper.pluginId)
             }
         } else {
             // Just re-verify the plugin if it was already in the database
             pluginManagementEntry.trustLevel = when (pluginPath.extension) {
-                "jar" -> verifyPluginSignature(pluginPath)
+                "jar" -> signatureVerifier.verifyPluginSignature(pluginPath)
                 else -> PluginTrustLevel.BUNDLED
             }
         }
@@ -155,12 +166,21 @@ class GameyfinPluginManager(
         if (pluginId == null) return PluginState.FAILED
 
         val trustLevel = pluginManagementRepository.findByIdOrNull(pluginId)?.trustLevel ?: PluginTrustLevel.UNKNOWN
-        if (trustLevel == PluginTrustLevel.UNTRUSTED) {
-            val pluginWrapper = getPlugin(pluginId)
-            val pluginState = PluginState.UNLOADED
+        when (trustLevel) {
+            PluginTrustLevel.UNTRUSTED -> {
+                val pluginWrapper = getPlugin(pluginId)
+                val pluginState = PluginState.UNLOADED
+                this.firePluginStateEvent(PluginStateEvent(this, pluginWrapper, pluginState))
+                return pluginState
+            }
 
-            this.firePluginStateEvent(PluginStateEvent(this, pluginWrapper, pluginState))
-            return pluginState
+            PluginTrustLevel.UNKNOWN -> {
+                val pluginWrapper = getPlugin(pluginId)
+                log.warn { "Plugin $pluginId has unknown trust level, not starting" }
+                return pluginWrapper?.pluginState
+            }
+
+            else -> Unit
         }
 
         // Validate config before starting the plugin
@@ -233,12 +253,16 @@ class GameyfinPluginManager(
             .map { it.simpleName }
     }
 
-    fun getPluginForExtension(extensionClass: Class<ExtensionPoint>): PluginWrapper? {
-        return getPlugins().firstOrNull { pluginWrapper ->
-            getExtensionClasses(pluginWrapper.pluginId).any { it == extensionClass }
+    fun getPluginsForExtension(extensionClass: KClass<out ExtensionPoint>): List<PluginWrapper> {
+        return getPlugins().filter { pluginWrapper ->
+            supportsExtensionType(pluginWrapper.pluginId, extensionClass)
         }
     }
 
+    fun getPluginForExtension(extensionClass: KClass<out ExtensionPoint>): PluginWrapper? {
+        return getPluginsForExtension(extensionClass).firstOrNull()
+    }
+
     fun getManagementEntry(pluginId: String): PluginManagementEntry {
         return pluginManagementRepository.findByIdOrNull(pluginId)
             ?: throw IllegalArgumentException("Plugin with ID $pluginId not found")
@@ -264,48 +288,9 @@ class GameyfinPluginManager(
         return cert.publicKey
     }
 
-    private fun verifyPluginSignature(pluginPath: Path): PluginTrustLevel {
-        val jarFile = JarFile(pluginPath.toFile(), true)
-        val entries = jarFile.entries()
 
-        while (entries.hasMoreElements()) {
-            val entry = entries.nextElement()
-            if (entry.isDirectory || entry.name.startsWith("META-INF/")) continue
-
-            try {
-                val buffer = ByteArray(8192)
-                val entryInputStream: InputStream = jarFile.getInputStream(entry)
-                while ((entryInputStream.read(buffer, 0, buffer.size)) != -1) {
-                    // We just read
-                    // This will throw a SecurityException if a signature/digest check fails
-                }
-            } catch (_: SecurityException) {
-                // Signature verification failed
-                return PluginTrustLevel.UNTRUSTED
-            }
-
-            val codeSigners = entry.codeSigners
-
-            if (codeSigners == null || codeSigners.isEmpty()) {
-                // No code signers, so we can't verify the signature
-                return PluginTrustLevel.THIRD_PARTY
-            }
-
-            for (codeSigner in codeSigners) {
-                val certs = codeSigner.signerCertPath.certificates
-
-                for (cert in certs) {
-                    if (cert is X509Certificate) {
-                        try {
-                            cert.verify(publicKey)
-                        } catch (_: Exception) {
-                            // Signature verification failed
-                            return PluginTrustLevel.UNTRUSTED
-                        }
-                    }
-                }
-            }
-        }
-        return PluginTrustLevel.OFFICIAL
+    // Needed for unit testing since super.loadPluginFromPath is protected
+    internal fun superLoadPluginFromPath(pluginPath: Path): PluginWrapper? {
+        return super.loadPluginFromPath(pluginPath)
     }
 }
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/PluginManagerConfig.kt b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/PluginManagerConfig.kt
index 73dca2e..265d4ff 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/PluginManagerConfig.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/PluginManagerConfig.kt
@@ -8,7 +8,8 @@ import org.springframework.scheduling.annotation.Async
 
 @Configuration
 class PluginManagerConfig(
-    private val pluginManager: GameyfinPluginManager
+    private val pluginManager: GameyfinPluginManager,
+    private val pluginsLoadedIndicator: PluginsLoadedIndicator
 ) {
     private val log = KotlinLogging.logger {}
 
@@ -18,5 +19,6 @@ class PluginManagerConfig(
         pluginManager.loadPlugins()
         pluginManager.startPlugins()
         log.info { "Loaded plugins: ${pluginManager.plugins.map { it.pluginId }}" }
+        pluginsLoadedIndicator.markReady()
     }
 }
\ No newline at end of file
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/PluginSignatureVerifier.kt b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/PluginSignatureVerifier.kt
new file mode 100644
index 0000000..63e89d5
--- /dev/null
+++ b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/PluginSignatureVerifier.kt
@@ -0,0 +1,77 @@
+package org.gameyfin.app.core.plugins.management
+
+import java.io.InputStream
+import java.nio.file.Path
+import java.security.CodeSigner
+import java.security.PublicKey
+import java.security.cert.Certificate
+import java.security.cert.X509Certificate
+import java.util.jar.JarEntry
+import java.util.jar.JarFile
+
+/**
+ * Verifies JAR plugin signatures against a trusted public key.
+ */
+class PluginSignatureVerifier(private val publicKey: PublicKey) {
+
+    fun verifyPluginSignature(pluginPath: Path): PluginTrustLevel {
+        val jarFile = JarFile(pluginPath.toFile(), true)
+        val entries = jarFile.entries()
+
+        while (entries.hasMoreElements()) {
+            val entry = entries.nextElement()
+            if (entry.isDirectory || entry.name.startsWith("META-INF/")) continue
+
+            if (!verifyEntryDigest(jarFile, entry)) return PluginTrustLevel.UNTRUSTED
+
+            val codeSigners = entry.codeSigners
+            if (codeSigners.isNullOrEmpty()) return PluginTrustLevel.THIRD_PARTY
+
+            val signersTrustLevel = verifyCodeSigners(codeSigners)
+            if (signersTrustLevel != PluginTrustLevel.OFFICIAL) return signersTrustLevel
+        }
+        return PluginTrustLevel.OFFICIAL
+    }
+
+    /**
+     * Reads the full entry stream to trigger JAR signature/digest verification.
+     * Returns `true` if the entry is valid, `false` if signature verification failed.
+     */
+    fun verifyEntryDigest(jarFile: JarFile, entry: JarEntry): Boolean {
+        return try {
+            val buffer = ByteArray(8192)
+            val entryInputStream: InputStream = jarFile.getInputStream(entry)
+            while (entryInputStream.read(buffer, 0, buffer.size) != -1) {
+                // Reading to trigger SecurityException on digest mismatch
+            }
+            true
+        } catch (_: SecurityException) {
+            false
+        }
+    }
+
+    /**
+     * Verifies that all code signers' certificates are signed with the expected public key.
+     */
+    fun verifyCodeSigners(codeSigners: Array<CodeSigner>): PluginTrustLevel {
+        for (codeSigner in codeSigners) {
+            val certs = codeSigner.signerCertPath.certificates.toList()
+            val trustLevel = verifyCertificates(certs)
+            if (trustLevel != PluginTrustLevel.OFFICIAL) return trustLevel
+        }
+        return PluginTrustLevel.OFFICIAL
+    }
+
+    fun verifyCertificates(certs: List<Certificate>): PluginTrustLevel {
+        for (cert in certs) {
+            if (cert !is X509Certificate) continue
+            try {
+                cert.verify(publicKey)
+            } catch (_: Exception) {
+                return PluginTrustLevel.UNTRUSTED
+            }
+        }
+        return PluginTrustLevel.OFFICIAL
+    }
+}
+
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/PluginsLoadedIndicator.kt b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/PluginsLoadedIndicator.kt
new file mode 100644
index 0000000..d7f13cd
--- /dev/null
+++ b/app/src/main/kotlin/org/gameyfin/app/core/plugins/management/PluginsLoadedIndicator.kt
@@ -0,0 +1,25 @@
+package org.gameyfin.app.core.plugins.management
+
+import org.springframework.boot.health.contributor.Health
+import org.springframework.boot.health.contributor.HealthIndicator
+import org.springframework.stereotype.Component
+import java.util.concurrent.atomic.AtomicBoolean
+
+@Component("pluginsLoaded")
+class PluginsLoadedIndicator : HealthIndicator {
+
+    private val ready = AtomicBoolean(false)
+
+    fun markReady() {
+        ready.set(true)
+    }
+
+    override fun health(): Health {
+        return if (ready.get()) {
+            Health.up().withDetail("plugins", "loaded").build()
+        } else {
+            Health.outOfService().withDetail("plugins", "loading").build()
+        }
+    }
+}
+
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/security/EncryptionUtils.kt b/app/src/main/kotlin/org/gameyfin/app/core/security/EncryptionUtils.kt
index 604d034..d0c4a5e 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/security/EncryptionUtils.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/security/EncryptionUtils.kt
@@ -4,6 +4,10 @@ import java.util.*
 import javax.crypto.Cipher
 import javax.crypto.spec.SecretKeySpec
 
+// Suppress warnings about use of AES/ECB mode.
+// DB lookups (SQL WHERE) need deterministic values which is only possible when using a mode without IV.
+// This is a trade-off between security and practicability.
+@Suppress("kotlin:S5542")
 class EncryptionUtils {
     companion object {
         private const val ALGORITHM = "AES"
@@ -16,7 +20,7 @@ class EncryptionUtils {
         // Extracted for testability
         internal fun getAppKey(): String {
             return System.getenv("APP_KEY")
-                ?: throw IllegalStateException("APP_KEY environment variable is not set or empty")
+                ?: error("APP_KEY environment variable is not set or empty")
         }
 
         fun encrypt(value: String): String {
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/security/OidcUserExtensions.kt b/app/src/main/kotlin/org/gameyfin/app/core/security/OidcUserExtensions.kt
new file mode 100644
index 0000000..b94d2d3
--- /dev/null
+++ b/app/src/main/kotlin/org/gameyfin/app/core/security/OidcUserExtensions.kt
@@ -0,0 +1,25 @@
+package org.gameyfin.app.core.security
+
+import org.springframework.security.oauth2.core.oidc.user.OidcUser
+
+/**
+ * Resolves the username from an OidcUser, using [attributeName] as the primary claim.
+ *
+ * Falls back through the following chain when the preferred claim is absent or blank:
+ *   1. `preferred_username`
+ *   2. `nickname`
+ *   3. `name`
+ *   4. `email`
+ *   5. `sub` (always present, used as last resort)
+ */
+fun OidcUser.resolvedUsername(attributeName: String = "preferred_username"): String {
+    // Try the configured attribute first, then fall through the standard fallback chain
+    val candidates = linkedSetOf(attributeName, "preferred_username", "nickname", "name", "email")
+    for (claim in candidates) {
+        val value = getClaim<String>(claim)
+        if (!value.isNullOrBlank()) return value
+    }
+    // `sub` is mandatory in OIDC and always present
+    return subject
+}
+
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt b/app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt
index f7d6949..a2dd692 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/security/SecurityConfig.kt
@@ -7,6 +7,7 @@ import org.gameyfin.app.config.ConfigService
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Conditional
 import org.springframework.context.annotation.Configuration
+import org.springframework.core.annotation.Order
 import org.springframework.core.env.Environment
 import org.springframework.http.HttpStatus
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
@@ -32,15 +33,26 @@ class SecurityConfig(
 
     companion object {
         const val SSO_PROVIDER_KEY = "oidc"
+        const val LOGIN_URL = "/login"
     }
 
+    @Order(1)
+    @Bean
+    fun actuatorFilterChain(http: HttpSecurity): SecurityFilterChain {
+        http.securityMatcher("/actuator/**")
+            .authorizeHttpRequests { auth -> auth.anyRequest().permitAll() }
+            .csrf { csrf -> csrf.disable() }
+        return http.build()
+    }
+
+    @Order(2)
     @Bean
     fun filterChain(http: HttpSecurity, routeUtil: RouteUtil): SecurityFilterChain {
         // Apply Vaadin configuration first to properly configure CSRF and request matchers
         if (config.get(ConfigProperties.SSO.OIDC.Enabled) == true) {
             http.with(VaadinSecurityConfigurer.vaadin()) { configurer ->
                 // Redirect to SSO provider on logout
-                configurer.loginView("/login", config.get(ConfigProperties.SSO.OIDC.LogoutUrl))
+                configurer.loginView(LOGIN_URL, config.get(ConfigProperties.SSO.OIDC.LogoutUrl))
             }
 
             // Use custom success handler to handle user registration
@@ -57,7 +69,7 @@ class SecurityConfig(
         } else {
             // Use default Vaadin login URLs
             http.with(VaadinSecurityConfigurer.vaadin()) { configurer ->
-                configurer.loginView("/login")
+                configurer.loginView(LOGIN_URL)
             }
         }
 
@@ -66,7 +78,7 @@ class SecurityConfig(
             auth.requestMatchers(routeUtil::isRouteAllowed).permitAll()
                 // Gameyfin static resources and public endpoints
                 .requestMatchers(
-                    "/login",
+                    LOGIN_URL,
                     "/loginredirect",
                     "/setup",
                     "/reset-password",
@@ -120,7 +132,7 @@ class SecurityConfig(
             .clientId(config.get(ConfigProperties.SSO.OIDC.ClientId))
             .clientSecret(config.get(ConfigProperties.SSO.OIDC.ClientSecret))
             .scope(config.get(ConfigProperties.SSO.OIDC.OAuthScopes)?.toList())
-            .userNameAttributeName("preferred_username")
+            .userNameAttributeName(config.get(ConfigProperties.SSO.OIDC.UsernameClaim))
             .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
             .issuerUri(config.get(ConfigProperties.SSO.OIDC.IssuerUrl))
             .authorizationUri(config.get(ConfigProperties.SSO.OIDC.AuthorizeUrl))
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/security/SsoAuthenticationSuccessHandler.kt b/app/src/main/kotlin/org/gameyfin/app/core/security/SsoAuthenticationSuccessHandler.kt
index cfee1ab..7f6b2b6 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/security/SsoAuthenticationSuccessHandler.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/security/SsoAuthenticationSuccessHandler.kt
@@ -35,6 +35,10 @@ class SsoAuthenticationSuccessHandler(
     ) {
         val oidcUser = authentication.principal as OidcUser
 
+        // Resolve the username using the configured claim with automatic fallback
+        val usernameAttributeName = config.get(ConfigProperties.SSO.OIDC.UsernameClaim) ?: "preferred_username"
+        val resolvedUsername = oidcUser.resolvedUsername(usernameAttributeName)
+
         // Check if user is already registered via SSO
         var matchedUser = userService.findByOidcProviderId(oidcUser.subject)
 
@@ -42,27 +46,19 @@ class SsoAuthenticationSuccessHandler(
         // This is meant to map existing users to SSO users
         if (matchedUser == null) {
             matchedUser = when (config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy)) {
-                MatchUsersBy.username -> userService.getByUsername(oidcUser.preferredUsername)
+                MatchUsersBy.username -> userService.getByUsername(resolvedUsername)
                 MatchUsersBy.email -> userService.getByEmail(oidcUser.email)
-                else -> throw IllegalStateException("Unknown 'match users by' configuration")
+                else -> error("Unknown 'match users by' configuration")
             }
         }
 
         // User could not be found in the database
         if (matchedUser == null) {
-            // TODO: User registration is currently forced, but this should be configurable.
-            //  However, this causes conflict with user preferences and game entities (since both reference the user entity)
-            // Check if new user registration is enabled
-            //if (config.get(ConfigProperties.SSO.OIDC.AutoRegisterNewUsers) == false) {
-            //    response.sendRedirect("/")
-            //    return
-            //
-
             // Register as new user
-            matchedUser = User(oidcUser)
+            matchedUser = User(oidcUser, resolvedUsername)
         } else {
             // Update user with new SSO data
-            matchedUser.username = oidcUser.preferredUsername
+            matchedUser.username = resolvedUsername
             matchedUser.email = oidcUser.email
             matchedUser.emailConfirmed = true
             matchedUser.oidcProviderId = oidcUser.subject
diff --git a/app/src/main/kotlin/org/gameyfin/app/core/serialization/DisplayableSerializer.kt b/app/src/main/kotlin/org/gameyfin/app/core/serialization/DisplayableSerializer.kt
index a4cf047..90f3a83 100644
--- a/app/src/main/kotlin/org/gameyfin/app/core/serialization/DisplayableSerializer.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/core/serialization/DisplayableSerializer.kt
@@ -18,7 +18,7 @@ class DisplayableSerializer : ValueSerializer<Any>() {
         // Use reflection to get the displayName property
         val displayName = value::class.java.getDeclaredField("displayName").apply {
             isAccessible = true
-        }.get(value) as String
+        }[value] as String
 
         gen.writeString(displayName)
     }
diff --git a/app/src/main/kotlin/org/gameyfin/app/games/GameService.kt b/app/src/main/kotlin/org/gameyfin/app/games/GameService.kt
index 64f4828..a5b40cc 100644
--- a/app/src/main/kotlin/org/gameyfin/app/games/GameService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/games/GameService.kt
@@ -103,7 +103,7 @@ class GameService(
 
 
     fun getAll(): List<GameDto> {
-        val entities = gameRepository.findAll()
+        val entities = gameRepository.findAll().toList()
         return entities.toDtos()
     }
 
@@ -148,6 +148,7 @@ class GameService(
         return gameRepository.saveAll(gamesToBePersisted)
     }
 
+    @Transactional
     fun edit(gameUpdateDto: GameUpdateDto) {
         val existingGame = gameRepository.findByIdOrNull(gameUpdateDto.id)
             ?: throw IllegalArgumentException("Game with ID $gameUpdateDto.id not found")
@@ -155,7 +156,7 @@ class GameService(
         val user = when (val userDetails = getCurrentAuth()?.principal) {
             is UserDetails -> userService.getByUsernameNonNull(userDetails.username)
             is OidcUser -> userService.getByUsernameNonNull(userDetails.preferredUsername)
-            else -> throw IllegalStateException("Unkown user type: ${userDetails?.javaClass?.name}")
+            else -> error("Unknown user type: ${userDetails?.javaClass?.name}")
         }
 
         // Update only non-null fields
@@ -466,7 +467,7 @@ class GameService(
                 try {
                     plugin.fetchByTitle(searchTerm, platformFilter, 10).map { plugin to it }
                 } catch (e: Exception) {
-                    val pluginWrapper = pluginManager.getPluginForExtension(plugin.javaClass)
+                    val pluginWrapper = pluginManager.getPluginForExtension(plugin::class)
                     log.warn { "Error fetching metadata for searchterm '$searchTerm' with plugin '${(pluginWrapper?.descriptor as GameyfinPluginDescriptor?)?.pluginName ?: pluginWrapper?.pluginId ?: plugin.javaClass.name}': ${e.message}" }
                     log.debug(e) {}
                     emptyList()
@@ -601,7 +602,7 @@ class GameService(
                         try {
                             return@async plugin.fetchById(originalId)
                         } catch (e: Exception) {
-                            val pluginWrapper = pluginManager.getPluginForExtension(plugin.javaClass)
+                            val pluginWrapper = pluginManager.getPluginForExtension(plugin::class)
                             log.warn { "Error fetching metadata for game [id: $originalId] with plugin '${(pluginWrapper?.descriptor as GameyfinPluginDescriptor?)?.pluginName ?: pluginWrapper?.pluginId ?: plugin.javaClass.name}': ${e.message}" }
                             log.debug(e) {}
                             null
@@ -749,7 +750,7 @@ class GameService(
                 try {
                     plugin.fetchByTitle(gameTitle, platforms).firstOrNull()
                 } catch (e: Exception) {
-                    val pluginWrapper = pluginManager.getPluginForExtension(plugin.javaClass)
+                    val pluginWrapper = pluginManager.getPluginForExtension(plugin::class)
                     log.warn { "Error fetching metadata for game title '$gameTitle' with plugin '${(pluginWrapper?.descriptor as GameyfinPluginDescriptor?)?.pluginName ?: pluginWrapper?.pluginId ?: plugin.javaClass.name}': ${e.message}" }
                     log.debug(e) {}
                     null
@@ -807,138 +808,10 @@ class GameService(
 
         sortedResults.forEach { (provider, metadata) ->
             val sourcePlugin = providerToManagementEntry[provider] ?: return@forEach
+            if (metadata == null) return@forEach
 
-            metadata?.let { metadata ->
-                originalIdsMap[sourcePlugin] = metadata.originalId
-
-                metadata.platforms?.takeIf { it.isNotEmpty() }?.let { platforms ->
-                    if (!metadataMap.containsKey("platforms")) {
-                        mergedGame.platforms = platforms.toMutableList()
-                        metadataMap["platforms"] =
-                            GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.title.takeIf { it.isNotBlank() }?.let { title ->
-                    if (!metadataMap.containsKey("title")) {
-                        mergedGame.title = title
-                        metadataMap["title"] = GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.description?.takeIf { it.isNotBlank() }?.let { description ->
-                    if (!metadataMap.containsKey("summary")) {
-                        mergedGame.summary = description
-                        metadataMap["summary"] =
-                            GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.coverUrls?.firstOrNull()?.let { coverUrl ->
-                    if (!metadataMap.containsKey("coverImage")) {
-                        mergedGame.coverImage = imageService.createOrGet(
-                            Image(originalUrl = coverUrl.toString(), type = ImageType.COVER)
-                        )
-                        metadataMap["coverImage"] =
-                            GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.headerUrls?.firstOrNull()?.let { headerUrl ->
-                    if (!metadataMap.containsKey("headerImage")) {
-                        mergedGame.headerImage = imageService.createOrGet(
-                            Image(originalUrl = headerUrl.toString(), type = ImageType.HEADER)
-                        )
-                        metadataMap["headerImage"] =
-                            GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.release?.let { release ->
-                    if (!metadataMap.containsKey("release")) {
-                        mergedGame.release = release
-                        metadataMap["release"] =
-                            GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.userRating?.let { userRating ->
-                    if (!metadataMap.containsKey("userRating")) {
-                        mergedGame.userRating = userRating
-                        metadataMap["userRating"] =
-                            GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.criticRating?.let { criticRating ->
-                    if (!metadataMap.containsKey("criticRating")) {
-                        mergedGame.criticRating = criticRating
-                        metadataMap["criticRating"] =
-                            GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.publishedBy?.takeIf { it.isNotEmpty() }?.let { publishedBy ->
-                    if (!metadataMap.containsKey("publishers")) {
-                        mergedGame.publishers =
-                            publishedBy.map { Company(name = it, type = CompanyType.PUBLISHER) }.toMutableList()
-                        metadataMap["publishers"] =
-                            GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.developedBy?.takeIf { it.isNotEmpty() }?.let { developedBy ->
-                    if (!metadataMap.containsKey("developers")) {
-                        mergedGame.developers =
-                            developedBy.map { Company(name = it, type = CompanyType.DEVELOPER) }.toMutableList()
-                        metadataMap["developers"] =
-                            GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.genres?.takeIf { it.isNotEmpty() }?.let { genres ->
-                    if (!metadataMap.containsKey("genres")) {
-                        mergedGame.genres = genres.toList()
-                        metadataMap["genres"] = GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.themes?.takeIf { it.isNotEmpty() }?.let { themes ->
-                    if (!metadataMap.containsKey("themes")) {
-                        mergedGame.themes = themes.toList()
-                        metadataMap["themes"] = GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.keywords?.takeIf { it.isNotEmpty() }?.let { keywords ->
-                    if (!metadataMap.containsKey("keywords")) {
-                        mergedGame.keywords = keywords.toList()
-                        metadataMap["keywords"] =
-                            GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.features?.takeIf { it.isNotEmpty() }?.let { features ->
-                    if (!metadataMap.containsKey("features")) {
-                        mergedGame.features = features.toList()
-                        metadataMap["features"] =
-                            GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.perspectives?.takeIf { it.isNotEmpty() }?.let { perspectives ->
-                    if (!metadataMap.containsKey("perspectives")) {
-                        mergedGame.perspectives = perspectives.toList()
-                        metadataMap["perspectives"] =
-                            GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.screenshotUrls?.takeIf { it.isNotEmpty() }?.let { screenshotUrls ->
-                    if (!metadataMap.containsKey("images")) {
-                        mergedGame.images = runBlocking {
-                            screenshotUrls.map {
-                                imageService.createOrGet(
-                                    Image(originalUrl = it.toString(), type = ImageType.SCREENSHOT)
-                                )
-                            }.toMutableList()
-                        }
-                        metadataMap["images"] = GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-                metadata.videoUrls?.takeIf { it.isNotEmpty() }?.let { videoUrls ->
-                    if (!metadataMap.containsKey("videoUrls")) {
-                        mergedGame.videoUrls = videoUrls.toList()
-                        metadataMap["videoUrls"] =
-                            GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
-                    }
-                }
-            }
+            originalIdsMap[sourcePlugin] = metadata.originalId
+            applyMetadataFields(metadata, sourcePlugin, mergedGame, metadataMap)
         }
 
         mergedGame.metadata.fields = metadataMap
@@ -947,6 +820,102 @@ class GameService(
         return mergedGame
     }
 
+    /**
+     * Sets a field on the merged game if it has not already been set by a higher-priority plugin.
+     */
+    private fun <T> setFieldIfAbsent(
+        fieldName: String,
+        value: T?,
+        metadataMap: MutableMap<String, GameFieldMetadata>,
+        sourcePlugin: PluginManagementEntry,
+        setter: (T) -> Unit
+    ) {
+        if (value != null && !metadataMap.containsKey(fieldName)) {
+            setter(value)
+            metadataMap[fieldName] = GameFieldMetadata(source = GameFieldPluginSource(plugin = sourcePlugin))
+        }
+    }
+
+    /**
+     * Applies all metadata fields from a single plugin result onto the merged game,
+     * respecting the first-write-wins rule via [setFieldIfAbsent].
+     */
+    private fun applyMetadataFields(
+        metadata: PluginApiMetadata,
+        sourcePlugin: PluginManagementEntry,
+        mergedGame: Game,
+        metadataMap: MutableMap<String, GameFieldMetadata>
+    ) {
+        setFieldIfAbsent("platforms", metadata.platforms?.takeIf { it.isNotEmpty() }, metadataMap, sourcePlugin) {
+            mergedGame.platforms = it.toMutableList()
+        }
+        setFieldIfAbsent("title", metadata.title.takeIf { it.isNotBlank() }, metadataMap, sourcePlugin) {
+            mergedGame.title = it
+        }
+        setFieldIfAbsent("summary", metadata.description?.takeIf { it.isNotBlank() }, metadataMap, sourcePlugin) {
+            mergedGame.summary = it
+        }
+        setFieldIfAbsent("coverImage", metadata.coverUrls?.firstOrNull(), metadataMap, sourcePlugin) {
+            mergedGame.coverImage = imageService.createOrGet(
+                Image(originalUrl = it.toString(), type = ImageType.COVER)
+            )
+        }
+        setFieldIfAbsent("headerImage", metadata.headerUrls?.firstOrNull(), metadataMap, sourcePlugin) {
+            mergedGame.headerImage = imageService.createOrGet(
+                Image(originalUrl = it.toString(), type = ImageType.HEADER)
+            )
+        }
+        setFieldIfAbsent("release", metadata.release, metadataMap, sourcePlugin) {
+            mergedGame.release = it
+        }
+        setFieldIfAbsent("userRating", metadata.userRating, metadataMap, sourcePlugin) {
+            mergedGame.userRating = it
+        }
+        setFieldIfAbsent("criticRating", metadata.criticRating, metadataMap, sourcePlugin) {
+            mergedGame.criticRating = it
+        }
+        setFieldIfAbsent("publishers", metadata.publishedBy?.takeIf { it.isNotEmpty() }, metadataMap, sourcePlugin) {
+            mergedGame.publishers =
+                it.map { name -> Company(name = name, type = CompanyType.PUBLISHER) }.toMutableList()
+        }
+        setFieldIfAbsent("developers", metadata.developedBy?.takeIf { it.isNotEmpty() }, metadataMap, sourcePlugin) {
+            mergedGame.developers =
+                it.map { name -> Company(name = name, type = CompanyType.DEVELOPER) }.toMutableList()
+        }
+        setFieldIfAbsent("genres", metadata.genres?.takeIf { it.isNotEmpty() }, metadataMap, sourcePlugin) {
+            mergedGame.genres = it.toList()
+        }
+        setFieldIfAbsent("themes", metadata.themes?.takeIf { it.isNotEmpty() }, metadataMap, sourcePlugin) {
+            mergedGame.themes = it.toList()
+        }
+        setFieldIfAbsent("keywords", metadata.keywords?.takeIf { it.isNotEmpty() }, metadataMap, sourcePlugin) {
+            mergedGame.keywords = it.toList()
+        }
+        setFieldIfAbsent("features", metadata.features?.takeIf { it.isNotEmpty() }, metadataMap, sourcePlugin) {
+            mergedGame.features = it.toList()
+        }
+        setFieldIfAbsent("perspectives", metadata.perspectives?.takeIf { it.isNotEmpty() }, metadataMap, sourcePlugin) {
+            mergedGame.perspectives = it.toList()
+        }
+        setFieldIfAbsent(
+            "images",
+            metadata.screenshotUrls?.takeIf { it.isNotEmpty() },
+            metadataMap,
+            sourcePlugin
+        ) { screenshotUrls ->
+            mergedGame.images = runBlocking {
+                screenshotUrls.map {
+                    imageService.createOrGet(
+                        Image(originalUrl = it.toString(), type = ImageType.SCREENSHOT)
+                    )
+                }.toMutableList()
+            }
+        }
+        setFieldIfAbsent("videoUrls", metadata.videoUrls?.takeIf { it.isNotEmpty() }, metadataMap, sourcePlugin) {
+            mergedGame.videoUrls = it.toList()
+        }
+    }
+
     private fun String.fuzzyMatchTitle(other: String): Boolean {
         val minRatio = config.get(ConfigProperties.Libraries.Scan.TitleMatchMinRatio)!!
         return FuzzySearch.ratio(this.normalizeGameTitle(), other.normalizeGameTitle()) > minRatio
diff --git a/app/src/main/kotlin/org/gameyfin/app/games/entities/Game.kt b/app/src/main/kotlin/org/gameyfin/app/games/entities/Game.kt
index 7050ccb..13e932c 100644
--- a/app/src/main/kotlin/org/gameyfin/app/games/entities/Game.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/games/entities/Game.kt
@@ -79,7 +79,7 @@ class Game(
     @ManyToMany(cascade = [PERSIST, MERGE, REFRESH], fetch = FetchType.EAGER)
     var images: MutableList<Image> = mutableListOf(),
 
-    @ElementCollection
+    @ElementCollection(fetch = FetchType.EAGER)
     var videoUrls: List<URI> = emptyList(),
 
     @ManyToMany(mappedBy = "games", fetch = FetchType.EAGER)
diff --git a/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryCoreService.kt b/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryCoreService.kt
index c7ae2c2..61facd9 100644
--- a/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryCoreService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryCoreService.kt
@@ -11,6 +11,7 @@ import org.gameyfin.app.libraries.entities.Library
 import org.gameyfin.app.users.UserService
 import org.gameyfin.pluginapi.gamemetadata.GameMetadataProvider
 import org.springframework.stereotype.Service
+import org.springframework.transaction.annotation.Transactional
 import java.time.Instant
 
 /**
@@ -52,6 +53,7 @@ class LibraryCoreService(
         return library
     }
 
+    @Transactional
     fun deleteGameFromLibrary(gameId: Long) {
         val game = gameService.getById(gameId)
         val library = game.library
diff --git a/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryScanService.kt b/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryScanService.kt
index 37bb6c0..2696c42 100644
--- a/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryScanService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryScanService.kt
@@ -1,7 +1,10 @@
 package org.gameyfin.app.libraries
 
 import io.github.oshai.kotlinlogging.KotlinLogging
+import org.gameyfin.app.config.ConfigProperties
+import org.gameyfin.app.config.ConfigService
 import org.gameyfin.app.core.filesystem.FilesystemService
+import org.gameyfin.app.core.metrics.ScanMetrics
 import org.gameyfin.app.core.plugins.PluginService
 import org.gameyfin.app.games.entities.Game
 import org.gameyfin.app.games.repositories.GameRepository
@@ -16,14 +19,14 @@ import org.gameyfin.app.libraries.scan.MatchNewGamesResult
 import org.gameyfin.app.libraries.scan.UpdateExistingGamesResult
 import org.gameyfin.app.libraries.scan.UpdateLibraryResult
 import org.gameyfin.pluginapi.gamemetadata.GameMetadataProvider
+import org.pf4j.PluginState
 import org.springframework.stereotype.Service
 import reactor.core.publisher.Flux
 import reactor.core.publisher.Sinks
 import java.nio.file.Path
 import java.time.Instant
-import java.util.concurrent.Callable
-import java.util.concurrent.ConcurrentHashMap
-import java.util.concurrent.Executors
+import java.util.*
+import java.util.concurrent.*
 import java.util.concurrent.atomic.AtomicInteger
 import kotlin.time.Duration.Companion.hours
 import kotlin.time.Duration.Companion.seconds
@@ -37,18 +40,30 @@ class LibraryScanService(
     private val libraryGameProcessor: LibraryGameProcessor,
     private val gameRepository: GameRepository,
     private val ignoredPathRepository: IgnoredPathRepository,
-    private val pluginService: PluginService
+    private val pluginService: PluginService,
+    private val configService: ConfigService,
+    private val scanMetrics: ScanMetrics
 ) {
 
     companion object {
         private val log = KotlinLogging.logger {}
 
-        private val SCAN_RESULT_TTL = 24.hours.toJavaDuration()
-        private val scanProgressEvents = Sinks.many().replay().limit<LibraryScanProgress>(SCAN_RESULT_TTL)
+        private val SCAN_PROGRESS_RETENTION = 24.hours.toJavaDuration()
+
+        /**
+         * Keeps only the **most recent** progress event per scan (keyed by scanId).
+         */
+        private val latestProgressPerScan = ConcurrentHashMap<UUID, LibraryScanProgress>()
+        private val scanProgressEvents = Sinks.many().multicast().onBackpressureBuffer<LibraryScanProgress>(1024, false)
 
         fun subscribeToScanProgressEvents(): Flux<List<LibraryScanProgress>> {
             log.debug { "New subscription for scanProgressEvents" }
-            return scanProgressEvents.asFlux()
+
+            // Replay the current snapshot first, then stream live updates
+            val snapshot = Flux.fromIterable(latestProgressPerScan.values.toList())
+            val live = scanProgressEvents.asFlux()
+
+            return Flux.concat(snapshot, live)
                 .buffer(1.seconds.toJavaDuration())
                 .doOnSubscribe {
                     log.debug { "Subscriber added to scanProgressEvents [${scanProgressEvents.currentSubscriberCount()}]" }
@@ -59,18 +74,47 @@ class LibraryScanService(
         }
 
         fun emit(scanProgressDto: LibraryScanProgress) {
+            latestProgressPerScan[scanProgressDto.scanId] = scanProgressDto
             scanProgressEvents.tryEmitNext(scanProgressDto)
         }
 
-        private val executor = Executors.newFixedThreadPool(16)
+        /** Remove scans which are not running and have finished longer ago than the retention. */
+        private fun evictStaleScanProgress() {
+            val cutoff = Instant.now().minus(SCAN_PROGRESS_RETENTION)
+            latestProgressPerScan.values.removeIf { it.finishedAt?.isBefore(cutoff) == true }
+        }
+
+        @Volatile
+        private var scanSemaphore = Semaphore(ConfigProperties.Libraries.Scan.MaxConcurrency.default!!)
+        private val executor: ExecutorService = Executors.newVirtualThreadPerTaskExecutor()
         private val scansInProgress = ConcurrentHashMap<Long, Boolean>()
     }
 
+    /**
+     * Re-creates the concurrency semaphore from the current config value.
+     * Called once at the start of each scan so that config changes take
+     * effect without restarting the application.
+     */
+    private fun refreshScanSemaphore() {
+        val permits = configService.get(ConfigProperties.Libraries.Scan.MaxConcurrency)!!
+        scanSemaphore = Semaphore(permits)
+    }
+
     /**
      * Wrapper function to trigger a scan for a list of libraries.
      */
     fun triggerScan(scanType: ScanType, libraryIds: Collection<Long>?) {
-        val libraries = libraryIds?.let { libraryRepository.findAllById(libraryIds) } ?: libraryRepository.findAll()
+        check(pluginService.getAllByTypeAndState(GameMetadataProvider::class, PluginState.STARTED).isNotEmpty()) {
+            "At least one metadata plugin must be enabled to perform a scan."
+        }
+
+        refreshScanSemaphore()
+        evictStaleScanProgress()
+
+        val libraries =
+            if (libraryIds.isNullOrEmpty()) libraryRepository.findAll().toList()
+            else libraryRepository.findAllById(libraryIds).toList()
+
         libraries.forEach { library ->
             val libraryId = library.id!!
             if (scansInProgress.putIfAbsent(libraryId, true) == null) {
@@ -100,6 +144,8 @@ class LibraryScanService(
             )
         )
         emit(progress)
+        scanMetrics.recordScanStarted(ScanType.QUICK)
+        val scanStartTime = System.currentTimeMillis()
 
         try {
             val scanData = performFilesystemScan(library)
@@ -131,20 +177,32 @@ class LibraryScanService(
                     unmatched = newUnmatchedPaths.size
                 )
             )
+
+            scanMetrics.recordScanCompleted(
+                type = ScanType.QUICK,
+                durationMillis = System.currentTimeMillis() - scanStartTime,
+                newGames = persistedNewGames.size,
+                removedGames = removedGames.size,
+                unmatchedPaths = newUnmatchedPaths.size
+            )
         } catch (e: Exception) {
+            scanMetrics.recordScanFailed(ScanType.QUICK, System.currentTimeMillis() - scanStartTime)
             handleScanError(e, library, progress, "quick scan")
         }
     }
 
     private fun fullScan(library: Library, triggeredBySchedule: Boolean) {
+        val scanType = if (triggeredBySchedule) ScanType.SCHEDULED else ScanType.FULL
         val progress = LibraryScanProgress(
             libraryId = library.id!!,
-            type = if (triggeredBySchedule) ScanType.SCHEDULED else ScanType.FULL,
+            type = scanType,
             currentStep = LibraryScanStep(
                 description = "Scanning filesystem"
             )
         )
         emit(progress)
+        scanMetrics.recordScanStarted(scanType)
+        val scanStartTime = System.currentTimeMillis()
 
         try {
             val scanData = performFilesystemScan(library)
@@ -186,7 +244,17 @@ class LibraryScanService(
                     updated = updatedGames.size
                 )
             )
+
+            scanMetrics.recordScanCompleted(
+                type = scanType,
+                durationMillis = System.currentTimeMillis() - scanStartTime,
+                newGames = persistedNewGames.size,
+                removedGames = removedGames.size,
+                unmatchedPaths = newUnmatchedPaths.size,
+                updatedGames = updatedGames.size
+            )
         } catch (e: Exception) {
+            scanMetrics.recordScanFailed(scanType, System.currentTimeMillis() - scanStartTime)
             handleScanError(e, library, progress, "full scan")
         }
     }
@@ -273,6 +341,7 @@ class LibraryScanService(
 
         val tasks = gamePaths.map { path ->
             Callable<Game?> {
+                scanSemaphore.acquire()
                 try {
                     val persisted = libraryGameProcessor.processNewGame(path, library)
 
@@ -305,6 +374,7 @@ class LibraryScanService(
 
                     return@Callable null
                 } finally {
+                    scanSemaphore.release()
                     progress.currentStep.current = completed.incrementAndGet()
                     emit(progress)
                 }
@@ -374,6 +444,7 @@ class LibraryScanService(
 
         val updateTasks = games.map { game ->
             Callable<Game?> {
+                scanSemaphore.acquire()
                 try {
                     val updated = libraryGameProcessor.processExistingGame(game)
                     return@Callable updated
@@ -382,6 +453,7 @@ class LibraryScanService(
                     log.debug(e) {}
                     return@Callable null
                 } finally {
+                    scanSemaphore.release()
                     progress.currentStep.current = completedUpdates.incrementAndGet()
                     emit(progress)
                 }
diff --git a/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryService.kt b/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryService.kt
index 32f4a0b..49849e6 100644
--- a/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryService.kt
@@ -13,6 +13,7 @@ import org.gameyfin.app.libraries.extensions.toEntity
 import org.gameyfin.app.users.UserService
 import org.springframework.data.repository.findByIdOrNull
 import org.springframework.stereotype.Service
+import org.springframework.transaction.annotation.Transactional
 import reactor.core.publisher.Flux
 import reactor.core.publisher.Sinks
 import java.time.Instant
@@ -72,7 +73,7 @@ class LibraryService(
      * Retrieves all libraries from the repository.
      */
     fun getAll(): List<LibraryDto> {
-        val entities = libraryRepository.findAll()
+        val entities = libraryRepository.findAll().toList()
         return entities.toDtos()
     }
 
@@ -119,6 +120,7 @@ class LibraryService(
      * @return The updated LibraryDto.
      * @throws IllegalArgumentException if the library ID is null or the library is not found.
      */
+    @Transactional
     fun update(libraryUpdateDto: LibraryUpdateDto) {
         val library = libraryRepository.findByIdOrNull(libraryUpdateDto.id)
             ?: throw IllegalArgumentException("Library with ID $libraryUpdateDto.id not found")
@@ -196,6 +198,7 @@ class LibraryService(
     /**
      * Updates multiple libraries in the repository.
      */
+    @Transactional
     fun update(libraries: Collection<LibraryUpdateDto>) {
         libraries.forEach { update(it) }
     }
diff --git a/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryWatcherService.kt b/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryWatcherService.kt
index cc65fe3..e238482 100644
--- a/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryWatcherService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/libraries/LibraryWatcherService.kt
@@ -80,7 +80,7 @@ class LibraryWatcherService(
         running.set(true)
 
         // Start watching all existing libraries
-        val libraries = libraryRepository.findAll()
+        val libraries = libraryRepository.findAll().toList()
         libraries.forEach { library ->
             startWatchingLibrary(library)
         }
@@ -231,7 +231,7 @@ class LibraryWatcherService(
                 val watchKey = watchService?.poll(1, TimeUnit.SECONDS) ?: continue
                 val watchInfo = watchKeys[watchKey] ?: continue
 
-                val events = watchKey.pollEvents()
+                val events = watchKey.pollEvents().toList()
                 if (events.isEmpty()) {
                     watchKey.reset()
                     continue
diff --git a/app/src/main/kotlin/org/gameyfin/app/libraries/entities/IgnoredPath.kt b/app/src/main/kotlin/org/gameyfin/app/libraries/entities/IgnoredPath.kt
index 1afac88..07634c3 100644
--- a/app/src/main/kotlin/org/gameyfin/app/libraries/entities/IgnoredPath.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/libraries/entities/IgnoredPath.kt
@@ -21,7 +21,7 @@ class IgnoredPath(
         return when (source) {
             is IgnoredPathPluginSource -> IgnoredPathSourceType.PLUGIN
             is IgnoredPathUserSource -> IgnoredPathSourceType.USER
-            else -> throw IllegalStateException("Unknown IgnoredPathSource type")
+            else -> error("Unknown IgnoredPathSource type")
         }
     }
 }
@@ -41,7 +41,7 @@ abstract class IgnoredPathSource(
 
 @Entity
 class IgnoredPathPluginSource(
-    @ManyToMany
+    @ManyToMany(fetch = FetchType.EAGER)
     val plugins: MutableList<PluginManagementEntry>
 ) : IgnoredPathSource()
 
diff --git a/app/src/main/kotlin/org/gameyfin/app/libraries/extensions/IgnoredPathExtensions.kt b/app/src/main/kotlin/org/gameyfin/app/libraries/extensions/IgnoredPathExtensions.kt
index a680809..27ada61 100644
--- a/app/src/main/kotlin/org/gameyfin/app/libraries/extensions/IgnoredPathExtensions.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/libraries/extensions/IgnoredPathExtensions.kt
@@ -17,7 +17,7 @@ fun IgnoredPath.toDto(): IgnoredPathDto {
         source = when (val source = this.source) {
             is IgnoredPathPluginSource -> source.plugins.joinToString("\", \"", "[\"", "\"]") { it.pluginId }
             is IgnoredPathUserSource -> source.user.id.toString()
-            else -> throw IllegalStateException("Unknown IgnoredPathSource type")
+            else -> error("Unknown IgnoredPathSource type")
         }
     )
 }
diff --git a/app/src/main/kotlin/org/gameyfin/app/media/FileStorageService.kt b/app/src/main/kotlin/org/gameyfin/app/media/FileStorageService.kt
index 9d17826..459eb9f 100644
--- a/app/src/main/kotlin/org/gameyfin/app/media/FileStorageService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/media/FileStorageService.kt
@@ -80,6 +80,16 @@ class FileStorageService(
         }
     }
 
+    /**
+     * Resolves the file path for a given content ID.
+     * Returns null if the content ID is null or the file doesn't exist.
+     */
+    fun getFilePath(contentId: String?): Path? {
+        if (contentId == null) return null
+        val filePath = rootPath.resolve(contentId)
+        return if (filePath.exists()) filePath else null
+    }
+
     /**
      * Checks if a file exists for the given content ID.
      */
diff --git a/app/src/main/kotlin/org/gameyfin/app/media/Image.kt b/app/src/main/kotlin/org/gameyfin/app/media/Image.kt
index be72ce9..b404ceb 100644
--- a/app/src/main/kotlin/org/gameyfin/app/media/Image.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/media/Image.kt
@@ -1,8 +1,10 @@
 package org.gameyfin.app.media
 
 import jakarta.persistence.*
+import org.hibernate.annotations.BatchSize
 
 @Entity
+@BatchSize(size = 100)
 class Image(
     @Id
     @GeneratedValue(strategy = GenerationType.AUTO)
diff --git a/app/src/main/kotlin/org/gameyfin/app/media/ImageEndpoint.kt b/app/src/main/kotlin/org/gameyfin/app/media/ImageEndpoint.kt
index c6501cf..5119f7c 100644
--- a/app/src/main/kotlin/org/gameyfin/app/media/ImageEndpoint.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/media/ImageEndpoint.kt
@@ -3,6 +3,7 @@ package org.gameyfin.app.media
 import com.vaadin.flow.server.auth.AnonymousAllowed
 import jakarta.annotation.security.PermitAll
 import jakarta.annotation.security.RolesAllowed
+import jakarta.servlet.http.HttpServletRequest
 import org.gameyfin.app.core.Role
 import org.gameyfin.app.core.Utils
 import org.gameyfin.app.core.annotations.DynamicPublicAccess
@@ -10,12 +11,13 @@ import org.gameyfin.app.core.plugins.PluginService
 import org.gameyfin.app.core.security.getCurrentAuth
 import org.gameyfin.app.users.UserService
 import org.springframework.core.io.ByteArrayResource
-import org.springframework.core.io.InputStreamResource
-import org.springframework.http.HttpHeaders
-import org.springframework.http.MediaType
-import org.springframework.http.ResponseEntity
+import org.springframework.core.io.FileSystemResource
+import org.springframework.core.io.Resource
+import org.springframework.http.*
 import org.springframework.web.bind.annotation.*
 import org.springframework.web.multipart.MultipartFile
+import java.nio.file.Files
+import java.util.concurrent.TimeUnit
 
 @RestController
 @RequestMapping("/images")
@@ -28,18 +30,18 @@ class ImageEndpoint(
 ) {
 
     @GetMapping("/screenshot/{id}")
-    fun getScreenshot(@PathVariable id: Long): ResponseEntity<InputStreamResource>? {
-        return getImageContent(id)
+    fun getScreenshot(@PathVariable id: Long, request: HttpServletRequest): ResponseEntity<Resource>? {
+        return getImageContent(id, request)
     }
 
     @GetMapping("/cover/{id}")
-    fun getCover(@PathVariable id: Long): ResponseEntity<InputStreamResource>? {
-        return getImageContent(id)
+    fun getCover(@PathVariable id: Long, request: HttpServletRequest): ResponseEntity<Resource>? {
+        return getImageContent(id, request)
     }
 
     @GetMapping("/header/{id}")
-    fun getHeader(@PathVariable id: Long): ResponseEntity<InputStreamResource>? {
-        return getImageContent(id)
+    fun getHeader(@PathVariable id: Long, request: HttpServletRequest): ResponseEntity<Resource>? {
+        return getImageContent(id, request)
     }
 
     @GetMapping("/plugins/{pluginId}/logo")
@@ -49,16 +51,16 @@ class ImageEndpoint(
     }
 
     @GetMapping("/avatar")
-    fun getAvatarByUsername(@RequestParam username: String): ResponseEntity<InputStreamResource>? {
+    fun getAvatarByUsername(@RequestParam username: String, request: HttpServletRequest): ResponseEntity<Resource>? {
         val avatar = userService.getAvatar(username) ?: return ResponseEntity.notFound().build()
         if (avatar.id == null) return ResponseEntity.notFound().build()
-        return getImageContent(avatar.id!!)
+        return getImageContent(avatar.id!!, request)
     }
 
     @PermitAll
     @PostMapping("/avatar/upload")
     fun uploadAvatar(@RequestParam("file") file: MultipartFile) {
-        val auth = getCurrentAuth() ?: throw IllegalStateException("No authentication found")
+        val auth = getCurrentAuth() ?: error("No authentication found")
 
         val image: Image = if (!userService.hasAvatar(auth.name)) {
             imageService.createFromInputStream(ImageType.AVATAR, file.inputStream, file.contentType!!)
@@ -73,7 +75,7 @@ class ImageEndpoint(
     @PermitAll
     @PostMapping("/avatar/delete")
     fun deleteAvatar() {
-        val auth = getCurrentAuth() ?: throw IllegalStateException("No authentication found")
+        val auth = getCurrentAuth() ?: error("No authentication found")
         userService.deleteAvatar(auth.name)
     }
 
@@ -83,21 +85,44 @@ class ImageEndpoint(
         userService.deleteAvatar(name)
     }
 
-    private fun getImageContent(id: Long): ResponseEntity<InputStreamResource> {
+    private fun getImageContent(id: Long, request: HttpServletRequest): ResponseEntity<Resource> {
         val image = imageService.getImage(id) ?: return ResponseEntity.notFound().build()
 
-        val file = image.let { imageService.getFileContent(it) }
+        // Use contentId as ETag — it changes whenever the file content changes
+        val etag = image.contentId?.let { "\"$it\"" }
 
-        if (file == null) return ResponseEntity.notFound().build()
+        // Check If-None-Match for conditional requests (304 Not Modified)
+        if (etag != null) {
+            val ifNoneMatch = request.getHeader(HttpHeaders.IF_NONE_MATCH)
+            if (ifNoneMatch != null && (ifNoneMatch == etag || ifNoneMatch == "W/$etag")) {
+                return ResponseEntity.status(HttpStatus.NOT_MODIFIED)
+                    .eTag(etag)
+                    .cacheControl(CacheControl.maxAge(7, TimeUnit.DAYS))
+                    .build()
+            }
+        }
 
-        val inputStreamResource = InputStreamResource(file)
+        // Resolve the file path on disk for efficient zero-copy serving
+        val filePath = imageService.getFilePath(image) ?: return ResponseEntity.notFound().build()
+
+        val resource = FileSystemResource(filePath)
 
         val headers = HttpHeaders()
         image.contentLength?.let { headers.contentLength = it }
         image.mimeType?.let { headers.contentType = MediaType.parseMediaType(it) }
+        headers.cacheControl = CacheControl.maxAge(7, TimeUnit.DAYS).headerValue
+        etag?.let { headers.eTag = it }
+
+        // Add Last-Modified from the file's modification time
+        try {
+            val lastModified = Files.getLastModifiedTime(filePath).toInstant()
+            headers.lastModified = lastModified.toEpochMilli()
+        } catch (_: Exception) {
+            // Ignore — Last-Modified is optional
+        }
 
         return ResponseEntity.ok()
             .headers(headers)
-            .body(inputStreamResource)
+            .body(resource)
     }
 }
\ No newline at end of file
diff --git a/app/src/main/kotlin/org/gameyfin/app/media/ImageService.kt b/app/src/main/kotlin/org/gameyfin/app/media/ImageService.kt
index f02b24b..d0325eb 100644
--- a/app/src/main/kotlin/org/gameyfin/app/media/ImageService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/media/ImageService.kt
@@ -1,6 +1,8 @@
 package org.gameyfin.app.media
 
+import com.github.benmanes.caffeine.cache.Cache
 import com.vanniktech.blurhash.BlurHash
+import io.github.oshai.kotlinlogging.KotlinLogging
 import org.apache.tika.Tika
 import org.apache.tika.io.TikaInputStream
 import org.gameyfin.app.core.events.GameDeletedEvent
@@ -10,6 +12,8 @@ import org.gameyfin.app.core.events.UserUpdatedEvent
 import org.gameyfin.app.games.repositories.GameRepository
 import org.gameyfin.app.games.repositories.ImageRepository
 import org.gameyfin.app.users.persistence.UserRepository
+import org.springframework.boot.context.event.ApplicationReadyEvent
+import org.springframework.context.event.EventListener
 import org.springframework.dao.DataIntegrityViolationException
 import org.springframework.data.repository.findByIdOrNull
 import org.springframework.scheduling.annotation.Async
@@ -19,9 +23,11 @@ import org.springframework.transaction.event.TransactionPhase
 import org.springframework.transaction.event.TransactionalEventListener
 import java.awt.RenderingHints
 import java.awt.image.BufferedImage
-import java.io.ByteArrayInputStream
 import java.io.InputStream
 import java.net.URI
+import java.nio.file.Files
+import java.nio.file.Path
+import java.nio.file.StandardCopyOption
 import javax.imageio.ImageIO
 
 @Service
@@ -29,9 +35,12 @@ class ImageService(
     private val imageRepository: ImageRepository,
     private val fileStorageService: FileStorageService,
     private val gameRepository: GameRepository,
-    private val userRepository: UserRepository
+    private val userRepository: UserRepository,
+    private val imageCache: Cache<Long, Image>
 ) {
     companion object {
+        private val log = KotlinLogging.logger { }
+
         private val tika = Tika()
 
         /**
@@ -66,15 +75,24 @@ class ImageService(
         }
     }
 
+    /**
+     * Pre-populate the image cache at startup
+     */
+    @EventListener(ApplicationReadyEvent::class)
+    fun prePopulateImageCache() {
+        val images = imageRepository.findAll().toList()
+        images.forEach { image -> image.id?.let { imageCache.put(it, image) } }
+        log.debug { "Pre-populated image cache with ${images.size} entries" }
+    }
+
     @Async
     @TransactionalEventListener(
         classes = [GameDeletedEvent::class],
         phase = TransactionPhase.AFTER_COMPLETION
     )
     fun onGameDeleted(event: GameDeletedEvent) {
-        val imagesToDelete = listOfNotNull(event.game.coverImage, event.game.headerImage)
-            .toMutableList()
-            .apply { addAll(event.game.images) }
+        val imagesToDelete = listOfNotNull(event.game.coverImage, event.game.headerImage) +
+                event.game.images
 
         imagesToDelete.forEach { deleteImageIfUnused(it) }
     }
@@ -84,14 +102,12 @@ class ImageService(
         phase = TransactionPhase.AFTER_COMPLETION
     )
     fun onGameUpdated(event: GameUpdatedEvent) {
-        val imagesBeforeUpdate = listOfNotNull(event.previousState.coverImage, event.previousState.headerImage)
-            .toMutableList()
-            .apply { addAll(event.previousState.images) }
+        val imagesBeforeUpdate = (listOfNotNull(event.previousState.coverImage, event.previousState.headerImage) +
+                event.previousState.images)
             .toSet()
 
-        val imagesStillInUse = listOfNotNull(event.currentState.coverImage, event.currentState.headerImage)
-            .toMutableList()
-            .apply { addAll(event.currentState.images) }
+        val imagesStillInUse = (listOfNotNull(event.currentState.coverImage, event.currentState.headerImage) +
+                event.currentState.images)
             .toSet()
 
         imagesBeforeUpdate.minus(imagesStillInUse).forEach { deleteImageIfUnused(it) }
@@ -122,7 +138,7 @@ class ImageService(
         val url = image.originalUrl
         if (url.isNullOrBlank()) {
             // No original URL => cannot dedupe by URL; just persist as-is
-            return imageRepository.save(image)
+            return imageRepository.save(image).also { saved -> saved.id?.let { imageCache.put(it, saved) } }
         }
 
         // Prefer a list lookup to avoid IncorrectResultSizeDataAccessException if duplicates exist pre-migration
@@ -131,7 +147,7 @@ class ImageService(
 
         return try {
             val toSave = Image(originalUrl = url, type = image.type)
-            imageRepository.save(toSave)
+            imageRepository.save(toSave).also { saved -> saved.id?.let { imageCache.put(it, saved) } }
         } catch (e: DataIntegrityViolationException) {
             // Unique (original_url) might have been inserted concurrently; fetch and return
             imageRepository.findAllByOriginalUrl(url).firstOrNull()
@@ -140,7 +156,7 @@ class ImageService(
     }
 
     fun downloadIfNew(image: Image) {
-        if (image.originalUrl == null) throw IllegalArgumentException("Image must have an original URL")
+        requireNotNull(image.originalUrl) { "Image must have an original URL" }
 
         // Always try to get existing image first to avoid detached entity issues and duplicate lookups
         val existingImage = imageRepository.findAllByOriginalUrl(image.originalUrl).firstOrNull()
@@ -165,7 +181,7 @@ class ImageService(
 
         // Save or update the image to ensure it's persisted
         try {
-            imageRepository.save(image)
+            imageRepository.save(image).also { saved -> saved.id?.let { imageCache.put(it, saved) } }
         } catch (_: DataIntegrityViolationException) {
             // If another thread saved the same URL meanwhile, just ignore and proceed
         }
@@ -174,23 +190,31 @@ class ImageService(
     fun createFromInputStream(type: ImageType, content: InputStream, mimeType: String): Image {
         val image = Image(type = type, mimeType = mimeType)
         processImageContent(image, content)
-        return imageRepository.save(image)
+        return imageRepository.save(image).also { saved -> saved.id?.let { imageCache.put(it, saved) } }
     }
 
     fun getImage(id: Long): Image? {
-        return imageRepository.findByIdOrNull(id)
+        imageCache.getIfPresent(id)?.let { return it }
+        val image = imageRepository.findByIdOrNull(id)
+        if (image != null) imageCache.put(id, image)
+        return image
     }
 
     fun getFileContent(image: Image): InputStream? {
         return fileStorageService.getFile(image.contentId)
     }
 
+    fun getFilePath(image: Image): Path? {
+        return fileStorageService.getFilePath(image.contentId)
+    }
+
     fun deleteImageIfUnused(image: Image) {
         val imageId = image.id ?: return
 
         val isImageStillInUse = gameRepository.existsByImage(imageId) || userRepository.existsByAvatar(imageId)
 
         if (!isImageStillInUse) {
+            imageCache.invalidate(imageId)
             imageRepository.delete(image)
             fileStorageService.deleteFile(image.contentId)
         }
@@ -205,6 +229,9 @@ class ImageService(
         // Process and store new content
         processImageContent(image, content)
 
+        // Invalidate cache so the next read picks up fresh data
+        image.id?.let { imageCache.invalidate(it) }
+
         return imageRepository.save(image)
     }
 
@@ -216,40 +243,57 @@ class ImageService(
     }
 
     private fun processImageContent(image: Image, content: InputStream) {
-        // Read the input stream into a byte array so we can use it twice
-        val imageBytes = content.readBytes()
+        // Stream to a temp file to avoid holding the full image bytes on the heap.
+        // This is critical during library scans where multiple images are processed
+        // concurrently — buffering each one as a byte[] can easily cause OOM.
+        val tempFile = Files.createTempFile("gf-img-", ".tmp")
+        try {
+            // 1. Write the stream to disk
+            content.use { input ->
+                Files.copy(input, tempFile, StandardCopyOption.REPLACE_EXISTING)
+            }
 
-        // Calculate blurhash
-        ByteArrayInputStream(imageBytes).use { blurhashStream ->
-            image.blurhash = calculateBlurhash(blurhashStream)
-        }
+            val fileSize = Files.size(tempFile)
 
-        // Store content
-        ByteArrayInputStream(imageBytes).use { contentStream ->
-            image.contentId = fileStorageService.saveFile(contentStream)
-            image.contentLength = imageBytes.size.toLong()
+            // 2. Calculate blurhash from the temp file
+            Files.newInputStream(tempFile).use { blurhashStream ->
+                image.blurhash = calculateBlurhash(blurhashStream)
+            }
+
+            // 3. Store content from the temp file
+            Files.newInputStream(tempFile).use { contentStream ->
+                image.contentId = fileStorageService.saveFile(contentStream)
+                image.contentLength = fileSize
+            }
+        } finally {
+            Files.deleteIfExists(tempFile)
         }
     }
 
     private fun calculateBlurhash(inputStream: InputStream): String? {
         return try {
-            val originalImage = ImageIO.read(inputStream)
-            if (originalImage != null) {
-                // Scale down for much faster processing
+            val originalImage = ImageIO.read(inputStream) ?: return null
+            try {
+                // Scale down for much faster processing and less memory
                 val scaledImage = scaleImageForBlurhash(originalImage)
-
-                return if (scaledImage.width > scaledImage.height) {
-                    // Landscape
-                    BlurHash.encode(scaledImage, componentX = 4, componentY = 3)
-                } else if (scaledImage.width < scaledImage.height) {
-                    // Portrait
-                    BlurHash.encode(scaledImage, componentX = 3, componentY = 4)
-                } else {
-                    // Square
-                    BlurHash.encode(scaledImage, componentX = 3, componentY = 3)
+                try {
+                    return if (scaledImage.width > scaledImage.height) {
+                        // Landscape
+                        BlurHash.encode(scaledImage, componentX = 4, componentY = 3)
+                    } else if (scaledImage.width < scaledImage.height) {
+                        // Portrait
+                        BlurHash.encode(scaledImage, componentX = 3, componentY = 4)
+                    } else {
+                        // Square
+                        BlurHash.encode(scaledImage, componentX = 3, componentY = 3)
+                    }
+                } finally {
+                    // Release scaled image native memory immediately
+                    if (scaledImage !== originalImage) scaledImage.flush()
                 }
-            } else {
-                null
+            } finally {
+                // Release original image native memory immediately
+                originalImage.flush()
             }
         } catch (_: Exception) {
             null
diff --git a/app/src/main/kotlin/org/gameyfin/app/messages/MessageService.kt b/app/src/main/kotlin/org/gameyfin/app/messages/MessageService.kt
index bf08d33..714bcd2 100644
--- a/app/src/main/kotlin/org/gameyfin/app/messages/MessageService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/messages/MessageService.kt
@@ -61,8 +61,8 @@ class MessageService(
         }
 
         try {
-            val auth = getCurrentAuth() ?: throw IllegalStateException("No authentication found")
-            val user = userService.getByUsername(auth.name) ?: throw IllegalStateException("User not found")
+            val auth = getCurrentAuth() ?: error("No authentication found")
+            val user = userService.getByUsername(auth.name) ?: error("User not found")
             val template = templateService.getMessageTemplate(templateKey)
             sendNotification(user.email, "[Gameyfin] Test Notification", template, placeholders)
         } catch (e: Exception) {
diff --git a/app/src/main/kotlin/org/gameyfin/app/messages/templates/MessageTemplateService.kt b/app/src/main/kotlin/org/gameyfin/app/messages/templates/MessageTemplateService.kt
index 99ee372..0a70987 100644
--- a/app/src/main/kotlin/org/gameyfin/app/messages/templates/MessageTemplateService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/messages/templates/MessageTemplateService.kt
@@ -40,8 +40,8 @@ class MessageTemplateService {
     }
 
     fun fillMessageTemplate(template: MessageTemplates, type: TemplateType, placeholders: Map<String, String>): String {
-        if (placeholders.keys != template.availablePlaceholders.toSet()) {
-            throw IllegalArgumentException("Placeholders do not match available placeholders for template '${template.key}'")
+        require(placeholders.keys == template.availablePlaceholders.toSet()) {
+            "Placeholders do not match available placeholders for template '${template.key}'"
         }
 
         val content = getMessageTemplateContent(template.key, type)
@@ -82,7 +82,7 @@ class MessageTemplateService {
     private fun getDefaultTemplateFile(key: String, type: TemplateType): Path {
         log.debug { "No custom message template found for '$key.${type.extension}', returning default" }
         val resourceUrl = javaClass.classLoader.getResource("$DEFAULT_TEMPLATE_PATH/$key.${type.extension}")
-            ?: throw IllegalStateException("Default template file not found for '$key.${type.extension}'")
+            ?: error("Default template file not found for '$key.${type.extension}'")
         return Paths.get(resourceUrl.toURI())
     }
 
diff --git a/app/src/main/kotlin/org/gameyfin/app/requests/GameRequestService.kt b/app/src/main/kotlin/org/gameyfin/app/requests/GameRequestService.kt
index f9b3aa8..00c0401 100644
--- a/app/src/main/kotlin/org/gameyfin/app/requests/GameRequestService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/requests/GameRequestService.kt
@@ -78,7 +78,7 @@ class GameRequestService(
     }
 
     fun getAll(): List<GameRequestDto> {
-        val entities = gameRequestRepository.findAll()
+        val entities = gameRequestRepository.findAll().toList()
         return entities.toDtos()
     }
 
@@ -177,9 +177,9 @@ class GameRequestService(
 
     @Transactional
     fun toggleRequestVote(id: Long) {
-        val auth = getCurrentAuth() ?: throw IllegalStateException("No authentication found")
+        val auth = getCurrentAuth() ?: error("No authentication found")
         val currentUser =
-            userService.getByUsername(auth.name) ?: throw IllegalStateException("Current user not found")
+            userService.getByUsername(auth.name) ?: error("Current user not found")
         val gameRequest = gameRequestRepository.findById(id)
             .orElseThrow { NoSuchElementException("No game request found with id $id") }
 
@@ -192,8 +192,6 @@ class GameRequestService(
         }
         gameRequest.voters = updatedVoters
 
-        // Ensure the entity is marked as dirty
-        gameRequest.status = gameRequest.status
 
         gameRequestRepository.save(gameRequest)
     }
@@ -201,7 +199,7 @@ class GameRequestService(
     private fun completeMatchingRequests(game: Game) {
         val gameTitle = game.title
         val gameRelease = game.release
-        val gamePlatforms = game.platforms
+        val gamePlatforms = game.platforms.toList()
 
         if (gameTitle == null) {
             log.warn { "Game '${game.id}' is missing title, cannot complete matching requests" }
diff --git a/app/src/main/kotlin/org/gameyfin/app/users/UserEndpoint.kt b/app/src/main/kotlin/org/gameyfin/app/users/UserEndpoint.kt
index b1712ff..d99f283 100644
--- a/app/src/main/kotlin/org/gameyfin/app/users/UserEndpoint.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/users/UserEndpoint.kt
@@ -17,6 +17,11 @@ class UserEndpoint(
     private val userService: UserService,
     private val roleService: RoleService
 ) {
+
+    companion object {
+        private const val NO_AUTH_FOUND = "No authentication found"
+    }
+
     @AnonymousAllowed
     fun getUserInfo(): ExtendedUserInfoDto? {
         val auth = getCurrentAuth()
@@ -26,7 +31,7 @@ class UserEndpoint(
 
     @PermitAll
     fun updateUser(updates: UserUpdateDto) {
-        val auth = getCurrentAuth() ?: throw IllegalStateException("No authentication found")
+        val auth = getCurrentAuth() ?: error(NO_AUTH_FOUND)
         userService.updateUser(auth.name, updates)
     }
 
@@ -57,7 +62,7 @@ class UserEndpoint(
 
     @PermitAll
     fun deleteUser() {
-        val auth: Authentication = getCurrentAuth() ?: throw IllegalStateException("No authentication found")
+        val auth: Authentication = getCurrentAuth() ?: error(NO_AUTH_FOUND)
         userService.deleteUser(auth.name)
     }
 
@@ -73,7 +78,7 @@ class UserEndpoint(
 
     @RolesAllowed(Role.Names.ADMIN)
     fun getRolesBelow(): List<String> {
-        val auth: Authentication = getCurrentAuth() ?: throw IllegalStateException("No authentication found")
+        val auth: Authentication = getCurrentAuth() ?: error(NO_AUTH_FOUND)
         return roleService.getRolesBelowAuth(auth).map { it.roleName }
     }
 
diff --git a/app/src/main/kotlin/org/gameyfin/app/users/UserService.kt b/app/src/main/kotlin/org/gameyfin/app/users/UserService.kt
index 8de596b..8bbded3 100644
--- a/app/src/main/kotlin/org/gameyfin/app/users/UserService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/users/UserService.kt
@@ -42,8 +42,12 @@ class UserService(
     private val eventPublisher: ApplicationEventPublisher
 ) : UserDetailsService {
 
-    private val log = KotlinLogging.logger {}
+    companion object {
+        private const val NO_AUTH_FOUND = "No authentication found"
 
+        private val log = KotlinLogging.logger {}
+    }
+    
     val selfRegistrationAllowed: Boolean
         get() = config.get(ConfigProperties.Users.SignUps.Allow) == true
 
@@ -106,7 +110,7 @@ class UserService(
     }
 
     fun getUserInfo(): ExtendedUserInfoDto {
-        val auth = getCurrentAuth() ?: throw IllegalStateException("No authentication found")
+        val auth = getCurrentAuth() ?: error(NO_AUTH_FOUND)
         val principal = auth.principal
 
         if (principal is OidcUser) {
@@ -159,13 +163,8 @@ class UserService(
     }
 
     fun selfRegisterUser(registration: UserRegistrationDto) {
-        if (!selfRegistrationAllowed) {
-            throw IllegalStateException("Sign ups are not allowed")
-        }
-
-        if (existsByUsername(registration.username)) {
-            throw IllegalStateException("User with username '${registration.username}' already exists")
-        }
+        check(selfRegistrationAllowed) { "Sign ups are not allowed" }
+        check(!existsByUsername(registration.username)) { "User with username '${registration.username}' already exists" }
 
         userRepository.findByEmail(registration.email)?.let {
             eventPublisher.publishEvent(
@@ -216,7 +215,7 @@ class UserService(
         )
 
         if (existsByUsername(user.username)) {
-            throw IllegalStateException("User with username '${user.username}' already exists")
+            error("User with username '${user.username}' already exists")
         }
 
         return userRepository.save(user)
@@ -252,7 +251,7 @@ class UserService(
             return RoleAssignmentResult.NO_ROLES_PROVIDED
         }
 
-        val currentUser = getCurrentAuth() ?: throw IllegalStateException("No authentication found")
+        val currentUser = getCurrentAuth() ?: error(NO_AUTH_FOUND)
         val targetUser = getByUsernameNonNull(username)
 
         if (!canManage(targetUser)) {
@@ -280,7 +279,7 @@ class UserService(
     }
 
     fun canManage(targetUser: org.gameyfin.app.users.entities.User): Boolean {
-        val currentUser = getCurrentAuth() ?: throw IllegalStateException("No authentication found")
+        val currentUser = getCurrentAuth() ?: error(NO_AUTH_FOUND)
         val currentUserLevel = roleService.getHighestRoleFromAuthorities(currentUser.authorities).powerLevel
         val targetUserLevel = roleService.getHighestRole(targetUser.roles).powerLevel
         return currentUserLevel > targetUserLevel
diff --git a/app/src/main/kotlin/org/gameyfin/app/users/emailconfirmation/EmailConfirmationEndpoint.kt b/app/src/main/kotlin/org/gameyfin/app/users/emailconfirmation/EmailConfirmationEndpoint.kt
index fe0f9d1..db85910 100644
--- a/app/src/main/kotlin/org/gameyfin/app/users/emailconfirmation/EmailConfirmationEndpoint.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/users/emailconfirmation/EmailConfirmationEndpoint.kt
@@ -19,7 +19,7 @@ class EmailConfirmationEndpoint(
 
     @PermitAll
     fun resendEmailConfirmation() {
-        val auth = getCurrentAuth() ?: throw IllegalStateException("No authentication found")
+        val auth = getCurrentAuth() ?: error("No authentication found")
         userService.getByUsername(auth.name)?.let {
             emailConfirmationService.resendEmailConfirmation(it)
         }
diff --git a/app/src/main/kotlin/org/gameyfin/app/users/entities/User.kt b/app/src/main/kotlin/org/gameyfin/app/users/entities/User.kt
index c6a93b8..994f4bf 100644
--- a/app/src/main/kotlin/org/gameyfin/app/users/entities/User.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/users/entities/User.kt
@@ -46,4 +46,12 @@ class User(
         enabled = true,
         oidcProviderId = oidcUser.subject
     )
+
+    constructor(oidcUser: OidcUser, resolvedUsername: String) : this(
+        username = resolvedUsername,
+        email = oidcUser.email,
+        emailConfirmed = true,
+        enabled = true,
+        oidcProviderId = oidcUser.subject
+    )
 }
\ No newline at end of file
diff --git a/app/src/main/kotlin/org/gameyfin/app/users/entities/UserEntityListener.kt b/app/src/main/kotlin/org/gameyfin/app/users/entities/UserEntityListener.kt
index 5fbba23..0fb534b 100644
--- a/app/src/main/kotlin/org/gameyfin/app/users/entities/UserEntityListener.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/users/entities/UserEntityListener.kt
@@ -19,7 +19,7 @@ class UserEntityListener {
         val gameRequests = entityManager.createQuery(
             "SELECT gr FROM GameRequest gr WHERE :user MEMBER OF gr.voters OR gr.requester = :user",
             GameRequest::class.java
-        ).setParameter("user", user).resultList
+        ).setParameter("user", user).resultList.toList()
         for (gr in gameRequests) {
             gr.voters.remove(user)
             if (gr.requester == user) gr.requester = null
diff --git a/app/src/main/kotlin/org/gameyfin/app/users/passwordreset/PasswordResetService.kt b/app/src/main/kotlin/org/gameyfin/app/users/passwordreset/PasswordResetService.kt
index 992fa68..1ead57f 100644
--- a/app/src/main/kotlin/org/gameyfin/app/users/passwordreset/PasswordResetService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/users/passwordreset/PasswordResetService.kt
@@ -26,10 +26,7 @@ class PasswordResetService(
     private val secureRandom = SecureRandom()
 
     override fun generate(user: User): Token<TokenType.PasswordReset> {
-        if (user.oidcProviderId != null) {
-            throw IllegalStateException("Cannot create password reset token for user '${user.username}' because user is managed externally")
-        }
-
+        check(user.oidcProviderId == null) { "Cannot create password reset token for user '${user.username}' because user is managed externally" }
         return super.generate(user)
     }
 
@@ -44,9 +41,7 @@ class PasswordResetService(
         val user = userService.getByUsername(username)
             ?: throw IllegalArgumentException("Cannot create password reset token for user '$username' because user does not exist")
 
-        if (messageService.enabled && user.emailConfirmed) {
-            throw IllegalStateException("Cannot create password reset token for user '$username' because self-service is enabled")
-        }
+        check(!(messageService.enabled && user.emailConfirmed)) { "Cannot create password reset token for user '$username' because self-service is enabled" }
 
         val token = generate(user)
         return TokenDto(token)
diff --git a/app/src/main/kotlin/org/gameyfin/app/users/preferences/UserPreferencesService.kt b/app/src/main/kotlin/org/gameyfin/app/users/preferences/UserPreferencesService.kt
index 0d9a392..8897d47 100644
--- a/app/src/main/kotlin/org/gameyfin/app/users/preferences/UserPreferencesService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/users/preferences/UserPreferencesService.kt
@@ -135,7 +135,7 @@ class UserPreferencesService(
     }
 
     private fun id(key: String): UserPreferenceKey {
-        val auth = getCurrentAuth() ?: throw IllegalStateException("No authentication found")
+        val auth = getCurrentAuth() ?: error("No authentication found")
         val user = userService.getByUsernameNonNull(auth.name)
         return UserPreferenceKey(key, user.id!!)
     }
diff --git a/app/src/main/kotlin/org/gameyfin/app/users/registration/InvitationService.kt b/app/src/main/kotlin/org/gameyfin/app/users/registration/InvitationService.kt
index ee5710d..a76fb34 100644
--- a/app/src/main/kotlin/org/gameyfin/app/users/registration/InvitationService.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/users/registration/InvitationService.kt
@@ -26,11 +26,10 @@ class InvitationService(
     }
 
     fun createInvitation(email: String): TokenDto {
-        if (userService.existsByEmail(email))
-            throw IllegalStateException("User with email ${Utils.maskEmail(email)} is already registered")
+        check(!(userService.existsByEmail(email))) { "User with email ${Utils.maskEmail(email)} is already registered" }
 
-        val auth = getCurrentAuth() ?: throw IllegalStateException("No authentication found")
-        val user = userService.getByUsername(auth.name) ?: throw IllegalStateException("User not found")
+        val auth = getCurrentAuth() ?: error("No authentication found")
+        val user = userService.getByUsername(auth.name) ?: error("User not found")
         val payload = mapOf(EMAIL_KEY to email)
         val token = super.generateWithPayload(user, payload)
 
diff --git a/app/src/main/kotlin/org/gameyfin/app/util/EntityManagerHolder.kt b/app/src/main/kotlin/org/gameyfin/app/util/EntityManagerHolder.kt
index bc17988..3c9f11a 100644
--- a/app/src/main/kotlin/org/gameyfin/app/util/EntityManagerHolder.kt
+++ b/app/src/main/kotlin/org/gameyfin/app/util/EntityManagerHolder.kt
@@ -15,6 +15,6 @@ object EntityManagerHolder : ApplicationContextAware {
     }
 
     fun getEntityManager(): EntityManager {
-        return entityManager ?: throw IllegalStateException("EntityManager not set")
+        return entityManager ?: error("EntityManager not set")
     }
 }
\ No newline at end of file
diff --git a/app/src/main/kotlin/org/gameyfin/db/h2/BlurhashMigration.kt b/app/src/main/kotlin/org/gameyfin/db/h2/BlurhashMigration.kt
index 6aae9c6..a9f5ebb 100644
--- a/app/src/main/kotlin/org/gameyfin/db/h2/BlurhashMigration.kt
+++ b/app/src/main/kotlin/org/gameyfin/db/h2/BlurhashMigration.kt
@@ -54,6 +54,7 @@ object BlurhashMigration {
      * This method is called from Flyway migration V2.3.0.6.
      * Uses multithreading and batch updates for performance.
      */
+    @Suppress("kotlin:S3776")
     @JvmStatic
     fun calculateBlurhashesForAllImages(conn: Connection, dataPath: String) {
         val startTime = System.currentTimeMillis()
diff --git a/app/src/main/resources/application-aot-training.yml b/app/src/main/resources/application-aot-training.yml
new file mode 100644
index 0000000..3b033fb
--- /dev/null
+++ b/app/src/main/resources/application-aot-training.yml
@@ -0,0 +1,24 @@
+# ── Spring profile activated only during AOT cache training ────────────
+# Overrides that let the app boot from scratch in an ephemeral container
+# without a pre-existing database or real external services.
+
+logging.level:
+  root: warn
+  org.gameyfin: info
+
+spring:
+  jpa:
+    hibernate:
+      ddl-auto: none
+  flyway:
+    baseline-on-migrate: true
+    baseline-version: 0
+
+server:
+  shutdown: graceful
+
+spring.lifecycle:
+  timeout-per-shutdown-phase: 15s
+
+
+
diff --git a/app/src/main/resources/application-dev.yml b/app/src/main/resources/application-dev.yml
index d8103d5..2e92803 100644
--- a/app/src/main/resources/application-dev.yml
+++ b/app/src/main/resources/application-dev.yml
@@ -1,6 +1,8 @@
 logging.level:
   root: info
-  org.gameyfin.GameyfinApplicationKt: info
+  org.gameyfin: debug
+  org.gameyfin.app.GameyfinApplicationKt: info
+  org.flywaydb.core.internal.database.base: warn
 
 spring:
   datasource:
diff --git a/app/src/main/resources/application.yml b/app/src/main/resources/application.yml
index a185a03..773d0ee 100644
--- a/app/src/main/resources/application.yml
+++ b/app/src/main/resources/application.yml
@@ -4,7 +4,8 @@ logging.level:
   org.gameyfin: info
   org.flywaydb.core.internal.command: info
   org.flywaydb.core.internal.sqlscript: warn
-  org.gameyfin.GameyfinApplicationKt: warn
+  org.flywaydb.core.internal.database.base: error
+  org.gameyfin.app.GameyfinApplicationKt: warn
   # Suppress false positive warnings from Spring Security 6
   org.springframework.security.config.annotation.authentication.configuration.InitializeUserDetailsBeanManagerConfigurer: error
 
@@ -13,12 +14,19 @@ server:
   servlet:
     session:
       tracking-modes: cookie
-      timeout: 24h
+      timeout: 4h
   forward-headers-strategy: framework
-  jetty:
+  tomcat:
+    remoteip:
+      protocol-header: X-Forwarded-Proto
+      remote-ip-header: X-Forwarded-For
     threads:
       max: 200
-      min: 8
+      min-spare: 10
+    max-connections: 10_000
+    max-keep-alive-requests: 100
+    connection-timeout: 10m
+    keep-alive-timeout: 10m
 
 management:
   server:
@@ -26,42 +34,49 @@ management:
   endpoints:
     web:
       exposure:
-        include: restart, health, info, metrics, prometheus
+        include: restart, health, metrics, prometheus, info
   endpoint:
     pause:
       enabled: false
     restart:
       access: unrestricted
+    health:
+      group:
+        readiness:
+          include: pluginsLoaded
 
 spring:
-  # Workaround for https://github.com/vaadin/hilla/issues/842
-  devtools.restart.additional-exclude: dev/hilla/openapi.json
-  jpa:
-    # defer-datasource-initialization: true
-    hibernate:
-      ddl-auto: validate
-    open-in-view: true
-  mustache:
-    check-template-location: false
-  sql.init.mode: always
-  datasource:
-    username: gfadmin
-    password: gameyfin
-    db-name: gameyfin_db
-    url: jdbc:h2:file:./db/${spring.datasource.db-name}
-    driverClassName: org.h2.Driver
-  content:
-    fs.filesystem-root: ./data/
   application:
     name: Gameyfin
     version: @project.version@
   threads:
     virtual.enabled: true
-  mvc:
-    async.request-timeout: 0
+  sql.init.mode: always
+  datasource:
+    username: gfadmin
+    password: gameyfin
+    db-name: gameyfin_db
+    url: jdbc:h2:file:./db/${spring.datasource.db-name};CACHE_SIZE=16384
+    driverClassName: org.h2.Driver
+    hikari:
+      maximum-pool-size: 10
+      connection-timeout: 60_000
   flyway:
     baseline-on-migrate: true
     baseline-version: 2.0.0
+  jpa:
+    hibernate:
+      ddl-auto: validate
+    open-in-view: false
+    properties:
+      hibernate:
+        jdbc.batch_size: 25
+        order_inserts: true
+        order_updates: true
+  content:
+    fs.filesystem-root: ./data/
+  mvc:
+    async.request-timeout: 0
 
 vaadin:
   # To improve the performance during development.
diff --git a/app/src/main/resources/db/migration/V2.4.0__Refactor_token_primary_key_for_encryption.sql b/app/src/main/resources/db/migration/V2.4.0.1__Refactor_token_primary_key_for_encryption.sql
similarity index 73%
rename from app/src/main/resources/db/migration/V2.4.0__Refactor_token_primary_key_for_encryption.sql
rename to app/src/main/resources/db/migration/V2.4.0.1__Refactor_token_primary_key_for_encryption.sql
index 13e307b..d5549c3 100644
--- a/app/src/main/resources/db/migration/V2.4.0__Refactor_token_primary_key_for_encryption.sql
+++ b/app/src/main/resources/db/migration/V2.4.0.1__Refactor_token_primary_key_for_encryption.sql
@@ -1,4 +1,4 @@
--- Flyway Migration: V2.4.0
+-- Flyway Migration: V2.4.0.1
 -- Purpose: Refactor TOKEN table to support encryption on secret field by separating primary key from secret.
 -- Context: Hibernate 6.x (Spring Boot 4) does not allow AttributeConverter on @Id fields.
 --          The secret field contains sensitive token data (password reset tokens, etc.) that needs encryption.
@@ -6,25 +6,32 @@
 --   Modify the existing TOKEN table in-place by adding a new ID column and restructuring constraints.
 
 -- Step 1: Add new ID column (nullable initially to allow data population)
-ALTER TABLE TOKEN ADD COLUMN ID CHARACTER VARYING(255);
+ALTER TABLE TOKEN
+    ADD COLUMN ID CHARACTER VARYING(255);
 
 -- Step 2: Populate ID column with new UUIDs for existing rows
-UPDATE TOKEN SET ID = RANDOM_UUID() WHERE ID IS NULL;
+UPDATE TOKEN
+SET ID = RANDOM_UUID()
+WHERE ID IS NULL;
 
 -- Step 3: Make ID column non-null now that it has values
-ALTER TABLE TOKEN ALTER COLUMN ID SET NOT NULL;
+ALTER TABLE TOKEN
+    ALTER COLUMN ID SET NOT NULL;
 
 -- Step 4: Drop the primary key constraint on SECRET
 -- H2 uses auto-generated constraint names, so we need to find and drop it
 -- The primary key constraint is typically named PRIMARY_KEY_XXX or CONSTRAINT_XXX
-ALTER TABLE TOKEN DROP PRIMARY KEY;
+ALTER TABLE TOKEN
+    DROP PRIMARY KEY;
 
 -- Step 5: Add primary key constraint on ID
-ALTER TABLE TOKEN ADD PRIMARY KEY (ID);
+ALTER TABLE TOKEN
+    ADD PRIMARY KEY (ID);
 
 -- Step 6: Add unique constraint on SECRET (it was previously the primary key, so it was already unique)
 -- The SECRET column should remain unique for lookups
-ALTER TABLE TOKEN ADD CONSTRAINT UK_TOKEN_SECRET UNIQUE (SECRET);
+ALTER TABLE TOKEN
+    ADD CONSTRAINT UK_TOKEN_SECRET UNIQUE (SECRET);
 
 -- Step 7: Create index on SECRET for fast lookups
-CREATE INDEX IDX_TOKEN_SECRET ON TOKEN(SECRET);
+CREATE INDEX IDX_TOKEN_SECRET ON TOKEN (SECRET);
diff --git a/app/src/main/resources/db/migration/V2.4.0.2__Disable_length_limit_for_plugin_config_value.sql b/app/src/main/resources/db/migration/V2.4.0.2__Disable_length_limit_for_plugin_config_value.sql
new file mode 100644
index 0000000..66f885a
--- /dev/null
+++ b/app/src/main/resources/db/migration/V2.4.0.2__Disable_length_limit_for_plugin_config_value.sql
@@ -0,0 +1,7 @@
+-- Flyway Migration: V2.4.0.2
+-- Purpose: Make PLUGIN_CONFIG.value column unbounded to avoid length errors when storing large values.
+-- Context: Previously defined as CHARACTER VARYING(255); H2 raised 22001 (value too long).
+-- Strategy: Alter column type to CLOB (unlimited length in H2). This matches other large text usages (e.g., COMMENT, SUMMARY) which use CHARACTER LARGE OBJECT.
+
+ALTER TABLE PLUGIN_CONFIG
+    ALTER COLUMN "value" CLOB;
\ No newline at end of file
diff --git a/app/src/test/kotlin/org/gameyfin/app/config/ConfigServiceTest.kt b/app/src/test/kotlin/org/gameyfin/app/config/ConfigServiceTest.kt
index 9de60cc..dcb3d7d 100644
--- a/app/src/test/kotlin/org/gameyfin/app/config/ConfigServiceTest.kt
+++ b/app/src/test/kotlin/org/gameyfin/app/config/ConfigServiceTest.kt
@@ -330,7 +330,7 @@ class ConfigServiceTest {
         result.forEach { entry ->
             assertNotNull(entry.key)
             assertNotNull(entry.type)
-            assertNotNull(entry.description)
+            assertNotNull(entry.name)
         }
     }
 
diff --git a/app/src/test/kotlin/org/gameyfin/app/core/download/files/DownloadServiceTest.kt b/app/src/test/kotlin/org/gameyfin/app/core/download/files/DownloadServiceTest.kt
index 312e3bd..73c48a1 100644
--- a/app/src/test/kotlin/org/gameyfin/app/core/download/files/DownloadServiceTest.kt
+++ b/app/src/test/kotlin/org/gameyfin/app/core/download/files/DownloadServiceTest.kt
@@ -1,10 +1,12 @@
 package org.gameyfin.app.core.download.files
 
 import io.mockk.*
+import io.micrometer.core.instrument.simple.SimpleMeterRegistry
 import org.gameyfin.app.config.ConfigProperties
 import org.gameyfin.app.config.ConfigService
 import org.gameyfin.app.core.download.bandwidth.SessionBandwidthManager
 import org.gameyfin.app.core.download.bandwidth.SessionBandwidthTracker
+import org.gameyfin.app.core.metrics.DownloadMetrics
 import org.gameyfin.app.core.plugins.management.GameyfinPluginDescriptor
 import org.gameyfin.app.core.plugins.management.GameyfinPluginManager
 import org.gameyfin.app.games.entities.Game
@@ -35,7 +37,8 @@ class DownloadServiceTest {
         pluginManager = mockk<GameyfinPluginManager>(relaxed = true)
         configService = mockk<ConfigService>(relaxed = true)
         sessionBandwidthManager = mockk<SessionBandwidthManager>(relaxed = true)
-        service = DownloadService(pluginManager, configService, sessionBandwidthManager)
+        val downloadMetrics = DownloadMetrics(SimpleMeterRegistry(), sessionBandwidthManager)
+        service = DownloadService(pluginManager, configService, sessionBandwidthManager, downloadMetrics)
     }
 
     @AfterEach
diff --git a/app/src/test/kotlin/org/gameyfin/app/core/plugins/PluginServiceTest.kt b/app/src/test/kotlin/org/gameyfin/app/core/plugins/PluginServiceTest.kt
index e69de29..1c7bdc1 100644
--- a/app/src/test/kotlin/org/gameyfin/app/core/plugins/PluginServiceTest.kt
+++ b/app/src/test/kotlin/org/gameyfin/app/core/plugins/PluginServiceTest.kt
@@ -0,0 +1,528 @@
+package org.gameyfin.app.core.plugins
+
+import io.mockk.*
+import org.gameyfin.app.core.plugins.config.PluginConfigEntry
+import org.gameyfin.app.core.plugins.config.PluginConfigEntryKey
+import org.gameyfin.app.core.plugins.config.PluginConfigRepository
+import org.gameyfin.app.core.plugins.dto.PluginUpdateDto
+import org.gameyfin.app.core.plugins.management.*
+import org.gameyfin.pluginapi.core.config.ConfigMetadata
+import org.gameyfin.pluginapi.core.config.Configurable
+import org.gameyfin.pluginapi.core.config.PluginConfigValidationResult
+import org.gameyfin.pluginapi.core.config.PluginConfigValidationResultType
+import org.gameyfin.pluginapi.core.wrapper.GameyfinPlugin
+import org.junit.jupiter.api.AfterEach
+import org.junit.jupiter.api.Assertions.assertDoesNotThrow
+import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.Test
+import org.pf4j.ExtensionPoint
+import org.pf4j.Plugin
+import org.pf4j.PluginState
+import org.pf4j.PluginWrapper
+import org.springframework.data.repository.findByIdOrNull
+import reactor.test.StepVerifier
+import kotlin.test.*
+
+class PluginServiceTest {
+
+    private lateinit var pluginManager: GameyfinPluginManager
+    private lateinit var pluginManagementRepository: PluginManagementRepository
+    private lateinit var pluginConfigRepository: PluginConfigRepository
+    private lateinit var service: PluginService
+
+    @BeforeEach
+    fun setup() {
+        pluginManager = mockk(relaxed = true)
+        pluginManagementRepository = mockk(relaxed = true)
+        pluginConfigRepository = mockk(relaxed = true)
+
+        // Default stubs
+        every { pluginManager.plugins } returns emptyList()
+        every { pluginConfigRepository.findAllByPluginId(any()) } returns emptyList()
+        every { pluginManagementRepository.findByIdOrNull(any()) } returns null
+
+        service = PluginService(pluginManager, pluginManagementRepository, pluginConfigRepository)
+    }
+
+    @AfterEach
+    fun tearDown() {
+        unmockkAll()
+        clearAllMocks()
+    }
+
+    // -----------------------------------------------------------------------
+    // subscribe / emit
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `subscribe should return a flux that receives emitted updates`() {
+        val update = PluginUpdateDto("plugin1", PluginState.STARTED)
+
+        val flux = PluginService.subscribe()
+        PluginService.emit(update)
+
+        StepVerifier.create(flux.take(1))
+            .assertNext { batch -> assertTrue(batch.contains(update)) }
+            .verifyComplete()
+    }
+
+    // -----------------------------------------------------------------------
+    // getSupportedPluginTypes
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `getSupportedPluginTypes should aggregate extension types from all plugins`() {
+        val wrapper1 = mockPluginWrapper("p1")
+        val wrapper2 = mockPluginWrapper("p2")
+
+        every { pluginManager.plugins } returns listOf(wrapper1, wrapper2)
+        every { pluginManager.getExtensionTypes("p1") } returns listOf("DownloadProvider")
+        every { pluginManager.getExtensionTypes("p2") } returns listOf("GameMetadataProvider")
+
+        val result = service.getSupportedPluginTypes()
+
+        assertEquals(listOf("DownloadProvider", "GameMetadataProvider"), result)
+    }
+
+    @Test
+    fun `getSupportedPluginTypes should return empty list when no plugins are registered`() {
+        every { pluginManager.plugins } returns emptyList()
+
+        val result = service.getSupportedPluginTypes()
+
+        assertTrue(result.isEmpty())
+    }
+
+    // -----------------------------------------------------------------------
+    // getAll
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `getAll should return a PluginDto for every loaded plugin`() {
+        val wrapper = buildFullPluginWrapper("my-plugin")
+        every { pluginManager.plugins } returns listOf(wrapper)
+
+        val result = service.getAll()
+
+        assertEquals(1, result.size)
+        assertEquals("my-plugin", result[0].id)
+    }
+
+    @Test
+    fun `getAll should return empty list when no plugins are loaded`() {
+        every { pluginManager.plugins } returns emptyList()
+
+        assertTrue(service.getAll().isEmpty())
+    }
+
+    // -----------------------------------------------------------------------
+    // getAllByTypeAndState
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `getAllByTypeAndState should only return plugins matching the given state`() {
+        val startedWrapper = buildFullPluginWrapper("started-plugin", PluginState.STARTED)
+        val stoppedWrapper = buildFullPluginWrapper("stopped-plugin", PluginState.STOPPED)
+
+        every { pluginManager.getPluginsForExtension(GameMetadataProviderStub::class) } returns
+                listOf(startedWrapper, stoppedWrapper)
+
+        val result = service.getAllByTypeAndState(GameMetadataProviderStub::class, PluginState.STARTED)
+
+        assertEquals(1, result.size)
+        assertEquals("started-plugin", result[0].id)
+    }
+
+    @Test
+    fun `getAllByTypeAndState should return empty list when no plugins match`() {
+        every { pluginManager.getPluginsForExtension(GameMetadataProviderStub::class) } returns emptyList()
+
+        val result = service.getAllByTypeAndState(GameMetadataProviderStub::class, PluginState.STARTED)
+
+        assertTrue(result.isEmpty())
+    }
+
+    // -----------------------------------------------------------------------
+    // getPluginManagementEntry
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `getPluginManagementEntry should return entry for the plugin owning the class`() {
+        val wrapper = mockPluginWrapper("owner-plugin")
+        val entry = PluginManagementEntry("owner-plugin", enabled = true)
+
+        every { pluginManager.whichPlugin(GameMetadataProviderStub::class.java) } returns wrapper
+        every { pluginManagementRepository.findByIdOrNull("owner-plugin") } returns entry
+
+        val result = service.getPluginManagementEntry(GameMetadataProviderStub::class.java)
+
+        assertEquals(entry, result)
+    }
+
+    @Test
+    fun `getPluginManagementEntry should throw when no management entry exists`() {
+        val wrapper = mockPluginWrapper("missing-plugin")
+        every { pluginManager.whichPlugin(GameMetadataProviderStub::class.java) } returns wrapper
+        every { pluginManagementRepository.findByIdOrNull("missing-plugin") } returns null
+
+        assertFailsWith<IllegalArgumentException> {
+            service.getPluginManagementEntry(GameMetadataProviderStub::class.java)
+        }
+    }
+
+    // -----------------------------------------------------------------------
+    // getPluginManagementEntries
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `getPluginManagementEntries should return entries for started plugins with matching type`() {
+        val wrapper = buildFullPluginWrapper("started-plugin", PluginState.STARTED)
+        val entry = PluginManagementEntry("started-plugin", enabled = true)
+
+        every { pluginManager.plugins } returns listOf(wrapper)
+        every { pluginManager.getExtensionTypes("started-plugin") } returns listOf("GameMetadataProviderStub")
+        every { pluginManagementRepository.findByIdOrNull("started-plugin") } returns entry
+
+        val result = service.getPluginManagementEntries(GameMetadataProviderStub::class.java, enabledOnly = true)
+
+        assertEquals(1, result.size)
+        assertEquals(entry, result[0])
+    }
+
+    @Test
+    fun `getPluginManagementEntries with enabledOnly false should include non-started plugins`() {
+        val stoppedWrapper = buildFullPluginWrapper("stopped-plugin", PluginState.STOPPED)
+        val entry = PluginManagementEntry("stopped-plugin", enabled = false)
+
+        every { pluginManager.plugins } returns listOf(stoppedWrapper)
+        every { pluginManager.getExtensionTypes("stopped-plugin") } returns listOf("GameMetadataProviderStub")
+        every { pluginManagementRepository.findByIdOrNull("stopped-plugin") } returns entry
+
+        val result = service.getPluginManagementEntries(GameMetadataProviderStub::class.java, enabledOnly = false)
+
+        assertEquals(1, result.size)
+        assertEquals(entry, result[0])
+    }
+
+    @Test
+    fun `getPluginManagementEntries should throw when management entry is missing`() {
+        val wrapper = buildFullPluginWrapper("no-entry-plugin", PluginState.STARTED)
+
+        every { pluginManager.plugins } returns listOf(wrapper)
+        every { pluginManager.getExtensionTypes("no-entry-plugin") } returns listOf("GameMetadataProviderStub")
+        every { pluginManagementRepository.findByIdOrNull("no-entry-plugin") } returns null
+
+        assertFailsWith<IllegalArgumentException> {
+            service.getPluginManagementEntries(GameMetadataProviderStub::class.java, enabledOnly = true)
+        }
+    }
+
+    // -----------------------------------------------------------------------
+    // enablePlugin / disablePlugin
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `enablePlugin should delegate to pluginManager`() {
+        service.enablePlugin("my-plugin")
+        verify(exactly = 1) { pluginManager.enablePlugin("my-plugin") }
+    }
+
+    @Test
+    fun `disablePlugin should delegate to pluginManager`() {
+        service.disablePlugin("my-plugin")
+        verify(exactly = 1) { pluginManager.disablePlugin("my-plugin") }
+    }
+
+    // -----------------------------------------------------------------------
+    // setPluginPriorities
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `setPluginPriorities should persist updated priorities for each plugin`() {
+        val entry1 = PluginManagementEntry("p1", priority = 1)
+        val entry2 = PluginManagementEntry("p2", priority = 2)
+
+        every { pluginManager.getManagementEntry("p1") } returns entry1
+        every { pluginManager.getManagementEntry("p2") } returns entry2
+        every { pluginManagementRepository.save(any()) } returnsArgument 0
+
+        service.setPluginPriorities(mapOf("p1" to 10, "p2" to 5))
+
+        verify(exactly = 1) { pluginManagementRepository.save(match { it.pluginId == "p1" && it.priority == 10 }) }
+        verify(exactly = 1) { pluginManagementRepository.save(match { it.pluginId == "p2" && it.priority == 5 }) }
+    }
+
+    @Test
+    fun `setPluginPriorities with empty map should not call save`() {
+        service.setPluginPriorities(emptyMap())
+        verify(exactly = 0) { pluginManagementRepository.save(any()) }
+    }
+
+    // -----------------------------------------------------------------------
+    // getLogo
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `getLogo should return bytes from plugin`() {
+        val logoBytes = byteArrayOf(1, 2, 3)
+        val gameyfinPlugin = mockk<GameyfinPlugin>()
+        val wrapper = mockPluginWrapper("logo-plugin")
+
+        every { wrapper.plugin } returns gameyfinPlugin
+        every { pluginManager.getPlugin("logo-plugin") } returns wrapper
+        every { gameyfinPlugin.getLogo() } returns logoBytes
+
+        val result = service.getLogo("logo-plugin")
+
+        assertContentEquals(logoBytes, result)
+    }
+
+    @Test
+    fun `getLogo should return null when plugin has no logo`() {
+        val gameyfinPlugin = mockk<GameyfinPlugin>()
+        val wrapper = mockPluginWrapper("no-logo-plugin")
+
+        every { wrapper.plugin } returns gameyfinPlugin
+        every { pluginManager.getPlugin("no-logo-plugin") } returns wrapper
+        every { gameyfinPlugin.getLogo() } returns null
+
+        assertNull(service.getLogo("no-logo-plugin"))
+    }
+
+    // -----------------------------------------------------------------------
+    // getConfigMetadata
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `getConfigMetadata should return null for non-configurable plugin`() {
+        val wrapper = mockPluginWrapper("plain-plugin")
+        every { wrapper.plugin } returns mockk<Plugin>(relaxed = true)
+
+        assertNull(service.getConfigMetadata(wrapper))
+    }
+
+    @Test
+    fun `getConfigMetadata should return metadata for configurable plugin`() {
+        val meta = ConfigMetadata(
+            key = "apiKey",
+            type = String::class.java,
+            label = "API Key",
+            description = "Your API key",
+            isSecret = true,
+            isRequired = true,
+        )
+
+        val configurablePlugin = mockk<TestConfigurablePlugin>()
+        every { configurablePlugin.configMetadata } returns listOf(meta)
+
+        val wrapper = mockPluginWrapper("configurable-plugin")
+        every { wrapper.plugin } returns configurablePlugin
+
+        val result = service.getConfigMetadata(wrapper)
+
+        assertNotNull(result)
+        assertEquals(1, result.size)
+        with(result[0]) {
+            assertEquals("apiKey", key)
+            assertEquals("String", type)
+            assertEquals("API Key", label)
+            assertEquals("Your API key", description)
+            assertTrue(secret)
+            assertTrue(required)
+            assertNull(allowedValues)
+        }
+    }
+
+    @Test
+    fun `getConfigMetadata should include allowed values for enum-typed config entries`() {
+        val meta = ConfigMetadata(
+            key = "mode",
+            type = TestMode::class.java,
+            label = "Mode",
+            description = "Operation mode",
+        )
+
+        val configurablePlugin = mockk<TestConfigurablePlugin>()
+        every { configurablePlugin.configMetadata } returns listOf(meta)
+
+        val wrapper = mockPluginWrapper("enum-config-plugin")
+        every { wrapper.plugin } returns configurablePlugin
+
+        val result = service.getConfigMetadata(wrapper)
+
+        assertNotNull(result)
+        assertEquals(listOf("FAST", "SLOW"), result[0].allowedValues)
+    }
+
+    // -----------------------------------------------------------------------
+    // getConfig
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `getConfig should return key-value map from repository`() {
+        val wrapper = mockPluginWrapper("cfg-plugin")
+        val entries = listOf(
+            PluginConfigEntry(PluginConfigEntryKey("cfg-plugin", "host"), "localhost"),
+            PluginConfigEntry(PluginConfigEntryKey("cfg-plugin", "port"), "8080")
+        )
+        every { pluginConfigRepository.findAllByPluginId("cfg-plugin") } returns entries
+
+        val result = service.getConfig(wrapper)
+
+        assertEquals(mapOf("host" to "localhost", "port" to "8080"), result)
+    }
+
+    @Test
+    fun `getConfig should return empty map when no config entries exist`() {
+        val wrapper = mockPluginWrapper("empty-cfg-plugin")
+        every { pluginConfigRepository.findAllByPluginId("empty-cfg-plugin") } returns emptyList()
+
+        assertTrue(service.getConfig(wrapper).isEmpty())
+    }
+
+    // -----------------------------------------------------------------------
+    // updateConfig
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `updateConfig should persist entries, restart plugin, validate and emit update`() {
+        val pluginId = "upd-plugin"
+        val config = mapOf("key1" to "val1")
+        val validationResult = PluginConfigValidationResult(PluginConfigValidationResultType.VALID)
+
+        every { pluginConfigRepository.saveAll(any<List<PluginConfigEntry>>()) } returns emptyList()
+        every { pluginManager.restart(pluginId) } just Runs
+        every { pluginManager.validatePluginConfig(pluginId) } returns validationResult
+
+        mockkObject(PluginService.Companion)
+        every { PluginService.emit(any()) } just Runs
+
+        assertDoesNotThrow { service.updateConfig(pluginId, config) }
+
+        verify(exactly = 1) { pluginConfigRepository.saveAll(any<List<PluginConfigEntry>>()) }
+        verify(exactly = 1) { pluginManager.restart(pluginId) }
+        verify(exactly = 1) { PluginService.emit(match { it.id == pluginId && it.config == config }) }
+
+        unmockkObject(PluginService.Companion)
+    }
+
+    // -----------------------------------------------------------------------
+    // validatePluginConfig (by pluginId)
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `validatePluginConfig should return cached result on second call`() {
+        val pluginId = "cache-plugin"
+        val result = PluginConfigValidationResult(PluginConfigValidationResultType.VALID)
+
+        every { pluginManager.validatePluginConfig(pluginId) } returns result
+
+        service.validatePluginConfig(pluginId)
+        service.validatePluginConfig(pluginId)
+
+        // Second call should use cache – manager is called only once
+        verify(exactly = 1) { pluginManager.validatePluginConfig(pluginId) }
+    }
+
+    @Test
+    fun `validatePluginConfig with forceRevalidation should bypass cache`() {
+        val pluginId = "force-plugin"
+        val result = PluginConfigValidationResult(PluginConfigValidationResultType.VALID)
+
+        every { pluginManager.validatePluginConfig(pluginId) } returns result
+
+        service.validatePluginConfig(pluginId, forceRevalidation = false)
+        service.validatePluginConfig(pluginId, forceRevalidation = true)
+
+        verify(exactly = 2) { pluginManager.validatePluginConfig(pluginId) }
+    }
+
+    @Test
+    fun `validatePluginConfig should return INVALID result when config is invalid`() {
+        val pluginId = "invalid-plugin"
+        val result = PluginConfigValidationResult(
+            PluginConfigValidationResultType.INVALID,
+            mapOf("apiKey" to "Required")
+        )
+        every { pluginManager.validatePluginConfig(pluginId) } returns result
+
+        val actual = service.validatePluginConfig(pluginId)
+
+        assertEquals(PluginConfigValidationResultType.INVALID, actual.result)
+        assertEquals("Required", actual.errors?.get("apiKey"))
+    }
+
+    // -----------------------------------------------------------------------
+    // validatePluginConfig (with config map)
+    // -----------------------------------------------------------------------
+
+    @Test
+    fun `validatePluginConfig with config map should delegate to pluginManager`() {
+        val pluginId = "map-plugin"
+        val config = mapOf("key" to "value")
+        val result = PluginConfigValidationResult(PluginConfigValidationResultType.VALID)
+
+        every { pluginManager.validatePluginConfig(pluginId, config) } returns result
+
+        val actual = service.validatePluginConfig(pluginId, config)
+
+        assertEquals(result, actual)
+        verify(exactly = 1) { pluginManager.validatePluginConfig(pluginId, config) }
+    }
+
+    // -----------------------------------------------------------------------
+    // Helpers
+    // -----------------------------------------------------------------------
+
+    /** Creates a minimal PluginWrapper mock with a given ID and state. */
+    private fun mockPluginWrapper(pluginId: String, state: PluginState = PluginState.STARTED): PluginWrapper {
+        val wrapper = mockk<PluginWrapper>(relaxed = true)
+        every { wrapper.pluginId } returns pluginId
+        every { wrapper.pluginState } returns state
+        return wrapper
+    }
+
+    /**
+     * Builds a PluginWrapper mock that satisfies the full toDto() path inside PluginService,
+     * including descriptor, management entry, and validation.
+     */
+    private fun buildFullPluginWrapper(
+        pluginId: String,
+        state: PluginState = PluginState.STARTED
+    ): PluginWrapper {
+        val wrapper = mockPluginWrapper(pluginId, state)
+
+        val descriptor = mockk<GameyfinPluginDescriptor>()
+        every { descriptor.pluginId } returns pluginId
+        every { descriptor.pluginName } returns "Test Plugin"
+        every { descriptor.pluginDescription } returns "Description"
+        every { descriptor.pluginShortDescription } returns null
+        every { descriptor.version } returns "1.0.0"
+        every { descriptor.author } returns "Author"
+        every { descriptor.license } returns null
+        every { descriptor.pluginUrl } returns null
+        every { wrapper.descriptor } returns descriptor
+
+        // Non-GameyfinPlugin so hasLogo = false
+        every { wrapper.plugin } returns mockk<Plugin>(relaxed = true)
+
+        val managementEntry = PluginManagementEntry(pluginId, priority = 1, trustLevel = PluginTrustLevel.OFFICIAL)
+        every { pluginManager.getManagementEntry(pluginId) } returns managementEntry
+        every { pluginManager.getExtensionTypes(pluginId) } returns emptyList()
+        every { pluginConfigRepository.findAllByPluginId(pluginId) } returns emptyList()
+        every { pluginManager.validatePluginConfig(pluginId) } returns
+                PluginConfigValidationResult(PluginConfigValidationResultType.VALID)
+
+        return wrapper
+    }
+
+    // Stub types used in tests
+    interface GameMetadataProviderStub : ExtensionPoint
+
+    @Suppress("deprecation", "redundantSuppression")
+    abstract class TestConfigurablePlugin : Plugin(mockk(relaxed = true)), Configurable
+
+    @Suppress("unused")
+    enum class TestMode { FAST, SLOW }
+}
+
diff --git a/app/src/test/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginManagerTest.kt b/app/src/test/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginManagerTest.kt
index e92af1d..6cb8a74 100644
--- a/app/src/test/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginManagerTest.kt
+++ b/app/src/test/kotlin/org/gameyfin/app/core/plugins/management/GameyfinPluginManagerTest.kt
@@ -12,12 +12,12 @@ import org.junit.jupiter.api.Assertions.assertDoesNotThrow
 import org.junit.jupiter.api.BeforeEach
 import org.junit.jupiter.api.Test
 import org.junit.jupiter.api.io.TempDir
-import org.pf4j.ExtensionPoint
-import org.pf4j.Plugin
-import org.pf4j.PluginState
-import org.pf4j.PluginWrapper
+import org.pf4j.*
 import org.springframework.data.repository.findByIdOrNull
 import java.nio.file.Path
+import java.util.jar.JarEntry
+import java.util.jar.JarOutputStream
+import java.util.jar.Manifest
 import kotlin.test.*
 
 class GameyfinPluginManagerTest {
@@ -391,8 +391,7 @@ class GameyfinPluginManagerTest {
         every { pluginManager.getPlugins() } returns listOf(pluginWrapper)
         every { pluginManager.getExtensionClasses("test-plugin") } returns extensionClasses
 
-        @Suppress("UNCHECKED_CAST")
-        val result = pluginManager.getPluginForExtension(TestExtension1::class.java as Class<ExtensionPoint>)
+        val result = pluginManager.getPluginForExtension(TestExtensionPoint1::class)
 
         assertNotNull(result)
         assertEquals("test-plugin", result.pluginId)
@@ -418,8 +417,7 @@ class GameyfinPluginManagerTest {
         every { pluginManager.getPlugins() } returns listOf(pluginWrapper)
         every { pluginManager.getExtensionClasses("test-plugin") } returns extensionClasses
 
-        @Suppress("UNCHECKED_CAST")
-        val result = pluginManager.getPluginForExtension(TestExtension2::class.java as Class<ExtensionPoint>)
+        val result = pluginManager.getPluginForExtension(TestExtensionPoint2::class)
 
         assertNull(result)
     }
@@ -518,22 +516,12 @@ class GameyfinPluginManagerTest {
             )
         )
 
-        val entry = PluginManagementEntry("unknown-plugin", enabled = false, priority = 1)
-        entry.trustLevel = PluginTrustLevel.UNTRUSTED
-
         val pluginWrapper = mockk<PluginWrapper>()
-        val pluginDescriptor = mockk<GameyfinPluginDescriptor>()
 
         every { pluginWrapper.pluginId } returns "unknown-plugin"
         every { pluginWrapper.pluginState } returns PluginState.RESOLVED
-        every { pluginWrapper.pluginClassLoader } returns mockk<ClassLoader>()
-        every { pluginWrapper.plugin } returns mockk<Plugin>()
-        every { pluginWrapper.descriptor } returns pluginDescriptor
-        every { pluginDescriptor.pluginId } returns "unknown-plugin"
-        every { pluginDescriptor.version } returns "unknown_version"
         every { pluginManagementRepository.findByIdOrNull("unknown-plugin") } returns null
         every { pluginManager.getPlugin("unknown-plugin") } returns pluginWrapper
-        every { pluginManager.checkPluginId("unknown-plugin") } just runs
 
         val result = pluginManager.startPlugin("unknown-plugin")
 
@@ -559,6 +547,98 @@ class GameyfinPluginManagerTest {
         assertNotNull(pluginManager.pluginsRoot)
     }
 
+    @Test
+    fun `createPluginLoader should return CompoundPluginLoader containing only GameyfinJarPluginLoader in non-development mode`() {
+        System.setProperty("pf4j.pluginsDir", tempPluginsDir.toString())
+        System.clearProperty("pf4j.mode")
+
+        pluginManager = GameyfinPluginManager(
+            forwardingPluginStateListener,
+            dbPluginStatusProvider,
+            pluginConfigRepository,
+            pluginManagementRepository
+        )
+
+        val loader = invokeCreatePluginLoader(pluginManager)
+
+        assertIs<CompoundPluginLoader>(loader)
+        val loaders = getLoadersFromCompound(loader)
+
+        assertEquals(1, loaders.size, "Expected exactly one loader in non-development mode")
+        assertIs<GameyfinJarPluginLoader>(loaders[0])
+    }
+
+    @Test
+    fun `createPluginLoader should return CompoundPluginLoader containing GameyfinJarPluginLoader and GameyfinDevelopmentPluginLoader in development mode`() {
+        System.setProperty("pf4j.pluginsDir", tempPluginsDir.toString())
+        System.setProperty("pf4j.mode", "development")
+
+        try {
+            pluginManager = GameyfinPluginManager(
+                forwardingPluginStateListener,
+                dbPluginStatusProvider,
+                pluginConfigRepository,
+                pluginManagementRepository
+            )
+
+            val loader = invokeCreatePluginLoader(pluginManager)
+
+            assertIs<CompoundPluginLoader>(loader)
+            val loaders = getLoadersFromCompound(loader)
+
+            assertEquals(2, loaders.size, "Expected two loaders in development mode")
+            assertIs<GameyfinJarPluginLoader>(loaders[0])
+            assertIs<GameyfinDevelopmentPluginLoader>(loaders[1])
+        } finally {
+            System.clearProperty("pf4j.mode")
+        }
+    }
+
+    @Test
+    fun `loadPluginFromPath should save management entry before starting a new bundled plugin`() {
+        System.setProperty("pf4j.pluginsDir", tempPluginsDir.toString())
+
+        pluginManager = spyk(
+            GameyfinPluginManager(
+                forwardingPluginStateListener,
+                dbPluginStatusProvider,
+                pluginConfigRepository,
+                pluginManagementRepository
+            )
+        )
+
+        val pluginWrapper = mockk<PluginWrapper>(relaxed = true)
+        val plugin = mockk<Plugin>(relaxed = true)
+
+        every { pluginWrapper.pluginId } returns "my-bundled-plugin"
+        every { pluginWrapper.plugin } returns plugin
+
+        // Plugin is not yet in the database (new plugin)
+        every { pluginManagementRepository.findByIdOrNull("my-bundled-plugin") } returns null
+        every { pluginManagementRepository.findMaxPriority() } returns 5
+        every { pluginManager.startPlugin("my-bundled-plugin") } returns PluginState.STARTED
+
+        // Mock the super.loadPluginFromPath to return our pluginWrapper
+        every { pluginManager.superLoadPluginFromPath(any()) } returns pluginWrapper
+
+        // Create a fake non-jar plugin path (non-jar extension → BUNDLED trust level)
+        val fakePath = tempPluginsDir.resolve("my-plugin")
+        fakePath.toFile().mkdirs()
+
+        // Call our override
+        val result = pluginManager.loadPluginFromPath(fakePath)
+
+        assertNotNull(result)
+
+        // Verify that save was called before startPlugin (line 139 followed by line 140)
+        verifyOrder {
+            pluginManagementRepository.save(match {
+                it.pluginId == "my-bundled-plugin" && it.enabled && it.trustLevel == PluginTrustLevel.BUNDLED
+            })
+            pluginManager.startPlugin("my-bundled-plugin")
+        }
+    }
+
     @Test
     fun `getExtensionTypeClasses should return empty list for plugin with no extensions`() {
         System.setProperty("pf4j.pluginsDir", tempPluginsDir.toString())
@@ -589,5 +669,117 @@ class GameyfinPluginManagerTest {
 
     @Suppress("DEPRECATION")
     abstract class TestConfigurablePlugin(wrapper: PluginWrapper) : Plugin(wrapper), Configurable
+
+    private fun invokeCreatePluginLoader(manager: GameyfinPluginManager): PluginLoader {
+        val method = DefaultPluginManager::class.java.getDeclaredMethod("createPluginLoader")
+        method.isAccessible = true
+        return method.invoke(manager) as PluginLoader
+    }
+
+    private fun getLoadersFromCompound(compoundLoader: CompoundPluginLoader): List<*> {
+        val loadersField = CompoundPluginLoader::class.java.getDeclaredField("loaders")
+        loadersField.isAccessible = true
+        @Suppress("UNCHECKED_CAST")
+        return loadersField.get(compoundLoader) as List<*>
+    }
+
+    // ========================================================================================
+    // Integration tests for loadPluginFromPath with JAR signature verification
+    // ========================================================================================
+
+    @Test
+    fun `loadPluginFromPath should set THIRD_PARTY trust level for unsigned JAR plugin`() {
+        System.setProperty("pf4j.pluginsDir", tempPluginsDir.toString())
+
+        pluginManager = spyk(
+            GameyfinPluginManager(
+                forwardingPluginStateListener,
+                dbPluginStatusProvider,
+                pluginConfigRepository,
+                pluginManagementRepository
+            )
+        )
+
+        val pluginWrapper = mockk<PluginWrapper>(relaxed = true)
+        val plugin = mockk<Plugin>(relaxed = true)
+
+        every { pluginWrapper.pluginId } returns "unsigned-plugin"
+        every { pluginWrapper.plugin } returns plugin
+        every { pluginManagementRepository.findByIdOrNull("unsigned-plugin") } returns null
+        every { pluginManagementRepository.findMaxPriority() } returns 0
+        every { pluginManager.superLoadPluginFromPath(any()) } returns pluginWrapper
+
+        // Create an unsigned JAR with actual content entries
+        val jarPath = createUnsignedJar("unsigned-plugin.jar", mapOf("com/example/MyClass.class" to "dummy"))
+
+        pluginManager.loadPluginFromPath(jarPath)
+
+        // Unsigned JAR → THIRD_PARTY trust level, which means not auto-enabled, not auto-started
+        verify {
+            pluginManagementRepository.save(match {
+                it.pluginId == "unsigned-plugin" && it.trustLevel == PluginTrustLevel.THIRD_PARTY && !it.enabled
+            })
+        }
+        // THIRD_PARTY plugins should NOT be auto-started
+        verify(exactly = 0) { pluginManager.startPlugin("unsigned-plugin") }
+    }
+
+    @Test
+    fun `loadPluginFromPath should re-verify existing plugin as THIRD_PARTY for unsigned JAR`() {
+        System.setProperty("pf4j.pluginsDir", tempPluginsDir.toString())
+
+        pluginManager = spyk(
+            GameyfinPluginManager(
+                forwardingPluginStateListener,
+                dbPluginStatusProvider,
+                pluginConfigRepository,
+                pluginManagementRepository
+            )
+        )
+
+        val pluginWrapper = mockk<PluginWrapper>(relaxed = true)
+        val plugin = mockk<Plugin>(relaxed = true)
+        val existingEntry = PluginManagementEntry("re-verified-plugin", enabled = true, priority = 1)
+        existingEntry.trustLevel = PluginTrustLevel.OFFICIAL
+
+        every { pluginWrapper.pluginId } returns "re-verified-plugin"
+        every { pluginWrapper.plugin } returns plugin
+        every { pluginManagementRepository.findByIdOrNull("re-verified-plugin") } returns existingEntry
+        every { pluginManager.superLoadPluginFromPath(any()) } returns pluginWrapper
+
+        val jarPath = createUnsignedJar("re-verified-plugin.jar", mapOf("com/example/MyClass.class" to "dummy"))
+
+        pluginManager.loadPluginFromPath(jarPath)
+
+        // Re-verification of an unsigned JAR should update trust level to THIRD_PARTY
+        verify {
+            pluginManagementRepository.save(match {
+                it.pluginId == "re-verified-plugin" && it.trustLevel == PluginTrustLevel.THIRD_PARTY
+            })
+        }
+    }
+
+    // ========================================================================================
+    // JAR creation helpers
+    // ========================================================================================
+
+    /**
+     * Creates an unsigned JAR file with the given entries at the temp directory.
+     */
+    private fun createUnsignedJar(fileName: String, entries: Map<String, String>): Path {
+        val jarPath = tempPluginsDir.resolve(fileName)
+        val manifest = Manifest()
+        manifest.mainAttributes.putValue("Manifest-Version", "1.0")
+
+        JarOutputStream(jarPath.toFile().outputStream(), manifest).use { jos ->
+            for ((name, content) in entries) {
+                jos.putNextEntry(JarEntry(name))
+                jos.write(content.toByteArray())
+                jos.closeEntry()
+            }
+        }
+
+        return jarPath
+    }
 }
 
diff --git a/app/src/test/kotlin/org/gameyfin/app/core/plugins/management/PluginManagerConfigTest.kt b/app/src/test/kotlin/org/gameyfin/app/core/plugins/management/PluginManagerConfigTest.kt
index 1554762..cae3272 100644
--- a/app/src/test/kotlin/org/gameyfin/app/core/plugins/management/PluginManagerConfigTest.kt
+++ b/app/src/test/kotlin/org/gameyfin/app/core/plugins/management/PluginManagerConfigTest.kt
@@ -13,11 +13,13 @@ class PluginManagerConfigTest {
 
     private lateinit var pluginManager: GameyfinPluginManager
     private lateinit var pluginManagerConfig: PluginManagerConfig
+    private lateinit var pluginsLoadedIndicator: PluginsLoadedIndicator
 
     @BeforeEach
     fun setup() {
         pluginManager = mockk(relaxed = true)
-        pluginManagerConfig = PluginManagerConfig(pluginManager)
+        pluginsLoadedIndicator = mockk(relaxed = true)
+        pluginManagerConfig = PluginManagerConfig(pluginManager, pluginsLoadedIndicator)
     }
 
     @AfterEach
diff --git a/app/src/test/kotlin/org/gameyfin/app/core/plugins/management/PluginSignatureVerifierTest.kt b/app/src/test/kotlin/org/gameyfin/app/core/plugins/management/PluginSignatureVerifierTest.kt
new file mode 100644
index 0000000..9087cf0
--- /dev/null
+++ b/app/src/test/kotlin/org/gameyfin/app/core/plugins/management/PluginSignatureVerifierTest.kt
@@ -0,0 +1,220 @@
+package org.gameyfin.app.core.plugins.management
+
+import io.mockk.Runs
+import io.mockk.every
+import io.mockk.just
+import io.mockk.mockk
+import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.io.TempDir
+import java.nio.file.Path
+import java.security.CodeSigner
+import java.security.KeyPairGenerator
+import java.security.PublicKey
+import java.security.cert.CertPath
+import java.security.cert.Certificate
+import java.security.cert.X509Certificate
+import java.util.jar.JarEntry
+import java.util.jar.JarFile
+import java.util.jar.JarOutputStream
+import java.util.jar.Manifest
+import kotlin.test.assertEquals
+import kotlin.test.assertTrue
+
+class PluginSignatureVerifierTest {
+
+    private lateinit var publicKey: PublicKey
+    private lateinit var verifier: PluginSignatureVerifier
+
+    @TempDir
+    lateinit var tempDir: Path
+
+    @BeforeEach
+    fun setup() {
+        val keyPairGenerator = KeyPairGenerator.getInstance("RSA")
+        keyPairGenerator.initialize(2048)
+        publicKey = keyPairGenerator.generateKeyPair().public
+        verifier = PluginSignatureVerifier(publicKey)
+    }
+
+    // ========================================================================================
+    // verifyPluginSignature tests
+    // ========================================================================================
+
+    @Test
+    fun `verifyPluginSignature should return THIRD_PARTY for unsigned JAR`() {
+        val jarPath = createUnsignedJar("unsigned-plugin.jar", mapOf("com/example/MyClass.class" to "dummy content"))
+
+        val result = verifier.verifyPluginSignature(jarPath)
+
+        assertEquals(PluginTrustLevel.THIRD_PARTY, result)
+    }
+
+    @Test
+    fun `verifyPluginSignature should return OFFICIAL for JAR with only META-INF entries`() {
+        val jarPath = createUnsignedJar("meta-only.jar", mapOf("META-INF/services/some.service" to "org.example.Impl"))
+
+        val result = verifier.verifyPluginSignature(jarPath)
+
+        assertEquals(PluginTrustLevel.OFFICIAL, result)
+    }
+
+    @Test
+    fun `verifyPluginSignature should return OFFICIAL for empty JAR`() {
+        val jarPath = createUnsignedJar("empty.jar", emptyMap())
+
+        val result = verifier.verifyPluginSignature(jarPath)
+
+        assertEquals(PluginTrustLevel.OFFICIAL, result)
+    }
+
+    // ========================================================================================
+    // verifyEntryDigest tests
+    // ========================================================================================
+
+    @Test
+    fun `verifyEntryDigest should return true for valid JAR entry`() {
+        val jarPath = createUnsignedJar("valid-entry.jar", mapOf("test.txt" to "hello world"))
+        val jarFile = JarFile(jarPath.toFile())
+        val entry = jarFile.getJarEntry("test.txt")
+
+        val result = verifier.verifyEntryDigest(jarFile, entry)
+
+        assertTrue(result)
+    }
+
+    // ========================================================================================
+    // verifyCertificates tests
+    // ========================================================================================
+
+    @Test
+    fun `verifyCertificates should return OFFICIAL for empty certificate list`() {
+        val result = verifier.verifyCertificates(emptyList())
+
+        assertEquals(PluginTrustLevel.OFFICIAL, result)
+    }
+
+    @Test
+    fun `verifyCertificates should return OFFICIAL for non-X509 certificates`() {
+        val nonX509Cert = mockk<Certificate>()
+
+        val result = verifier.verifyCertificates(listOf(nonX509Cert))
+
+        assertEquals(PluginTrustLevel.OFFICIAL, result)
+    }
+
+    @Test
+    fun `verifyCertificates should return UNTRUSTED when certificate verification fails`() {
+        val badCert = mockk<X509Certificate>()
+        every { badCert.verify(any()) } throws java.security.SignatureException("bad signature")
+
+        val result = verifier.verifyCertificates(listOf(badCert))
+
+        assertEquals(PluginTrustLevel.UNTRUSTED, result)
+    }
+
+    @Test
+    fun `verifyCertificates should return OFFICIAL when certificate verification succeeds`() {
+        val goodCert = mockk<X509Certificate>()
+        every { goodCert.verify(any()) } just Runs
+
+        val result = verifier.verifyCertificates(listOf(goodCert))
+
+        assertEquals(PluginTrustLevel.OFFICIAL, result)
+    }
+
+    @Test
+    fun `verifyCertificates should return UNTRUSTED if any certificate in list fails`() {
+        val goodCert = mockk<X509Certificate>()
+        every { goodCert.verify(any()) } just Runs
+
+        val badCert = mockk<X509Certificate>()
+        every { badCert.verify(any()) } throws java.security.SignatureException("bad signature")
+
+        val result = verifier.verifyCertificates(listOf(goodCert, badCert))
+
+        assertEquals(PluginTrustLevel.UNTRUSTED, result)
+    }
+
+    // ========================================================================================
+    // verifyCodeSigners tests
+    // ========================================================================================
+
+    @Test
+    fun `verifyCodeSigners should return OFFICIAL when all signers have valid certificates`() {
+        val goodCert = mockk<X509Certificate>()
+        every { goodCert.verify(any()) } just Runs
+
+        val certPath = mockk<CertPath>()
+        every { certPath.certificates } returns listOf(goodCert)
+
+        val codeSigner = mockk<CodeSigner>()
+        every { codeSigner.signerCertPath } returns certPath
+
+        val result = verifier.verifyCodeSigners(arrayOf(codeSigner))
+
+        assertEquals(PluginTrustLevel.OFFICIAL, result)
+    }
+
+    @Test
+    fun `verifyCodeSigners should return UNTRUSTED when a signer has invalid certificate`() {
+        val badCert = mockk<X509Certificate>()
+        every { badCert.verify(any()) } throws java.security.SignatureException("bad signature")
+
+        val certPath = mockk<CertPath>()
+        every { certPath.certificates } returns listOf(badCert)
+
+        val codeSigner = mockk<CodeSigner>()
+        every { codeSigner.signerCertPath } returns certPath
+
+        val result = verifier.verifyCodeSigners(arrayOf(codeSigner))
+
+        assertEquals(PluginTrustLevel.UNTRUSTED, result)
+    }
+
+    @Test
+    fun `verifyCodeSigners should return UNTRUSTED on first invalid signer and skip remaining`() {
+        val badCert = mockk<X509Certificate>()
+        every { badCert.verify(any()) } throws java.security.SignatureException("bad signature")
+
+        val badCertPath = mockk<CertPath>()
+        every { badCertPath.certificates } returns listOf(badCert)
+
+        val badSigner = mockk<CodeSigner>()
+        every { badSigner.signerCertPath } returns badCertPath
+
+        val goodCert = mockk<X509Certificate>()
+        every { goodCert.verify(any()) } just Runs
+
+        val goodCertPath = mockk<CertPath>()
+        every { goodCertPath.certificates } returns listOf(goodCert)
+
+        val goodSigner = mockk<CodeSigner>()
+        every { goodSigner.signerCertPath } returns goodCertPath
+
+        val result = verifier.verifyCodeSigners(arrayOf(badSigner, goodSigner))
+
+        assertEquals(PluginTrustLevel.UNTRUSTED, result)
+    }
+
+    // ========================================================================================
+    // Helper methods
+    // ========================================================================================
+
+    private fun createUnsignedJar(fileName: String, entries: Map<String, String>): Path {
+        val jarPath = tempDir.resolve(fileName)
+        val manifest = Manifest()
+        manifest.mainAttributes.putValue("Manifest-Version", "1.0")
+
+        JarOutputStream(jarPath.toFile().outputStream(), manifest).use { jos ->
+            for ((name, content) in entries) {
+                jos.putNextEntry(JarEntry(name))
+                jos.write(content.toByteArray())
+                jos.closeEntry()
+            }
+        }
+
+        return jarPath
+    }
+}
+
diff --git a/app/src/test/kotlin/org/gameyfin/app/core/security/OidcUserExtensionsTest.kt b/app/src/test/kotlin/org/gameyfin/app/core/security/OidcUserExtensionsTest.kt
new file mode 100644
index 0000000..f203031
--- /dev/null
+++ b/app/src/test/kotlin/org/gameyfin/app/core/security/OidcUserExtensionsTest.kt
@@ -0,0 +1,137 @@
+package org.gameyfin.app.core.security
+
+import io.mockk.clearAllMocks
+import io.mockk.every
+import io.mockk.mockk
+import io.mockk.unmockkAll
+import org.junit.jupiter.api.AfterEach
+import org.junit.jupiter.api.Test
+import org.springframework.security.oauth2.core.oidc.user.OidcUser
+import kotlin.test.assertEquals
+
+class OidcUserExtensionsTest {
+
+    @AfterEach
+    fun tearDown() {
+        unmockkAll()
+        clearAllMocks()
+    }
+
+    private fun oidcUser(
+        preferredUsername: String? = null,
+        name: String? = null,
+        email: String? = null,
+        subject: String = "sub-12345"
+    ): OidcUser = mockk {
+        every { getClaim<String>("preferred_username") } returns preferredUsername
+        every { getClaim<String>("name") } returns name
+        every { getClaim<String>("email") } returns email
+        // support any other claim key by returning null
+        every { getClaim<String>(not(or(or("preferred_username", "name"), "email"))) } returns null
+        every { this@mockk.subject } returns subject
+    }
+
+    // ── configured attribute present ──────────────────────────────────────────
+
+    @Test
+    fun `returns configured attribute when it is present`() {
+        val user = mockk<OidcUser> {
+            every { getClaim<String>("upn") } returns "alice@corp"
+            every { subject } returns "sub-1"
+        }
+        assertEquals("alice@corp", user.resolvedUsername("upn"))
+    }
+
+    @Test
+    fun `returns preferred_username when it is configured and present`() {
+        val user = oidcUser(preferredUsername = "alice")
+        assertEquals("alice", user.resolvedUsername("preferred_username"))
+    }
+
+    // ── configured attribute absent, fallback chain ───────────────────────────
+
+    @Test
+    fun `falls back to preferred_username when configured attribute is absent`() {
+        val user = mockk<OidcUser> {
+            every { getClaim<String>("upn") } returns null
+            every { getClaim<String>("preferred_username") } returns "alice"
+            every { subject } returns "sub-1"
+        }
+        assertEquals("alice", user.resolvedUsername("upn"))
+    }
+
+    @Test
+    fun `falls back to name when preferred_username is absent`() {
+        val user = oidcUser(preferredUsername = null, name = "Alice Smith")
+        assertEquals("Alice Smith", user.resolvedUsername("preferred_username"))
+    }
+
+    @Test
+    fun `falls back to email when preferred_username and name are absent`() {
+        val user = oidcUser(preferredUsername = null, name = null, email = "alice@example.com")
+        assertEquals("alice@example.com", user.resolvedUsername("preferred_username"))
+    }
+
+    @Test
+    fun `falls back to sub when all other claims are absent`() {
+        val user = oidcUser(preferredUsername = null, name = null, email = null, subject = "sub-99")
+        assertEquals("sub-99", user.resolvedUsername("preferred_username"))
+    }
+
+    // ── blank / empty strings are treated as absent ───────────────────────────
+
+    @Test
+    fun `skips blank preferred_username and falls back to name`() {
+        val user = oidcUser(preferredUsername = "   ", name = "Bob")
+        assertEquals("Bob", user.resolvedUsername("preferred_username"))
+    }
+
+    @Test
+    fun `skips empty preferred_username and falls back to name`() {
+        val user = oidcUser(preferredUsername = "", name = "Bob")
+        assertEquals("Bob", user.resolvedUsername("preferred_username"))
+    }
+
+    @Test
+    fun `skips blank name and falls back to email`() {
+        val user = oidcUser(preferredUsername = null, name = "", email = "bob@example.com")
+        assertEquals("bob@example.com", user.resolvedUsername("preferred_username"))
+    }
+
+    // ── default parameter ─────────────────────────────────────────────────────
+
+    @Test
+    fun `uses preferred_username by default when no attributeName argument is supplied`() {
+        val user = oidcUser(preferredUsername = "charlie")
+        assertEquals("charlie", user.resolvedUsername())
+    }
+
+    @Test
+    fun `falls back to sub by default when all standard claims are absent`() {
+        val user = oidcUser(subject = "sub-default-fallback")
+        assertEquals("sub-default-fallback", user.resolvedUsername())
+    }
+
+    // ── configured attribute equals a fallback name ───────────────────────────
+
+    @Test
+    fun `does not duplicate lookup when configured attribute is preferred_username`() {
+        val user = oidcUser(preferredUsername = "dave")
+        // should still work correctly without doubling up
+        assertEquals("dave", user.resolvedUsername("preferred_username"))
+    }
+
+    @Test
+    fun `configured attribute email returns email claim directly`() {
+        // When "email" is explicitly configured as the attribute, it should be tried first
+        val mockUser = mockk<OidcUser> {
+            every { getClaim<String>("email") } returns "eve@example.com"
+            every { getClaim<String>("preferred_username") } returns "other"
+            every { getClaim<String>("name") } returns null
+            every { subject } returns "sub-3"
+        }
+        assertEquals("eve@example.com", mockUser.resolvedUsername("email"))
+    }
+}
+
+
diff --git a/app/src/test/kotlin/org/gameyfin/app/core/security/SsoAuthenticationSuccessHandlerTest.kt b/app/src/test/kotlin/org/gameyfin/app/core/security/SsoAuthenticationSuccessHandlerTest.kt
new file mode 100644
index 0000000..2d8a6f1
--- /dev/null
+++ b/app/src/test/kotlin/org/gameyfin/app/core/security/SsoAuthenticationSuccessHandlerTest.kt
@@ -0,0 +1,433 @@
+package org.gameyfin.app.core.security
+
+import io.mockk.*
+import jakarta.servlet.http.HttpServletRequest
+import jakarta.servlet.http.HttpServletResponse
+import org.gameyfin.app.config.ConfigProperties
+import org.gameyfin.app.config.ConfigService
+import org.gameyfin.app.config.MatchUsersBy
+import org.gameyfin.app.core.Role
+import org.gameyfin.app.users.RoleService
+import org.gameyfin.app.users.UserService
+import org.gameyfin.app.users.entities.User
+import org.junit.jupiter.api.AfterEach
+import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.assertThrows
+import org.springframework.security.access.hierarchicalroles.RoleHierarchy
+import org.springframework.security.core.Authentication
+import org.springframework.security.core.authority.SimpleGrantedAuthority
+import org.springframework.security.core.context.SecurityContext
+import org.springframework.security.core.context.SecurityContextHolder
+import org.springframework.security.oauth2.core.oidc.user.OidcUser
+import kotlin.test.assertEquals
+
+class SsoAuthenticationSuccessHandlerTest {
+
+    private lateinit var userService: UserService
+    private lateinit var roleService: RoleService
+    private lateinit var config: ConfigService
+    private lateinit var roleHierarchy: RoleHierarchy
+    private lateinit var handler: SsoAuthenticationSuccessHandler
+
+    private lateinit var request: HttpServletRequest
+    private lateinit var response: HttpServletResponse
+    private lateinit var authentication: Authentication
+    private lateinit var securityContext: SecurityContext
+
+    @BeforeEach
+    fun setup() {
+        userService = mockk(relaxed = true)
+        roleService = mockk(relaxed = true)
+        config = mockk()
+        roleHierarchy = mockk(relaxed = true)
+
+        handler = SsoAuthenticationSuccessHandler(userService, roleService, config, roleHierarchy)
+
+        request = mockk()
+        response = mockk(relaxed = true)
+        authentication = mockk()
+        securityContext = mockk(relaxed = true)
+
+        mockkStatic(SecurityContextHolder::class)
+        every { SecurityContextHolder.getContext() } returns securityContext
+
+        // Default: no continue parameter → redirect to "/"
+        every { request.getParameter("continue") } returns null
+
+        // Default role resolution
+        every { roleService.extractGrantedAuthorities(any()) } returns emptyList()
+        every { roleService.authoritiesToRoles(any()) } returns listOf(Role.USER)
+    }
+
+    @AfterEach
+    fun tearDown() {
+        unmockkAll()
+        clearAllMocks()
+    }
+
+    // ── helper to build a minimal OidcUser mock ───────────────────────────────
+
+    private fun oidcUser(
+        subject: String = "sub-1",
+        preferredUsername: String? = "alice",
+        email: String = "alice@example.com",
+        extraClaims: Map<String, String?> = emptyMap()
+    ): OidcUser = mockk {
+        every { this@mockk.subject } returns subject
+        every { getClaim<String>("preferred_username") } returns preferredUsername
+        every { getClaim<String>("name") } returns null
+        every { getClaim<String>("email") } returns email
+        extraClaims.forEach { (key, value) -> every { getClaim<String>(key) } returns value }
+        every { authorities } returns emptyList()
+        every { this@mockk.email } returns email
+    }
+
+    // ── Username resolution: configured attribute ─────────────────────────────
+
+    @Test
+    fun `uses configured username attribute when claim is present`() {
+        val oidcUser = mockk<OidcUser> {
+            every { subject } returns "sub-1"
+            every { getClaim<String>("upn") } returns "alice@corp"
+            every { getClaim<String>("preferred_username") } returns "fallback"
+            every { getClaim<String>("name") } returns null
+            every { getClaim<String>("email") } returns "alice@example.com"
+            every { authorities } returns emptyList()
+            every { email } returns "alice@example.com"
+        }
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "upn"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.username
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+
+        every { userService.findByOidcProviderId("sub-1") } returns null
+        every { userService.getByUsername("alice@corp") } returns null
+        val savedSlot = slot<User>()
+        every { userService.registerOrUpdateUser(capture(savedSlot)) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        assertEquals("alice@corp", savedSlot.captured.username)
+    }
+
+    @Test
+    fun `falls back to preferred_username when configured attribute is absent`() {
+        val oidcUser = mockk<OidcUser> {
+            every { subject } returns "sub-2"
+            every { getClaim<String>("upn") } returns null
+            every { getClaim<String>("preferred_username") } returns "alice"
+            every { getClaim<String>("name") } returns null
+            every { getClaim<String>("email") } returns "alice@example.com"
+            every { authorities } returns emptyList()
+            every { email } returns "alice@example.com"
+        }
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "upn"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.username
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+
+        every { userService.findByOidcProviderId("sub-2") } returns null
+        every { userService.getByUsername("alice") } returns null
+        val savedSlot = slot<User>()
+        every { userService.registerOrUpdateUser(capture(savedSlot)) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        assertEquals("alice", savedSlot.captured.username)
+    }
+
+    @Test
+    fun `falls back to sub when all claims are absent`() {
+        val oidcUser = mockk<OidcUser> {
+            every { subject } returns "sub-99"
+            every { getClaim<String>(any()) } returns null
+            every { authorities } returns emptyList()
+            every { email } returns "sub99@example.com"
+        }
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "preferred_username"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.username
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+
+        every { userService.findByOidcProviderId("sub-99") } returns null
+        every { userService.getByUsername("sub-99") } returns null
+        val savedSlot = slot<User>()
+        every { userService.registerOrUpdateUser(capture(savedSlot)) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        assertEquals("sub-99", savedSlot.captured.username)
+    }
+
+    @Test
+    fun `uses preferred_username fallback when UsernameAttribute config is null`() {
+        val oidcUser = oidcUser(preferredUsername = "alice")
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns null
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.username
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+
+        every { userService.findByOidcProviderId("sub-1") } returns null
+        every { userService.getByUsername("alice") } returns null
+        val savedSlot = slot<User>()
+        every { userService.registerOrUpdateUser(capture(savedSlot)) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        assertEquals("alice", savedSlot.captured.username)
+    }
+
+    // ── New user registration ─────────────────────────────────────────────────
+
+    @Test
+    fun `registers new user when not found by provider ID or username`() {
+        val oidcUser = oidcUser(subject = "sub-new", preferredUsername = "newuser")
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "preferred_username"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.username
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+
+        every { userService.findByOidcProviderId("sub-new") } returns null
+        every { userService.getByUsername("newuser") } returns null
+        val savedSlot = slot<User>()
+        every { userService.registerOrUpdateUser(capture(savedSlot)) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        verify(exactly = 1) { userService.registerOrUpdateUser(any()) }
+        assertEquals("newuser", savedSlot.captured.username)
+        assertEquals("sub-new", savedSlot.captured.oidcProviderId)
+    }
+
+    @Test
+    fun `registers new user when not found by provider ID or email`() {
+        val oidcUser = oidcUser(subject = "sub-new2", preferredUsername = "newuser2", email = "new@example.com")
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "preferred_username"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.email
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+
+        every { userService.findByOidcProviderId("sub-new2") } returns null
+        every { userService.getByEmail("new@example.com") } returns null
+        val savedSlot = slot<User>()
+        every { userService.registerOrUpdateUser(capture(savedSlot)) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        assertEquals("newuser2", savedSlot.captured.username)
+    }
+
+    // ── Existing user update ──────────────────────────────────────────────────
+
+    @Test
+    fun `updates existing user found by provider ID with resolved username`() {
+        val oidcUser =
+            oidcUser(subject = "sub-existing", preferredUsername = "updated-name", email = "updated@example.com")
+        val existingUser = User(
+            id = 1L,
+            username = "old-name",
+            email = "old@example.com",
+            oidcProviderId = "sub-existing",
+            enabled = true
+        )
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "preferred_username"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.username
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+
+        every { userService.findByOidcProviderId("sub-existing") } returns existingUser
+        every { userService.registerOrUpdateUser(existingUser) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        assertEquals("updated-name", existingUser.username)
+        assertEquals("updated@example.com", existingUser.email)
+        assertEquals(true, existingUser.emailConfirmed)
+        assertEquals("sub-existing", existingUser.oidcProviderId)
+    }
+
+    @Test
+    fun `links and updates existing user found by username match`() {
+        val oidcUser = oidcUser(subject = "sub-link", preferredUsername = "existinguser")
+        val existingUser = User(
+            id = 2L,
+            username = "existinguser",
+            email = "existing@example.com",
+            enabled = true
+        )
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "preferred_username"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.username
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+
+        every { userService.findByOidcProviderId("sub-link") } returns null
+        every { userService.getByUsername("existinguser") } returns existingUser
+        every { userService.registerOrUpdateUser(existingUser) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        assertEquals("sub-link", existingUser.oidcProviderId)
+        assertEquals("existinguser", existingUser.username)
+    }
+
+    @Test
+    fun `links and updates existing user found by email match`() {
+        val oidcUser =
+            oidcUser(subject = "sub-email-link", preferredUsername = "renamed", email = "matched@example.com")
+        val existingUser = User(
+            id = 3L,
+            username = "oldusername",
+            email = "matched@example.com",
+            enabled = true
+        )
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "preferred_username"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.email
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+
+        every { userService.findByOidcProviderId("sub-email-link") } returns null
+        every { userService.getByEmail("matched@example.com") } returns existingUser
+        every { userService.registerOrUpdateUser(existingUser) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        // Username should be updated to the resolved username from SSO
+        assertEquals("renamed", existingUser.username)
+        assertEquals("sub-email-link", existingUser.oidcProviderId)
+    }
+
+    // ── Role assignment ───────────────────────────────────────────────────────
+
+    @Test
+    fun `assigns USER role when no roles extracted from SSO`() {
+        val oidcUser = oidcUser()
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "preferred_username"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.username
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+
+        every { userService.findByOidcProviderId(any()) } returns null
+        every { userService.getByUsername(any()) } returns null
+        every { roleService.extractGrantedAuthorities(any()) } returns emptyList()
+        every { roleService.authoritiesToRoles(any()) } returns emptyList() // empty → should default to USER
+
+        val savedSlot = slot<User>()
+        every { userService.registerOrUpdateUser(capture(savedSlot)) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        assertEquals(listOf(Role.USER), savedSlot.captured.roles)
+    }
+
+    @Test
+    fun `assigns ADMIN role when SSO provides it`() {
+        val oidcUser = oidcUser()
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "preferred_username"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.username
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+
+        every { userService.findByOidcProviderId(any()) } returns null
+        every { userService.getByUsername(any()) } returns null
+        val adminAuthority = SimpleGrantedAuthority(Role.Names.ADMIN)
+        every { roleService.extractGrantedAuthorities(any()) } returns listOf(adminAuthority)
+        every { roleService.authoritiesToRoles(listOf(adminAuthority)) } returns listOf(Role.ADMIN)
+
+        val savedSlot = slot<User>()
+        every { userService.registerOrUpdateUser(capture(savedSlot)) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        assertEquals(listOf(Role.ADMIN), savedSlot.captured.roles)
+    }
+
+    // ── Redirect behaviour ────────────────────────────────────────────────────
+
+    @Test
+    fun `redirects to root when no continue parameter`() {
+        val oidcUser = oidcUser()
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "preferred_username"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.username
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+        every { request.getParameter("continue") } returns null
+
+        every { userService.findByOidcProviderId(any()) } returns null
+        every { userService.getByUsername(any()) } returns null
+        every { userService.registerOrUpdateUser(any()) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        verify { response.sendRedirect("/") }
+    }
+
+    @Test
+    fun `redirects to continue URL when it starts with slash`() {
+        val oidcUser = oidcUser()
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "preferred_username"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.username
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+        every { request.getParameter("continue") } returns "/collection/games"
+
+        every { userService.findByOidcProviderId(any()) } returns null
+        every { userService.getByUsername(any()) } returns null
+        every { userService.registerOrUpdateUser(any()) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        verify { response.sendRedirect("/collection/games") }
+    }
+
+    @Test
+    fun `ignores continue URL that does not start with slash`() {
+        val oidcUser = oidcUser()
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "preferred_username"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns MatchUsersBy.username
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+        every { request.getParameter("continue") } returns "https://evil.example.com"
+
+        every { userService.findByOidcProviderId(any()) } returns null
+        every { userService.getByUsername(any()) } returns null
+        every { userService.registerOrUpdateUser(any()) } returns mockk(relaxed = true)
+
+        handler.onAuthenticationSuccess(request, response, authentication)
+
+        verify { response.sendRedirect("/") }
+    }
+
+    // ── Unknown MatchExistingUsersBy ──────────────────────────────────────────
+
+    @Test
+    fun `throws when MatchExistingUsersBy has unknown value`() {
+        val oidcUser = oidcUser()
+
+        every { config.get(ConfigProperties.SSO.OIDC.UsernameClaim) } returns "preferred_username"
+        every { config.get(ConfigProperties.SSO.OIDC.MatchExistingUsersBy) } returns null
+        every { authentication.principal } returns oidcUser
+        every { authentication.credentials } returns null
+
+        every { userService.findByOidcProviderId(any()) } returns null
+
+        assertThrows<IllegalStateException> {
+            handler.onAuthenticationSuccess(request, response, authentication)
+        }
+    }
+}
+
diff --git a/app/src/test/kotlin/org/gameyfin/app/core/token/TokenTypeUserTypeTest.kt b/app/src/test/kotlin/org/gameyfin/app/core/token/TokenTypeUserTypeTest.kt
index 0ead815..90701c7 100644
--- a/app/src/test/kotlin/org/gameyfin/app/core/token/TokenTypeUserTypeTest.kt
+++ b/app/src/test/kotlin/org/gameyfin/app/core/token/TokenTypeUserTypeTest.kt
@@ -93,7 +93,7 @@ class TokenTypeUserTypeTest {
     fun `nullSafeGet should return PasswordReset for password-reset key`() {
         every { resultSet.getString(0) } returns "password-reset"
 
-        val result = userType.nullSafeGet(resultSet, 0, session, null)
+        val result = userType.nullSafeGet(resultSet, 0, session)
 
         assertNotNull(result)
         assertEquals(TokenType.PasswordReset, result)
@@ -103,7 +103,7 @@ class TokenTypeUserTypeTest {
     fun `nullSafeGet should return EmailConfirmation for email-verification key`() {
         every { resultSet.getString(1) } returns "email-verification"
 
-        val result = userType.nullSafeGet(resultSet, 1, session, null)
+        val result = userType.nullSafeGet(resultSet, 1, session)
 
         assertNotNull(result)
         assertEquals(TokenType.EmailConfirmation, result)
@@ -113,7 +113,7 @@ class TokenTypeUserTypeTest {
     fun `nullSafeGet should return Invitation for invitation key`() {
         every { resultSet.getString(2) } returns "invitation"
 
-        val result = userType.nullSafeGet(resultSet, 2, session, null)
+        val result = userType.nullSafeGet(resultSet, 2, session)
 
         assertNotNull(result)
         assertEquals(TokenType.Invitation, result)
@@ -123,7 +123,7 @@ class TokenTypeUserTypeTest {
     fun `nullSafeGet should return null when database value is null`() {
         every { resultSet.getString(0) } returns null
 
-        val result = userType.nullSafeGet(resultSet, 0, session, null)
+        val result = userType.nullSafeGet(resultSet, 0, session)
 
         assertNull(result)
     }
@@ -133,7 +133,7 @@ class TokenTypeUserTypeTest {
         every { resultSet.getString(0) } returns "unknown-type"
 
         val exception = assertThrows(IllegalArgumentException::class.java) {
-            userType.nullSafeGet(resultSet, 0, session, null)
+            userType.nullSafeGet(resultSet, 0, session)
         }
 
         assertEquals("Unknown TokenType: unknown-type", exception.message)
@@ -144,58 +144,12 @@ class TokenTypeUserTypeTest {
         every { resultSet.getString(0) } returns ""
 
         val exception = assertThrows(IllegalArgumentException::class.java) {
-            userType.nullSafeGet(resultSet, 0, session, null)
+            userType.nullSafeGet(resultSet, 0, session)
         }
 
         assertEquals("Unknown TokenType: ", exception.message)
     }
 
-    @Test
-    fun `nullSafeSet should set string value for PasswordReset`() {
-        val capturedValues = mutableListOf<String>()
-        every { preparedStatement.setString(0, capture(capturedValues)) } returns Unit
-
-        userType.nullSafeSet(preparedStatement, TokenType.PasswordReset, 0, session)
-
-        assertEquals(1, capturedValues.size)
-        assertEquals("password-reset", capturedValues[0])
-    }
-
-    @Test
-    fun `nullSafeSet should set string value for EmailConfirmation`() {
-        val capturedValues = mutableListOf<String>()
-        every { preparedStatement.setString(1, capture(capturedValues)) } returns Unit
-
-        userType.nullSafeSet(preparedStatement, TokenType.EmailConfirmation, 1, session)
-
-        assertEquals(1, capturedValues.size)
-        assertEquals("email-verification", capturedValues[0])
-    }
-
-    @Test
-    fun `nullSafeSet should set string value for Invitation`() {
-        val capturedValues = mutableListOf<String>()
-        every { preparedStatement.setString(2, capture(capturedValues)) } returns Unit
-
-        userType.nullSafeSet(preparedStatement, TokenType.Invitation, 2, session)
-
-        assertEquals(1, capturedValues.size)
-        assertEquals("invitation", capturedValues[0])
-    }
-
-    @Test
-    fun `nullSafeSet should set null when value is null`() {
-        val capturedIndices = mutableListOf<Int>()
-        val capturedTypes = mutableListOf<Int>()
-        every { preparedStatement.setNull(capture(capturedIndices), capture(capturedTypes)) } returns Unit
-
-        userType.nullSafeSet(preparedStatement, null, 0, session)
-
-        assertEquals(1, capturedIndices.size)
-        assertEquals(0, capturedIndices[0])
-        assertEquals(Types.VARCHAR, capturedTypes[0])
-    }
-
     @Test
     fun `deepCopy should return same instance`() {
         val type = TokenType.PasswordReset
diff --git a/app/src/test/kotlin/org/gameyfin/app/games/GameServiceTest.kt b/app/src/test/kotlin/org/gameyfin/app/games/GameServiceTest.kt
index 02f1012..44c7ba7 100644
--- a/app/src/test/kotlin/org/gameyfin/app/games/GameServiceTest.kt
+++ b/app/src/test/kotlin/org/gameyfin/app/games/GameServiceTest.kt
@@ -20,9 +20,7 @@ import org.gameyfin.app.media.ImageService
 import org.gameyfin.app.media.ImageType
 import org.gameyfin.app.users.UserService
 import org.gameyfin.app.users.entities.User
-import org.gameyfin.pluginapi.gamemetadata.GameMetadataProvider
-import org.gameyfin.pluginapi.gamemetadata.Genre
-import org.gameyfin.pluginapi.gamemetadata.Platform
+import org.gameyfin.pluginapi.gamemetadata.*
 import org.junit.jupiter.api.AfterEach
 import org.junit.jupiter.api.Assertions.assertThrows
 import org.junit.jupiter.api.BeforeEach
@@ -33,6 +31,7 @@ import org.springframework.security.core.Authentication
 import org.springframework.security.core.context.SecurityContext
 import org.springframework.security.core.context.SecurityContextHolder
 import org.springframework.security.core.userdetails.UserDetails
+import org.springframework.security.oauth2.core.oidc.user.OidcUser
 import java.nio.file.Path
 import java.time.Instant
 import java.time.LocalDate
@@ -625,7 +624,7 @@ class GameServiceTest {
         every { pluginManager.getExtensions("test-plugin") } returns listOf(provider)
         every { pluginManager.getExtensions(GameMetadataProvider::class.java) } returns listOf(provider)
         every { pluginService.getPluginManagementEntry(provider.javaClass) } returns pluginEntry
-        every { pluginManager.getPluginForExtension(provider.javaClass) } returns null
+        every { pluginManager.getPluginForExtension(provider::class) } returns null
 
         val result = gameService.updateMetadata(game)
 
@@ -895,7 +894,7 @@ class GameServiceTest {
         )
         every { pluginService.getPluginManagementEntry(workingProvider.javaClass) } returns pluginEntry1
         every { pluginService.getPluginManagementEntry(failingProvider.javaClass) } returns pluginEntry2
-        every { pluginManager.getPluginForExtension(failingProvider.javaClass) } returns pluginWrapper
+        every { pluginManager.getPluginForExtension(failingProvider::class) } returns pluginWrapper
 
         val results = gameService.getPotentialMatches("Test Game", emptySet())
 
@@ -1372,6 +1371,946 @@ class GameServiceTest {
         )
     }
 
+    // ========================
+    // create(List<Game>) batch — cover/header image branches
+    // ========================
+
+    @Test
+    fun `create with list should handle games with null coverImage and headerImage`() {
+        val game = createTestGame(id = null)
+        game.coverImage = null
+        game.headerImage = null
+        val games = listOf(game)
+
+        every { companyService.createOrGet(any()) } returns mockk(relaxed = true)
+        every { imageService.createOrGet(any()) } returns mockk(relaxed = true)
+        every { gameRepository.saveAll(games) } returns games
+
+        val result = gameService.create(games)
+
+        assertEquals(games, result)
+        verify(exactly = 0) { imageService.createOrGet(match { it.type == ImageType.COVER }) }
+        verify(exactly = 0) { imageService.createOrGet(match { it.type == ImageType.HEADER }) }
+    }
+
+    @Test
+    fun `create with list should process coverImage and headerImage when present`() {
+        val coverImage = Image(originalUrl = "https://example.com/cover.jpg", type = ImageType.COVER)
+        val headerImage = Image(originalUrl = "https://example.com/header.jpg", type = ImageType.HEADER)
+        val processedCover = mockk<Image>(relaxed = true)
+        val processedHeader = mockk<Image>(relaxed = true)
+
+        val game = createTestGame(id = null)
+        game.coverImage = coverImage
+        game.headerImage = headerImage
+        val games = listOf(game)
+
+        every { companyService.createOrGet(any()) } returns mockk(relaxed = true)
+        every { imageService.createOrGet(coverImage) } returns processedCover
+        every { imageService.createOrGet(headerImage) } returns processedHeader
+        every { imageService.createOrGet(match { it != coverImage && it != headerImage }) } returns mockk(relaxed = true)
+        every { gameRepository.saveAll(games) } returns games
+
+        val result = gameService.create(games)
+
+        assertEquals(games, result)
+        assertEquals(processedCover, game.coverImage)
+        assertEquals(processedHeader, game.headerImage)
+    }
+
+    @Test
+    fun `create with list should skip all games when all have existing IDs`() {
+        val game1 = createTestGame(id = 1L)
+        val game2 = createTestGame(id = 2L)
+        val games = listOf(game1, game2)
+
+        every { gameRepository.saveAll(emptyList()) } returns emptyList()
+
+        val result = gameService.create(games)
+
+        assertEquals(emptyList(), result)
+    }
+
+    // ========================
+    // edit — OidcUser branch
+    // ========================
+
+    @Test
+    fun `edit should resolve user from OidcUser principal`() {
+        val gameId = 1L
+        val existingGame = createTestGame(gameId)
+        val oidcUser = mockk<OidcUser> {
+            every { preferredUsername } returns "oidcuser"
+        }
+
+        every { authentication.principal } returns oidcUser
+        every { gameRepository.findByIdOrNull(gameId) } returns existingGame
+        every { userService.getByUsernameNonNull("oidcuser") } returns mockUser
+        every { gameRepository.save(existingGame) } returns existingGame
+
+        val updateDto = GameUpdateDto(
+            id = gameId,
+            title = "OIDC Updated Title",
+            platforms = null,
+            release = null,
+            coverUrl = null,
+            headerUrl = null,
+            comment = null,
+            summary = null,
+            developers = null,
+            publishers = null,
+            genres = null,
+            themes = null,
+            keywords = null,
+            features = null,
+            perspectives = null,
+            metadata = null
+        )
+
+        gameService.edit(updateDto)
+
+        assertEquals("OIDC Updated Title", existingGame.title)
+        verify(exactly = 1) { userService.getByUsernameNonNull("oidcuser") }
+    }
+
+    @Test
+    fun `edit should throw error for unknown principal type`() {
+        val gameId = 1L
+        val existingGame = createTestGame(gameId)
+
+        every { authentication.principal } returns "unknownPrincipal"
+        every { gameRepository.findByIdOrNull(gameId) } returns existingGame
+
+        val updateDto = GameUpdateDto(
+            id = gameId,
+            title = "Title",
+            platforms = null,
+            release = null,
+            coverUrl = null,
+            headerUrl = null,
+            comment = null,
+            summary = null,
+            developers = null,
+            publishers = null,
+            genres = null,
+            themes = null,
+            keywords = null,
+            features = null,
+            perspectives = null,
+            metadata = null
+        )
+
+        assertThrows(IllegalStateException::class.java) {
+            gameService.edit(updateDto)
+        }
+    }
+
+    // ========================
+    // edit — headerUrl branch
+    // ========================
+
+    @Test
+    fun `edit should create and download new header image when headerUrl provided`() {
+        val gameId = 1L
+        val existingGame = createTestGame(gameId)
+        val userDetails = mockk<UserDetails> {
+            every { username } returns "testuser"
+        }
+        val newHeaderUrl = "https://example.com/new-header.jpg"
+        val newHeaderImage = mockk<Image>(relaxed = true)
+
+        every { authentication.principal } returns userDetails
+        every { gameRepository.findByIdOrNull(gameId) } returns existingGame
+        every { userService.getByUsernameNonNull("testuser") } returns mockUser
+        every { imageService.createOrGet(any()) } returns newHeaderImage
+        every { imageService.downloadIfNew(newHeaderImage) } just Runs
+        every { gameRepository.save(existingGame) } returns existingGame
+
+        val updateDto = GameUpdateDto(
+            id = gameId,
+            title = null,
+            platforms = null,
+            release = null,
+            coverUrl = null,
+            headerUrl = newHeaderUrl,
+            comment = null,
+            summary = null,
+            developers = null,
+            publishers = null,
+            genres = null,
+            themes = null,
+            keywords = null,
+            features = null,
+            perspectives = null,
+            metadata = null
+        )
+
+        gameService.edit(updateDto)
+
+        assertEquals(newHeaderImage, existingGame.headerImage)
+        verify(exactly = 1) {
+            imageService.createOrGet(match { it.originalUrl == newHeaderUrl && it.type == ImageType.HEADER })
+        }
+        verify(exactly = 1) { imageService.downloadIfNew(newHeaderImage) }
+    }
+
+    // ========================
+    // edit — comment, summary, genres, themes, keywords, features, perspectives branches
+    // ========================
+
+    @Test
+    fun `edit should update comment when provided`() {
+        val gameId = 1L
+        val existingGame = createTestGame(gameId)
+        val userDetails = mockk<UserDetails> {
+            every { username } returns "testuser"
+        }
+
+        every { authentication.principal } returns userDetails
+        every { gameRepository.findByIdOrNull(gameId) } returns existingGame
+        every { userService.getByUsernameNonNull("testuser") } returns mockUser
+        every { gameRepository.save(existingGame) } returns existingGame
+
+        val updateDto = GameUpdateDto(
+            id = gameId,
+            title = null,
+            platforms = null,
+            release = null,
+            coverUrl = null,
+            headerUrl = null,
+            comment = "Updated Comment",
+            summary = null,
+            developers = null,
+            publishers = null,
+            genres = null,
+            themes = null,
+            keywords = null,
+            features = null,
+            perspectives = null,
+            metadata = null
+        )
+
+        gameService.edit(updateDto)
+
+        assertEquals("Updated Comment", existingGame.comment)
+    }
+
+    @Test
+    fun `edit should update summary when provided`() {
+        val gameId = 1L
+        val existingGame = createTestGame(gameId)
+        val userDetails = mockk<UserDetails> {
+            every { username } returns "testuser"
+        }
+
+        every { authentication.principal } returns userDetails
+        every { gameRepository.findByIdOrNull(gameId) } returns existingGame
+        every { userService.getByUsernameNonNull("testuser") } returns mockUser
+        every { gameRepository.save(existingGame) } returns existingGame
+
+        val updateDto = GameUpdateDto(
+            id = gameId,
+            title = null,
+            platforms = null,
+            release = null,
+            coverUrl = null,
+            headerUrl = null,
+            comment = null,
+            summary = "Updated Summary",
+            developers = null,
+            publishers = null,
+            genres = null,
+            themes = null,
+            keywords = null,
+            features = null,
+            perspectives = null,
+            metadata = null
+        )
+
+        gameService.edit(updateDto)
+
+        assertEquals("Updated Summary", existingGame.summary)
+    }
+
+    @Test
+    fun `edit should update genres when provided`() {
+        val gameId = 1L
+        val existingGame = createTestGame(gameId)
+        val userDetails = mockk<UserDetails> {
+            every { username } returns "testuser"
+        }
+        val newGenres = listOf(Genre.ACTION, Genre.ADVENTURE)
+
+        every { authentication.principal } returns userDetails
+        every { gameRepository.findByIdOrNull(gameId) } returns existingGame
+        every { userService.getByUsernameNonNull("testuser") } returns mockUser
+        every { gameRepository.save(existingGame) } returns existingGame
+
+        val updateDto = GameUpdateDto(
+            id = gameId,
+            title = null,
+            platforms = null,
+            release = null,
+            coverUrl = null,
+            headerUrl = null,
+            comment = null,
+            summary = null,
+            developers = null,
+            publishers = null,
+            genres = newGenres,
+            themes = null,
+            keywords = null,
+            features = null,
+            perspectives = null,
+            metadata = null
+        )
+
+        gameService.edit(updateDto)
+
+        assertEquals(newGenres.toList(), existingGame.genres)
+    }
+
+    @Test
+    fun `edit should update themes when provided`() {
+        val gameId = 1L
+        val existingGame = createTestGame(gameId)
+        val userDetails = mockk<UserDetails> {
+            every { username } returns "testuser"
+        }
+        val newThemes = listOf(Theme.FANTASY, Theme.SCIENCE_FICTION)
+
+        every { authentication.principal } returns userDetails
+        every { gameRepository.findByIdOrNull(gameId) } returns existingGame
+        every { userService.getByUsernameNonNull("testuser") } returns mockUser
+        every { gameRepository.save(existingGame) } returns existingGame
+
+        val updateDto = GameUpdateDto(
+            id = gameId,
+            title = null,
+            platforms = null,
+            release = null,
+            coverUrl = null,
+            headerUrl = null,
+            comment = null,
+            summary = null,
+            developers = null,
+            publishers = null,
+            genres = null,
+            themes = newThemes,
+            keywords = null,
+            features = null,
+            perspectives = null,
+            metadata = null
+        )
+
+        gameService.edit(updateDto)
+
+        assertEquals(newThemes.toList(), existingGame.themes)
+    }
+
+    @Test
+    fun `edit should update keywords when provided`() {
+        val gameId = 1L
+        val existingGame = createTestGame(gameId)
+        val userDetails = mockk<UserDetails> {
+            every { username } returns "testuser"
+        }
+        val newKeywords = listOf("keyword1", "keyword2")
+
+        every { authentication.principal } returns userDetails
+        every { gameRepository.findByIdOrNull(gameId) } returns existingGame
+        every { userService.getByUsernameNonNull("testuser") } returns mockUser
+        every { gameRepository.save(existingGame) } returns existingGame
+
+        val updateDto = GameUpdateDto(
+            id = gameId,
+            title = null,
+            platforms = null,
+            release = null,
+            coverUrl = null,
+            headerUrl = null,
+            comment = null,
+            summary = null,
+            developers = null,
+            publishers = null,
+            genres = null,
+            themes = null,
+            keywords = newKeywords,
+            features = null,
+            perspectives = null,
+            metadata = null
+        )
+
+        gameService.edit(updateDto)
+
+        assertEquals(newKeywords, existingGame.keywords)
+    }
+
+    @Test
+    fun `edit should update features when provided`() {
+        val gameId = 1L
+        val existingGame = createTestGame(gameId)
+        val userDetails = mockk<UserDetails> {
+            every { username } returns "testuser"
+        }
+        val newFeatures = listOf(GameFeature.SINGLEPLAYER, GameFeature.MULTIPLAYER)
+
+        every { authentication.principal } returns userDetails
+        every { gameRepository.findByIdOrNull(gameId) } returns existingGame
+        every { userService.getByUsernameNonNull("testuser") } returns mockUser
+        every { gameRepository.save(existingGame) } returns existingGame
+
+        val updateDto = GameUpdateDto(
+            id = gameId,
+            title = null,
+            platforms = null,
+            release = null,
+            coverUrl = null,
+            headerUrl = null,
+            comment = null,
+            summary = null,
+            developers = null,
+            publishers = null,
+            genres = null,
+            themes = null,
+            keywords = null,
+            features = newFeatures,
+            perspectives = null,
+            metadata = null
+        )
+
+        gameService.edit(updateDto)
+
+        assertEquals(newFeatures.toList(), existingGame.features)
+    }
+
+    @Test
+    fun `edit should update perspectives when provided`() {
+        val gameId = 1L
+        val existingGame = createTestGame(gameId)
+        val userDetails = mockk<UserDetails> {
+            every { username } returns "testuser"
+        }
+        val newPerspectives = listOf(PlayerPerspective.FIRST_PERSON, PlayerPerspective.THIRD_PERSON)
+
+        every { authentication.principal } returns userDetails
+        every { gameRepository.findByIdOrNull(gameId) } returns existingGame
+        every { userService.getByUsernameNonNull("testuser") } returns mockUser
+        every { gameRepository.save(existingGame) } returns existingGame
+
+        val updateDto = GameUpdateDto(
+            id = gameId,
+            title = null,
+            platforms = null,
+            release = null,
+            coverUrl = null,
+            headerUrl = null,
+            comment = null,
+            summary = null,
+            developers = null,
+            publishers = null,
+            genres = null,
+            themes = null,
+            keywords = null,
+            features = null,
+            perspectives = newPerspectives,
+            metadata = null
+        )
+
+        gameService.edit(updateDto)
+
+        assertEquals(newPerspectives.toList(), existingGame.perspectives)
+    }
+
+    // ========================
+    // edit — all fields at once + metadata.fields source update branch
+    // ========================
+
+    @Test
+    fun `edit should update all fields and set metadata field sources when fields exist`() {
+        val gameId = 1L
+        val pluginEntry = mockk<PluginManagementEntry>(relaxed = true) {
+            every { pluginId } returns "test-plugin"
+        }
+
+        val existingGame = createTestGame(gameId)
+        // Pre-populate metadata fields so that the ?.source = ... branch is exercised
+        existingGame.metadata.fields = mutableMapOf(
+            "title" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry)),
+            "platforms" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry)),
+            "release" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry)),
+            "coverImage" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry)),
+            "headerImage" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry)),
+            "comment" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry)),
+            "summary" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry)),
+            "developers" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry)),
+            "publishers" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry)),
+            "genres" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry)),
+            "themes" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry)),
+            "keywords" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry)),
+            "features" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry)),
+            "perspectives" to GameFieldMetadata(source = GameFieldPluginSource(plugin = pluginEntry))
+        )
+
+        val userDetails = mockk<UserDetails> {
+            every { username } returns "testuser"
+        }
+        val newCoverImage = mockk<Image>(relaxed = true)
+        val newHeaderImage = mockk<Image>(relaxed = true)
+
+        every { authentication.principal } returns userDetails
+        every { gameRepository.findByIdOrNull(gameId) } returns existingGame
+        every { userService.getByUsernameNonNull("testuser") } returns mockUser
+        every { imageService.createOrGet(match { it.type == ImageType.COVER }) } returns newCoverImage
+        every { imageService.createOrGet(match { it.type == ImageType.HEADER }) } returns newHeaderImage
+        every { imageService.downloadIfNew(any()) } just Runs
+        every { companyService.createOrGet(any()) } returns mockk(relaxed = true)
+        every { gameRepository.save(existingGame) } returns existingGame
+
+        val updateDto = GameUpdateDto(
+            id = gameId,
+            title = "All Fields Title",
+            platforms = setOf(Platform.PLAYSTATION_5),
+            release = LocalDate.of(2025, 1, 1),
+            coverUrl = "https://example.com/cover.jpg",
+            headerUrl = "https://example.com/header.jpg",
+            comment = "All Fields Comment",
+            summary = "All Fields Summary",
+            developers = listOf("DevA"),
+            publishers = listOf("PubA"),
+            genres = listOf(Genre.ROLE_PLAYING),
+            themes = listOf(Theme.FANTASY),
+            keywords = listOf("kw1"),
+            features = listOf(GameFeature.SINGLEPLAYER),
+            perspectives = listOf(PlayerPerspective.FIRST_PERSON),
+            metadata = null
+        )
+
+        gameService.edit(updateDto)
+
+        assertEquals("All Fields Title", existingGame.title)
+        assertEquals(listOf(Platform.PLAYSTATION_5), existingGame.platforms)
+        assertEquals(
+            LocalDate.of(2025, 1, 1).atStartOfDay(ZoneOffset.UTC).toInstant(),
+            existingGame.release
+        )
+        assertEquals(newCoverImage, existingGame.coverImage)
+        assertEquals(newHeaderImage, existingGame.headerImage)
+        assertEquals("All Fields Comment", existingGame.comment)
+        assertEquals("All Fields Summary", existingGame.summary)
+        assertEquals(listOf(Genre.ROLE_PLAYING), existingGame.genres)
+        assertEquals(listOf(Theme.FANTASY), existingGame.themes)
+        assertEquals(listOf("kw1"), existingGame.keywords)
+        assertEquals(listOf(GameFeature.SINGLEPLAYER), existingGame.features)
+        assertEquals(listOf(PlayerPerspective.FIRST_PERSON), existingGame.perspectives)
+
+        // Verify all field sources were updated to user source
+        existingGame.metadata.fields.forEach { (_, meta) ->
+            assert(meta.source is GameFieldUserSource) {
+                "Expected GameFieldUserSource but got ${meta.source}"
+            }
+        }
+    }
+
+    @Test
+    fun `edit should handle metadata with null matchConfirmed`() {
+        val gameId = 1L
+        val existingGame = createTestGame(gameId)
+        existingGame.metadata.matchConfirmed = false
+
+        val userDetails = mockk<UserDetails> {
+            every { username } returns "testuser"
+        }
+
+        every { authentication.principal } returns userDetails
+        every { gameRepository.findByIdOrNull(gameId) } returns existingGame
+        every { userService.getByUsernameNonNull("testuser") } returns mockUser
+        every { gameRepository.save(existingGame) } returns existingGame
+
+        val updateDto = GameUpdateDto(
+            id = gameId,
+            title = null,
+            platforms = null,
+            release = null,
+            coverUrl = null,
+            headerUrl = null,
+            comment = null,
+            summary = null,
+            developers = null,
+            publishers = null,
+            genres = null,
+            themes = null,
+            keywords = null,
+            features = null,
+            perspectives = null,
+            metadata = GameUpdateMetadataDto(matchConfirmed = null)
+        )
+
+        gameService.edit(updateDto)
+
+        // matchConfirmed should remain unchanged when null is provided
+        assertEquals(false, existingGame.metadata.matchConfirmed)
+    }
+
+    @Test
+    fun `edit should not update fields when all are null`() {
+        val gameId = 1L
+        val existingGame = createTestGame(gameId)
+        val originalTitle = existingGame.title
+        val originalPlatforms = existingGame.platforms.toList()
+
+        val userDetails = mockk<UserDetails> {
+            every { username } returns "testuser"
+        }
+
+        every { authentication.principal } returns userDetails
+        every { gameRepository.findByIdOrNull(gameId) } returns existingGame
+        every { userService.getByUsernameNonNull("testuser") } returns mockUser
+        every { gameRepository.save(existingGame) } returns existingGame
+
+        val updateDto = GameUpdateDto(
+            id = gameId,
+            title = null,
+            platforms = null,
+            release = null,
+            coverUrl = null,
+            headerUrl = null,
+            comment = null,
+            summary = null,
+            developers = null,
+            publishers = null,
+            genres = null,
+            themes = null,
+            keywords = null,
+            features = null,
+            perspectives = null,
+            metadata = null
+        )
+
+        gameService.edit(updateDto)
+
+        assertEquals(originalTitle, existingGame.title)
+        assertEquals(originalPlatforms, existingGame.platforms)
+        verify(exactly = 1) { gameRepository.save(existingGame) }
+    }
+
+    // ========================
+    // create(single) — called via matchManually(persist=true) with images
+    // ========================
+
+    @Test
+    fun `matchManually with persist should download coverImage and headerImage`() {
+        val originalIds = mapOf(
+            "org.gameyfin.app.games.TestProvider" to ExternalProviderIdDto("test-plugin", "123")
+        )
+        val path = Path.of("/test/game.exe")
+        val coverUri = java.net.URI("https://example.com/cover.jpg")
+        val headerUri = java.net.URI("https://example.com/header.jpg")
+        val screenshotUri = java.net.URI("https://example.com/screenshot.jpg")
+
+        val metadata = org.gameyfin.pluginapi.gamemetadata.GameMetadata(
+            originalId = "123",
+            title = "Image Test Game",
+            platforms = setOf(Platform.PC_MICROSOFT_WINDOWS),
+            coverUrls = setOf(coverUri),
+            headerUrls = setOf(headerUri),
+            screenshotUrls = setOf(screenshotUri)
+        )
+
+        val provider = spyk(TestProvider(metadata))
+        val pluginEntry = mockk<PluginManagementEntry>(relaxed = true) {
+            every { pluginId } returns "test-plugin"
+            every { priority } returns 1
+        }
+
+        val coverImage = Image(originalUrl = coverUri.toString(), type = ImageType.COVER)
+        val headerImage = Image(originalUrl = headerUri.toString(), type = ImageType.HEADER)
+        val screenshotImage = Image(originalUrl = screenshotUri.toString(), type = ImageType.SCREENSHOT)
+
+        every { pluginManager.getExtensions(GameMetadataProvider::class.java) } returns listOf(provider)
+        every { pluginService.getPluginManagementEntry(provider.javaClass) } returns pluginEntry
+        every { companyService.createOrGet(any()) } returns mockk(relaxed = true)
+        every { imageService.createOrGet(match { it.type == ImageType.COVER }) } returns coverImage
+        every { imageService.createOrGet(match { it.type == ImageType.HEADER }) } returns headerImage
+        every { imageService.createOrGet(match { it.type == ImageType.SCREENSHOT }) } returns screenshotImage
+        every { imageService.downloadIfNew(any()) } just Runs
+        every { filesystemService.calculateFileSize(any()) } returns 2000L
+        every { gameRepository.save(any()) } answers { firstArg() }
+
+        val result = gameService.matchManually(originalIds, path, library, null, persist = true)
+
+        assertNotNull(result)
+        verify(atLeast = 1) { imageService.downloadIfNew(any()) }
+        verify(exactly = 1) { gameRepository.save(any()) }
+    }
+
+    @Test
+    fun `matchManually with persist should handle image download exception gracefully`() {
+        val originalIds = mapOf(
+            "org.gameyfin.app.games.TestProvider" to ExternalProviderIdDto("test-plugin", "123")
+        )
+        val path = Path.of("/test/game.exe")
+        val coverUri = java.net.URI("https://example.com/cover.jpg")
+
+        val metadata = org.gameyfin.pluginapi.gamemetadata.GameMetadata(
+            originalId = "123",
+            title = "Error Image Game",
+            platforms = setOf(Platform.PC_MICROSOFT_WINDOWS),
+            coverUrls = setOf(coverUri)
+        )
+
+        val provider = spyk(TestProvider(metadata))
+        val pluginEntry = mockk<PluginManagementEntry>(relaxed = true) {
+            every { pluginId } returns "test-plugin"
+            every { priority } returns 1
+        }
+
+        val coverImage = Image(originalUrl = coverUri.toString(), type = ImageType.COVER)
+
+        every { pluginManager.getExtensions(GameMetadataProvider::class.java) } returns listOf(provider)
+        every { pluginService.getPluginManagementEntry(provider.javaClass) } returns pluginEntry
+        every { companyService.createOrGet(any()) } returns mockk(relaxed = true)
+        every { imageService.createOrGet(any()) } returns coverImage
+        every { imageService.downloadIfNew(any()) } throws RuntimeException("Download failed")
+        every { filesystemService.calculateFileSize(any()) } returns 2000L
+        every { gameRepository.save(any()) } answers { firstArg() }
+
+        val result = gameService.matchManually(originalIds, path, library, null, persist = true)
+
+        // Should still succeed despite image download error
+        assertNotNull(result)
+        verify(exactly = 1) { gameRepository.save(any()) }
+    }
+
+    @Test
+    fun `getEnumPropertyValues should return all enum entries`() {
+        val result = gameService.getEnumPropertyValues()
+
+        assertEquals(Genre.entries, result.genres)
+        assertEquals(Theme.entries, result.themes)
+        assertEquals(GameFeature.entries, result.features)
+        assertEquals(PlayerPerspective.entries, result.perspectives)
+    }
+
+    // ========================
+    // applyMetadataFields — all fields populated
+    // ========================
+
+    @Test
+    fun `matchManually should populate all metadata fields when fully-populated metadata is provided`() {
+        val coverUri = java.net.URI("https://example.com/cover.jpg")
+        val headerUri = java.net.URI("https://example.com/header.jpg")
+        val screenshotUri = java.net.URI("https://example.com/screenshot.jpg")
+        val videoUri = java.net.URI("https://example.com/video.mp4")
+        val releaseInstant = Instant.parse("2024-06-15T00:00:00Z")
+
+        val metadata = org.gameyfin.pluginapi.gamemetadata.GameMetadata(
+            originalId = "full-123",
+            title = "Fully Populated Game",
+            description = "A full description",
+            platforms = setOf(Platform.PC_MICROSOFT_WINDOWS),
+            coverUrls = setOf(coverUri),
+            headerUrls = setOf(headerUri),
+            screenshotUrls = setOf(screenshotUri),
+            release = releaseInstant,
+            userRating = 85,
+            criticRating = 90,
+            publishedBy = setOf("TestPublisher"),
+            developedBy = setOf("TestDeveloper"),
+            genres = setOf(Genre.ACTION),
+            themes = setOf(Theme.FANTASY),
+            keywords = setOf("keyword1", "keyword2"),
+            features = setOf(GameFeature.SINGLEPLAYER),
+            perspectives = setOf(PlayerPerspective.FIRST_PERSON),
+            videoUrls = setOf(videoUri)
+        )
+
+        val provider = spyk(TestProvider(metadata))
+        val pluginEntry = mockk<PluginManagementEntry>(relaxed = true) {
+            every { pluginId } returns "test-plugin"
+            every { priority } returns 1
+        }
+
+        val originalIds = mapOf(
+            provider.javaClass.name to ExternalProviderIdDto("test-plugin", "full-123")
+        )
+        val path = Path.of("/test/full-game.exe")
+
+        every { pluginManager.getExtensions(GameMetadataProvider::class.java) } returns listOf(provider)
+        every { pluginService.getPluginManagementEntry(provider.javaClass) } returns pluginEntry
+        every { imageService.createOrGet(any()) } returns mockk(relaxed = true)
+        every { filesystemService.calculateFileSize(any()) } returns 5000L
+
+        val result = gameService.matchManually(originalIds, path, library, null, persist = false)
+
+        assertNotNull(result)
+        assertEquals("Fully Populated Game", result.title)
+        assertEquals("A full description", result.summary)
+        assertEquals(releaseInstant, result.release)
+        assertEquals(85, result.userRating)
+        assertEquals(90, result.criticRating)
+        assertEquals(1, result.publishers.size)
+        assertEquals("TestPublisher", result.publishers[0].name)
+        assertEquals(CompanyType.PUBLISHER, result.publishers[0].type)
+        assertEquals(1, result.developers.size)
+        assertEquals("TestDeveloper", result.developers[0].name)
+        assertEquals(CompanyType.DEVELOPER, result.developers[0].type)
+        assertEquals(listOf(Genre.ACTION), result.genres)
+        assertEquals(listOf(Theme.FANTASY), result.themes)
+        assertEquals(listOf("keyword1", "keyword2"), result.keywords)
+        assertEquals(listOf(GameFeature.SINGLEPLAYER), result.features)
+        assertEquals(listOf(PlayerPerspective.FIRST_PERSON), result.perspectives)
+        assertEquals(listOf(videoUri), result.videoUrls)
+        assertEquals(1, result.images.size)
+    }
+
+    @Test
+    fun `matchManually should handle metadata with blank title and null-or-empty optional fields`() {
+        // Metadata with empty/null optional fields to exercise the takeIf guards
+        val metadata = org.gameyfin.pluginapi.gamemetadata.GameMetadata(
+            originalId = "sparse-456",
+            title = "Sparse Game",
+            description = "",           // blank description
+            platforms = emptySet(),      // empty platforms
+            coverUrls = null,
+            headerUrls = null,
+            screenshotUrls = null,
+            release = null,
+            userRating = null,
+            criticRating = null,
+            publishedBy = emptySet(),    // empty publishers
+            developedBy = emptySet(),    // empty developers
+            genres = emptySet(),         // empty genres
+            themes = emptySet(),         // empty themes
+            keywords = emptySet(),       // empty keywords
+            features = emptySet(),       // empty features
+            perspectives = emptySet(),   // empty perspectives
+            videoUrls = emptySet()      // empty videoUrls
+        )
+
+        val provider = spyk(TestProvider(metadata))
+        val pluginEntry = mockk<PluginManagementEntry>(relaxed = true) {
+            every { pluginId } returns "test-plugin"
+            every { priority } returns 1
+        }
+
+        val originalIds = mapOf(
+            provider.javaClass.name to ExternalProviderIdDto("test-plugin", "sparse-456")
+        )
+        val path = Path.of("/test/sparse-game.exe")
+
+        every { pluginManager.getExtensions(GameMetadataProvider::class.java) } returns listOf(provider)
+        every { pluginService.getPluginManagementEntry(provider.javaClass) } returns pluginEntry
+        every { imageService.createOrGet(any()) } returns mockk(relaxed = true)
+        every { filesystemService.calculateFileSize(any()) } returns 1000L
+
+        val result = gameService.matchManually(originalIds, path, library, null, persist = false)
+
+        assertNotNull(result)
+        // Title should still be set (it's non-blank)
+        assertEquals("Sparse Game", result.title)
+        // All optional fields should remain at defaults since metadata was empty/null
+        assertNull(result.summary)
+        assertNull(result.release)
+        assertNull(result.coverImage)
+        assertNull(result.headerImage)
+        assertNull(result.userRating)
+        assertNull(result.criticRating)
+        assertEquals(emptyList<Company>(), result.publishers)
+        assertEquals(emptyList<Company>(), result.developers)
+        assertEquals(emptyList<Genre>(), result.genres)
+        assertEquals(emptyList<Theme>(), result.themes)
+        assertEquals(emptyList<String>(), result.keywords)
+        assertEquals(emptyList<GameFeature>(), result.features)
+        assertEquals(emptyList<PlayerPerspective>(), result.perspectives)
+        assertEquals(emptyList<java.net.URI>(), result.videoUrls)
+        assertEquals(emptyList<Image>(), result.images)
+    }
+
+    @Test
+    fun `matchManually should skip fields from lower priority plugin when higher priority already set them`() {
+        val highPriorityMetadata = org.gameyfin.pluginapi.gamemetadata.GameMetadata(
+            originalId = "hp-1",
+            title = "HP Title",
+            description = "HP Summary",
+            platforms = setOf(Platform.PC_MICROSOFT_WINDOWS),
+            release = Instant.parse("2024-01-01T00:00:00Z"),
+            userRating = 95,
+            criticRating = 88,
+            publishedBy = setOf("HP Publisher"),
+            developedBy = setOf("HP Developer"),
+            genres = setOf(Genre.ROLE_PLAYING),
+            themes = setOf(Theme.SCIENCE_FICTION),
+            keywords = setOf("hp-kw"),
+            features = setOf(GameFeature.MULTIPLAYER),
+            perspectives = setOf(PlayerPerspective.THIRD_PERSON),
+            videoUrls = setOf(java.net.URI("https://hp.com/video.mp4"))
+        )
+
+        val lowPriorityMetadata = org.gameyfin.pluginapi.gamemetadata.GameMetadata(
+            originalId = "lp-2",
+            title = "LP Title",
+            description = "LP Summary",
+            platforms = setOf(Platform.PLAYSTATION_5),
+            release = Instant.parse("2023-01-01T00:00:00Z"),
+            userRating = 50,
+            criticRating = 40,
+            publishedBy = setOf("LP Publisher"),
+            developedBy = setOf("LP Developer"),
+            genres = setOf(Genre.ADVENTURE),
+            themes = setOf(Theme.FANTASY),
+            keywords = setOf("lp-kw"),
+            features = setOf(GameFeature.SINGLEPLAYER),
+            perspectives = setOf(PlayerPerspective.FIRST_PERSON),
+            videoUrls = setOf(java.net.URI("https://lp.com/video.mp4"))
+        )
+
+        val highProvider = spyk(TestProvider(highPriorityMetadata))
+        val lowProvider = spyk(TestProvider(lowPriorityMetadata))
+
+        val highEntry = mockk<PluginManagementEntry>(relaxed = true) {
+            every { pluginId } returns "hp-plugin"
+            every { priority } returns 100
+        }
+        val lowEntry = mockk<PluginManagementEntry>(relaxed = true) {
+            every { pluginId } returns "lp-plugin"
+            every { priority } returns 10
+        }
+
+        val originalIds = mapOf(
+            highProvider.javaClass.name to ExternalProviderIdDto("hp-plugin", "hp-1"),
+            lowProvider.javaClass.name to ExternalProviderIdDto("lp-plugin", "lp-2")
+        )
+        val path = Path.of("/test/priority-game.exe")
+
+        every { pluginManager.getExtensions(GameMetadataProvider::class.java) } returns listOf(
+            highProvider,
+            lowProvider
+        )
+        every { pluginService.getPluginManagementEntry(highProvider.javaClass) } returns highEntry
+        every { pluginService.getPluginManagementEntry(lowProvider.javaClass) } returns lowEntry
+        every { imageService.createOrGet(any()) } returns mockk(relaxed = true)
+        every { filesystemService.calculateFileSize(any()) } returns 3000L
+
+        val result = gameService.matchManually(originalIds, path, library, null, persist = false)
+
+        assertNotNull(result)
+        // All fields should come from the high-priority plugin
+        assertEquals("HP Title", result.title)
+        assertEquals("HP Summary", result.summary)
+        assertEquals(Instant.parse("2024-01-01T00:00:00Z"), result.release)
+        assertEquals(95, result.userRating)
+        assertEquals(88, result.criticRating)
+        assertEquals("HP Publisher", result.publishers[0].name)
+        assertEquals("HP Developer", result.developers[0].name)
+        assertEquals(listOf(Genre.ROLE_PLAYING), result.genres)
+        assertEquals(listOf(Theme.SCIENCE_FICTION), result.themes)
+        assertEquals(listOf("hp-kw"), result.keywords)
+        assertEquals(listOf(GameFeature.MULTIPLAYER), result.features)
+        assertEquals(listOf(PlayerPerspective.THIRD_PERSON), result.perspectives)
+        assertEquals(listOf(java.net.URI("https://hp.com/video.mp4")), result.videoUrls)
+    }
+
     private fun createTestGame(id: Long?, title: String = "Test Game"): Game {
         return Game(
             id = id,
@@ -1396,13 +2335,9 @@ class GameServiceTest {
             perspectives = emptyList(),
             images = mutableListOf(),
             videoUrls = emptyList(),
-            metadata = GameMetadata(
+            metadata = org.gameyfin.app.games.entities.GameMetadata(
                 path = "/test/path",
-                fileSize = 1000L,
-                fields = mutableMapOf(),
-                originalIds = emptyMap(),
-                downloadCount = 0,
-                matchConfirmed = false
+                fileSize = 1000L
             )
         )
     }
diff --git a/app/src/test/kotlin/org/gameyfin/app/libraries/LibraryScanServiceTest.kt b/app/src/test/kotlin/org/gameyfin/app/libraries/LibraryScanServiceTest.kt
index 53b45d3..2817a00 100644
--- a/app/src/test/kotlin/org/gameyfin/app/libraries/LibraryScanServiceTest.kt
+++ b/app/src/test/kotlin/org/gameyfin/app/libraries/LibraryScanServiceTest.kt
@@ -1,9 +1,14 @@
 package org.gameyfin.app.libraries
 
 import io.mockk.*
+import io.micrometer.core.instrument.simple.SimpleMeterRegistry
+import org.gameyfin.app.config.ConfigProperties
+import org.gameyfin.app.config.ConfigService
 import org.gameyfin.app.core.filesystem.FilesystemScanResult
 import org.gameyfin.app.core.filesystem.FilesystemService
+import org.gameyfin.app.core.metrics.ScanMetrics
 import org.gameyfin.app.core.plugins.PluginService
+import org.gameyfin.app.core.plugins.dto.PluginDto
 import org.gameyfin.app.games.entities.Game
 import org.gameyfin.app.games.entities.GameMetadata
 import org.gameyfin.app.games.repositories.GameRepository
@@ -11,9 +16,12 @@ import org.gameyfin.app.libraries.entities.IgnoredPath
 import org.gameyfin.app.libraries.entities.Library
 import org.gameyfin.app.libraries.enums.ScanType
 import org.gameyfin.app.libraries.scan.LibraryGameProcessor
+import org.gameyfin.pluginapi.gamemetadata.GameMetadataProvider
 import org.junit.jupiter.api.AfterEach
 import org.junit.jupiter.api.BeforeEach
 import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.assertThrows
+import org.pf4j.PluginState
 import java.nio.file.Path
 import java.time.Instant
 import kotlin.io.path.Path
@@ -28,6 +36,7 @@ class LibraryScanServiceTest {
     private lateinit var libraryScanService: LibraryScanService
     private lateinit var ignoredPathRepository: IgnoredPathRepository
     private lateinit var pluginService: PluginService
+    private lateinit var configService: ConfigService
 
     @BeforeEach
     fun setup() {
@@ -38,6 +47,15 @@ class LibraryScanServiceTest {
         gameRepository = mockk()
         ignoredPathRepository = mockk()
         pluginService = mockk()
+        configService = mockk()
+
+        // By default, at least one GameMetadataProvider is started so scans are allowed
+        every { pluginService.getAllByTypeAndState(GameMetadataProvider::class, PluginState.STARTED) } returns listOf(
+            mockk<PluginDto>()
+        )
+
+        // Return default max-concurrency value
+        every { configService.get(ConfigProperties.Libraries.Scan.MaxConcurrency) } returns ConfigProperties.Libraries.Scan.MaxConcurrency.default
 
         libraryScanService = LibraryScanService(
             libraryRepository,
@@ -46,7 +64,9 @@ class LibraryScanServiceTest {
             libraryGameProcessor,
             gameRepository,
             ignoredPathRepository,
-            pluginService
+            pluginService,
+            configService,
+            ScanMetrics(SimpleMeterRegistry())
         )
     }
 
@@ -150,6 +170,23 @@ class LibraryScanServiceTest {
         verify(exactly = 0) { filesystemService.scanLibraryForGamefiles(any()) }
     }
 
+    @Test
+    fun `triggerScan should throw when no GameMetadataProvider plugin is started`() {
+        every {
+            pluginService.getAllByTypeAndState(
+                GameMetadataProvider::class,
+                PluginState.STARTED
+            )
+        } returns emptyList()
+
+        assertThrows<IllegalStateException> {
+            libraryScanService.triggerScan(ScanType.QUICK, null)
+        }
+
+        verify(exactly = 0) { libraryRepository.findAll() }
+        verify(exactly = 0) { filesystemService.scanLibraryForGamefiles(any()) }
+    }
+
     @Test
     fun `triggerScan should handle filesystem scan errors`() {
         val library = createTestLibrary(1L)
diff --git a/app/src/test/kotlin/org/gameyfin/app/media/ImageEndpointTest.kt b/app/src/test/kotlin/org/gameyfin/app/media/ImageEndpointTest.kt
index aec45b5..0a60b64 100644
--- a/app/src/test/kotlin/org/gameyfin/app/media/ImageEndpointTest.kt
+++ b/app/src/test/kotlin/org/gameyfin/app/media/ImageEndpointTest.kt
@@ -1,6 +1,7 @@
 package org.gameyfin.app.media
 
 import io.mockk.*
+import jakarta.servlet.http.HttpServletRequest
 import org.gameyfin.app.core.plugins.PluginService
 import org.gameyfin.app.core.security.getCurrentAuth
 import org.gameyfin.app.users.UserService
@@ -8,21 +9,29 @@ import org.junit.jupiter.api.AfterEach
 import org.junit.jupiter.api.Assertions.assertThrows
 import org.junit.jupiter.api.BeforeEach
 import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.io.TempDir
+import org.springframework.http.HttpHeaders
 import org.springframework.http.HttpStatus
 import org.springframework.http.MediaType
 import org.springframework.security.core.Authentication
 import org.springframework.web.multipart.MultipartFile
 import java.io.ByteArrayInputStream
+import java.nio.file.Files
+import java.nio.file.Path
 import kotlin.test.assertEquals
 import kotlin.test.assertNotNull
 import kotlin.test.assertNull
 
 class ImageEndpointTest {
 
+    @TempDir
+    lateinit var tempDir: Path
+
     private lateinit var imageService: ImageService
     private lateinit var userService: UserService
     private lateinit var pluginService: PluginService
     private lateinit var imageEndpoint: ImageEndpoint
+    private lateinit var mockRequest: HttpServletRequest
 
     @BeforeEach
     fun setup() {
@@ -30,6 +39,9 @@ class ImageEndpointTest {
         userService = mockk()
         pluginService = mockk()
         imageEndpoint = ImageEndpoint(imageService, userService, pluginService)
+        mockRequest = mockk {
+            every { getHeader(HttpHeaders.IF_NONE_MATCH) } returns null
+        }
 
         mockkStatic("org.gameyfin.app.core.security.SecurityUtilsKt")
     }
@@ -40,23 +52,29 @@ class ImageEndpointTest {
         clearAllMocks()
     }
 
+    private fun createTempFile(content: String = "image data"): Path {
+        val file = Files.createTempFile(tempDir, "test-img-", ".tmp")
+        Files.write(file, content.toByteArray())
+        return file
+    }
+
     @Test
     fun `getScreenshot should return image content when image exists`() {
         val imageId = 1L
-        val image = Image(id = imageId, type = ImageType.SCREENSHOT, mimeType = "image/jpeg", contentLength = 1024L)
-        val inputStream = ByteArrayInputStream("image data".toByteArray())
+        val image = Image(id = imageId, type = ImageType.SCREENSHOT, mimeType = "image/jpeg", contentLength = 1024L, contentId = "abc")
+        val filePath = createTempFile()
 
         every { imageService.getImage(imageId) } returns image
-        every { imageService.getFileContent(image) } returns inputStream
+        every { imageService.getFilePath(image) } returns filePath
 
-        val response = imageEndpoint.getScreenshot(imageId)
+        val response = imageEndpoint.getScreenshot(imageId, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.OK, response.statusCode)
         assertEquals(1024L, response.headers.contentLength)
         assertEquals(MediaType.parseMediaType("image/jpeg"), response.headers.contentType)
         verify(exactly = 1) { imageService.getImage(imageId) }
-        verify(exactly = 1) { imageService.getFileContent(image) }
+        verify(exactly = 1) { imageService.getFilePath(image) }
     }
 
     @Test
@@ -65,47 +83,47 @@ class ImageEndpointTest {
 
         every { imageService.getImage(imageId) } returns null
 
-        val response = imageEndpoint.getScreenshot(imageId)
+        val response = imageEndpoint.getScreenshot(imageId, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.NOT_FOUND, response.statusCode)
         verify(exactly = 1) { imageService.getImage(imageId) }
-        verify(exactly = 0) { imageService.getFileContent(any()) }
+        verify(exactly = 0) { imageService.getFilePath(any()) }
     }
 
     @Test
-    fun `getScreenshot should return not found when file content is null`() {
+    fun `getScreenshot should return not found when file path is null`() {
         val imageId = 1L
         val image = Image(id = imageId, type = ImageType.SCREENSHOT)
 
         every { imageService.getImage(imageId) } returns image
-        every { imageService.getFileContent(image) } returns null
+        every { imageService.getFilePath(image) } returns null
 
-        val response = imageEndpoint.getScreenshot(imageId)
+        val response = imageEndpoint.getScreenshot(imageId, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.NOT_FOUND, response.statusCode)
         verify(exactly = 1) { imageService.getImage(imageId) }
-        verify(exactly = 1) { imageService.getFileContent(image) }
+        verify(exactly = 1) { imageService.getFilePath(image) }
     }
 
     @Test
     fun `getCover should return image content when image exists`() {
         val imageId = 2L
-        val image = Image(id = imageId, type = ImageType.COVER, mimeType = "image/png", contentLength = 2048L)
-        val inputStream = ByteArrayInputStream("cover data".toByteArray())
+        val image = Image(id = imageId, type = ImageType.COVER, mimeType = "image/png", contentLength = 2048L, contentId = "def")
+        val filePath = createTempFile("cover data")
 
         every { imageService.getImage(imageId) } returns image
-        every { imageService.getFileContent(image) } returns inputStream
+        every { imageService.getFilePath(image) } returns filePath
 
-        val response = imageEndpoint.getCover(imageId)
+        val response = imageEndpoint.getCover(imageId, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.OK, response.statusCode)
         assertEquals(2048L, response.headers.contentLength)
         assertEquals(MediaType.parseMediaType("image/png"), response.headers.contentType)
         verify(exactly = 1) { imageService.getImage(imageId) }
-        verify(exactly = 1) { imageService.getFileContent(image) }
+        verify(exactly = 1) { imageService.getFilePath(image) }
     }
 
     @Test
@@ -114,7 +132,7 @@ class ImageEndpointTest {
 
         every { imageService.getImage(imageId) } returns null
 
-        val response = imageEndpoint.getCover(imageId)
+        val response = imageEndpoint.getCover(imageId, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.NOT_FOUND, response.statusCode)
@@ -124,20 +142,20 @@ class ImageEndpointTest {
     @Test
     fun `getHeader should return image content when image exists`() {
         val imageId = 3L
-        val image = Image(id = imageId, type = ImageType.HEADER, mimeType = "image/webp", contentLength = 4096L)
-        val inputStream = ByteArrayInputStream("header data".toByteArray())
+        val image = Image(id = imageId, type = ImageType.HEADER, mimeType = "image/webp", contentLength = 4096L, contentId = "ghi")
+        val filePath = createTempFile("header data")
 
         every { imageService.getImage(imageId) } returns image
-        every { imageService.getFileContent(image) } returns inputStream
+        every { imageService.getFilePath(image) } returns filePath
 
-        val response = imageEndpoint.getHeader(imageId)
+        val response = imageEndpoint.getHeader(imageId, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.OK, response.statusCode)
         assertEquals(4096L, response.headers.contentLength)
         assertEquals(MediaType.parseMediaType("image/webp"), response.headers.contentType)
         verify(exactly = 1) { imageService.getImage(imageId) }
-        verify(exactly = 1) { imageService.getFileContent(image) }
+        verify(exactly = 1) { imageService.getFilePath(image) }
     }
 
     @Test
@@ -146,7 +164,7 @@ class ImageEndpointTest {
 
         every { imageService.getImage(imageId) } returns null
 
-        val response = imageEndpoint.getHeader(imageId)
+        val response = imageEndpoint.getHeader(imageId, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.NOT_FOUND, response.statusCode)
@@ -183,14 +201,14 @@ class ImageEndpointTest {
     @Test
     fun `getAvatarByUsername should return avatar when user has avatar`() {
         val username = "testuser"
-        val avatar = Image(id = 1L, type = ImageType.AVATAR, mimeType = "image/jpeg", contentLength = 512L)
-        val inputStream = ByteArrayInputStream("avatar data".toByteArray())
+        val avatar = Image(id = 1L, type = ImageType.AVATAR, mimeType = "image/jpeg", contentLength = 512L, contentId = "avatar-id")
+        val filePath = createTempFile("avatar data")
 
         every { userService.getAvatar(username) } returns avatar
         every { imageService.getImage(1L) } returns avatar
-        every { imageService.getFileContent(avatar) } returns inputStream
+        every { imageService.getFilePath(avatar) } returns filePath
 
-        val response = imageEndpoint.getAvatarByUsername(username)
+        val response = imageEndpoint.getAvatarByUsername(username, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.OK, response.statusCode)
@@ -198,7 +216,7 @@ class ImageEndpointTest {
         assertEquals(MediaType.parseMediaType("image/jpeg"), response.headers.contentType)
         verify(exactly = 1) { userService.getAvatar(username) }
         verify(exactly = 1) { imageService.getImage(1L) }
-        verify(exactly = 1) { imageService.getFileContent(avatar) }
+        verify(exactly = 1) { imageService.getFilePath(avatar) }
     }
 
     @Test
@@ -207,7 +225,7 @@ class ImageEndpointTest {
 
         every { userService.getAvatar(username) } returns null
 
-        val response = imageEndpoint.getAvatarByUsername(username)
+        val response = imageEndpoint.getAvatarByUsername(username, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.NOT_FOUND, response.statusCode)
@@ -222,7 +240,7 @@ class ImageEndpointTest {
 
         every { userService.getAvatar(username) } returns avatar
 
-        val response = imageEndpoint.getAvatarByUsername(username)
+        val response = imageEndpoint.getAvatarByUsername(username, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.NOT_FOUND, response.statusCode)
@@ -334,13 +352,13 @@ class ImageEndpointTest {
     @Test
     fun `getImageContent should handle image without content length`() {
         val imageId = 1L
-        val image = Image(id = imageId, type = ImageType.SCREENSHOT, mimeType = "image/jpeg", contentLength = null)
-        val inputStream = ByteArrayInputStream("image data".toByteArray())
+        val image = Image(id = imageId, type = ImageType.SCREENSHOT, mimeType = "image/jpeg", contentLength = null, contentId = "abc")
+        val filePath = createTempFile()
 
         every { imageService.getImage(imageId) } returns image
-        every { imageService.getFileContent(image) } returns inputStream
+        every { imageService.getFilePath(image) } returns filePath
 
-        val response = imageEndpoint.getScreenshot(imageId)
+        val response = imageEndpoint.getScreenshot(imageId, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.OK, response.statusCode)
@@ -351,13 +369,13 @@ class ImageEndpointTest {
     @Test
     fun `getImageContent should handle image without mime type`() {
         val imageId = 1L
-        val image = Image(id = imageId, type = ImageType.SCREENSHOT, mimeType = null, contentLength = 1024L)
-        val inputStream = ByteArrayInputStream("image data".toByteArray())
+        val image = Image(id = imageId, type = ImageType.SCREENSHOT, mimeType = null, contentLength = 1024L, contentId = "abc")
+        val filePath = createTempFile()
 
         every { imageService.getImage(imageId) } returns image
-        every { imageService.getFileContent(image) } returns inputStream
+        every { imageService.getFilePath(image) } returns filePath
 
-        val response = imageEndpoint.getScreenshot(imageId)
+        val response = imageEndpoint.getScreenshot(imageId, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.OK, response.statusCode)
@@ -369,13 +387,13 @@ class ImageEndpointTest {
     @Test
     fun `getImageContent should handle image without content length and mime type`() {
         val imageId = 1L
-        val image = Image(id = imageId, type = ImageType.SCREENSHOT, mimeType = null, contentLength = null)
-        val inputStream = ByteArrayInputStream("image data".toByteArray())
+        val image = Image(id = imageId, type = ImageType.SCREENSHOT, mimeType = null, contentLength = null, contentId = "abc")
+        val filePath = createTempFile()
 
         every { imageService.getImage(imageId) } returns image
-        every { imageService.getFileContent(image) } returns inputStream
+        every { imageService.getFilePath(image) } returns filePath
 
-        val response = imageEndpoint.getScreenshot(imageId)
+        val response = imageEndpoint.getScreenshot(imageId, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.OK, response.statusCode)
@@ -409,13 +427,13 @@ class ImageEndpointTest {
     fun `getScreenshot should handle large content length`() {
         val imageId = 1L
         val largeSize = Long.MAX_VALUE
-        val image = Image(id = imageId, type = ImageType.SCREENSHOT, mimeType = "image/jpeg", contentLength = largeSize)
-        val inputStream = ByteArrayInputStream("image data".toByteArray())
+        val image = Image(id = imageId, type = ImageType.SCREENSHOT, mimeType = "image/jpeg", contentLength = largeSize, contentId = "abc")
+        val filePath = createTempFile()
 
         every { imageService.getImage(imageId) } returns image
-        every { imageService.getFileContent(image) } returns inputStream
+        every { imageService.getFilePath(image) } returns filePath
 
-        val response = imageEndpoint.getScreenshot(imageId)
+        val response = imageEndpoint.getScreenshot(imageId, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.OK, response.statusCode)
@@ -426,13 +444,13 @@ class ImageEndpointTest {
     @Test
     fun `getCover should handle zero content length`() {
         val imageId = 1L
-        val image = Image(id = imageId, type = ImageType.COVER, mimeType = "image/png", contentLength = 0L)
-        val inputStream = ByteArrayInputStream("".toByteArray())
+        val image = Image(id = imageId, type = ImageType.COVER, mimeType = "image/png", contentLength = 0L, contentId = "abc")
+        val filePath = createTempFile("")
 
         every { imageService.getImage(imageId) } returns image
-        every { imageService.getFileContent(image) } returns inputStream
+        every { imageService.getFilePath(image) } returns filePath
 
-        val response = imageEndpoint.getCover(imageId)
+        val response = imageEndpoint.getCover(imageId, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.OK, response.statusCode)
@@ -443,14 +461,14 @@ class ImageEndpointTest {
     @Test
     fun `getAvatarByUsername should handle empty username`() {
         val username = ""
-        val avatar = Image(id = 1L, type = ImageType.AVATAR, mimeType = "image/jpeg", contentLength = 512L)
-        val inputStream = ByteArrayInputStream("avatar data".toByteArray())
+        val avatar = Image(id = 1L, type = ImageType.AVATAR, mimeType = "image/jpeg", contentLength = 512L, contentId = "avatar-id")
+        val filePath = createTempFile("avatar data")
 
         every { userService.getAvatar(username) } returns avatar
         every { imageService.getImage(1L) } returns avatar
-        every { imageService.getFileContent(avatar) } returns inputStream
+        every { imageService.getFilePath(avatar) } returns filePath
 
-        val response = imageEndpoint.getAvatarByUsername(username)
+        val response = imageEndpoint.getAvatarByUsername(username, mockRequest)
 
         assertNotNull(response)
         assertEquals(HttpStatus.OK, response.statusCode)
@@ -504,5 +522,83 @@ class ImageEndpointTest {
 
         verify(exactly = 1) { imageService.createFromInputStream(ImageType.AVATAR, inputStream, "image/png") }
     }
-}
 
+    @Test
+    fun `should return 304 Not Modified when ETag matches If-None-Match`() {
+        val imageId = 1L
+        val contentId = "abc-123"
+        val image = Image(id = imageId, type = ImageType.COVER, mimeType = "image/png", contentLength = 2048L, contentId = contentId)
+        val requestWithEtag = mockk<HttpServletRequest> {
+            every { getHeader(HttpHeaders.IF_NONE_MATCH) } returns "\"$contentId\""
+        }
+
+        every { imageService.getImage(imageId) } returns image
+
+        val response = imageEndpoint.getCover(imageId, requestWithEtag)
+
+        assertNotNull(response)
+        assertEquals(HttpStatus.NOT_MODIFIED, response.statusCode)
+        assertNull(response.body)
+        verify(exactly = 1) { imageService.getImage(imageId) }
+        verify(exactly = 0) { imageService.getFilePath(any()) }
+    }
+
+    @Test
+    fun `should return 200 with ETag when If-None-Match does not match`() {
+        val imageId = 1L
+        val contentId = "abc-123"
+        val image = Image(id = imageId, type = ImageType.COVER, mimeType = "image/png", contentLength = 2048L, contentId = contentId)
+        val filePath = createTempFile("cover data")
+        val requestWithOldEtag = mockk<HttpServletRequest> {
+            every { getHeader(HttpHeaders.IF_NONE_MATCH) } returns "\"old-etag\""
+        }
+
+        every { imageService.getImage(imageId) } returns image
+        every { imageService.getFilePath(image) } returns filePath
+
+        val response = imageEndpoint.getCover(imageId, requestWithOldEtag)
+
+        assertNotNull(response)
+        assertEquals(HttpStatus.OK, response.statusCode)
+        assertNotNull(response.body)
+        assertEquals("\"$contentId\"", response.headers.eTag)
+        verify(exactly = 1) { imageService.getImage(imageId) }
+        verify(exactly = 1) { imageService.getFilePath(image) }
+    }
+
+    @Test
+    fun `should include ETag and Cache-Control headers in response`() {
+        val imageId = 1L
+        val contentId = "content-uuid-456"
+        val image = Image(id = imageId, type = ImageType.COVER, mimeType = "image/jpeg", contentLength = 1024L, contentId = contentId)
+        val filePath = createTempFile()
+
+        every { imageService.getImage(imageId) } returns image
+        every { imageService.getFilePath(image) } returns filePath
+
+        val response = imageEndpoint.getCover(imageId, mockRequest)
+
+        assertNotNull(response)
+        assertEquals(HttpStatus.OK, response.statusCode)
+        assertEquals("\"$contentId\"", response.headers.eTag)
+        assertNotNull(response.headers.cacheControl)
+    }
+
+    @Test
+    fun `should return 304 for weak ETag match`() {
+        val imageId = 1L
+        val contentId = "abc-123"
+        val image = Image(id = imageId, type = ImageType.COVER, mimeType = "image/png", contentLength = 2048L, contentId = contentId)
+        val requestWithWeakEtag = mockk<HttpServletRequest> {
+            every { getHeader(HttpHeaders.IF_NONE_MATCH) } returns "W/\"$contentId\""
+        }
+
+        every { imageService.getImage(imageId) } returns image
+
+        val response = imageEndpoint.getCover(imageId, requestWithWeakEtag)
+
+        assertNotNull(response)
+        assertEquals(HttpStatus.NOT_MODIFIED, response.statusCode)
+        verify(exactly = 0) { imageService.getFilePath(any()) }
+    }
+}
diff --git a/app/src/test/kotlin/org/gameyfin/app/media/ImageServiceTest.kt b/app/src/test/kotlin/org/gameyfin/app/media/ImageServiceTest.kt
index 83b4c94..19e18dc 100644
--- a/app/src/test/kotlin/org/gameyfin/app/media/ImageServiceTest.kt
+++ b/app/src/test/kotlin/org/gameyfin/app/media/ImageServiceTest.kt
@@ -1,5 +1,7 @@
 package org.gameyfin.app.media
 
+import com.github.benmanes.caffeine.cache.Cache
+import com.github.benmanes.caffeine.cache.Caffeine
 import io.mockk.*
 import org.apache.tika.io.TikaInputStream
 import org.gameyfin.app.core.events.GameDeletedEvent
@@ -14,13 +16,16 @@ import org.gameyfin.app.users.persistence.UserRepository
 import org.junit.jupiter.api.AfterEach
 import org.junit.jupiter.api.Assertions.assertThrows
 import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.Nested
 import org.junit.jupiter.api.Test
 import org.springframework.dao.DataIntegrityViolationException
 import org.springframework.data.repository.findByIdOrNull
+import java.awt.Color
+import java.awt.image.BufferedImage
 import java.io.ByteArrayInputStream
-import kotlin.test.assertEquals
-import kotlin.test.assertNotNull
-import kotlin.test.assertNull
+import java.io.ByteArrayOutputStream
+import javax.imageio.ImageIO
+import kotlin.test.*
 
 class ImageServiceTest {
 
@@ -28,6 +33,7 @@ class ImageServiceTest {
     private lateinit var fileStorageService: FileStorageService
     private lateinit var gameRepository: GameRepository
     private lateinit var userRepository: UserRepository
+    private lateinit var imageCache: Cache<Long, Image>
     private lateinit var imageService: ImageService
 
     @BeforeEach
@@ -36,7 +42,8 @@ class ImageServiceTest {
         fileStorageService = mockk()
         gameRepository = mockk()
         userRepository = mockk()
-        imageService = ImageService(imageRepository, fileStorageService, gameRepository, userRepository)
+        imageCache = Caffeine.newBuilder().build()
+        imageService = ImageService(imageRepository, fileStorageService, gameRepository, userRepository, imageCache)
     }
 
     @AfterEach
@@ -665,4 +672,157 @@ class ImageServiceTest {
         verify(exactly = 1) { imageRepository.delete(oldAvatar) }
         verify(exactly = 1) { fileStorageService.deleteFile(any()) }
     }
+
+    // ---------------------------------------------------------------------------
+    // Helpers
+    // ---------------------------------------------------------------------------
+
+    /**
+     * Creates a minimal in-memory PNG of the given dimensions filled with a solid colour.
+     * Returns the bytes as an [java.io.InputStream] that can be fed directly to [ImageIO.read].
+     */
+    private fun createPngStream(width: Int, height: Int, color: Color = Color.BLUE): ByteArrayInputStream {
+        val img = BufferedImage(width, height, BufferedImage.TYPE_INT_RGB)
+        val g = img.createGraphics()
+        g.color = color
+        g.fillRect(0, 0, width, height)
+        g.dispose()
+        val out = ByteArrayOutputStream()
+        ImageIO.write(img, "png", out)
+        return ByteArrayInputStream(out.toByteArray())
+    }
+
+    // ---------------------------------------------------------------------------
+    // scaleImageForBlurhash – companion object helper (public, directly testable)
+    // ---------------------------------------------------------------------------
+
+    @Nested
+    inner class ScaleImageForBlurhash {
+
+        @Test
+        fun `returns original image when width is already within maxWidth`() {
+            val small = BufferedImage(80, 60, BufferedImage.TYPE_INT_RGB)
+            val result = ImageService.scaleImageForBlurhash(small, maxWidth = 100)
+            assertNotNull(result)
+            assertSame(result, small, "Expected the same instance to be returned for small images")
+        }
+
+        @Test
+        fun `returns original image when width exactly equals maxWidth`() {
+            val exact = BufferedImage(100, 75, BufferedImage.TYPE_INT_RGB)
+            val result = ImageService.scaleImageForBlurhash(exact, maxWidth = 100)
+            assertSame(result, exact)
+        }
+
+        @Test
+        fun `scales down a landscape image to maxWidth maintaining aspect ratio`() {
+            val landscape = BufferedImage(400, 200, BufferedImage.TYPE_INT_RGB)
+            val result = ImageService.scaleImageForBlurhash(landscape, maxWidth = 100)
+            assertEquals(100, result.width)
+            assertEquals(50, result.height)   // 200 * (100/400) = 50
+        }
+
+        @Test
+        fun `scales down a portrait image preserving aspect ratio`() {
+            val portrait = BufferedImage(200, 400, BufferedImage.TYPE_INT_RGB)
+            val result = ImageService.scaleImageForBlurhash(portrait, maxWidth = 100)
+            assertEquals(100, result.width)
+            assertEquals(200, result.height)  // 400 * (100/200) = 200
+        }
+
+        @Test
+        fun `scales down a square image preserving aspect ratio`() {
+            val square = BufferedImage(300, 300, BufferedImage.TYPE_INT_RGB)
+            val result = ImageService.scaleImageForBlurhash(square, maxWidth = 100)
+            assertEquals(100, result.width)
+            assertEquals(100, result.height)
+        }
+    }
+
+    // ---------------------------------------------------------------------------
+    // calculateBlurhash – tested indirectly via createFromInputStream
+    // The blurhash is stored on the Image entity that processImageContent populates.
+    // ---------------------------------------------------------------------------
+
+    @Nested
+    inner class CalculateBlurhash {
+
+        @Test
+        fun `blurhash is set for a valid landscape PNG`() {
+            val pngStream = createPngStream(width = 200, height = 100)
+            Image(id = 1L, type = ImageType.COVER, mimeType = "image/png")
+
+            every { fileStorageService.saveFile(any()) } returns "content-id"
+            every { imageRepository.save(any<Image>()) } answers { firstArg() }
+
+            val result = imageService.createFromInputStream(ImageType.COVER, pngStream, "image/png")
+
+            assertNotNull(result.blurhash, "Expected a blurhash to be generated for a landscape image")
+            assertTrue(result.blurhash!!.isNotBlank())
+        }
+
+        @Test
+        fun `blurhash is set for a valid portrait PNG`() {
+            val pngStream = createPngStream(width = 100, height = 200)
+
+            every { fileStorageService.saveFile(any()) } returns "content-id"
+            every { imageRepository.save(any<Image>()) } answers { firstArg() }
+
+            val result = imageService.createFromInputStream(ImageType.COVER, pngStream, "image/png")
+
+            assertNotNull(result.blurhash, "Expected a blurhash to be generated for a portrait image")
+            assertTrue(result.blurhash!!.isNotBlank())
+        }
+
+        @Test
+        fun `blurhash is set for a valid square PNG`() {
+            val pngStream = createPngStream(width = 150, height = 150)
+
+            every { fileStorageService.saveFile(any()) } returns "content-id"
+            every { imageRepository.save(any<Image>()) } answers { firstArg() }
+
+            val result = imageService.createFromInputStream(ImageType.COVER, pngStream, "image/png")
+
+            assertNotNull(result.blurhash, "Expected a blurhash to be generated for a square image")
+            assertTrue(result.blurhash!!.isNotBlank())
+        }
+
+        @Test
+        fun `blurhash is set for an image already smaller than the scaling threshold`() {
+            // 50x50 is below the default maxWidth=100 used in scaleImageForBlurhash
+            val pngStream = createPngStream(width = 50, height = 50)
+
+            every { fileStorageService.saveFile(any()) } returns "content-id"
+            every { imageRepository.save(any<Image>()) } answers { firstArg() }
+
+            val result = imageService.createFromInputStream(ImageType.COVER, pngStream, "image/png")
+
+            assertNotNull(result.blurhash, "Expected a blurhash even when image is already small")
+        }
+
+        @Test
+        fun `blurhash is null when input stream does not contain a valid image`() {
+            // Feed random non-image bytes; ImageIO.read returns null, so blurhash should be null
+            val garbage = ByteArrayInputStream("not-an-image".toByteArray())
+
+            every { fileStorageService.saveFile(any()) } returns "content-id"
+            every { imageRepository.save(any<Image>()) } answers { firstArg() }
+
+            val result = imageService.createFromInputStream(ImageType.COVER, garbage, "image/png")
+
+            assertNull(result.blurhash, "Expected null blurhash for non-image input")
+        }
+
+        @Test
+        fun `blurhash is null for an empty input stream`() {
+            val empty = ByteArrayInputStream(ByteArray(0))
+
+            every { fileStorageService.saveFile(any()) } returns "content-id"
+            every { imageRepository.save(any<Image>()) } answers { firstArg() }
+
+            val result = imageService.createFromInputStream(ImageType.COVER, empty, "image/png")
+
+            assertNull(result.blurhash, "Expected null blurhash for empty input")
+        }
+    }
 }
diff --git a/app/src/test/kotlin/org/gameyfin/app/users/entities/UserEntityTest.kt b/app/src/test/kotlin/org/gameyfin/app/users/entities/UserEntityTest.kt
new file mode 100644
index 0000000..6af5275
--- /dev/null
+++ b/app/src/test/kotlin/org/gameyfin/app/users/entities/UserEntityTest.kt
@@ -0,0 +1,104 @@
+package org.gameyfin.app.users.entities
+
+import io.mockk.clearAllMocks
+import io.mockk.every
+import io.mockk.mockk
+import io.mockk.unmockkAll
+import org.junit.jupiter.api.AfterEach
+import org.junit.jupiter.api.Test
+import org.springframework.security.oauth2.core.oidc.user.OidcUser
+import kotlin.test.assertEquals
+import kotlin.test.assertNull
+import kotlin.test.assertTrue
+
+class UserEntityTest {
+
+    @AfterEach
+    fun tearDown() {
+        unmockkAll()
+        clearAllMocks()
+    }
+
+    private fun oidcUser(
+        subject: String = "sub-1",
+        preferredUsername: String? = "alice",
+        email: String = "alice@example.com"
+    ): OidcUser = mockk {
+        every { this@mockk.subject } returns subject
+        every { this@mockk.preferredUsername } returns preferredUsername
+        every { this@mockk.email } returns email
+    }
+
+    // ── constructor(oidcUser) ─────────────────────────────────────────────────
+
+    @Test
+    fun `single-arg OidcUser constructor maps all fields`() {
+        val oidcUser = oidcUser(subject = "sub-1", preferredUsername = "alice", email = "alice@example.com")
+
+        val user = User(oidcUser)
+
+        assertEquals("alice", user.username)
+        assertEquals("alice@example.com", user.email)
+        assertEquals("sub-1", user.oidcProviderId)
+        assertTrue(user.emailConfirmed)
+        assertTrue(user.enabled)
+        assertNull(user.password)
+    }
+
+    // ── constructor(oidcUser, resolvedUsername) ───────────────────────────────
+
+    @Test
+    fun `two-arg OidcUser constructor uses provided resolvedUsername`() {
+        val oidcUser = oidcUser(subject = "sub-2", preferredUsername = "original", email = "bob@example.com")
+
+        val user = User(oidcUser, "resolved-name")
+
+        assertEquals("resolved-name", user.username)
+        assertEquals("bob@example.com", user.email)
+        assertEquals("sub-2", user.oidcProviderId)
+        assertTrue(user.emailConfirmed)
+        assertTrue(user.enabled)
+        assertNull(user.password)
+    }
+
+    @Test
+    fun `two-arg constructor uses resolved name even when preferred_username is present`() {
+        val oidcUser = oidcUser(preferredUsername = "preferred", email = "c@example.com")
+
+        val user = User(oidcUser, "fallback-from-name-claim")
+
+        assertEquals("fallback-from-name-claim", user.username)
+    }
+
+    @Test
+    fun `two-arg constructor accepts sub as resolvedUsername when all claims are absent`() {
+        val oidcUser = oidcUser(subject = "sub-fallback", preferredUsername = null)
+
+        val user = User(oidcUser, "sub-fallback")
+
+        assertEquals("sub-fallback", user.username)
+        assertEquals("sub-fallback", user.oidcProviderId)
+    }
+
+    @Test
+    fun `two-arg constructor correctly sets email and oidcProviderId regardless of username`() {
+        val oidcUser = oidcUser(subject = "sub-xyz", email = "test@example.com")
+
+        val user = User(oidcUser, "any-username")
+
+        assertEquals("test@example.com", user.email)
+        assertEquals("sub-xyz", user.oidcProviderId)
+    }
+
+    @Test
+    fun `two-arg constructor sets emailConfirmed and enabled to true`() {
+        val oidcUser = oidcUser()
+
+        val user = User(oidcUser, "whatever")
+
+        assertTrue(user.emailConfirmed)
+        assertTrue(user.enabled)
+    }
+}
+
+
diff --git a/app/tsconfig.json b/app/tsconfig.json
index 936eadf..8b5f0dc 100644
--- a/app/tsconfig.json
+++ b/app/tsconfig.json
@@ -22,6 +22,7 @@
     "noUnusedParameters": false,
     "experimentalDecorators": true,
     "useDefineForClassFields": false,
+    "noEmit": true,
     "baseUrl": "src/main/frontend",
     "paths": {
       "@vaadin/flow-frontend": [
diff --git a/build.gradle.kts b/build.gradle.kts
index 5e05973..91b94df 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -6,7 +6,7 @@ import org.jetbrains.kotlin.gradle.tasks.KotlinJvmCompile
 import java.nio.file.Files
 
 group = "org.gameyfin"
-version = "2.3.3"
+version = "2.4.0-preview"
 
 allprojects {
     repositories {
@@ -43,7 +43,7 @@ subprojects {
     }
 }
 
-extra.set("pluginDir", rootProject.layout.buildDirectory.get().asFile.resolve("plugins"))
+extra.set("pf4j.pluginsDir", rootProject.layout.buildDirectory.get().asFile.resolve("plugins"))
 
 abstract class UpdatePackageJsonVersionTask : DefaultTask() {
     @get:Input
diff --git a/docker/Dockerfile.ubuntu b/docker/Dockerfile.ubuntu
index 3a3ab3c..4fe0a62 100644
--- a/docker/Dockerfile.ubuntu
+++ b/docker/Dockerfile.ubuntu
@@ -1,19 +1,52 @@
 # syntax=docker/dockerfile:1.4
 
-FROM eclipse-temurin:21-jre-alpine as builder
-WORKDIR /opt/gameyfin
-ARG JAR_FILE=./app/build/libs/app.jar
+# ── Stage 1: extract layers & collect plugins ────────────────────────────
+FROM eclipse-temurin:25-jre-alpine AS extractor
+
+WORKDIR /builder
+
+ARG JAR_FILE=./app/build/libs/app-*.jar
 COPY ${JAR_FILE} application.jar
-RUN java -Djarmode=tools -jar application.jar extract --layers --launcher --destination extracted
+
+# Extract using layered layout for optimal Docker layer caching
+RUN java -Djarmode=tools -jar application.jar extract --layers --destination extracted
 
 # Pre-collect plugin JARs so final stage can copy them in a single layer
 COPY --link ./plugins/ /tmp/plugins/
-RUN mkdir -p /opt/gameyfin/plugins \
-    && find /tmp/plugins -type f -path "*/build/libs/*.jar" -exec cp {} /opt/gameyfin/plugins/ \; \
+RUN mkdir -p /builder/plugins \
+    && find /tmp/plugins -type f -path "*/build/libs/*.jar" -exec cp {} /builder/plugins/ \; \
     && rm -rf /tmp/plugins
 
+# ── Stage 2: AOT cache training (must use the *runtime* JVM) ─────────────
+# Boot the full application, wait for readiness, fire warm-up HTTP requests
+# that exercise Vaadin/Hilla, Spring Security, Hibernate, and PF4J plugin
+# loading, then gracefully shut down
+FROM eclipse-temurin:25-jre AS aot-training
 
-FROM eclipse-temurin:21-jre
+WORKDIR /training
+
+# curl is needed by the training script to poll health and send warm-up requests
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends curl && \
+    rm -rf /var/lib/apt/lists/*
+
+# Copy the extracted layers to reassemble the application for the training run
+COPY --from=extractor /builder/extracted/dependencies/ ./
+COPY --from=extractor /builder/extracted/spring-boot-loader/ ./
+COPY --from=extractor /builder/extracted/snapshot-dependencies/ ./
+COPY --from=extractor /builder/extracted/application/ ./
+
+# Copy plugins
+COPY --from=extractor /builder/plugins ./plugins
+
+# Copy and run the AOT training script
+# On x86-64, the script passes UseAVX=0 to restrict generated code to baseline
+# SSE2 so the cache is portable across all amd64 CPUs (skipped on aarch64).
+COPY --link ./docker/aot-training.sh ./aot-training.sh
+RUN chmod +x aot-training.sh && ./aot-training.sh
+
+# ── Stage 3: runtime image ───────────────────────────────────────────────
+FROM eclipse-temurin:25-jre
 
 # OCI labels
 LABEL maintainer="grimsi" \
@@ -49,12 +82,15 @@ RUN groupadd -g "$GID" "$USER" && \
 # Copy entrypoint script with proper perms and ownership
 COPY --link --chown=${UID}:${GID} --chmod=0755 ./docker/entrypoint.ubuntu.sh /entrypoint.sh
 
-# Copy application layers and plugin jars from builder stage
-COPY --from=builder --link --chown=${UID}:${GID} /opt/gameyfin/extracted/dependencies/ ./
-COPY --from=builder --link --chown=${UID}:${GID} /opt/gameyfin/extracted/spring-boot-loader/ ./
-COPY --from=builder --link --chown=${UID}:${GID} /opt/gameyfin/extracted/snapshot-dependencies/ ./
-COPY --from=builder --link --chown=${UID}:${GID} /opt/gameyfin/extracted/application/ ./
-COPY --from=builder --link --chown=${UID}:${GID} /opt/gameyfin/plugins ./plugins
+# Copy application layers from extractor stage
+COPY --from=extractor --link --chown=${UID}:${GID} /builder/extracted/dependencies/ ./
+COPY --from=extractor --link --chown=${UID}:${GID} /builder/extracted/spring-boot-loader/ ./
+COPY --from=extractor --link --chown=${UID}:${GID} /builder/extracted/snapshot-dependencies/ ./
+COPY --from=extractor --link --chown=${UID}:${GID} /builder/extracted/application/ ./
+COPY --from=extractor --link --chown=${UID}:${GID} /builder/plugins ./plugins
+
+# Copy AOT cache from training stage
+COPY --from=aot-training --link --chown=${UID}:${GID} /training/app.aot ./
 
 EXPOSE 8080
 
diff --git a/docker/aot-training.sh b/docker/aot-training.sh
new file mode 100755
index 0000000..43f4172
--- /dev/null
+++ b/docker/aot-training.sh
@@ -0,0 +1,124 @@
+#!/usr/bin/env bash
+# ──────────────────────────────────────────────────────────────────────────────
+# AOT cache training script
+#
+# Instead of the quick-exit  -Dspring.context.exit=onRefresh  approach, this
+# script boots the full application, waits for readiness, fires HTTP requests
+# that exercise the hot paths (Vaadin/Hilla, Spring Security, Hibernate, PF4J
+# plugin loading), and then gracefully shuts the JVM down.
+#
+# Because the JVM is started with  -XX:AOTCacheOutput=…  it records method
+# profiling data for every code path that actually ran, producing a much
+# richer AOT cache than the "exit on refresh" strategy.
+# ──────────────────────────────────────────────────────────────────────────────
+set -euo pipefail
+
+# ── Configurable knobs ────────────────────────────────────────────────────────
+APP_PORT=8080
+MGMT_PORT=8081
+HEALTH_URL="http://localhost:${MGMT_PORT}/actuator/health/readiness"
+MAX_WAIT=300          # seconds to wait for the app to become ready
+WARMUP_PAUSE=2        # seconds to sleep after warmup before sending SIGTERM
+
+# Dummy AES key — only used inside the ephemeral training container
+export APP_KEY="bknLhYui9N21X2z3sIR+HR9LHI9STMMOZRz5K8nFzJY="
+
+# ── Start the application in the background ───────────────────────────────────
+# On x86-64, restrict to baseline SSE2 (UseAVX=0) so the AOT cache is portable across all x86 CPUs
+# The flag is x86-only and must not be passed on aarch64.
+ARCH_OPTS=""
+case "$(uname -m)" in
+    x86_64|amd64) ARCH_OPTS="-XX:UseAVX=0" ;;
+esac
+
+echo "▶ Starting application for AOT training …"
+java -XX:AOTCacheOutput=app.aot \
+     -XX:+UseCompactObjectHeaders \
+     $ARCH_OPTS \
+     -jar application.jar --spring.profiles.active=aot-training &
+APP_PID=$!
+
+# ── Wait for readiness ────────────────────────────────────────────────────────
+echo "Waiting for health endpoint (${HEALTH_URL}) …"
+elapsed=0
+until curl -sf "${HEALTH_URL}" 2>/dev/null | grep -q '"status":"UP"'; do
+    if ! kill -0 "$APP_PID" 2>/dev/null; then
+        echo "✗ Application exited prematurely (PID ${APP_PID})."
+        exit 1
+    fi
+    if [ "$elapsed" -ge "$MAX_WAIT" ]; then
+        echo "✗ Timed out after ${MAX_WAIT}s waiting for the app to start."
+        kill "$APP_PID" 2>/dev/null || true
+        exit 1
+    fi
+    sleep 1s
+    elapsed=$((elapsed + 1))
+done
+echo "✓ Application is ready (took ~${elapsed}s)."
+
+# ── Warm-up requests ─────────────────────────────────────────────────────────
+# Each request exercises a different slice of the runtime:
+#   • Vaadin Hilla page rendering + React SSR bootstrap
+#   • Spring Security filter chain
+#   • Hilla JSON-RPC endpoint serialisation (SetupEndpoint, UserEndpoint)
+#   • Actuator / Micrometer metrics
+echo "Sending warm-up requests …"
+
+# Helper: ignore HTTP errors — we only care that the JVM executes the code path.
+warmup() {
+    echo "   → $1"
+    curl -sf -o /dev/null -w "     HTTP %{http_code} (%{time_total}s)\n" "$@" || true
+}
+
+warmup_post() {
+    local url="$1"
+    local body="${2:-{}}"
+    echo "   → POST $url"
+    curl -sf -o /dev/null -w "     HTTP %{http_code} (%{time_total}s)\n" \
+         -X POST \
+         -H "Content-Type: application/json" \
+         -d "$body" \
+         "$url" || true
+}
+
+# -- Vaadin / static pages --
+warmup "http://localhost:${APP_PORT}/"
+warmup "http://localhost:${APP_PORT}/login"
+warmup "http://localhost:${APP_PORT}/setup"
+
+# -- Hilla endpoints (JSON-RPC style: POST /connect/<Endpoint>/<method>) --
+warmup_post "http://localhost:${APP_PORT}/connect/SetupEndpoint/isSetupCompleted"
+warmup_post "http://localhost:${APP_PORT}/connect/UserEndpoint/getUserInfo"
+warmup_post "http://localhost:${APP_PORT}/connect/MessageEndpoint/isEnabled"
+warmup_post "http://localhost:${APP_PORT}/connect/ConfigEndpoint/areGameRequestsEnabled"
+warmup_post "http://localhost:${APP_PORT}/connect/PlatformEndpoint/getStats"
+
+# -- Actuator --
+warmup "http://localhost:${MGMT_PORT}/actuator/health"
+warmup "http://localhost:${MGMT_PORT}/actuator/info"
+warmup "http://localhost:${MGMT_PORT}/actuator/metrics"
+
+echo "✓ Warm-up complete."
+
+# ── Graceful shutdown ─────────────────────────────────────────────────────────
+echo "⏳ Pausing ${WARMUP_PAUSE}s before shutdown …"
+sleep "$WARMUP_PAUSE"
+
+echo "⏹ Sending SIGTERM to PID ${APP_PID} …"
+kill "$APP_PID" 2>/dev/null || true
+
+# Wait for the process to exit
+if wait "$APP_PID" 2>/dev/null; then
+    echo "✓ Application exited cleanly."
+else
+    echo "✓ Application exited (code $?)."
+fi
+
+# ── Verify the AOT cache was produced ─────────────────────────────────────────
+if [ -s app.aot ]; then
+    echo "✓ AOT cache written ($(du -h app.aot | cut -f1))."
+else
+    echo "✗ AOT cache file is missing or empty!"
+    exit 1
+fi
+
diff --git a/docker/docker-compose.example.yml b/docker/docker-compose.example.yml
index 0a0d85e..5e3d017 100644
--- a/docker/docker-compose.example.yml
+++ b/docker/docker-compose.example.yml
@@ -3,6 +3,8 @@ services:
     image: ghcr.io/gameyfin/gameyfin:2
     container_name: gameyfin
     restart: unless-stopped
+    # (optional) Limit the memory usage of the container. Recommended minimum is 1024m.
+    # mem_limit: 1024m
     environment:
       # Generate a new APP_KEY using the command "openssl rand -base64 32" or similar.
       APP_KEY: <your app key here>
@@ -14,6 +16,14 @@ services:
       # (optional) Set the user and group ID to run Gameyfin with a specific user.
       # PUID: 1000 # Change this to your user ID if needed
       # PGID: 1000 # Change this to your group ID if needed
+
+      # (optional) Override or extend JVM flags. The container ships with sensible defaults.
+      #
+      # JAVA_OPTS – extra flags *appended* to the built-in defaults:
+      # JAVA_OPTS: -Dsome.property=value
+      #
+      # JAVA_OPTS_OVERRIDE – *replaces* all built-in defaults entirely:
+      # JAVA_OPTS_OVERRIDE: -Xmx512m -XX:+UseG1GC
     volumes:
       - "./db:/opt/gameyfin/db"
       - "./data:/opt/gameyfin/data"
diff --git a/docker/entrypoint.ubuntu.sh b/docker/entrypoint.ubuntu.sh
index 613edd8..92ca97f 100644
--- a/docker/entrypoint.ubuntu.sh
+++ b/docker/entrypoint.ubuntu.sh
@@ -20,6 +20,50 @@ if [ -n "$PUID$PGID" ]; then
   done
 fi
 
-export JAVA_TOOL_OPTIONS="${JAVA_OPTS:-}"
+# ── JVM memory tuning for containers ──────────────────────────────
+# Explicit heap cap instead of MaxRAMPercentage to leave room for
+# metaspace, native threads, NIO direct buffers and H2 file-mapped pages.
+# -Xmx512m / -Xms128m  – hard heap ceiling; floor at 128 m so idle apps shrink.
+# UseG1GC              – good general-purpose GC.
+# G1HeapRegionSize=1m  – smaller regions improve reclamation at small heaps.
+# MinHeapFreeRatio / MaxHeapFreeRatio – return unused heap to the OS faster.
+# G1PeriodicGCInterval – triggers a concurrent GC every 15 s while idle so
+#                        the free-ratio settings are actually evaluated and
+#                        uncommitted pages are returned to the OS.
+# UseStringDeduplication saves heap on duplicate String values.
+# UseCompactObjectHeaders saves ~8 bytes per object reference on 64-bit JVMs.
+# Reduced thread-stack size (-Xss512k) saves ~0.5 MB per thread.
+# MaxMetaspaceSize     – bounds class-metadata growth (Vaadin/Spring load many).
+# MaxDirectMemorySize  – caps NIO direct buffers.
+# AOT Cache reduces startup time and memory footprint.
+DEFAULT_JVM_OPTS="\
+  -Xms128m \
+  -Xmx512m \
+  -XX:+UseG1GC \
+  -XX:G1HeapRegionSize=1m \
+  -XX:MinHeapFreeRatio=15 \
+  -XX:MaxHeapFreeRatio=30 \
+  -XX:G1PeriodicGCInterval=15000 \
+  -XX:+UseStringDeduplication \
+  -XX:+UseCompactObjectHeaders \
+  -XX:MaxMetaspaceSize=192m \
+  -XX:MaxDirectMemorySize=64m \
+  -Xss512k"
 
-exec gosu gameyfin:gameyfin java -Djava.net.preferIPv4Stack=true org.springframework.boot.loader.launch.JarLauncher
\ No newline at end of file
+# Append AOT Cache flag if a non-empty training cache file exists
+if [ -s /opt/gameyfin/app.aot ]; then
+  DEFAULT_JVM_OPTS="${DEFAULT_JVM_OPTS} -XX:AOTCache=/opt/gameyfin/app.aot"
+fi
+
+# Two env-var options for users (set in docker-compose "environment:"):
+#   JAVA_OPTS          – extra flags *appended* to the built-in defaults
+#                        e.g. JAVA_OPTS=-Dsome.prop=value
+#   JAVA_OPTS_OVERRIDE – if set, *replaces* all built-in defaults entirely
+#                        e.g. JAVA_OPTS_OVERRIDE=-Xmx512m -XX:+UseG1GC
+if [ -n "${JAVA_OPTS_OVERRIDE:-}" ]; then
+  export JDK_JAVA_OPTIONS="${JAVA_OPTS_OVERRIDE}"
+else
+  export JDK_JAVA_OPTIONS="${DEFAULT_JVM_OPTS} ${JAVA_OPTS:-}"
+fi
+
+exec gosu gameyfin:gameyfin java -Djava.net.preferIPv4Stack=true -jar application.jar
diff --git a/gradle.properties b/gradle.properties
index ddc3819..b71a175 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -4,24 +4,24 @@ org.gradle.parallel=true
 org.gradle.caching=true
 org.gradle.configuration-cache=true
 # Dependency versions
-kotlinVersion=2.3.0
-kspVersion=2.3.5
-vaadinVersion=25.0.4
-springBootVersion=4.0.2
+kotlinVersion=2.3.10
+kspVersion=2.3.6
+vaadinVersion=25.0.5
+springBootVersion=4.0.3
 springCloudVersion=2025.1.1
 springDependencyManagementVersion=1.1.7
 jakartaValidationVersion=3.1.0
 kotlinLoggingVersion=7.0.14
-springContentVersion=3.0.17
 commonsIoVersion=2.21.0
 guavaVersion=33.5.0-jre
 mjml4jVersion=1.1.5
 tikaVersion=3.2.3
 fuzzywuzzyVersion=1.4.0
 blurhashVersion=0.3.0
+caffeineVersion=3.2.3
 # Plugin dependency versions
 pf4jVersion=3.15.0
-pf4jKspVersion=2.3.0-1.0.4
+pf4jKspVersion=2.3.10-1.0.4
 # Test framework versions
 junitVersion=6.0.2
 mockkVersion=1.14.9
diff --git a/plugins/torrentdownload/src/main/kotlin/org/gameyfin/plugins/download/torrent/TorrentClient.kt b/plugins/torrentdownload/src/main/kotlin/org/gameyfin/plugins/download/torrent/TorrentClient.kt
index 055f961..9f956c7 100644
--- a/plugins/torrentdownload/src/main/kotlin/org/gameyfin/plugins/download/torrent/TorrentClient.kt
+++ b/plugins/torrentdownload/src/main/kotlin/org/gameyfin/plugins/download/torrent/TorrentClient.kt
@@ -79,7 +79,7 @@ class TorrentClient(
         // Verify file access before adding to session
         if (!Files.isReadable(gameFile)) {
             log.error("Cannot read game file for seeding: $gameFile - check file permissions")
-            throw IllegalStateException("Game file is not readable: $gameFile")
+            error("Game file is not readable: $gameFile")
         }
 
         try {
@@ -193,17 +193,25 @@ class TorrentClient(
                 val distributedFullCopies = status.distributedFullCopies()
 
                 // If there are other seeders or complete peers, stop seeding
-                if (distributedFullCopies > 0) {
-                    log.debug("Stopping seeding for torrent '${status.name()}' as it is healthy: $distributedFullCopies distributed full copies.")
-                    session?.remove(handle)
-                } else if (completePeersFromTracker > 1) {
-                    log.debug("Stopping seeding for torrent '${status.name()}' as it is healthy: $completePeersFromTracker complete peers from tracker.")
-                    session?.remove(handle)
-                } else if (knownSeeders > 0) {
-                    log.debug("Stopping seeding for torrent '${status.name()}' as it is healthy: $knownSeeders known seeders.")
-                    session?.remove(handle)
-                } else {
-                    log.debug("Continuing to seed torrent '${status.name()}' - no other complete peers found.")
+                when {
+                    distributedFullCopies > 0 -> {
+                        log.debug("Stopping seeding for torrent '${status.name()}' as it is healthy: $distributedFullCopies distributed full copies.")
+                        session?.remove(handle)
+                    }
+
+                    completePeersFromTracker > 1 -> {
+                        log.debug("Stopping seeding for torrent '${status.name()}' as it is healthy: $completePeersFromTracker complete peers from tracker.")
+                        session?.remove(handle)
+                    }
+
+                    knownSeeders > 0 -> {
+                        log.debug("Stopping seeding for torrent '${status.name()}' as it is healthy: $knownSeeders known seeders.")
+                        session?.remove(handle)
+                    }
+
+                    else -> {
+                        log.debug("Continuing to seed torrent '${status.name()}' - no other complete peers found.")
+                    }
                 }
             }
         }
diff --git a/scripts/gog.sh b/scripts/gog.sh
index 3e1fd8c..435a8cc 100755
--- a/scripts/gog.sh
+++ b/scripts/gog.sh
@@ -36,18 +36,46 @@ done
 # Ensure target directory exists
 mkdir -p "$TARGET_DIR"
 
-# Fetch game data from GOG
-API_URL="https://catalog.gog.com/v1/catalog?limit=$NUM_GAMES&systems=in%3Awindows&order=desc%3Abestselling&productType=in%3Agame%2Cpack"
-RESPONSE=$(curl -s "$API_URL")
+# Fetch game data from GOG (max 100 per request, paginate if needed)
+PAGE_SIZE=100
+COLLECTED=0
+CURRENT_PAGE=1
 
-# Extract titles and create folders
-echo "$RESPONSE" | jq -r '.products[].title' | while read -r TITLE; do
-  # Replace problematic characters in folder names
-  SAFE_TITLE=$(echo "$TITLE" | tr -cd '[:alnum:] _-')
-  GAME_DIR="$TARGET_DIR/$SAFE_TITLE"
-  mkdir -p "$GAME_DIR"
-  if $CREATE_README; then
-    touch "$GAME_DIR/README.md"
+process_titles() {
+  while read -r TITLE; do
+    # Replace problematic characters in folder names
+    SAFE_TITLE=$(echo "$TITLE" | tr -cd '[:alnum:] _-' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+    GAME_DIR="$TARGET_DIR/$SAFE_TITLE"
+    mkdir -p "$GAME_DIR"
+    if $CREATE_README; then
+      touch "$GAME_DIR/README.md"
+    fi
+    echo "Created: $GAME_DIR"
+  done
+}
+
+while [ "$COLLECTED" -lt "$NUM_GAMES" ]; do
+  REMAINING=$((NUM_GAMES - COLLECTED))
+  LIMIT=$PAGE_SIZE
+  if [ "$REMAINING" -lt "$PAGE_SIZE" ]; then
+    LIMIT=$REMAINING
   fi
-  echo "Created: $GAME_DIR"
+
+  API_URL="https://catalog.gog.com/v1/catalog?limit=$LIMIT&page=$CURRENT_PAGE&systems=in%3Awindows&order=desc%3Abestselling&productType=in%3Agame%2Cpack"
+  RESPONSE=$(curl -s "$API_URL")
+
+  TOTAL_PAGES=$(echo "$RESPONSE" | jq -r '.pages')
+  TITLES=$(echo "$RESPONSE" | jq -r '.products[].title')
+  COUNT=$(echo "$TITLES" | grep -c .)
+
+  echo "$TITLES" | process_titles
+
+  COLLECTED=$((COLLECTED + COUNT))
+
+  # Stop if we've reached the last available page
+  if [ "$CURRENT_PAGE" -ge "$TOTAL_PAGES" ]; then
+    break
+  fi
+
+  CURRENT_PAGE=$((CURRENT_PAGE + 1))
 done