diff --git a/Jenkinsfile b/Jenkinsfile
index 4385afa92..9873250b2 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -1,6 +1,6 @@
 
 def failedBuild = false
-def minor_version = "8.2"
+def minor_version = "9.1"
 def version = "${minor_version}"
 def changeUrl = env.CHANGE_URL
 def slackResponse = null
diff --git a/Jenkinsfile-security b/Jenkinsfile-security
index 6da6afe91..a26c55b42 100644
--- a/Jenkinsfile-security
+++ b/Jenkinsfile-security
@@ -1,5 +1,5 @@
 
-def version = "8.2"
+def version = "9.1"
 def changeUrl = env.CHANGE_URL
 def job = ""
 def errors = []
diff --git a/api-authorizations/packaging/metadata b/api-authorizations/packaging/metadata
index 01a87a15f..b3003cd9a 100644
--- a/api-authorizations/packaging/metadata
+++ b/api-authorizations/packaging/metadata
@@ -8,5 +8,6 @@
   "jar-files": [ "/opt/rudder/share/plugins/${plugin-name}/${plugin-name}.jar" ],
   "content": {
     "files.txz": "/opt/rudder/share/plugins"
-  }
+  },
+  "requires-license": true
 }
diff --git a/api-authorizations/src/main/scala-templates/default/com/normation/plugins/apiauthorizations/EnablePluginImpl.scala b/api-authorizations/src/main/scala-templates/default/com/normation/plugins/apiauthorizations/EnablePluginImpl.scala
index 9cbd1b519..a94f25707 100644
--- a/api-authorizations/src/main/scala-templates/default/com/normation/plugins/apiauthorizations/EnablePluginImpl.scala
+++ b/api-authorizations/src/main/scala-templates/default/com/normation/plugins/apiauthorizations/EnablePluginImpl.scala
@@ -38,6 +38,6 @@
 package com.normation.plugins.apiauthorizations
 
 import com.normation.plugins.PluginEnableImpl
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends PluginEnableImpl
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends PluginEnableImpl
diff --git a/api-authorizations/src/main/scala-templates/limited/com/normation/plugins/apiauthorizations/EnablePluginImpl.scala b/api-authorizations/src/main/scala-templates/limited/com/normation/plugins/apiauthorizations/EnablePluginImpl.scala
index 612ecdace..af29240d4 100644
--- a/api-authorizations/src/main/scala-templates/limited/com/normation/plugins/apiauthorizations/EnablePluginImpl.scala
+++ b/api-authorizations/src/main/scala-templates/limited/com/normation/plugins/apiauthorizations/EnablePluginImpl.scala
@@ -38,15 +38,15 @@
 package com.normation.plugins.apiauthorizations
 
 import com.normation.plugins.LicensedPluginCheck
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 import com.normation.zio.*
 
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends LicensedPluginCheck {
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends LicensedPluginCheck {
   // here are processed variables
   def pluginResourcePublickey = "${plugin-resource-publickey}"
   def pluginResourceLicense   = "${plugin-resource-license}"
   def pluginDeclaredVersion   = "${plugin-declared-version}"
   def pluginId                = "${plugin-fullname}"
 
-  override def getNumberOfNodes: Int = nodeInfoService.getNumberOfManagedNodes.runNow
+  override def getNumberOfNodes: Int = nodeFactRepo.getNumberOfManagedNodes().runNow
 }
diff --git a/api-authorizations/src/main/scala/bootstrap/rudder/plugin/ApiAuthorizationsConf.scala b/api-authorizations/src/main/scala/bootstrap/rudder/plugin/ApiAuthorizationsConf.scala
index acd7ac069..96540ea7b 100644
--- a/api-authorizations/src/main/scala/bootstrap/rudder/plugin/ApiAuthorizationsConf.scala
+++ b/api-authorizations/src/main/scala/bootstrap/rudder/plugin/ApiAuthorizationsConf.scala
@@ -55,7 +55,7 @@ class AclLevel(status: PluginStatus) extends ApiAuthorizationLevelService {
  */
 object ApiAuthorizationsConf extends RudderPluginModule {
   // by build convention, we have only one of that on the classpath
-  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeInfoService)
+  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeFactRepository)
 
   // override default service level
   RudderConfig.apiAuthorizationLevelService.overrideLevel(new AclLevel(pluginStatusService))
diff --git a/api-authorizations/src/main/scala/com/normation/plugins/apiauthorizations/UserInformationExtension.scala b/api-authorizations/src/main/scala/com/normation/plugins/apiauthorizations/UserInformationExtension.scala
index 2c151f82b..31e05a638 100644
--- a/api-authorizations/src/main/scala/com/normation/plugins/apiauthorizations/UserInformationExtension.scala
+++ b/api-authorizations/src/main/scala/com/normation/plugins/apiauthorizations/UserInformationExtension.scala
@@ -85,7 +85,7 @@ class UserInformationExtension(
           </div>
         </li>
 
-        <script>
+        <script data-lift="with-nonce">
         //<![CDATA[
           // init elm app
           $(document).ready(function(){
diff --git a/api-authorizations/src/main/scala/com/normation/plugins/apiauthorizations/UserJsonCodec.scala b/api-authorizations/src/main/scala/com/normation/plugins/apiauthorizations/UserJsonCodec.scala
deleted file mode 100644
index bf0cba355..000000000
--- a/api-authorizations/src/main/scala/com/normation/plugins/apiauthorizations/UserJsonCodec.scala
+++ /dev/null
@@ -1,23 +0,0 @@
-package com.normation.plugins.apiauthorizations
-
-import com.normation.rudder.api.ApiAccountId
-import com.normation.rudder.api.ApiAccountName
-import com.normation.rudder.api.ApiAccountType
-import com.normation.rudder.api.ApiAuthorizationKind
-import com.normation.rudder.apidata.JsonApiAcl
-import com.normation.utils.DateFormaterService
-import org.joda.time.DateTime
-import zio.json.*
-
-trait UserJsonCodec {
-
-  implicit val accountIdEncoder:         JsonEncoder[ApiAccountId]         = JsonEncoder[String].contramap(_.value)
-  implicit val accountNameEncoder:       JsonEncoder[ApiAccountName]       = JsonEncoder[String].contramap(_.value)
-  implicit val dateTimeEncoder:          JsonEncoder[DateTime]             = JsonEncoder[String].contramap(DateFormaterService.serialize)
-  implicit val accountTypeEncoder:       JsonEncoder[ApiAccountType]       = JsonEncoder[String].contramap(_.name)
-  implicit val authorizationTypeEncoder: JsonEncoder[ApiAuthorizationKind] = JsonEncoder[String].contramap(_.name)
-  implicit val aclEncoder:               JsonEncoder[JsonApiAcl]           = DeriveJsonEncoder.gen[JsonApiAcl]
-
-}
-
-object UserJsonCodec extends UserJsonCodec
diff --git a/api-authorizations/src/main/scala/com/normation/plugins/apiauthorizations/UserTokenApiDefinition.scala b/api-authorizations/src/main/scala/com/normation/plugins/apiauthorizations/UserTokenApiDefinition.scala
index b8d196013..874766d69 100644
--- a/api-authorizations/src/main/scala/com/normation/plugins/apiauthorizations/UserTokenApiDefinition.scala
+++ b/api-authorizations/src/main/scala/com/normation/plugins/apiauthorizations/UserTokenApiDefinition.scala
@@ -41,16 +41,18 @@ import bootstrap.liftweb.AuthBackendProvidersManager
 import com.normation.errors.*
 import com.normation.eventlog.ModificationId
 import com.normation.rudder.api.*
-import com.normation.rudder.apidata.JsonApiAcl
 import com.normation.rudder.facts.nodes.NodeSecurityContext
+import com.normation.rudder.repository.ldap.JsonApiAuthz
 import com.normation.rudder.rest.*
 import com.normation.rudder.rest.UserApi
+import com.normation.rudder.rest.data.*
 import com.normation.rudder.rest.implicits.ToLiftResponseOne
 import com.normation.rudder.rest.lift.*
 import com.normation.rudder.users.UserRepository
 import com.normation.utils.DateFormaterService
 import com.normation.utils.StringUuidGenerator
 import io.scalaland.chimney.Transformer
+import io.scalaland.chimney.syntax.*
 import net.liftweb.http.LiftResponse
 import net.liftweb.http.Req
 import org.joda.time.DateTime
@@ -71,17 +73,13 @@ class UserApiImpl(
   def schemas: ApiModuleProvider[UserApi] = UserApi
 
   def getLiftEndpoints(): List[LiftApiModule] = {
-    UserApi.endpoints
-      .map(e => {
-        e match {
-          case UserApi.GetTokenFeatureStatus => GetTokenFeatureStatus
-          case UserApi.GetApiToken           => GetApiToken
-          case UserApi.CreateApiToken        => CreateApiToken
-          case UserApi.DeleteApiToken        => DeleteApiToken
-          case UserApi.UpdateApiToken        => UpdateApiToken
-        }
-      })
-      .toList
+    UserApi.endpoints.map {
+      case UserApi.GetTokenFeatureStatus => GetTokenFeatureStatus
+      case UserApi.GetApiToken           => GetApiToken
+      case UserApi.CreateApiToken        => CreateApiToken
+      case UserApi.DeleteApiToken        => DeleteApiToken
+      case UserApi.UpdateApiToken        => UpdateApiToken
+    }
   }
 
   /*
@@ -128,13 +126,13 @@ class UserApiImpl(
 
     def process0(version: ApiVersion, path: ApiPath, req: Req, params: DefaultParams, authzToken: AuthzToken): LiftResponse = {
       val now     = DateTime.now
-      val secret  = ApiToken.generate_secret(tokenGenerator)
-      val hash    = ApiToken.hash(secret)
+      val secret  = ApiTokenSecret.generate(tokenGenerator)
+      val hash    = ApiTokenHash.fromSecret(secret)
       val account = ApiAccount(
         ApiAccountId(authzToken.qc.actor.name),
         ApiAccountKind.User,
         ApiAccountName(authzToken.qc.actor.name),
-        ApiToken(hash),
+        Some(hash),
         s"API token for user '${authzToken.qc.actor.name}'",
         isEnabled = true,
         now,
@@ -145,7 +143,7 @@ class UserApiImpl(
 
       writeApi
         .save(account, ModificationId(uuidGen.newUuid), authzToken.qc.actor)
-        .map(RestAccountsResponse.fromUnredacted(_, secret))
+        .map(RestAccountsResponse.fromUnredacted(_, secret.exposeSecret()))
         .chainError(s"Error when trying to save user '${authzToken.qc.actor.name}' API token")
         .toLiftResponseOne(params, schema, None)
     }
@@ -180,17 +178,12 @@ class UserApiImpl(
 object UserApiImpl {
 
   /**
-    * The value that will be displayed in the API response for the token.
-    */
+   * The value that will be displayed in the API response for the token.
+   */
   final case class ClearTextToken(value: String) extends AnyVal
 
   object ClearTextToken {
 
-    implicit val transformer: Transformer[ApiToken, ClearTextToken] = Transformer
-      .define[ApiToken, ClearTextToken]
-      .withFieldComputed(_.value, token => if (token.isHashed) "" else token.value)
-      .buildTransformer
-
     implicit val encoder: JsonEncoder[ClearTextToken] = JsonEncoder[String].contramap(_.value)
   }
 
@@ -206,13 +199,12 @@ object UserApiImpl {
       expirationDate:                  Option[String],
       expirationDateDefined:           Boolean,
       authorizationType:               Option[ApiAuthorizationKind],
-      acl:                             Option[List[JsonApiAcl]]
+      acl:                             Option[List[JsonApiAuthz]]
   )
 
-  object RestApiAccount extends UserJsonCodec {
+  object RestApiAccount extends ApiAccountCodecs {
     implicit class ApiAccountOps(val account: ApiAccount) extends AnyVal {
       import ApiAccountKind.*
-      import io.scalaland.chimney.syntax.*
       def expirationDate: Option[String] = {
         account.kind match {
           case PublicApi(_, expirationDate) => expirationDate.map(DateFormaterService.getDisplayDateTimePicker)
@@ -229,13 +221,13 @@ object UserApiImpl {
         }
       }
 
-      def acl: Option[List[JsonApiAcl]] = {
+      def acl: Option[List[JsonApiAuthz]] = {
         import ApiAuthorization.*
         account.kind match {
           case PublicApi(authz, expirationDate) =>
             authz match {
               case None | RO | RW => Option.empty
-              case ACL(acls)      => Some(acls.flatMap(x => x.actions.map(a => JsonApiAcl(x.path.value, a.name))))
+              case ACL(acls)      => Some(acls.map(x => JsonApiAuthz(x.path.value, x.actions.toList.map(_.name))))
             }
           case User | System                    => Option.empty
         }
@@ -254,6 +246,7 @@ object UserApiImpl {
 
     implicit val transformer: Transformer[ApiAccount, RestApiAccount] = Transformer
       .define[ApiAccount, RestApiAccount]
+      .withFieldConst(_.token, ClearTextToken("")) // if the hash need to be exposed, it's done post transformation
       .withFieldComputed(_.kind, _.kind.kind)
       .withFieldComputed(_.acl, _.acl)
       .withFieldComputed(_.expirationDate, _.expirationDate)
@@ -264,9 +257,6 @@ object UserApiImpl {
       )
       .buildTransformer
 
-    implicit val publicTokenEncoder: JsonEncoder[ApiToken] =
-      JsonEncoder[String].contramap(_.value)
-
     implicit val encoder: JsonEncoder[RestApiAccount] = DeriveJsonEncoder.gen[RestApiAccount]
   }
 
@@ -312,7 +302,7 @@ object UserApiImpl {
       accounts: RestAccountId
   )
 
-  object RestAccountIdResponse extends UserJsonCodec {
+  object RestAccountIdResponse extends ApiAccountCodecs {
     implicit val accountIdResponseEncoder: JsonEncoder[RestAccountId]         = DeriveJsonEncoder.gen[RestAccountId]
     implicit val encoder:                  JsonEncoder[RestAccountIdResponse] = DeriveJsonEncoder.gen[RestAccountIdResponse]
 
diff --git a/api-authorizations/src/test/scala/com/normation/plugins/apiauthorizations/MockServices.scala b/api-authorizations/src/test/scala/com/normation/plugins/apiauthorizations/MockServices.scala
index 3446fc934..fed3736e1 100644
--- a/api-authorizations/src/test/scala/com/normation/plugins/apiauthorizations/MockServices.scala
+++ b/api-authorizations/src/test/scala/com/normation/plugins/apiauthorizations/MockServices.scala
@@ -5,7 +5,7 @@ import com.normation.eventlog.EventActor
 import com.normation.eventlog.ModificationId
 import com.normation.rudder.api.ApiAccount
 import com.normation.rudder.api.ApiAccountId
-import com.normation.rudder.api.ApiToken
+import com.normation.rudder.api.ApiTokenHash
 import com.normation.rudder.api.RoApiAccountRepository
 import com.normation.rudder.api.TokenGenerator
 import com.normation.rudder.api.WoApiAccountRepository
@@ -27,7 +27,7 @@ class MockServices(newToken: String, accounts: Map[ApiAccountId, ApiAccount] = M
     }
 
     override def getAllStandardAccounts: IOResult[Seq[ApiAccount]] = ???
-    override def getByToken(token: ApiToken): IOResult[Option[ApiAccount]] = ???
+    override def getByToken(token: ApiTokenHash): IOResult[Option[ApiAccount]] = ???
     override def getSystemAccount: ApiAccount = ???
   }
 
diff --git a/api-authorizations/src/test/scala/com/normation/plugins/apiauthorizations/api/UserApiTest.scala b/api-authorizations/src/test/scala/com/normation/plugins/apiauthorizations/api/UserApiTest.scala
index 4612acb04..234cc5ce5 100644
--- a/api-authorizations/src/test/scala/com/normation/plugins/apiauthorizations/api/UserApiTest.scala
+++ b/api-authorizations/src/test/scala/com/normation/plugins/apiauthorizations/api/UserApiTest.scala
@@ -4,19 +4,11 @@ import better.files.*
 import com.normation.errors.IOResult
 import com.normation.errors.effectUioUnit
 import com.normation.rudder.AuthorizationType
-import com.normation.rudder.api.ApiAccount
-import com.normation.rudder.api.ApiAccountId
-import com.normation.rudder.api.ApiAccountKind
-import com.normation.rudder.api.ApiAccountName
-import com.normation.rudder.api.ApiAuthorization
-import com.normation.rudder.api.ApiToken
-import com.normation.rudder.api.ApiVersion
+import com.normation.rudder.api.*
 import com.normation.rudder.facts.nodes.NodeSecurityContext
 import com.normation.rudder.rest.RestTestSetUp
 import com.normation.rudder.rest.TraitTestApiFromYamlFiles
-import com.normation.rudder.users.AuthenticatedUser
-import com.normation.rudder.users.RudderAccount
-import com.normation.rudder.users.UserService
+import com.normation.rudder.users.*
 import java.nio.file.Files
 import org.joda.time.DateTime
 import org.joda.time.DateTimeUtils
@@ -43,7 +35,7 @@ class UserApiTest extends ZIOSpecDefault {
       ApiAccountId("user1"),
       ApiAccountKind.System, // so that we have access to the plugin endpoints
       ApiAccountName("user1"),
-      ApiToken("v2:some-hashed-token"),
+      Some(ApiTokenHash.fromHashValue("v2:some-hashed-token")),
       "number one user",
       isEnabled = true,
       creationDate = accountCreationDate,
diff --git a/auth-backends/README.adoc b/auth-backends/README.adoc
index b0c26ad87..2f8b67f24 100644
--- a/auth-backends/README.adoc
+++ b/auth-backends/README.adoc
@@ -435,7 +435,7 @@ It was an AD error that seems to have been triggered by some unexpected request
 If you want to connect with a secure connection to an LDAP or AD, you need to add the
 directory certificate to Rudder's JVM `keystore`.
 
-Without that, you will see errors in `/var/log/rudder/webapp/XXXXXXX_stderrout.log` files like:
+Without that, you will see errors in `/var/log/rudder/webapp/webapp.log` files like:
 
 ```
 WARN  application - Login authentication failed for user 'xxx' from IP '127.0.0.1|X-Forwarded-For:xxx.xxx.xxx.xxx': simple bind failed: xxx.xxx:636; nested exception is javax.naming.CommunicationException: simple bind failed:
@@ -477,7 +477,7 @@ https://openid.net/connect/[OpenID Connect] (OIDC) is a very common SSO protocol
 
 These protocols delegate the actual authentication to an identity provider (IdP) that in turns send the relevant authentication information to the client, i.e. to Rudder in our case. These `IdP` can be public providers, like https://google.com[Google], deployed and managed internally in a company, like ForgeRock's open source https://forgerock.github.io/openam-community-edition/[OpenAM], or used as SaaS, like https://okta.com[Okta] - and often, providers do a mix of these things.
 
-Rudder support plain old `OAUTHv2` and `OpentID Connect`. They have several normalized scenario and Rudder supports the most common for a web application server side authentication: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authentication using Authorization Code Flow].
+Rudder support plain old `OAUTHv2` and `OpenID Connect`. They have several normalized scenario and Rudder supports the most common for a web application server side authentication: https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth[Authentication using Authorization Code Flow].
 
 [NOTE]
 
@@ -708,7 +708,7 @@ in `/opt/rudder/etc/rudder-web.properties` and *not* in each file under `/opt/ru
 
 Check that you correctly updated parameter `rudder.auth.provider` to include `oidc` or `oauth2` in
 the list, that you have at least one key defined in `rudder.auth.oauth2.provider.registrations`, and
-that you have Rudder webapp logs (`/var/log/rudder/webapp/YYYY_mm_dd.stderrout.log`) lines like:
+that you have Rudder webapp logs (`/var/log/rudder/webapp/webapp.log`) lines like:
 
 ----
 [timestamp] INFO  application - Configured authentication provider(s): [rootAdmin, oidc, file]
@@ -821,4 +821,206 @@ It means that the role `node_all` is not recognized. It is because it is not a r
 
 In this case you should create a custom role (let's say `access_to_node`) with the permission `node_all`
 that you will map to your IdP role `role-oidc-a` and modifying the parameter `mapping.entitlements` in the OIDC config file like so:
-`rudder.auth.oauth2.provider.okta.roles.mapping.entitlements.role-oidc-a=access_to_node`
+`rudder.auth.oauth2.provider.okta.roles.mapping.entitlements.role-oidc-a=access_to_node`.
+
+
+=== OAuth2 tokens : JWT and opaque bearer tokens
+
+OAuth2 tokens are used to grant access to resources, using authentication tokens, serving the purpose of authenticating machines, automated systems, etc.
+There are two types of tokens implemented as authentication backends in Rudder: JWT (JSON Web Tokens) and opaque bearer tokens.
+
+JWT tokens contain user information and permissions in a JSON format. They can be verified using a signature, allowing for local validation without contacting the authorization server.
+
+Opaque bearer tokens do not contain user information. They serve as a reference to session or authorization data stored on the server. To validate these tokens, the resource server must contact the authorization server to obtain user details.
+
+Both are implemented with configuration that is similar to the provisioning of users with OIDC, except that tokens are involved :
+
+* for JWT, Rudder can locally validate the token's signature, ensuring that the token has not been tampered with and that it is issued by a trusted source. This local validation improves performance and reliability, since it reduces the need for frequent communication with the authorization server (signature keys are fetched from the server, are they are cached, but revoked at some point).
+* for opaque bearer tokens, Rudder relies on the authorization server to validate the token. This means that requests with an opaque token requires a call to the authorization server for introspection. While this can introduce some latency, it ensures that the most up-to-date user information is used when resolving token authentication.
+
+Tenants and roles mapping can be configured for both :
+
+* for JWT, the token has custom attributes
+* for opaque bearer token, the token is bound with an API account in Rudder, which can have ACLs and tenants
+
+WARNING: In Rudder, you should use only one of both tokens, provided that they are configured correctly (see below for example configurations)
+
+==== Obtaining and using JWT token in Rudder
+
+First you will need to obtain a valid JWT token from your IdP, for example from Okta :
+
+```
+curl --request POST 'https://xxxx.okta.com/oauth2/xxxxaudiencexxxx/v1/token' \
+--header 'Accept: application/json' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--header 'Authorization: Basic xxx' \
+--data 'grant_type=client_credentials'
+```
+
+It will return an access token in the payload that should directly be usable with the Rudder REST API as a `Bearer` token i.e. with the header `Authorization: Bearer the_access_token`.
+
+Below is an example configuration for handling JWT tokens in Rudder from an external OAuth2 provider `okta`.
+You will need to put this configuration in the application properties by adding it to the properties folder, so `/opt/rudder/etc/rudder-web.properties.d/oauth2-api-jwt.properties` by default, and you will need to replace `okta` with your actual provider.
+
+```
+# Authentication provider id in rudder.auth.provider:
+# - OAUTHv2 with JWT: oauth2ApiJwt
+
+# Configure the list of Identity provider services. Here, you choose
+# an identifier for each service as a comma separated list.
+# Identifier should be lower case ascii, -, _. For example, if
+# your company uses both "Okta" and "Google", you can choose "okta" and
+# "google" (how original) identifiers:
+rudder.auth.oauth2.jwt.provider.registrations=okta
+
+# Now, configure Okta related properties. You will need to do
+# the same for each provider with an identifier.
+
+# The identity service provider name as it will be displayed in Rudder
+rudder.auth.oauth2.jwt.provider.okta.name=Okta
+
+# Space separated list of OAUTHv2 "scope" for claims that should be included in the identity
+# token once authentication is done. These values should be documented by your IdP documentation.
+# Rudder only need to have at least scope which provides the attribute that will be used for
+# `userId` (see next property)
+rudder.auth.oauth2.jwt.provider.okta.scope=openid email profile groups
+
+# The single most important property for a JWT token: where the
+# IdP public keys that will be used to check the JWT signature are located. 
+# The audience is part of the uri :
+rudder.auth.oauth2.jwt.provider.okta.uri.jwkSet=https://xxxx.okta.com/oauth2/xxx/v1/keys
+
+# role mapping: OIDC token will provide extended roles to user
+rudder.auth.oauth2.jwt.provider.okta.roles.enabled=true
+rudder.auth.oauth2.jwt.provider.okta.roles.attribute=customroles
+rudder.auth.oauth2.jwt.provider.okta.roles.override=true
+rudder.auth.oauth2.jwt.provider.okta.roles.mapping.enforced=true 
+rudder.auth.oauth2.jwt.provider.okta.roles.mapping.entitlements.rudder_admin=administrator
+rudder.auth.oauth2.jwt.provider.okta.roles.mapping.entitlements.rudder_readonly=readonly
+rudder.auth.oauth2.jwt.provider.okta.enableProvisioning=true
+
+# tenants
+rudder.auth.oauth2.jwt.provider.okta.tenants.enabled=true
+rudder.auth.oauth2.jwt.provider.okta.tenants.attribute=customroles
+rudder.auth.oauth2.jwt.provider.okta.tenants.override=true
+rudder.auth.oauth2.jwt.provider.okta.tenants.mapping.enforced=true 
+rudder.auth.oauth2.jwt.provider.okta.tenants.mapping.entitlements.rudder_ta=tenantA
+rudder.auth.oauth2.jwt.provider.okta.tenants.mapping.entitlements.rudder_tb=tenantB
+rudder.auth.oauth2.jwt.provider.okta.tenants.mapping.entitlements.rudder_admin=*
+```
+
+
+==== Configuration to use opaque bearer tokens
+
+First you will need to obtain a bearer token from your IdP, for example with Okta using the https://xxxx.okta.com/oauth2/v1/authorize?client_id=...&scope=openid&response_type=token&...
+
+Then you will need to create an API account in Rudder, without a token (because it is used to identify opaque bearer tokens and to declare authorizations, tenants, etc.).
+When creating the API account, The `Account ID` field should have the value of the `cid` (client id) attribute of the opaque bearer token that needs to be identified.
+
+Once the API account is created and as long as it is not expired, the access token that was obtained above should directly be usable with the Rudder REST API as a `Bearer` token i.e. with the header `Authorization: Bearer the_access_token`.
+
+Below is an example configuration for handling opaque bearer token tokens in Rudder from an external OAuth2 provider `okta`.
+You will need to put this configuration in the application properties by adding it to the properties folder, so `/opt/rudder/etc/rudder-web.properties.d/oauth2-api-opaque.properties` by default, and you will need to replace `okta` with your actual provider.
+
+```
+# Authentication provider id in rudder.auth.provider:
+# - OAUTHv2 with opaque bearer token: oauth2ApiOpaqueToken
+
+# Configure the list of Identity provider services. Here, you choose
+# an identifier for each service as a comma separated list.
+# Identifier should be lower case ascii, -, _. For example, if
+# your company uses both "Okta" and "Google", you can choose "okta" and
+# "google" (how original) identifiers:
+rudder.auth.oauth2.opaque.provider.registrations=okta
+
+# Now, configure Okta related properties. You will need to do
+# the same for each provider with an identifier.
+
+# The identity service provider name as it will be displayed in Rudder
+rudder.auth.oauth2.opaque.provider.okta.name=Okta
+
+# In Oauth2/OIDC, a client (ie, Rudder) is identifier by a pair of credentials:
+# - 1/ an id,
+# - 2/ a corresponding secret key.
+#
+# 1/ Identifier of the application you created in your IdP for Rudder.
+#    In Okta, it will be listed under https://xxxx-admin.okta.com/admin/apps/active
+#    once you created it with "Create App Integration". If you click on your application,
+#    it's located in "Client Credential > Client ID".
+#
+rudder.auth.oauth2.opaque.provider.okta.client.id=xxxx
+#
+# 2/ The corresponding "client secret", provided by your Identity Provider.
+#    For Okta, it's available when you click on your application in
+#    https://xxxx-admin.okta.com/admin/apps/active in "Client Credential > Client Secret"
+rudder.auth.oauth2.opaque.provider.okta.client.secret=xxxx
+
+#
+# Opaque bearer tokens must be validated by the IdP on an "introspect" URL.
+# This URL is dependant of your local identity provider configuration but
+# generally looks like: https://baseurl/v1/introspect, for example for OKTA:
+# https://instance-id.okta.com/oauth2/v1/introspect
+#
+rudder.auth.oauth2.opaque.provider.okta.uri.introspect=https://xxxx.okta.com/oauth2/v1/introspect
+
+#
+# An opaque access token is just used for validating the authentication. A corresponding
+# API token must exist in Rudder to define things like token authorization, tenants
+# access, etc. The mapping is done thanks to an attribute value of the token.
+# By default, and as advised in the OAuth2 standard, we use by default the value
+# for attribute `client_id` but some OIDC configuration use something else
+# (`sub`, `cid`... ) so this can be changed with that property.
+#
+# Optional, default "client_id".
+# The name of the attribute in the access token that should be used to map to
+# Rudder API token ID.
+#
+rudder.auth.oauth2.opaque.provider.okta.userNameAttributeName=client_id
+```
+
+==== Common errors during token authentication
+
+Token authentication can result in errors, simply due to token validity, or due to misconfiguration in the IdP/in Rudder. Here are some common errors and guidelines to help troubleshoot these issues.
+
+*Token is invalid*
+
+Such cases may especially happen with JWT, there will be Webapp error logs (in `/var/log/rudder/webapp/webapp.log`) :
+
+----
+[timestamp] INFO  application.authentication - Rudder authentication attempt for principal '[token]' with backend 'oauth2ApiJwt': failure: An error occurred while attempting to decode the Jwt: Malformed token
+----
+Ensure that the token is correctly formatted and has not been altered. You can verify the structure of the Base64 encoded JSON locally or by using an https://jwt.io/[online debugger].
+
+
+*Invalid signature*
+
+Check that the token's signature matches the expected signature. This often involves verifying the signing key or algorithm used.
+Error logs will also be issued by the Webapp :
+----
+[timestamp] INFO  application.authentication - Rudder authentication attempt for principal '[token]' with backend 'oauth2ApiJwt': failure: An error occurred while attempting to decode the Jwt: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
+----
+
+
+*Token is expired*
+
+The different types of token have an expiration policy, so a new token will need to be used instead. When authenticating with an expired token, here are some example error logs for JWT and opaque bearer token respectively :
+
+----
+[timestamp] INFO  application.authentication - Rudder authentication attempt for principal '[token]' with backend 'oauth2ApiJwt': failure: An error occurred while attempting to decode the Jwt: Jwt expired at 2025-XX-XXTXX:XX:XXZ
+[timestamp] INFO  application.authentication - Rudder authentication attempt for principal '[token]' with backend 'oauth2ApiOpaqueToken': failure: Provided token isn't active
+----
+
+*API account in Rudder does not exist or has expired*
+
+In the case of opaque bearer tokens, an API account with a specific account ID is needed (it should have the value of the client ID attribute of the generated opaque token). The API account also has an expiration date, that can be modified in Rudder if needed. The error log corresponding to an invalid API account is :
+----
+[timestamp] INFO  application.authentication - Rudder authentication attempt for principal '[token]' with backend 'oauth2ApiOpaqueToken': failure: An opaque Bearer token was received but No token with ID [accountID] is configured in Rudder
+----
+
+*Token ID is invalid because due to missing claim*
+
+In the configuration properties for opaque bearer tokens, there is a `rudder.auth.oauth2.opaque.provider.okta.userNameAttributeName` property that should be an attribute that is defined in the token. Otherwise, an error will be logged and the property will need to be changed (https://jwt.io/[debugging the Base64 token] could help finding the right value) : 
+
+----
+[timestamp] INFO  application.authentication - Rudder authentication attempt for principal '[token]' with backend 'oauth2ApiOpaqueToken': failure: An opaque Bearer token was received but it doesn't have a '[userNameAttributeName_value]' claim, so we don't have a token ID and the token is invalid
+----
diff --git a/auth-backends/packaging/metadata b/auth-backends/packaging/metadata
index 5bde8255d..ba4bfabd8 100644
--- a/auth-backends/packaging/metadata
+++ b/auth-backends/packaging/metadata
@@ -8,5 +8,6 @@
   "jar-files": [ "/opt/rudder/share/plugins/${plugin-name}/${plugin-name}.jar" ],
   "content": {
     "files.txz": "/opt/rudder/share/plugins"
-  }
+  },
+  "requires-license": true
 }
diff --git a/auth-backends/pom-template.xml b/auth-backends/pom-template.xml
index dd70231ce..359bcde9a 100644
--- a/auth-backends/pom-template.xml
+++ b/auth-backends/pom-template.xml
@@ -58,6 +58,11 @@
       <artifactId>spring-security-oauth2-client</artifactId>
       <version>${spring-security-version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.security</groupId>
+      <artifactId>spring-security-oauth2-resource-server</artifactId>
+      <version>${spring-security-version}</version>
+    </dependency>
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-oauth2-jose</artifactId>
@@ -71,12 +76,12 @@
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
-       <version>2.17.0</version>
+       <version>2.18.1</version>
     </dependency>
     <dependency>
       <groupId>com.nimbusds</groupId>
       <artifactId>nimbus-jose-jwt</artifactId>
-      <version>9.37.3</version>
+      <version>9.45</version>
       <exclusions>
         <exclusion>
           <groupId>net.minidev</groupId>
diff --git a/auth-backends/src/main/resources/applicationContext-security-auth-oauth2ApiJwt.xml b/auth-backends/src/main/resources/applicationContext-security-auth-oauth2ApiJwt.xml
new file mode 100644
index 000000000..318885100
--- /dev/null
+++ b/auth-backends/src/main/resources/applicationContext-security-auth-oauth2ApiJwt.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+Copyright 2022 Normation SAS
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+In accordance with the terms of section 7 (7. Additional Terms.) of
+the GNU Affero GPL v3, the copyright holders add the following
+Additional permissions:
+Notwithstanding to the terms of section 5 (5. Conveying Modified Source
+Versions) and 6 (6. Conveying Non-Source Forms.) of the GNU Affero GPL v3
+licence, when you create a Related Module, this Related Module is
+not considered as a part of the work and may be distributed under the
+license agreement of your choice.
+A "Related Module" means a set of sources files including their
+documentation that, without modification of the Source Code, enables
+supplementary functions or services in addition to those offered by
+the Software.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/agpl.html>.
+-->
+
+<!-- do not delete - this is the empty configuration file for spring bean for rootAdmin backend -->
+
+<beans:beans xmlns="http://www.springframework.org/schema/security"
+    xmlns:beans="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-5.3.xsd">
+
+
+</beans:beans>
diff --git a/auth-backends/src/main/resources/applicationContext-security-auth-oauth2ApiOpaqueToken.xml b/auth-backends/src/main/resources/applicationContext-security-auth-oauth2ApiOpaqueToken.xml
new file mode 100644
index 000000000..318885100
--- /dev/null
+++ b/auth-backends/src/main/resources/applicationContext-security-auth-oauth2ApiOpaqueToken.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+Copyright 2022 Normation SAS
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+In accordance with the terms of section 7 (7. Additional Terms.) of
+the GNU Affero GPL v3, the copyright holders add the following
+Additional permissions:
+Notwithstanding to the terms of section 5 (5. Conveying Modified Source
+Versions) and 6 (6. Conveying Non-Source Forms.) of the GNU Affero GPL v3
+licence, when you create a Related Module, this Related Module is
+not considered as a part of the work and may be distributed under the
+license agreement of your choice.
+A "Related Module" means a set of sources files including their
+documentation that, without modification of the Source Code, enables
+supplementary functions or services in addition to those offered by
+the Software.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/agpl.html>.
+-->
+
+<!-- do not delete - this is the empty configuration file for spring bean for rootAdmin backend -->
+
+<beans:beans xmlns="http://www.springframework.org/schema/security"
+    xmlns:beans="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-5.3.xsd">
+
+
+</beans:beans>
diff --git a/auth-backends/src/main/scala-templates/default/com/normation/plugins/authbackends/EnablePluginImpl.scala b/auth-backends/src/main/scala-templates/default/com/normation/plugins/authbackends/EnablePluginImpl.scala
index 0a6d4236e..b981d3395 100644
--- a/auth-backends/src/main/scala-templates/default/com/normation/plugins/authbackends/EnablePluginImpl.scala
+++ b/auth-backends/src/main/scala-templates/default/com/normation/plugins/authbackends/EnablePluginImpl.scala
@@ -38,10 +38,10 @@
 package com.normation.plugins.authbackends
 
 import com.normation.plugins.PluginEnableImpl
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 
 /*
  * The class will be loaded by ServiceLoader, it needs an empty constructor.
  */
 
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends PluginEnableImpl
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends PluginEnableImpl
diff --git a/auth-backends/src/main/scala-templates/limited/com/normation/plugins/authbackends/EnablePluginImpl.scala b/auth-backends/src/main/scala-templates/limited/com/normation/plugins/authbackends/EnablePluginImpl.scala
index e58dcbbc9..79adc8412 100644
--- a/auth-backends/src/main/scala-templates/limited/com/normation/plugins/authbackends/EnablePluginImpl.scala
+++ b/auth-backends/src/main/scala-templates/limited/com/normation/plugins/authbackends/EnablePluginImpl.scala
@@ -38,7 +38,7 @@
 package com.normation.plugins.authbackends
 
 import com.normation.plugins.LicensedPluginCheck
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 import com.normation.zio.*
 
 /*
@@ -48,12 +48,12 @@ import com.normation.zio.*
  *
  * The class will be loaded by ServiceLoader, it needs an empty constructor.
  */
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends LicensedPluginCheck {
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends LicensedPluginCheck {
   // here are processed variables
   def pluginResourcePublickey = "${plugin-resource-publickey}"
   def pluginResourceLicense   = "${plugin-resource-license}"
   def pluginDeclaredVersion   = "${plugin-declared-version}"
   def pluginId                = "${plugin-fullname}"
 
-  override def getNumberOfNodes: Int = nodeInfoService.getNumberOfManagedNodes.runNow
+  override def getNumberOfNodes: Int = nodeFactRepo.getNumberOfManagedNodes().runNow
 }
diff --git a/auth-backends/src/main/scala/bootstrap/rudder/plugin/AuthBackendsConf.scala b/auth-backends/src/main/scala/bootstrap/rudder/plugin/AuthBackendsConf.scala
index 30a2eb6ff..836d78868 100644
--- a/auth-backends/src/main/scala/bootstrap/rudder/plugin/AuthBackendsConf.scala
+++ b/auth-backends/src/main/scala/bootstrap/rudder/plugin/AuthBackendsConf.scala
@@ -44,20 +44,12 @@ import bootstrap.liftweb.RudderInMemoryUserDetailsService
 import bootstrap.liftweb.RudderProperties
 import com.normation.errors.IOResult
 import com.normation.plugins.RudderPluginModule
-import com.normation.plugins.authbackends.AuthBackendsLogger
-import com.normation.plugins.authbackends.AuthBackendsLoggerPure
-import com.normation.plugins.authbackends.AuthBackendsPluginDef
-import com.normation.plugins.authbackends.AuthBackendsRepositoryImpl
-import com.normation.plugins.authbackends.CheckRudderPluginEnableImpl
-import com.normation.plugins.authbackends.LoginFormRendering
-import com.normation.plugins.authbackends.RudderClientRegistration
-import com.normation.plugins.authbackends.RudderPropertyBasedOAuth2RegistrationDefinition
+import com.normation.plugins.authbackends.*
 import com.normation.plugins.authbackends.api.AuthBackendsApiImpl
 import com.normation.plugins.authbackends.snippet.Oauth2LoginBanner
 import com.normation.rudder.Role
 import com.normation.rudder.RudderRoles
-import com.normation.rudder.api.AclPath
-import com.normation.rudder.api.ApiAuthorization
+import com.normation.rudder.api.*
 import com.normation.rudder.domain.eventlog.RudderEventActor
 import com.normation.rudder.domain.logger.ApplicationLoggerPure
 import com.normation.rudder.domain.logger.PluginLogger
@@ -66,10 +58,10 @@ import com.normation.rudder.rest.RoleApiMapping
 import com.normation.rudder.users.*
 import com.normation.zio.*
 import com.typesafe.config.ConfigException
-import java.net.URI
-import java.util
 import jakarta.servlet.http.HttpServletRequest
 import jakarta.servlet.http.HttpServletResponse
+import java.net.URI
+import java.util
 import org.joda.time.DateTime
 import org.springframework.context.ApplicationContext
 import org.springframework.context.ApplicationContextAware
@@ -79,11 +71,14 @@ import org.springframework.core.ParameterizedTypeReference
 import org.springframework.core.convert.converter.Converter
 import org.springframework.http.RequestEntity
 import org.springframework.http.ResponseEntity
+import org.springframework.security.authentication.AbstractAuthenticationToken
 import org.springframework.security.authentication.AuthenticationManager
+import org.springframework.security.authentication.AuthenticationProvider
 import org.springframework.security.core.Authentication
 import org.springframework.security.core.GrantedAuthority
 import org.springframework.security.core.authority.SimpleGrantedAuthority
 import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper
+import org.springframework.security.core.userdetails.UserDetails
 import org.springframework.security.core.userdetails.UsernameNotFoundException
 import org.springframework.security.oauth2.client.InMemoryOAuth2AuthorizedClientService
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService
@@ -111,6 +106,19 @@ import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority
 import org.springframework.security.oauth2.core.user.DefaultOAuth2User
 import org.springframework.security.oauth2.core.user.OAuth2User
 import org.springframework.security.oauth2.core.user.OAuth2UserAuthority
+import org.springframework.security.oauth2.jwt.Jwt
+import org.springframework.security.oauth2.jwt.JwtDecoder
+import org.springframework.security.oauth2.jwt.NimbusJwtDecoder
+import org.springframework.security.oauth2.server.resource.InvalidBearerTokenException
+import org.springframework.security.oauth2.server.resource.authentication.BearerTokenAuthentication
+import org.springframework.security.oauth2.server.resource.authentication.DefaultOpaqueTokenAuthenticationConverter
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationProvider
+import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken
+import org.springframework.security.oauth2.server.resource.authentication.OpaqueTokenAuthenticationProvider
+import org.springframework.security.oauth2.server.resource.introspection.NimbusOpaqueTokenIntrospector
+import org.springframework.security.oauth2.server.resource.introspection.OpaqueTokenAuthenticationConverter
+import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter
 import org.springframework.security.web.DefaultSecurityFilterChain
 import org.springframework.security.web.authentication.AuthenticationFailureHandler
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler
@@ -121,6 +129,7 @@ import org.springframework.web.client.RestOperations
 import org.springframework.web.client.RestTemplate
 import org.springframework.web.client.UnknownContentTypeException
 import scala.jdk.CollectionConverters.*
+import zio.ZIO
 import zio.syntax.*
 
 /*
@@ -133,7 +142,7 @@ object AuthBackendsConf extends RudderPluginModule {
   val DISPLAY_LOGIN_FORM_PROP = "rudder.auth.displayLoginForm"
 
   // by build convention, we have only one of that on the classpath
-  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeInfoService)
+  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeFactRepository)
 
   lazy val authBackendsProvider = new AuthBackendsProvider {
     def authenticationBackends = Set("ldap")
@@ -145,7 +154,12 @@ object AuthBackendsConf extends RudderPluginModule {
     }
   }
 
-  val oauthBackendNames = Set("oauth2", "oidc")
+  private val oauthBackendNames       = Set(RudderOAuth2UserService.PROTOCOL_ID, RudderOidcUserService.PROTOCOL_ID)
+  // Javascript web token
+  private val jwtBackendNames         = Set(RudderJwtAuthenticationProvider.PROTOCOL_ID)
+  // opaque bearer token
+  private val opaqueTokenBackendNames = Set(RudderOpaqueTokenAuthenticationProvider.PROTOCOL_ID)
+
   RudderConfig.authenticationProviders.addProvider(authBackendsProvider)
   RudderConfig.authenticationProviders.addProvider(new AuthBackendsProvider() {
     override def authenticationBackends: Set[String] = oauthBackendNames
@@ -153,17 +167,35 @@ object AuthBackendsConf extends RudderPluginModule {
       s"Oauth2 and OpenID Connect authentication backends provider: '${authenticationBackends.mkString("','")}"
     override def allowedToUseBackend(name: String): Boolean = pluginStatusService.isEnabled()
   })
+  RudderConfig.authenticationProviders.addProvider(new AuthBackendsProvider() {
+    override def authenticationBackends: Set[String] = jwtBackendNames
+    override def name:                   String      =
+      s"Oauth2 and OpenID Connect authentication backends provider for JWT Bearer token in REST API: '${authenticationBackends.mkString("','")}"
+    override def allowedToUseBackend(name: String): Boolean = pluginStatusService.isEnabled()
+  })
+  RudderConfig.authenticationProviders.addProvider(new AuthBackendsProvider() {
+    override def authenticationBackends: Set[String] = opaqueTokenBackendNames
+    override def name:                   String      =
+      s"Oauth2 and OpenID Connect authentication backends provider for Opaque Bearer token in REST API: '${authenticationBackends.mkString("','")}"
+    override def allowedToUseBackend(name: String): Boolean = pluginStatusService.isEnabled()
+  })
 
-  lazy val isOauthConfiguredByUser = {
-    // We need to know if we have to initialize oauth/oicd specific code and snippet.
+  lazy val (isOauthConfiguredByUser: Boolean, isJwtConfiguredByUser: Boolean, isOpaqueTokenConfiguredByUser: Boolean) = {
+    // We need to know if we have to initialize oauth/oidc specific code and snippet.
     // For that, we need to look in config file directly, because initialisation is complicated and we have no way to
     // know what part of auth is initialized before what other. It duplicates parsing, but it seems to be the price
     // of having plugins & spring. We let the full init be done in rudder itself.
     val configuredAuthProviders = AuthenticationMethods.getForConfig(RudderProperties.config).map(_.name)
-    configuredAuthProviders.find(a => oauthBackendNames.contains(a)).isDefined
+    (
+      configuredAuthProviders.exists(a => oauthBackendNames.contains(a)),
+      configuredAuthProviders.exists(a => jwtBackendNames.contains(a)),
+      configuredAuthProviders.exists(a => opaqueTokenBackendNames.contains(a))
+    )
   }
 
-  lazy val oauth2registrations = RudderPropertyBasedOAuth2RegistrationDefinition.make().runNow
+  lazy val oauth2registrations      = RudderPropertyBasedOAuth2RegistrationDefinition.make().runNow
+  lazy val jwtRegistrations         = RudderPropertyBasedJwtRegistrationDefinition.make().runNow
+  lazy val opaqueTokenRegistrations = RudderPropertyBasedOpaqueTokenRegistrationDefinition.make().runNow
 
   override lazy val pluginDef: AuthBackendsPluginDef = new AuthBackendsPluginDef(AuthBackendsConf.pluginStatusService)
 
@@ -189,7 +221,7 @@ object AuthBackendsConf extends RudderPluginModule {
   if (isOauthConfiguredByUser) {
     PluginLogger.info(s"Oauthv2 or OIDC authentication backend is enabled, updating login form")
     RudderConfig.snippetExtensionRegister.register(
-      new Oauth2LoginBanner(pluginStatusService, pluginDef.version, oauth2registrations)
+      new Oauth2LoginBanner(pluginStatusService, oauth2registrations)
     )
   }
 }
@@ -257,10 +289,12 @@ class AuthBackendsSpringConfiguration extends ApplicationContextAware {
 
       RudderConfig.authenticationProviders.addSpringAuthenticationProvider(
         RudderOAuth2UserService.PROTOCOL_ID,
+        // here, we can't use applicationContext.getBean without circular reference. It will be put in Spring cache.
         oauth2AuthenticationProvider(rudderUserService, registrationRepository, userRepository, roleApiMapping)
       )
       RudderConfig.authenticationProviders.addSpringAuthenticationProvider(
         RudderOidcUserService.PROTOCOL_ID,
+        // here, we can't use applicationContext.getBean without circular reference. It will be put in Spring cache.
         oidcAuthenticationProvider(rudderUserService, registrationRepository, userRepository, roleApiMapping)
       )
       val manager =
@@ -274,6 +308,66 @@ class AuthBackendsSpringConfiguration extends ApplicationContextAware {
 
       applicationContext.getAutowireCapableBeanFactory.configureBean(newSecurityChain, "mainHttpSecurityFilters")
     }
+
+    // Adding API authentication protected with OAuth2 thanks to a JWT "bearer token"
+    if (AuthBackendsConf.isJwtConfiguredByUser) {
+      // only add filter if we have one registration
+      val optConfig = applicationContext.getBean("jwtRegistrationRepository", classOf[Option[RudderJwtRegistration]])
+      optConfig match {
+
+        case Some(config) =>
+          RudderConfig.authenticationProviders.addSpringAuthenticationProvider(
+            RudderJwtAuthenticationProvider.PROTOCOL_ID,
+            // here, we can't use applicationContext.getBean without circular reference. It will be put in Spring cache.
+            oauth2ApiJwtAuthenticationProvider(optConfig)
+          )
+
+          val http    = applicationContext.getBean("publicApiSecurityFilter", classOf[DefaultSecurityFilterChain])
+          val filters = http.getFilters
+          val manager =
+            applicationContext.getBean("org.springframework.security.authenticationManager", classOf[AuthenticationManager])
+          filters.add(3, new BearerTokenAuthenticationFilter(manager))
+
+          val newSecurityChain = new DefaultSecurityFilterChain(http.getRequestMatcher, filters)
+
+          applicationContext.getAutowireCapableBeanFactory.configureBean(newSecurityChain, "publicApiSecurityFilter")
+
+        case None =>
+          AuthBackendsLogger.info(
+            s"${RudderJwtAuthenticationProvider.PROTOCOL_ID} is configured as an authentication provider but there is no valid registration for it: it will be ignored"
+          )
+      }
+    }
+
+    // Adding API authentication protected with OAuth2 thanks to an "opaque access bearer token"
+    if (AuthBackendsConf.isOpaqueTokenConfiguredByUser) {
+      // only add filter if we have one registration
+      val optConfig =
+        applicationContext.getBean("opaqueTokenRegistrationRepository", classOf[Option[RudderOpaqueTokenRegistration]])
+      optConfig match {
+        case Some(config) =>
+          RudderConfig.authenticationProviders.addSpringAuthenticationProvider(
+            RudderJwtAuthenticationProvider.PROTOCOL_ID,
+            // here, we can't use applicationContext.getBean without circular reference. It will be put in Spring cache.
+            oauth2ApiOpaqueTokenAuthenticationProvider(optConfig)
+          )
+
+          val http    = applicationContext.getBean("publicApiSecurityFilter", classOf[DefaultSecurityFilterChain])
+          val filters = http.getFilters
+          val manager =
+            applicationContext.getBean("org.springframework.security.authenticationManager", classOf[AuthenticationManager])
+          filters.add(3, new BearerTokenAuthenticationFilter(manager))
+
+          val newSecurityChain = new DefaultSecurityFilterChain(http.getRequestMatcher, filters)
+
+          applicationContext.getAutowireCapableBeanFactory.configureBean(newSecurityChain, "publicApiSecurityFilter")
+
+        case None =>
+          AuthBackendsLogger.warn(
+            s"Warning! ${RudderOpaqueTokenAuthenticationProvider.PROTOCOL_ID} is configured as an authentication provider but there is no valid registration for it: it will be ignored"
+          )
+      }
+    }
   }
 
   @Bean def userRepository: UserRepository = RudderConfig.userRepository
@@ -285,7 +379,7 @@ class AuthBackendsSpringConfiguration extends ApplicationContextAware {
 
   /**
    * We read configuration for OIDC providers in rudder config files.
-   * The format is defined in
+   * The format is defined in documentation and parsed in RudderPropertyBasedOAuth2RegistrationDefinition
    */
   @Bean def clientRegistrationRepository: RudderClientRegistrationRepository = {
     val registrations = (
@@ -295,19 +389,75 @@ class AuthBackendsSpringConfiguration extends ApplicationContextAware {
       } yield {
         r.toMap
       }
-    ).foldZIO(
-      err =>
-        (if (AuthBackendsConf.isOauthConfiguredByUser) {
-           AuthBackendsLoggerPure.error(err.fullMsg)
-         } else {
-           AuthBackendsLoggerPure.debug(err.fullMsg)
-         }) *> Map.empty[String, RudderClientRegistration].succeed,
-      ok => ok.succeed
-    ).runNow
+    ).catchAll { err =>
+      (if (AuthBackendsConf.isOauthConfiguredByUser) {
+         AuthBackendsLoggerPure.error(err.fullMsg)
+       } else {
+         AuthBackendsLoggerPure.debug(err.fullMsg)
+       }) *> Map.empty[String, RudderClientRegistration].succeed
+    }.runNow
 
     new RudderClientRegistrationRepository(registrations)
   }
 
+  /**
+   * We also need to read configuration for JWT providers in rudder config files.
+   * The format is defined in documentation and parsed in RudderPropertyBasedJwtRegistrationDefinition
+   *
+   * For now, we are able to manage ONLY ONE registration, because SpringSecurity token decoder
+   * doesn't have any logic to handle more than one JWK url.
+   */
+  @Bean def jwtRegistrationRepository: Option[RudderJwtRegistration] = {
+    (
+      for {
+        _ <- AuthBackendsConf.jwtRegistrations.updateRegistration(RudderProperties.config)
+        r <- AuthBackendsConf.jwtRegistrations.registrations.get
+        _ <- r match {
+               case Nil | _ :: Nil => ZIO.unit
+               case h :: tail      =>
+                 AuthBackendsLoggerPure.warn(
+                   s"Warning! Rudder JWT only support one provider at a time. Only '${h._1}' will be use, '${tail.map(_._1).mkString("','")}' will be ignored."
+                 )
+             }
+      } yield {
+        r.headOption.map(_._2)
+      }
+    ).catchAll(err => {
+      (if (AuthBackendsConf.isJwtConfiguredByUser) {
+         AuthBackendsLoggerPure.error(err.fullMsg)
+       } else {
+         AuthBackendsLoggerPure.debug(err.fullMsg)
+       }) *> None.succeed
+    }).runNow
+  }
+
+  /*
+   * The same then JWT, for opaque token registration
+   */
+  @Bean def opaqueTokenRegistrationRepository: Option[RudderOpaqueTokenRegistration] = {
+    (
+      for {
+        _ <- AuthBackendsConf.opaqueTokenRegistrations.updateRegistration(RudderProperties.config)
+        r <- AuthBackendsConf.opaqueTokenRegistrations.registrations.get
+        _ <- r match {
+               case Nil | _ :: Nil => ZIO.unit
+               case h :: tail      =>
+                 AuthBackendsLoggerPure.warn(
+                   s"Warning! Rudder opaque access bearer tokens only support one provider at a time. Only '${h._1}' will be use, '${tail.map(_._1).mkString("','")}' will be ignored."
+                 )
+             }
+      } yield {
+        r.headOption.map(_._2)
+      }
+    ).catchAll { err =>
+      (if (AuthBackendsConf.isOpaqueTokenConfiguredByUser) {
+         AuthBackendsLoggerPure.error(err.fullMsg)
+       } else {
+         AuthBackendsLoggerPure.debug(err.fullMsg)
+       }) *> None.succeed
+    }.runNow
+  }
+
   /**
    * We don't use rights provided by spring, nor the one provided by OAUTH2, so
    * always map user to role `ROLE_USER`
@@ -375,7 +525,7 @@ class AuthBackendsSpringConfiguration extends ApplicationContextAware {
       registrationRepository:   RudderClientRegistrationRepository,
       userRepository:           UserRepository,
       roleApiMapping:           RoleApiMapping
-  ) = {
+  ): OAuth2LoginAuthenticationProvider = {
     val x = new OAuth2LoginAuthenticationProvider(
       rudderAuthorizationCodeTokenResponseClient(),
       oauth2UserService(rudderUserDetailsService, registrationRepository, userRepository, roleApiMapping)
@@ -398,20 +548,96 @@ class AuthBackendsSpringConfiguration extends ApplicationContextAware {
     x.setAuthoritiesMapper(userAuthoritiesMapper)
     x
   }
-}
 
-// a couple of dedicated user details that have the needed information for the SSO part
+  @Bean def oauth2ApiJwtAuthenticationProvider(
+      jwtRegistrationRepository: Option[RudderJwtRegistration]
+  ): AuthenticationProvider = {
+    jwtRegistrationRepository match {
+      case Some(config) =>
+        val decoder   = NimbusJwtDecoder.withJwkSetUri(config.jwkSetUri).build
+        val converter = new RudderJwtAuthenticationConverter(
+          jwtRegistrationRepository,
+          RudderConfig.roleApiMapping,
+          config.pivotAttributeName
+        )
+        new RudderJwtAuthenticationProvider(decoder, converter)
 
-class RudderClientRegistrationRepository(val registrations: Map[String, RudderClientRegistration])
-    extends ClientRegistrationRepository {
-  override def findByRegistrationId(registrationId: String): ClientRegistration = {
-    registrations.get(registrationId) match {
-      case None    => null
-      case Some(x) => x.registration
+      case None => MissingConfigurationAuthenticationProvider
+    }
+  }
+
+  @Bean def oauth2ApiOpaqueTokenAuthenticationProvider(
+      opaqueTokenRegistrationRepository: Option[RudderOpaqueTokenRegistration]
+  ): AuthenticationProvider = {
+    opaqueTokenRegistrationRepository match {
+      case Some(config) =>
+        val introspector = new NimbusOpaqueTokenIntrospector(config.introspectUri, config.clientId, config.clientSecret)
+        new RudderOpaqueTokenAuthenticationProvider(
+          introspector,
+          new RudderOpaqueTokenAuthenticationConverter(RudderConfig.roApiAccountRepository, config.pivotAttributeName)
+        )
+
+      case None => MissingConfigurationAuthenticationProvider
     }
   }
+
+}
+
+// a couple of dedicated user details that have the needed information for the SSO part
+
+//////////////// RudderUserDetails from OAuth2/OIDC login ////////////////
+
+/*
+ * The `RudderDetails` class that is instantiated from an OAuth2 `client_credentials` login (ie when a user, generally
+ * a service, asked the IdP for a `Bearer` token and then used that token to access Rudder APIs)
+ * We can't directly inherit `JwtAuthenticationToken` and `RudderUserDetail` because none is a trait, only classes.
+ */
+case class RudderOAuth2Jwt(jwt: JwtAuthenticationToken, rudderUserDetail: RudderUserDetail)
+    extends JwtAuthenticationToken(jwt.getToken, rudderUserDetail.getAuthorities) with UserDetails {
+
+  this.setDetails(jwt.getDetails)
+  this.setAuthenticated(jwt.isAuthenticated)
+
+  // this is important, it's the way to identify a RudderUser
+  override def getPrincipal: AnyRef = rudderUserDetail
+
+  override def getPassword: String = rudderUserDetail.getPassword
+  override def getUsername: String = rudderUserDetail.getUsername
+
+  override def isAccountNonExpired:     Boolean = rudderUserDetail.isAccountNonExpired
+  override def isAccountNonLocked:      Boolean = rudderUserDetail.isAccountNonLocked
+  override def isCredentialsNonExpired: Boolean = rudderUserDetail.isCredentialsNonExpired
+  override def isEnabled:               Boolean = rudderUserDetail.isEnabled
 }
 
+case class RudderOAuth2OpaqueToken(obt: BearerTokenAuthentication, rudderUserDetail: RudderUserDetail)
+    extends BearerTokenAuthentication(
+      obt.getPrincipal.asInstanceOf[OAuth2AuthenticatedPrincipal],
+      obt.getCredentials.asInstanceOf[OAuth2AccessToken],
+      rudderUserDetail.getAuthorities
+    ) with UserDetails {
+
+  this.setDetails(obt.getDetails)
+  this.setAuthenticated(obt.isAuthenticated)
+
+  // this is important, it's the way to identify a RudderUser
+  override def getPrincipal: AnyRef = rudderUserDetail
+
+  override def getPassword: String = rudderUserDetail.getPassword
+  override def getUsername: String = rudderUserDetail.getUsername
+
+  override def isAccountNonExpired:     Boolean = rudderUserDetail.isAccountNonExpired
+  override def isAccountNonLocked:      Boolean = rudderUserDetail.isAccountNonLocked
+  override def isCredentialsNonExpired: Boolean = rudderUserDetail.isCredentialsNonExpired
+  override def isEnabled:               Boolean = rudderUserDetail.isEnabled
+
+  override def getTokenAttributes: util.Map[String, AnyRef] = obt.getTokenAttributes
+}
+
+/*
+ * The `RudderDetails` class that is instantiated from an OIDC `authorization_code` login (ie when a user actually
+ * logged on the IdP)
+ */
 final class RudderOidcDetails(oidc: OidcUser, rudder: RudderUserDetail)
     extends RudderUserDetail(rudder.account, rudder.status, rudder.roles, rudder.apiAuthz, rudder.nodePerms) with OidcUser {
   override def getClaims:     util.Map[String, AnyRef] = oidc.getClaims
@@ -421,12 +647,28 @@ final class RudderOidcDetails(oidc: OidcUser, rudder: RudderUserDetail)
   override def getName:       String                   = oidc.getName
 }
 
+/*
+ * The `RudderDetails` class that is instantiated from an OIDC `authorization_code` login (ie when a user actually
+ * logged on the IdP)
+ */
 final class RudderOauth2Details(oauth2: OAuth2User, rudder: RudderUserDetail)
     extends RudderUserDetail(rudder.account, rudder.status, rudder.roles, rudder.apiAuthz, rudder.nodePerms) with OAuth2User {
   override def getAttributes: util.Map[String, AnyRef] = oauth2.getAttributes
   override def getName:       String                   = oauth2.getName
 }
 
+//////////////// User OAuth2/OIDC authentication - `authorization_code` workflows ////////////////
+
+class RudderClientRegistrationRepository(val registrations: Map[String, RudderClientRegistration])
+    extends ClientRegistrationRepository {
+  override def findByRegistrationId(registrationId: String): ClientRegistration = {
+    registrations.get(registrationId) match {
+      case None    => null
+      case Some(x) => x.registration
+    }
+  }
+}
+
 /*
  * We need to reimplement these methods because we need to correctly manage errors without having horrible
  * stack traces in logs. Classes below are reimplementation or extension of the corresponding Spring classes
@@ -481,6 +723,212 @@ class RudderDefaultOAuth2AuthorizationRequestResolver(
 
 }
 
+object RudderTokenMapping {
+
+  /*
+   * This is the way to get the list of defined role given what an OAuth2 token gives.
+   * - we have a notion of "default roles" which are the one the user or the token have by default, without
+   *   token info
+   * - we can map roles to rudder ones so that IdP role names and Rudder ones are independent
+   * - we can restrict the available roles to the ones mapped so that a Rogue IdP can't use Rudder internal
+   *   roles names (and chaos ensues if those internal name change)
+   */
+  def getRoles(
+      reg:           RudderOAuth2Registration with RegistrationWithRoles,
+      principal:     String, // user name or token id
+      protocolName:  String, // oauth2Api, oauth2, oidc
+      default:       Set[Role]
+  )(
+      getTokenRoles: String => Option[Set[String]]
+  ): Set[Role] = {
+    val roles = if (reg.roles.enabled) {
+      val filteredRoles = getProvidedList(reg.roles, principal)(getTokenRoles)
+
+      AuthBackendsLogger.trace(
+        s"IdP configuration has registered role mapping: [${reg.roles.mapping.toList.sorted.map(x => s"${x._1 -> x._2}").mkString("; ")}]"
+      )
+      val mappedRoles: Set[Role] = filteredRoles.flatMap { r =>
+        val role = reg.roles.mapping.get(r) match {
+          // if the role is not in the mapping, use the provided name as is.
+          case None    => RudderRoles.findRoleByName(r)
+          case Some(m) =>
+            AuthBackendsLogger.debug(
+              s"Principal '${principal}': mapping IdP provided role '${r}' to Rudder role '${m}' "
+            )
+            RudderRoles
+              .findRoleByName(m)
+              .map(_.map(x => Role.Alias(x, r, s"Alias from ${reg.registrationId} IdP")))
+        }
+        role.runNow.orElse {
+          AuthBackendsLogger.debug(
+            s"Role '${r}' does not match any Rudder role, ignoring it for user ${principal}"
+          )
+          None
+        }
+      }
+
+      if (mappedRoles.nonEmpty) {
+        ApplicationLoggerPure.Auth.logEffect.info(
+          s"Principal '${principal}' role list extended with ${protocolName} provided roles: [${Role
+              .toDisplayNames(mappedRoles)
+              .mkString(", ")}] (override: ${reg.roles.overrides})"
+        )
+      } else {
+        AuthBackendsLogger.debug(
+          s"No roles provided by ${protocolName} in attribute: ${reg.roles.attributeName} (or attribute is missing, or user-management plugin is missing)"
+        )
+      }
+
+      val roles = if (reg.roles.overrides) {
+        // override means: don't use user role configured in rudder-users.xml
+        mappedRoles
+      } else {
+        default ++ mappedRoles
+      }
+      AuthBackendsLogger.debug(
+        s"Principal '${principal}' final list of roles: [${roles.map(_.name).mkString(", ")}]"
+      )
+      roles
+
+    } else {
+      AuthBackendsLogger.debug(s"${protocolName} configuration is not configured to use token provided roles")
+      default
+    }
+
+    roles
+  }
+
+  /*
+   * This is the way to get the list of defined tenants given what an OAuth2 token gives.
+   * - we have a notion of "default tenants" which are the one the user or the token have by default, without
+   *   token info
+   * - we can map tenants to rudder ones so that IdP tenant names and Rudder ones are independent
+   * - we can restrict the available tenants to the ones mapped so that a Rogue IdP can't use Rudder internal
+   *   tenants names (and chaos ensues if those internal name change - even if tenants should be public names)
+   */
+  def getTenants(
+      reg:             RudderOAuth2Registration with RegistrationWithRoles,
+      principal:       String, // user name or token id
+      protocolName:    String, // oauth2Api, oauth2, oidc
+      default:         NodeSecurityContext
+  )(
+      getTokenTenants: String => Option[Set[String]]
+  ): NodeSecurityContext = {
+    val tenants = if (reg.tenants.enabled) {
+      val filteredTenants = getProvidedList(reg.tenants, principal)(getTokenTenants)
+
+      AuthBackendsLogger.trace(
+        s"IdP configuration has registered tenant mapping: [${reg.tenants.mapping.toList.sorted.map(x => s"${x._1 -> x._2}").mkString("; ")}]"
+      )
+
+      // for the tenant mapping, we don't check with existing tenants because the real list
+      // will be checked at each request (ie, the intersection is done for each node access)
+      val mappedTenants = filteredTenants.toList.map { t =>
+        reg.tenants.mapping.get(t) match {
+          // if the tenant is not in the mapping, use the provided name as is.
+          case None    => t
+          case Some(m) =>
+            AuthBackendsLogger.debug(
+              s"Principal '${principal}': mapping IdP provided role '${t}' to Rudder role '${m}' "
+            )
+            m
+        }
+      }
+
+      val parsedTenants = NodeSecurityContext.parseList(Some(mappedTenants)) match {
+        case Left(err)  =>
+          AuthBackendsLogger.debug(
+            s"Parsing provided tenants for ${protocolName} in attribute: ${reg.tenants.attributeName} for principal ${principal} lead to an error, disabling all tenants: ${err.fullMsg}"
+          )
+          NodeSecurityContext.None
+        case Right(nsc) =>
+          ApplicationLoggerPure.Auth.logEffect.info(
+            s"Principal '${principal}' tenant list extended with ${protocolName} provided tenants: '${nsc.value}' (override: ${reg.tenants.overrides})"
+          )
+          nsc
+      }
+
+      val tenants = if (reg.tenants.overrides) {
+        // override means: don't use user tenants configured in rudder-users.xml
+        parsedTenants
+      } else {
+        default.plus(parsedTenants)
+      }
+      AuthBackendsLogger.debug(
+        s"Principal '${principal}' final list of tenants: '${tenants.value}'"
+      )
+      tenants
+
+    } else {
+      AuthBackendsLogger.debug(s"${protocolName} configuration is not configured to use token provided tenants")
+      default
+    }
+
+    tenants
+  }
+
+  /*
+   * A generic method to get the list of string corresponding to the given `ProvidedList`.
+   */
+  def getProvidedList(
+      provided:     ProvidedList,
+      principal:    String // user name or token id
+  )(
+      getTokenList: String => Option[Set[String]]
+  ): Set[String] = {
+    val custom = {
+      try {
+        getTokenList(provided.attributeName) match {
+          case Some(l) =>
+            l
+          case None    =>
+            AuthBackendsLogger.warn(
+              s"Principal '${principal}' returned information does not contain an attribute '${provided.attributeName}' " +
+              s"which is the one configured for custom ${provided.debugName} provisioning (see " +
+              s"'rudder.auth.oauth2.provider.$${idpID}.${provided.debugName}.attribute' value). " +
+              s"Please check that the attribute name is correct and that requested scope provides that attribute."
+            )
+            Set.empty[String]
+        }
+      } catch {
+        case ex: Exception =>
+          AuthBackendsLogger.warn(
+            s"Unable to get custom ${provided.debugName} for user '${principal}' when looking for attribute '${provided.attributeName}' :${ex.getMessage}'"
+          )
+          Set.empty[String]
+      }
+    }
+
+    // check if we have role mapping or restriction
+    val filteredSet = if (provided.restrictToMapping) {
+      val f = custom.intersect(provided.mapping.keySet)
+      AuthBackendsLogger.debug(
+        s"IdP configuration enforce restriction to mapped ${provided.debugName}, resulting filtered list: [${f.mkString(", ")}]"
+      )
+      f
+    } else custom
+
+    filteredSet
+  }
+
+  /*
+   * Map roles to the corresponding API ACL.
+   */
+  def getApiAuthorization(roleApiMapping: RoleApiMapping, roles: Set[Role]): ApiAuthorization.ACL = {
+    // we derive api authz from users rights
+    val acl = roleApiMapping
+      .getApiAclFromRoles(roles.toSeq)
+      .groupBy(_.path.parts.head)
+      .flatMap {
+        case (_, seq) =>
+          seq.sortBy(_.path)(AclPath.orderingaAclPath).sortBy(_.path.parts.head.value)
+      }
+      .toList
+
+    ApiAuthorization.ACL(acl)
+  }
+}
+
 trait RudderUserServerMapping[R <: OAuth2UserRequest, U <: OAuth2User, T <: RudderUserDetail with U] {
 
   def registrationRepository: RudderClientRegistrationRepository
@@ -540,7 +988,7 @@ trait RudderUserServerMapping[R <: OAuth2UserRequest, U <: OAuth2User, T <: Rudd
   }
 
   def buildUser(
-      optReg:         Option[RudderClientRegistration],
+      optReg:         Option[RudderOAuth2Registration with RegistrationWithRoles],
       userRequest:    R,
       user:           U,
       roleApiMapping: RoleApiMapping,
@@ -548,114 +996,33 @@ trait RudderUserServerMapping[R <: OAuth2UserRequest, U <: OAuth2User, T <: Rudd
       userBuilder:    (U, RudderUserDetail) => T,
       tenants:        NodeSecurityContext
   ): T = {
-    val roles = {
-      optReg match {
-        case None      =>
-          AuthBackendsLogger.trace(
-            s"No configuration found for ${protocolName} registration id: ${userRequest.getClientRegistration.getRegistrationId}"
-          )
-          rudder.roles // if no registration, use user roles
-        case Some(reg) =>
-          if (reg.roles.enabled) {
-            val custom = {
-              try {
-                import scala.jdk.CollectionConverters.*
-                if (user.getAttributes.containsKey(reg.roles.attributeName)) {
-                  user
-                    .getAttribute[java.util.ArrayList[String]](reg.roles.attributeName)
-                    .asScala
-                    .toSet
-                } else {
-                  AuthBackendsLogger.warn(
-                    s"User '${rudder.getUsername}' returned information does not contain an attribute '${reg.roles.attributeName}' " +
-                    s"which is the one configured for custom role provisioning (see 'rudder.auth.oauth2.provider.$${idpID}.roles.attribute'" +
-                    s" value). Please check that the attribute name is correct and that requested scope provides that attribute."
-                  )
-                  Set.empty[String]
-                }
-              } catch {
-                case ex: Exception =>
-                  AuthBackendsLogger.warn(
-                    s"Unable to get custom roles for user '${rudder.getUsername}' when looking for attribute '${reg.roles.attributeName}' :${ex.getMessage}'"
-                  )
-                  Set.empty[String]
-              }
-            }
 
-            // check if we have role mapping or restriction
-            val filteredRoles = if (reg.restrictRoleMapping) {
-              val f = custom.filter(r => reg.roleMapping.keySet.contains(r))
-              AuthBackendsLogger.debug(
-                s"IdP configuration enforce restriction to mapped role, resulting filtered list: [${f.mkString(", ")}]"
-              )
-              f
-            } else custom
-            AuthBackendsLogger.trace(
-              s"IdP configuration has registered role mapping: [${reg.roleMapping.toList.sorted.map(x => s"${x._1 -> x._2}").mkString("; ")}]"
-            )
-            val mappedRoles: Set[Role] = filteredRoles.flatMap { r =>
-              val role = reg.roleMapping.get(r) match {
-                // if the role is not in the mapping, use the provided name as is.
-                case None    => RudderRoles.findRoleByName(r)
-                case Some(m) =>
-                  AuthBackendsLogger.debug(
-                    s"Principal '${rudder.getUsername}': mapping IdP provided role '${r}' to Rudder role '${m}' "
-                  )
-                  RudderRoles
-                    .findRoleByName(m)
-                    .map(_.map(x => Role.Alias(x, r, s"Alias from ${reg.registration.getRegistrationId} IdP")))
-              }
-              role.runNow.orElse {
-                AuthBackendsLogger.debug(
-                  s"Role '${r}' does not match any Rudder role, ignoring it for user ${rudder.getUsername}"
-                )
-                None
-              }
-            }
+    val (roles, nsc) = optReg match {
+      case None =>
+        AuthBackendsLogger.trace(
+          s"No configuration found for ${protocolName} registration id: ${userRequest.getClientRegistration.getRegistrationId}"
+        )
+        (rudder.roles, tenants) // if no registration, use defaults
+
+      case Some(reg) =>
+        val getAttr = (attributeName: String) => {
+          if (user.getAttributes.containsKey(attributeName)) {
+            import scala.jdk.CollectionConverters.*
+            Some(user.getAttribute[java.util.ArrayList[String]](attributeName).asScala.toSet)
+          } else None
+        }
 
-            if (mappedRoles.nonEmpty) {
-              ApplicationLoggerPure.Auth.logEffect.info(
-                s"Principal '${rudder.getUsername}' role list extended with ${protocolName} provided roles: [${Role
-                    .toDisplayNames(mappedRoles)
-                    .mkString(", ")}] (override: ${reg.roles.over})"
-              )
-            } else {
-              AuthBackendsLogger.debug(
-                s"No roles provided by ${protocolName} in attribute: ${reg.roles.attributeName} (or attribute is missing, or user-management plugin is missing)"
-              )
-            }
-
-            val roles = if (reg.roles.over) {
-              // override means: don't use user role configured in rudder-users.xml
-              mappedRoles
-            } else {
-              rudder.roles ++ mappedRoles
-            }
-            AuthBackendsLogger.debug(
-              s"Principal '${rudder.getUsername}' final list of roles: [${roles.map(_.name).mkString(", ")}]"
-            )
-            roles
+        val roles = RudderTokenMapping.getRoles(reg, rudder.getUsername, protocolId, rudder.roles)(getAttr)
+        val nsc   = RudderTokenMapping.getTenants(reg, rudder.getUsername, protocolId, tenants)(getAttr)
 
-          } else {
-            AuthBackendsLogger.debug(s"${protocolName} configuration is not configured to use token provided roles")
-            rudder.roles
-          }
-      }
+        (roles, nsc)
     }
-    // we derive api authz from users rights
-    val acls  = roleApiMapping
-      .getApiAclFromRoles(roles.toSeq)
-      .groupBy(_.path.parts.head)
-      .flatMap {
-        case (_, seq) =>
-          seq.sortBy(_.path)(AclPath.orderingaAclPath).sortBy(_.path.parts.head.value)
-      }
-      .toList
 
-    val apiAuthz    = ApiAuthorization.ACL(acls)
-    val userDetails = rudder.copy(roles = roles, apiAuthz = apiAuthz, nodePerms = tenants)
+    // we derive api authz from users rights
+    val apiAuthz    = RudderTokenMapping.getApiAuthorization(roleApiMapping, roles)
+    val userDetails = rudder.copy(roles = roles, apiAuthz = apiAuthz, nodePerms = nsc)
     AuthBackendsLogger.debug(
-      s"Principal '${rudder.getUsername}' final roles: [${roles.map(_.name).mkString(", ")}], and API authz: ${apiAuthz.debugString}"
+      s"Principal '${rudder.getUsername}' final roles: [${roles.map(_.name).mkString(", ")}], and API authz: ${apiAuthz.debugString}, and tenants: ${nsc.value}"
     )
     // we need to update roles in all cases
     userBuilder(user, userDetails)
@@ -862,3 +1229,234 @@ class RudderDefaultOAuth2UserService extends DefaultOAuth2UserService {
     }
   }
 }
+
+//////////////// REST API OAuth2 authentication - `client_credentials` workflows ////////////////
+
+/////////////// OAuth2/OIDC - JWT bearer token ///////////////
+
+/*
+ * A placeholder AuthenticationProvider to use when we don't have any registration.
+ * Spring undecidable initialisation patterns force us to do strange things.
+ */
+object MissingConfigurationAuthenticationProvider extends AuthenticationProvider {
+  override def authenticate(authentication: Authentication): Authentication = {
+    throw new OAuth2AuthenticationException(
+      s"This authentication provider is missing configuration and can't be called for authentication"
+    )
+  }
+  override def supports(authentication: Class[?]): Boolean = false
+}
+
+/*
+ * Authentication provider for OAuth2/OIDC for protecting APIs with JWT tokens
+ */
+object RudderJwtAuthenticationProvider {
+
+  val PROTOCOL_ID: String = "oauth2ApiJwt"
+}
+
+/*
+ * JWT bearer token for oauth2 protected API - authentication provider.
+ * This class is here only to allow to hook our mapping class in place of Spring default one.
+ */
+class RudderJwtAuthenticationProvider(jwtDecoder: JwtDecoder, converter: RudderJwtAuthenticationConverter)
+    extends AuthenticationProvider {
+  private val jwtAuthenticationProvider = new JwtAuthenticationProvider(jwtDecoder)
+  jwtAuthenticationProvider.setJwtAuthenticationConverter(converter)
+
+  override def authenticate(authentication: Authentication): Authentication = {
+    val a = jwtAuthenticationProvider.authenticate(authentication)
+    a
+  }
+
+  override def supports(authentication: Class[?]): Boolean = jwtAuthenticationProvider.supports(authentication)
+}
+
+class RudderJwtAuthenticationConverter(
+    clientRegistrationRepository: Option[RudderJwtRegistration],
+    roleApiMapping:               RoleApiMapping,
+    pivotAttribute:               String
+) extends Converter[Jwt, AbstractAuthenticationToken] {
+
+  import bootstrap.rudder.plugin.RudderJwtAuthenticationProvider.PROTOCOL_ID
+  private val jwtConverter = new JwtAuthenticationConverter()
+
+  override def convert(jwt: Jwt): AbstractAuthenticationToken = {
+    val t = jwtConverter.convert(jwt).asInstanceOf[JwtAuthenticationToken]
+
+    // Find the registration for that token. It's done by looking at the client ID it must contain.
+    // We only have the clientId, so we need to check them all
+    val clientId = t.getToken.getClaimAsString(pivotAttribute)
+
+    if (clientId == null) { // we're in Java-land, these things can happen
+      throw new InvalidBearerTokenException(
+        s"A JWT Bearer token was received but it doesn't have a 'cid' claim, so we don't have a client ID and the token is invalid"
+      )
+    } else {
+
+      clientRegistrationRepository match {
+        case None               =>
+          throw new InvalidBearerTokenException(
+            s"A JWT Bearer token was received but we don't have any registration for the provided clientId: ${clientId}"
+          )
+        case Some(registration) =>
+          // check that audience matches the expected one if the registration enforce it
+          if (registration.audience.check && !t.getToken.getAudience.asScala.contains(registration.audience.value)) {
+            throw new InvalidBearerTokenException(
+              s"Audience is not the expected one for token, client with ID ${clientId} must target audience: ${registration.audience.value}, but got ${t.getToken.getAudience.asScala
+                  .mkString(", ")}"
+            )
+          }
+
+          def getAttr(attributeName: String) = t.getToken.getClaimAsStringList(attributeName) match {
+            case null => None
+            case x    =>
+              import scala.jdk.CollectionConverters.*
+              Some(x.asScala.toSet)
+          }
+
+          val roles    = RudderTokenMapping.getRoles(registration, t.getName, PROTOCOL_ID, default = Set())(getAttr)
+          val nsc      =
+            RudderTokenMapping.getTenants(registration, t.getName, PROTOCOL_ID, default = NodeSecurityContext.None)(getAttr)
+          val apiAuthz = RudderTokenMapping.getApiAuthorization(roleApiMapping, roles)
+
+          // create RudderUserDetails from token
+          val details: RudderUserDetail = {
+            val created = new DateTime(jwt.getIssuedAt.toEpochMilli)
+            val exp     = Some(new DateTime(jwt.getExpiresAt.toEpochMilli))
+
+            RudderUserDetail(
+              RudderAccount.Api(
+                ApiAccount(
+                  ApiAccountId(jwt.getId),
+                  ApiAccountKind.PublicApi(apiAuthz, exp),
+                  ApiAccountName(jwt.getId),
+                  Some(ApiTokenHash.fromHashValue(jwt.getTokenValue)),
+                  "",
+                  isEnabled = true, // always enabled at that point, since the token is valid
+                  created,
+                  created,
+                  nsc
+                )
+              ),
+              UserStatus.Active, // always active at the point, since the token is valid
+              roles,
+              apiAuthz,
+              nsc
+            )
+          }
+
+          AuthBackendsLogger.debug(
+            s"Principal from JWT '${details.getUsername}' final roles: [${roles.map(_.name).mkString(", ")}], and API authz: ${apiAuthz.debugString}, and tenants: ${nsc.value}"
+          )
+
+          RudderOAuth2Jwt(t, details)
+      }
+    }
+  }
+}
+
+/////////////// OAuth2/OIDC - Opaque bearer access token ///////////////
+
+/*
+ * Authentication provider for OAuth2/OIDC for protecting APIs with JWT tokens
+ */
+object RudderOpaqueTokenAuthenticationProvider {
+  val PROTOCOL_ID: String = "oauth2ApiOpaqueToken"
+}
+
+// this class is only here to allow to use our convert in place of default spring configuration
+class RudderOpaqueTokenAuthenticationProvider(
+    introspector: NimbusOpaqueTokenIntrospector,
+    converter:    RudderOpaqueTokenAuthenticationConverter
+) extends AuthenticationProvider {
+  private val opaqueTokenAuthenticationProvider = new OpaqueTokenAuthenticationProvider(introspector)
+  opaqueTokenAuthenticationProvider.setAuthenticationConverter(converter)
+
+  override def authenticate(authentication: Authentication): Authentication = {
+    val a = opaqueTokenAuthenticationProvider.authenticate(authentication)
+    a
+  }
+
+  override def supports(authentication: Class[?]): Boolean = opaqueTokenAuthenticationProvider.supports(authentication)
+}
+
+/*
+ * Logic for mapping a validated opaque bearer access token to Rudder logic.
+ * All the authentication security is done by spring-security, here we manage mapping
+ * logic to rudder "user details".
+ */
+class RudderOpaqueTokenAuthenticationConverter(
+    roApiAccountRepository: RoApiAccountRepository,
+    pivotAttribute:         String
+) extends OpaqueTokenAuthenticationConverter {
+
+  override def convert(introspectedToken: String, authenticatedPrincipal: OAuth2AuthenticatedPrincipal): Authentication = {
+    val t = DefaultOpaqueTokenAuthenticationConverter
+      .convert(introspectedToken, authenticatedPrincipal)
+
+    // retrieve token id
+    val tokenId = t.getTokenAttributes.asScala.get(pivotAttribute) match {
+      case Some(v) =>
+        // we only understand string for that value
+        v match {
+          case null | "" =>
+            throw new InvalidBearerTokenException(
+              s"An opaque Bearer token was received but value for '${pivotAttribute}' claim isn't a non-empty string so the token is invalid"
+            )
+          case id: String => ApiAccountId(id)
+          case _ =>
+            throw new InvalidBearerTokenException(
+              s"An opaque Bearer token was received but value for '${pivotAttribute}' claim isn't a string so the token is invalid"
+            )
+        }
+
+      case None =>
+        throw new InvalidBearerTokenException(
+          s"An opaque Bearer token was received but it doesn't have a '${pivotAttribute}' claim, so we don't have a token ID and the token is invalid"
+        )
+    }
+
+    // try to lookup token id
+    roApiAccountRepository.getById(tokenId).runNow match {
+      case None             =>
+        throw new InvalidBearerTokenException(
+          s"An opaque Bearer token was received but No token with ID ${tokenId.value} is configured in Rudder"
+        )
+      case Some(apiAccount) =>
+        if (!apiAccount.isEnabled) {
+          throw new InvalidBearerTokenException(
+            s"An opaque Bearer token was received but token with ID ${tokenId.value} is disabled in Rudder"
+          )
+        } else {
+
+          // we only accept public API token for that kind of authentication
+          apiAccount.kind match {
+            case ApiAccountKind.PublicApi(authz, expirationDate) =>
+              expirationDate match {
+                case Some(date) if (DateTime.now().isAfter(date)) =>
+                  throw new InvalidBearerTokenException(
+                    s"An opaque Bearer token was received but API token with ID ${tokenId.value} is expired in Rudder"
+                  )
+
+                case _ => // no expiration date or expiration date not reached
+                  val user = RudderUserDetail(
+                    RudderAccount.Api(apiAccount),
+                    UserStatus.Active,
+                    RudderAuthType.Api.apiRudderRole,
+                    authz,
+                    apiAccount.tenants
+                  )
+                  RudderOAuth2OpaqueToken(t, user)
+              }
+
+            // all other API account type leads to an error
+            case _                                               =>
+              throw new InvalidBearerTokenException(
+                s"An opaque Bearer token was received but No valid public API token with ID ${tokenId.value} is configured in Rudder"
+              )
+          }
+        }
+    }
+  }
+}
diff --git a/auth-backends/src/main/scala/com/normation/plugins/authbackends/AuthBackendsPluginDef.scala b/auth-backends/src/main/scala/com/normation/plugins/authbackends/AuthBackendsPluginDef.scala
index 65f911333..54e934b60 100644
--- a/auth-backends/src/main/scala/com/normation/plugins/authbackends/AuthBackendsPluginDef.scala
+++ b/auth-backends/src/main/scala/com/normation/plugins/authbackends/AuthBackendsPluginDef.scala
@@ -37,18 +37,11 @@
 
 package com.normation.plugins.authbackends
 
-import bootstrap.liftweb.Boot
 import bootstrap.liftweb.ConfigResource
 import bootstrap.rudder.plugin.AuthBackendsConf
 import com.normation.plugins.*
-import com.normation.rudder.AuthorizationType.Administration
 import com.normation.rudder.rest.EndpointSchema
 import com.normation.rudder.rest.lift.LiftApiModuleProvider
-import net.liftweb.http.ClasspathTemplates
-import net.liftweb.sitemap.Loc.LocGroup
-import net.liftweb.sitemap.Loc.Template
-import net.liftweb.sitemap.Loc.TestAccess
-import net.liftweb.sitemap.LocPath.stringToLocPath
 import net.liftweb.sitemap.Menu
 
 class AuthBackendsPluginDef(override val status: PluginStatus) extends DefaultPluginDef {
@@ -65,16 +58,6 @@ class AuthBackendsPluginDef(override val status: PluginStatus) extends DefaultPl
 
   override def apis: Option[LiftApiModuleProvider[? <: EndpointSchema]] = Some(AuthBackendsConf.api)
 
-  override def pluginMenuEntry: List[(Menu, Option[String])] = {
-    (
-      (Menu("authBackensdManagement", <span>Authentication backends</span>) /
-      "secure" / "plugins" / "authBackendsManagement"
-      >> LocGroup("pluginsGroup")
-      >> TestAccess(() => Boot.userIsAllowed("/secure/index", Administration.Read))
-      >> Template(() =>
-        ClasspathTemplates("template" :: "AuthBackendsManagement" :: Nil) openOr <div>Template not found</div>
-      )).toMenu,
-      None
-    ) :: Nil
-  }
+  // no menu, the doc will be directly in plugin
+  override def pluginMenuEntry: List[(Menu, Option[String])] = Nil
 }
diff --git a/auth-backends/src/main/scala/com/normation/plugins/authbackends/DataTypes.scala b/auth-backends/src/main/scala/com/normation/plugins/authbackends/DataTypes.scala
index 264a0f51f..214b310f6 100644
--- a/auth-backends/src/main/scala/com/normation/plugins/authbackends/DataTypes.scala
+++ b/auth-backends/src/main/scala/com/normation/plugins/authbackends/DataTypes.scala
@@ -107,7 +107,11 @@ final case class JsonLdapConfig(
     ldapFilter:   ConfigOption
 )
 
-final object JsonSerialization {
+final case class BasePath(base: String, id: String) {
+  def path(key: String) = base + "." + id + "." + key
+}
+
+object JsonSerialization {
   implicit val configOptionEncoder:    JsonEncoder[ConfigOption]          = DeriveJsonEncoder.gen[ConfigOption]
   implicit val jsonAdminConfigEncoder: JsonEncoder[JsonAdminConfig]       = DeriveJsonEncoder.gen[JsonAdminConfig]
   implicit val jsonFileConfigEncoder:  JsonEncoder[JsonFileConfig]        = DeriveJsonEncoder.gen[JsonFileConfig]
diff --git a/auth-backends/src/main/scala/com/normation/plugins/authbackends/Oauth2Authentication.scala b/auth-backends/src/main/scala/com/normation/plugins/authbackends/Oauth2Authentication.scala
index 37122d3b4..7c443ee93 100644
--- a/auth-backends/src/main/scala/com/normation/plugins/authbackends/Oauth2Authentication.scala
+++ b/auth-backends/src/main/scala/com/normation/plugins/authbackends/Oauth2Authentication.scala
@@ -39,6 +39,7 @@ import bootstrap.liftweb.UserLogout
 import bootstrap.rudder.plugin.BuildLogout
 import cats.data.NonEmptyList
 import com.normation.errors.*
+import com.normation.plugins.authbackends.RudderRegistrationPropertyCommon.readProviders
 import com.typesafe.config.Config
 import org.springframework.security.oauth2.client.registration.ClientRegistration
 import org.springframework.security.oauth2.core.AuthorizationGrantType
@@ -59,70 +60,178 @@ import zio.syntax.*
  * In our case, the configuration is done in the rudder property configuration file, and
  * we just parse the different client and register them in an in memory immutable map.
  *
- * The other important aspect is the identifier used to match the user on the oauth service.
- * For now, that identifier must be use as login in rudder.
+ * We then have two broad cases:
+ * - delegating authentication for *users* to an IdP through an interactive process which is called `authorization_code`
+ *   workflow.
+ *   One of the important aspect of that workflow is the identifier used to match the user between the IdP and Rudder.
+ *   For now, that identifier must be used as Rudder login.
+ * - delegating authentication for *API tokens* to an IdP through a JWT bearer token created by an IdP and for which we
+ *   check the authenticity through a process which is called `client_credentials` workflow.
  *
  */
 
-final case class OIDCProvidedRole(enabled: Boolean, attributeName: String, over: Boolean) {
-  override def toString: String = if (enabled) s"enabled, list obtained from attribute: ${attributeName} (override: ${over})"
+sealed trait ProvidedList {
+  def debugName:         String
+  def enabled:           Boolean
+  def attributeName:     String
+  def overrides:         Boolean
+  def restrictToMapping: Boolean
+  def mapping:           Map[String, String]
+
+  override def toString: String = if (enabled) s"enabled, list obtained from attribute: ${attributeName} (override: ${overrides})"
   else "disabled"
 }
 
+final case class ProvidedRoles(
+    enabled:           Boolean,
+    attributeName:     String,
+    overrides:         Boolean,
+    restrictToMapping: Boolean,
+    mapping:           Map[String, String]
+) extends ProvidedList {
+  val debugName = "roles"
+}
+
+final case class ProvidedTenants(
+    enabled:           Boolean,
+    attributeName:     String,
+    overrides:         Boolean,
+    restrictToMapping: Boolean,
+    mapping:           Map[String, String]
+) extends ProvidedList {
+  val debugName = "tenants"
+}
+
+final case class JwtAudience(
+    check: Boolean,
+    value: String
+)
+
+/*
+ * We have to data structures to model the configuration parameters needed for a workflow:
+ * - the first, `RudderJWTRegistration` is simple and is only used for API protection with Bearer token. It only needs an
+ *   URL to get a public key for signature checking, and some role mapping
+ * - the second, `RudderClientRegistration`, is complicated because in it, Rudder takes active part in the authentication
+ *   and act for the users to make them log on IdP and then into Rudder. We need it to have a client ID and secret in
+ *   the IdP, and lots of other parameters.
+ */
+
+// properties common to both JWT and OAuth2/OIDC registration
+sealed trait RudderOAuth2Registration {
+  def registrationId: String
+}
+
+trait RegistrationWithPivotAttribute {
+  def pivotAttributeName: String
+}
+
+trait RegistrationWithRoles {
+  def roles:   ProvidedRoles
+  def tenants: ProvidedTenants
+}
+
+/*
+ * API access with JWT (bearer token) - client_credentials workflow
+ */
+final case class RudderJwtRegistration(
+    registrationId:     String,
+    jwkSetUri:          String,
+    pivotAttributeName: String,
+    audience:           JwtAudience,
+    roles:              ProvidedRoles,
+    tenants:            ProvidedTenants
+) extends RudderOAuth2Registration with RegistrationWithRoles
+    with RegistrationWithPivotAttribute // there is nothing secret here, no need to override `toString()`.
+
+object RudderJwtRegistration {
+  val defaultPivotAttribute: String = "cid"
+}
+
+/*
+ * API access with JWT (bearer token) - client_credentials workflow
+ */
+final case class RudderOpaqueTokenRegistration(
+    registrationId:     String,
+    clientId:           String,
+    clientSecret:       String,
+    introspectUri:      String,
+    pivotAttributeName: String
+) extends RudderOAuth2Registration with RegistrationWithPivotAttribute {
+  // be careful to not leak secret in "toString"
+  override def toString: String = {
+    s"""{${registrationId}}, clientId:'${clientId}' introspect URL: '${introspectUri}', token mapping attribute: ${pivotAttributeName}"""
+  }
+}
+
+object RudderOpaqueTokenRegistration {
+  // by default, the user/service ID that gained authentication with that token is store in "sub", but it can
+  // be implementation specific.
+  val defaultPivotAttribute: String = "sub"
+}
+
 /*
+ * User login - authorization_code workflow.
  * Data container class to add our properties to spring ClientRegistration ones
  * We never want to print the secret in logs, so override it.
  */
 final case class RudderClientRegistration(
-    registration:        ClientRegistration,
-    logoutUrl:           Option[String],
-    logoutRedirectUrl:   Option[String],
-    infoMsg:             String,
-    roles:               OIDCProvidedRole,
-    provisioning:        Boolean,
-    restrictRoleMapping: Boolean,
-    roleMapping:         Map[String, String]
-) {
+    registration:      ClientRegistration,
+    logoutUrl:         Option[String],
+    logoutRedirectUrl: Option[String],
+    infoMsg:           String,
+    roles:             ProvidedRoles,
+    provisioning:      Boolean,
+    tenants:           ProvidedTenants
+) extends RudderOAuth2Registration with RegistrationWithRoles with RegistrationWithPivotAttribute {
+  override def registrationId: String = registration.getRegistrationId
+
+  override def pivotAttributeName: String = registration.getProviderDetails.getUserInfoEndpoint.getUserNameAttributeName
+
+  // we don't have access to "registration.toString", and it leaks "clientSecret", so we need to hide it
   override def toString: String = {
-    toDebugStringWithSecret.replaceFirst("""clientSecret='([^']+?)'""", "clientSecret='*****'")
+    toDebugStringWithSecret.replaceAll("""clientSecret='([^']+?)'""", "clientSecret='*****'")
   }
 
   // avoid that in logs etc, use only for interactive debugging sessions
-  def toDebugStringWithSecret =
+  def toDebugStringWithSecret: String =
     s"""{${registration.toString}}, '${infoMsg}', roles: ${roles.toString}, user provisioning enabled: ${provisioning}"""
 }
 
 /*
- * Client registration definition based on rudder property file:
- * - read property `rudder.auth.oauth2.client.registrations` which give a comma-separated
- *   list of client registration to oauth2 providers
- * - for each registration, read the needed properties based on template
- *   `rudder.auth.oauth2.client.${registration}.${propertyName}`
+ * We want to have same attribute name for same things in both JWT and OAuth2/OIDC configuration files.
  */
-object RudderPropertyBasedOAuth2RegistrationDefinition {
-
-  val A_NAME                 = "name"
-  val A_CLIENT_ID            = "client.id"
-  val A_CLIENT_SECRET        = "client.secret"
-  val A_CLIENT_REDIRECT      = "client.redirect"
-  val A_AUTH_METHOD          = "authMethod"
-  val A_GRANT_TYPE           = "grantType"
-  val A_INFO_MESSAGE         = "ui.infoMessage"
-  val A_SCOPE                = "scope"
-  val A_URI_AUTH             = "uri.auth"
-  val A_URI_TOKEN            = "uri.token"
-  val A_URI_USER_INFO        = "uri.userInfo"
-  val A_URI_JWK_SET          = "uri.jwkSet"
-  val A_URI_LOGOUT           = "uri.logout"
-  val A_URI_LOGOUT_REDIRECT  = "uri.logoutRedirect"
-  val A_PIVOT_ATTR           = "userNameAttributeName"
-  val A_ROLES_ENABLED        = "roles.enabled"
-  val A_ROLES_ATTRIBUTE      = "roles.attribute"
-  val A_ROLES_OVERRIDE       = "roles.override"
-  val A_ENFORCE_ROLE_MAPPING = "roles.mapping.restricted"
-  val A_ROLE_MAPPING         = "roles.mapping.entitlements"        // ie: OIDC role = Rudder role
-  val A_ROLE_REVERSE_MAPPING = "roles.mapping.reverseEntitlements" // ie: Rudder role = OIDC role (overrides mapping)
-  val A_PROVISIONING         = "enableProvisioning"
+object RudderRegistrationPropertyCommon {
+  val A_NAME                    = "name"
+  val A_CLIENT_ID               = "client.id"
+  val A_CLIENT_SECRET           = "client.secret"
+  val A_CLIENT_REDIRECT         = "client.redirect"
+  val A_AUTH_METHOD             = "authMethod"
+  val A_GRANT_TYPE              = "grantType"
+  val A_INFO_MESSAGE            = "ui.infoMessage"
+  val A_SCOPE                   = "scope"
+  val A_AUDIENCE_CHECK          = "audience.check"
+  val A_AUDIENCE_VALUE          = "audience.value"
+  val A_TENANTS_ENABLED         = "tenants.enabled"
+  val A_TENANTS_ATTRIBUTE       = "tenants.attribute"
+  val A_TENANTS_OVERRIDE        = "tenants.override"
+  val A_ENFORCE_TENANTS_MAPPING = "tenants.mapping.restricted"
+  val A_TENANTS_MAPPING         = "tenants.mapping.entitlements"        // ie: OIDC tenant = Rudder tenant
+  val A_TENANTS_REVERSE_MAPPING = "tenants.mapping.reverseEntitlements" // ie: Rudder tenants = OIDC tenants (overrides mapping)
+  val A_URI_AUTH                = "uri.auth"
+  val A_URI_TOKEN               = "uri.token"
+  val A_URI_USER_INFO           = "uri.userInfo"
+  val A_URI_JWK_SET             = "uri.jwkSet"
+  val A_URI_LOGOUT              = "uri.logout"
+  val A_URI_LOGOUT_REDIRECT     = "uri.logoutRedirect"
+  val A_URI_INTROSPECT          = "uri.introspect"
+  val A_PIVOT_ATTRIBUTE         = "userNameAttributeName"
+  val A_ROLES_ENABLED           = "roles.enabled"
+  val A_ROLES_ATTRIBUTE         = "roles.attribute"
+  val A_ROLES_OVERRIDE          = "roles.override"
+  val A_ENFORCE_ROLES_MAPPING   = "roles.mapping.restricted"
+  val A_ROLES_MAPPING           = "roles.mapping.entitlements"          // ie: OIDC role = Rudder role
+  val A_ROLES_REVERSE_MAPPING   = "roles.mapping.reverseEntitlements"   // ie: Rudder role = OIDC role (overrides mapping)
+  val A_PROVISIONING            = "enableProvisioning"
 
   val authMethods = {
     import ClientAuthenticationMethod.*
@@ -134,31 +243,38 @@ object RudderPropertyBasedOAuth2RegistrationDefinition {
     List(AUTHORIZATION_CODE, REFRESH_TOKEN, CLIENT_CREDENTIALS) // PASSWORD and IMPLICIT are deprecated for security reasons
   }
 
-  val baseProperty = "rudder.auth.oauth2.provider"
-
   val registrationAttributes = Map(
-    A_NAME                 -> "human readable name to use in the button 'login with XXXX'",
-    A_CLIENT_ID            -> "id generated in the Oauth2 service provider to identify rudder as a client app",
-    A_CLIENT_SECRET        -> "the corresponding secret key",
-    A_CLIENT_REDIRECT      -> "rudder URL to redirect to once authentication is done on the provider (must be resolvable from user browser)",
-    A_AUTH_METHOD          -> s"authentication method to use (${authMethods.map(_.getValue).mkString(",")})",
-    A_GRANT_TYPE           -> s"authorization grant type to use (${grantTypes.map(_.getValue).mkString(",")}",
-    A_INFO_MESSAGE         -> "message displayed in the login form, for example to tell the user what login he must use",
-    A_SCOPE                -> "data scope to request access to",
-    A_URI_AUTH             -> "provider URL to contact for main authentication (see provider documentation)",
-    A_URI_TOKEN            -> "provider URL to contact for token verification (see provider documentation)",
-    A_URI_USER_INFO        -> "provider URL to contact to get user information (see provider documentation)",
-    A_URI_JWK_SET          -> "provider URL to check signature of JWT token (see provider documentation)",
-    A_URI_LOGOUT           -> "(optional) provider URL to logout and end session (see provider documentation).",
-    A_URI_LOGOUT_REDIRECT  -> "(optional) the redirect URL to provide to the IdP after logout",
-    A_PIVOT_ATTR           -> "the attribute used to find local app user",
-    A_ROLES_ENABLED        -> "enable custom role extension by OIDC",
-    A_ROLES_ATTRIBUTE      -> "the attribute to use for list of custom role name. It's content in token must be a array of strings.",
-    A_ROLES_OVERRIDE       -> "keep user configured roles in rudder-user.xml or override them with the one provided in the token",
-    A_PROVISIONING         -> "allows the automatic creation of users in Rudder in they successfully authenticate with OIDC",
-    A_ROLE_MAPPING         -> s"provide a map of alias `IdP role name` -> `Rudder role name`, where each IdP role name is a sub-key of '${A_ROLE_MAPPING}'",
-    A_ROLE_REVERSE_MAPPING -> s"provide a map of alias `Rudder role name` -> `IdP role name`, where each IdP role name is a sub-key of '${A_ROLE_MAPPING}', useful when the IdP role name contains '='",
-    A_ENFORCE_ROLE_MAPPING -> "if true (default), restricts roles available by the IdP to the role defined in mapping entitlement. Else the map provides alias for Rudder internal role names."
+    A_NAME                    -> "human readable name to use in the button 'login with XXXX'",
+    A_CLIENT_ID               -> "id generated in the Oauth2 service provider to identify rudder as a client app",
+    A_CLIENT_SECRET           -> "the corresponding secret key",
+    A_CLIENT_REDIRECT         -> "rudder URL to redirect to once authentication is done on the provider (must be resolvable from user browser)",
+    A_AUTH_METHOD             -> s"authentication method to use (${authMethods.map(_.getValue).mkString(",")})",
+    A_GRANT_TYPE              -> s"authorization grant type to use (${grantTypes.map(_.getValue).mkString(",")}",
+    A_INFO_MESSAGE            -> "message displayed in the login form, for example to tell the user what login he must use",
+    A_SCOPE                   -> "data scope to request access to",
+    A_AUDIENCE_CHECK          -> "(default 'true') in the case of JWT, does Rudder need to check the 'aud' claim of the token?",
+    A_AUDIENCE_VALUE          -> "(default 'io.rudder.api') in the case of JWT, the audience value that the token must have to be given access to an API",
+    A_TENANTS_ENABLED         -> "(default false) if enable, restrict the authentication to the provided list of tenants",
+    A_TENANTS_ATTRIBUTE       -> "(default '') the name of the attribute containing the list of authorized tenants",
+    A_TENANTS_OVERRIDE        -> "(default false) keep user configured tenants in rudder-user.xml or override them with the one provided in the token",
+    A_TENANTS_MAPPING         -> s"(optional) provides a map of alias `IdP tenant name` -> `Rudder tenant name`, where each IdP tenant name is a sub-key of '${A_TENANTS_MAPPING}'",
+    A_TENANTS_REVERSE_MAPPING -> s"(optional) provides a map of alias `Rudder tenant name` -> `IdP tenant name`, where each IdP tenant name is a sub-key of '${A_TENANTS_MAPPING}', useful when the IdP tenant name contains '='",
+    A_ENFORCE_TENANTS_MAPPING -> "(default true) if true, restricts roles available by the IdP to the role defined in mapping entitlement. Else the map provides alias for Rudder internal role names.",
+    A_URI_AUTH                -> "provider URL to contact for main authentication (see provider documentation)",
+    A_URI_TOKEN               -> "provider URL to contact for token verification (see provider documentation)",
+    A_URI_USER_INFO           -> "provider URL to contact to get user information (see provider documentation)",
+    A_URI_JWK_SET             -> "provider URL to check signature of JWT token (see provider documentation)",
+    A_URI_LOGOUT              -> "(optional) provider URL to logout and end session (see provider documentation).",
+    A_URI_LOGOUT_REDIRECT     -> "(optional) the redirect URL to provide to the IdP after logout",
+    A_URI_INTROSPECT          -> "in case of opaque access bearer token, the introspect URL on which the token must be validated",
+    A_PIVOT_ATTRIBUTE         -> "the attribute used to find local app user (OIDC user authentication) or the local API token (opaque bearer token)",
+    A_ROLES_ENABLED           -> "(default false) enable custom role extension by OIDC",
+    A_ROLES_ATTRIBUTE         -> "the attribute to use for list of custom role name. It's content in token must be a array of strings.",
+    A_ROLES_OVERRIDE          -> "(default false) keep user configured roles in rudder-user.xml or override them with the one provided in the token",
+    A_PROVISIONING            -> "(default false) allows the automatic creation of users in Rudder in they successfully authenticate with OIDC",
+    A_ROLES_MAPPING           -> s"(optional) provides a map of alias `IdP role name` -> `Rudder role name`, where each IdP role name is a sub-key of '${A_ROLES_MAPPING}'",
+    A_ROLES_REVERSE_MAPPING   -> s"(optional) provides a map of alias `Rudder role name` -> `IdP role name`, where each IdP role name is a sub-key of '${A_ROLES_MAPPING}', useful when the IdP role name contains '='",
+    A_ENFORCE_ROLES_MAPPING   -> "(default true) if true, restricts roles available by the IdP to the role defined in mapping entitlement. Else the map provides alias for Rudder internal role names."
   )
 
   def parseAuthenticationMethod(method: String): PureResult[ClientAuthenticationMethod] = {
@@ -172,7 +288,7 @@ object RudderPropertyBasedOAuth2RegistrationDefinition {
           case _                               =>
             Left(
               Inconsistency(
-                s"Requested OAUTh2 authentication methods '${method}' is not recognized, please use one of: ${authMethods.map(_.getValue).mkString("'", "','", "'")}"
+                s"Requested OAUTH2 authentication methods '${method}' is not recognized, please use one of: ${authMethods.map(_.getValue).mkString("'", "','", "'")}"
               )
             )
         }
@@ -185,7 +301,7 @@ object RudderPropertyBasedOAuth2RegistrationDefinition {
       case None    =>
         Left(
           Inconsistency(
-            s"Requested OAUTh2 authorization grant type '${grant}' is not recognized, please use one of: ${grantTypes.map(_.getValue).mkString("'", "','", "'")}"
+            s"Requested OAUTH2 authorization grant type '${grant}' is not recognized, please use one of: ${grantTypes.map(_.getValue).mkString("'", "','", "'")}"
           )
         )
       case Some(m) => Right(m)
@@ -222,97 +338,81 @@ object RudderPropertyBasedOAuth2RegistrationDefinition {
     }
   }
 
-  def readOneRegistration(id: String, config: Config): IOResult[RudderClientRegistration] = {
+  // utility method that read key in config and fails with an error message if
+  // not found.
+  protected[authbackends] def read(key: String)(implicit base: BasePath, config: Config): IOResult[String] = {
+    val path = base.path(key)
+    IOResult.attempt(s"Missing key '${path}' for registration '${base.id}' (${registrationAttributes(key)})")(
+      config.getString(path)
+    )
+  }
 
-    // utility method that read key in config and fails with an error message if
-    // not found.
-    def read(key: String): IOResult[String] = {
-      val path = baseProperty + "." + id + "." + key
-      IOResult.attempt(s"Missing key '${path}' for OAUTH2 registration '${id}' (${registrationAttributes(key)})")(
-        config.getString(path)
-      )
-    }
+  protected[authbackends] def toBool(s: String) = s.toLowerCase match {
+    case "true" => true
+    case _      => false
+  }
 
-    def toBool(s: String) = s.toLowerCase match {
-      case "true" => true
-      case _      => false
-    }
-    def readMap(key: String): IOResult[Map[String, String]] = {
-      val path = baseProperty + "." + id + "." + key
-      import scala.jdk.CollectionConverters.*
-      for {
-        keySet <- IOResult
-                    .attempt(s"Missing key '${path}' for OAUTH2 registration '${id}' (${registrationAttributes(key)})")(
-                      config.getConfig(path).entrySet().asScala.map(_.getKey()).toList
-                    )
-                    .catchAll(_ =>
-                      List().succeed
-                    ) // in that case, we suppose that the key is just missing so we return a default empty value for mapping
-        values <- ZIO.foreach(keySet) { key =>
-                    val wholeKey = path + "." + key
-                    IOResult.attempt(s"Error when reading role entitlement mapping '${wholeKey}'") {
-                      (key, config.getString(wholeKey))
-                    }
+  protected[authbackends] def readMap(
+      key: String
+  )(implicit base: BasePath, config: Config): IOResult[Map[String, String]] = {
+    val path = base.path(key)
+    import scala.jdk.CollectionConverters.*
+    for {
+      keySet <- IOResult
+                  .attempt(s"Missing key '${path}' for OAUTH2 registration '${base.id}' (${registrationAttributes(key)})")(
+                    config.getConfig(path).entrySet().asScala.map(_.getKey()).toList
+                  )
+                  .catchAll(_ =>
+                    List().succeed
+                  ) // in that case, we suppose that the key is just missing so we return a default empty value for mapping
+      values <- ZIO.foreach(keySet) { key =>
+                  val wholeKey = path + "." + key
+                  IOResult.attempt(s"Error when reading role entitlement mapping '${wholeKey}'") {
+                    (key, config.getString(wholeKey))
                   }
-      } yield values.toMap
+                }
+    } yield values.toMap
+  }
+
+  protected[authbackends] def readRoles()(implicit base: BasePath, config: Config): IOResult[ProvidedRoles] = {
+    for {
+      rolesEnabled       <- read(A_ROLES_ENABLED).catchAll(_ => "false".succeed)
+      rolesAttr          <- read(A_ROLES_ATTRIBUTE).catchAll(_ => "".succeed)
+      rolesOverride      <- read(A_ROLES_OVERRIDE).catchAll(_ => "false".succeed)
+      enforceRoleMapping <- read(A_ENFORCE_ROLES_MAPPING).catchAll(_ => "false".succeed)
+      mapping            <- readMap(A_ROLES_MAPPING)
+      reverseMapping     <- readMap(A_ROLES_REVERSE_MAPPING)
+    } yield {
+      ProvidedRoles(
+        toBool(rolesEnabled),
+        rolesAttr,
+        toBool(rolesOverride),
+        toBool(enforceRoleMapping),
+        mapping ++ reverseMapping.map { case (a, b) => (b, a) }
+      )
     }
+  }
 
+  protected[authbackends] def readTenants()(implicit base: BasePath, config: Config): IOResult[ProvidedTenants] = {
     for {
-      name                <- read(A_NAME)
-      clientId            <- read(A_CLIENT_ID)
-      clientSecret        <- read(A_CLIENT_SECRET)
-      clientRedirect      <- read(A_CLIENT_REDIRECT)
-      authMethod          <- read(A_AUTH_METHOD).flatMap(parseAuthenticationMethod(_).toIO)
-      grantTypes          <- read(A_GRANT_TYPE).flatMap(parseAuthorizationGrantType(_).toIO)
-      infoMessage         <- read(A_INFO_MESSAGE)
-      scopes              <- read(A_SCOPE).flatMap(parseScope(_))
-      uriAuth             <- read(A_URI_AUTH)
-      uriToken            <- read(A_URI_TOKEN)
-      uriUserInfo         <- read(A_URI_USER_INFO)
-      pivotAttr           <- read(A_PIVOT_ATTR)
-      jwkSetUri           <- read(A_URI_JWK_SET)
-      logoutUri           <- read(A_URI_LOGOUT).fold(_ => Option.empty[String], Some(_))
-      logoutUriRedirect   <- read(A_URI_LOGOUT_REDIRECT).fold(_ => Option.empty[String], Some(_))
-      rolesEnabled        <- read(A_ROLES_ENABLED).catchAll(_ => "false".succeed)
-      rolesAttr           <- read(A_ROLES_ATTRIBUTE).catchAll(_ => "".succeed)
-      rolesOverride       <- read(A_ROLES_OVERRIDE).catchAll(_ => "false".succeed)
-      provisioningAllowed <- read(A_PROVISIONING).catchAll(_ => "false".succeed)
-      enforceRoleMapping  <- read(A_ENFORCE_ROLE_MAPPING).catchAll(_ => "false".succeed)
-      roleMapping         <- readMap(A_ROLE_MAPPING)
-      roleReverseMapping  <- readMap(A_ROLE_REVERSE_MAPPING)
+      tenantsEnabled     <- read(A_TENANTS_ENABLED).catchAll(_ => "false".succeed)
+      tenantsAttr        <- read(A_TENANTS_ATTRIBUTE).catchAll(_ => "".succeed)
+      tenantsOverride    <- read(A_TENANTS_OVERRIDE).catchAll(_ => "false".succeed)
+      enforceRoleMapping <- read(A_ENFORCE_TENANTS_MAPPING).catchAll(_ => "false".succeed)
+      mapping            <- readMap(A_TENANTS_MAPPING)
+      reverseMapping     <- readMap(A_TENANTS_REVERSE_MAPPING)
     } yield {
-      RudderClientRegistration(
-        ClientRegistration
-          .withRegistrationId(id)
-          .clientId(clientId)
-          .clientSecret(clientSecret)
-          .clientAuthenticationMethod(authMethod)
-          .authorizationGrantType(grantTypes)
-          .redirectUri(clientRedirect)
-          .scope(scopes*)
-          .authorizationUri(uriAuth)
-          .tokenUri(uriToken)
-          .userInfoUri(uriUserInfo)
-          .userNameAttributeName(pivotAttr)
-          .clientName(name)
-          .jwkSetUri(jwkSetUri)
-          .build(),
-        logoutUri,
-        logoutUriRedirect,
-        infoMessage,
-        OIDCProvidedRole(
-          toBool(rolesEnabled),
-          rolesAttr,
-          toBool(rolesOverride)
-        ),
-        toBool(provisioningAllowed),
+      ProvidedTenants(
+        toBool(tenantsEnabled),
+        tenantsAttr,
+        toBool(tenantsOverride),
         toBool(enforceRoleMapping),
-        roleMapping ++ roleReverseMapping.map { case (a, b) => (b, a) }
+        mapping ++ reverseMapping.map { case (a, b) => (b, a) }
       )
     }
   }
 
-  def readProviders(config: Config): IOResult[List[String]] = {
+  def readProviders(config: Config, baseProperty: String): IOResult[List[String]] = {
     val path = baseProperty + ".registrations"
     IOResult.attempt(
       s"Missing property '${path}' which define the comma separated list of provider registration to use for OAUTH2."
@@ -320,22 +420,56 @@ object RudderPropertyBasedOAuth2RegistrationDefinition {
       config.getString(path).split(",").map(_.trim).toList
     )
   }
+}
+
+/*
+ * Client registration definition based on rudder property file:
+ * - read property `rudder.auth.{oauth2,jwt}.client.registrations` which give a comma-separated
+ *   list of client registration to oauth2 providers
+ * - for each registration, read the needed properties based on template
+ *   `rudder.auth.{oauth2,jwt}.client.${registration}.${propertyName}`
+ */
+
+// a base trait for common methods
+trait RudderPropertyBasedRegistration[A <: RudderOAuth2Registration] {
+
+  /*
+   * Name of the authentication kind to use in logs
+   */
+  def registrationLogName: String
+  /*
+   * Name of the root path used for the base property.
+   */
+  def baseProperty:        String
+
+  /*
+   * The list of registration for that kind of JWT/OAuth2 authentication
+   */
+  def registrations: Ref[List[(String, A)]]
+
+  /*
+   * How to decode one authentication
+   */
+  def readOneRegistration(id: String, config: Config): IOResult[A]
 
   /*
    * Read the whole set of providers with their registrations.
    * We return a list to keep the order provided in the config file.
    */
-  def readAllRegistrations(config: Config): IOResult[List[(String, RudderClientRegistration)]] = {
+  def readAllRegistrations(
+      config:              Config,
+      readOneRegistration: (String, Config) => IOResult[A]
+  ): IOResult[List[(String, A)]] = {
     for {
       // we don't want to fail if the list of provider is missing, just log it as a warning
-      providers     <- readProviders(config)
+      providers     <- readProviders(config, baseProperty)
       // we don't want to fail if one of the registration is not ok, just log it
-      _             <- AuthBackendsLoggerPure.info(s"List of configured providers for oauth2/OpenIDConnect: ${providers.mkString(", ")}")
+      _             <- AuthBackendsLoggerPure.info(s"List of configured providers for ${registrationLogName}: ${providers.mkString(", ")}")
       registrations <- ZIO.foreach(providers) { p =>
                          readOneRegistration(p, config).foldZIO(
                            err =>
                              AuthBackendsLoggerPure.error(
-                               s"Error when reading OAUTH2 configuration for registration to '${p}' provider: ${err.fullMsg}'"
+                               s"Error when reading ${registrationLogName} configuration for registration to '${p}' provider: ${err.fullMsg}'"
                              ) *>
                              None.succeed,
                            res => {
@@ -347,6 +481,132 @@ object RudderPropertyBasedOAuth2RegistrationDefinition {
     } yield registrations.flatten
   }
 
+  /*
+   * read information from config and update internal cache
+   */
+  def updateRegistration(config: Config): IOResult[Unit]
+
+}
+
+object RudderPropertyBasedJwtRegistrationDefinition {
+
+  private val baseProperty        = "rudder.auth.oauth2.jwt.provider"
+  private val registrationLogName = "OAuth2 JWT"
+
+  def make(): IOResult[RudderPropertyBasedJwtRegistrationDefinition] = {
+    for {
+      ref <- Ref.make(List.empty[(String, RudderJwtRegistration)])
+    } yield {
+      new RudderPropertyBasedJwtRegistrationDefinition(ref)
+    }
+  }
+
+}
+
+class RudderPropertyBasedJwtRegistrationDefinition(val registrations: Ref[List[(String, RudderJwtRegistration)]])
+    extends RudderPropertyBasedRegistration[RudderJwtRegistration] {
+
+  import com.normation.plugins.authbackends.RudderRegistrationPropertyCommon.*
+
+  override def baseProperty:        String = RudderPropertyBasedJwtRegistrationDefinition.baseProperty
+  override def registrationLogName: String = RudderPropertyBasedJwtRegistrationDefinition.registrationLogName
+
+  def updateRegistration(config: Config): IOResult[Unit] = {
+    for {
+      newOnes <- readAllRegistrations(config, readOneRegistration)
+      _       <- registrations.set(newOnes)
+    } yield ()
+  }
+
+  def readOneRegistration(id: String, config: Config): IOResult[RudderJwtRegistration] = {
+    implicit val base = BasePath(baseProperty, id)
+    implicit val c    = config
+
+    for {
+      jwkSetUri      <- read(A_URI_JWK_SET)
+      checkAudience  <- read(A_AUDIENCE_CHECK).catchAll(_ => "true".succeed)
+      audienceValue  <- read(A_AUDIENCE_VALUE).catchAll(_ => "io.rudder.api".succeed)
+      pivotAttribute <- read(A_PIVOT_ATTRIBUTE).catchAll(_ => RudderJwtRegistration.defaultPivotAttribute.succeed)
+      roles          <- readRoles()
+      tenants        <- readTenants()
+    } yield {
+      RudderJwtRegistration(
+        id,
+        jwkSetUri,
+        pivotAttribute,
+        JwtAudience(toBool(checkAudience), audienceValue),
+        roles,
+        tenants
+      )
+    }
+  }
+}
+
+/*
+ * Registration for opaque access tokens
+ */
+object RudderPropertyBasedOpaqueTokenRegistrationDefinition {
+
+  private val baseProperty        = "rudder.auth.oauth2.opaque.provider"
+  private val registrationLogName = "OAuth2 Opaque Access Token"
+
+  def make(): IOResult[RudderPropertyBasedOpaqueTokenRegistrationDefinition] = {
+    for {
+      ref <- Ref.make(List.empty[(String, RudderOpaqueTokenRegistration)])
+    } yield {
+      new RudderPropertyBasedOpaqueTokenRegistrationDefinition(ref)
+    }
+  }
+
+}
+
+class RudderPropertyBasedOpaqueTokenRegistrationDefinition(val registrations: Ref[List[(String, RudderOpaqueTokenRegistration)]])
+    extends RudderPropertyBasedRegistration[RudderOpaqueTokenRegistration] {
+
+  import com.normation.plugins.authbackends.RudderRegistrationPropertyCommon.*
+
+  override def baseProperty:        String = RudderPropertyBasedOpaqueTokenRegistrationDefinition.baseProperty
+  override def registrationLogName: String = RudderPropertyBasedOpaqueTokenRegistrationDefinition.registrationLogName
+
+  def updateRegistration(config: Config): IOResult[Unit] = {
+    for {
+      newOnes <- readAllRegistrations(config, readOneRegistration)
+      _       <- registrations.set(newOnes)
+    } yield ()
+  }
+
+  def readOneRegistration(id: String, config: Config): IOResult[RudderOpaqueTokenRegistration] = {
+    implicit val base = BasePath(baseProperty, id)
+    implicit val c    = config
+
+    for {
+      clientId       <- read(A_CLIENT_ID)
+      clientSecret   <- read(A_CLIENT_SECRET)
+      introspectUri  <- read(A_URI_INTROSPECT)
+      pivotAttribute <- read(A_PIVOT_ATTRIBUTE).catchAll(_ => RudderOpaqueTokenRegistration.defaultPivotAttribute.succeed)
+    } yield {
+      RudderOpaqueTokenRegistration(
+        id,
+        clientId,
+        clientSecret,
+        introspectUri,
+        pivotAttribute
+      )
+    }
+  }
+}
+
+/*
+ * Client registration definition based on rudder property file:
+ * - read property `rudder.auth.oauth2.client.registrations` which give a comma-separated
+ *   list of client registration to oauth2 providers
+ * - for each registration, read the needed properties based on template
+ *   `rudder.auth.oauth2.client.${registration}.${propertyName}`
+ */
+object RudderPropertyBasedOAuth2RegistrationDefinition {
+  private val baseProperty        = "rudder.auth.oauth2.provider"
+  private val registrationLogName = "OAuth2/OIDC"
+
   def make(): IOResult[RudderPropertyBasedOAuth2RegistrationDefinition] = {
     for {
       ref <- Ref.make(List.empty[(String, RudderClientRegistration)])
@@ -354,18 +614,22 @@ object RudderPropertyBasedOAuth2RegistrationDefinition {
       new RudderPropertyBasedOAuth2RegistrationDefinition(ref)
     }
   }
-
 }
 
-class RudderPropertyBasedOAuth2RegistrationDefinition(val registrations: Ref[List[(String, RudderClientRegistration)]]) {
-  import RudderPropertyBasedOAuth2RegistrationDefinition.*
+class RudderPropertyBasedOAuth2RegistrationDefinition(val registrations: Ref[List[(String, RudderClientRegistration)]])
+    extends RudderPropertyBasedRegistration[RudderClientRegistration] {
+
+  import com.normation.plugins.authbackends.RudderRegistrationPropertyCommon.*
+
+  override def baseProperty:        String = RudderPropertyBasedOAuth2RegistrationDefinition.baseProperty
+  override def registrationLogName: String = RudderPropertyBasedOAuth2RegistrationDefinition.registrationLogName
 
   /*
    * read information from config and update internal cache
    */
-  def updateRegistration(config: Config): IOResult[Unit] = {
+  override def updateRegistration(config: Config): IOResult[Unit] = {
     for {
-      newOnes <- readAllRegistrations(config)
+      newOnes <- readAllRegistrations(config, readOneRegistration)
       _       <- registrations.set(newOnes)
       // for each oauthRegistration, register a logout action
       _       <- ZIO.foreach(newOnes) {
@@ -383,4 +647,54 @@ class RudderPropertyBasedOAuth2RegistrationDefinition(val registrations: Ref[Lis
     } yield ()
   }
 
+  override def readOneRegistration(id: String, config: Config): IOResult[RudderClientRegistration] = {
+    implicit val base = BasePath(baseProperty, id)
+    implicit val c    = config
+
+    for {
+      name                <- read(A_NAME)
+      clientId            <- read(A_CLIENT_ID)
+      clientSecret        <- read(A_CLIENT_SECRET)
+      clientRedirect      <- read(A_CLIENT_REDIRECT)
+      authMethod          <- read(A_AUTH_METHOD).flatMap(parseAuthenticationMethod(_).toIO)
+      grantTypes          <- read(A_GRANT_TYPE).flatMap(parseAuthorizationGrantType(_).toIO)
+      infoMessage         <- read(A_INFO_MESSAGE)
+      scopes              <- read(A_SCOPE).flatMap(parseScope)
+      uriAuth             <- read(A_URI_AUTH)
+      uriToken            <- read(A_URI_TOKEN)
+      uriUserInfo         <- read(A_URI_USER_INFO)
+      pivotAttr           <- read(A_PIVOT_ATTRIBUTE)
+      jwkSetUri           <- read(A_URI_JWK_SET)
+      logoutUri           <- read(A_URI_LOGOUT).fold(_ => Option.empty[String], Some(_))
+      logoutUriRedirect   <- read(A_URI_LOGOUT_REDIRECT).fold(_ => Option.empty[String], Some(_))
+      roles               <- readRoles()
+      tenants             <- readTenants()
+      provisioningAllowed <- read(A_PROVISIONING).catchAll(_ => "false".succeed)
+    } yield {
+      RudderClientRegistration(
+        ClientRegistration
+          .withRegistrationId(id)
+          .clientId(clientId)
+          .clientSecret(clientSecret)
+          .clientAuthenticationMethod(authMethod)
+          .authorizationGrantType(grantTypes)
+          .redirectUri(clientRedirect)
+          .scope(scopes*)
+          .authorizationUri(uriAuth)
+          .tokenUri(uriToken)
+          .userInfoUri(uriUserInfo)
+          .userNameAttributeName(pivotAttr)
+          .clientName(name)
+          .jwkSetUri(jwkSetUri)
+          .build(),
+        logoutUri,
+        logoutUriRedirect,
+        infoMessage,
+        roles,
+        toBool(provisioningAllowed),
+        tenants
+      )
+    }
+  }
+
 }
diff --git a/auth-backends/src/main/scala/com/normation/plugins/authbackends/snippet/Oauth2LoginBanner.scala b/auth-backends/src/main/scala/com/normation/plugins/authbackends/snippet/Oauth2LoginBanner.scala
index be0f6015e..b23cb89cf 100644
--- a/auth-backends/src/main/scala/com/normation/plugins/authbackends/snippet/Oauth2LoginBanner.scala
+++ b/auth-backends/src/main/scala/com/normation/plugins/authbackends/snippet/Oauth2LoginBanner.scala
@@ -40,7 +40,6 @@ package com.normation.plugins.authbackends.snippet
 import bootstrap.rudder.plugin.AuthBackendsConf
 import com.normation.plugins.PluginExtensionPoint
 import com.normation.plugins.PluginStatus
-import com.normation.plugins.PluginVersion
 import com.normation.plugins.authbackends.LoginFormRendering
 import com.normation.plugins.authbackends.RudderPropertyBasedOAuth2RegistrationDefinition
 import com.normation.rudder.web.snippet.Login
@@ -53,7 +52,6 @@ import scala.xml.NodeSeq
 
 class Oauth2LoginBanner(
     val status:    PluginStatus,
-    version:       PluginVersion,
     registrations: RudderPropertyBasedOAuth2RegistrationDefinition
 )(implicit val ttag: ClassTag[Login])
     extends PluginExtensionPoint[Login] {
diff --git a/auth-backends/src/main/scala/org/springframework/security/oauth2/server/resource/authentication/DefaultOpaqueTokenAuthenticationConverter.scala b/auth-backends/src/main/scala/org/springframework/security/oauth2/server/resource/authentication/DefaultOpaqueTokenAuthenticationConverter.scala
new file mode 100644
index 000000000..9b7b0dc91
--- /dev/null
+++ b/auth-backends/src/main/scala/org/springframework/security/oauth2/server/resource/authentication/DefaultOpaqueTokenAuthenticationConverter.scala
@@ -0,0 +1,51 @@
+/*
+ *************************************************************************************
+ * Copyright 2025 Normation SAS
+ *************************************************************************************
+ *
+ * This file is part of Rudder.
+ *
+ * Rudder is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * In accordance with the terms of section 7 (7. Additional Terms.) of
+ * the GNU General Public License version 3, the copyright holders add
+ * the following Additional permissions:
+ * Notwithstanding to the terms of section 5 (5. Conveying Modified Source
+ * Versions) and 6 (6. Conveying Non-Source Forms.) of the GNU General
+ * Public License version 3, when you create a Related Module, this
+ * Related Module is not considered as a part of the work and may be
+ * distributed under the license agreement of your choice.
+ * A "Related Module" means a set of sources files including their
+ * documentation that, without modification of the Source Code, enables
+ * supplementary functions or services in addition to those offered by
+ * the Software.
+ *
+ * Rudder is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Rudder.  If not, see <http://www.gnu.org/licenses/>.
+
+ *
+ *************************************************************************************
+ */
+
+package org.springframework.security.oauth2.server.resource.authentication
+
+import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal
+
+/*
+ * This class exists only to be able to access Spring default implementation
+ * of opaque bearer token convert which exists in `OpaqueTokenAuthenticationProvider`
+ * as a package private static method.
+ */
+
+object DefaultOpaqueTokenAuthenticationConverter {
+  def convert(introspectedToken: String, authenticatedPrincipal: OAuth2AuthenticatedPrincipal): BearerTokenAuthentication =
+    OpaqueTokenAuthenticationProvider.convert(introspectedToken, authenticatedPrincipal)
+}
diff --git a/auth-backends/src/test/resources/jwt/jwt_reverse_role_mapping.properties b/auth-backends/src/test/resources/jwt/jwt_reverse_role_mapping.properties
new file mode 100644
index 000000000..21b39d979
--- /dev/null
+++ b/auth-backends/src/test/resources/jwt/jwt_reverse_role_mapping.properties
@@ -0,0 +1,18 @@
+rudder.auth.oauth2.jwt.provider.registrations=someidp
+rudder.auth.oauth2.jwt.provider.someidp.name=Some ID
+rudder.auth.oauth2.jwt.provider.someidp.uri.jwkSet="https://someidp/oauth2/v1/keys"
+rudder.auth.oauth2.jwt.provider.someidp.audience=io.rudder.api
+rudder.auth.oauth2.jwt.provider.someidp.roles.attribute=customroles
+rudder.auth.oauth2.jwt.provider.someidp.roles.mapping.enforced=true
+rudder.auth.oauth2.jwt.provider.someidp.roles.mapping.entitlements.rudder_admin=administrator
+rudder.auth.oauth2.jwt.provider.someidp.roles.mapping.entitlements.rudder_readonly=readonly
+rudder.auth.oauth2.jwt.provider.someidp.roles.mapping.reverseEntitlements.readonlyOVERRIDDEN=rudder_readonly
+rudder.auth.oauth2.jwt.provider.someidp.roles.mapping.reverseEntitlements.administrator=CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu
+rudder.auth.oauth2.jwt.provider.someidp.tenants.enabled=true
+rudder.auth.oauth2.jwt.provider.someidp.tenants.attribute=customtenants
+rudder.auth.oauth2.jwt.provider.someidp.tenants.override=true
+rudder.auth.oauth2.jwt.provider.someidp.tenants.mapping.enforced=true
+rudder.auth.oauth2.jwt.provider.someidp.tenants.mapping.entitlements.rudder_TA=TA
+rudder.auth.oauth2.jwt.provider.someidp.tenants.mapping.entitlements.rudder_TB=TB
+rudder.auth.oauth2.jwt.provider.someidp.tenants.mapping.reverseEntitlements.TB_OVERRIDDEN=rudder_TB
+rudder.auth.oauth2.jwt.provider.someidp.tenants.mapping.reverseEntitlements.TA=CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu
diff --git a/auth-backends/src/test/resources/jwt/jwt_simple.properties b/auth-backends/src/test/resources/jwt/jwt_simple.properties
new file mode 100644
index 000000000..9f0e4624d
--- /dev/null
+++ b/auth-backends/src/test/resources/jwt/jwt_simple.properties
@@ -0,0 +1,14 @@
+rudder.auth.oauth2.jwt.provider.registrations=someidp
+rudder.auth.oauth2.jwt.provider.someidp.name=Some ID
+rudder.auth.oauth2.jwt.provider.someidp.uri.jwkSet="https://someidp/oauth2/v1/keys"
+rudder.auth.oauth2.jwt.provider.someidp.audience=io.rudder.api
+rudder.auth.oauth2.jwt.provider.someidp.roles.attribute=customroles
+rudder.auth.oauth2.jwt.provider.someidp.roles.mapping.enforced=true
+rudder.auth.oauth2.jwt.provider.someidp.roles.mapping.entitlements.rudder_admin=administrator
+rudder.auth.oauth2.jwt.provider.someidp.roles.mapping.entitlements.rudder_readonly=readonly
+rudder.auth.oauth2.jwt.provider.someidp.tenants.enabled=true
+rudder.auth.oauth2.jwt.provider.someidp.tenants.attribute=customtenants
+rudder.auth.oauth2.jwt.provider.someidp.tenants.override=true
+rudder.auth.oauth2.jwt.provider.someidp.tenants.mapping.enforced=true
+rudder.auth.oauth2.jwt.provider.someidp.tenants.mapping.entitlements.rudder_TA=TA
+rudder.auth.oauth2.jwt.provider.someidp.tenants.mapping.entitlements.rudder_TB=TB
diff --git a/auth-backends/src/test/resources/oidc/oidc_reverse_role_mapping.properties b/auth-backends/src/test/resources/oidc/oidc_reverse_role_mapping.properties
index ac78ea06b..25da1288d 100644
--- a/auth-backends/src/test/resources/oidc/oidc_reverse_role_mapping.properties
+++ b/auth-backends/src/test/resources/oidc/oidc_reverse_role_mapping.properties
@@ -21,3 +21,11 @@ rudder.auth.oauth2.provider.someidp.roles.mapping.entitlements.rudder_readonly=r
 rudder.auth.oauth2.provider.someidp.roles.mapping.reverseEntitlements.readonlyOVERRIDDEN=rudder_readonly
 rudder.auth.oauth2.provider.someidp.roles.mapping.reverseEntitlements.administrator=CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu
 rudder.auth.oauth2.provider.someidp.enableProvisioning=true
+rudder.auth.oauth2.provider.someidp.tenants.enabled=true
+rudder.auth.oauth2.provider.someidp.tenants.attribute=customtenants
+rudder.auth.oauth2.provider.someidp.tenants.override=true
+rudder.auth.oauth2.provider.someidp.tenants.mapping.enforced=true
+rudder.auth.oauth2.provider.someidp.tenants.mapping.entitlements.rudder_TA=TA
+rudder.auth.oauth2.provider.someidp.tenants.mapping.entitlements.rudder_TB=TB
+rudder.auth.oauth2.provider.someidp.tenants.mapping.reverseEntitlements.TB_OVERRIDDEN=rudder_TB
+rudder.auth.oauth2.provider.someidp.tenants.mapping.reverseEntitlements.TA=CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu
diff --git a/auth-backends/src/test/resources/oidc/oidc_simple.properties b/auth-backends/src/test/resources/oidc/oidc_simple.properties
index 9841a76a0..d5265174d 100644
--- a/auth-backends/src/test/resources/oidc/oidc_simple.properties
+++ b/auth-backends/src/test/resources/oidc/oidc_simple.properties
@@ -19,3 +19,9 @@ rudder.auth.oauth2.provider.someidp.roles.mapping.enforced=true
 rudder.auth.oauth2.provider.someidp.roles.mapping.entitlements.rudder_admin=administrator
 rudder.auth.oauth2.provider.someidp.roles.mapping.entitlements.rudder_readonly=readonly
 rudder.auth.oauth2.provider.someidp.enableProvisioning=true
+rudder.auth.oauth2.provider.someidp.tenants.enabled=true
+rudder.auth.oauth2.provider.someidp.tenants.attribute=customtenants
+rudder.auth.oauth2.provider.someidp.tenants.override=true
+rudder.auth.oauth2.provider.someidp.tenants.mapping.enforced=true
+rudder.auth.oauth2.provider.someidp.tenants.mapping.entitlements.rudder_TA=TA
+rudder.auth.oauth2.provider.someidp.tenants.mapping.entitlements.rudder_TB=TB
diff --git a/auth-backends/src/test/resources/oidc/oidc_tenants.properties b/auth-backends/src/test/resources/oidc/oidc_tenants.properties
new file mode 100644
index 000000000..c6ce29e64
--- /dev/null
+++ b/auth-backends/src/test/resources/oidc/oidc_tenants.properties
@@ -0,0 +1,29 @@
+rudder.auth.oauth2.provider.registrations=someidp
+rudder.auth.oauth2.provider.someidp.name=Some ID
+rudder.auth.oauth2.provider.someidp.ui.infoMessage="Hey, log in to Some Idp!"
+rudder.auth.oauth2.provider.someidp.client.id=xxxClientIdxxx
+rudder.auth.oauth2.provider.someidp.client.secret=xxxClientPassxxx
+rudder.auth.oauth2.provider.someidp.scope=openid email profile groups
+rudder.auth.oauth2.provider.someidp.userNameAttributeName=email
+rudder.auth.oauth2.provider.someidp.uri.auth="https://someidp/oauth2/v1/authorize"
+rudder.auth.oauth2.provider.someidp.uri.token="https://someidp/oauth2/v1/token"
+rudder.auth.oauth2.provider.someidp.uri.userInfo="https://someidp/oauth2/v1/userinfo"
+rudder.auth.oauth2.provider.someidp.uri.jwkSet="https://someidp/oauth2/v1/keys"
+rudder.auth.oauth2.provider.someidp.client.redirect="{baseUrl}/login/oauth2/code/{registrationId}"
+rudder.auth.oauth2.provider.someidp.grantType=authorization_code
+rudder.auth.oauth2.provider.someidp.authMethod=basic
+rudder.auth.oauth2.provider.someidp.roles.enabled=true
+rudder.auth.oauth2.provider.someidp.roles.attribute=customroles
+rudder.auth.oauth2.provider.someidp.roles.override=true
+rudder.auth.oauth2.provider.someidp.roles.mapping.enforced=true
+rudder.auth.oauth2.provider.someidp.roles.mapping.entitlements.rudder_admin=administrator
+rudder.auth.oauth2.provider.someidp.roles.mapping.entitlements.rudder_readonly=readonly
+rudder.auth.oauth2.provider.someidp.enableProvisioning=true
+rudder.auth.oauth2.provider.someidp.tenants.enabled=true
+rudder.auth.oauth2.provider.someidp.tenants.attribute=customtenants
+rudder.auth.oauth2.provider.someidp.tenants.override=true
+rudder.auth.oauth2.provider.someidp.tenants.mapping.enforced=true
+rudder.auth.oauth2.provider.someidp.tenants.mapping.entitlements.rudder_TA=TA
+rudder.auth.oauth2.provider.someidp.tenants.mapping.entitlements.rudder_TB=TB
+rudder.auth.oauth2.provider.someidp.tenants.mapping.entitlements.rudder_all=*
+rudder.auth.oauth2.provider.someidp.tenants.mapping.entitlements.rudder_none=-
diff --git a/auth-backends/src/test/resources/opaque/opaque.properties b/auth-backends/src/test/resources/opaque/opaque.properties
new file mode 100644
index 000000000..ba4a06d03
--- /dev/null
+++ b/auth-backends/src/test/resources/opaque/opaque.properties
@@ -0,0 +1,5 @@
+rudder.auth.oauth2.opaque.provider.registrations=someidp
+rudder.auth.oauth2.opaque.provider.someidp.client.id=xxxClientIdxxx
+rudder.auth.oauth2.opaque.provider.someidp.client.secret=xxxClientPassxxx
+rudder.auth.oauth2.opaque.provider.someidp.uri.introspect=https://someidp/oauth2/v1/introspect
+rudder.auth.oauth2.opaque.provider.someidp.userNameAttributeName=email
diff --git a/auth-backends/src/test/resources/opaque/opaque_default.properties b/auth-backends/src/test/resources/opaque/opaque_default.properties
new file mode 100644
index 000000000..707baff24
--- /dev/null
+++ b/auth-backends/src/test/resources/opaque/opaque_default.properties
@@ -0,0 +1,4 @@
+rudder.auth.oauth2.opaque.provider.registrations=someidp
+rudder.auth.oauth2.opaque.provider.someidp.client.id=xxxClientIdxxx
+rudder.auth.oauth2.opaque.provider.someidp.client.secret=xxxClientPassxxx
+rudder.auth.oauth2.opaque.provider.someidp.uri.introspect=https://someidp/oauth2/v1/introspect
diff --git a/auth-backends/src/test/scala/com/normation/plugins/authbackends/TestReadOidcConfig.scala b/auth-backends/src/test/scala/com/normation/plugins/authbackends/TestReadOidcConfig.scala
index e8ddba33c..b775a8d56 100644
--- a/auth-backends/src/test/scala/com/normation/plugins/authbackends/TestReadOidcConfig.scala
+++ b/auth-backends/src/test/scala/com/normation/plugins/authbackends/TestReadOidcConfig.scala
@@ -36,11 +36,15 @@
  */
 package com.normation.plugins.authbackends
 
+import bootstrap.rudder.plugin.RudderTokenMapping
+import com.normation.rudder.facts.nodes.NodeSecurityContext
+import com.normation.rudder.tenants.TenantId
 import com.normation.zio.*
 import com.typesafe.config.ConfigFactory
 import org.junit.runner.RunWith
 import org.specs2.mutable.*
 import org.specs2.runner.JUnitRunner
+import zio.Chunk
 
 @RunWith(classOf[JUnitRunner])
 class TestReadOidcConfig extends Specification {
@@ -48,34 +52,157 @@ class TestReadOidcConfig extends Specification {
   // WARNING: HOCON doesn't behave the same if you read from a file or from a string, so for the test to be relevant,
   // we need to load from files.
 
-  "reading the configuration should works" >> {
+  "reading an OIDC configuration" should {
+    val registration = RudderPropertyBasedOAuth2RegistrationDefinition.make().runNow
 
-    val config = ConfigFactory.parseResources("oidc/oidc_simple.properties")
-    val regs   = RudderPropertyBasedOAuth2RegistrationDefinition.readAllRegistrations(config).runNow.toMap
+    "read the correct name" in {
+
+      val config = ConfigFactory.parseResources("oidc/oidc_simple.properties")
+      val regs   = registration.readAllRegistrations(config, registration.readOneRegistration).runNow.toMap
+
+      regs.keySet === Set("someidp")
+    }
+
+    "have two entitlements mapping" in {
+
+      val config = ConfigFactory.parseResources("oidc/oidc_simple.properties")
+      val regs   = registration.readAllRegistrations(config, registration.readOneRegistration).runNow.toMap
+
+      (regs("someidp").roles.mapping === Map(
+        "rudder_admin"    -> "administrator",
+        "rudder_readonly" -> "readonly"
+      )) and (regs("someidp").tenants.mapping === Map(
+        "rudder_TA" -> "TA",
+        "rudder_TB" -> "TB"
+      ))
+    }
+
+    "be able to use complex roles names with the reverse mapping" in {
+      val config = ConfigFactory.parseResources("oidc/oidc_reverse_role_mapping.properties")
+      val regs   = registration.readAllRegistrations(config, registration.readOneRegistration).runNow.toMap
+
+      (regs("someidp").roles.mapping === Map(
+        "rudder_admin"                                                                       -> "administrator",
+        "rudder_readonly"                                                                    -> "readonlyOVERRIDDEN",
+        "CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu" -> "administrator"
+      )) and (
+        regs("someidp").tenants.mapping === Map(
+          "rudder_TA"                                                                          -> "TA",
+          "rudder_TB"                                                                          -> "TB_OVERRIDDEN",
+          "CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu" -> "TA"
+        )
+      )
+    }
 
-    regs.keySet === Set("someidp")
   }
 
-  "we should have two entitlement mapping" >> {
+  "tenants mapping" should {
+    val config       = ConfigFactory.parseResources("oidc/oidc_tenants.properties")
+    val registration = RudderPropertyBasedOAuth2RegistrationDefinition.make().runNow
+    val regs         = registration.readAllRegistrations(config, registration.readOneRegistration).runNow.toMap
 
-    val config = ConfigFactory.parseResources("oidc/oidc_simple.properties")
-    val regs   = RudderPropertyBasedOAuth2RegistrationDefinition.readAllRegistrations(config).runNow.toMap
+    "work for simple tenants" in {
+      val tokenValues = Set("rudder_TA", "rudder_TB")
+      val tenants     =
+        RudderTokenMapping.getTenants(regs("someidp"), "user", "jwt", NodeSecurityContext.None)(_ => Some(tokenValues))
 
-    regs("someidp").roleMapping === Map(
-      "rudder_admin"    -> "administrator",
-      "rudder_readonly" -> "readonly"
-    )
+      tenants === NodeSecurityContext.ByTenants(Chunk(TenantId("TA"), TenantId("TB")))
+    }
+
+    "work for no tenants" in {
+      val tokenValues = Set.empty[String]
+      val tenants     =
+        RudderTokenMapping.getTenants(regs("someidp"), "user", "jwt", NodeSecurityContext.None)(_ => Some(tokenValues))
+
+      tenants === NodeSecurityContext.None
+    }
+
+    "work for none" in {
+      val tokenValues = Set("rudder_none", "rudder_TA")
+      val tenants     =
+        RudderTokenMapping.getTenants(regs("someidp"), "user", "jwt", NodeSecurityContext.None)(_ => Some(tokenValues))
+
+      tenants === NodeSecurityContext.None
+    }
+
+    "work for all" in {
+      val tokenValues = Set("rudder_all", "rudder_TA")
+      val tenants     =
+        RudderTokenMapping.getTenants(regs("someidp"), "user", "jwt", NodeSecurityContext.None)(_ => Some(tokenValues))
+
+      tenants === NodeSecurityContext.All
+    }
   }
 
-  "we can use complex roles names with the reverse mapping" >> {
-    val config = ConfigFactory.parseResources("oidc/oidc_reverse_role_mapping.properties")
-    val regs   = RudderPropertyBasedOAuth2RegistrationDefinition.readAllRegistrations(config).runNow.toMap
+  "reading a JWT configuration" should {
+    val registration = RudderPropertyBasedJwtRegistrationDefinition.make().runNow
+
+    "read the correct name" in {
 
-    regs("someidp").roleMapping === Map(
-      "rudder_admin"                                                                       -> "administrator",
-      "rudder_readonly"                                                                    -> "readonlyOVERRIDDEN",
-      "CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu" -> "administrator"
+      val config = ConfigFactory.parseResources("jwt/jwt_simple.properties")
+      val regs   = registration.readAllRegistrations(config, registration.readOneRegistration).runNow.toMap
+
+      regs.keySet === Set("someidp")
+    }
+
+    "have two entitlements mapping" in {
+
+      val config = ConfigFactory.parseResources("jwt/jwt_simple.properties")
+      val regs   = registration.readAllRegistrations(config, registration.readOneRegistration).runNow.toMap
+
+      (regs("someidp").roles.mapping === Map(
+        "rudder_admin"    -> "administrator",
+        "rudder_readonly" -> "readonly"
+      )) and (regs("someidp").tenants.mapping === Map(
+        "rudder_TA" -> "TA",
+        "rudder_TB" -> "TB"
+      ))
+    }
+
+    "be able to use complex roles names with the reverse mapping" in {
+      val config = ConfigFactory.parseResources("jwt/jwt_reverse_role_mapping.properties")
+      val regs   = registration.readAllRegistrations(config, registration.readOneRegistration).runNow.toMap
+
+      (regs("someidp").roles.mapping === Map(
+        "rudder_admin"                                                                       -> "administrator",
+        "rudder_readonly"                                                                    -> "readonlyOVERRIDDEN",
+        "CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu" -> "administrator"
+      )) and (
+        regs("someidp").tenants.mapping === Map(
+          "rudder_TA"                                                                          -> "TA",
+          "rudder_TB"                                                                          -> "TB_OVERRIDDEN",
+          "CN=AAAA-BBBBB,OU=Groups,OU=_IT,OU=BB-DD,OU=UUU-XXXX-YY,DC=ee,DC=if,DC=ttttt,DC=uuu" -> "TA"
+        )
+      )
+    }
+  }
+
+  "reading an opaque configuration" should {
+    val reg          = RudderOpaqueTokenRegistration(
+      "someidp",
+      "xxxClientIdxxx",
+      "xxxClientPassxxx",
+      "https://someidp/oauth2/v1/introspect",
+      "email"
     )
+    val registration = RudderPropertyBasedOpaqueTokenRegistrationDefinition.make().runNow
+
+    "read the correct configuration" in {
+
+      val config = ConfigFactory.parseResources("opaque/opaque.properties")
+      val regs   = registration.readAllRegistrations(config, registration.readOneRegistration).runNow.toMap
+
+      regs.keySet === Set("someidp") and regs("someidp") === reg
+    }
+
+    "read the correct configuration with default" in {
+
+      val config = ConfigFactory.parseResources("opaque/opaque_default.properties")
+      val regs   = registration.readAllRegistrations(config, registration.readOneRegistration).runNow.toMap
+
+      regs.keySet === Set("someidp") and regs("someidp") === reg.copy(pivotAttributeName = "sub")
+    }
+
   }
 
 }
diff --git a/branding/packaging/metadata b/branding/packaging/metadata
index 096eac652..20520a4d4 100644
--- a/branding/packaging/metadata
+++ b/branding/packaging/metadata
@@ -8,5 +8,6 @@
   "jar-files": [ "/opt/rudder/share/plugins/${plugin-name}/${plugin-name}.jar" ],
   "content": {
     "files.txz": "/opt/rudder/share/plugins"
-  }
+  },
+  "requires-license": true
 }
diff --git a/branding/src/main/elm/sources/View.elm b/branding/src/main/elm/sources/View.elm
index 6bd8e573c..da5348618 100644
--- a/branding/src/main/elm/sources/View.elm
+++ b/branding/src/main/elm/sources/View.elm
@@ -2,9 +2,9 @@ module View exposing (barStyle, checkbox, createPanel, customBar, customBarPrevi
 
 import Color exposing (Color)
 import DataTypes exposing (..)
-import Html exposing (..)
-import Html.Attributes exposing (..)
-import Html.Events exposing (..)
+import Html exposing (Html, Attribute, a, div, label, input, span, i, form, button, h4, text)
+import Html.Attributes exposing (id, class, style, type_, checked, for, href, attribute, value)
+import Html.Events exposing (onClick, onInput)
 import ColorPicker
 
 
@@ -29,7 +29,7 @@ view model =
       Nothing ->   ( "(No file chosen)"  , (UploadFile "small"), "upload-btn"  )
 
     customLogos =
-      [ div [ class "panel-col col-md-6" ]
+      [ div [ class "card-col col-md-6" ]
         [ div [ class "form-group" ]
           [ div [ class "input-group" ]
             [ label [ for "enable-wide-logo", class "input-group-text" ]
@@ -47,7 +47,7 @@ view model =
             ]
           ]
         ]
-      , div [ class "panel-col col-md-6 bg-pattern" ][ viewPreview settings.smallLogo settings.wideLogo]
+      , div [ class "card-col col-md-6 bg-pattern " ][ viewPreview settings.smallLogo settings.wideLogo]
       ]
 
     viewPreview : Logo -> Logo -> Html msg
@@ -69,7 +69,7 @@ view model =
         ]
 
     bar =
-      [ div [ class "panel-col col-md-6" ]
+      [ div [ class "card-col col-md-6" ]
         [ checkbox settings.displayBar ToggleCustomBar "enable-bar" "Display custom bar"
         , div [ class "form-group" ]
           [ label [] [ text "Background color" ]
@@ -89,18 +89,18 @@ view model =
             ]
           , textField ToggleLabel EditLabelText settings.displayLabel settings.labelTxt "text-label" "Label text"
         ]
-      , div [ class "panel-col col-md-6 bg-pattern" ] [ customBarPreview model.settings ]
+      , div [ class "card-col col-md-6 bg-pattern" ] [ customBarPreview model.settings ]
       ]
 
     loginPage =
-      [ div [ class "panel-col col-md-6" ]
+      [ div [ class "card-col col-md-6" ]
         [ checkbox settings.displayBarLogin ToggleCustomBarLogin "display-bar" "Display custom bar"
         , textField ToggleMotd EditMotd settings.displayMotd settings.motd "text-motd" "MOTD"
         ]
-      , div [ class "panel-col col-md-6 bg-pattern" ] [ loginPagePreview model.settings ]
+      , div [ class "card-col col-md-6 bg-pattern" ] [ loginPagePreview model.settings ]
       ]
   in
-    Html.form []
+    div [class "d-flex flex-column p-3 pb-5"]
       [ createPanel "Custom logos" "custom-logos" customLogos
       , createPanel "Custom bar" "custom-bar" bar
       , createPanel "Login page" "login-page" loginPage
@@ -156,17 +156,14 @@ fileField msg inputId txt =
 
 createPanel : String -> String -> List (Html msg) -> Html msg
 createPanel panelTitle panelId bodyContent =
-    let
-        hrefId = "#" ++ panelId
-    in
-    div [ class "panel panel-default" ]
-        [ div [ class "panel-heading" ]
-            [ h4 [ class "panel-title" ]
-                [ a [ attribute "data-bs-toggle" "collapse", attribute "data-bs-target" hrefId, href hrefId ] [ text panelTitle ]
+    div [ class "card rounded-3 mb-3" ]
+        [ div [ class "card-header p-0" ]
+            [ h4 [class "m-0"]
+                [ a [ attribute "data-bs-toggle" "collapse", href ("#" ++ panelId) ] [ text panelTitle ]
                 ]
             ]
-        , div [ id panelId, class "panel-collapse collapse show" ]
-            [ div [ class "panel-body" ] bodyContent ]
+        , div [ id panelId, class "collapse show" ]
+            [ div [ class "card-body p-0 d-flex" ] bodyContent ]
         ]
 
 
diff --git a/branding/src/main/resources/template/brandingManagement.html b/branding/src/main/resources/template/brandingManagement.html
index 8a9d5f4e9..85a831863 100755
--- a/branding/src/main/resources/template/brandingManagement.html
+++ b/branding/src/main/resources/template/brandingManagement.html
@@ -1,16 +1,17 @@
-<html>
-<body data-lift-content-id="branding-main">
-  <div id="branding-main" data-lift="surround?with=common-layout;at=content">
+
+<xml:group>
+  <component-body>
+
+  <lift:authz role="administration_read">
    <head_merge>
 
-   <title>Plugin Branding</title>
    <meta charset="utf8" />
    <link rel="stylesheet" type="text/css" href="/toserve/branding/media.css"  media="screen" data-lift="with-cached-resource">
    <script src="/toserve/branding/rudder-branding.js" data-lift="with-cached-resource"></script>
 
    </head_merge>
    <main></main>
-   <script>
+   <script data-lift="with-nonce">
      var main         = document.querySelector("main");
      var flags        = { contextPath : contextPath };
      var app          = Elm.Branding.init({ node : main, flags: flags});
@@ -25,7 +26,7 @@
        createErrorNotification(str)
      });
    </script>
-  </div>
-</body>
-</html>
+  </lift:authz>
 
+  </component-body>
+</xml:group>
diff --git a/branding/src/main/scala-templates/default/com/normation/plugins/branding/EnablePluginImpl.scala b/branding/src/main/scala-templates/default/com/normation/plugins/branding/EnablePluginImpl.scala
index c94bbb418..55f39b01d 100644
--- a/branding/src/main/scala-templates/default/com/normation/plugins/branding/EnablePluginImpl.scala
+++ b/branding/src/main/scala-templates/default/com/normation/plugins/branding/EnablePluginImpl.scala
@@ -38,6 +38,6 @@
 package com.normation.plugins.branding
 
 import com.normation.plugins.PluginEnableImpl
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends PluginEnableImpl
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends PluginEnableImpl
diff --git a/branding/src/main/scala-templates/limited/com/normation/plugins/branding/EnablePluginImpl.scala b/branding/src/main/scala-templates/limited/com/normation/plugins/branding/EnablePluginImpl.scala
index 8236a551b..033928733 100644
--- a/branding/src/main/scala-templates/limited/com/normation/plugins/branding/EnablePluginImpl.scala
+++ b/branding/src/main/scala-templates/limited/com/normation/plugins/branding/EnablePluginImpl.scala
@@ -38,15 +38,15 @@
 package com.normation.plugins.branding
 
 import com.normation.plugins.LicensedPluginCheck
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 import com.normation.zio.*
 
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends LicensedPluginCheck {
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends LicensedPluginCheck {
   // here are processed variables
   def pluginResourcePublickey = "${plugin-resource-publickey}"
   def pluginResourceLicense   = "${plugin-resource-license}"
   def pluginDeclaredVersion   = "${plugin-declared-version}"
   def pluginId                = "${plugin-fullname}"
 
-  override def getNumberOfNodes: Int = nodeInfoService.getNumberOfManagedNodes.runNow
+  override def getNumberOfNodes: Int = nodeFactRepo.getNumberOfManagedNodes().runNow
 }
diff --git a/branding/src/main/scala/bootstrap/rudder/plugin/BrandingPluginConf.scala b/branding/src/main/scala/bootstrap/rudder/plugin/BrandingPluginConf.scala
index 28f6bf758..e0114d39e 100644
--- a/branding/src/main/scala/bootstrap/rudder/plugin/BrandingPluginConf.scala
+++ b/branding/src/main/scala/bootstrap/rudder/plugin/BrandingPluginConf.scala
@@ -44,6 +44,7 @@ import com.normation.plugins.branding.BrandingPluginDef
 import com.normation.plugins.branding.CheckRudderPluginEnableImpl
 import com.normation.plugins.branding.api.BrandingApi
 import com.normation.plugins.branding.api.BrandingApiService
+import com.normation.plugins.branding.snippet.BrandingResources
 import com.normation.plugins.branding.snippet.CommonBranding
 import com.normation.plugins.branding.snippet.LoginBranding
 
@@ -53,7 +54,7 @@ import com.normation.plugins.branding.snippet.LoginBranding
 object BrandingPluginConf extends RudderPluginModule {
 
   // by build convention, we have only one of that on the classpath
-  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeInfoService)
+  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeFactRepository)
   lazy val pluginDef: BrandingPluginDef = new BrandingPluginDef(BrandingPluginConf.pluginStatusService)
 
   val brandingConfService: BrandingConfService = new BrandingConfService(BrandingConfService.defaultConfigFilePath)
@@ -62,6 +63,7 @@ object BrandingPluginConf extends RudderPluginModule {
     new BrandingApi(brandingApiService, RudderConfig.stringUuidGenerator)
 
   RudderConfig.rudderApi.addModules(brandingApi.getLiftEndpoints())
+  RudderConfig.snippetExtensionRegister.register(new BrandingResources(pluginDef.status))
   RudderConfig.snippetExtensionRegister.register(new CommonBranding(pluginStatusService))
-  RudderConfig.snippetExtensionRegister.register(new LoginBranding(pluginStatusService, pluginDef.version))
+  RudderConfig.snippetExtensionRegister.register(new LoginBranding(pluginStatusService))
 }
diff --git a/branding/src/main/scala/com/normation/plugins/branding/BrandingConf.scala b/branding/src/main/scala/com/normation/plugins/branding/BrandingConf.scala
index cfed8c18f..b96f0dbce 100644
--- a/branding/src/main/scala/com/normation/plugins/branding/BrandingConf.scala
+++ b/branding/src/main/scala/com/normation/plugins/branding/BrandingConf.scala
@@ -105,7 +105,7 @@ object JsonColor {
 final case class Logo(enable: Boolean, name: Option[String], data: Option[String]) {
   def loginLogo = (enable, data) match {
     case (true, Some(d)) => (<div class="custom-branding-logo" style={"background-image: url(" ++ d ++ ");"}></div>)
-    case (_, _)          => <img src="/images/logo-rudder.svg" data-lift="with-cached-resource" alt="Rudder"/>
+    case (_, _)          => <img src="/images/logo/rudder-logo-rect-black.svg" data-lift="with-cached-resource" alt="Rudder"/>
   }
 
   def commonWideLogo  = (enable, data) match {
@@ -116,7 +116,7 @@ final case class Logo(enable: Boolean, name: Option[String], data: Option[String
           .sidebar-collapse .logo-lg{{display: none !important;}}
         </style>
       </span>
-    case (_, _)          => <img src="/images/logo-rudder-white.svg" data-lift="with-cached-resource" alt="Rudder"/>
+    case (_, _)          => <img src="/images/logo/rudder-logo-rect-white.svg" data-lift="with-cached-resource" alt="Rudder"/>
   }
   def commonSmallLogo = (enable, data) match {
     case (true, Some(d)) =>
@@ -133,7 +133,7 @@ final case class Logo(enable: Boolean, name: Option[String], data: Option[String
           }}
         </style>
       </span>
-    case (_, _)          => <img src="/images/logo-rudder-sm.svg" data-lift="with-cached-resource" alt="Rudder"/>
+    case (_, _)          => <img src="/images/logo/rudder-logo-square-white.svg" data-lift="with-cached-resource" alt="Rudder"/>
   }
 }
 
diff --git a/branding/src/main/scala/com/normation/plugins/branding/BrandingPluginDef.scala b/branding/src/main/scala/com/normation/plugins/branding/BrandingPluginDef.scala
index 0abea7400..6d688229e 100644
--- a/branding/src/main/scala/com/normation/plugins/branding/BrandingPluginDef.scala
+++ b/branding/src/main/scala/com/normation/plugins/branding/BrandingPluginDef.scala
@@ -37,21 +37,12 @@
 
 package com.normation.plugins.branding
 
-import bootstrap.liftweb.Boot
 import bootstrap.liftweb.ConfigResource
-import bootstrap.liftweb.MenuUtils
 import bootstrap.rudder.plugin.BrandingPluginConf
 import com.normation.plugins.DefaultPluginDef
 import com.normation.plugins.PluginStatus
-import com.normation.rudder.AuthorizationType.Administration
 import com.normation.rudder.rest.EndpointSchema
 import com.normation.rudder.rest.lift.LiftApiModuleProvider
-import net.liftweb.http.ClasspathTemplates
-import net.liftweb.sitemap.Loc.LocGroup
-import net.liftweb.sitemap.Loc.Template
-import net.liftweb.sitemap.Loc.TestAccess
-import net.liftweb.sitemap.LocPath.stringToLocPath
-import net.liftweb.sitemap.Menu
 
 class BrandingPluginDef(override val status: PluginStatus) extends DefaultPluginDef {
 
@@ -64,17 +55,4 @@ class BrandingPluginDef(override val status: PluginStatus) extends DefaultPlugin
   def oneTimeInit: Unit = {}
 
   val configFiles: Seq[ConfigResource] = Seq()
-
-  override def pluginMenuEntry: List[(Menu, Option[String])] = {
-    (
-      (Menu("640-brandingManagement", <span>Branding</span>) /
-      "secure" / "administration" / "brandingManagement"
-      >> LocGroup("administrationGroup")
-      >> TestAccess(() => Boot.userIsAllowed("/secure/administration/policyServerManagement", Administration.Read))
-      >> Template(() =>
-        ClasspathTemplates("template" :: "brandingManagement" :: Nil) openOr <div>Template not found</div>
-      )).toMenu,
-      Some(MenuUtils.utilitiesMenu)
-    ) :: Nil
-  }
 }
diff --git a/branding/src/main/scala/com/normation/plugins/branding/snippet/BrandingResources.scala b/branding/src/main/scala/com/normation/plugins/branding/snippet/BrandingResources.scala
index 2fcc0e5e8..d373965ad 100644
--- a/branding/src/main/scala/com/normation/plugins/branding/snippet/BrandingResources.scala
+++ b/branding/src/main/scala/com/normation/plugins/branding/snippet/BrandingResources.scala
@@ -37,18 +37,23 @@
 
 package com.normation.plugins.branding.snippet
 
-import net.liftweb.http.DispatchSnippet
+import com.normation.plugins.PluginExtensionPoint
+import com.normation.plugins.PluginStatus
+import com.normation.rudder.web.ChooseTemplate
+import com.normation.rudder.web.snippet.administration.Settings
 import net.liftweb.http.LiftRules
+import scala.reflect.ClassTag
 import scala.xml.NodeSeq
 
-class BrandingResources extends DispatchSnippet {
+class BrandingResources(val status: PluginStatus)(implicit val ttag: ClassTag[Settings]) extends PluginExtensionPoint[Settings] {
 
   private[this] def link(s: String) = s"/${LiftRules.resourceServerPath}/branding/${s}"
 
-  override def dispatch = {
-    case "css" =>
-      (_: NodeSeq) => <link type="text/css" rel="stylesheet" href={link("rudder-branding.css")} ></link>
-    case "js"  =>
-      (_: NodeSeq) => <script type="text/javascript" src={link("rudder-branding.js")}></script>
-  }
+  private def template: NodeSeq = ChooseTemplate("template" :: "brandingManagement" :: Nil, "component-body")
+
+  override def pluginCompose(snippet: Settings): Map[String, NodeSeq => NodeSeq] = Map(
+    "body" -> Settings.addTab("brandingTab", "Branding configuration", template),
+    "css"  -> ((_: NodeSeq) => <link type="text/css" rel="stylesheet" href={link("rudder-branding.css")} ></link>),
+    "js"   -> ((_: NodeSeq) => <script type="text/javascript" src={link("rudder-branding.js")}></script>)
+  )
 }
diff --git a/branding/src/main/scala/com/normation/plugins/branding/snippet/CommonBranding.scala b/branding/src/main/scala/com/normation/plugins/branding/snippet/CommonBranding.scala
index 0d4ea5f59..50e803aff 100644
--- a/branding/src/main/scala/com/normation/plugins/branding/snippet/CommonBranding.scala
+++ b/branding/src/main/scala/com/normation/plugins/branding/snippet/CommonBranding.scala
@@ -78,7 +78,7 @@ class CommonBranding(val status: PluginStatus)(implicit val ttag: ClassTag[Commo
       </div>
       case _                          => NodeSeq.Empty
     }
-    var (customWideLogo, customSmallLogo, rudderLogo) = data match {
+    val (customWideLogo, customSmallLogo, rudderLogo) = data match {
       case Right(d) =>
         (
           d.wideLogo.commonWideLogo,
@@ -87,12 +87,11 @@ class CommonBranding(val status: PluginStatus)(implicit val ttag: ClassTag[Commo
               <a target="_blank" href="https://www.rudder.io/" class="rudder-branding-footer">
               {
                 if (d.wideLogo.enable && d.wideLogo.data.isDefined)
-                  <img alt="Rudder" data-lift="with-cached-resource" src="/images/logo-rudder-white.svg" class="rudder-branding-logo-lg"/>
+                  <img alt="Rudder" data-lift="with-cached-resource" src="/images/logo/rudder-logo-rect-white.svg" class="rudder-branding-logo-lg"/>
                 else NodeSeq.Empty
-              }
-              {
+              }{
                 if (d.smallLogo.enable && d.smallLogo.data.isDefined)
-                  <img alt="Rudder" data-lift="with-cached-resource" src="/images/logo-rudder-sm.svg"    class="rudder-branding-logo-sm"/>
+                  <img alt="Rudder" data-lift="with-cached-resource" src="/images/logo/rudder-logo-square-white.svg" class="rudder-branding-logo-sm"/>
                 else NodeSeq.Empty
               }
             </a>
@@ -104,7 +103,7 @@ class CommonBranding(val status: PluginStatus)(implicit val ttag: ClassTag[Commo
       case _        =>
         (
           <img alt="Rudder" data-lift="with-cached-resource" src="/images/logo-rudder-nologo.svg" class="rudder-branding-logo-lg"/>,
-          <img alt="Rudder" data-lift="with-cached-resource" src="/images/logo-rudder-sm.svg"     class="rudder-branding-logo-sm"/>,
+          <img alt="Rudder" data-lift="with-cached-resource" src="/images/logo/rudder-logo-square-white.svg" class="rudder-branding-logo-sm"/>,
           NodeSeq.Empty
         )
     }
diff --git a/branding/src/main/scala/com/normation/plugins/branding/snippet/LoginBranding.scala b/branding/src/main/scala/com/normation/plugins/branding/snippet/LoginBranding.scala
index 5c9ea6a33..ad472602d 100644
--- a/branding/src/main/scala/com/normation/plugins/branding/snippet/LoginBranding.scala
+++ b/branding/src/main/scala/com/normation/plugins/branding/snippet/LoginBranding.scala
@@ -40,7 +40,6 @@ package com.normation.plugins.branding.snippet
 import bootstrap.rudder.plugin.BrandingPluginConf
 import com.normation.plugins.PluginExtensionPoint
 import com.normation.plugins.PluginStatus
-import com.normation.plugins.PluginVersion
 import com.normation.rudder.web.snippet.Login
 import com.normation.zio.UnsafeRun
 import net.liftweb.common.Loggable
@@ -48,7 +47,7 @@ import net.liftweb.util.Helpers.*
 import scala.reflect.ClassTag
 import scala.xml.NodeSeq
 
-class LoginBranding(val status: PluginStatus, version: PluginVersion)(implicit val ttag: ClassTag[Login])
+class LoginBranding(val status: PluginStatus)(implicit val ttag: ClassTag[Login])
     extends PluginExtensionPoint[Login] with Loggable {
 
   def pluginCompose(snippet: Login): Map[String, NodeSeq => NodeSeq] = Map(
@@ -90,7 +89,8 @@ class LoginBranding(val status: PluginStatus, version: PluginVersion)(implicit v
           }}
           </style>
         )
-      case _        => (<img src="/images/logo-rudder-white.svg" data-lift="with-cached-resource" alt="Rudder"/>, NodeSeq.Empty)
+      case _        =>
+        (<img src="/images/logo/rudder-logo-square-white.svg" data-lift="with-cached-resource" alt="Rudder"/>, NodeSeq.Empty)
     }
     val logoContainer             = {
       <div>
diff --git a/branding/src/main/scala/com/normation/rudder/rest/BrandingApiSchema.scala b/branding/src/main/scala/com/normation/rudder/rest/BrandingApiSchema.scala
index 29cc580c7..6896e71ce 100644
--- a/branding/src/main/scala/com/normation/rudder/rest/BrandingApiSchema.scala
+++ b/branding/src/main/scala/com/normation/rudder/rest/BrandingApiSchema.scala
@@ -63,14 +63,16 @@ object BrandingApiEndpoints extends Enum[BrandingApiSchema] with ApiModuleProvid
     val z              = implicitly[Line].value
     val description    = "Update branding plugin configuration"
     val (action, path) = POST / "branding"
-    val dataContainer: Option[String] = None
+    val dataContainer: Option[String]          = None
+    val authz:         List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   final case object ReloadBrandingConf extends BrandingApiSchema with ZeroParam with StartsAtVersion10 with SortIndex {
     val z              = implicitly[Line].value
     val description    = "Reload branding plugin configuration from config file"
     val (action, path) = POST / "branding" / "reload"
-    val dataContainer: Option[String] = None
+    val dataContainer: Option[String]          = None
+    val authz:         List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   def endpoints = values.toList.sortBy(_.z)
diff --git a/branding/src/main/style/media.css b/branding/src/main/style/media.css
deleted file mode 100755
index a730e01d7..000000000
--- a/branding/src/main/style/media.css
+++ /dev/null
@@ -1,395 +0,0 @@
-html, body {
-  background: #fff;
-  padding: 0;
-  margin: 0;
-}
-main{
-	padding-top: 20px;
-}
-.bg-pattern{
-	background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAlcAAAGQCAYAAACDPkUVAAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH4gINDzsW3MiGwAAAIABJREFUeNrt3VFS47oSBmBZxRbOxftfXTjeg3UfKPl0FCm2hzAE+HgZICr5i3mYrlb7z1RKSfXr7e2tpJTSNE3pf//735QGX3VdSim9vr7erCulpGmartb973//m6Zpunq9fv3777+lOnr78T2/79513T8+Pj4+vp/oG+2Xewt6sPrm/v3335uNYoFW31x7wYhpb9y6rodvHN9z+u4VVu4fHx8fH99P843+HyylvBdXseJrF7SVXKwg6/fTNF2tHb3RepPairS97r2KlO+5fEc6Vu4fHx8fH99P8/WuW383XS6Xw620UkrKOad//vnnqpIb3ZAWlnO+W/G17bazrb7f7vtoq/QjviOtV39fPj4+Pr6f4mvXRWM+U6HlnK/OHtu2W2zhtW80wnqtubaCvNfq4/v3VGH1N3y9/fx9+fj4+Ph+qm9UWKWU0su9Cq1esL72zz//3FSQ9fu2RVZ/f3Y4ra4dVYZ8Hxvue5Rv7yjQ35ePj4+P76f76pp2Fmtqh7n2jnZ6VVr7Rnvtu7NHWbWF96dT/3yf5/uT/dw/Pj4+Pr6f5hs9PZjjgvh9u1Fvon7UmuvBzh5ltTeO73l8Z44C3T8+Pj4+vp/qi8eVcb/cXmy0UXy9t9HojT7iKIvv632fnWPl78vHx8fH9x19vfiGm86VHA0+OVZ8fHx8fHznfKWUbV2OZ4ZyNPjkWPHx8fHx8e376n61IJvn+b+nG2OLTI6GHCs5Vnx8fHx8fPu+ul/tWMUnDHNspcnRkGMlx4qPj4+Pj2/ft65rmqYpzfO8XXcLEY2ttJgD0TvLjC2y2GbrVXKjwqD3+GNc1+ZU8J1rlT7Kt3cU6O/Lx8fHx/fbffW6bTG3ffyNHA0+OVZ8fHx8fHwf9+W6kRwNPjlWfHx8fHx8x3yjEPa3t7eS5VTw7V3X/ePj4+Pj47v2tXNYVwVY72JyNORYuX98fHx8fHz3fW1Ce/05ty/K0ZBj5f7x8fHx8fHt+2JBV0pJ67q+Pz04apHJ0fj7vrOt0kf67lXq/r58fHx8fHzH/5+++vgbORpf6zvaipRjxcfHx8fH9zy+dt1LrdbqgpgDEdNG28pwVBjsPd7f5lREWMypqPv8Nt9exfwo395RoL8vHx8fHx/fvq87hB/PKOVU/A7fn+zn/vHx8fHx8d02QHpHlVmOxu/znTkKdP/4+Pj4+Pj6vtH/q7m3QI6GHCv3j4+Pj4+P77xvi2KQoyHHyv3j4+Pj4+M75+t9LctSpvqpzindPq740YqvHSrrtfrawbR2iC0+HcB33veZHSt/Xz4+Pj6+3+5r9yulpO0sU06FHCt/Xz4+Pj4+vvO+OotVX9s0cirkWPn78vHx8fHxHfPF/ZZl2Qqr19fX6UVOhRwrf18+Pj4+Pr5zvvrv5XK5+f93GlVycjTkWPn78vHx8fHxjX2Xy+WqY1ULtClOwT9i+KtX8e0Nfx25IXx8fHx8fHx838GXHwGL7bHRmaccDTlW/r58fHx8fD/FFztWrS3LqZBj5f7x8fHx8fGd863rOnwaMddfHK344rp60ZgDESvI+n2c0r8XHd+b0ue77zvSsXL/+Pj4+Pj4Huub53nqFX0ppfTSVmhnciDixHybA9FerH6/LMvulP7oyOvZfX/ainyE78hZsL8vHx8fHx/f43yj62Y5Go/zHW1FyrHi4+Pj4+P73r62sIqdrdxu0nv8Mb6BNgcittJiDkTvLDO28GKbrdfqGxUuz+7ba0U+yrd3FPhd7x8fHx8fH9938PUKui1/q8XXBXI05Fj5+/Lx8fHx8fV99/KuboorORV8fHx8fHx8fG+nR4DqunwEFtttozNPORpyrPx9+fj4+Ph+k2/0/3TuLZCjIcfK35ePj4+Pj2/sG/0/XUp5L67kaDyvT44VHx8fHx/f8/l6162/m+KnOe8Nf8UciN75ZHtDPjun4m/7zrYiH+k7csb77PePj4+Pj4/vp/juzXblMxWaHKtjrUg5Vnx8fHx8fD/bNyqsUkrp5V6F1k7VxxyI9lHEtkVWf99e8E9yKp7Jt1e5Psq3dxT4Xe8fHx8fHx/fT/HVNe0sVjfn6sjRmBwNOVZ8fHx8fHy/2deuv0lob1NJ2416E/Wj1lwPdvaorb1xv8l35ijQ/ePj4+Pj4/saXzyujPvl9mKjjeRoyLHy9+Xj4+Pj47s9rmz/P7/pXMnR+BrfvcLK/ePj4+Pj43tuXynlOqFdjoYcK39fPj4+Pj6+4766Xy3I5nn+7+nG2CKTY3WuFflI371KXQ4JHx8fHx/fc/nqfrVjFZ8wzLGVJsfqWCtSjhUfHx8fH9/v9q3rmqZpSvM8b9fdQkRjKy3mQPTOMmOLLLbZepXcqHDpPf4Y17U5FX/bt9eKfJRv7yjwu94/Pj4+Pj6+3+Kr122Lue3jb+Ro/D3fn+zn/vHx8fHx8X0PX64bydH4e74zR4HuHx8fHx8f3/P5RiHsb29vJcup+Ds+OVZ8fHx8fHw/x9fOYV0VYL2LydGQY8XHx8fHx8d339cmtNefc/uiHA05Vnx8fHx8fHz7vljQlVLSuq7vTw+OWmRyrB7ru1cJyyHh4+Pj4+P7vr523dXH38ix+jxfb7/vdv/4+Pj4+Pj4+v+fx3UvtVqrC2IOREwbbSvDUeGyFz/Q5lREWMypqPs82rdXkT7Kt3cU+F3vHx8fHx8fH1+5uu7NLFY8o5RT8Rjfn+zn/vHx8fHx8X0vXw0Sba+Z5Wg83nfmKND94+Pj4+Pj+56+0f/7ubdAjoYcKz4+Pj4+Pr7zvi2KQY6GHCs+Pj4+Pj6+c77e17IsZaqf6pzS7eOKH6342qGyXquvHUxrh9ji0wHP6PvMjtVvuH98fHx8fHzf2dfuV0pJ21mmHCs5Vnx8fHx8fHznfXUWq762aeRYybHi4+Pj4+PjO+aL+y3LshVWr6+v04scKzlWfHx8fHx8fOd89d/L5XJTH0yjSk6OhhwrPj4+Pj4+vrHvcrlcdaxqgTbFKfhHDH/1Kr694a8jN4SPj4+Pj4+P7zv48iNgsT02OvOUYyWHhI+Pj4+P76f4YseqtWU5FXKs+Pj4+Pj4+M751nUdPo2Y6y+OVnxxXb1ozIGIFWT9Pk7p34uO703pf7XvSMfK/ePj4+Pj4/tdvnmep17Rl1JKL22FdiYHIk7MtzkQ7cXq98uy7E7pnzmS+1u+I2etz37/+Pj4+Pj4+B7nG103y7E65uvt1/rkkPDx8fHx8f0OX1tYxc5WbjfpPf4Y30CbAxFbaTEHoneWGVt4sc3Wa/Wd6Vh9hm/vKHDke/b7x8fHx8fHx/dxX6+g2/K3WnxdIMcqPa1PDgkfHx8fH9/X+u7lXd0UV3Iq+Pj4+Pj4+PjeTo8o1XX5CCy220ZnnnKs5JDw8fHx8fH9Jt+ojsi9BXKs0tP55JDw8fHx8fE9j29UR5RS3osrOVb3O1ZyPvj4+Pj4+PjaDljPN01TmuKnOe8Nf8UciN75ZHtDPjvH6pG+I2eoZ3M0/vb94+Pj4+Pj4/s7vnuzXflMhSbHSs4HHx8fHx8fXxoWViml9HKvQmun6mMORPsoYtsiq79vL/jR4bRH+faOAke+vfiGr75/fHx8fHx8fH/HV9e0s1jdnKsjR3dyrOR88PHx8fHx/WZfu/4mob1NJW036k3Uj1pzPdjZo8D2xj3Sd+Yo8Ct8z37/+Pj4+Pj4+K6PK+N+ub3YaCM5VnI++Pj4+Pj4+G6PK9t646ZzJcfqa3xySPj4+Pj4+L6vr5RyndAux0rOBx8fHx8fH99xX92vFmTzPP/3dGNskcmxkvPBx8fHx8fHt++r+9WOVXzCMMdWmhwrOR98fHx8fHx8+751XdM0TWme5+26W4hobKXFHIjeWWZskcU2W6+SO9OxiuvanIo/9e0dBY58vcczP8P3p/ePj4+Pj4+P7zl89bptMbd9/I0cq7/nk0PCx8fHx8f3c325biTH6u/55JDw8fHx8fF9b98ohP3t7a1kOVZ/xyeHhI+Pj4+P7+f42jmsqwKsdzE5VnI++Pj4+Pj4+O772oT2+nNuX5RjJeeDj4+Pj4+Pb98XC7pSSlrX9f3pwVGLTI7VY31ySPj4+Pj4+H6mr1139fE3cqw+zyeHhI+Pj4+P72f62nUvtVqrC2IOREwbbSvDP+1YtTkVERZzKuo1R769o8CRby++4VG+P71/fHx8fHx8fN/H1x3Cj2eUcqwe45PzwcfHx8fH9/N9NUi0vWaWY/V4nxwSPj4+Pj6+n+8b1SW5t0COlZwPPj4+Pj4+vvO+LYpBjpWcDz4+Pj4+Pr5zvt7Xsixlqp/qnNLt44ofrfjaobJeq68dTGuH2D6zY/UIX3x64RnvHx8fHx8fH9/n+dr9SilpO8uUYyXng4+Pj4+Pj++8r85i1dc2jRwrOR98fHx8fHx8x3xxv2VZtsLq9fV1epFjJeeDj4+Pj4+P75yv/nu5XG7ql2lUycmxkvPBx8fHx8fHN/ZdLperjlUt0KY4Bf+I4a9exbc3/HXkhvDx8fHx8fHxfQdffgQstsdGZ55yrPj4+Pj4+Ph+ii92rFpblmMl54OPj4+Pj4/vnG9d1+HTiLn+4mjFF9fVi8YciFhB1u/jlH4v2n6vY/WVvr2nCPj4+Pj4+Ph+n2+e56lX9KWU0ssjWmkRVnMg2ovV75dl+ePh9bM5FY/0fUaOBh8fHx8fH9/39Y2um+VYHfPJ+eDj4+Pj4+MbFVaxs5XPttLaHIjYSos5EL2zzCMtvD/JqfgMX2wD8vHx8fHx8fGNjgzrdbf8rRZfF8ixkvPBx8fHx8fH1/fdy7u6Ka7kVPDx8fHx8fHxvZ3+KMC6Lh+BxXbb6MxTjhUfHx8fHx/fb/KN6pzcWyDHSs4HHx8fHx8f39g3qnNKKe/FlRyr9y85H3x8fHx8fHxHfL3r1t9N8dOc94a/Yg5E73yyvSGfnWP1SN9n5Gjw8fHx8fHx/UzfvdmufKZCk2PFx8fHx8fHx5eGhVVKKb3cq9DaqfqYA9E+inivRdarDEdHhnvxDY/y1d+3N4SPj4+Pj4+P74ivrmlnsbo5V3vDWi1QjhUfHx8fHx/fb/O1628S2ttU0naj3kT9vdbc0aPA0Rtob9wjfb0bx8fHx8fHx8d3xhePK+N+ub3YaCM5Vnx8fHx8fHx8t8eVbT1007mSY8XHx8fHx8fHd85XSrlOaJdjxcfHx8fHx8d33Ff3qwXZPM//Pd0YW2RyrPj4+Pj4+Pj49n11v9qxik8Y5thKk2PFx8fHx8fHx7fvW9c1TdOU5nnerruFiMZWWsyB6J1lHmnh/UlORVzX5lT8qS+2Afn4+Pj4+Pj4Hu2r122Lue3jb+RY8fHx8fHx8fF93JfrRnKs+Pj4+Pj4+PiO+UYh7G9vbyXLseLj4+Pj4+PjO+dr57CuCrDexeRY8fHx8fHx8fHd97UJ7fXn3L4ox4qPj4+Pj4+Pb98XC7pSSlrX9f3pwVGLTI4VHx8fHx8fH9+xeiiuu/r4GzlWfHx8fHx8fHznfO26l1qt1QWfkWM1qiDrDamvxZyKus/IV3/fVpt8fHx8fHx8fH/L1x3Cj2eUcqz4+Pj4+Pj4+PLho8DeUWWWY8XHx8fHx8fHd943qpvykQvK0eDj4+Pj4+Pj2/dtUQxyrPj4+Pj4+Pj4zvl6X8uylGF8+yMqvnaorNfqawfT2iG2+HRA+zglHx8fHx8fH99X+tr9Sinp7mfj9CpIORp8fHx8fHx8fNfdrZrQnlKYuWrfQK/1JUeDj4+Pj4+Pj+/6yHJZlq2wen19nV7OHgXK0eDj4+Pj4+P77b767+VyuckJnUaVnBwNPj4+Pj4+Pr6x73K5XHWsaoE2xSn4Rwx/9Sq+veGvIzeEj4+Pj4+Pj+87+PIjYLE9NjrzlKPBx8fHx8fH91N8sWPV2rKcCj4+Pj4+Pj6+c751XYdPI+b6i6MVX1xXLxpzIGIFWb+PU/r3ouN7U/p8fHx8fHx8fM/mm+d56hV9KaX00lZoZ3Ig4sR8mwPRXqx+vyzL7pT+6CyTj4+Pj4+Pj+9ZfKPrZjkafHx8fHx8fHznfG1hFTtbNyGivccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1fv4GzkafHx8fHx8fHxj3728q5viSk4FHx8fHx8fH9/xgq5dl4/AYrttdOYpR4OPj4+Pj4/vN/lGBVjuLZCjwcfHx8fHx8c39o0Kq1LKe3ElR4OPj4+Pj4+P79xThj3fNE1pip/mvDf8FXMgeueT7Q357JwKPj4+Pj4+Pr6v8N2b7cpnKjQ5Gnx8fHx8fHx8aVhYpZRSlqPBx8fHx8fHx3feF48XY+HXzbm615rrVWlyNPj4+Pj4+Ph+m69df5PQ3lZz7Ua9ifpRa64HG7X6Rm+gvXF8fHx8fHx8fM/ki8eVcb/cXmy0kRwNPj4+Pj4+Pr7b48q2oMu9s8cWJkeDj4+Pj4+Pj2/sK6VcJ7TL0eDj4+Pj4+PjO+6r+9WCbJ7n/55ujC0yORp8fHx8fHx8fPu+ul/tWNVCbpqm986VHA0+Pj4+Pj4+vuO+dV3TNE1pnuftuluIqJwKPj4+Pj4+Pr7zvnrdtpjbPv5GjgYfHx8fHx8f38d9uW4kR4OPj4+Pj4+P75hvFML+9vZWspwKPj4+Pj4+Pr5zvnYO66oA611MjgYfHx8fHx8f331fm9Bef87ti3I0+Pj4+Pj4+Pj2fbGgK6WkdV3fnx4ctcjkaPDx8fHx8fHxTYeG6+O6q4+/kaPBx8fHx8fHx3fO1657qdVaXRBzIGLaaFsZjs4oR48/9irIekPqazGnou7Dx8fHx8fHx/esvu4QfjyjlFPBx8fHx8fHx5cPHwX2jiqzHA0+Pj4+Pj4+vvO+UQGWewvkaPDx8fHx8fHxnfdtUQxyNPj4+Pj4+Pj4zvl6X8uylKl+qnNKt48rfrTia4fKeq2+djCtHWKLTwfw8fHx8fHx8T2Tr92vlJK2s0w5FXx8fHx8fHx85311Fqu+tmnkVPDx8fHx8fHxHfPF/ZZl2Qqr19fX6UVOBR8fHx8fHx/fOV/993K53HxEzjSq5ORo8PHx8fHx8fGNfZfL5apjVQu0KU7BP2L4q1fx7Q1/HbkhfHx8fHx8fHzfwZcfAYvtsdGZpxwNPj4+Pj4+vp/iix2r1pblVPDx8fHx8fHxnfOt6zp8GjHXXxyt+OK6etGYAxEryPp9nNK/Fx3fm9Ln4+Pj4+Pj43s23zzPU6/oSymll7ZCO5MDESfm2xyI9mL1+2VZdqf0R2eZfHx8fHx8fHzP4htdN8vR4OPj4+Pj4+M752sLq9jZyu0mvccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1eLrAjkafHx8fHx8fHx93728q5viSk4FHx8fHx8fH9/xgq5dl4/AYrttdOYpR4OPj4+Pj4/vN/lGBVjuLZCjwcfHx8fHx8c39o0Kq1LKe3ElR4OPj4+Pj4+P79xThj3fNE1pip/mvDf8FXMgeueT7Q357JwKPj4+Pj4+Pr6v8N2b7cpnKjQ5Gnx8fHx8fHx8aVhYpZRSlqPBx8fHx8fHx3feF48XY+HXzbm615rrVWlyNPj4+Pj4+Ph+m69df5PQ3lZz7Ua9ifpRa64HG7X6Rm+gvXF8fHx8fHx8fM/ki8eVcb/cXmy0kRwNPj4+Pj4+Pr7b48q2oMu9s8cWJkeDj4+Pj4+Pj2/sK6VcJ7TL0eDj4+Pj4+PjO+6r+9WCbJ7n/55ujC0yORp8fHx8fHx8fPu+ul/tWNVCbpqm986VHA0+Pj4+Pj4+vuO+dV3TNE1pnuftuluIqJwKPj4+Pj4+Pr7zvnrdtpjbPv5GjgYfHx8fHx8f38d9uW4kR4OPj4+Pj4+P75hvFML+9vZWspwKPj4+Pj4+Pr5zvnYO66oA611MjgYfHx8fHx8f331fm9Bef87ti3I0+Pj4+Pj4+Pj2fbGgK6WkdV3fnx4ctcjkaPDx8fHx8fHxTYeG6+O6q4+/kaPBx8fHx8fHx3fO1657qdVaXRBzIGLaaFsZjs4oR48/9irIekPqazGnou7Dx8fHx8fHx/esvu4QfjyjlFPBx8fHx8fHx5cPHwX2jiqzHA0+Pj4+Pj4+vvO+UQGWewvkaPDx8fHx8fHxnfdtUQxyNPj4+Pj4+Pj4zvl6X8uylKl+qnNKt48rfrTia4fKeq2+djCtHWKLTwfw8fHx8fHx8T2Tr92vlJK2s0w5FXx8fHx8fHx85311Fqu+tmnkVPDx8fHx8fHxHfPF/ZZl2Qqr19fX6UVOBR8fHx8fHx/fOV/993K53HxEzjSq5ORo8PHx8fHx8fGNfZfL5apjVQu0KU7BP2L4q1fx7Q1/HbkhfHx8fHx8fHzfwZcfAYvtsdGZpxwNPj4+Pj4+vp/iix2r1pblVPDx8fHx8fHxnfOt6zp8GjHXXxyt+OK6etGYAxEryPp9nNK/Fx3fm9Ln4+Pj4+Pj43s23zzPU6/oSymll7ZCO5MDESfm2xyI9mL1+2VZdqf0R2eZfHx8fHx8fHzP4htdN8vR4OPj4+Pj4+M752sLq9jZyu0mvccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1eLrAjkafHx8fHx8fHx93728q5viSk4FHx8fHx8fH9/xgq5dl4/AYrttdOYpR4OPj4+Pj4/vN/lGBVjuLZCjwcfHx8fHx8c39o0Kq1LKe3ElR4OPj4+Pj4+P79xThj3fNE1pip/mvDf8FXMgeueT7Q357JwKPj4+Pj4+Pr6v8N2b7cpnKjQ5Gnx8fHx8fHx8aVhYpZRSlqPBx8fHx8fHx3feF48XY+HXzbm615rrVWlyNPj4+Pj4+Ph+m69df5PQ3lZz7Ua9ifpRa64HG7X6Rm+gvXF8fHx8fHx8fM/ki8eVcb/cXmy0kRwNPj4+Pj4+Pr7b48q2oMu9s8cWJkeDj4+Pj4+Pj2/sK6VcJ7TL0eDj4+Pj4+PjO+6r+9WCbJ7n/55ujC0yORp8fHx8fHx8fPu+ul/tWNVCbpqm986VHA0+Pj4+Pj4+vuO+dV3TNE1pnuftuluIqJwKPj4+Pj4+Pr7zvnrdtpjbPv5GjgYfHx8fHx8f38d9uW4kR4OPj4+Pj4+P75hvFML+9vZWspwKPj4+Pj4+Pr5zvnYO66oA611MjgYfHx8fHx8f331fm9Bef87ti3I0+Pj4+Pj4+Pj2fbGgK6WkdV3fnx4ctcjkaPDx8fHx8fHxTYeG6+O6q4+/kaPBx8fHx8fHx3fO1657qdVaXRBzIGLaaFsZjs4oR48/9irIekPqazGnou7Dx8fHx8fHx/esvu4QfjyjlFPBx8fHx8fHx5cPHwX2jiqzHA0+Pj4+Pj4+vvO+UQGWewvkaPDx8fHx8fHxnfdtUQxyNPj4+Pj4+Pj4zvl6X8uylKl+qnNKt48rfrTia4fKeq2+djCtHWKLTwfw8fHx8fHx8T2Tr92vlJK2s0w5FXx8fHx8fHx85311Fqu+tmnkVPDx8fHx8fHxHfPF/ZZl2Qqr19fX6UVOBR8fHx8fHx/fOV/993K53HxEzjSq5ORo8PHx8fHx8fGNfZfL5apjVQu0KU7BP2L4q1fx7Q1/HbkhfHx8fHx8fHzfwZcfAYvtsdGZpxwNPj4+Pj4+vp/iix2r1pblVPDx8fHx8fHxnfOt6zp8GjHXXxyt+OK6etGYAxEryPp9nNK/Fx3fm9Ln4+Pj4+Pj43s23zzPU6/oSymll7ZCO5MDESfm2xyI9mL1+2VZdqf0R2eZfHx8fHx8fHzP4htdN8vR4OPj4+Pj4+M752sLq9jZyu0mvccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1eLrAjkafHx8fHx8fHx93728q5viSk4FHx8fHx8fH9/xgq5dl4/AYrttdOYpR4OPj4+Pj4/vN/lGBVjuLZCjwcfHx8fHx8c39o0Kq1LKe3ElR4OPj4+Pj4+P79xThj3fNE1pip/mvDf8FXMgeueT7Q357JwKPj4+Pj4+Pr6v8N2b7cpnKjQ5Gnx8fHx8fHx8aVhYpZRSlqPBx8fHx8fHx3feF48XY+HXzbm615rrVWlyNPj4+Pj4+Ph+m69df5PQ3lZz7Ua9ifpRa64HG7X6Rm+gvXF8fHx8fHx8fM/ki8eVcb/cXmy0kRwNPj4+Pj4+Pr7b48q2oMu9s8cWJkeDj4+Pj4+Pj2/sK6VcJ7TL0eDj4+Pj4+PjO+6r+9WCbJ7n/55ujC0yORp8fHx8fHx8fPu+ul/tWNVCbpqm986VHA0+Pj4+Pj4+vuO+dV3TNE1pnuftuluIqJwKPj4+Pj4+Pr7zvnrdtpjbPv5GjgYfHx8fHx8f38d9uW4kR4OPj4+Pj4+P75hvFML+9vZWspwKPj4+Pj4+Pr5zvnYO66oA611MjgYfHx8fHx8f331fm9Bef87ti3I0+Pj4+Pj4+Pj2fbGgK6WkdV3fnx4ctcjkaPDx8fHx8fHxTYeG6+O6q4+/kaPBx8fHx8fHx3fO1657qdVaXRBzIGLaaFsZjs4oR48/9irIekPqazGnou7Dx8fHx8fHx/esvu4QfjyjlFPBx8fHx8fHx5cPHwX2jiqzHA0+Pj4+Pj4+vvO+UQGWewvkaPDx8fHx8fHxnfdtUQxyNPj4+Pj4+Pj4zvl6X8uylKl+qnNKt48rfrTia4fKeq2+djCtHWKLTwfw8fHx8fHx8T2Tr92vlJK2s0w5FXx8fHx8fHx85311Fqu+tmnkVPDx8fHx8fHxHfPF/ZZl2Qqr19fX6UVOBR8fHx8fHx/fOV/993K53HxEzjSq5ORo8PHx8fHx8fGNfZfL5apjVQu0KU7BP2L4q1fx7Q1/HbkhfHx8fHx8fHzfwZcfAYvtsdGZpxwNPj4+Pj6ZIRpyAAAINUlEQVQ+vp/iix2r1pblVPDx8fHx8fHxnfOt6zp8GjHXXxyt+OK6etGYAxEryPp9nNK/Fx3fm9Ln4+Pj4+Pj43s23zzPU6/oSymll7ZCO5MDESfm2xyI9mL1+2VZdqf0R2eZfHx8fHx8fHzP4htdN8vR4OPj4+Pj4+M752sLq9jZyu0mvccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1eLrAjkafHx8fHx8fHx93728q5viSk4FHx8fHx8fH9/xgq5dl4/AYrttdOYpR4OPj4+Pj4/vN/lGBVjuLZCjwcfHx8fHx8c39o0Kq1LKe3ElR4OPj4+Pj4+P79xThj3fNE1pip/mvDf8FXMgeueT7Q357JwKPj4+Pj4+Pr6v8N2b7cpnKjQ5Gnx8fHx8fHx8aVhYpZRSlqPBx8fHx8fHx3feF48XY+HXzbm615rrVWlyNPj4+Pj4+Ph+m69df5PQ3lZz7Ua9ifpRa64HG7X6Rm+gvXF8fHx8fHx8fM/ki8eVcb/cXmy0kRwNPj4+Pj4+Pr7b48q2oMu9s8cWJkeDj4+Pj4+Pj2/sK6VcJ7TL0eDj4+Pj4+PjO+6r+9WCbJ7n/55ujC0yORp8fHx8fHx8fPu+ul/tWNVCbpqm986VHA0+Pj4+Pj4+vuO+dV3TNE1pnuftuluIqJwKPj4+Pj4+Pr7zvnrdtpjbPv5GjgYfHx8fHx8f38d9uW4kR4OPj4+Pj4+P75hvFML+9vZWspwKPj4+Pj4+Pr5zvnYO66oA611MjgYfHx8fHx8f331fm9Bef87ti3I0+Pj4+Pj4+Pj2fbGgK6WkdV3fnx4ctcjkaPDx8fHx8fHxTYeG6+O6q4+/kaPBx8fHx8fHx3fO1657qdVaXRBzIGLaaFsZjs4oR48/9irIekPqazGnou7Dx8fHx8fHx/esvu4QfjyjlFPBx8fHx8fHx5cPHwX2jiqzHA0+Pj4+Pj4+vvO+UQGWewvkaPDx8fHx8fHxnfdtUQxyNPj4+Pj4+Pj4zvl6X8uylKl+qnNKt48rfrTia4fKeq2+djCtHWKLTwfw8fHx8fHx8T2Tr92vlJK2s0w5FXx8fHx8fHx85311Fqu+tmnkVPDx8fHx8fHxHfPF/ZZl2Qqr19fX6UVOBR8fHx8fHx/fOV/993K53HxEzjSq5ORo8PHx8fHx8fGNfZfL5apjVQu0KU7BP2L4q1fx7Q1/HbkhfHx8fHx8fHzfwZcfAYvtsdGZpxwNPj4+Pj4+vp/iix2r1pblVPDx8fHx8fHxnfOt6zp8GjHXXxyt+OK6etGYAxEryPp9nNK/Fx3fm9Ln4+Pj4+Pj43s23zzPU6/oSymll7ZCO5MDESfm2xyI9mL1+2VZdqf0R2eZfHx8fHx8fHzP4htdN8vR4OPj4+Pj4+M752sLq9jZyu0mvccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1eLrAjkafHx8fHx8fHx93728q5viSk4FHx8fHx8fH9/xgq5dl4/AYrttdOYpR4OPj4+Pj4/vN/lGBVjuLZCjwcfHx8fHx8c39o0Kq1LKe3ElR4OPj4+Pj4+P79xThj3fNE1pip/mvDf8FXMgeueT7Q357JwKPj4+Pj4+Pr6v8N2b7cpnKjQ5Gnx8fHx8fHx8aVhYpZRSlqPBx8fHx8fHx3feF48XY+HXzbm615rrVWlyNPj4+Pj4+Ph+m69df5PQ3lZz7Ua9ifpRa64HG7X6Rm+gvXF8fHx8fHx8fM/ki8eVcb/cXmy0kRwNPj4+Pj4+Pr7b48q2oMu9s8cWJkeDj4+Pj4+Pj2/sK6VcJ7TL0eDj4+Pj4+PjO+6r+9WCbJ7n/55ujC0yORp8fHx8fHx8fPu+ul/tWNVCbpqm986VHA0+Pj4+Pj4+vuO+dV3TNE1pnuftuluIqJwKPj4+Pj4+Pr7zvnrdtpjbPv5GjgYfHx8fHx8f38d9uW4kR4OPj4+Pj4+P75hvFML+9vZWspwKPj4+Pj4+Pr5zvnYO66oA611MjgYfHx8fHx8f331fm9Bef87ti3I0+Pj4+Pj4+Pj2fbGgK6WkdV3fnx4ctcjkaPDx8fHx8fHxTYeG6+O6q4+/kaPBx8fHx8fHx3fO1657qdVaXRBzIGLaaFsZjs4oR48/9irIekPqazGnou7Dx8fHx8fHx/esvu4QfjyjlFPBx8fHx8fHx5cPHwX2jiqzHA0+Pj4+Pj4+vvO+UQGWewvkaPDx8fHx8fHxnfdtUQxyNPj4+Pj4+Pj4zvl6X8uylKl+qnNKt48rfrTia4fKeq2+djCtHWKLTwfw8fHx8fHx8T2Tr92vlJK2s0w5FXx8fHx8fHx85311Fqu+tmnkVPDx8fHx8fHxHfPF/ZZl2Qqr19fX6UVOBR8fHx8fHx/fOV/993K53HxEzjSq5ORo8PHx8fHx8fGNfZfL5apjVQu0KU7BP2L4q1fx7Q1/HbkhfHx8fHx8fHzfwZcfAYvtsdGZpxwNPj4+Pj4+vp/iix2r1pblVPDx8fHx8fHxnfOt6zp8GjHXXxyt+OK6etGYAxEryPp9nNK/Fx3fm9Ln4+Pj4+Pj43s23zzPU6/oSymll7ZCO5MDESfm2xyI9mL1+2VZdqf0R2eZfHx8fHx8fHzP4htdN8vR4OPj4+Pj4+M752sLq9jZyu0mvccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1eLrAjkafHx8fHx8fHx93728q5viSk4FHx8fHx8fH9/xgq5d939udIhFzw2M+gAAAABJRU5ErkJggg==);
-}
-label.form-control{
-	background-color: #F8F9FC;
-	box-shadow: none;
-	border-left: none;
-	padding: 8px 12px !important;
-}
-label.form-control,label.input-group-text{
-	cursor: pointer;
-}
-label.form-control > i {
-  font-weight: normal;
-  opacity: .8;
-  font-family: var(--font-mono);
-  font-size: .9em;
-  margin-left: 2px;
-  font-style: normal;
-}
-form{
-  padding: 15px;
-}
-.panel-body, .panel-heading{
-	padding: 0;
-}
-.panel-body > .row > div{
-	padding: 15px 30px;
-}
-.panel-heading a{
-  padding: 10px 15px;
-  display: block;
-  text-decoration: none !important;
-  transition-duration: .2s;
-  border-bottom: 2px solid #D6DEEF;
-  background-color: #fff;
-  font-weight: bold;
-  transition-duration: .2s;
-  color: #041922 !important;
-  cursor: default;
-}
-.panel:hover .panel-heading a{
-  border-bottom-color: #13beb7;
-}
-.panel-heading a.collapsed{
-	border-bottom: 2px solid #D6DEEF;
-}
-/* -- PANEL SEPARATION -- */
-.panel-body > .panel-col:first-child{
-	padding: 15px;
-	margin-right: -1px;
-	border-right: 1px solid #D6DEEF;
-	position: relative;
-	background-color: #fff;
-}
-.panel-body > .panel-col:last-child:before{
-	content: "";
-	z-index: 100;
-	position: absolute;
-	left: -1px;
-	top: calc(50% - 20px);
-	width: 0;
-	height: 0;
-	border-top: 20px solid transparent;
-	border-bottom: 20px solid transparent;
-	border-left: 20px solid #fff;
-	display: block;
-}
-.panel-body > .panel-col:last-child:after{
-	content: "";
-	z-index: 95;
-	position: absolute;
-	left: 0px;
-	top: calc(50% - 20px);
-	width: 0;
-	height: 0;
-	border-top: 20px solid transparent;
-	border-bottom: 20px solid transparent;
-	border-left: 20px solid #D6DEEF;
-	display: block;
-}
-.panel-body > .panel-col:last-child{
-  padding: 15px;
-  border-left: 1px solid #D6DEEF;
-  background-color: #F8F9FC;
-  display: flex;
-}
-
-@media screen and (min-width: 992px){
-	.panel-body > .panel-col:first-child{
-		margin-right: -1px;
-		border-right: 1px solid #D6DEEF;
-	}
-	.panel-body > .panel-col:last-child:before{
-		left: -1px;
-		top: calc(50% - 20px);
-		width: 0;
-		height: 0;
-		border-top: 20px solid transparent;
-		border-bottom: 20px solid transparent;
-		border-left: 20px solid #fff;
-	}
-	.panel-body > .panel-col:last-child:after{
-		left: 0px;
-		top: calc(50% - 20px);
-		width: 0;
-		height: 0;
-		border-top: 20px solid transparent;
-		border-bottom: 20px solid transparent;
-		border-left: 20px solid #D6DEEF;
-	}
-}
-/* -- --------------- -- */
-.preview-window{
-	background-color: #fff;
-	margin:auto;
-	border:1px solid #D6DEEF;
-	width:100%;
-	max-width: 400px;
-	position: relative;
-}
-.preview-window .custom-bar{
-	width: 100%;
-	height:20px;
-	text-align: center;
-	position: absolute;
-	top: 0;
-	left: 0;
-}
-.preview-window .custom-bar > span{
-    font-size: 12px;
-    line-height: 20px;
-    font-weight: bold;
-}
-.preview-window > .left-menu{
-	width: 20%;
-	height:220px;
-	background-color: #041922;
-	margin-top: -20px;
-}
-.preview-window > .top-menu{
-	height: 25px;
-	background-color: #fff;
-	position: relative;
-	width: 100%;
-	margin-top: 20px;
-}
-.preview-window > .top-menu:after {
-  content: "";
-  box-shadow: 2px 2px 5px #dce2e4b8;
-  position: absolute;
-  display: block;
-  top: 0;
-  left: 20%;
-  right: 0;
-  bottom: 0;
-}
-.preview-window > .custom-bar.hidden + .top-menu, .preview-window > .custom-bar.hidden + .top-menu + .left-menu{
-	margin-top: 0px;
-}
-.preview-window > .top-menu > div{
-	position: absolute;
-	left: 0;
-	top: 0;
-	height: 25px;
-	width: 20%;
-	background-color: #041922;
-}
-.preview-window > .top-menu > div > span{
-    position: absolute;
-    left  : 10px;
-    right : 10px;
-    top   : 5px;
-    bottom: 5px;
-    background-size: contain;
-    background-position: center;
-    background-repeat: no-repeat;
-}
-
-/* === LOGIN === */
-.preview-window.login{
-  padding: 15px;
-  background-color: #F8F9FC;
-  display: flex;
-  flex-direction: column;
-  justify-content: center;
-  align-items: center;
-}
-.login .login-container{
-  width: 62%;
-}
-.login .logo-container > div{
-  height: 40px;
-  width: 100%;
-  background-size: contain;
-  background-position: center;
-  background-repeat: no-repeat;
-  margin: 12px 0 10px 0;
-}
-.preview-window .fake-form{
-  width: 100%;
-  border-radius: 14px;
-  padding: 20px;
-  box-shadow: 0 10px 20px 10px #dce3ef9e;
-  position: relative;
-  margin-bottom: 25px;
-}
-.preview-window .fake-form .custom-bar{
-  height:15px;
-  position: absolute;
-  top: 0;
-  bottom: 0;
-  left: 0;
-  right: 0;
-  font-weight: 700;
-  border-top-left-radius: 14px;
-  border-top-right-radius: 14px;
-}
-.preview-window .fake-form .custom-bar > span{
-  line-height: 15px;
-}
-.preview-window .fake-form .text-motd{
-  margin-top: 5px;
-  padding: 0 8px;
-  font-size: .9em;
-  text-align: center;
-}
-.preview-window .fake-form .fake-input{
-  width: 90%;
-  margin: auto;
-  height: 20px;
-  border-radius: 4px;
-  border:1px solid #D6DEEF;
-  margin-top: 12px;
-}
-.preview-window .fake-form .fake-btn{
-  background-color: #13beb7;
-  width: 90%;
-  margin: auto;
-  height: 20px;
-  border-radius: 4px;
-  margin-top: 12px;
-}
-
-/* LOGOS PREVIEW */
-.preview-logo{
-  width: 100%;
-  max-width: 370px;
-  display: flex;
-  margin: auto;
-  transition-property: opacity;
-  transition-duration: .2s;
-  height: 40px;
-  position: relative;
-  padding: 15px;
-  box-sizing: content-box;
-}
-.preview-logo:before,
-.preview-logo:after{
-  content:"";
-  position: absolute;
-  top: 0;
-  bottom: 0;
-  z-index: 1;
-  transition-property: opacity;
-  transition-duration: .2s;
-}
-.preview-logo:before{
-  left: 0;
-  width: 70px;
-  background-color: #041922;
-}
-.preview-logo:after{
-  left: 70px;
-  width: calc(100% - 70px);
-  background-color: #041922;
-}
-.preview-logo.sm-disabled:before,
-.preview-logo.lg-disabled:after{
-  opacity: .5;
-}
-.preview-logo > div{
-  background-position: center;
-  background-size: contain;
-  background-repeat: no-repeat;
-  position: relative;
-  z-index: 2;
-}
-.preview-logo > div:first-child{
-  width: 40px;
-}
-.preview-logo > div:last-child{
-  flex: 1;
-}
-
-/* -- COLOR PICKER -- */
-ui-dropdown-panel{
-    z-index:9999 !important;
-}
-.input-group > .input-group-text + ui-picker{
-    border-color: #D6DEEF;
-    border-top-left-radius: 0;
-    border-bottom-left-radius: 0;
-}
-.input-group > .input-group-text + ui-picker > ui-picker-input{
-	padding: 0;
-	height: 100%;
-}
-.input-group > .input-group-text + ui-picker > ui-picker-input > ui-color-picker-rect{
-    top: 0;
-    right: -1px;
-    width: 34px;
-    height: 33.5px;
-    border-top-left-radius: 0;
-    border-bottom-left-radius: 0;
-    padding: 11px 10px;
-    background-image: none;
-    background-color: #F8F9FC;
-    border: 1px solid #D6DEEF;
-    border-top: none;
-    border-bottom: none;
-}
-.input-group > .input-group-text + ui-picker ui-color-picker-background{
-	border-radius: 2px;
-}
-.input-group > .input-group-text + ui-picker ui-color-picker-text{
-    padding: 6px 12px;
-}
-
-/* RUDDER CSS CONFLICTS FIXES */
-#branding-main{
-  padding-bottom: 40px;
-}
-#branding-main .panel-heading,
-#branding-main .panel-heading .panel-title{
-  margin:0;
-  padding:0;
-}
-#branding-main .input-group > .input-group-text:last-child > .fa{
-  color: #72829D;
-  transition-duration: .2s;
-}
-.remove-btn ,
-.upload-btn {
-  transition-duration: .2s;
-}
-#branding-main .input-group > .input-group-text:last-child.remove-btn:hover > i.fa{
-  color: #DA291C;
-}
-#branding-main .input-group > .input-group-text:last-child.upload-btn:hover > i.fa{
-  color: #337ab7;
-}
-#branding-main .input-group > .input-group-text:last-child.remove-btn > i.fa-upload,
-#branding-main .input-group > .input-group-text:last-child.upload-btn > i.fa-times{
-  display: none;
-}
-
-#branding-main .toolbar {
-    background-color: #fff;
-    border-top: 1px solid #D6DEEF;
-    position: fixed;
-    z-index: 200;
-    text-align: right;
-    bottom: 0;
-    left: 0;
-    width: 100%;
-    padding: 10px 30px;
-}
-#branding-main .toolbar .btn{
-    min-width: 80px;
-}
-#branding-main .panel{
-  overflow: hidden;
-  border: 1px solid #D6DEEF;
-  margin-bottom: 20px;
-  border-radius: 4px;
-}
-#branding-main .panel-body{
-  padding: 0;
-  display: flex;
-}
-
-/* CSS EFFECTS */
-#headerBar > .background{
-  transition-duration:.6s;
-  transition-property: color, background-color;
-}
\ No newline at end of file
diff --git a/branding/src/main/style/media.scss b/branding/src/main/style/media.scss
new file mode 100755
index 000000000..7d412dc81
--- /dev/null
+++ b/branding/src/main/style/media.scss
@@ -0,0 +1,389 @@
+// Colors
+$rudder-bg-light-gray : #F8F9FC;
+$rudder-border-color-default : #D6DEEF;
+
+#brandingTab{
+  width: 100%;
+  background-color: $rudder-bg-light-gray;
+}
+.bg-pattern{
+  position: relative;
+  background-image: url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAlcAAAGQCAYAAACDPkUVAAAABmJLR0QA/wD/AP+gvaeTAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAB3RJTUUH4gINDzsW3MiGwAAAIABJREFUeNrt3VFS47oSBmBZxRbOxftfXTjeg3UfKPl0FCm2hzAE+HgZICr5i3mYrlb7z1RKSfXr7e2tpJTSNE3pf//735QGX3VdSim9vr7erCulpGmartb973//m6Zpunq9fv3777+lOnr78T2/79513T8+Pj4+vp/oG+2Xewt6sPrm/v3335uNYoFW31x7wYhpb9y6rodvHN9z+u4VVu4fHx8fH99P843+HyylvBdXseJrF7SVXKwg6/fTNF2tHb3RepPairS97r2KlO+5fEc6Vu4fHx8fH99P8/WuW383XS6Xw620UkrKOad//vnnqpIb3ZAWlnO+W/G17bazrb7f7vtoq/QjviOtV39fPj4+Pr6f4mvXRWM+U6HlnK/OHtu2W2zhtW80wnqtubaCvNfq4/v3VGH1N3y9/fx9+fj4+Ph+qm9UWKWU0su9Cq1esL72zz//3FSQ9fu2RVZ/f3Y4ra4dVYZ8Hxvue5Rv7yjQ35ePj4+P76f76pp2Fmtqh7n2jnZ6VVr7Rnvtu7NHWbWF96dT/3yf5/uT/dw/Pj4+Pr6f5hs9PZjjgvh9u1Fvon7UmuvBzh5ltTeO73l8Z44C3T8+Pj4+vp/qi8eVcb/cXmy0UXy9t9HojT7iKIvv632fnWPl78vHx8fH9x19vfiGm86VHA0+OVZ8fHx8fHznfKWUbV2OZ4ZyNPjkWPHx8fHx8e376n61IJvn+b+nG2OLTI6GHCs5Vnx8fHx8fPu+ul/tWMUnDHNspcnRkGMlx4qPj4+Pj2/ft65rmqYpzfO8XXcLEY2ttJgD0TvLjC2y2GbrVXKjwqD3+GNc1+ZU8J1rlT7Kt3cU6O/Lx8fHx/fbffW6bTG3ffyNHA0+OVZ8fHx8fHwf9+W6kRwNPjlWfHx8fHx8x3yjEPa3t7eS5VTw7V3X/ePj4+Pj47v2tXNYVwVY72JyNORYuX98fHx8fHz3fW1Ce/05ty/K0ZBj5f7x8fHx8fHt+2JBV0pJ67q+Pz04apHJ0fj7vrOt0kf67lXq/r58fHx8fHzH/5+++vgbORpf6zvaipRjxcfHx8fH9zy+dt1LrdbqgpgDEdNG28pwVBjsPd7f5lREWMypqPv8Nt9exfwo395RoL8vHx8fHx/fvq87hB/PKOVU/A7fn+zn/vHx8fHx8d02QHpHlVmOxu/znTkKdP/4+Pj4+Pj6vtH/q7m3QI6GHCv3j4+Pj4+P77xvi2KQoyHHyv3j4+Pj4+M75+t9LctSpvqpzindPq740YqvHSrrtfrawbR2iC0+HcB33veZHSt/Xz4+Pj6+3+5r9yulpO0sU06FHCt/Xz4+Pj4+vvO+OotVX9s0cirkWPn78vHx8fHxHfPF/ZZl2Qqr19fX6UVOhRwrf18+Pj4+Pr5zvvrv5XK5+f93GlVycjTkWPn78vHx8fHxjX2Xy+WqY1ULtClOwT9i+KtX8e0Nfx25IXx8fHx8fHx838GXHwGL7bHRmaccDTlW/r58fHx8fD/FFztWrS3LqZBj5f7x8fHx8fGd863rOnwaMddfHK344rp60ZgDESvI+n2c0r8XHd+b0ue77zvSsXL/+Pj4+Pj4Huub53nqFX0ppfTSVmhnciDixHybA9FerH6/LMvulP7oyOvZfX/ainyE78hZsL8vHx8fHx/f43yj62Y5Go/zHW1FyrHi4+Pj4+P73r62sIqdrdxu0nv8Mb6BNgcittJiDkTvLDO28GKbrdfqGxUuz+7ba0U+yrd3FPhd7x8fHx8fH9938PUKui1/q8XXBXI05Fj5+/Lx8fHx8fV99/KuboorORV8fHx8fHx8fG+nR4DqunwEFtttozNPORpyrPx9+fj4+Ph+k2/0/3TuLZCjIcfK35ePj4+Pj2/sG/0/XUp5L67kaDyvT44VHx8fHx/f8/l6162/m+KnOe8Nf8UciN75ZHtDPjun4m/7zrYiH+k7csb77PePj4+Pj4/vp/juzXblMxWaHKtjrUg5Vnx8fHx8fD/bNyqsUkrp5V6F1k7VxxyI9lHEtkVWf99e8E9yKp7Jt1e5Psq3dxT4Xe8fHx8fHx/fT/HVNe0sVjfn6sjRmBwNOVZ8fHx8fHy/2deuv0lob1NJ2416E/Wj1lwPdvaorb1xv8l35ijQ/ePj4+Pj4/saXzyujPvl9mKjjeRoyLHy9+Xj4+Pj47s9rmz/P7/pXMnR+BrfvcLK/ePj4+Pj43tuXynlOqFdjoYcK39fPj4+Pj6+4766Xy3I5nn+7+nG2CKTY3WuFflI371KXQ4JHx8fHx/fc/nqfrVjFZ8wzLGVJsfqWCtSjhUfHx8fH9/v9q3rmqZpSvM8b9fdQkRjKy3mQPTOMmOLLLbZepXcqHDpPf4Y17U5FX/bt9eKfJRv7yjwu94/Pj4+Pj6+3+Kr122Lue3jb+Ro/D3fn+zn/vHx8fHx8X0PX64bydH4e74zR4HuHx8fHx8f3/P5RiHsb29vJcup+Ds+OVZ8fHx8fHw/x9fOYV0VYL2LydGQY8XHx8fHx8d339cmtNefc/uiHA05Vnx8fHx8fHz7vljQlVLSuq7vTw+OWmRyrB7ru1cJyyHh4+Pj4+P7vr523dXH38ix+jxfb7/vdv/4+Pj4+Pj4+v+fx3UvtVqrC2IOREwbbSvDUeGyFz/Q5lREWMypqPs82rdXkT7Kt3cU+F3vHx8fHx8fH1+5uu7NLFY8o5RT8Rjfn+zn/vHx8fHx8X0vXw0Sba+Z5Wg83nfmKND94+Pj4+Pj+56+0f/7ubdAjoYcKz4+Pj4+Pr7zvi2KQY6GHCs+Pj4+Pj6+c77e17IsZaqf6pzS7eOKH6342qGyXquvHUxrh9ji0wHP6PvMjtVvuH98fHx8fHzf2dfuV0pJ21mmHCs5Vnx8fHx8fHznfXUWq762aeRYybHi4+Pj4+PjO+aL+y3LshVWr6+v04scKzlWfHx8fHx8fOd89d/L5XJTH0yjSk6OhhwrPj4+Pj4+vrHvcrlcdaxqgTbFKfhHDH/1Kr694a8jN4SPj4+Pj4+P7zv48iNgsT02OvOUYyWHhI+Pj4+P76f4YseqtWU5FXKs+Pj4+Pj4+M751nUdPo2Y6y+OVnxxXb1ozIGIFWT9Pk7p34uO703pf7XvSMfK/ePj4+Pj4/tdvnmep17Rl1JKL22FdiYHIk7MtzkQ7cXq98uy7E7pnzmS+1u+I2etz37/+Pj4+Pj4+B7nG103y7E65uvt1/rkkPDx8fHx8f0OX1tYxc5WbjfpPf4Y30CbAxFbaTEHoneWGVt4sc3Wa/Wd6Vh9hm/vKHDke/b7x8fHx8fHx/dxX6+g2/K3WnxdIMcqPa1PDgkfHx8fH9/X+u7lXd0UV3Iq+Pj4+Pj4+PjeTo8o1XX5CCy220ZnnnKs5JDw8fHx8fH9Jt+ojsi9BXKs0tP55JDw8fHx8fE9j29UR5RS3osrOVb3O1ZyPvj4+Pj4+PjaDljPN01TmuKnOe8Nf8UciN75ZHtDPjvH6pG+I2eoZ3M0/vb94+Pj4+Pj4/s7vnuzXflMhSbHSs4HHx8fHx8fXxoWViml9HKvQmun6mMORPsoYtsiq79vL/jR4bRH+faOAke+vfiGr75/fHx8fHx8fH/HV9e0s1jdnKsjR3dyrOR88PHx8fHx/WZfu/4mob1NJW036k3Uj1pzPdjZo8D2xj3Sd+Yo8Ct8z37/+Pj4+Pj4+K6PK+N+ub3YaCM5VnI++Pj4+Pj4+G6PK9t646ZzJcfqa3xySPj4+Pj4+L6vr5RyndAux0rOBx8fHx8fH99xX92vFmTzPP/3dGNskcmxkvPBx8fHx8fHt++r+9WOVXzCMMdWmhwrOR98fHx8fHx8+751XdM0TWme5+26W4hobKXFHIjeWWZskcU2W6+SO9OxiuvanIo/9e0dBY58vcczP8P3p/ePj4+Pj4+P7zl89bptMbd9/I0cq7/nk0PCx8fHx8f3c325biTH6u/55JDw8fHx8fF9b98ohP3t7a1kOVZ/xyeHhI+Pj4+P7+f42jmsqwKsdzE5VnI++Pj4+Pj4+O772oT2+nNuX5RjJeeDj4+Pj4+Pb98XC7pSSlrX9f3pwVGLTI7VY31ySPj4+Pj4+H6mr1139fE3cqw+zyeHhI+Pj4+P72f62nUvtVqrC2IOREwbbSvDP+1YtTkVERZzKuo1R769o8CRby++4VG+P71/fHx8fHx8fN/H1x3Cj2eUcqwe45PzwcfHx8fH9/N9NUi0vWaWY/V4nxwSPj4+Pj6+n+8b1SW5t0COlZwPPj4+Pj4+vvO+LYpBjpWcDz4+Pj4+Pr5zvt7Xsixlqp/qnNLt44ofrfjaobJeq68dTGuH2D6zY/UIX3x64RnvHx8fHx8fH9/n+dr9SilpO8uUYyXng4+Pj4+Pj++8r85i1dc2jRwrOR98fHx8fHx8x3xxv2VZtsLq9fV1epFjJeeDj4+Pj4+P75yv/nu5XG7ql2lUycmxkvPBx8fHx8fHN/ZdLperjlUt0KY4Bf+I4a9exbc3/HXkhvDx8fHx8fHxfQdffgQstsdGZ55yrPj4+Pj4+Ph+ii92rFpblmMl54OPj4+Pj4/vnG9d1+HTiLn+4mjFF9fVi8YciFhB1u/jlH4v2n6vY/WVvr2nCPj4+Pj4+Ph+n2+e56lX9KWU0ssjWmkRVnMg2ovV75dl+ePh9bM5FY/0fUaOBh8fHx8fH9/39Y2um+VYHfPJ+eDj4+Pj4+MbFVaxs5XPttLaHIjYSos5EL2zzCMtvD/JqfgMX2wD8vHx8fHx8fGNjgzrdbf8rRZfF8ixkvPBx8fHx8fH1/fdy7u6Ka7kVPDx8fHx8fHxvZ3+KMC6Lh+BxXbb6MxTjhUfHx8fHx/fb/KN6pzcWyDHSs4HHx8fHx8f39g3qnNKKe/FlRyr9y85H3x8fHx8fHxHfL3r1t9N8dOc94a/Yg5E73yyvSGfnWP1SN9n5Gjw8fHx8fHx/UzfvdmufKZCk2PFx8fHx8fHx5eGhVVKKb3cq9DaqfqYA9E+inivRdarDEdHhnvxDY/y1d+3N4SPj4+Pj4+P74ivrmlnsbo5V3vDWi1QjhUfHx8fHx/fb/O1628S2ttU0naj3kT9vdbc0aPA0Rtob9wjfb0bx8fHx8fHx8d3xhePK+N+ub3YaCM5Vnx8fHx8fHx8t8eVbT1007mSY8XHx8fHx8fHd85XSrlOaJdjxcfHx8fHx8d33Ff3qwXZPM//Pd0YW2RyrPj4+Pj4+Pj49n11v9qxik8Y5thKk2PFx8fHx8fHx7fvW9c1TdOU5nnerruFiMZWWsyB6J1lHmnh/UlORVzX5lT8qS+2Afn4+Pj4+Pj4Hu2r122Lue3jb+RY8fHx8fHx8fF93JfrRnKs+Pj4+Pj4+PiO+UYh7G9vbyXLseLj4+Pj4+PjO+dr57CuCrDexeRY8fHx8fHx8fHd97UJ7fXn3L4ox4qPj4+Pj4+Pb98XC7pSSlrX9f3pwVGLTI4VHx8fHx8fH9+xeiiuu/r4GzlWfHx8fHx8fHznfO26l1qt1QWfkWM1qiDrDamvxZyKus/IV3/fVpt8fHx8fHx8fH/L1x3Cj2eUcqz4+Pj4+Pj4+PLho8DeUWWWY8XHx8fHx8fHd943qpvykQvK0eDj4+Pj4+Pj2/dtUQxyrPj4+Pj4+Pj4zvl6X8uylGF8+yMqvnaorNfqawfT2iG2+HRA+zglHx8fHx8fH99X+tr9Sinp7mfj9CpIORp8fHx8fHx8fNfdrZrQnlKYuWrfQK/1JUeDj4+Pj4+Pj+/6yHJZlq2wen19nV7OHgXK0eDj4+Pj4+P77b767+VyuckJnUaVnBwNPj4+Pj4+Pr6x73K5XHWsaoE2xSn4Rwx/9Sq+veGvIzeEj4+Pj4+Pj+87+PIjYLE9NjrzlKPBx8fHx8fH91N8sWPV2rKcCj4+Pj4+Pj6+c751XYdPI+b6i6MVX1xXLxpzIGIFWb+PU/r3ouN7U/p8fHx8fHx8fM/mm+d56hV9KaX00lZoZ3Ig4sR8mwPRXqx+vyzL7pT+6CyTj4+Pj4+Pj+9ZfKPrZjkafHx8fHx8fHznfG1hFTtbNyGivccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1fv4GzkafHx8fHx8fHxj3728q5viSk4FHx8fHx8fH9/xgq5dl4/AYrttdOYpR4OPj4+Pj4/vN/lGBVjuLZCjwcfHx8fHx8c39o0Kq1LKe3ElR4OPj4+Pj4+P79xThj3fNE1pip/mvDf8FXMgeueT7Q357JwKPj4+Pj4+Pr6v8N2b7cpnKjQ5Gnx8fHx8fHx8aVhYpZRSlqPBx8fHx8fHx3feF48XY+HXzbm615rrVWlyNPj4+Pj4+Ph+m69df5PQ3lZz7Ua9ifpRa64HG7X6Rm+gvXF8fHx8fHx8fM/ki8eVcb/cXmy0kRwNPj4+Pj4+Pr7b48q2oMu9s8cWJkeDj4+Pj4+Pj2/sK6VcJ7TL0eDj4+Pj4+PjO+6r+9WCbJ7n/55ujC0yORp8fHx8fHx8fPu+ul/tWNVCbpqm986VHA0+Pj4+Pj4+vuO+dV3TNE1pnuftuluIqJwKPj4+Pj4+Pr7zvnrdtpjbPv5GjgYfHx8fHx8f38d9uW4kR4OPj4+Pj4+P75hvFML+9vZWspwKPj4+Pj4+Pr5zvnYO66oA611MjgYfHx8fHx8f331fm9Bef87ti3I0+Pj4+Pj4+Pj2fbGgK6WkdV3fnx4ctcjkaPDx8fHx8fHxTYeG6+O6q4+/kaPBx8fHx8fHx3fO1657qdVaXRBzIGLaaFsZjs4oR48/9irIekPqazGnou7Dx8fHx8fHx/esvu4QfjyjlFPBx8fHx8fHx5cPHwX2jiqzHA0+Pj4+Pj4+vvO+UQGWewvkaPDx8fHx8fHxnfdtUQxyNPj4+Pj4+Pj4zvl6X8uylKl+qnNKt48rfrTia4fKeq2+djCtHWKLTwfw8fHx8fHx8T2Tr92vlJK2s0w5FXx8fHx8fHx85311Fqu+tmnkVPDx8fHx8fHxHfPF/ZZl2Qqr19fX6UVOBR8fHx8fHx/fOV/993K53HxEzjSq5ORo8PHx8fHx8fGNfZfL5apjVQu0KU7BP2L4q1fx7Q1/HbkhfHx8fHx8fHzfwZcfAYvtsdGZpxwNPj4+Pj4+vp/iix2r1pblVPDx8fHx8fHxnfOt6zp8GjHXXxyt+OK6etGYAxEryPp9nNK/Fx3fm9Ln4+Pj4+Pj43s23zzPU6/oSymll7ZCO5MDESfm2xyI9mL1+2VZdqf0R2eZfHx8fHx8fHzP4htdN8vR4OPj4+Pj4+M752sLq9jZyu0mvccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1eLrAjkafHx8fHx8fHx93728q5viSk4FHx8fHx8fH9/xgq5dl4/AYrttdOYpR4OPj4+Pj4/vN/lGBVjuLZCjwcfHx8fHx8c39o0Kq1LKe3ElR4OPj4+Pj4+P79xThj3fNE1pip/mvDf8FXMgeueT7Q357JwKPj4+Pj4+Pr6v8N2b7cpnKjQ5Gnx8fHx8fHx8aVhYpZRSlqPBx8fHx8fHx3feF48XY+HXzbm615rrVWlyNPj4+Pj4+Ph+m69df5PQ3lZz7Ua9ifpRa64HG7X6Rm+gvXF8fHx8fHx8fM/ki8eVcb/cXmy0kRwNPj4+Pj4+Pr7b48q2oMu9s8cWJkeDj4+Pj4+Pj2/sK6VcJ7TL0eDj4+Pj4+PjO+6r+9WCbJ7n/55ujC0yORp8fHx8fHx8fPu+ul/tWNVCbpqm986VHA0+Pj4+Pj4+vuO+dV3TNE1pnuftuluIqJwKPj4+Pj4+Pr7zvnrdtpjbPv5GjgYfHx8fHx8f38d9uW4kR4OPj4+Pj4+P75hvFML+9vZWspwKPj4+Pj4+Pr5zvnYO66oA611MjgYfHx8fHx8f331fm9Bef87ti3I0+Pj4+Pj4+Pj2fbGgK6WkdV3fnx4ctcjkaPDx8fHx8fHxTYeG6+O6q4+/kaPBx8fHx8fHx3fO1657qdVaXRBzIGLaaFsZjs4oR48/9irIekPqazGnou7Dx8fHx8fHx/esvu4QfjyjlFPBx8fHx8fHx5cPHwX2jiqzHA0+Pj4+Pj4+vvO+UQGWewvkaPDx8fHx8fHxnfdtUQxyNPj4+Pj4+Pj4zvl6X8uylKl+qnNKt48rfrTia4fKeq2+djCtHWKLTwfw8fHx8fHx8T2Tr92vlJK2s0w5FXx8fHx8fHx85311Fqu+tmnkVPDx8fHx8fHxHfPF/ZZl2Qqr19fX6UVOBR8fHx8fHx/fOV/993K53HxEzjSq5ORo8PHx8fHx8fGNfZfL5apjVQu0KU7BP2L4q1fx7Q1/HbkhfHx8fHx8fHzfwZcfAYvtsdGZpxwNPj4+Pj4+vp/iix2r1pblVPDx8fHx8fHxnfOt6zp8GjHXXxyt+OK6etGYAxEryPp9nNK/Fx3fm9Ln4+Pj4+Pj43s23zzPU6/oSymll7ZCO5MDESfm2xyI9mL1+2VZdqf0R2eZfHx8fHx8fHzP4htdN8vR4OPj4+Pj4+M752sLq9jZyu0mvccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1eLrAjkafHx8fHx8fHx93728q5viSk4FHx8fHx8fH9/xgq5dl4/AYrttdOYpR4OPj4+Pj4/vN/lGBVjuLZCjwcfHx8fHx8c39o0Kq1LKe3ElR4OPj4+Pj4+P79xThj3fNE1pip/mvDf8FXMgeueT7Q357JwKPj4+Pj4+Pr6v8N2b7cpnKjQ5Gnx8fHx8fHx8aVhYpZRSlqPBx8fHx8fHx3feF48XY+HXzbm615rrVWlyNPj4+Pj4+Ph+m69df5PQ3lZz7Ua9ifpRa64HG7X6Rm+gvXF8fHx8fHx8fM/ki8eVcb/cXmy0kRwNPj4+Pj4+Pr7b48q2oMu9s8cWJkeDj4+Pj4+Pj2/sK6VcJ7TL0eDj4+Pj4+PjO+6r+9WCbJ7n/55ujC0yORp8fHx8fHx8fPu+ul/tWNVCbpqm986VHA0+Pj4+Pj4+vuO+dV3TNE1pnuftuluIqJwKPj4+Pj4+Pr7zvnrdtpjbPv5GjgYfHx8fHx8f38d9uW4kR4OPj4+Pj4+P75hvFML+9vZWspwKPj4+Pj4+Pr5zvnYO66oA611MjgYfHx8fHx8f331fm9Bef87ti3I0+Pj4+Pj4+Pj2fbGgK6WkdV3fnx4ctcjkaPDx8fHx8fHxTYeG6+O6q4+/kaPBx8fHx8fHx3fO1657qdVaXRBzIGLaaFsZjs4oR48/9irIekPqazGnou7Dx8fHx8fHx/esvu4QfjyjlFPBx8fHx8fHx5cPHwX2jiqzHA0+Pj4+Pj4+vvO+UQGWewvkaPDx8fHx8fHxnfdtUQxyNPj4+Pj4+Pj4zvl6X8uylKl+qnNKt48rfrTia4fKeq2+djCtHWKLTwfw8fHx8fHx8T2Tr92vlJK2s0w5FXx8fHx8fHx85311Fqu+tmnkVPDx8fHx8fHxHfPF/ZZl2Qqr19fX6UVOBR8fHx8fHx/fOV/993K53HxEzjSq5ORo8PHx8fHx8fGNfZfL5apjVQu0KU7BP2L4q1fx7Q1/HbkhfHx8fHx8fHzfwZcfAYvtsdGZpxwNPj4+Pj4+vp/iix2r1pblVPDx8fHx8fHxnfOt6zp8GjHXXxyt+OK6etGYAxEryPp9nNK/Fx3fm9Ln4+Pj4+Pj43s23zzPU6/oSymll7ZCO5MDESfm2xyI9mL1+2VZdqf0R2eZfHx8fHx8fHzP4htdN8vR4OPj4+Pj4+M752sLq9jZyu0mvccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1eLrAjkafHx8fHx8fHx93728q5viSk4FHx8fHx8fH9/xgq5dl4/AYrttdOYpR4OPj4+Pj4/vN/lGBVjuLZCjwcfHx8fHx8c39o0Kq1LKe3ElR4OPj4+Pj4+P79xThj3fNE1pip/mvDf8FXMgeueT7Q357JwKPj4+Pj4+Pr6v8N2b7cpnKjQ5Gnx8fHx8fHx8aVhYpZRSlqPBx8fHx8fHx3feF48XY+HXzbm615rrVWlyNPj4+Pj4+Ph+m69df5PQ3lZz7Ua9ifpRa64HG7X6Rm+gvXF8fHx8fHx8fM/ki8eVcb/cXmy0kRwNPj4+Pj4+Pr7b48q2oMu9s8cWJkeDj4+Pj4+Pj2/sK6VcJ7TL0eDj4+Pj4+PjO+6r+9WCbJ7n/55ujC0yORp8fHx8fHx8fPu+ul/tWNVCbpqm986VHA0+Pj4+Pj4+vuO+dV3TNE1pnuftuluIqJwKPj4+Pj4+Pr7zvnrdtpjbPv5GjgYfHx8fHx8f38d9uW4kR4OPj4+Pj4+P75hvFML+9vZWspwKPj4+Pj4+Pr5zvnYO66oA611MjgYfHx8fHx8f331fm9Bef87ti3I0+Pj4+Pj4+Pj2fbGgK6WkdV3fnx4ctcjkaPDx8fHx8fHxTYeG6+O6q4+/kaPBx8fHx8fHx3fO1657qdVaXRBzIGLaaFsZjs4oR48/9irIekPqazGnou7Dx8fHx8fHx/esvu4QfjyjlFPBx8fHx8fHx5cPHwX2jiqzHA0+Pj4+Pj4+vvO+UQGWewvkaPDx8fHx8fHxnfdtUQxyNPj4+Pj4+Pj4zvl6X8uylKl+qnNKt48rfrTia4fKeq2+djCtHWKLTwfw8fHx8fHx8T2Tr92vlJK2s0w5FXx8fHx8fHx85311Fqu+tmnkVPDx8fHx8fHxHfPF/ZZl2Qqr19fX6UVOBR8fHx8fHx/fOV/993K53HxEzjSq5ORo8PHx8fHx8fGNfZfL5apjVQu0KU7BP2L4q1fx7Q1/HbkhfHx8fHx8fHzfwZcfAYvtsdGZpxwNPj4+Pj6ZIRpyAAAINUlEQVQ+vp/iix2r1pblVPDx8fHx8fHxnfOt6zp8GjHXXxyt+OK6etGYAxEryPp9nNK/Fx3fm9Ln4+Pj4+Pj43s23zzPU6/oSymll7ZCO5MDESfm2xyI9mL1+2VZdqf0R2eZfHx8fHx8fHzP4htdN8vR4OPj4+Pj4+M752sLq9jZyu0mvccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1eLrAjkafHx8fHx8fHx93728q5viSk4FHx8fHx8fH9/xgq5dl4/AYrttdOYpR4OPj4+Pj4/vN/lGBVjuLZCjwcfHx8fHx8c39o0Kq1LKe3ElR4OPj4+Pj4+P79xThj3fNE1pip/mvDf8FXMgeueT7Q357JwKPj4+Pj4+Pr6v8N2b7cpnKjQ5Gnx8fHx8fHx8aVhYpZRSlqPBx8fHx8fHx3feF48XY+HXzbm615rrVWlyNPj4+Pj4+Ph+m69df5PQ3lZz7Ua9ifpRa64HG7X6Rm+gvXF8fHx8fHx8fM/ki8eVcb/cXmy0kRwNPj4+Pj4+Pr7b48q2oMu9s8cWJkeDj4+Pj4+Pj2/sK6VcJ7TL0eDj4+Pj4+PjO+6r+9WCbJ7n/55ujC0yORp8fHx8fHx8fPu+ul/tWNVCbpqm986VHA0+Pj4+Pj4+vuO+dV3TNE1pnuftuluIqJwKPj4+Pj4+Pr7zvnrdtpjbPv5GjgYfHx8fHx8f38d9uW4kR4OPj4+Pj4+P75hvFML+9vZWspwKPj4+Pj4+Pr5zvnYO66oA611MjgYfHx8fHx8f331fm9Bef87ti3I0+Pj4+Pj4+Pj2fbGgK6WkdV3fnx4ctcjkaPDx8fHx8fHxTYeG6+O6q4+/kaPBx8fHx8fHx3fO1657qdVaXRBzIGLaaFsZjs4oR48/9irIekPqazGnou7Dx8fHx8fHx/esvu4QfjyjlFPBx8fHx8fHx5cPHwX2jiqzHA0+Pj4+Pj4+vvO+UQGWewvkaPDx8fHx8fHxnfdtUQxyNPj4+Pj4+Pj4zvl6X8uylKl+qnNKt48rfrTia4fKeq2+djCtHWKLTwfw8fHx8fHx8T2Tr92vlJK2s0w5FXx8fHx8fHx85311Fqu+tmnkVPDx8fHx8fHxHfPF/ZZl2Qqr19fX6UVOBR8fHx8fHx/fOV/993K53HxEzjSq5ORo8PHx8fHx8fGNfZfL5apjVQu0KU7BP2L4q1fx7Q1/HbkhfHx8fHx8fHzfwZcfAYvtsdGZpxwNPj4+Pj4+vp/iix2r1pblVPDx8fHx8fHxnfOt6zp8GjHXXxyt+OK6etGYAxEryPp9nNK/Fx3fm9Ln4+Pj4+Pj43s23zzPU6/oSymll7ZCO5MDESfm2xyI9mL1+2VZdqf0R2eZfHx8fHx8fHzP4htdN8vR4OPj4+Pj4+M752sLq9jZyu0mvccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1eLrAjkafHx8fHx8fHx93728q5viSk4FHx8fHx8fH9/xgq5dl4/AYrttdOYpR4OPj4+Pj4/vN/lGBVjuLZCjwcfHx8fHx8c39o0Kq1LKe3ElR4OPj4+Pj4+P79xThj3fNE1pip/mvDf8FXMgeueT7Q357JwKPj4+Pj4+Pr6v8N2b7cpnKjQ5Gnx8fHx8fHx8aVhYpZRSlqPBx8fHx8fHx3feF48XY+HXzbm615rrVWlyNPj4+Pj4+Ph+m69df5PQ3lZz7Ua9ifpRa64HG7X6Rm+gvXF8fHx8fHx8fM/ki8eVcb/cXmy0kRwNPj4+Pj4+Pr7b48q2oMu9s8cWJkeDj4+Pj4+Pj2/sK6VcJ7TL0eDj4+Pj4+PjO+6r+9WCbJ7n/55ujC0yORp8fHx8fHx8fPu+ul/tWNVCbpqm986VHA0+Pj4+Pj4+vuO+dV3TNE1pnuftuluIqJwKPj4+Pj4+Pr7zvnrdtpjbPv5GjgYfHx8fHx8f38d9uW4kR4OPj4+Pj4+P75hvFML+9vZWspwKPj4+Pj4+Pr5zvnYO66oA611MjgYfHx8fHx8f331fm9Bef87ti3I0+Pj4+Pj4+Pj2fbGgK6WkdV3fnx4ctcjkaPDx8fHx8fHxTYeG6+O6q4+/kaPBx8fHx8fHx3fO1657qdVaXRBzIGLaaFsZjs4oR48/9irIekPqazGnou7Dx8fHx8fHx/esvu4QfjyjlFPBx8fHx8fHx5cPHwX2jiqzHA0+Pj4+Pj4+vvO+UQGWewvkaPDx8fHx8fHxnfdtUQxyNPj4+Pj4+Pj4zvl6X8uylKl+qnNKt48rfrTia4fKeq2+djCtHWKLTwfw8fHx8fHx8T2Tr92vlJK2s0w5FXx8fHx8fHx85311Fqu+tmnkVPDx8fHx8fHxHfPF/ZZl2Qqr19fX6UVOBR8fHx8fHx/fOV/993K53HxEzjSq5ORo8PHx8fHx8fGNfZfL5apjVQu0KU7BP2L4q1fx7Q1/HbkhfHx8fHx8fHzfwZcfAYvtsdGZpxwNPj4+Pj4+vp/iix2r1pblVPDx8fHx8fHxnfOt6zp8GjHXXxyt+OK6etGYAxEryPp9nNK/Fx3fm9Ln4+Pj4+Pj43s23zzPU6/oSymll7ZCO5MDESfm2xyI9mL1+2VZdqf0R2eZfHx8fHx8fHzP4htdN8vR4OPj4+Pj4+M752sLq9jZyu0mvccf4xtocyBiKy3mQPTOMmMLL7bZeq2+0RkqHx8fHx8fH99X+3oF3Za/1eLrAjkafHx8fHx8fHx93728q5viSk4FHx8fHx8fH9/xgq5d939udIhFzw2M+gAAAABJRU5ErkJggg==);
+}
+
+label.form-control{
+  background-color: $rudder-bg-light-gray;
+  box-shadow: none;
+  border-left: none;
+  padding: 8px 12px !important;
+
+  i {
+    font-weight: normal;
+    opacity: .8;
+    font-family: var(--font-mono);
+    font-size: .9em;
+    margin-left: 2px;
+    font-style: normal;
+  }
+}
+
+label.form-control,
+label.input-group-text{
+  cursor: pointer;
+}
+
+.card-body > .row > div{
+  padding: 15px 30px;
+}
+.card-header a{
+  padding: 10px 15px;
+  display: flex;
+  border-bottom: 2px solid #D6DEEF;
+  background-color: #fff;
+  font-weight: bold;
+  transition-duration: 0.2s;
+  color: #041922 !important;
+}
+.card:hover .card-header a{
+  border-bottom-color: #13beb7;
+}
+.card-header a.collapsed{
+  border-bottom: 2px solid $rudder-border-color-default;
+}
+/* -- PANEL SEPARATION -- */
+.card-body > .card-col:first-child{
+  padding: 15px;
+  margin-right: -1px;
+  border-right: 1px solid $rudder-border-color-default;
+  position: relative;
+  background-color: #fff;
+}
+.card-body > .card-col:last-child:before{
+  content: "";
+  z-index: 100;
+  position: absolute;
+  left: -1px;
+  top: calc(50% - 20px);
+  width: 0;
+  height: 0;
+  border-top: 20px solid transparent;
+  border-bottom: 20px solid transparent;
+  border-left: 20px solid #fff;
+  display: block;
+}
+.card-body > .card-col:last-child:after{
+  content: "";
+  z-index: 95;
+  position: absolute;
+  left: 0px;
+  top: calc(50% - 20px);
+  width: 0;
+  height: 0;
+  border-top: 20px solid transparent;
+  border-bottom: 20px solid transparent;
+  border-left: 20px solid $rudder-border-color-default;
+  display: block;
+}
+.card-body > .card-col:last-child{
+  padding: 15px;
+  border-left: 1px solid $rudder-border-color-default;
+  background-color: $rudder-bg-light-gray;
+  display: flex;
+}
+
+@media screen and (min-width: 992px){
+  .card-body > .card-col:first-child{
+    margin-right: -1px;
+    border-right: 1px solid $rudder-border-color-default;
+  }
+  .card-body > .card-col:last-child:before{
+    left: -1px;
+    top: calc(50% - 20px);
+    width: 0;
+    height: 0;
+    border-top: 20px solid transparent;
+    border-bottom: 20px solid transparent;
+    border-left: 20px solid #fff;
+  }
+  .card-body > .card-col:last-child:after{
+    left: 0px;
+    top: calc(50% - 20px);
+    width: 0;
+    height: 0;
+    border-top: 20px solid transparent;
+    border-bottom: 20px solid transparent;
+    border-left: 20px solid $rudder-border-color-default;
+  }
+}
+/* -- --------------- -- */
+.preview-window{
+  background-color: #fff;
+  margin:auto;
+  border:1px solid $rudder-border-color-default;
+  width:100%;
+  max-width: 400px;
+  position: relative;
+
+  .custom-bar{
+    width: 100%;
+    height:20px;
+    text-align: center;
+    position: absolute;
+    top: 0;
+    left: 0;
+
+    & > span{
+      font-size: 12px;
+      line-height: 20px;
+      font-weight: bold;
+    }
+
+    &.hidden {
+      & + .top-menu,
+      & + .left-menu{
+        margin-top: 0px;
+      }
+    }
+  }
+
+  & > .left-menu{
+    width: 20%;
+    height:220px;
+    background-color: #041922;
+    margin-top: -20px;
+  }
+
+  & > .top-menu{
+    height: 25px;
+    background-color: #fff;
+    position: relative;
+    width: 100%;
+    margin-top: 20px;
+
+    &:after {
+      content: "";
+      box-shadow: 2px 2px 5px #dce2e4b8;
+      position: absolute;
+      display: block;
+      top: 0;
+      left: 20%;
+      right: 0;
+      bottom: 0;
+    }
+
+    & > div{
+      position: absolute;
+      left: 0;
+      top: 0;
+      height: 25px;
+      width: 20%;
+      background-color: #041922;
+
+      & > span{
+        position: absolute;
+        left  : 10px;
+        right : 10px;
+        top   : 5px;
+        bottom: 5px;
+        background-size: contain;
+        background-position: center;
+        background-repeat: no-repeat;
+      }
+    }
+  }
+}
+
+/* === LOGIN === */
+.preview-window.login{
+  padding: 15px;
+  background-color: $rudder-bg-light-gray;
+  display: flex;
+  flex-direction: column;
+  justify-content: center;
+  align-items: center;
+}
+.login .login-container{
+  width: 62%;
+}
+.login .logo-container > div{
+  height: 40px;
+  width: 100%;
+  background-size: contain;
+  background-position: center;
+  background-repeat: no-repeat;
+  margin: 12px 0 10px 0;
+}
+.preview-window .fake-form{
+  width: 100%;
+  border-radius: 14px;
+  padding: 20px;
+  box-shadow: 0 10px 20px 10px #dce3ef9e;
+  position: relative;
+  margin-bottom: 25px;
+}
+.preview-window .fake-form .custom-bar{
+  height:15px;
+  position: absolute;
+  top: 0;
+  bottom: 0;
+  left: 0;
+  right: 0;
+  font-weight: 700;
+  border-top-left-radius: 14px;
+  border-top-right-radius: 14px;
+}
+.preview-window .fake-form .custom-bar > span{
+  line-height: 15px;
+}
+.preview-window .fake-form .text-motd{
+  margin-top: 5px;
+  padding: 0 8px;
+  font-size: .9em;
+  text-align: center;
+}
+.preview-window .fake-form .fake-input{
+  width: 90%;
+  margin: auto;
+  height: 20px;
+  border-radius: 4px;
+  border:1px solid $rudder-border-color-default;
+  margin-top: 12px;
+}
+.preview-window .fake-form .fake-btn{
+  background-color: #13beb7;
+  width: 90%;
+  margin: auto;
+  height: 20px;
+  border-radius: 4px;
+  margin-top: 12px;
+}
+
+/* LOGOS PREVIEW */
+.preview-logo{
+  width: 100%;
+  max-width: 370px;
+  display: flex;
+  margin: auto;
+  transition-property: opacity;
+  transition-duration: .2s;
+  height: 40px;
+  position: relative;
+  padding: 15px;
+  box-sizing: content-box;
+
+  &:before,
+  &:after{
+    content:"";
+    position: absolute;
+    top: 0;
+    bottom: 0;
+    z-index: 1;
+    transition-property: opacity;
+    transition-duration: .2s;
+  }
+  &:before{
+    left: 0;
+    width: 70px;
+    background-color: #041922;
+  }
+  &:after{
+    left: 70px;
+    width: calc(100% - 70px);
+    background-color: #041922;
+  }
+  &.sm-disabled:before,
+  &.lg-disabled:after{
+    opacity: .5;
+  }
+
+  & > div{
+    background-position: center;
+    background-size: contain;
+    background-repeat: no-repeat;
+    position: relative;
+    z-index: 2;
+
+    &:first-child{
+      width: 40px;
+    }
+    &:last-child{
+      flex: 1;
+    }
+  }
+}
+
+/* -- COLOR PICKER -- */
+ui-dropdown-panel{
+    z-index:9999 !important;
+}
+.input-group > .input-group-text + ui-picker{
+  border-color: $rudder-border-color-default;
+  border-top-left-radius: 0;
+  border-bottom-left-radius: 0;
+
+  & > ui-picker-input{
+    padding: 0;
+    height: 100%;
+
+    & > ui-color-picker-rect{
+      top: 0;
+      right: -1px;
+      width: 34px;
+      height: 33.5px;
+      border-top-left-radius: 0;
+      border-bottom-left-radius: 0;
+      padding: 11px 10px;
+      background-image: none;
+      background-color: $rudder-bg-light-gray;
+      border: 1px solid $rudder-border-color-default;
+      border-top: none;
+      border-bottom: none;
+    }
+  }
+}
+.input-group > .input-group-text + ui-picker ui-color-picker-background{
+  border-radius: 2px;
+}
+.input-group > .input-group-text + ui-picker ui-color-picker-text{
+    padding: 6px 12px;
+}
+
+#brandingTab .input-group > .input-group-text:last-child > .fa{
+  color: #72829D;
+  transition-duration: .2s;
+}
+.remove-btn ,
+.upload-btn {
+  transition-duration: .2s;
+}
+#brandingTab .input-group > .input-group-text.remove-btn:hover > i.fa{
+  color: #DA291C;
+}
+#brandingTab .input-group > .input-group-text.upload-btn:hover > i.fa{
+  color: #337ab7;
+}
+#brandingTab .input-group > .input-group-text.remove-btn > i.fa-upload,
+#brandingTab .input-group > .input-group-text.upload-btn > i.fa-times{
+  display: none;
+}
+
+#brandingTab .toolbar {
+  background-color: #fff;
+  border-top: 1px solid $rudder-border-color-default;
+  position: fixed;
+  z-index: 200;
+  text-align: right;
+  bottom: 0;
+  left: 0;
+  width: 100%;
+  padding: 10px 30px;
+  .btn{
+    min-width: 80px;
+  }
+}
+
+/* CSS EFFECTS */
+#headerBar > .background{
+  transition-duration:.6s;
+  transition-property: color, background-color;
+}
\ No newline at end of file
diff --git a/change-validation/README.adoc b/change-validation/README.adoc
index 1e357de4e..5a74e765f 100644
--- a/change-validation/README.adoc
+++ b/change-validation/README.adoc
@@ -71,7 +71,7 @@ image::docs/images/States.png[]
 
 == Change request management page
 
-All Change requests can be seen on the /secure/plugins/changes/changeRequests page.
+All Change requests can be seen on the /secure/configurationManager/changes/changeRequests page.
 There is a table containing all requests, you can access to each of them by clicking on their id.
 You can filter change requests by status and only display what you need.
 
@@ -79,7 +79,7 @@ image::docs/images/Management.png[]
 
 === Change request detail page
 
-Each Change request is reachable on the /secure/plugins/changes/changeRequest/id.
+Each Change request is reachable on the /secure/configurationManager/changes/changeRequest/id.
 
 image::docs/images/Details.png[]
 
diff --git a/change-validation/packaging/metadata b/change-validation/packaging/metadata
index 206921d9e..5a1309939 100644
--- a/change-validation/packaging/metadata
+++ b/change-validation/packaging/metadata
@@ -8,5 +8,6 @@
   "jar-files": [ "/opt/rudder/share/plugins/${plugin-name}/${plugin-name}.jar" ],
   "content": {
     "files.txz": "/opt/rudder/share/plugins"
-  }
+  },
+  "requires-license": true
 }
diff --git a/change-validation/pom-template.xml b/change-validation/pom-template.xml
index 61de0fadc..a2e4527a6 100644
--- a/change-validation/pom-template.xml
+++ b/change-validation/pom-template.xml
@@ -51,7 +51,7 @@
     <dependency>
       <groupId>com.github.spullara.mustache.java</groupId>
       <artifactId>compiler</artifactId>
-      <version>0.9.11</version>
+      <version>0.9.14</version>
     </dependency>
     <dependency>
       <groupId>com.sun.mail</groupId>
@@ -63,7 +63,7 @@
     <dependency>
       <groupId>com.github.davidmoten</groupId>
       <artifactId>subethasmtp</artifactId>
-      <version>7.0.2</version>
+      <version>7.1.1</version>
       <scope>test</scope>
     </dependency>
 
diff --git a/change-validation/src/main/elm/elm.json b/change-validation/src/main/elm/elm.json
index df468af9a..70a0dd8e6 100644
--- a/change-validation/src/main/elm/elm.json
+++ b/change-validation/src/main/elm/elm.json
@@ -12,11 +12,13 @@
             "elm/html": "1.0.0",
             "elm/http": "2.0.0",
             "elm/json": "1.1.3",
-            "elm/regex": "1.0.0"
+            "elm/regex": "1.0.0",
+            "elm-explorations/test": "2.2.0"
         },
         "indirect": {
             "elm/bytes": "1.0.8",
             "elm/file": "1.0.5",
+            "elm/random": "1.0.0",
             "elm/time": "1.0.0",
             "elm/url": "1.0.0",
             "elm/virtual-dom": "1.0.3"
diff --git a/change-validation/src/main/elm/sources/ApiCalls.elm b/change-validation/src/main/elm/sources/ApiCalls.elm
index 701e74e16..3ce480a9e 100644
--- a/change-validation/src/main/elm/sources/ApiCalls.elm
+++ b/change-validation/src/main/elm/sources/ApiCalls.elm
@@ -1,58 +1,89 @@
 module ApiCalls exposing (..)
 
-import Http exposing (emptyBody, expectJson, header, jsonBody, request)
-import JsonDecoders exposing (decodeApiDeleteUsername, decodeUserList)
 import DataTypes exposing (..)
-import JsonEncoders exposing (encodeUsernames)
+import Http exposing (emptyBody, expectJson, header, jsonBody, request)
+import JsonDecoders exposing (decodeApiDeleteUsername, decodeSetting, decodeUserList)
+import JsonEncoders exposing (encodeSetting, encodeUsernames)
 
-getUrl: DataTypes.Model -> String -> String
+
+getUrl : DataTypes.Model -> String -> String
 getUrl m url =
-  m.contextPath ++ "/secure/api/" ++ url
+    m.contextPath ++ "/secure/api/" ++ url
+
 
 getUsers : DataTypes.Model -> Cmd Msg
 getUsers model =
-  let
-    req =
-      request
-        { method  = "GET"
-        , headers = [header "X-Requested-With" "XMLHttpRequest"]
-        , url     = getUrl model "users"
-        , body    = emptyBody
-        , expect  = expectJson GetUsers decodeUserList
-        , timeout = Nothing
-        , tracker = Nothing
-        }
-  in
+    let
+        req =
+            request
+                { method = "GET"
+                , headers = [ header "X-Requested-With" "XMLHttpRequest" ]
+                , url = getUrl model "users"
+                , body = emptyBody
+                , expect = expectJson (WorkflowUsersMsg << GetUsers) decodeUserList
+                , timeout = Nothing
+                , tracker = Nothing
+                }
+    in
     req
 
-removeValidatedUser: Username -> Model -> Cmd Msg
-removeValidatedUser username model =
-  let
-    req =
-      request
-        { method  = "DELETE"
-        , headers = [header "X-Requested-With" "XMLHttpRequest"]
-        , url     = getUrl model ("validatedUsers/" ++ username)
-        , body    = emptyBody
-        , expect  = expectJson RemoveUser decodeApiDeleteUsername
-        , timeout = Nothing
-        , tracker = Nothing
-        }
-  in
-    req
 
 saveWorkflow : List Username -> Model -> Cmd Msg
 saveWorkflow usernames model =
-  let
-    req =
-      request
-        { method  = "POST"
-        , headers = [header "X-Requested-With" "XMLHttpRequest"]
-        , url     = getUrl model "validatedUsers"
-        , body    = jsonBody (encodeUsernames usernames)
-        , expect  = expectJson SaveWorkflow decodeUserList
-        , timeout = Nothing
-        , tracker = Nothing
-        }
-  in
-    req
\ No newline at end of file
+    let
+        req =
+            request
+                { method = "POST"
+                , headers = [ header "X-Requested-With" "XMLHttpRequest" ]
+                , url = getUrl model "validatedUsers"
+                , body = jsonBody (encodeUsernames usernames)
+                , expect = expectJson (WorkflowUsersMsg << SaveWorkflow) decodeUserList
+                , timeout = Nothing
+                , tracker = Nothing
+                }
+    in
+    req
+
+
+getSetting : Model -> String -> (Result Http.Error Bool -> WorkflowUsersMsg) -> Cmd Msg
+getSetting model settingId msg =
+    let
+        req =
+            request
+                { method = "GET"
+                , headers = [ header "X-Requested-With" "XMLHttpRequest" ]
+                , url = getUrl model ("settings/" ++ settingId)
+                , body = emptyBody
+                , expect = expectJson (WorkflowUsersMsg << msg) (decodeSetting settingId)
+                , timeout = Nothing
+                , tracker = Nothing
+                }
+    in
+    req
+
+
+getValidateAllSetting : Model -> Cmd Msg
+getValidateAllSetting model =
+    getSetting model "enable_validate_all" GetValidateAllSetting
+
+
+setSetting : Model -> String -> (Result Http.Error Bool -> WorkflowUsersMsg) -> Bool -> Cmd Msg
+setSetting model settingId msg newValue =
+    let
+        req =
+            request
+                { method = "POST"
+                , headers = [ header "X-Requested-With" "XMLHttpRequest" ]
+                , url = getUrl model ("settings/" ++ settingId)
+                , body = jsonBody (encodeSetting newValue)
+                , expect = expectJson (WorkflowUsersMsg << msg) (decodeSetting settingId)
+                , timeout = Nothing
+                , tracker = Nothing
+                }
+    in
+    req
+
+
+saveValidateAllSetting : Bool -> Model -> Cmd Msg
+saveValidateAllSetting newValue model =
+    setSetting model "enable_validate_all" SaveValidateAllSetting newValue
diff --git a/change-validation/src/main/elm/sources/ChangeRequestEditForm.elm b/change-validation/src/main/elm/sources/ChangeRequestEditForm.elm
new file mode 100644
index 000000000..715fc4b1d
--- /dev/null
+++ b/change-validation/src/main/elm/sources/ChangeRequestEditForm.elm
@@ -0,0 +1,489 @@
+module ChangeRequestEditForm exposing (..)
+
+------------------------------
+-- Init and main --
+------------------------------
+
+import Browser
+import ErrorMessages exposing (getErrorMessage)
+import Html exposing (Html, a, div, form, h2, h3, input, label, p, span, text, textarea)
+import Html.Attributes exposing (class, disabled, for, href, id, maxlength, name, readonly, required, style, type_, value)
+import Html.Events exposing (onClick, onInput, onSubmit)
+import Http exposing (Error, emptyBody, expectJson, header, jsonBody, request)
+import Json.Decode exposing (Decoder, andThen, at, fail, field, index, int, map3, map4, map5, string, succeed)
+import Json.Encode as Encode
+import Ports exposing (errorNotification, readUrl, successNotification)
+
+
+getApiUrl : Model -> String -> String
+getApiUrl m url =
+    m.contextPath ++ "/secure/api/" ++ url
+
+
+changeRequestsPageUrl : Model -> String
+changeRequestsPageUrl m =
+    m.contextPath ++ "/secure/configurationManager/changes/changeRequests"
+
+
+main =
+    Browser.element
+        { init = init
+        , view = view
+        , update = update
+        , subscriptions = subscriptions
+        }
+
+
+init : { contextPath : String, hasWriteRights : Bool } -> ( Model, Cmd Msg )
+init flags =
+    let
+        initModel =
+            Model
+                flags.contextPath
+                ChangeRequestIdNotSet
+                flags.hasWriteRights
+                NoView
+    in
+    ( initModel, Cmd.none )
+
+
+
+------------------------------
+-- MODEL --
+------------------------------
+
+
+type alias Model =
+    { contextPath : String
+    , changeRequest : ChangeRequestDetailsOpt
+    , hasWriteRights : Bool
+    , viewState : ViewState
+    }
+
+
+type Msg
+    = GetChangeRequestDetails (Result Error ChangeRequestDetails)
+    | SetChangeRequestDetails (Result Error ChangeRequestDetails)
+    | GetChangeRequestIdFromUrl String
+      -- Form input
+    | FormInputName String
+    | FormInputDescription String
+    | FormSubmit
+
+
+type alias ChangeRequestDetails =
+    { title : String
+    , state : String
+    , id : Int
+    , description : String
+    }
+
+
+type ChangeRequestDetailsOpt
+    = Success ChangeRequestDetails
+    | ChangeRequestIdNotSet
+
+
+type ViewState
+    = NoView
+    | ViewError String
+    | Form { initValues : ChangeRequestDetails, formValues : ChangeRequestDetails }
+
+
+
+------------------------------
+-- API --
+------------------------------
+
+
+getChangeRequestDetails : Model -> Int -> Cmd Msg
+getChangeRequestDetails model crId =
+    let
+        req =
+            request
+                { method = "GET"
+                , headers = [ header "X-Requested-With" "XMLHttpRequest" ]
+                , url = getApiUrl model ("changeRequests/" ++ String.fromInt crId)
+                , body = emptyBody
+                , expect = expectJson GetChangeRequestDetails decodeChangeRequestDetails
+                , timeout = Nothing
+                , tracker = Nothing
+                }
+    in
+    req
+
+
+updateChangeRequestDetails : Model -> ChangeRequestDetails -> Cmd Msg
+updateChangeRequestDetails model changeRequestDetails =
+    let
+        req =
+            request
+                { method = "POST"
+                , headers = [ header "X-Requested-With" "XMLHttpRequest" ]
+                , url = getApiUrl model ("changeRequests/" ++ String.fromInt changeRequestDetails.id)
+                , body = encodeChangeRequestDetails changeRequestDetails |> jsonBody
+                , expect = expectJson SetChangeRequestDetails decodeChangeRequestDetails
+                , timeout = Nothing
+                , tracker = Nothing
+                }
+    in
+    req
+
+
+
+------------------------------
+-- ENCODE / DECODE JSON --
+------------------------------
+
+
+decodeChangeRequestStatus : Decoder String
+decodeChangeRequestStatus =
+    string
+        |> andThen
+            (\str ->
+                case str of
+                    "Open" ->
+                        succeed str
+
+                    "Closed" ->
+                        succeed str
+
+                    "Pending validation" ->
+                        succeed str
+
+                    "Pending deployment" ->
+                        succeed str
+
+                    "Cancelled" ->
+                        succeed str
+
+                    "Deployed" ->
+                        succeed str
+
+                    _ ->
+                        fail "Invalid change request status"
+            )
+
+
+decodeChangeRequestDetails : Decoder ChangeRequestDetails
+decodeChangeRequestDetails =
+    at [ "data" ]
+        (field "changeRequests"
+            (index 0
+                (map4
+                    ChangeRequestDetails
+                    (field "displayName" string)
+                    (field "status" decodeChangeRequestStatus)
+                    (field "id" int)
+                    (field "description" string)
+                )
+            )
+        )
+
+
+encodeChangeRequestDetails : ChangeRequestDetails -> Encode.Value
+encodeChangeRequestDetails changeRequestDetails =
+    Encode.object
+        [ ( "description", Encode.string changeRequestDetails.description )
+        , ( "name", Encode.string changeRequestDetails.title )
+        ]
+
+
+
+------------------------------
+-- UPDATE --
+------------------------------
+
+
+update : Msg -> Model -> ( Model, Cmd Msg )
+update msg model =
+    case msg of
+        GetChangeRequestDetails result ->
+            case result of
+                Ok changeRequestDetails ->
+                    ( { model | changeRequest = Success changeRequestDetails, viewState = initForm changeRequestDetails }, Cmd.none )
+
+                Err err ->
+                    let
+                        errMsg =
+                            getErrorMessage err
+                    in
+                    ( { model | viewState = ViewError errMsg }
+                    , errorNotification ("Error while trying to fetch change request details: " ++ errMsg)
+                    )
+
+        GetChangeRequestIdFromUrl crIdStr ->
+            case String.toInt crIdStr of
+                Just crId ->
+                    ( model, getChangeRequestDetails model crId )
+
+                Nothing ->
+                    let
+                        errMsg =
+                            crIdStr ++ " is not a valid change request id"
+                    in
+                    ( { model | viewState = ViewError errMsg }, errorNotification errMsg )
+
+        SetChangeRequestDetails result ->
+            case result of
+                Ok changeRequestDetails ->
+                    ( { model | changeRequest = Success changeRequestDetails, viewState = initForm changeRequestDetails }
+                    , successNotification "Successfully updated change request details"
+                    )
+
+                Err err ->
+                    let
+                        errMsg =
+                            getErrorMessage err
+                    in
+                    ( model, errorNotification ("Error while trying to update change request details: " ++ errMsg) )
+
+        FormInputName newName ->
+            ( model |> updateForm (setName newName), Cmd.none )
+
+        FormInputDescription newDescription ->
+            ( model |> updateForm (setDescription newDescription), Cmd.none )
+
+        FormSubmit ->
+            case model.viewState of
+                Form { initValues, formValues } ->
+                    if canSaveChanges initValues formValues then
+                        ( model, updateChangeRequestDetails model formValues )
+
+                    else
+                        ( model, Cmd.none )
+
+                _ ->
+                    ( model, Cmd.none )
+
+
+initForm : ChangeRequestDetails -> ViewState
+initForm cr =
+    Form { initValues = cr, formValues = cr }
+
+
+updateForm : (ViewState -> ViewState) -> Model -> Model
+updateForm f model =
+    { model | viewState = f model.viewState }
+
+
+setDescription : String -> ViewState -> ViewState
+setDescription newDescription viewState =
+    case viewState of
+        Form ({ formValues } as formState) ->
+            Form { formState | formValues = { formValues | description = newDescription } }
+
+        _ ->
+            viewState
+
+
+setName : String -> ViewState -> ViewState
+setName newName viewState =
+    case viewState of
+        Form formState ->
+            let
+                formVal =
+                    formState.formValues
+            in
+            Form { formState | formValues = { formVal | title = newName } }
+
+        _ ->
+            viewState
+
+
+formModified : ChangeRequestDetails -> ChangeRequestDetails -> Bool
+formModified initCR formCR =
+    not (initCR.title == formCR.title) || not (initCR.description == formCR.description)
+
+
+{-| In order to save the changes in the change request form, the form must have been modified
+_and_ the change request title mustn't be empty |
+-}
+canSaveChanges : ChangeRequestDetails -> ChangeRequestDetails -> Bool
+canSaveChanges initCR formCR =
+    formModified initCR formCR && not (String.isEmpty formCR.title)
+
+
+
+------------------------------
+-- VIEW --
+------------------------------
+
+
+view : Model -> Html Msg
+view model =
+    case model.viewState of
+        Form formState ->
+            let
+                canEdit =
+                    model.hasWriteRights
+            in
+            div
+                [ id "change-request-edit-form" ]
+                [ div
+                    [ class "col-lg-6 col-xs-12 pe-3 ps-3", id "detailsForm" ]
+                    [ form
+                        [ class "needs-validation", id "changeRequestEditForm" ]
+                        [ editCRName formState.formValues.title canEdit
+                        , div
+                            []
+                            [ label [] [ text "State" ]
+                            , roInputField formState.initValues.state
+                            ]
+                        , div []
+                            [ label [] [ text "ID" ]
+                            , roInputField (String.fromInt formState.formValues.id)
+                            ]
+                        , editCRDescription formState.formValues.description canEdit
+                        , div
+                            []
+                            [ saveButton formState.initValues formState.formValues canEdit ]
+                        ]
+                    ]
+                ]
+
+        NoView ->
+            errorView model "Change Request Id was not set."
+
+        ViewError errMsg ->
+            errorView model errMsg
+
+
+roInputField : String -> Html Msg
+roInputField content =
+    input
+        [ class "form-control col-xs-12"
+        , disabled True
+        , readonly True
+        , value content
+        ]
+        []
+
+
+editCRName : String -> Bool -> Html Msg
+editCRName crName writeRights =
+    let
+        inputClass =
+            if crName == "" then
+                "form-control col-xs-12 is-invalid"
+
+            else
+                "form-control col-xs-12"
+
+        attributes =
+            [ name "CRName"
+            , type_ "text"
+            , value crName
+            , id "CRNameLabel"
+            ]
+                ++ (if writeRights then
+                        [ class inputClass
+                        , required True
+                        , onInput FormInputName
+                        ]
+
+                    else
+                        [ class "form-control col-xs-12"
+                        , disabled True
+                        , readonly True
+                        ]
+                   )
+    in
+    div [ id "CRName" ]
+        [ div
+            [ class "row" ]
+            [ label
+                [ for "CRNameLabel", class "col-xs-12 form-label" ]
+                [ span [] [ text "Change request title" ] ]
+            , div
+                [ class "needs-validation" ]
+                [ input attributes []
+                , div
+                    [ class "invalid-feedback" ]
+                    [ text "The change request title cannot be empty." ]
+                ]
+            ]
+        ]
+
+
+editCRDescription : String -> Bool -> Html Msg
+editCRDescription crDescription writeRights =
+    let
+        inputClass =
+            "form-control col-xs-12"
+
+        attributes =
+            [ name "CRDescription"
+            , id "CRDescriptionLabel"
+            ]
+                ++ (if writeRights then
+                        [ maxlength 255
+                        , onInput FormInputDescription
+                        , class inputClass
+                        ]
+
+                    else
+                        [ class inputClass
+                        , disabled True
+                        , readonly True
+                        ]
+                   )
+    in
+    div
+        [ id "CRDescription" ]
+        [ div
+            [ class "row" ]
+            [ label
+                [ for "CRDescriptionLabel", class "col-xs-12" ]
+                [ span [ class "fw-normal" ] [ text "Description" ] ]
+            , div
+                [ class "col-xs-12" ]
+                [ textarea attributes [ text crDescription ]
+                ]
+            ]
+        ]
+
+
+saveButton : ChangeRequestDetails -> ChangeRequestDetails -> Bool -> Html Msg
+saveButton modelCR formCR writeRights =
+    if writeRights then
+        let
+            attrList =
+                [ value "Update"
+                , class "btn btn-default"
+                , type_ "button"
+                , onClick FormSubmit
+                , disabled <| not (canSaveChanges modelCR formCR)
+                ]
+        in
+        div [ id "CRSave" ]
+            [ input
+                attrList
+                [ text "Update" ]
+            ]
+
+    else
+        div [ id "CRSave" ] []
+
+
+errorView : Model -> String -> Html Msg
+errorView model errMsg =
+    div
+        [ style "padding" "40px"
+        , style "text-align" "center"
+        ]
+        [ h2 [] [ text "Change request id was not found" ]
+        , h3 [] [ text errMsg ]
+        , a [ href (changeRequestsPageUrl model) ] [ text "Back to change requests page" ]
+        ]
+
+
+
+------------------------------
+-- SUBSCRIPTIONS
+------------------------------
+
+
+subscriptions : Model -> Sub Msg
+subscriptions _ =
+    readUrl (\id -> GetChangeRequestIdFromUrl id)
diff --git a/change-validation/src/main/elm/sources/ChangeValidationSettings.elm b/change-validation/src/main/elm/sources/ChangeValidationSettings.elm
new file mode 100644
index 000000000..a294bd4b4
--- /dev/null
+++ b/change-validation/src/main/elm/sources/ChangeValidationSettings.elm
@@ -0,0 +1,101 @@
+module ChangeValidationSettings exposing (..)
+
+import ApiCalls exposing (getUsers, getValidateAllSetting)
+import Browser
+import DataTypes exposing (Msg(..), WorkflowUsersMsg)
+import Html exposing (Html, div)
+import SupervisedTargets exposing (getTargets)
+import View
+import WorkflowUsers
+
+
+
+------------------------------
+-- Init and main --
+------------------------------
+
+
+init : { contextPath : String, hasWriteRights : Bool } -> ( Model, Cmd Msg )
+init flags =
+    let
+        m =
+            initModel flags.contextPath flags.hasWriteRights
+    in
+    ( m, Cmd.batch [ getUsers m.workflowUsersModel, getValidateAllSetting m.workflowUsersModel, getTargets m.supervisedTargetsModel ] )
+
+
+main =
+    Browser.element
+        { init = init
+        , view = view
+        , update = update
+        , subscriptions = subscriptions
+        }
+
+
+initModel : String -> Bool -> Model
+initModel contextPath hasWriteRights =
+    { workflowUsersModel = WorkflowUsers.initModel contextPath hasWriteRights
+    , supervisedTargetsModel = SupervisedTargets.initModel contextPath
+    }
+
+
+
+------------------------------
+-- MODEL --
+------------------------------
+
+
+type alias Model =
+    { workflowUsersModel : DataTypes.Model
+    , supervisedTargetsModel : SupervisedTargets.Model
+    }
+
+
+
+------------------------------
+-- VIEW
+------------------------------
+
+
+view : Model -> Html Msg
+view model =
+    div []
+        [ View.view model.workflowUsersModel
+        , SupervisedTargets.view model.supervisedTargetsModel
+        ]
+
+
+
+------------------------------
+-- UPDATE
+------------------------------
+
+
+update : Msg -> Model -> ( Model, Cmd Msg )
+update msg model =
+    case msg of
+        WorkflowUsersMsg wuMsg ->
+            let
+                ( wuModel, wuCmd ) =
+                    WorkflowUsers.update wuMsg model.workflowUsersModel
+            in
+            ( { model | workflowUsersModel = wuModel }, wuCmd )
+
+        SupervisedTargetsMsg stMsg ->
+            let
+                ( stModel, stCmd ) =
+                    SupervisedTargets.update stMsg model.supervisedTargetsModel
+            in
+            ( { model | supervisedTargetsModel = stModel }, stCmd )
+
+
+
+------------------------------
+-- SUBSCRIPTIONS
+------------------------------
+
+
+subscriptions : Model -> Sub Msg
+subscriptions _ =
+    Sub.none
diff --git a/change-validation/src/main/elm/sources/DataTypes.elm b/change-validation/src/main/elm/sources/DataTypes.elm
index 916002150..29784cc40 100644
--- a/change-validation/src/main/elm/sources/DataTypes.elm
+++ b/change-validation/src/main/elm/sources/DataTypes.elm
@@ -4,56 +4,141 @@ import Http exposing (Error)
 import List exposing (map)
 import Result exposing (Result)
 
-type alias UserList = List User
-type alias Username = String
-type alias ApiMsg = String
+
+type alias UserList =
+    List User
+
+
+type alias Username =
+    String
+
+
+type alias ApiMsg =
+    String
+
 
 type EditMod
-  = On
-  | Off
+    = On
+    | Off
+
+
 
 {--
   Left  : validated users
   Right : unvalidated users
 --}
+
+
 type ColPos
-  = Left
-  | Right
+    = Left
+    | Right
+
 
 type alias User =
-  { username    : Username
-  , isValidated : Bool
-  , isInFile    : Bool
-  }
+    { username : Username
+    , isValidated : Bool
+    , isInFile : Bool
+    }
+
 
 type alias Model =
-  { contextPath      : String
-  , users            : UserList
-  , validatedUsers   : UserList
-  , unvalidatedUsers : UserList
-  , rightChecked     : List User
-  , leftChecked      : List User
-  , hasMoved         : List User -- Too track updates
-  , editMod          : EditMod
-  }
+    { contextPath : String
+    , editMod : EditMod
+    , workflowUsersView : WorkflowUsersView
+    , hasWriteRights : Bool
+    , validateAllView : ValidateAllView
+    }
+
+
+type alias WorkflowUsersForm =
+    { users : UserList
+    , validatedUsers : UserList
+    , unvalidatedUsers : UserList
+    , rightChecked : UserList
+    , leftChecked : UserList
+    , hasMoved : UserList -- To track updates
+    }
+
+
+type WorkflowUsersView
+    = WorkflowUsersInitView
+    | WorkflowUsers WorkflowUsersForm
+
+
+type UserListField
+    = Users
+    | ValidatedUsers
+    | UnvalidatedUsers
+    | RightChecked
+    | LeftChecked
+    | HasMoved
+
+
+type ValidateAllView
+    = ValidateAllInitView
+    | ValidateAll { initValues : FormState, formValues : FormState }
+
+
+type alias FormState =
+    { validateAll : Bool -- "enable_validate_all" setting
+    }
+
 
 getUsernames : UserList -> List Username
-getUsernames users = map .username users
+getUsernames users =
+    map .username users
+
+
+type WorkflowUsersMsg
+    = {--Messages for the "Workflow Users" table --}
+      {--API CALLS --}
+      GetUsers (Result Error UserList)
+    | RemoveUser (Result Error Username)
+    | SaveWorkflow (Result Error UserList)
+    | CallApi (Model -> Cmd Msg)
+      {--TABLE MANAGE CONTENT --}
+    | LeftToRight
+    | RightToLeft
+    | AddLeftChecked User Bool
+    | AddRightChecked User Bool
+    | CheckAll ColPos Bool
+      {--MOD MANAGEMENT --}
+    | SwitchMode
+    | ExitEditMod
+      {--Messages for the "Validate all changes" checkbox and button --}
+      {--API CALLS--}
+    | GetValidateAllSetting (Result Error Bool)
+    | SaveValidateAllSetting (Result Error Bool)
+      {--VIEW UPDATE--}
+    | ChangeValidateAllSetting Bool
+
 
 type Msg
-  =
-  {-- API CALLS --}
-  GetUsers (Result Error UserList)
-  | RemoveUser (Result Error Username)
-  | SaveWorkflow (Result Error UserList)
-  | CallApi (Model -> Cmd Msg)
-  {-- TABLE MANAGE CONTENT --}
-  | LeftToRight
-  | RightToLeft
-  | AddLeftChecked User Bool
-  | AddRightChecked User Bool
-  | CheckAll ColPos Bool
-  {-- MOD MANAGEMENT --}
-  | SwitchMode
-  | ExitEditMod
+    = WorkflowUsersMsg WorkflowUsersMsg
+    | SupervisedTargetsMsg SupervisedTargetsMsg
+
+
+type SupervisedTargetsMsg
+    = GetTargets (Result Error Category)
+    | SaveTargets (Result Error String) -- here the string is just the status message
+    | SendSave
+    | UpdateTarget Target
+
+
+type alias Target =
+    { id : String -- id
+    , name : String -- display name of the rule target
+    , description : String -- description
+    , supervised : Bool -- do you want to validate CR targeting that rule target
+    }
+
+
+type alias Category =
+    { name : String -- name of the category
+    , categories : Subcategories -- sub-categories
+    , targets : List Target -- targets in category
+    }
+
 
+type Subcategories
+    = Subcategories (List Category) -- needed because no recursive type alias support
diff --git a/change-validation/src/main/elm/sources/ErrorMessages.elm b/change-validation/src/main/elm/sources/ErrorMessages.elm
new file mode 100644
index 000000000..81fe1a4a3
--- /dev/null
+++ b/change-validation/src/main/elm/sources/ErrorMessages.elm
@@ -0,0 +1,26 @@
+module ErrorMessages exposing (..)
+
+import Http
+
+
+getErrorMessage : Http.Error -> String
+getErrorMessage e =
+    let
+        errMessage =
+            case e of
+                Http.BadStatus status ->
+                    "Code " ++ String.fromInt status
+
+                Http.BadUrl str ->
+                    "Invalid API url"
+
+                Http.Timeout ->
+                    "It took too long to get a response"
+
+                Http.NetworkError ->
+                    "Network error"
+
+                Http.BadBody c ->
+                    "Wrong content in request body" ++ c
+    in
+    errMessage
diff --git a/change-validation/src/main/elm/sources/Init.elm b/change-validation/src/main/elm/sources/Init.elm
deleted file mode 100644
index 428de21b4..000000000
--- a/change-validation/src/main/elm/sources/Init.elm
+++ /dev/null
@@ -1,49 +0,0 @@
-port module Init exposing (..)
-
-import DataTypes exposing (EditMod(..), Model, Msg(..))
-import Http
-
-------------------------------
--- PORTS
-------------------------------
-
-
-port successNotification : String -> Cmd msg
-port errorNotification : String -> Cmd msg
-
-
-
-------------------------------
--- SUBSCRIPTIONS
-------------------------------
-
-
-subscriptions : Model -> Sub Msg
-subscriptions _ =
-  Sub.none
-
-initModel : String -> Model
-initModel contextPath  =
-  Model contextPath [] [] [] [] [] [] Off
-
-getErrorMessage : Http.Error -> String
-getErrorMessage e =
-    let
-        errMessage =
-            case e of
-                Http.BadStatus status ->
-                    "Code " ++ String.fromInt status
-
-                Http.BadUrl str ->
-                    "Invalid API url"
-
-                Http.Timeout ->
-                    "It took too long to get a response"
-
-                Http.NetworkError ->
-                    "Network error"
-                Http.BadBody c->
-                  "Wrong content in request body" ++ c
-
-    in
-    errMessage
\ No newline at end of file
diff --git a/change-validation/src/main/elm/sources/JsonDecoders.elm b/change-validation/src/main/elm/sources/JsonDecoders.elm
index d53380b44..5eed72276 100644
--- a/change-validation/src/main/elm/sources/JsonDecoders.elm
+++ b/change-validation/src/main/elm/sources/JsonDecoders.elm
@@ -1,20 +1,32 @@
 module JsonDecoders exposing (..)
 
 import DataTypes exposing (ApiMsg, User, UserList, Username)
-import Json.Decode exposing (Decoder, at, bool, list, string, succeed)
+import Json.Decode exposing (Decoder, at, bool, field, list, string, succeed)
 import Json.Decode.Pipeline exposing (required)
 
+
 decodeUser : Decoder User
 decodeUser =
-  succeed User
-    |> required "username" string
-    |> required "isValidated" bool
-    |> required "userExists" bool
+    succeed User
+        |> required "username" string
+        |> required "isValidated" bool
+        |> required "userExists" bool
+
 
 decodeUserList : Decoder UserList
 decodeUserList =
-  at [ "data" ] (list decodeUser)
+    at [ "data" ] (list decodeUser)
+
 
 decodeApiDeleteUsername : Decoder Username
 decodeApiDeleteUsername =
-  at [ "data" ] string
+    at [ "data" ] string
+
+
+decodeSetting : String -> Decoder Bool
+decodeSetting fieldName =
+    let
+        decSetting =
+            field "settings" (field fieldName bool)
+    in
+    at [ "data" ] decSetting
diff --git a/change-validation/src/main/elm/sources/JsonEncoders.elm b/change-validation/src/main/elm/sources/JsonEncoders.elm
index d6cafb010..e5d415873 100644
--- a/change-validation/src/main/elm/sources/JsonEncoders.elm
+++ b/change-validation/src/main/elm/sources/JsonEncoders.elm
@@ -3,29 +3,39 @@ module JsonEncoders exposing (..)
 import DataTypes exposing (User, Username)
 import Json.Encode exposing (Value, bool, list, object, string)
 
-username : Username -> (String, Value)
+
+username : Username -> ( String, Value )
 username value =
-  ("username", string value)
+    ( "username", string value )
+
 
-isValidated : Bool -> (String, Value)
+isValidated : Bool -> ( String, Value )
 isValidated value =
-  ("isValidated", bool value)
+    ( "isValidated", bool value )
 
-isInFile : Bool -> (String, Value)
+
+isInFile : Bool -> ( String, Value )
 isInFile value =
-  ("userExists", bool value)
+    ( "userExists", bool value )
+
 
 encodeUser : User -> Value
 encodeUser userInfo =
-  object
-  [ username userInfo.username
-  , isValidated userInfo.isValidated
-  , isInFile userInfo.isInFile
-  ]
+    object
+        [ username userInfo.username
+        , isValidated userInfo.isValidated
+        , isInFile userInfo.isInFile
+        ]
+
 
 encodeUsernames : List Username -> Value
 encodeUsernames usernames =
-  object
-  [ ("action", string "addValidatedUsersList")
-  , ("validatedUsers", list (\s -> string s) usernames)
-  ]
+    object
+        [ ( "action", string "addValidatedUsersList" )
+        , ( "validatedUsers", list (\s -> string s) usernames )
+        ]
+
+
+encodeSetting : Bool -> Value
+encodeSetting value =
+    object [ ( "value", bool value ) ]
diff --git a/change-validation/src/main/elm/sources/Ports.elm b/change-validation/src/main/elm/sources/Ports.elm
new file mode 100644
index 000000000..4a0cc7a1d
--- /dev/null
+++ b/change-validation/src/main/elm/sources/Ports.elm
@@ -0,0 +1,14 @@
+port module Ports exposing (..)
+
+------------------------------
+-- PORTS
+------------------------------
+
+
+port successNotification : String -> Cmd msg
+
+
+port errorNotification : String -> Cmd msg
+
+
+port readUrl : (String -> msg) -> Sub msg
diff --git a/change-validation/src/main/elm/sources/SupervisedTargets.elm b/change-validation/src/main/elm/sources/SupervisedTargets.elm
index f9247984e..8a2dec062 100644
--- a/change-validation/src/main/elm/sources/SupervisedTargets.elm
+++ b/change-validation/src/main/elm/sources/SupervisedTargets.elm
@@ -1,27 +1,17 @@
-module SupervisedTargets exposing (Category, Model, Msg(..), Subcategories(..), Target, alphanumericRegex, decodeApiCategory, decodeApiSave, decodeCategory, decodeSubcategories, decodeTarget, displayCategory, displaySubcategories, displayTarget, encodeTargets, getSupervisedIds, getTargets, init, isAlphanumeric, main, saveTargets, subscriptions, update, updateTarget, view)
+module SupervisedTargets exposing (Model, alphanumericRegex, decodeApiCategory, decodeApiSave, decodeCategory, decodeSubcategories, decodeTarget, displayCategory, displaySubcategories, displayTarget, encodeTargets, getSupervisedIds, getTargets, initModel, isAlphanumeric, saveTargets, update, updateTarget, view)
 
+import DataTypes exposing (Category, Msg, Subcategories(..), SupervisedTargetsMsg(..), Target)
+import ErrorMessages exposing (getErrorMessage)
 import Html exposing (..)
-import Browser
-import Html.Attributes exposing (checked, class, type_)
+import Html.Attributes exposing (checked, class, id, type_)
 import Html.Events exposing (..)
 import Http exposing (..)
 import Json.Decode as D exposing (Decoder)
 import Json.Decode.Pipeline exposing (..)
 import Json.Encode as E
+import Ports exposing (errorNotification, successNotification)
 import Regex
 import String
-import Init exposing (errorNotification, successNotification, getErrorMessage)
-
-
-
-------------------------------
--- SUBSCRIPTIONS
-------------------------------
-
-
-subscriptions : Model -> Sub Msg
-subscriptions model =
-    Sub.none
 
 
 
@@ -30,24 +20,9 @@ subscriptions model =
 ------------------------------
 
 
-init : { contextPath : String } -> ( Model, Cmd Msg )
-init flags =
-    let
-        initModel =
-            Model flags.contextPath (Category "waiting for server data..." (Subcategories []) [])
-    in
-    ( initModel
-    , getTargets initModel
-    )
-
-
-main =
-    Browser.element
-        { init = init
-        , view = view
-        , update = update
-        , subscriptions = subscriptions
-        }
+initModel : String -> Model
+initModel contextPath =
+    Model contextPath (Category "waiting for server data..." (Subcategories []) [])
 
 
 
@@ -56,40 +31,14 @@ main =
 ------------------------------
 
 
-type alias Target =
-    { id : String -- id
-    , name : String -- display name of the rule target
-    , description : String -- description
-    , supervised : Bool -- do you want to validate CR targeting that rule target
-    }
-
-
-type alias Category =
-    { name : String -- name of the category
-    , categories : Subcategories -- sub-categories
-    , targets : List Target -- targets in category
-    }
-
-
-type Subcategories
-    = Subcategories (List Category) -- needed because no recursive type alias support
-
-
 type alias Model =
     { contextPath : String
     , allTargets : Category -- from API
     }
 
 
-type Msg
-    = GetTargets (Result Error Category)
-    | SaveTargets (Result Error String) -- here the string is just the status message
-    | SendSave
-    | UpdateTarget Target
-      -- NOTIFICATIONS
-
-
 
+-- NOTIFICATIONS
 ------------------------------
 -- API --
 ------------------------------
@@ -108,15 +57,15 @@ getTargets model =
         req =
             request
                 { method = "GET"
-                , headers = [Http.header "X-Requested-With" "XMLHttpRequest"]
+                , headers = [ Http.header "X-Requested-With" "XMLHttpRequest" ]
                 , url = url
                 , body = emptyBody
-                , expect = expectJson GetTargets decodeApiCategory
+                , expect = expectJson (DataTypes.SupervisedTargetsMsg << GetTargets) decodeApiCategory
                 , timeout = Nothing
                 , tracker = Nothing
                 }
     in
-      req
+    req
 
 
 
@@ -129,10 +78,10 @@ saveTargets model =
         req =
             request
                 { method = "POST"
-                , headers = [Http.header "X-Requested-With" "XMLHttpRequest"]
+                , headers = [ Http.header "X-Requested-With" "XMLHttpRequest" ]
                 , url = model.contextPath ++ "/secure/api/changevalidation/supervised/targets"
                 , body = jsonBody (encodeTargets (getSupervisedIds model.allTargets))
-                , expect = expectJson SaveTargets decodeApiSave
+                , expect = expectJson (SaveTargets >> DataTypes.SupervisedTargetsMsg) decodeApiSave
                 , timeout = Nothing
                 , tracker = Nothing
                 }
@@ -210,7 +159,7 @@ decodeTarget =
 
 encodeTargets : List String -> E.Value
 encodeTargets targets =
-    E.object [ ( "supervised", E.list  (\s -> E.string s) targets ) ]
+    E.object [ ( "supervised", E.list (\s -> E.string s) targets ) ]
 
 
 
@@ -219,7 +168,7 @@ encodeTargets targets =
 ------------------------------
 
 
-update : Msg -> Model -> ( Model, Cmd Msg )
+update : SupervisedTargetsMsg -> Model -> ( Model, Cmd Msg )
 update msg model =
     case msg of
         {--Api Calls message --}
@@ -289,13 +238,52 @@ updateTarget target cat =
 
 view : Model -> Html Msg
 view model =
-    div []
-        [ div [ class "row" ]
-            [ div [ class "col-xs-12" ]
-                [ displayCategory model.allTargets
-                , div [ class "card-footer" ] [ button [ onClick SendSave, class "btn btn-success right" ] [ text "Save" ] ]
+    div [ id "supervisedTargets" ]
+        [ h3 [ class "page-subtitle" ]
+            [ text "Configure groups with change validations" ]
+        , div [ class "section-with-doc" ]
+            [ div [ class "section-left" ]
+                [ div [ id "supervised-targets-app" ]
+                    [ div [ id "list-groups-change-validation" ]
+                        [ div [ class "row" ]
+                            [ div [ class "col-xs-12" ]
+                                [ displayCategory model.allTargets
+                                , div [ class "card-footer" ] [ button [ onClick (SendSave |> DataTypes.SupervisedTargetsMsg), class "btn btn-success right" ] [ text "Save" ] ]
+                                ]
+                            ]
+                        ]
+                    ]
                 ]
+            , supervisedTargetsInfoSection
+            ]
+        ]
+
+
+supervisedTargetsInfoSection : Html Msg
+supervisedTargetsInfoSection =
+    createRightInfoSection
+        [ p []
+            [ text " Change validation are enable for "
+            , b [] [ text "any" ]
+            , text " change that would impact a node belonging to one of the chosen groups below. Be careful: a change on one another group "
+            ]
+        , p [] [ text " The supervised changes are: " ]
+        , ul []
+            [ li [] [ text "any change in a global parameter, as these changes can have side effects spreading technique code," ]
+            , li [] [ text "any modification in one of the supervised groups," ]
+            , li [] [ text "any change in a rule which targets a node which belong to a group marked as supervised, " ]
+            , li [] [ text "any change in a directive used in one of the previous rules." ]
             ]
+        , p [] []
+        , p [] [ text " Changes in techniques are not subjected to change validation, nor are changes resulting from an archive import. " ]
+        ]
+
+
+createRightInfoSection : List (Html Msg) -> Html Msg
+createRightInfoSection contents =
+    div [ class "section-right" ]
+        [ div [ class "doc doc-info" ]
+            (div [ class "marker" ] [ span [ class "fa fa-info-circle" ] [] ] :: contents)
         ]
 
 
@@ -359,15 +347,16 @@ displayTarget target =
                 [ input
                     [ type_ "checkbox"
                     , checked target.supervised
-                    , onClick (UpdateTarget { target | supervised = not target.supervised })
+                    , onClick (DataTypes.SupervisedTargetsMsg (UpdateTarget { target | supervised = not target.supervised }))
                     ]
                     []
-                , span [ class "ion ion-checkmark-round" ] []
+                , span [ class "fa fa-check" ] []
                 ]
             ]
         ]
 
 
+
 ------------------------------
 -- HELPERS
 ------------------------------
diff --git a/change-validation/src/main/elm/sources/View.elm b/change-validation/src/main/elm/sources/View.elm
index 257081fa0..41c2ef55f 100644
--- a/change-validation/src/main/elm/sources/View.elm
+++ b/change-validation/src/main/elm/sources/View.elm
@@ -1,99 +1,127 @@
 module View exposing (..)
 
-import ApiCalls exposing (getUsers, saveWorkflow)
-import DataTypes exposing (ColPos(..), EditMod(..), Model, Msg(..), User, UserList, Username, getUsernames)
+import ApiCalls exposing (getUsers, saveValidateAllSetting, saveWorkflow)
+import DataTypes exposing (ColPos(..), EditMod(..), Model, Msg(..), User, UserList, Username, ValidateAllView(..), WorkflowUsersForm, WorkflowUsersMsg(..), WorkflowUsersView(..), getUsernames)
 import Html exposing (..)
-import Html.Attributes exposing (attribute, checked, class, disabled, id, style, type_, value)
+import Html.Attributes exposing (attribute, checked, class, disabled, for, id, style, type_, value)
 import Html.Events exposing (onCheck, onClick)
 import List exposing (isEmpty, length, member)
 import String exposing (fromInt)
 
-createInfoTootlip : String -> String -> Html msg
+
+type alias WorkflowUsersMsg =
+    DataTypes.WorkflowUsersMsg
+
+
+createInfoTootlip : String -> String -> Html Msg
 createInfoTootlip content placement =
-  span
-  [
-      class "fa fa-exclamation-triangle center-box-element input-icon bstool"
-    , attribute "data-bs-toggle" "tooltip"
-    , attribute "data-bs-placement" placement
-    , attribute "title" content
-  ][]
+    span
+        [ class "fa fa-exclamation-triangle center-box-element input-icon bstool"
+        , attribute "data-bs-toggle" "tooltip"
+        , attribute "data-bs-placement" placement
+        , attribute "title" content
+        ]
+        []
+
+
+createRightInfoSectionParagraphs : List String -> Html Msg
+createRightInfoSectionParagraphs paragraphs =
+    let
+        paragraphElements =
+            List.map (\paragraphContent -> p [] [ text paragraphContent ]) paragraphs
+    in
+    div [ class "section-right" ]
+        [ div [ class "doc doc-info" ]
+            ([ div [ class "marker" ] [ span [ class "fa fa-info-circle" ] [] ] ] ++ paragraphElements)
+        ]
+
+
 
 -- Displayed nb items and nb selected items when edition mod is On
-displayFooter: Model -> ColPos -> Html Msg
-displayFooter model pos =
-  let
-    isChecked =
-      case pos of
-        Left ->
-          (length model.leftChecked == length model.validatedUsers) && not (isEmpty model.leftChecked)
-        Right ->
-          (length model.rightChecked == length model.unvalidatedUsers) && not (isEmpty model.rightChecked)
-  in
-    div [class "box-footer"]
-    [
-      label [class "all-items"]
-      [
-        input
-        [
-            class ""
-          , onCheck (\checkStatus-> CheckAll pos checkStatus)
-          , type_ "checkbox"
-          , value
-          (
-            case pos of
-              Left ->
-                 fromInt (length model.validatedUsers)
-              Right ->
-                 fromInt (length model.unvalidatedUsers)
-          )
-          , checked  (isChecked)
-          , disabled
-          (
+
+
+displayFooter : WorkflowUsersForm -> ColPos -> Html Msg
+displayFooter workflowUsersForm pos =
+    let
+        isChecked =
             case pos of
-              Left ->
-                isEmpty model.validatedUsers
-              Right ->
-                isEmpty model.unvalidatedUsers
-          )
-        ] []
-      ],
-      div [id "nb-items", class "footer-infos nb-items"]
-      [
-        case pos of
-          Left -> text (( fromInt (length model.validatedUsers)) ++ " Items")
-          Right ->  text (( fromInt (length model.unvalidatedUsers)) ++ " Items")
-      ],
-      div [id "nb-selected", class "footer-infos"]
-      [
-        case pos of
-          Left ->
-            if (length model.leftChecked == length model.validatedUsers) && (not (isEmpty model.leftChecked)) then
-              text "All Selected"
-            else
-              text ((fromInt (length model.leftChecked)) ++ " Selected")
-          Right ->
-            if (length model.rightChecked == length model.unvalidatedUsers) && (not (isEmpty model.rightChecked)) then
-              text "All Selected"
-            else
-              text ((fromInt (length model.rightChecked)) ++ " Selected")
-      ]
-    ]
+                Left ->
+                    (length workflowUsersForm.leftChecked == length workflowUsersForm.validatedUsers) && not (isEmpty workflowUsersForm.leftChecked)
+
+                Right ->
+                    (length workflowUsersForm.rightChecked == length workflowUsersForm.unvalidatedUsers) && not (isEmpty workflowUsersForm.rightChecked)
+    in
+    div [ class "box-footer" ]
+        [ label [ class "all-items" ]
+            [ input
+                [ class ""
+                , onCheck (\checkStatus -> WorkflowUsersMsg (CheckAll pos checkStatus))
+                , type_ "checkbox"
+                , value
+                    (case pos of
+                        Left ->
+                            fromInt (length workflowUsersForm.validatedUsers)
+
+                        Right ->
+                            fromInt (length workflowUsersForm.unvalidatedUsers)
+                    )
+                , checked isChecked
+                , disabled
+                    (case pos of
+                        Left ->
+                            isEmpty workflowUsersForm.validatedUsers
+
+                        Right ->
+                            isEmpty workflowUsersForm.unvalidatedUsers
+                    )
+                ]
+                []
+            ]
+        , div [ id "nb-items", class "footer-infos nb-items" ]
+            [ case pos of
+                Left ->
+                    text (fromInt (length workflowUsersForm.validatedUsers) ++ " Items")
+
+                Right ->
+                    text (fromInt (length workflowUsersForm.unvalidatedUsers) ++ " Items")
+            ]
+        , div [ id "nb-selected", class "footer-infos" ]
+            [ case pos of
+                Left ->
+                    if (length workflowUsersForm.leftChecked == length workflowUsersForm.validatedUsers) && not (isEmpty workflowUsersForm.leftChecked) then
+                        text "All Selected"
+
+                    else
+                        text (fromInt (length workflowUsersForm.leftChecked) ++ " Selected")
+
+                Right ->
+                    if (length workflowUsersForm.rightChecked == length workflowUsersForm.unvalidatedUsers) && not (isEmpty workflowUsersForm.rightChecked) then
+                        text "All Selected"
+
+                    else
+                        text (fromInt (length workflowUsersForm.rightChecked) ++ " Selected")
+            ]
+        ]
+
+
 
 {--
   The box containing all users in the system who are not validated
   Displayed when edition mod is On
 --}
-displayRightCol : Model -> Html Msg
-displayRightCol model =
-  div [ class "box-users-container"]
-  [
-    h5 [ class "box-header" ] [ b [][ text "Users" ]],
-    div  [ class "box-users-content" ]
-    [
-      renderUsers  model.unvalidatedUsers Right model
-    ],
-    displayFooter model Right
-  ]
+
+
+displayRightCol : WorkflowUsersForm -> EditMod -> Html Msg
+displayRightCol workflowUsersForm editMod =
+    div [ class "box-users-container" ]
+        [ h5 [ class "box-header" ] [ b [] [ text "Users" ] ]
+        , div [ class "box-users-content" ]
+            [ renderUsers workflowUsersForm.unvalidatedUsers Right editMod workflowUsersForm
+            ]
+        , displayFooter workflowUsersForm Right
+        ]
+
+
 
 {--
   Helper function to display individual user's row
@@ -105,105 +133,131 @@ displayRightCol model =
 
   On edition mod "On" interactions are activated
 --}
-renderUserHelper : User -> ColPos -> Model -> Html Msg
-renderUserHelper user pos model =
-  let
-    isEditActivate = if model.editMod == On then True else False
-    sideChecked =
-      case pos of
-        Left -> AddLeftChecked user ( not (member user model.leftChecked))
-        Right -> AddRightChecked user (  not (member user model.rightChecked))
-    isChecked =
-      case pos of
-        Left -> member user model.leftChecked
-        Right -> member user model.rightChecked
-    content =
-      li[ class "li-box-content-user" ]
-      [
-        label [ style "vertical-align" "middle", style "display" "inline-block" ]
-        [
-          if isEditActivate then
-            input
-            [
-              class "box-input-element center-box-element"
-            , type_ "checkbox"
-            , value user.username
-            , checked isChecked
-            ] []
-          else
-            div [class "box-input-element center-box-element"] []
-        ]
-        , div[ class "center-box-element" ][ text <| user.username ],
-          if not user.isInFile then
-            createInfoTootlip
-            """
+
+
+renderUserHelper : User -> ColPos -> EditMod -> WorkflowUsersForm -> Html Msg
+renderUserHelper user pos editMod workflowUsersForm =
+    let
+        isEditActivate =
+            if editMod == On then
+                True
+
+            else
+                False
+
+        sideChecked =
+            case pos of
+                Left ->
+                    WorkflowUsersMsg (AddLeftChecked user (not (member user workflowUsersForm.leftChecked)))
+
+                Right ->
+                    WorkflowUsersMsg (AddRightChecked user (not (member user workflowUsersForm.rightChecked)))
+
+        isChecked =
+            case pos of
+                Left ->
+                    member user workflowUsersForm.leftChecked
+
+                Right ->
+                    member user workflowUsersForm.rightChecked
+
+        content =
+            li [ class "li-box-content-user" ]
+                [ label [ style "vertical-align" "middle", style "display" "inline-block" ]
+                    [ if isEditActivate then
+                        input
+                            [ class "box-input-element center-box-element"
+                            , type_ "checkbox"
+                            , value user.username
+                            , checked isChecked
+                            ]
+                            []
+
+                      else
+                        div [ class "box-input-element center-box-element" ] []
+                    ]
+                , div [ class "center-box-element" ] [ text <| user.username ]
+                , if not user.isInFile then
+                    createInfoTootlip
+                        """
             The user <b> doesn't exist anymore </b> but they are still a validated user, delete them by removing them from the validated users.
             """
-             "auto"
-          else
-            div [][]
-      ]
-  in
+                        "auto"
+
+                  else
+                    div [] []
+                ]
+    in
     if isEditActivate then
-      if member user model.hasMoved then
-        if isChecked  then
-          div [class "users moved-checked", onClick sideChecked ] [ content ]
-        else
-          div [ id "moved-user", class "users-clickable", onClick sideChecked ] [ content ]
-      else if user.isInFile then
-        if isChecked then
-          div [class "users normal-checked", onClick sideChecked ] [ content ]
-        else
-          div [ id "normal-user", class "users-clickable", onClick sideChecked ] [ content ]
-      else
-        if isChecked then
-          div [class "users not-in-file-checked", onClick sideChecked ] [ content ]
+        if member user workflowUsersForm.hasMoved then
+            if isChecked then
+                div [ class "users moved-checked", onClick sideChecked ] [ content ]
+
+            else
+                div [ id "moved-user", class "users-clickable", onClick sideChecked ] [ content ]
+
+        else if user.isInFile then
+            if isChecked then
+                div [ class "users normal-checked", onClick sideChecked ] [ content ]
+
+            else
+                div [ id "normal-user", class "users-clickable", onClick sideChecked ] [ content ]
+
+        else if isChecked then
+            div [ class "users not-in-file-checked", onClick sideChecked ] [ content ]
+
         else
-          div [ id "not-in-file-user", class "users-clickable", onClick sideChecked ] [ content ]
-    -- deactivate the ability to select users in edition mod "Off"
+            div [ id "not-in-file-user", class "users-clickable", onClick sideChecked ] [ content ]
+        -- deactivate the ability to select users in edition mod "Off"
+
+    else if user.isInFile then
+        div [ id "normal-user", class "users" ] [ content ]
+
     else
-      if user.isInFile then
-        div [ id "normal-user", class "users"] [ content ]
-      else
-        div [ id "not-in-file-user", class "users"] [ content ]
+        div [ id "not-in-file-user", class "users" ] [ content ]
+
+
 
 {--
   Display all users according to the box they belong
       Left  -> validated
       Right -> unvalidated
 --}
-renderUsers : UserList -> ColPos -> Model -> Html Msg
-renderUsers users pos model =
-  ul [ ] (List.map (\u -> renderUserHelper u pos model) users)
-
-
-displayArrows : Model -> Html Msg
-displayArrows model =
-  let
-    leftArrowBtnType  =
-      if (isEmpty model.rightChecked) then
-        "btn btn-sm move-left btn-default"
-      else
-        "btn btn-sm move-left btn-primary"
-    rightArrowBtnType =
-      if (isEmpty model.leftChecked) then
-        "btn btn-sm move-right btn-default"
-      else
-        "btn btn-sm move-right btn-primary"
-  in
-    div [ class "list-arrows arrows-validation"]
-      [
-        button [ onClick LeftToRight, class rightArrowBtnType, disabled (isEmpty model.leftChecked) ]
-        [
-          span [ class "fa fa-chevron-right" ][]
-        ],
-        br [] [],
-        br [] [],
-        button [ onClick RightToLeft,class leftArrowBtnType, disabled (isEmpty model.rightChecked)]
-        [
-          span [ class "fa fa-chevron-left" ] []
+
+
+renderUsers : UserList -> ColPos -> EditMod -> WorkflowUsersForm -> Html Msg
+renderUsers users pos editMod workflowUsersForm =
+    ul [] (List.map (\u -> renderUserHelper u pos editMod workflowUsersForm) users)
+
+
+displayArrows : WorkflowUsersForm -> Html Msg
+displayArrows workflowUsersForm =
+    let
+        leftArrowBtnType =
+            if isEmpty workflowUsersForm.rightChecked then
+                "btn btn-sm move-left btn-default"
+
+            else
+                "btn btn-sm move-left btn-primary"
+
+        rightArrowBtnType =
+            if isEmpty workflowUsersForm.leftChecked then
+                "btn btn-sm move-right btn-default"
+
+            else
+                "btn btn-sm move-right btn-primary"
+    in
+    div [ class "list-arrows arrows-validation" ]
+        [ button [ onClick (LeftToRight |> WorkflowUsersMsg), class rightArrowBtnType, disabled (isEmpty workflowUsersForm.leftChecked) ]
+            [ span [ class "fa fa-chevron-right" ] []
+            ]
+        , br [] []
+        , br [] []
+        , button [ onClick (RightToLeft |> WorkflowUsersMsg), class leftArrowBtnType, disabled (isEmpty workflowUsersForm.rightChecked) ]
+            [ span [ class "fa fa-chevron-left" ] []
+            ]
         ]
-      ]
+
 
 
 {--
@@ -214,96 +268,187 @@ displayArrows model =
 
   The footer is displayed only in edition mod
 --}
-displayLeftCol : Model -> Html Msg
-displayLeftCol model =
-  let
-    cancelType =
-        if model.editMod == On && (isEmpty model.hasMoved) then
-          ExitEditMod
-        else
-          CallApi getUsers
-    actnBtnIfModif =
-      if model.editMod == Off then
-        div [] []
-      else
-        div []
-        [
-          button
-          [
-            id "cancel-workflow"
-          , class "btn btn-default btn-action-workflow"
-          , onClick cancelType
-          , type_ "button"
-          ] [text <| if cancelType == ExitEditMod then "Exit" else "Cancel"]
-          ,
-          if not (isEmpty model.hasMoved) then
-            button
-            [
-              id "save-workflow "
-            , class "btn btn-success btn-action-workflow"
-            , onClick (CallApi (saveWorkflow (getUsernames model.validatedUsers)))
-            , type_ "button"
-            ] [text <| "Save"]
-          else
-            div [] []
-        ]
-  in
+
+
+displayLeftCol : WorkflowUsersForm -> EditMod -> Html Msg
+displayLeftCol workflowUsersForm editMod =
+    let
+        cancelType =
+            if editMod == On && isEmpty workflowUsersForm.hasMoved then
+                ExitEditMod |> WorkflowUsersMsg
+
+            else
+                CallApi getUsers |> WorkflowUsersMsg
+
+        actnBtnIfModif =
+            if editMod == Off then
+                div [] []
+
+            else
+                div []
+                    [ button
+                        [ id "cancel-workflow"
+                        , class "btn btn-default btn-action-workflow"
+                        , onClick cancelType
+                        , type_ "button"
+                        ]
+                        [ text <|
+                            if cancelType == (ExitEditMod |> WorkflowUsersMsg) then
+                                "Exit"
+
+                            else
+                                "Cancel"
+                        ]
+                    , if not (isEmpty workflowUsersForm.hasMoved) then
+                        button
+                            [ id "save-workflow "
+                            , class "btn btn-success btn-action-workflow"
+                            , onClick (CallApi (saveWorkflow (getUsernames workflowUsersForm.validatedUsers)) |> WorkflowUsersMsg)
+                            , type_ "button"
+                            ]
+                            [ text <| "Save" ]
+
+                      else
+                        div [] []
+                    ]
+    in
     div []
-    [
-      div [ class "box-users-container "]
-      [
-        h5 [class "box-header"] [ b [][text "Validated users"]],
-        div  [class "box-users-content"]
-        [
-          if isEmpty model.validatedUsers then
-            div [style "text-align" "center"]
-            [
-              if model.editMod == Off then
-                i [class "fa fa-user-times empty-validated-user", style "margin-bottom" "10px"]
-                [
-                  br [][],
-                  p [class "empty-box-msg"] [text "No validated users found"]
+        [ div [ class "box-users-container " ]
+            [ h5 [ class "box-header" ] [ b [] [ text "Validated users" ] ]
+            , div [ class "box-users-content" ]
+                [ if isEmpty workflowUsersForm.validatedUsers then
+                    div [ style "text-align" "center" ]
+                        [ if editMod == Off then
+                            i [ class "fa fa-user-times empty-validated-user", style "margin-bottom" "10px" ]
+                                [ br [] []
+                                , p [ class "empty-box-msg" ] [ text "No validated users found" ]
+                                ]
+
+                          else
+                            div [] []
+                        ]
+
+                  else
+                    renderUsers workflowUsersForm.validatedUsers Left editMod workflowUsersForm
                 ]
-                else
-                  div [] []
+            , case editMod of
+                On ->
+                    div [] []
+
+                Off ->
+                    div [ class "circle-edit", onClick (SwitchMode |> WorkflowUsersMsg) ]
+                        [ i [ class "edit-icon-validated-user fa fa-pencil", style "margin" "0" ] []
+                        ]
             ]
-          else
-           renderUsers model.validatedUsers Left model
-        ],
-        case model.editMod of
-          On ->
-            div [] []
-          Off ->
-            div [class "circle-edit", onClick SwitchMode]
-            [
-              i [class "edit-icon-validated-user fa fa-pencil", style "margin" "0"] []
+        , case editMod of
+            On ->
+                displayFooter workflowUsersForm Left
+
+            Off ->
+                div [] []
+        , div [ class "action-button-container" ]
+            [ actnBtnIfModif
             ]
-      ],
-      case model.editMod of
-        On -> displayFooter model Left
-        Off -> div [][]
-      ,
-      div [class "action-button-container"]
-      [
-        actnBtnIfModif
-      ]
-    ]
+        ]
+
 
 view : Model -> Html Msg
 view model =
-  div []
-  [
-    case model.editMod of
-      On ->
-        div [class "inner-portlet" ,style "display" "flex", style "justify-content" "center"]
-        [
-          displayLeftCol model
-        , displayArrows model
-        , displayRightCol model
-        ]
-      Off ->
-        div [class "inner-portlet" ,style "display" "flex", style "justify-content" "center"]
-        [
-          displayLeftCol model
-        ]
-  ]
\ No newline at end of file
+    let
+        validateAllForm =
+            if model.hasWriteRights then
+                [ Html.br [] [], displayValidateAllForm model ]
+
+            else
+                []
+    in
+    let
+        workflowUsers =
+            case model.workflowUsersView of
+                WorkflowUsersInitView ->
+                    text ""
+
+                WorkflowUsers workflowUsersForm ->
+                    div [ class "section-with-doc" ]
+                        [ div [ class "section-left" ]
+                            [ div
+                                []
+                                [ case model.editMod of
+                                    On ->
+                                        div [ class "inner-portlet", style "display" "flex", style "justify-content" "center", id "workflowUsers" ]
+                                            [ displayLeftCol workflowUsersForm On
+                                            , displayArrows workflowUsersForm
+                                            , displayRightCol workflowUsersForm On
+                                            ]
+
+                                    Off ->
+                                        div [ class "inner-portlet", style "display" "flex", style "justify-content" "center" ]
+                                            [ displayLeftCol workflowUsersForm Off
+                                            ]
+                                ]
+                            ]
+                        , createRightInfoSectionParagraphs
+                            [ " Any modification made by a validated user will be automatically deployed, "
+                                ++ "without needing to be validated by another user first. "
+                            ]
+                        ]
+    in
+    div
+        [ id "workflowUsers" ]
+        (workflowUsers :: validateAllForm)
+
+
+displayValidateAllForm : Model -> Html Msg
+displayValidateAllForm model =
+    case model.validateAllView of
+        ValidateAll formState ->
+            div
+                [ class "section-with-doc" ]
+                [ div [ class "section-left" ]
+                    [ form []
+                        [ ul []
+                            [ li
+                                [ class "rudder-form" ]
+                                [ div [ class "input-group" ]
+                                    [ label
+                                        [ class "input-group-addon"
+                                        , for "validationAutoValidatedUser"
+                                        ]
+                                        [ input
+                                            [ type_ "checkbox"
+                                            , id "validationAutoValidatedUser"
+                                            , checked formState.formValues.validateAll
+                                            , onClick (WorkflowUsersMsg (ChangeValidateAllSetting (not formState.formValues.validateAll)))
+                                            ]
+                                            []
+                                        , label
+                                            [ for "validationAutoValidatedUser", class "label-radio" ]
+                                            [ span [ class "fa fa-check" ] [] ]
+                                        , span [ class "fa fa-check check-icon" ] []
+                                        ]
+                                    , label
+                                        [ class "form-control", for "validationAutoValidatedUser" ]
+                                        [ text " Validate all changes " ]
+                                    ]
+                                ]
+                            ]
+                        , input
+                            [ type_ "button"
+                            , value "Save change"
+                            , id "validationAutoSubmit"
+                            , class "btn btn-default"
+                            , disabled (formState.formValues.validateAll == formState.initValues.validateAll)
+                            , onClick (WorkflowUsersMsg (CallApi (saveValidateAllSetting formState.formValues.validateAll)))
+                            ]
+                            []
+                        ]
+                    ]
+                , createRightInfoSectionParagraphs
+                    [ " Any modification made by a validated user will be automatically approved no matter the nature of the change. "
+                    , " Hence, configuring the groups below will have no effect on validated users (in the list above), but will apply"
+                        ++ " to non-validated users, who will still need to create a change request in order to modify a node from a supervised group. "
+                    ]
+                ]
+
+        _ ->
+            text ""
diff --git a/change-validation/src/main/elm/sources/WorkflowInformation.elm b/change-validation/src/main/elm/sources/WorkflowInformation.elm
new file mode 100644
index 000000000..12f8aa632
--- /dev/null
+++ b/change-validation/src/main/elm/sources/WorkflowInformation.elm
@@ -0,0 +1,314 @@
+module WorkflowInformation exposing (..)
+
+import Browser
+import ErrorMessages exposing (getErrorMessage)
+import Html exposing (Html, a, i, li, span, text, ul)
+import Html.Attributes as Attr
+import Http exposing (Error, emptyBody, expectJson, header, request)
+import Json.Decode exposing (Decoder, at, bool, field, index, int, list, map2, maybe)
+import Ports exposing (errorNotification)
+
+
+
+------------------------------
+-- Init and main --
+------------------------------
+
+
+getApiUrl : Model -> String -> String
+getApiUrl m url =
+    m.contextPath ++ "/secure/api/" ++ url
+
+
+getPendingValidationUrl : Model -> String
+getPendingValidationUrl m =
+    m.contextPath ++ "/secure/configurationManager/changes/changeRequests/Pending_validation"
+
+
+getPendingDeploymentUrl : Model -> String
+getPendingDeploymentUrl m =
+    m.contextPath ++ "/secure/configurationManager/changes/changeRequests/Pending_deployment"
+
+
+init : { contextPath : String } -> ( Model, Cmd Msg )
+init flags =
+    let
+        initModel =
+            Model flags.contextPath NotSet
+    in
+    ( initModel, getWorkflowEnabledSetting initModel )
+
+
+main =
+    Browser.element
+        { init = init
+        , view = view
+        , update = update
+        , subscriptions = subscriptions
+        }
+
+
+
+------------------------------
+-- MODEL --
+------------------------------
+
+
+type alias PendingCount =
+    { pendingValidation : Maybe Int
+    , pendingDeployment : Maybe Int
+    , totalCount : Int
+    }
+
+
+type PendingCountOpt
+    = NotSet
+    | PendingCountWithTotal PendingCount
+
+
+type WorkflowInfoStatus
+    = Enabled
+    | Disabled
+
+
+type alias Model =
+    { contextPath : String
+    , pendingCount : PendingCountOpt
+    }
+
+
+type Msg
+    = GetPendingCount (Result Error PendingCountOpt)
+    | GetWorkflowEnabledSetting (Result Error WorkflowInfoStatus)
+
+
+
+------------------------------
+-- API --
+------------------------------
+-- API call to get the number of pending change request for each respective "pending" status
+
+
+getPendingCount : Model -> Cmd Msg
+getPendingCount model =
+    let
+        req =
+            request
+                { method = "GET"
+                , headers = [ header "X-Requested-With" "XMLHttpRequest" ]
+                , url = getApiUrl model "changevalidation/workflow/pendingCountByStatus"
+                , body = emptyBody
+                , expect = expectJson GetPendingCount decodePendingCountList
+                , timeout = Nothing
+                , tracker = Nothing
+                }
+    in
+    req
+
+
+getWorkflowEnabledSetting : Model -> Cmd Msg
+getWorkflowEnabledSetting model =
+    let
+        req =
+            request
+                { method = "GET"
+                , headers = [ header "X-Requested-With" "XMLHttpRequest" ]
+                , url = getApiUrl model "settings/enable_change_request"
+                , body = emptyBody
+                , expect = expectJson GetWorkflowEnabledSetting decodeEnabledSetting
+                , timeout = Nothing
+                , tracker = Nothing
+                }
+    in
+    req
+
+
+
+------------------------------
+-- ENCODE / DECODE JSON --
+------------------------------
+
+
+pendingCountOpt : Maybe Int -> Maybe Int -> PendingCountOpt
+pendingCountOpt pendingValidation pendingDeployment =
+    case ( pendingValidation, pendingDeployment ) of
+        ( Nothing, Nothing ) ->
+            NotSet
+
+        -- At least one field (pendingValidation and/or pendingDeployment) is not equal to Nothing
+        ( _, _ ) ->
+            PendingCountWithTotal
+                { pendingDeployment = pendingDeployment
+                , pendingValidation = pendingValidation
+                , totalCount = Maybe.withDefault 0 pendingValidation + Maybe.withDefault 0 pendingDeployment
+                }
+
+
+decodePendingCountOpt : Decoder PendingCountOpt
+decodePendingCountOpt =
+    map2
+        pendingCountOpt
+        (maybe (field "pendingValidation" int))
+        (maybe (field "pendingDeployment" int))
+
+
+decodePendingCountList : Decoder PendingCountOpt
+decodePendingCountList =
+    at [ "data" ] (field "workflow" (index 0 decodePendingCountOpt))
+
+
+decodeEnabledSetting : Decoder WorkflowInfoStatus
+decodeEnabledSetting =
+    let
+        boolToStatus b =
+            case b of
+                True ->
+                    Enabled
+
+                False ->
+                    Disabled
+    in
+    let
+        decSetting =
+            field "settings" (field "enable_change_request" (Json.Decode.map boolToStatus bool))
+    in
+    at [ "data" ] decSetting
+
+
+
+------------------------------
+-- UPDATE --
+------------------------------
+
+
+update : Msg -> Model -> ( Model, Cmd Msg )
+update msg model =
+    case msg of
+        GetPendingCount result ->
+            case result of
+                Ok pendingCount ->
+                    ( { model | pendingCount = pendingCount }, Cmd.none )
+
+                -- Unauthorized access
+                Err (Http.BadStatus 403) ->
+                    ( { model | pendingCount = NotSet }, Cmd.none )
+
+                Err err ->
+                    ( model, errorNotification ("Error while trying to fetch pending change requests: " ++ getErrorMessage err) )
+
+        GetWorkflowEnabledSetting result ->
+            case result of
+                Ok setting ->
+                    case setting of
+                        Enabled ->
+                            ( model, getPendingCount model )
+
+                        Disabled ->
+                            ( { model | pendingCount = NotSet }, Cmd.none )
+
+                -- Unauthorized access
+                Err (Http.BadStatus 403) ->
+                    ( { model | pendingCount = NotSet }, Cmd.none )
+
+                Err err ->
+                    ( model, errorNotification ("Error while trying to fetch change_requests_enabled setting: " ++ getErrorMessage err) )
+
+
+
+------------------------------
+-- VIEW --
+------------------------------
+
+
+view : Model -> Html Msg
+view model =
+    let
+        viewDropdown =
+            case model.pendingCount of
+                NotSet ->
+                    viewDropdownToggle True "-"
+
+                PendingCountWithTotal pc ->
+                    viewDropdownToggle False ( String.fromInt pc.totalCount )
+    in
+    li
+        [ Attr.class "nav-item dropdown notifications-menu"
+        , Attr.id "workflow-app"
+        ]
+        [ viewDropdown
+        , ul
+            [ Attr.class "dropdown-menu"
+            , Attr.attribute "role" "menu"
+            ]
+            [ li [] [ viewDropDownMenu model ] ]
+        ]
+
+
+
+viewDropDownMenu : Model -> Html Msg
+viewDropDownMenu model =
+    case model.pendingCount of
+        NotSet ->
+            ul [ Attr.class "menu" ] []
+
+        PendingCountWithTotal pc ->
+            ul [ Attr.class "menu" ]
+                [ displayPendingCount pc.pendingValidation "Pending Validation" (getPendingValidationUrl model) "pe-2 fa fa-flag-o"
+                , displayPendingCount pc.pendingDeployment "Pending Deployment" (getPendingDeploymentUrl model) "pe-2 fa fa-flag-checkered"
+                ]
+
+
+viewDropdownToggle : Bool -> String -> Html Msg
+viewDropdownToggle isLoading displayedCount =
+    a
+        [ Attr.href "#"
+        , Attr.class ( "dropdown-toggle " ++ if isLoading then "placeholder-glow" else "" )
+        , Attr.attribute "data-bs-toggle" "dropdown"
+        , Attr.attribute "role" "button"
+        , Attr.attribute "aria-expanded" "false"
+        ]
+        [ span [] [ text "CR" ]
+        , span
+            [ Attr.id "number"
+            , Attr.class ( "badge rudder-badge " ++ if isLoading then "placeholder" else "" )
+            ]
+            [ Html.text displayedCount ]
+        ]
+
+
+displayPendingCount : Maybe Int -> String -> String -> String -> Html Msg
+displayPendingCount countOpt countName link flag =
+    case countOpt of
+        Nothing ->
+            Html.text ""
+
+        Just count ->
+            li []
+                [ a
+                    [ Attr.href link
+                    , Attr.class "pe-auto"
+                    ]
+                    [ span []
+                        [ i
+                            [ Attr.class flag
+                            ]
+                            []
+                        , Html.text countName
+                        ]
+                    , span
+                        [ Attr.class "float-end badge bg-light text-dark px-2"
+                        ]
+                        [ Html.text (String.fromInt count) ]
+                    ]
+                ]
+
+
+
+------------------------------
+-- SUBSCRIPTIONS
+------------------------------
+
+
+subscriptions : Model -> Sub Msg
+subscriptions _ =
+    Sub.none
diff --git a/change-validation/src/main/elm/sources/WorkflowInformationTest.elm b/change-validation/src/main/elm/sources/WorkflowInformationTest.elm
new file mode 100644
index 000000000..586a3cf41
--- /dev/null
+++ b/change-validation/src/main/elm/sources/WorkflowInformationTest.elm
@@ -0,0 +1,88 @@
+module WorkflowInformationTest exposing (..)
+
+import Expect
+import Fuzz exposing (int, maybe)
+import Test exposing (..)
+import WorkflowInformation exposing (PendingCountOpt(..), pendingCountOpt)
+
+
+expectedTotalCount nonOptCount optCount =
+    case optCount of
+        Just res ->
+            res + nonOptCount
+
+        Nothing ->
+            nonOptCount
+
+
+suite =
+    describe "pending count"
+        [ -- A PendingCount Json that has two empty fields will always be decoded as a NotSet object
+          test "NotSet" <|
+            \_ ->
+                pendingCountOpt Nothing Nothing
+                    |> Expect.equal NotSet
+        , -- A PendingCount Json whose pendingValidation field is present will always be decoded as a PendingCountWithTotal object
+          fuzz2
+            int
+            (maybe int)
+            "Non-empty pendingValidation field"
+          <|
+            \pendingValidation pendingDeploymentOpt ->
+                pendingCountOpt (Just pendingValidation) pendingDeploymentOpt
+                    |> Expect.equal
+                        (PendingCountWithTotal
+                            { pendingValidation = Just pendingValidation
+                            , pendingDeployment = pendingDeploymentOpt
+                            , totalCount = expectedTotalCount pendingValidation pendingDeploymentOpt
+                            }
+                        )
+        , -- A PendingCount Json whose pendingDeployment field is present will always be decoded as a PendingCountWithTotal object
+          fuzz2
+            (maybe int)
+            int
+            "Non-empty pendingDeployment field"
+          <|
+            \pendingValidationOpt pendingDeployment ->
+                pendingCountOpt pendingValidationOpt (Just pendingDeployment)
+                    |> Expect.equal
+                        (PendingCountWithTotal
+                            { pendingValidation = pendingValidationOpt
+                            , pendingDeployment = Just pendingDeployment
+                            , totalCount = expectedTotalCount pendingDeployment pendingValidationOpt
+                            }
+                        )
+        , -- A PendingCount Json whose pendingValidation and pendingDeployment fields are both present will always be decoded as a PendingCountWithTotal object
+          fuzz2
+            int
+            int
+            "Non-empty pendingDeployment and pendingValidation fields"
+          <|
+            \pendingValidation pendingDeployment ->
+                pendingCountOpt (Just pendingValidation) (Just pendingDeployment)
+                    |> Expect.equal
+                        (PendingCountWithTotal
+                            { pendingValidation = Just pendingValidation
+                            , pendingDeployment = Just pendingDeployment
+                            , totalCount = pendingValidation + pendingDeployment
+                            }
+                        )
+        , -- After decoding, the obtained PendingCountOpt object must be a 'NotSet' if the two given fields are equal to 'Nothing', and be a 'PendingCountWithTotal' object whose fields are exactly equal to the given values.
+          fuzz2
+            (maybe int)
+            (maybe int)
+            "PendingCountWithTotal cannot have two empty fields"
+          <|
+            \pendingValidation pendingDeployment ->
+                case pendingCountOpt pendingValidation pendingDeployment of
+                    NotSet ->
+                        ( pendingValidation, pendingDeployment ) |> Expect.equal ( Nothing, Nothing )
+
+                    PendingCountWithTotal pendingCount ->
+                        case ( pendingCount.pendingValidation, pendingCount.pendingDeployment ) of
+                            ( Nothing, Nothing ) ->
+                                Expect.fail "PendingCountWithTotal cannot have both of its pendingValidation and pendingDeployment fields be equal to 'Nothing'"
+
+                            ( _, _ ) ->
+                                ( pendingCount.pendingValidation, pendingCount.pendingDeployment ) |> Expect.equal ( pendingValidation, pendingDeployment )
+        ]
diff --git a/change-validation/src/main/elm/sources/WorkflowUsers.elm b/change-validation/src/main/elm/sources/WorkflowUsers.elm
index ba8346b0c..ab8209b93 100644
--- a/change-validation/src/main/elm/sources/WorkflowUsers.elm
+++ b/change-validation/src/main/elm/sources/WorkflowUsers.elm
@@ -1,150 +1,305 @@
 module WorkflowUsers exposing (..)
 
-import ApiCalls exposing (getUsers)
-import Browser
-import DataTypes exposing (ColPos(..), EditMod(..), Model, Msg(..), User, UserList)
-import Init exposing (initModel, subscriptions, errorNotification, successNotification, getErrorMessage)
+import DataTypes exposing (ColPos(..), EditMod(..), Model, Msg, User, UserList, UserListField(..), ValidateAllView(..), WorkflowUsersForm, WorkflowUsersMsg(..), WorkflowUsersView(..))
+import ErrorMessages exposing (getErrorMessage)
 import List exposing (filter, member)
+import Ports exposing (errorNotification, successNotification)
 import String
-import View exposing (view)
+
 
 filterValidatedUsers : UserList -> UserList
 filterValidatedUsers users =
     filter (\u -> u.isValidated) users
 
+
 filterUnvalidatedUsers : UserList -> UserList
 filterUnvalidatedUsers users =
     filter (\u -> not u.isValidated) users
 
-mainInit : {contextPath : String} -> ( Model, Cmd Msg )
-mainInit initValues =
-  let
-    m =
-      initModel initValues.contextPath
-  in
-    ( m, getUsers m )
-
-main =
-  Browser.element
-  { init          = mainInit
-  , view          = view
-  , update        = update
-  , subscriptions = subscriptions
-  }
-
-update : Msg -> Model -> ( Model, Cmd Msg )
+
+initModel : String -> Bool -> Model
+initModel contextPath hasWriteRights =
+    Model contextPath Off WorkflowUsersInitView hasWriteRights ValidateAllInitView
+
+
+update : WorkflowUsersMsg -> Model -> ( Model, Cmd Msg )
 update msg model =
-  case msg of
-    GetUsers result ->
-      case result of
-        Ok users  ->
-          (
-            { model
-            | users = users
-            , unvalidatedUsers = filterUnvalidatedUsers users
-            , validatedUsers   = filterValidatedUsers users
-            , leftChecked      = []
-            , rightChecked     = []
-            , hasMoved         = []
-            }
+    case msg of
+        GetUsers result ->
+            case result of
+                Ok users ->
+                    ( { model
+                        | workflowUsersView =
+                            WorkflowUsers
+                                { users = users
+                                , unvalidatedUsers = filterUnvalidatedUsers users
+                                , validatedUsers = filterValidatedUsers users
+                                , leftChecked = []
+                                , rightChecked = []
+                                , hasMoved = []
+                                }
+                      }
+                    , Cmd.none
+                    )
+
+                Err error ->
+                    ( model, errorNotification ("An error occurred while trying to get users:" ++ getErrorMessage error) )
+
+        RemoveUser result ->
+            case result of
+                Ok removeUser ->
+                    ( { model | workflowUsersView = mapUserList Users (filter (\m -> m.username /= removeUser)) model.workflowUsersView }, Cmd.none )
+
+                Err error ->
+                    ( model, errorNotification ("An error occurred while trying to delete a validated users:" ++ getErrorMessage error) )
+
+        SaveWorkflow result ->
+            case result of
+                Ok updatedUsers ->
+                    ( { model
+                        | workflowUsersView =
+                            model.workflowUsersView
+                                |> setUserListOn Users updatedUsers
+                                |> setUserListOn UnvalidatedUsers (filterUnvalidatedUsers updatedUsers)
+                                |> setUserListOn ValidatedUsers (filterValidatedUsers updatedUsers)
+                                |> setUserListOn HasMoved []
+                                |> setChecked [] []
+                      }
+                    , successNotification ""
+                    )
+
+                Err error ->
+                    ( model, errorNotification ("An error occurred while trying to save validated users:" ++ getErrorMessage error) )
+
+        CallApi call ->
+            ( model, call model )
+
+        RightToLeft ->
+            case model.workflowUsersView of
+                WorkflowUsers form ->
+                    ( { model
+                        | workflowUsersView =
+                            model.workflowUsersView
+                                |> mapUserList UnvalidatedUsers (filter (\u -> not (member u form.rightChecked)))
+                                |> setUserListOn HasMoved (form.hasMoved ++ form.rightChecked)
+                                |> setUserListOn ValidatedUsers (form.rightChecked ++ form.validatedUsers)
+                                |> setChecked [] []
+                      }
+                    , Cmd.none
+                    )
+
+                _ ->
+                    ( model, Cmd.none )
+
+        LeftToRight ->
+            case model.workflowUsersView of
+                WorkflowUsers form ->
+                    ( { model
+                        | workflowUsersView =
+                            model.workflowUsersView
+                                |> setUserListOn UnvalidatedUsers (form.leftChecked ++ form.unvalidatedUsers)
+                                |> setUserListOn HasMoved (form.hasMoved ++ form.leftChecked)
+                                |> mapUserList ValidatedUsers (filter (\u -> not (member u form.leftChecked)))
+                                |> setChecked [] []
+                      }
+                    , Cmd.none
+                    )
+
+                _ ->
+                    ( model, Cmd.none )
+
+        AddLeftChecked user isChecked ->
+            case model.workflowUsersView of
+                WorkflowUsers form ->
+                    if not (member user form.leftChecked) && isChecked then
+                        ( { model
+                            | workflowUsersView =
+                                model.workflowUsersView
+                                    |> setChecked (user :: form.leftChecked) []
+                          }
+                        , Cmd.none
+                        )
+
+                    else
+                        ( { model
+                            | workflowUsersView = model.workflowUsersView |> mapUserList LeftChecked (filter (\u -> user /= u))
+                          }
+                        , Cmd.none
+                        )
+
+                _ ->
+                    ( model, Cmd.none )
+
+        AddRightChecked user isChecked ->
+            case model.workflowUsersView of
+                WorkflowUsers form ->
+                    if not (member user form.rightChecked) && isChecked then
+                        ( { model
+                            | workflowUsersView =
+                                model.workflowUsersView
+                                    |> setChecked [] (user :: form.rightChecked)
+                          }
+                        , Cmd.none
+                        )
+
+                    else
+                        ( { model
+                            | workflowUsersView = model.workflowUsersView |> mapUserList RightChecked (filter (\u -> user /= u))
+                          }
+                        , Cmd.none
+                        )
+
+                _ ->
+                    ( model, Cmd.none )
+
+        CheckAll colPos isChecked ->
+            case colPos of
+                Left ->
+                    if isChecked then
+                        ( { model | workflowUsersView = model.workflowUsersView |> checkAllView Left }, Cmd.none )
+
+                    else
+                        ( { model | workflowUsersView = model.workflowUsersView |> setUserListOn LeftChecked [] }, Cmd.none )
+
+                Right ->
+                    if isChecked then
+                        ( { model | workflowUsersView = model.workflowUsersView |> checkAllView Right }, Cmd.none )
+
+                    else
+                        ( { model | workflowUsersView = model.workflowUsersView |> setUserListOn RightChecked [] }, Cmd.none )
+
+        SwitchMode ->
+            case model.editMod of
+                On ->
+                    ( { model | editMod = Off }, Cmd.none )
+
+                Off ->
+                    ( { model | editMod = On }, Cmd.none )
+
+        ExitEditMod ->
+            ( { model
+                | editMod = Off
+                , workflowUsersView =
+                    model.workflowUsersView
+                        |> setChecked [] []
+              }
             , Cmd.none
-          )
-        Err error ->
-          ( model, errorNotification ("An error occurred while trying to get users:" ++ getErrorMessage error))
-
-    RemoveUser result ->
-      case result of
-        Ok removeUser ->
-          ( { model | users = filter  (\m -> m.username /= removeUser) model.users  }, Cmd.none )
-        Err error     ->
-          ( model, errorNotification ("An error occurred while trying to delete a validated users:" ++ getErrorMessage error))
-
-    SaveWorkflow result ->
-      case result of
-        Ok updatedUsers ->
-          (
-            { model
-            | users = updatedUsers
-            , unvalidatedUsers = filterUnvalidatedUsers updatedUsers
-            , validatedUsers   = filterValidatedUsers updatedUsers
-            , leftChecked      = []
-            , rightChecked     = []
-            , hasMoved         = []
-            }
-            , successNotification ""
-          )
-        Err error       ->
-          ( model, errorNotification ("An error occurred while trying to save validated users:" ++ getErrorMessage error))
-
-    CallApi call ->
-      (model, call model)
-
-    RightToLeft ->
-      let
-        newUnvalidatedUsers =
-          filter (\u -> not (member u model.rightChecked)) model.unvalidatedUsers
-        newValidatedUsers   =
-          model.rightChecked ++ model.validatedUsers
-      in
-        (
-          { model
-          | unvalidatedUsers = newUnvalidatedUsers
-          , hasMoved         = model.hasMoved ++ model.rightChecked
-          , validatedUsers   = newValidatedUsers
-          , leftChecked      = []
-          , rightChecked     = []
-          }
-          , Cmd.none
-        )
-
-    LeftToRight ->
-      let
-        newValidatedUsers   =
-          filter (\u -> not (member u model.leftChecked)) model.validatedUsers
-        newUnvalidatedUsers =
-          model.leftChecked ++ model.unvalidatedUsers
-      in
-        (
-          { model
-          | unvalidatedUsers = newUnvalidatedUsers
-          , hasMoved         = model.hasMoved ++ model.leftChecked
-          , validatedUsers   = newValidatedUsers
-          , leftChecked      = []
-          , rightChecked     = []
-          }
-          , Cmd.none
-        )
-
-    AddLeftChecked user isChecked ->
-      if  (not (member user model.leftChecked)) &&  isChecked  then
-        ({model | leftChecked = user :: model.leftChecked, rightChecked = []}, Cmd.none)
-      else
-        ({model | leftChecked = filter (\u -> user /= u) model.leftChecked}, Cmd.none)
-
-
-    AddRightChecked user isChecked ->
-      if (not (member user model.rightChecked) ) &&  isChecked then
-        ({model | rightChecked = user :: model.rightChecked, leftChecked = []}, Cmd.none)
-      else
-        ({model | rightChecked = filter (\u -> user /= u) model.rightChecked}, Cmd.none)
-
-    CheckAll colPos isChecked->
-      case colPos of
-        Left  ->
-          if  isChecked then
-            ({model | leftChecked = model.validatedUsers, rightChecked = []}, Cmd.none)
-          else
-            ({model | leftChecked = []}, Cmd.none)
-        Right ->
-          if  isChecked then
-            ({model | rightChecked = model.unvalidatedUsers, leftChecked = []}, Cmd.none)
-          else
-            ({model | rightChecked = []}, Cmd.none)
-
-    SwitchMode ->
-      case model.editMod of
-        On  -> ({model | editMod = Off}, Cmd.none)
-        Off -> ({model | editMod = On}, Cmd.none)
-
-    ExitEditMod ->
-      ({model | editMod = Off, leftChecked = [], rightChecked = []}, Cmd.none)
\ No newline at end of file
+            )
+
+        SaveValidateAllSetting result ->
+            case result of
+                Ok newSetting ->
+                    ( { model | validateAllView = initValidateAllForm newSetting }
+                    , successNotification "Successfully saved setting"
+                    )
+
+                Err error ->
+                    ( model, errorNotification ("An error occurred while trying to save validate_all_enabled setting :" ++ getErrorMessage error) )
+
+        GetValidateAllSetting result ->
+            case result of
+                Ok setting ->
+                    ( { model | validateAllView = initValidateAllForm setting }, Cmd.none )
+
+                Err error ->
+                    ( model, errorNotification ("An error occurred while trying to get validate_all_enabled setting :" ++ getErrorMessage error) )
+
+        ChangeValidateAllSetting enable_validate_all ->
+            ( { model | validateAllView = setValidateAll enable_validate_all model.validateAllView }, Cmd.none )
+
+
+setUserListOn : UserListField -> UserList -> WorkflowUsersView -> WorkflowUsersView
+setUserListOn field newList viewState =
+    case viewState of
+        WorkflowUsers formState ->
+            case field of
+                Users ->
+                    WorkflowUsers { formState | users = newList }
+
+                ValidatedUsers ->
+                    WorkflowUsers { formState | validatedUsers = newList }
+
+                UnvalidatedUsers ->
+                    WorkflowUsers { formState | unvalidatedUsers = newList }
+
+                RightChecked ->
+                    WorkflowUsers { formState | rightChecked = newList }
+
+                LeftChecked ->
+                    WorkflowUsers { formState | leftChecked = newList }
+
+                HasMoved ->
+                    WorkflowUsers { formState | hasMoved = newList }
+
+        _ ->
+            viewState
+
+
+setChecked : UserList -> UserList -> WorkflowUsersView -> WorkflowUsersView
+setChecked left right =
+    setUserListOn LeftChecked left >> setUserListOn RightChecked right
+
+
+checkAllView : ColPos -> WorkflowUsersView -> WorkflowUsersView
+checkAllView colPos viewState =
+    case viewState of
+        WorkflowUsers formState ->
+            case colPos of
+                Left ->
+                    viewState |> setChecked formState.validatedUsers []
+
+                Right ->
+                    viewState |> setChecked [] formState.unvalidatedUsers
+
+        _ ->
+            viewState
+
+
+mapUserList : UserListField -> (UserList -> UserList) -> WorkflowUsersView -> WorkflowUsersView
+mapUserList field f viewState =
+    case viewState of
+        WorkflowUsers formState ->
+            case field of
+                Users ->
+                    WorkflowUsers { formState | users = f formState.users }
+
+                ValidatedUsers ->
+                    WorkflowUsers { formState | validatedUsers = f formState.validatedUsers }
+
+                UnvalidatedUsers ->
+                    WorkflowUsers { formState | unvalidatedUsers = f formState.unvalidatedUsers }
+
+                RightChecked ->
+                    WorkflowUsers { formState | rightChecked = f formState.rightChecked }
+
+                LeftChecked ->
+                    WorkflowUsers { formState | leftChecked = f formState.leftChecked }
+
+                HasMoved ->
+                    WorkflowUsers { formState | hasMoved = f formState.hasMoved }
+
+        _ ->
+            viewState
+
+
+initValidateAllForm : Bool -> ValidateAllView
+initValidateAllForm value =
+    let
+        formState =
+            { validateAll = value }
+    in
+    ValidateAll { initValues = formState, formValues = formState }
+
+
+setValidateAll : Bool -> ValidateAllView -> ValidateAllView
+setValidateAll newValue viewState =
+    case viewState of
+        ValidateAll formState ->
+            let
+                newFormState =
+                    { validateAll = newValue }
+            in
+            ValidateAll { formState | formValues = newFormState }
+
+        _ ->
+            viewState
diff --git a/change-validation/src/main/resources/change-validation.conf b/change-validation/src/main/resources/change-validation.conf
index 81b1795b1..82d821be6 100644
--- a/change-validation/src/main/resources/change-validation.conf
+++ b/change-validation/src/main/resources/change-validation.conf
@@ -7,20 +7,20 @@ smtp.password=""
 
 # The rudder base URL (domain) as seen from people who will receive emails. This parameter is used
 # to display link to change requests in notification emails.
-# If the CR URL is: https://my.rudder.server/rudder/secure/plugins/changes/changeRequest/1
+# If the CR URL is: https://my.rudder.server/rudder/secure/configurationManager/changes/changeRequest/1
 # You should use: https://my.rudder.server/rudder [without end slash]
 rudder.base.url="https://my.rudder.server/rudder"
 
 
 # The rudder base URL (domain) as seen from people who will receive emails. This parameter is used
 # to display link to change requests in notification emails.
-# If the CR URL is: https://my.rudder.server/rudder/secure/plugins/changes/changeRequest/1
+# If the CR URL is: https://my.rudder.server/rudder/secure/configurationManager/changes/changeRequest/1
 # You should use: https://my.rudder.server/rudder [without end slash]
 rudder.base.url="https://my.rudder.server/rudder"
 
 
 # `subject` parameter support templating.
-#  Please refer to the documentation : https://docs.rudder.io/reference/6.1/plugins/change-validation.html
+#  Please refer to the documentation : https://docs.rudder.io/reference/current/plugins/change-validation.html
 #  to know which parameters can be used for templating.
 
 # Pending validation
diff --git a/change-validation/src/main/resources/template/ChangeValidationManagement.html b/change-validation/src/main/resources/template/ChangeValidationManagement.html
index b556b6eef..05062fa79 100644
--- a/change-validation/src/main/resources/template/ChangeValidationManagement.html
+++ b/change-validation/src/main/resources/template/ChangeValidationManagement.html
@@ -1,332 +1,217 @@
-<!doctype html>
-<html>
+<xml:group>
+  <component-body>
 
-<head>
-<meta charset="utf8" />
-<!-- everything here will be ignored and replaced by common-layout -->
-</head>
+	<head_merge>
+	  <link rel="stylesheet" type="text/css" href="/toserve/changevalidation/change-validation.css" media="screen"
+	  data-lift="with-cached-resource">
+	  <script src="/toserve/changevalidation/change-validation.js" data-lift="with-cached-resource"></script>
+	  <script src="/toserve/changevalidation/rudder-changevalidationsettings.js" data-lift="with-cached-resource"></script>
+	</head_merge>
 
-<body data-lift-content-id="plugin-main">
-<div id="plugin-main" data-lift="surround?with=common-layout;at=content">
-<head_merge>
-<title>Rudder - Change Validation</title>
-<link rel="stylesheet" type="text/css" href="/toserve/changevalidation/change-validation.css" media="screen" data-lift="with-cached-resource">
-<script src="/toserve/changevalidation/change-validation.js" data-lift="with-cached-resource"></script>
-<script src="/toserve/changevalidation/rudder-supervisedtargets.js" data-lift="with-cached-resource"></script>
-<script src="/toserve/changevalidation/rudder-workflowusers.js" data-lift="with-cached-resource"></script>
-</head_merge>
+	<div class="d-flex h-100">
 
-<div class="rudder-template">
+	  <div class="sidebar-left">
+		<div class="sidebar-body" id="navbar-changevalidation">
+		  <ul class="nav nav-tabs"></ul>
+		</div>
+	  </div>
 
-<div class="one-col">
-<div class="main-header">
-  <div class="header-title">
-    <h1>
-      <span>Change validation</span>
-    </h1>
-  </div>
-</div>
-<div class="one-col-main">
+	  <div class="template-main h-100">
+		<div class="main-container">
+		  <div class="main-details" data-bs-spy="scroll" data-bs-target="#navbar-changevalidation" data-bs-smooth-scroll="true">
+			<div class="lift:ChangeValidationSettings.activation" id="workflowForm">
+			  <h3 class="page-title" style="margin-top: 0;">Change validation status</h3>
+			  <div class="section-with-doc">
+				<div class="section-left">
+				  <form class="lift:form.ajax">
+				<ul>
+				  <li class="rudder-form">
+					<div class="input-group">
+					  <label class="input-group-addon" for="workflowEnabled">
+						<input id="workflowEnabled" type="checkbox">
+						<label for="workflowEnabled" class="label-radio">
+					  		<span class="ion ion-checkmark-round"></span>
+						</label>
+						<span class="ion ion-checkmark-round check-icon"></span>
+					  </label>
+					  <label class="form-control" for="workflowEnabled">
+						Enable change requests
+					  </label>
+					</div>
+				  </li>
+				  <li class="rudder-form">
+					<div class="input-group">
+					  <label class="input-group-addon" for="selfVal">
+						<input id="selfVal" type="checkbox">
+						<label for="selfVal" class="label-radio">
+                        <span class="ion ion-checkmark-round"></span>
+						</label>
+						<span class="ion ion-checkmark-round check-icon"></span>
+					  </label>
+					  <label class="form-control" for="selfVal">
+						Allow self validation
+						<span id="selfValTooltip"></span>
+					  </label>
+					</div>
+				  </li>
+				  <li class="rudder-form">
+					<div class="input-group">
+					  <label class="input-group-addon" for="selfDep">
+						<input id="selfDep" type="checkbox">
+						<label for="selfDep" class="label-radio">
+                        <span class="ion ion-checkmark-round"></span>
+						</label>
+						<span class="ion ion-checkmark-round check-icon"></span>
+					  </label>
+					  <label class="form-control" for="selfDep">
+						Allow self deployment
+						<span id="selfDepTooltip"></span>
+					  </label>
+					</div>
+				  </li>
+				</ul>
+				<lift:authz role="administration_write">
+				  <input type="submit" value="Reload" id="workflowSubmit" />
+				  <span class="lift:Msg?id=updateWorkflow">[messages]</span>
+				</lift:authz>
+				  </form>
+				</div>
+				<div class="section-right">
+				  <div class="doc doc-info">
+				<div class="marker">
+				  <span class="fa fa-info-circle"></span>
+				</div>
+				<p>
+				  If enabled, all change to configuration (directives, rules, groups and parameters) will be
+				  submitted for validation via a change request based on node targeting (configured
+				  below).<br />
+				  A new change request will enter the <b>Pending validation</b> status, then can be moved to
+				  <b>Pending deployment</b> (approved but not yet deployed) or <b>Deployed</b> (approved and
+				  deployed) statuses.
+				</p>
+				<p>
+				  If you have the user management plugin, only users with the <b>validator</b> or
+				  <b>deployer</b> roles are authorized to perform
+				  these steps (see <i><strong>/opt/rudder/etc/rudder-users.xml</strong></i>).
+				</p>
+				<p>
+				  If disabled or if the change is not submitted to validation, the configuration will be
+				  immediately deployed.
+				</p>
+				  </div>
+				</div>
+			  </div>
+			</div>
+			<div>
+			  <h3 class="page-title">Configure email notification</h3>
+			  <div class="section-with-doc">
+				<div class="section-left">
+				  <p>You can modify the email's template of each steps here: </p>
+				  <ul class="clipboard-list">
+				<li>
+				  <span>/var/rudder/plugins/change-validation/validation-mail.template</span>
+				  <a class="btn-goto btn-clipboard"
+					onclick="copy('/var/rudder/plugins/change-validation/validation-mail.template')"
+					data-toggle='tooltip' data-placement='bottom' data-container="html"
+					title="Copy to clipboard">
+					<i class="far fa-clipboard"></i>
+				  </a>
+				</li>
+				<li>
+				  <span>/var/rudder/plugins/change-validation/deployment-mail.template</span>
+				  <a class="btn-goto btn-clipboard"
+					onclick="copy('/var/rudder/plugins/change-validation/deployment-mail.template')"
+					data-toggle='tooltip' data-placement='bottom' data-container="html"
+					title="Copy to clipboard">
+					<i class="far fa-clipboard"></i>
+				  </a>
+				</li>
+				<li>
+				  <span>/var/rudder/plugins/change-validation/cancelled-mail.template</span>
+				  <a class="btn-goto btn-clipboard"
+					onclick="copy('/var/rudder/plugins/change-validation/cancelled-mail.template')"
+					data-toggle='tooltip' data-placement='bottom' data-container="html"
+					title="Copy to clipboard">
+					<i class="far fa-clipboard"></i>
+				  </a>
+				</li>
+				<li>
+				  <span>/var/rudder/plugins/change-validation/deployed-mail.template</span>
+				  <a class="btn-goto btn-clipboard"
+					onclick="copy('/var/rudder/plugins/change-validation/deployed-mail.template')"
+					data-toggle='tooltip' data-placement='bottom' data-container="html"
+					title="Copy to clipboard">
+					<i class="far fa-clipboard"></i>
+				  </a>
+				</li>
+				  </ul>
+				</div>
+				<div class="section-right">
+				  <div class="doc doc-info">
+				<div class="marker">
+				  <span class="fa fa-info-circle"></span>
+				</div>
+				<p>
+				  By default, email notifications are disabled. To enable them, make sure that the
+				  <b>smtp.hostServer</b> parameter is
+				  not left empty in the configuration file:
+				  <b>/opt/rudder/etc/plugins/change-validation.conf</b>
+				</p>
+				  </div>
+				</div>
+			  </div>
+			</div>
+			<div>
+			  <h3 class="page-title">Configure change request triggers</h3>
+			  <div>
+				<p>
+				  By default, change request are created for all users. You can change when a change request
+				  is created with below options:
+				</p>
+				<ul>
+				  <li>exempt some users from validation;</li>
+				  <li>trigger change request only for changes impacting nodes belonging to some supervised groups;
+				  </li>
+				</ul>
+				<p>Be careful: a change request is created when <b>at least one</b> predicate matches, so an
+				  exempted user
+				  still need a change request to modify a node from a supervised group.
+				</p>
+			  </div>
+			  <h3 class="page-subtitle">Configure users with change validation</h3>
+			  <div id="changeValidationSettings"></div>
 
-  <div class="template-sidebar sidebar-left">
-    <div class="sidebar-body" id="navbar-scrollspy">
-      <ul class="nav nav-tabs"></ul>
-    </div>
-  </div>
+					<script data-lift="with-nonce">
+					  var hasWriteRights = false;
+					</script>
+					<lift:authz role="administration_write">
+					  <script data-lift="with-nonce">
+						hasWriteRights = true;
+					</script>
+				</lift:authz>
 
-  <div class="template-main">
-    <div class="main-container">
-      <div class="main-details" data-spy="scroll" data-target="#navbar-scrollspy">
-	<div class="lift:ChangeValidationSettings.activation" id="workflowForm">
-	  <h3 class="page-title" style="margin-top: 0;">Change validation status</h3>
-	  <div class="section-with-doc">
-	    <div class="section-left">
-	      <form class="lift:form.ajax">
-		<ul>
-		  <li class="rudder-form">
-		    <div class="input-group">
-		      <label class="input-group-addon" for="workflowEnabled">
-			<input id="workflowEnabled" type="checkbox">
-			<label for="workflowEnabled" class="label-radio">
-			  <span class="ion ion-checkmark-round"></span>
-			</label>
-			<span class="ion ion-checkmark-round check-icon"></span>
-		      </label>
-		      <label class="form-control" for="workflowEnabled">
-			Enable change requests
-		      </label>
-		    </div>
-		  </li>
-		  <li class="rudder-form">
-		    <div class="input-group">
-		      <label class="input-group-addon" for="selfVal">
-			<input id="selfVal" type="checkbox">
-			<label for="selfVal" class="label-radio">
-			  <span class="ion ion-checkmark-round"></span>
-			</label>
-			<span class="ion ion-checkmark-round check-icon"></span>
-		      </label>
-		      <label class="form-control" for="selfVal">
-			Allow self validation
-			<span id="selfValTooltip"></span>
-		      </label>
-		    </div>
-		  </li>
-		  <li class="rudder-form">
-		    <div class="input-group">
-		      <label class="input-group-addon" for="selfDep">
-			<input id="selfDep" type="checkbox">
-			<label for="selfDep" class="label-radio">
-			  <span class="ion ion-checkmark-round"></span>
-			</label>
-			<span class="ion ion-checkmark-round check-icon"></span>
-		      </label>
-		      <label class="form-control" for="selfDep">
-			Allow self deployment
-			<span id="selfDepTooltip"></span>
-		      </label>
-		    </div>
-		  </li>
-		</ul>
-		<lift:authz role="administration_write">
-		  <input type="submit" value="Reload" id="workflowSubmit" />
-		  <span class="lift:Msg?id=updateWorkflow">[messages]</span>
-		</lift:authz>
-	      </form>
-	    </div>
-	    <div class="section-right">
-	      <div class="doc doc-info">
-		<div class="marker">
-		  <span class="fa fa-info-circle"></span>
-		</div>
-		<p>
-		  If enabled, all change to configuration (directives, rules, groups and parameters) will be
-		  submitted for validation via a change request based on node targeting (configured
-		  below).<br />
-		  A new change request will enter the <b>Pending validation</b> status, then can be moved to
-		  <b>Pending deployment</b> (approved but not yet deployed) or <b>Deployed</b> (approved and
-		  deployed) statuses.
-		</p>
-		<p>
-		  If you have the user management plugin, only users with the <b>validator</b> or
-		  <b>deployer</b> roles are authorized to perform
-		  these steps (see <i><strong>/opt/rudder/etc/rudder-users.xml</strong></i>).
-		</p>
-		<p>
-		  If disabled or if the change is not submitted to validation, the configuration will be
-		  immediately deployed.
-		</p>
-	      </div>
-	    </div>
-	  </div>
-	</div>
-	<div>
-	  <h3 class="page-title">Configure email notification</h3>
-	  <div class="section-with-doc">
-	    <div class="section-left">
-	      <p>You can modify the email's template of each steps here: </p>
-	      <ul class="clipboard-list">
-		<li>
-		  <span>/var/rudder/plugins/change-validation/validation-mail.template</span>
-		  <a class="btn-goto btn-clipboard"
-		    onclick="copy('/var/rudder/plugins/change-validation/validation-mail.template')"
-		    data-toggle='tooltip' data-placement='bottom' data-container="html"
-		    title="Copy to clipboard">
-		    <i class="far fa-clipboard"></i>
-		  </a>
-		</li>
-		<li>
-		  <span>/var/rudder/plugins/change-validation/deployment-mail.template</span>
-		  <a class="btn-goto btn-clipboard"
-		    onclick="copy('/var/rudder/plugins/change-validation/deployment-mail.template')"
-		    data-toggle='tooltip' data-placement='bottom' data-container="html"
-		    title="Copy to clipboard">
-		    <i class="far fa-clipboard"></i>
-		  </a>
-		</li>
-		<li>
-		  <span>/var/rudder/plugins/change-validation/cancelled-mail.template</span>
-		  <a class="btn-goto btn-clipboard"
-		    onclick="copy('/var/rudder/plugins/change-validation/cancelled-mail.template')"
-		    data-toggle='tooltip' data-placement='bottom' data-container="html"
-		    title="Copy to clipboard">
-		    <i class="far fa-clipboard"></i>
-		  </a>
-		</li>
-		<li>
-		  <span>/var/rudder/plugins/change-validation/deployed-mail.template</span>
-		  <a class="btn-goto btn-clipboard"
-		    onclick="copy('/var/rudder/plugins/change-validation/deployed-mail.template')"
-		    data-toggle='tooltip' data-placement='bottom' data-container="html"
-		    title="Copy to clipboard">
-		    <i class="far fa-clipboard"></i>
-		  </a>
-		</li>
-	      </ul>
-	    </div>
-	    <div class="section-right">
-	      <div class="doc doc-info">
-		<div class="marker">
-		  <span class="fa fa-info-circle"></span>
+				<script data-lift="with-nonce">
+					$(document).ready(function () {
+                      const cvs = document.getElementById("changeValidationSettings");
+                      const initValues = {
+                        contextPath: contextPath,
+                        hasWriteRights: hasWriteRights
+                      };
+                      const app = Elm.ChangeValidationSettings.init({node: cvs, flags: initValues});
+                      app.ports.successNotification.subscribe(function (str) {
+                        createSuccessNotification(str)
+                      });
+                      app.ports.errorNotification.subscribe(function (str) {
+                        createErrorNotification(str)
+                      });
+                      buildScrollSpyNav("navbar-changevalidation", "changeValidationTab");
+                    });
+				</script>
+
+			</div>
+		  </div>
 		</div>
-		<p>
-		  By default, email notifications are disabled. To enable them, make sure that the
-		  <b>smtp.hostServer</b> parameter is
-		  not left empty in the configuration file:
-		  <b>/opt/rudder/etc/plugins/change-validation.conf</b>
-		</p>
-	      </div>
-	    </div>
 	  </div>
 	</div>
-                <div>
-                  <h3 class="page-title">Configure change request triggers</h3>
-                  <div>
-                    <p>
-                      By default, change request are created for all users. You can change when a change request
-                      is created with below options:
-                    </p>
-                    <ul>
-                      <li>exempt some users from validation;</li>
-                      <li>trigger change request only for changes impacting nodes belonging to some supervised groups;
-                      </li>
-                    </ul>
-                    <p>Be careful: a change request is created when <b>at least one</b> predicate matches, so an
-                      exempted user
-                      still need a change request to modify a node from a supervised group.
-                    </p>
-                  </div>
-                  <h3 class="page-subtitle">Configure users with change validation</h3>
-                  <div class="section-with-doc">
-                    <div class="section-left">
-                      <div id="WorkflowUsers-app">
-                        <div id="validated-users-management"></div>
-                      </div>
-                    </div>
-                    <div class="section-right">
-                      <div class="doc doc-info">
-                        <div class="marker">
-                          <span class="fa fa-info-circle"></span>
-                        </div>
-                        <p>
-                          Any change done by a validated user will be automatically deployed without validation needed
-                          by another user.
-                        </p>
-                      </div>
-                    </div>
-                  </div>
-                  <lift:authz role="administration_write">
-                  <br>
-                  <div data-lift="ChangeValidationSettings.validation">
-                    <div class="section-with-doc">
-                      <div class="section-left">
-                        <form class="lift:form.ajax">
-                          <ul>
-                            <li class="rudder-form">
-                              <div class="input-group">
-                                <label class="input-group-addon" for="validationAutoValidatedUser">
-                                  <input type="checkbox" value="Reload" id="validationAutoValidatedUser"/>
-                                  <label for="validationAutoValidatedUser" class="label-radio">
-                                    <span class="ion ion-checkmark-round"></span>
-                                  </label>
-                                  <span class="ion ion-checkmark-round check-icon"></span>
-                                </label>
-                                <label class="form-control" for="validationAutoValidatedUser">
-                                  Validate all changes
-                                </label>
-                              </div>
-                            </li>
-                          </ul>
-                          <input type="submit" value="Save change" id="validationAutoSubmit"/>
-                          <span class="lift:Msg?id=updateValidation">[messages]</span>
-                        </form>
-                      </div>
-                      <div class="section-right">
-                        <div class="doc doc-info">
-                          <div class="marker">
-                            <span class="fa fa-info-circle"></span>
-                          </div>
-                          <p>
-                            Any change done by a Validated User will be automatically approved no matter the nature of the change.
-                          </p>
-                          <p>
-                            Configuring groups below will hence have no effect on validated users (in the list above), but will apply to non-validated users, who will still need a change request to modify a node from a supervised group.
-                          </p>
-                        </div>
-                      </div>
-                    </div>
-                    
-                  </div>
-                  </lift:authz>
-                  <div>
-                    <h3 class="page-subtitle">Configure groups with change validations</h3>
-                    <div class="section-with-doc">
-                      <div class="section-left">
-                        <div id="supervised-targets-app">
-                          <div id="list-groups-change-validation"></div>
-                        </div>
-                        <script>
-                          $(document).ready(function () {
-                            var main = document.getElementById("list-groups-change-validation");
-                            var wu = document.getElementById("validated-users-management");
-                            var initValues = {
-                              contextPath: contextPath
-                            };
-                            var app = Elm.SupervisedTargets.init({node: main, flags: initValues});
-                            var app2 = Elm.WorkflowUsers.init({node: wu, flags: initValues})
-                            app.ports.successNotification.subscribe(function (str) {
-                              createSuccessNotification(str)
-                            });
-                            app.ports.errorNotification.subscribe(function (str) {
-                              createErrorNotification(str)
-                            });
-                            app2.ports.successNotification.subscribe(function (str) {
-                              createSuccessNotification(str)
-                            });
-                            app2.ports.errorNotification.subscribe(function (str) {
-                              createErrorNotification(str)
-                            });
-                            buildScrollSpyNav();
-                          });
-                        </script>
-                      </div>
-                      <div class="section-right">
-                        <div class="doc doc-info">
-                          <div class="marker">
-                            <span class="fa fa-info-circle"></span>
-                          </div>
-                          <p>
-                            Change validation are enable for <b>any</b> change that would impact a node belonging to one
-                            of the chosen groups below.
-                            Be careful: a change on one another group
-                          </p>
-                          <p>
-                            The supervised changes are:
-                          <ul>
-                            <li>any change in a global parameter, as these changes can have side effects spreading
-                              technique code,</li>
-                            <li>any modification in one of the supervised groups,</li>
-                            <li>any change in a rule which targets a node which belong to a group marked as supervised,
-                            </li>
-                            <li>any change in a directive used in one of the previous rules.</li>
-                          </ul>
-                          </p>
-                          <p>
-                            Changes in techniques are not subjected to change validation, nor are changes resulting from
-                            an archive import.
-                          </p>
-                        </div>
-                      </div>
-                    </div>
-                  </div>
-                </div>
-              </div>
-            </div>
-          </div>
-        </div>
-      </div>
-    </div>
-  </div>
-</body>
-
-</html>
+  </component-body>
+</xml:group>
diff --git a/change-validation/src/main/resources/template/changeRequest.html b/change-validation/src/main/resources/template/changeRequest.html
index 353cbf050..ec2235c4d 100644
--- a/change-validation/src/main/resources/template/changeRequest.html
+++ b/change-validation/src/main/resources/template/changeRequest.html
@@ -4,6 +4,7 @@
 	<title>Rudder - Change Validation</title>
 	<link rel="stylesheet" type="text/css" href="/toserve/changevalidation/change-validation.css" media="screen" data-lift="with-cached-resource">
 	<script src="/toserve/changevalidation/change-validation.js" data-lift="with-cached-resource"></script>
+    <script src="/toserve/changevalidation/rudder-changerequesteditform.js" data-lift="with-cached-resource"></script>
 </head_merge>
 
 <div class="rudder-template">
@@ -16,9 +17,59 @@
         <div class="main-container">
           <div class="main-details">
 
+            <div id="change-request-edit-form" ></div>
+
+              <script data-lift="with-nonce">
+                  var hasWriteRights = false;
+              </script>
+              <lift:authz role="deployer_write">
+                  <script data-lift="with-nonce">
+                      hasWriteRights = true;
+                  </script>
+              </lift:authz>
+              <lift:authz role="deployer_edit">
+                  <script data-lift="with-nonce">
+                      hasWriteRights = true;
+                  </script>
+              </lift:authz>
+              <lift:authz role="validator_write">
+                  <script data-lift="with-nonce">
+                      hasWriteRights = true;
+                  </script>
+              </lift:authz>
+              <lift:authz role="validator_edit">
+                  <script data-lift="with-nonce">
+                      hasWriteRights = true;
+                  </script>
+              </lift:authz>
+
+            <script data-lift="with-nonce">
+            $(document).ready(function () {
+              var main = document.getElementById("change-request-edit-form");
+              var initValues = {
+                contextPath: contextPath,
+                hasWriteRights : hasWriteRights
+              };
+              var app = Elm.ChangeRequestEditForm.init({node: main, flags: initValues});
+              app.ports.errorNotification.subscribe(function (str) {
+                createErrorNotification(str)
+              });
+              app.ports.successNotification.subscribe(function(str) {
+                createSuccessNotification(str)
+              });
+              var path = window.location.pathname.split("/")
+              if (path.length > 2) {
+                var id = path[path.length -1];
+                app.ports.readUrl.send(id);
+              }
+            });
+            </script>
+
+            <!--
             <div id="changeRequestDetails">
               <div class="lift:ChangeRequestDetails.details"></div>
             </div>
+            -->
 
             <div id="warnOnUnmergeable">
               <div class="lift:ChangeRequestDetails.warnUnmergeable"></div>
diff --git a/change-validation/src/main/resources/toserve/changevalidation/change-validation.js b/change-validation/src/main/resources/toserve/changevalidation/change-validation.js
index 158ee3b2a..56e3517b0 100644
--- a/change-validation/src/main/resources/toserve/changevalidation/change-validation.js
+++ b/change-validation/src/main/resources/toserve/changevalidation/change-validation.js
@@ -57,7 +57,7 @@ function createChangeRequestTable(gridId, data, contextPath, refresh) {
         $(nTd).empty();
         $(nTd).addClass("link");
         var editLink = $("<a/>");
-        editLink.attr("href",contextPath +'/secure/plugins/changes/changeRequest/'+sData);
+        editLink.attr("href",contextPath +'/secure/configurationManager/changes/changeRequest/'+sData);
         editLink.text(sData);
         $(nTd).append(editLink);
       }
@@ -73,7 +73,7 @@ function createChangeRequestTable(gridId, data, contextPath, refresh) {
         $(nTd).empty();
         $(nTd).addClass("link");
         var editLink = $("<a/>");
-        editLink.attr("href",contextPath +'/secure/plugins/changes/changeRequest/'+oData.id);
+        editLink.attr("href",contextPath +'/secure/configurationManager/changes/changeRequest/'+oData.id);
         editLink.text(sData);
         $(nTd).append(editLink);
       }
diff --git a/change-validation/src/main/scala-templates/default/com/normation/plugins/changevalidation/EnablePluginImpl.scala b/change-validation/src/main/scala-templates/default/com/normation/plugins/changevalidation/EnablePluginImpl.scala
index 047ed8707..a97af0bab 100644
--- a/change-validation/src/main/scala-templates/default/com/normation/plugins/changevalidation/EnablePluginImpl.scala
+++ b/change-validation/src/main/scala-templates/default/com/normation/plugins/changevalidation/EnablePluginImpl.scala
@@ -38,10 +38,10 @@
 package com.normation.plugins.changevalidation
 
 import com.normation.plugins.PluginEnableImpl
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 
 /*
  * The class will be loaded by ServiceLoader, it needs an empty constructor.
  */
 
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends PluginEnableImpl
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends PluginEnableImpl
diff --git a/change-validation/src/main/scala-templates/limited/com/normation/plugins/changevalidation/EnablePluginImpl.scala b/change-validation/src/main/scala-templates/limited/com/normation/plugins/changevalidation/EnablePluginImpl.scala
index a250f3692..be78c4fd5 100644
--- a/change-validation/src/main/scala-templates/limited/com/normation/plugins/changevalidation/EnablePluginImpl.scala
+++ b/change-validation/src/main/scala-templates/limited/com/normation/plugins/changevalidation/EnablePluginImpl.scala
@@ -38,7 +38,7 @@
 package com.normation.plugins.changevalidation
 
 import com.normation.plugins.LicensedPluginCheck
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 import com.normation.zio.*
 
 /*
@@ -48,12 +48,12 @@ import com.normation.zio.*
  *
  * The class will be loaded by ServiceLoader, it needs an empty constructor.
  */
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends LicensedPluginCheck {
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends LicensedPluginCheck {
   // here are processed variables
   def pluginResourcePublickey = "${plugin-resource-publickey}"
   def pluginResourceLicense   = "${plugin-resource-license}"
   def pluginDeclaredVersion   = "${plugin-declared-version}"
   def pluginId                = "${plugin-fullname}"
 
-  override def getNumberOfNodes: Int = nodeInfoService.getNumberOfManagedNodes.runNow
+  override def getNumberOfNodes: Int = nodeFactRepo.getNumberOfManagedNodes().runNow
 }
diff --git a/change-validation/src/main/scala/bootstrap/rudder/plugin/ChangeValidationConf.scala b/change-validation/src/main/scala/bootstrap/rudder/plugin/ChangeValidationConf.scala
index ffe4b00f9..f3c0e4d93 100644
--- a/change-validation/src/main/scala/bootstrap/rudder/plugin/ChangeValidationConf.scala
+++ b/change-validation/src/main/scala/bootstrap/rudder/plugin/ChangeValidationConf.scala
@@ -41,7 +41,7 @@ import bootstrap.liftweb.RudderConfig
 import bootstrap.liftweb.RudderConfig.commitAndDeployChangeRequest
 import bootstrap.liftweb.RudderConfig.doobie
 import bootstrap.liftweb.RudderConfig.workflowLevelService
-import com.normation.box.*
+import com.normation.errors.IOResult
 import com.normation.eventlog.EventActor
 import com.normation.plugins.PluginStatus
 import com.normation.plugins.RudderPluginModule
@@ -71,6 +71,9 @@ import com.normation.plugins.changevalidation.api.SupervisedTargetsApi
 import com.normation.plugins.changevalidation.api.SupervisedTargetsApiImpl
 import com.normation.plugins.changevalidation.api.ValidatedUserApi
 import com.normation.plugins.changevalidation.api.ValidatedUserApiImpl
+import com.normation.plugins.changevalidation.api.WorkflowInternalApi
+import com.normation.plugins.changevalidation.api.WorkflowInternalApiImpl
+import com.normation.plugins.changevalidation.extension.ChangeValidationTab
 import com.normation.rudder.domain.nodes.NodeGroupId
 import com.normation.rudder.domain.policies.DirectiveUid
 import com.normation.rudder.domain.policies.RuleUid
@@ -87,8 +90,7 @@ import com.normation.rudder.services.workflows.WorkflowLevelService
 import com.normation.rudder.services.workflows.WorkflowService
 import com.normation.zio.UnsafeRun
 import java.nio.file.Paths
-import net.liftweb.common.Box
-import net.liftweb.common.Full
+import zio.syntax.ToZio
 
 /*
  * The validation workflow level
@@ -98,15 +100,15 @@ class ChangeValidationWorkflowLevelService(
     defaultWorkflowService:    WorkflowService,
     validationWorkflowService: TwoValidationStepsWorkflowServiceImpl,
     validationNeeded:          Seq[ValidationNeeded],
-    workflowEnabledByUser:     () => Box[Boolean],
-    alwaysNeedValidation:      () => Box[Boolean],
+    workflowEnabledByUser:     () => IOResult[Boolean],
+    alwaysNeedValidation:      () => IOResult[Boolean],
     validatedUserRepo:         RoValidatedUserRepository
 ) extends WorkflowLevelService {
 
   override def workflowLevelAllowsEnable: Boolean = status.isEnabled()
 
   override def workflowEnabled: Boolean = {
-    workflowLevelAllowsEnable && workflowEnabledByUser().getOrElse(false)
+    workflowLevelAllowsEnable && workflowEnabledByUser().orElseSucceed(false).runNow
   }
   override def name:            String  = "Change Request Validation Workflows"
 
@@ -116,7 +118,7 @@ class ChangeValidationWorkflowLevelService(
    * return the correct workflow given the "needed" check. Also check
    * for the actual status of workflow to decide what workflow to use.
    */
-  private[this] def getWorkflow(shouldBeNeeded: Box[Boolean]): Box[WorkflowService] = {
+  private[this] def getWorkflow(shouldBeNeeded: IOResult[Boolean]): IOResult[WorkflowService] = {
     for {
       need <- shouldBeNeeded
     } yield {
@@ -132,19 +134,19 @@ class ChangeValidationWorkflowLevelService(
    * Method to use to combine several validationNeeded check.
    * Note that a validated user will prevent workflow to be performed, no other validationNeeded check will be executed
    */
-  def combine[T](
-      checkFn: (ValidationNeeded, EventActor, T) => Box[Boolean],
+  private def combine[T](
+      checkFn: (ValidationNeeded, EventActor, T) => IOResult[Boolean],
       checks:  Seq[ValidationNeeded],
       actor:   EventActor,
       change:  T
-  ): Box[WorkflowService] = {
+  ): IOResult[WorkflowService] = {
     def getWorkflowAux = {
       // When we "always need validation", we ignore all validationNeeded checks, otherwise we validate using these checks
       getWorkflow(validationNeeded.foldLeft(alwaysNeedValidation()) {
         case (shouldValidate, nextCheck) =>
           shouldValidate.flatMap {
             // logic is "or": if previous should validate is true, don't check following
-            case true  => Full(true)
+            case true  => true.succeed
             case false => checkFn(nextCheck, actor, change)
           }
       })
@@ -161,47 +163,46 @@ class ChangeValidationWorkflowLevelService(
     validatedUserRepo
       .get(actor)
       .chainError("Could get user from validated user list when checking validation workflow")
-      .toBox
       .flatMap {
-        case Some(e) => getWorkflow(Full(false))
+        case Some(e) => getWorkflow(false.succeed)
         case None    => getWorkflowAux
       }
   }
 
-  override def getForRule(actor: EventActor, change: RuleChangeRequest):               Box[WorkflowService] = {
+  override def getForRule(actor: EventActor, change: RuleChangeRequest):               IOResult[WorkflowService] = {
     combine[RuleChangeRequest]((v, a, c) => v.forRule(a, c), validationNeeded, actor, change)
   }
-  override def getForDirective(actor: EventActor, change: DirectiveChangeRequest):     Box[WorkflowService] = {
+  override def getForDirective(actor: EventActor, change: DirectiveChangeRequest):     IOResult[WorkflowService] = {
     combine[DirectiveChangeRequest]((v, a, c) => v.forDirective(a, c), validationNeeded, actor, change)
   }
-  override def getForNodeGroup(actor: EventActor, change: NodeGroupChangeRequest):     Box[WorkflowService] = {
+  override def getForNodeGroup(actor: EventActor, change: NodeGroupChangeRequest):     IOResult[WorkflowService] = {
     combine[NodeGroupChangeRequest]((v, a, c) => v.forNodeGroup(a, c), validationNeeded, actor, change)
   }
-  override def getForGlobalParam(actor: EventActor, change: GlobalParamChangeRequest): Box[WorkflowService] = {
+  override def getForGlobalParam(actor: EventActor, change: GlobalParamChangeRequest): IOResult[WorkflowService] = {
     combine[GlobalParamChangeRequest]((v, a, c) => v.forGlobalParam(a, c), validationNeeded, actor, change)
   }
 
-  override def getByDirective(uid: DirectiveUid, onlyPending: Boolean): Box[Vector[ChangeRequest]] = {
+  override def getByDirective(uid: DirectiveUid, onlyPending: Boolean): IOResult[Vector[ChangeRequest]] = {
     if (workflowEnabled) {
       validationWorkflowService.roChangeRequestRepository.getByDirective(uid, onlyPending)
     } else {
-      Full(Vector())
+      Vector().succeed
     }
   }
 
-  override def getByNodeGroup(id: NodeGroupId, onlyPending: Boolean): Box[Vector[ChangeRequest]] = {
+  override def getByNodeGroup(id: NodeGroupId, onlyPending: Boolean): IOResult[Vector[ChangeRequest]] = {
     if (workflowEnabled) {
       validationWorkflowService.roChangeRequestRepository.getByNodeGroup(id, onlyPending)
     } else {
-      Full(Vector())
+      Vector().succeed
     }
   }
 
-  override def getByRule(id: RuleUid, onlyPending: Boolean): Box[Vector[ChangeRequest]] = {
+  override def getByRule(id: RuleUid, onlyPending: Boolean): IOResult[Vector[ChangeRequest]] = {
     if (workflowEnabled) {
       validationWorkflowService.roChangeRequestRepository.getByRule(id, onlyPending)
     } else {
-      Full(Vector())
+      Vector().succeed
     }
   }
 }
@@ -226,7 +227,7 @@ object ChangeValidationConf extends RudderPluginModule {
     "/opt/rudder/etc/plugins/change-validation.conf"
   )
   // by build convention, we have only one of that on the classpath
-  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeInfoService)
+  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeFactRepository)
 
   lazy val roWorkflowRepository = new RoWorkflowJdbcRepository(RudderConfig.doobie)
   lazy val woWorkflowRepository = new WoWorkflowJdbcRepository(RudderConfig.doobie)
@@ -243,9 +244,9 @@ object ChangeValidationConf extends RudderPluginModule {
     woChangeRequestRepository,
     notificationService,
     RudderConfig.userService,
-    () => Full(RudderConfig.workflowLevelService.workflowEnabled),
-    () => RudderConfig.configService.rudder_workflow_self_validation().toBox,
-    () => RudderConfig.configService.rudder_workflow_self_deployment().toBox
+    () => RudderConfig.workflowLevelService.workflowEnabled.succeed,
+    () => RudderConfig.configService.rudder_workflow_self_validation(),
+    () => RudderConfig.configService.rudder_workflow_self_deployment()
   )
 
   lazy val unsupervisedTargetRepo = new UnsupervisedTargetsRepository(
@@ -289,8 +290,8 @@ object ChangeValidationConf extends RudderPluginModule {
           RudderConfig.nodeFactRepository
         )
       ),
-      () => RudderConfig.configService.rudder_workflow_enabled().toBox,
-      () => RudderConfig.configService.rudder_workflow_validate_all().toBox,
+      () => RudderConfig.configService.rudder_workflow_enabled(),
+      () => RudderConfig.configService.rudder_workflow_validate_all(),
       roValidatedUserRepository
     )
   )
@@ -320,16 +321,21 @@ object ChangeValidationConf extends RudderPluginModule {
       roValidatedUserRepository,
       woValidatedUserRepository
     )
+    val api4 = new WorkflowInternalApiImpl(
+      roWorkflowRepository,
+      RudderConfig.userService
+    )
     new LiftApiModuleProvider[EndpointSchema] {
       override def schemas: ApiModuleProvider[EndpointSchema] = new ApiModuleProvider[EndpointSchema] {
         override def endpoints: List[EndpointSchema] =
-          ValidatedUserApi.endpoints ::: SupervisedTargetsApi.endpoints ::: ChangeRequestApi.endpoints
+          ValidatedUserApi.endpoints ::: SupervisedTargetsApi.endpoints ::: ChangeRequestApi.endpoints ::: WorkflowInternalApi.endpoints
       }
 
       override def getLiftEndpoints(): List[LiftApiModule] =
-        api1.getLiftEndpoints() ::: api2.getLiftEndpoints() ::: api3.getLiftEndpoints()
+        api1.getLiftEndpoints() ::: api2.getLiftEndpoints() ::: api3.getLiftEndpoints() ::: api4.getLiftEndpoints()
     }
   }
 
   RudderConfig.snippetExtensionRegister.register(new TopBarExtension(pluginStatusService))
+  RudderConfig.snippetExtensionRegister.register(new ChangeValidationTab(pluginDef.status))
 }
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeRequestJdbcRepository.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeRequestJdbcRepository.scala
index ad53ab95b..a5b8ae6eb 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeRequestJdbcRepository.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeRequestJdbcRepository.scala
@@ -37,7 +37,12 @@
 
 package com.normation.plugins.changevalidation
 
+import cats.Show
 import cats.data.NonEmptyList
+import cats.implicits.toBifunctorOps
+import cats.syntax.applicative.*
+import cats.syntax.applicativeError.*
+import cats.syntax.functor.*
 import cats.syntax.reducible.*
 import com.normation.errors.*
 import com.normation.eventlog.EventActor
@@ -45,12 +50,18 @@ import com.normation.eventlog.ModificationId
 import com.normation.rudder.db.Doobie
 import com.normation.rudder.db.Doobie.*
 import com.normation.rudder.domain.nodes.NodeGroupId
+import com.normation.rudder.domain.policies.DirectiveId
 import com.normation.rudder.domain.policies.DirectiveUid
+import com.normation.rudder.domain.policies.RuleId
 import com.normation.rudder.domain.policies.RuleUid
 import com.normation.rudder.domain.workflows.ChangeRequest
 import com.normation.rudder.domain.workflows.ChangeRequestId
 import com.normation.rudder.domain.workflows.ChangeRequestInfo
 import com.normation.rudder.domain.workflows.ConfigurationChangeRequest
+import com.normation.rudder.domain.workflows.DirectiveChanges
+import com.normation.rudder.domain.workflows.GlobalParameterChanges
+import com.normation.rudder.domain.workflows.NodeGroupChanges
+import com.normation.rudder.domain.workflows.RuleChanges
 import com.normation.rudder.domain.workflows.WorkflowNodeId
 import com.normation.rudder.services.marshalling.ChangeRequestChangesSerialisation
 import com.normation.rudder.services.marshalling.ChangeRequestChangesUnserialisation
@@ -58,11 +69,24 @@ import doobie.*
 import doobie.implicits.*
 import doobie.postgres.implicits.*
 import doobie.util.fragments
-import net.liftweb.common.*
+import net.liftweb.common.Box
+import net.liftweb.common.Full
 import net.liftweb.common.Loggable
 import org.joda.time.DateTime
 import scala.xml.Elem
 import zio.interop.catz.*
+import zio.syntax.*
+
+/**
+ * Change request from the database does not have a trivial mapping to the `ChangeRequest` structure :
+ * there is the XML content that needs to be validated, and in some cases (some APIs) we decide to 
+ * return the valid ones and ignore invalid ones.
+ * 
+ * So, the type here is used to create a Read that does not fail but contains the failure.
+ */
+sealed trait DbChangeRequest
+case class ChangeRequestWithSuccessXml(cr: ChangeRequest)  extends DbChangeRequest
+case class ChangeRequestWithInvalidXml(error: RudderError) extends DbChangeRequest
 
 trait RoChangeRequestJdbcRepositorySQL {
 
@@ -77,43 +101,72 @@ trait RoChangeRequestJdbcRepositorySQL {
 
   import changeRequestMapper.*
 
-  implicit val readCRWithState: Read[Box[(ChangeRequest, WorkflowNodeId)]] = {
-    Read[(Box[ChangeRequest], WorkflowNodeId)].map { case (cr, state) => cr.map((_, state)) }
+  implicit val ChangeRequestReadOpt: Read[DbChangeRequest] = {
+    Read[CR].map {
+      case (id, name, description, content, modId) =>
+        crcUnserialiser
+          .unserialise(content)
+          .chainError(s"Error when trying to get the content of the change request ${id}") match {
+          case Right((directivesMaps, nodesMaps, ruleMaps, paramMaps)) =>
+            ChangeRequestWithSuccessXml(
+              ConfigurationChangeRequest(
+                ChangeRequestId(id),
+                modId.map(ModificationId.apply),
+                ChangeRequestInfo(
+                  name.getOrElse(""),
+                  description.getOrElse("")
+                ),
+                directivesMaps,
+                nodesMaps,
+                ruleMaps,
+                paramMaps
+              )
+            )
+
+          case Left(err) =>
+            ChangeRequestWithInvalidXml(err)
+        }
+    }
   }
 
-  def getAllSQL: Query0[Box[ChangeRequest]] =
-    sql"SELECT id, name, description, content, modificationId FROM ChangeRequest".query[Box[ChangeRequest]]
+  def getAllSQL: Query0[DbChangeRequest] =
+    sql"SELECT id, name, description, content, modificationId FROM ChangeRequest".query[DbChangeRequest]
 
-  def getSQL(changeRequestId: ChangeRequestId): Query0[Box[ChangeRequest]] = {
+  def getSQL(changeRequestId: ChangeRequestId): Query0[ChangeRequest] = {
     sql"SELECT id, name, description, content, modificationId FROM ChangeRequest where id = ${changeRequestId}"
-      .query[Box[ChangeRequest]]
+      .query[ChangeRequest]
   }
 
-  def getByContributorSQL(actor: EventActor): Query0[Box[ChangeRequest]] = {
+  def getRawCRSQL(changeRequestId: ChangeRequestId): Query0[DbChangeRequest] = {
+    sql"SELECT id, name, description, content, modificationId FROM ChangeRequest where id = ${changeRequestId}"
+      .query[DbChangeRequest]
+  }
+
+  def getByContributorSQL(actor: EventActor): Query0[ChangeRequest] = {
     val actorName = Array(actor.name)
     sql"SELECT id, name, description, content, modificationId FROM ChangeRequest where cast( xpath('//firstChange/change/actor/text()',content) as character varying[]) = ${actorName}"
-      .query[Box[ChangeRequest]]
+      .query[ChangeRequest]
   }
 
   def getChangeRequestsByXpathContentSQL(
       xpath:        Fragment,
       shouldEquals: String,
       onlyPending:  Boolean
-  ): Query0[Box[ChangeRequest]] = {
+  ): Query0[ChangeRequest] = {
     val param = Array(shouldEquals)
     if (onlyPending) {
       sql"""SELECT CR.id, name, description, content, modificationId FROM changeRequest CR LEFT JOIN workflow W on CR.id = W.id where cast( xpath(${xpath}, content) as character varying[]) = ${param} and state like 'Pending%'"""
-        .query[Box[ChangeRequest]]
+        .query[ChangeRequest]
     } else {
       sql"""SELECT id, name, description, content, modificationId FROM ChangeRequest where cast( xpath(${xpath}, content) as character varying[]) = ${param}"""
-        .query[Box[ChangeRequest]]
+        .query[ChangeRequest]
     }
   }
 
   def getByFiltersSQL(
       statuses:       Option[NonEmptyList[WorkflowNodeId]],
       xpathWithValue: Option[(Fragment, String)] // (xpath, value)
-  ): Query0[Box[(ChangeRequest, WorkflowNodeId)]] = {
+  ): Query0[(ChangeRequest, WorkflowNodeId)] = {
     (fr"SELECT CR.id, CR.name, CR.description, CR.content, CR.modificationId, W.state FROM ChangeRequest CR LEFT JOIN workflow W on CR.id = W.id" ++
     fragments.whereAndOpt(
       statuses.map(fragments.in(fr"state", _)),
@@ -122,7 +175,7 @@ trait RoChangeRequestJdbcRepositorySQL {
           val param = Array(value)
           fr"cast( xpath(${xpath}, content) as character varying[]) = ${param}"
       }
-    )).query[Box[(ChangeRequest, WorkflowNodeId)]]
+    )).query[(ChangeRequest, WorkflowNodeId)]
   }
 
 }
@@ -154,59 +207,78 @@ class RoChangeRequestJdbcRepository(
   import doobie.*
 
   // utility method which correctly transform Doobie types towards Box[Vector[ChangeRequest]]
-  private[this] def execQuery(q: Query0[Box[ChangeRequest]]): Box[Vector[ChangeRequest]] = {
-    transactRunBox(xa => {
-      q.to[Vector]
-        .map(
-          // we are just ignoring change request with unserialisation
-          // error. Does not seem the best.
-          _.flatten.toVector
-        )
-        .transact(xa)
-    })
+  private[this] def execQuery(errMsg: String, q: Query0[ChangeRequest]): IOResult[Vector[ChangeRequest]] = {
+    transactIOResult(errMsg)(xa => { q.to[Vector].transact(xa) })
   }
 
-  override def getAll(): Box[Vector[ChangeRequest]] = {
-    execQuery(getAllSQL)
+  override def getAll(): IOResult[Vector[ChangeRequest]] = {
+    transactIOResult("errMsg")(xa => {
+      getAllSQL
+        .to[List]
+        .transact(xa)
+        .flatMap(vector => {
+          val (errors, success) = vector.partitionMap {
+            case ChangeRequestWithInvalidXml(err) => Left(err)
+            case ChangeRequestWithSuccessXml(suc) => Right(suc)
+          }
+
+          NonEmptyList
+            .fromList(errors)
+            .succeed
+            .tapSome {
+              case Some(errs) =>
+                ChangeValidationLoggerPure
+                  .warn(
+                    Chained("There are some errors getting all change requests", Accumulated(errs)).fullMsg
+                  )
+            }
+            .as(success.toVector)
+        })
+    })
   }
 
-  override def get(changeRequestId: ChangeRequestId): Box[Option[ChangeRequest]] = {
-    transactRunBox(xa => getSQL(changeRequestId).option.map(_.flatMap(_.toOption)).transact(xa))
+  override def get(changeRequestId: ChangeRequestId): IOResult[Option[ChangeRequest]] = {
+    transactIOResult(s"Could not get change request with id ${changeRequestId} in database")(xa =>
+      getSQL(changeRequestId).option.transact(xa)
+    )
   }
 
   // Get every change request where a user add a change
-  override def getByContributor(actor: EventActor): Box[Vector[ChangeRequest]] = {
-    execQuery(getByContributorSQL(actor))
+  override def getByContributor(actor: EventActor): IOResult[Vector[ChangeRequest]] = {
+    execQuery(s"Could not get change requests that were modified by ${actor.name} in database", getByContributorSQL(actor))
   }
 
-  override def getByDirective(id: DirectiveUid, onlyPending: Boolean): Box[Vector[ChangeRequest]] = {
+  override def getByDirective(id: DirectiveUid, onlyPending: Boolean): IOResult[Vector[ChangeRequest]] = {
     execQuery(
+      s"Could not get change requests for directive with id ${id.value} in database",
       getChangeRequestsByXpathContentSQL(
         directiveIdXPathFr,
         id.value,
         onlyPending
       )
-    ) ?~! s"could not fetch change request for directive with id ${id.value}"
+    )
   }
 
-  override def getByNodeGroup(id: NodeGroupId, onlyPending: Boolean): Box[Vector[ChangeRequest]] = {
+  override def getByNodeGroup(id: NodeGroupId, onlyPending: Boolean): IOResult[Vector[ChangeRequest]] = {
     execQuery(
+      s"Could not get change requests for group with id ${id.serialize} in database",
       getChangeRequestsByXpathContentSQL(
         groupIdXPathFr,
         id.serialize,
         onlyPending
       )
-    ) ?~! s"could not fetch change request for group with id ${id.serialize}"
+    )
   }
 
-  override def getByRule(id: RuleUid, onlyPending: Boolean): Box[Vector[ChangeRequest]] = {
+  override def getByRule(id: RuleUid, onlyPending: Boolean): IOResult[Vector[ChangeRequest]] = {
     execQuery(
+      s"Could not get change requests for rule with id ${id.value} in database",
       getChangeRequestsByXpathContentSQL(
         ruleIdXPathFr,
         id.value,
         onlyPending
       )
-    ) ?~! s"could not fetch change request for rule with id ${id.value}"
+    )
   }
 
   override def getByFilter(filter: ChangeRequestFilter): IOResult[Vector[(ChangeRequest, WorkflowNodeId)]] = {
@@ -225,22 +297,22 @@ class RoChangeRequestJdbcRepository(
         getByFiltersSQL(statuses.map(_.toNonEmptyList), by.map(getXPathWithValue))
     }
 
-    transactIOResult(errorMsg)(filteredQuery.to[Vector].map(_.flatten).transact(_))
+    transactIOResult(errorMsg)(filteredQuery.to[Vector].transact(_))
   }
 
 }
 
 class WoChangeRequestJdbcRepository(
-    doobie: Doobie,
-    mapper: ChangeRequestMapper,
-    roRepo: RoChangeRequestRepository
-) extends WoChangeRequestRepository with Loggable with WoChangeRequestJdbcRepositorySQL {
+    doobie:                           Doobie,
+    override val changeRequestMapper: ChangeRequestMapper,
+    roRepo:                           RoChangeRequestRepository
+) extends WoChangeRequestRepository with Loggable with WoChangeRequestJdbcRepositorySQL with RoChangeRequestJdbcRepositorySQL {
 
   import doobie.*
 
   // get the different part from a change request: name, description, content, modId
   private[this] def getAtom(cr: ChangeRequest): (Option[String], Option[String], Elem, Option[String]) = {
-    val xml   = mapper.crcSerialiser.serialise(cr)
+    val xml   = changeRequestMapper.crcSerialiser.serialise(cr)
     val name  = cr.info.name match {
       case "" => None
       case x  => Some(x)
@@ -259,29 +331,31 @@ class WoChangeRequestJdbcRepository(
    * The id is ignored, and a new one will be attributed
    * to the change request.
    */
-  def createChangeRequest(changeRequest: ChangeRequest, actor: EventActor, reason: Option[String]): Box[ChangeRequest] = {
+  def createChangeRequest(changeRequest: ChangeRequest, actor: EventActor, reason: Option[String]): IOResult[ChangeRequest] = {
 
     val (name, desc, xml, modId) = getAtom(changeRequest)
 
-    for {
-      id <- transactRunBox(xa => createChangeRequestSQL(name, desc, xml, modId).withUniqueGeneratedKeys[Int]("id").transact(xa))
-      cr <- roRepo.get(ChangeRequestId(id)).flatMap {
-              case None    =>
-                val msg = s"The newly saved change request with ID ${id} was not found back in data base"
-                ChangeValidationLogger.error(msg)
-                Failure(msg)
-              case Some(x) => Full(x)
-            }
-    } yield {
-      cr
-    }
+    transactIOResult[Option[ChangeRequest]](s"Could not create change request with id ${changeRequest.id} in database")(xa => {
+      (for {
+        id <- createChangeRequestSQL(name, desc, xml, modId).withUniqueGeneratedKeys[Int]("id")
+        cr <- getSQL(ChangeRequestId(id)).option
+      } yield {
+        cr
+      }).transact(xa)
+    })
+      .notOptional(s"The new change request cannot be saved in database")
+      .tapError(err => ChangeValidationLoggerPure.error(err.fullMsg))
   }
 
   /**
    * Delete a change request.
    * (whatever the read/write mode is).
    */
-  def deleteChangeRequest(changeRequestId: ChangeRequestId, actor: EventActor, reason: Option[String]): Box[ChangeRequest] = {
+  def deleteChangeRequest(
+      changeRequestId: ChangeRequestId,
+      actor:           EventActor,
+      reason:          Option[String]
+  ): IOResult[ChangeRequest] = {
     // we should update it rather, shouldn't we ?
     throw new IllegalArgumentException(
       "This a developer error. Please contact rudder developer, saying that they call unemplemented deleteChangeRequest"
@@ -289,34 +363,31 @@ class WoChangeRequestJdbcRepository(
   }
 
   /**
-   * Update a change request. The change request must exists.
+   * Update a change request. The change request must exist.
    */
-  def updateChangeRequest(changeRequest: ChangeRequest, actor: EventActor, reason: Option[String]): Box[ChangeRequest] = {
+  def updateChangeRequest(changeRequest: ChangeRequest, actor: EventActor, reason: Option[String]): IOResult[ChangeRequest] = {
     // no transaction between steps, because we don't actually use anything in the existing change request
-
-    for {
-      cr      <- roRepo.get(changeRequest.id)
-      ok      <- cr match {
-                   case None    =>
-                     val msg = s"Cannot update non-existent Change Request with id ${changeRequest.id.value}"
-                     ChangeValidationLogger.warn(msg)
-                     Failure(msg)
-                   case Some(x) => Full("ok")
-                 }
-      update  <- {
-        val (name, desc, xml, modId) = getAtom(changeRequest)
-        transactRunBox(xa => updateChangeRequestSQL(name, desc, xml, modId, changeRequest.id).run.transact(xa))
+    val process = {
+      for {
+        exists <- getRawCRSQL(changeRequest.id).option
+        _      <- exists match {
+                    case None    =>
+                      val msg =
+                        s"Change Request with id ${changeRequest.id.value} was not found in database"
+                      new IllegalArgumentException(msg).raiseError[ConnectionIO, Unit]
+                    case Some(_) =>
+                      val (name, desc, xml, modId) = getAtom(changeRequest)
+                      updateChangeRequestSQL(name, desc, xml, modId, changeRequest.id).run.void
+                  }
+      } yield {
+        changeRequest
       }
-      updated <- roRepo.get(changeRequest.id).flatMap {
-                   case None    =>
-                     val msg = s"Couldn't find the updated entry when updating Change Request ${changeRequest.id.value}"
-                     ChangeValidationLogger.error(msg)
-                     Failure(msg)
-                   case Some(x) => Full(x)
-                 }
-    } yield {
-      updated
     }
+
+    transactIOResult(
+      s"Could not update change request with id ${changeRequest.id.value} in database"
+    )(xa => process.transact(xa))
+      .tapError(err => ChangeValidationLoggerPure.error(err.fullMsg))
   }
 }
 
@@ -329,48 +400,6 @@ class ChangeRequestMapper(
   // id, name, description, content, modificationId
   type CR = (Int, Option[String], Option[String], Elem, Option[String])
 
-  // unserialize the XML.
-  // If it fails, produce a failure
-  // directives map is boxed because some Exception could be launched
-  def unserialize(
-      id:          Int,
-      name:        Option[String],
-      description: Option[String],
-      content:     Elem,
-      modId:       Option[String]
-  ): Box[ChangeRequest] = {
-    crcUnserialiser.unserialise(content) match {
-      case Full((directivesMaps, nodesMaps, ruleMaps, paramMaps)) =>
-        directivesMaps match {
-          case Full(map) =>
-            Full(
-              ConfigurationChangeRequest(
-                ChangeRequestId(id),
-                modId.map(ModificationId.apply),
-                ChangeRequestInfo(
-                  name.getOrElse(""),
-                  description.getOrElse("")
-                ),
-                map,
-                nodesMaps,
-                ruleMaps,
-                paramMaps
-              )
-            )
-
-          case eb: EmptyBox =>
-            val fail = eb ?~! s"could not deserialize directive change of change request #${id} cause is: ${eb}"
-            ChangeValidationLogger.error(fail)
-            fail
-        }
-
-      case eb: EmptyBox =>
-        val fail = eb ?~! s"Error when trying to get the content of the change request ${id} : ${eb}"
-        ChangeValidationLogger.error(fail.msg)
-        fail
-    }
-  }
-
   def serialize(optCR: Box[ChangeRequest]): CR = {
     optCR match {
       case Full(cr) =>
@@ -391,7 +420,44 @@ class ChangeRequestMapper(
     }
   }
 
-  implicit val ChangeRequestRead: Read[Box[ChangeRequest]] = {
-    Read[CR].map((t: CR) => unserialize(t._1, t._2, t._3, t._4, t._5))
+  type ElemXml = (
+      Map[DirectiveId, DirectiveChanges],
+      Map[NodeGroupId, NodeGroupChanges],
+      Map[RuleId, RuleChanges],
+      Map[String, GlobalParameterChanges]
+  )
+
+  implicit val ElemShow: Show[Elem] = {
+    Show.show(e => e.toString())
+  }
+
+  implicit val ElemXmlGet: Get[ElemXml] = XmlMeta.get.temap(content => {
+    crcUnserialiser
+      .unserialise(content)
+      .leftMap(err => Chained("Could not get content column from change request ", err).fullMsg)
+  })
+
+  implicit val ChangeRequestShow: Show[CR] = {
+    Show.show(cr => s"( id : ${cr._1}, name : ${cr._2}, description : ${cr._3}, content : ${cr._4}, modificationId : ${cr._5} ")
+  }
+
+  implicit val ChangeRequestRead: Read[ChangeRequest] = {
+
+    Read[(Int, Option[String], Option[String], ElemXml, Option[String])].map {
+
+      case (id, name, description, (directivesMaps, nodesMaps, ruleMaps, paramMaps), modId) =>
+        ConfigurationChangeRequest(
+          ChangeRequestId(id),
+          modId.map(ModificationId.apply),
+          ChangeRequestInfo(
+            name.getOrElse(""),
+            description.getOrElse("")
+          ),
+          directivesMaps,
+          nodesMaps,
+          ruleMaps,
+          paramMaps
+        )
+    }
   }
 }
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeRequestJson.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeRequestJson.scala
index 35fbfa572..5a6d20e29 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeRequestJson.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeRequestJson.scala
@@ -85,6 +85,7 @@ import com.normation.rudder.domain.properties.PropertyProvider
 import com.normation.rudder.domain.queries.Query
 import com.normation.rudder.domain.workflows.ChangeRequest
 import com.normation.rudder.domain.workflows.ChangeRequestId
+import com.normation.rudder.domain.workflows.ChangeRequestInfo
 import com.normation.rudder.domain.workflows.ConfigurationChangeRequest
 import com.normation.rudder.domain.workflows.DirectiveChange
 import com.normation.rudder.domain.workflows.DirectiveChanges
@@ -101,9 +102,6 @@ import io.scalaland.chimney.PartialTransformer
 import io.scalaland.chimney.Transformer
 import io.scalaland.chimney.partial.Result
 import io.scalaland.chimney.syntax.*
-import net.liftweb.common.Empty
-import net.liftweb.common.Failure
-import net.liftweb.common.Full
 import scala.util.Try
 import zio.Chunk
 import zio.NonEmptyChunk
@@ -198,6 +196,48 @@ object ChangeRequestJson {
   }
 }
 
+final case class ChangeRequestInfoJson(
+    name:        Option[String],
+    description: Option[String]
+) {
+
+  def updateCrInfo(crInfo: ChangeRequestInfo): ChangeRequestInfo = {
+    crInfo.copy(
+      name = name.getOrElse(crInfo.name),
+      description = description.getOrElse(crInfo.description)
+    )
+  }
+}
+
+object ChangeRequestInfoJson {
+  implicit val decoder: JsonDecoder[ChangeRequestInfoJson] = DeriveJsonDecoder.gen[ChangeRequestInfoJson]
+}
+
+/**
+ * Class that represents the number of change requests that are currently in a "pending" status, i.e.
+ * "Pending validation" and "Pending deployment" respectively.
+ * Both fields are optional : either field will be present if and only if the user who made the request has
+ * the required authorization type, i.e. Validator.Read, and Deployer.Read authorizations respectively.
+ *
+ * @param pendingValidation the current number of change requests that have the "Pending validation" status
+ * @param pendingDeployment the current number of change requests that have the "Pending deployment" status
+ */
+final case class PendingCountJson(
+    pendingValidation: Option[Long],
+    pendingDeployment: Option[Long]
+)
+
+object PendingCountJson {
+  implicit val encoder: JsonEncoder[PendingCountJson] = DeriveJsonEncoder.gen[PendingCountJson]
+
+  def from(map: Map[WorkflowNodeId, Long]): PendingCountJson = {
+    PendingCountJson(
+      map.get(TwoValidationStepsWorkflowServiceImpl.Validation.id),
+      map.get(TwoValidationStepsWorkflowServiceImpl.Deployment.id)
+    )
+  }
+}
+
 @jsonDiscriminator("action") sealed trait ActionChangeJson {
   def name: String = this match {
     case ActionChangeJson.create => "create"
@@ -355,7 +395,7 @@ object DirectiveChangeJson {
       technique:   Technique,
       diffService: DiffService
   ): PartialTransformer[ModifyToDirectiveDiff, DirectiveModifyChangeJson] = {
-    case (ModifyToDirectiveDiff(techniqueName, directive, rootSection), _) =>
+    case (ModifyToDirectiveDiff(_, directive, rootSection), _) =>
       val result = change.initialState match {
         case Some((techniqueName, initialState, section @ Some(initialRootSection))) =>
           val diff = diffService.diffDirective(initialState, section, directive, rootSection, techniqueName)
@@ -414,10 +454,11 @@ object DirectiveChangeActionJson {
           case d: DirectiveDeleteChangeJson => DirectiveChangeActionJson(ActionChangeJson.delete, d)
           case d: DirectiveModifyChangeJson => DirectiveChangeActionJson(ActionChangeJson.modify, d)
         }) match {
-        case Empty                          =>
-          Result.fromErrorString(s"Error while serializing directives from CR ${change.firstChange.diff.directive.id.serialize}")
-        case Failure(msg, exception, chain) => Result.fromErrorString(msg)
-        case Full(value)                    => value
+        case Left(err)    =>
+          Result.fromErrorString(
+            s"Error while serializing directives from CR ${change.firstChange.diff.directive.id.serialize}: ${err.msg}"
+          )
+        case Right(value) => value
       }
   }
 
@@ -545,10 +586,11 @@ object RuleChangeActionJson {
           case d: RuleDeleteChangeJson => RuleChangeActionJson(ActionChangeJson.delete, d)
           case d: RuleModifyChangeJson => RuleChangeActionJson(ActionChangeJson.modify, d)
         }) match {
-        case Empty                          =>
-          Result.fromErrorString(s"Error while serializing rules from CR ${change.firstChange.diff.rule.id.serialize}")
-        case Failure(msg, exception, chain) => Result.fromErrorString(msg)
-        case Full(value)                    => value
+        case Left(err)    =>
+          Result.fromErrorString(
+            s"Error while serializing rules from CR ${change.firstChange.diff.rule.id.serialize}: ${err.msg}"
+          )
+        case Right(value) => value
       }
   }
 
@@ -749,10 +791,11 @@ object GroupChangeActionJson {
           case d: GroupDeleteChangeJson => GroupChangeActionJson(ActionChangeJson.delete, d)
           case d: GroupModifyChangeJson => GroupChangeActionJson(ActionChangeJson.modify, d)
         }) match {
-        case Empty                          =>
-          Result.fromErrorString(s"Error while serializing group from CR ${change.firstChange.diff.group.id.serialize}")
-        case Failure(msg, exception, chain) => Result.fromErrorString(msg)
-        case Full(value)                    => value
+        case Left(err)    =>
+          Result.fromErrorString(
+            s"Error while serializing group from CR ${change.firstChange.diff.group.id.serialize}: ${err.msg}"
+          )
+        case Right(value) => value
       }
   }
 
@@ -863,10 +906,11 @@ object GlobalParameterChangeActionJson {
           case d: GlobalParameterDeleteChangeJson => GlobalParameterChangeActionJson(ActionChangeJson.delete, d)
           case d: GlobalParameterModifyChangeJson => GlobalParameterChangeActionJson(ActionChangeJson.modify, d)
         }) match {
-        case Empty                          =>
-          Result.fromErrorString(s"Error while serializing global parameter from CR ${change.firstChange.diff.parameter.name}")
-        case Failure(msg, exception, chain) => Result.fromErrorString(msg)
-        case Full(value)                    => value
+        case Left(err)    =>
+          Result.fromErrorString(
+            s"Error while serializing global parameter from CR ${change.firstChange.diff.parameter.name}: ${err.msg}"
+          )
+        case Right(value) => value
       }
   }
 
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeRequestRepository.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeRequestRepository.scala
index 90aa125ae..aa321fd56 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeRequestRepository.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeRequestRepository.scala
@@ -45,24 +45,23 @@ import com.normation.rudder.domain.policies.RuleUid
 import com.normation.rudder.domain.workflows.ChangeRequest
 import com.normation.rudder.domain.workflows.ChangeRequestId
 import com.normation.rudder.domain.workflows.WorkflowNodeId
-import net.liftweb.common.Box
 
 /**
  * Read access to change request
  */
 trait RoChangeRequestRepository {
 
-  def getAll(): Box[Vector[ChangeRequest]]
+  def getAll(): IOResult[Vector[ChangeRequest]]
 
-  def get(changeRequestId: ChangeRequestId): Box[Option[ChangeRequest]]
+  def get(changeRequestId: ChangeRequestId): IOResult[Option[ChangeRequest]]
 
-  def getByDirective(id: DirectiveUid, onlyPending: Boolean): Box[Vector[ChangeRequest]]
+  def getByDirective(id: DirectiveUid, onlyPending: Boolean): IOResult[Vector[ChangeRequest]]
 
-  def getByNodeGroup(id: NodeGroupId, onlyPending: Boolean): Box[Vector[ChangeRequest]]
+  def getByNodeGroup(id: NodeGroupId, onlyPending: Boolean): IOResult[Vector[ChangeRequest]]
 
-  def getByRule(id: RuleUid, onlyPending: Boolean): Box[Vector[ChangeRequest]]
+  def getByRule(id: RuleUid, onlyPending: Boolean): IOResult[Vector[ChangeRequest]]
 
-  def getByContributor(actor: EventActor): Box[Vector[ChangeRequest]]
+  def getByContributor(actor: EventActor): IOResult[Vector[ChangeRequest]]
 
   def getByFilter(filter: ChangeRequestFilter): IOResult[Vector[(ChangeRequest, WorkflowNodeId)]]
 
@@ -72,35 +71,30 @@ trait RoChangeRequestRepository {
  * A proxy implementation simply delegating to either A or B implementation
  */
 class EitherRoChangeRequestRepository(
-    cond:      () => Box[Boolean],
+    cond:      () => IOResult[Boolean],
     whenTrue:  RoChangeRequestRepository,
     whenFalse: RoChangeRequestRepository
 ) extends RoChangeRequestRepository {
 
-  // remove some boilerplate to make following proxy implementation more readable, just exposing the actual method to call
-  private[this] def condApply[T](method: RoChangeRequestRepository => Box[T]): Box[T] = {
-    cond().flatMap(if (_) method(whenTrue) else method(whenFalse))
-  }
-
   private[this] def condApply[T](method: RoChangeRequestRepository => IOResult[T]): IOResult[T] = {
-    cond().toIO.flatMap(if (_) method(whenTrue) else method(whenFalse))
+    cond().flatMap(if (_) method(whenTrue) else method(whenFalse))
   }
 
-  def getAll(): Box[Vector[ChangeRequest]] = condApply(_.getAll())
+  def getAll(): IOResult[Vector[ChangeRequest]] = condApply(_.getAll())
 
-  def get(changeRequestId: ChangeRequestId): Box[Option[ChangeRequest]] = condApply(_.get(changeRequestId))
+  def get(changeRequestId: ChangeRequestId): IOResult[Option[ChangeRequest]] = condApply(_.get(changeRequestId))
 
-  def getByDirective(id: DirectiveUid, onlyPending: Boolean): Box[Vector[ChangeRequest]] = condApply(
+  def getByDirective(id: DirectiveUid, onlyPending: Boolean): IOResult[Vector[ChangeRequest]] = condApply(
     _.getByDirective(id, onlyPending)
   )
 
-  def getByNodeGroup(id: NodeGroupId, onlyPending: Boolean): Box[Vector[ChangeRequest]] = condApply(
+  def getByNodeGroup(id: NodeGroupId, onlyPending: Boolean): IOResult[Vector[ChangeRequest]] = condApply(
     _.getByNodeGroup(id, onlyPending)
   )
 
-  def getByRule(id: RuleUid, onlyPending: Boolean): Box[Vector[ChangeRequest]] = condApply(_.getByRule(id, onlyPending))
+  def getByRule(id: RuleUid, onlyPending: Boolean): IOResult[Vector[ChangeRequest]] = condApply(_.getByRule(id, onlyPending))
 
-  def getByContributor(actor: EventActor): Box[Vector[ChangeRequest]] = condApply(_.getByContributor(actor))
+  def getByContributor(actor: EventActor): IOResult[Vector[ChangeRequest]] = condApply(_.getByContributor(actor))
 
   def getByFilter(filter: ChangeRequestFilter): IOResult[Vector[(ChangeRequest, WorkflowNodeId)]] = condApply(
     _.getByFilter(filter)
@@ -117,7 +111,7 @@ trait WoChangeRequestRepository {
    * The id is ignored, and a new one will be attributed
    * to the change request.
    */
-  def createChangeRequest(changeRequest: ChangeRequest, actor: EventActor, reason: Option[String]): Box[ChangeRequest]
+  def createChangeRequest(changeRequest: ChangeRequest, actor: EventActor, reason: Option[String]): IOResult[ChangeRequest]
 
   /**
    * Update a change request. The change request must not
@@ -126,13 +120,13 @@ trait WoChangeRequestRepository {
    * will be ignore), an explicit call to setWriteOnly must be
    * done for that.
    */
-  def updateChangeRequest(changeRequest: ChangeRequest, actor: EventActor, reason: Option[String]): Box[ChangeRequest]
+  def updateChangeRequest(changeRequest: ChangeRequest, actor: EventActor, reason: Option[String]): IOResult[ChangeRequest]
 
   /**
    * Delete a change request.
    * (whatever the read/write mode is).
    */
-  def deleteChangeRequest(changeRequestId: ChangeRequestId, actor: EventActor, reason: Option[String]): Box[ChangeRequest]
+  def deleteChangeRequest(changeRequestId: ChangeRequestId, actor: EventActor, reason: Option[String]): IOResult[ChangeRequest]
 
 }
 
@@ -140,23 +134,27 @@ trait WoChangeRequestRepository {
  * Again, a proxy forwarding to an implementation based on a runtime property
  */
 class EitherWoChangeRequestRepository(
-    cond:      () => Box[Boolean],
+    cond:      () => IOResult[Boolean],
     whenTrue:  WoChangeRequestRepository,
     whenFalse: WoChangeRequestRepository
 ) extends WoChangeRequestRepository {
-  def createChangeRequest(changeRequest: ChangeRequest, actor: EventActor, reason: Option[String]):     Box[ChangeRequest] = {
+  def createChangeRequest(changeRequest: ChangeRequest, actor: EventActor, reason: Option[String]): IOResult[ChangeRequest] = {
     cond().flatMap(
       if (_) whenTrue.createChangeRequest(changeRequest, actor, reason)
       else whenFalse.createChangeRequest(changeRequest, actor, reason)
     )
   }
-  def updateChangeRequest(changeRequest: ChangeRequest, actor: EventActor, reason: Option[String]):     Box[ChangeRequest] = {
+  def updateChangeRequest(changeRequest: ChangeRequest, actor: EventActor, reason: Option[String]): IOResult[ChangeRequest] = {
     cond().flatMap(
       if (_) whenTrue.updateChangeRequest(changeRequest, actor, reason)
       else whenFalse.updateChangeRequest(changeRequest, actor, reason)
     )
   }
-  def deleteChangeRequest(changeRequestId: ChangeRequestId, actor: EventActor, reason: Option[String]): Box[ChangeRequest] = {
+  def deleteChangeRequest(
+      changeRequestId: ChangeRequestId,
+      actor:           EventActor,
+      reason:          Option[String]
+  ): IOResult[ChangeRequest] = {
     cond().flatMap(
       if (_) whenTrue.deleteChangeRequest(changeRequestId, actor, reason)
       else whenFalse.deleteChangeRequest(changeRequestId, actor, reason)
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeValidationPluginDef.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeValidationPluginDef.scala
index 5b541455a..cd58eedb4 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeValidationPluginDef.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/ChangeValidationPluginDef.scala
@@ -37,10 +37,8 @@
 
 package com.normation.plugins.changevalidation
 
-import bootstrap.liftweb.Boot
 import bootstrap.liftweb.Boot.redirection
 import bootstrap.liftweb.ConfigResource
-import bootstrap.liftweb.MenuUtils
 import bootstrap.rudder.plugin.ChangeValidationConf
 import com.normation.plugins.*
 import com.normation.rudder.AuthorizationType
@@ -58,7 +56,6 @@ import net.liftweb.http.RedirectWithState
 import net.liftweb.http.RewriteRequest
 import net.liftweb.http.RewriteResponse
 import net.liftweb.sitemap.Loc.Hidden
-import net.liftweb.sitemap.Loc.LocGroup
 import net.liftweb.sitemap.Loc.Template
 import net.liftweb.sitemap.Loc.TestAccess
 import net.liftweb.sitemap.LocPath.stringToLocPath
@@ -72,18 +69,18 @@ class ChangeValidationPluginDef(override val status: PluginStatus) extends Defau
     // URL rewrites
     LiftRules.statefulRewrite.append {
       case RewriteRequest(
-            ParsePath("secure" :: "plugins" :: "changes" :: "changeRequests" :: filter :: Nil, _, _, _),
+            ParsePath("secure" :: "configurationManager" :: "changes" :: "changeRequests" :: filter :: Nil, _, _, _),
             GetRequest,
             _
           ) => {
-        RewriteResponse("secure" :: "plugins" :: "changes" :: "changeRequests" :: Nil, Map("filter" -> filter))
+        RewriteResponse("secure" :: "configurationManager" :: "changes" :: "changeRequests" :: Nil, Map("filter" -> filter))
       }
       case RewriteRequest(
-            ParsePath("secure" :: "plugins" :: "changes" :: "changeRequest" :: crId :: Nil, _, _, _),
+            ParsePath("secure" :: "configurationManager" :: "changes" :: "changeRequest" :: crId :: Nil, _, _, _),
             GetRequest,
             _
           ) =>
-        RewriteResponse("secure" :: "plugins" :: "changes" :: "changeRequest" :: Nil, Map("crId" -> crId))
+        RewriteResponse("secure" :: "configurationManager" :: "changes" :: "changeRequest" :: Nil, Map("crId" -> crId))
     }
 
     // init directory to save JSON
@@ -107,41 +104,25 @@ class ChangeValidationPluginDef(override val status: PluginStatus) extends Defau
       CurrentUser.checkRights(AuthorizationType.Deployer.Read)
 
     (Menu("changeRequests", <span>Change Requests</span>) /
-    "secure" / "plugins" / "changes"
-    >> LocGroup("changeValidation")
+    "secure" / "configurationManager" / "changes"
     >> Hidden
     >> TestAccess(() => {
       if (status.isEnabled() && canViewPage)
         Empty
       else
-        Full(RedirectWithState("/secure/utilities/eventLogs", redirection))
+        Full(RedirectWithState("/secure/index", redirection))
     })).submenus(
       Menu("changeRequestsList", <span>Change requests</span>) /
-      "secure" / "plugins" / "changes" / "changeRequests"
+      "secure" / "configurationManager" / "changes" / "changeRequests"
       >> Hidden
       >> Template(() => ClasspathTemplates("template" :: "changeRequests" :: Nil) openOr <div>Template not found</div>),
       Menu("changeRequestDetails", <span>Change request</span>) /
-      "secure" / "plugins" / "changes" / "changeRequest"
+      "secure" / "configurationManager" / "changes" / "changeRequest"
       >> Hidden
       >> Template(() => ClasspathTemplates("template" :: "changeRequest" :: Nil) openOr <div>Template not found</div>)
     )
   }
 
-  override def pluginMenuEntry: List[(Menu, Option[String])] = {
-    (
-      (
-        Menu("770-changeValidationManagement", <span>Change validation</span>) /
-        "secure" / "plugins" / "changeValidationManagement"
-        >> LocGroup("pluginsGroup")
-        >> TestAccess(() => Boot.userIsAllowed("/secure/index", AuthorizationType.Administration.Read))
-        >> Template(() =>
-          ClasspathTemplates("template" :: "ChangeValidationManagement" :: Nil) openOr <div>Template not found</div>
-        )
-      ).toMenu,
-      Some(MenuUtils.administrationMenu)
-    ) :: Nil
-  }
-
   override def updateSiteMap(menus: List[Menu]): List[Menu] = {
     super.updateSiteMap(menus) :+ changeRequestValidationMenu
   }
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/DataTypes.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/DataTypes.scala
index f335e5200..0708ab128 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/DataTypes.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/DataTypes.scala
@@ -50,7 +50,6 @@ import com.normation.rudder.repository.FullNodeGroupCategory
 import io.scalaland.chimney.Transformer
 import net.liftweb.common.Logger
 import org.slf4j.LoggerFactory
-import scala.annotation.nowarn
 import scala.collection.immutable.SortedSet
 import zio.NonEmptyChunk
 import zio.json.*
@@ -167,7 +166,7 @@ trait TargetJsonCodec {
 
   implicit val unsupervisedTargetIdsEncoder: JsonEncoder[UnsupervisedTargetIds] = DeriveJsonEncoder.gen[UnsupervisedTargetIds]
   implicit val unsupervisedTargetIdsDecoder: JsonDecoder[UnsupervisedTargetIds] = {
-    @nowarn implicit val simpleTargetDecoder: JsonDecoder[SimpleTarget] = JsonDecoder[String].mapOrFail(s => {
+    implicit val simpleTargetDecoder: JsonDecoder[SimpleTarget] = JsonDecoder[String].mapOrFail(s => {
       RuleTarget
         .unser(s)
         .collect { case t: SimpleTarget => t }
@@ -177,7 +176,7 @@ trait TargetJsonCodec {
   }
 
   implicit val supervisedSimpleTargetsDecoder: JsonDecoder[SupervisedSimpleTargets] = {
-    @nowarn implicit val loggedSimpleTargetDecoder: JsonDecoder[SimpleTarget] = {
+    implicit val loggedSimpleTargetDecoder: JsonDecoder[SimpleTarget] = {
       JsonDecoder[String].mapOrFail(s => {
         RuleTarget
           .unser(s)
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/TopBarExtension.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/TopBarExtension.scala
index b7f467e5c..52536f96d 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/TopBarExtension.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/TopBarExtension.scala
@@ -2,12 +2,17 @@ package com.normation.plugins.changevalidation
 
 import com.normation.plugins.PluginExtensionPoint
 import com.normation.plugins.PluginStatus
+import com.normation.rudder.AuthorizationType
+import com.normation.rudder.users.CurrentUser
 import com.normation.rudder.web.snippet.CommonLayout
 import net.liftweb.common.Loggable
 import net.liftweb.util.Helpers.*
 import scala.reflect.ClassTag
 import scala.xml.NodeSeq
 
+/**
+ * Load the change-validation scripts, css and async comet actor : to display it in the top bar
+ */
 class TopBarExtension(val status: PluginStatus)(implicit val ttag: ClassTag[CommonLayout])
     extends PluginExtensionPoint[CommonLayout] with Loggable {
 
@@ -15,10 +20,24 @@ class TopBarExtension(val status: PluginStatus)(implicit val ttag: ClassTag[Comm
     "display" -> render _
   )
 
+  /**
+   * User must have either or both of the Validator.Read and Deployer.Read authorizations
+   * in order to display this.
+   */
   def render(xml: NodeSeq) = {
-    (
-      "#rudder-navbar -*" #> <li class="lift:comet?type=WorkflowInformation" name="workflowInfo" ></li>
-    ).apply(xml)
+    val isValidator = CurrentUser.checkRights(AuthorizationType.Validator.Read)
+    val isDeployer  = CurrentUser.checkRights(AuthorizationType.Deployer.Read)
+    if (isValidator || isDeployer) {
+      (
+        "#rudder-navbar -*" #>
+        <head_merge>
+          <script type="text/javascript" data-lift="with-cached-resource" src="/toserve/changevalidation/rudder-workflowinformation.js"></script>
+          <link rel="stylesheet" type="text/css" href="/toserve/changevalidation/change-validation.css" media="screen" data-lift="with-cached-resource" />
+        </head_merge>
+        & "#rudder-navbar -*" #>
+        <li class="lift:comet?type=WorkflowInformation" name="workflowInfo" ></li>
+      ).apply(xml)
+    } else xml
   }
 
 }
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/ValidationNeeded.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/ValidationNeeded.scala
index 3e32e9f00..8b96c8cd9 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/ValidationNeeded.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/ValidationNeeded.scala
@@ -37,7 +37,6 @@
 
 package com.normation.plugins.changevalidation
 
-import com.normation.box.*
 import com.normation.errors.IOResult
 import com.normation.eventlog.EventActor
 import com.normation.inventory.domain.NodeId
@@ -52,9 +51,9 @@ import com.normation.rudder.services.workflows.DirectiveChangeRequest
 import com.normation.rudder.services.workflows.GlobalParamChangeRequest
 import com.normation.rudder.services.workflows.NodeGroupChangeRequest
 import com.normation.rudder.services.workflows.RuleChangeRequest
-import net.liftweb.common.Box
-import net.liftweb.common.Full
 import scala.collection.MapView
+import zio.ZIO
+import zio.syntax.ToZio
 
 object bddMock {
   val USER_AUTH_NEEDED = Map(
@@ -71,10 +70,10 @@ object bddMock {
  * (see https://issues.rudder.io/issues/22188#note-5)
  */
 trait ValidationNeeded {
-  def forRule(actor:        EventActor, change: RuleChangeRequest):        Box[Boolean]
-  def forDirective(actor:   EventActor, change: DirectiveChangeRequest):   Box[Boolean]
-  def forNodeGroup(actor:   EventActor, change: NodeGroupChangeRequest):   Box[Boolean]
-  def forGlobalParam(actor: EventActor, change: GlobalParamChangeRequest): Box[Boolean]
+  def forRule(actor:        EventActor, change: RuleChangeRequest):        IOResult[Boolean]
+  def forDirective(actor:   EventActor, change: DirectiveChangeRequest):   IOResult[Boolean]
+  def forNodeGroup(actor:   EventActor, change: NodeGroupChangeRequest):   IOResult[Boolean]
+  def forGlobalParam(actor: EventActor, change: GlobalParamChangeRequest): IOResult[Boolean]
 }
 
 /*
@@ -109,22 +108,25 @@ class NodeGroupValidationNeeded(
    * - rule R is changed to add Group2 in its target (or opposite change: Group2 removed)
    * - the change must be validated.
    */
-  override def forRule(actor: EventActor, change: RuleChangeRequest): Box[Boolean] = {
-    val start = System.currentTimeMillis()
-    val res   = (for {
+  override def forRule(actor: EventActor, change: RuleChangeRequest): IOResult[Boolean] = {
+    for {
+      start           <- com.normation.zio.currentTimeMillis
       groups          <- groupLib.getFullGroupLibrary()
       // I think it's ok to have that, it will need a deeper change when we will want to have per-tenant change validation
       arePolicyServer <- nodeFactRepo.getAll()(QueryContext.systemQC)
       supervised      <- supervisedTargets()
+      targets          = Set(change.newRule) ++ change.previousRule.toSet
+      res              = checkNodeTargetByRule(groups, arePolicyServer.mapValues(_.rudderSettings.isPolicyServer), supervised, targets)
+      end             <- com.normation.zio.currentTimeMillis
+      _               <- {
+        ChangeValidationLoggerPure.Metrics.debug(
+          s"Check rule '${change.newRule.name}' [${change.newRule.id.serialize}]" +
+          s"change requestion need for validation in ${end - start}ms"
+        )
+      }
     } yield {
-      val targets = Set(change.newRule) ++ change.previousRule.toSet
-      checkNodeTargetByRule(groups, arePolicyServer.mapValues(_.rudderSettings.isPolicyServer), supervised, targets)
-    }).toBox
-    ChangeValidationLogger.Metrics.debug(
-      s"Check rule '${change.newRule.name}' [${change.newRule.id.serialize}] change requestion need for validation in ${System
-          .currentTimeMillis() - start}ms"
-    )
-    res
+      res
+    }
   }
 
   /**
@@ -161,7 +163,7 @@ class NodeGroupValidationNeeded(
    *   belong to an other group)
    * - now the rule is applied to supervised node, but no validation was done.
    */
-  override def forNodeGroup(actor: EventActor, change: NodeGroupChangeRequest): Box[Boolean] = {
+  override def forNodeGroup(actor: EventActor, change: NodeGroupChangeRequest): IOResult[Boolean] = {
     // Here we need to test the future content of the group, and not the current one.
     // So we need to know:
     // - the list of supervised node in the group before the change,
@@ -169,61 +171,70 @@ class NodeGroupValidationNeeded(
     // - the list of supervised node in the group after change,
     // => non empty means validation needed
 
-    val start = System.currentTimeMillis()
-
-    val res = (for {
+    for {
+      start      <- com.normation.zio.currentTimeMillis
       groups     <- groupLib.getFullGroupLibrary()
       nodeFacts  <- nodeFactRepo.getAll()(QueryContext.systemQC)
       supervised <- supervisedTargets()
-    } yield {
-      val targetNodes = change.newGroup.serverList ++ change.previousGroup.map(_.serverList).getOrElse(Set())
-      val exists      = groups
-        .getNodeIds(supervised.map(identity), nodeFacts.mapValues(_.rudderSettings.isPolicyServer))
-        .find(nodeId => targetNodes.contains(nodeId))
+      targetNodes = change.newGroup.serverList ++ change.previousGroup.map(_.serverList).getOrElse(Set())
+      exists      = groups
+                      .getNodeIds(supervised.map(identity), nodeFacts.mapValues(_.rudderSettings.isPolicyServer))
+                      .find(nodeId => targetNodes.contains(nodeId))
+      res        <-
+        // we want to let the log know why the change request needs validation
+        ZIO
+          .foreach(exists) { nodeId =>
+            ChangeValidationLoggerPure
+              .debug(
+                s"Node '${nodeId.value}' belongs to both a supervised group and to group '${change.newGroup.name}' [${change.newGroup.id.serialize}]"
+              )
+          }
+          .map(_.nonEmpty)
 
-      // we want to let the log knows why the change request need validation
-      exists.foreach { nodeId =>
-        ChangeValidationLogger.debug(
-          s"Node '${nodeId.value}' belongs to both a supervised group and to group '${change.newGroup.name}' [${change.newGroup.id.serialize}]"
+      end <- com.normation.zio.currentTimeMillis
+      _   <- {
+        ChangeValidationLoggerPure.Metrics.debug(
+          s"Check group '${change.newGroup.name}' [${change.newGroup.id.serialize}] " +
+          s"change requestion need for validation in ${end - start}ms"
         )
       }
-      exists.nonEmpty
-    }).toBox
-    ChangeValidationLogger.Metrics.debug(
-      s"Check group '${change.newGroup.name}' [${change.newGroup.id.serialize}] change requestion need for validation in ${System
-          .currentTimeMillis() - start}ms"
-    )
-    res
+    } yield {
+      res
+    }
   }
 
   /*
    * A directive need a validation if any rule using it need a validation.
    */
-  override def forDirective(actor: EventActor, change: DirectiveChangeRequest): Box[Boolean] = {
-    // in a change, the old directive id and the new one is the same.
-    val directiveId = change.newDirective.id
-    val start       = System.currentTimeMillis()
-    val res         = (for {
+  override def forDirective(actor: EventActor, change: DirectiveChangeRequest): IOResult[Boolean] = {
+    for {
+      start      <- com.normation.zio.currentTimeMillis
+      // in a change, the old directive id and the new one is the same.
+      directiveId = change.newDirective.id
       rules      <- ruleLib.getAll(includeSytem = true).map(_.filter(r => r.directiveIds.contains(directiveId)))
       // we need to add potentially new rules applied to that directive that the previous request does not cover
       newRules    = change.updatedRules
       supervised <- supervisedTargets()
       groups     <- groupLib.getFullGroupLibrary()
       nodeFacts  <- nodeFactRepo.getAll()(QueryContext.systemQC)
+      res         =
+        checkNodeTargetByRule(groups, nodeFacts.mapValues(_.rudderSettings.isPolicyServer), supervised, (rules ++ newRules).toSet)
+      end        <- com.normation.zio.currentTimeMillis
+      _          <- {
+        ChangeValidationLoggerPure.Metrics.debug(
+          s"Check directive '${change.newDirective.name}' [${change.newDirective.id.uid.serialize}]" +
+          s"change requestion need for validation in ${end - start}ms"
+        )
+      }
     } yield {
-      checkNodeTargetByRule(groups, nodeFacts.mapValues(_.rudderSettings.isPolicyServer), supervised, (rules ++ newRules).toSet)
-    }).toBox
-    ChangeValidationLogger.Metrics.debug(
-      s"Check directive '${change.newDirective.name}' [${change.newDirective.id.uid.serialize}] change requestion need for validation in ${System
-          .currentTimeMillis() - start}ms"
-    )
-    res
+      res
+    }
   }
 
   /*
    * For a global parameter, we just answer "yes"
    */
-  override def forGlobalParam(actor: EventActor, change: GlobalParamChangeRequest): Box[Boolean] = {
-    Full(true)
+  override def forGlobalParam(actor: EventActor, change: GlobalParamChangeRequest): IOResult[Boolean] = {
+    true.succeed
   }
 }
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/WorkflowJdbcRepository.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/WorkflowJdbcRepository.scala
index 14ceedecc..c1085d596 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/WorkflowJdbcRepository.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/WorkflowJdbcRepository.scala
@@ -36,31 +36,36 @@
  */
 package com.normation.plugins.changevalidation
 
+import cats.data.NonEmptyList
 import cats.implicits.*
+import com.normation.errors.IOResult
 import com.normation.rudder.db.Doobie
 import com.normation.rudder.domain.workflows.ChangeRequestId
 import com.normation.rudder.domain.workflows.WorkflowNodeId
 import doobie.*
 import doobie.implicits.*
-import net.liftweb.common.Box
+import doobie.util.fragments
 import net.liftweb.common.Loggable
+import zio.ZIO
 import zio.interop.catz.*
 
 /**
  * Repository to manage the Workflow part
  */
 trait RoWorkflowRepository {
-  def getAllByState(state: WorkflowNodeId): Box[Seq[ChangeRequestId]]
+  def getAllByState(state: WorkflowNodeId): IOResult[Seq[ChangeRequestId]]
 
-  def getStateOfChangeRequest(crId: ChangeRequestId): Box[WorkflowNodeId]
+  def getCountByState(filter: NonEmptyList[WorkflowNodeId]): IOResult[Map[WorkflowNodeId, Long]]
 
-  def getAllChangeRequestsState(): Box[Map[ChangeRequestId, WorkflowNodeId]]
+  def getStateOfChangeRequest(crId: ChangeRequestId): IOResult[WorkflowNodeId]
+
+  def getAllChangeRequestsState(): IOResult[Map[ChangeRequestId, WorkflowNodeId]]
 }
 
 trait WoWorkflowRepository {
-  def createWorkflow(crId: ChangeRequestId, state: WorkflowNodeId): Box[WorkflowNodeId]
+  def createWorkflow(crId: ChangeRequestId, state: WorkflowNodeId): IOResult[WorkflowNodeId]
 
-  def updateState(crId: ChangeRequestId, from: WorkflowNodeId, state: WorkflowNodeId): Box[WorkflowNodeId]
+  def updateState(crId: ChangeRequestId, from: WorkflowNodeId, state: WorkflowNodeId): IOResult[WorkflowNodeId]
 }
 
 trait RoWorkflowJdbcRepositorySQL {
@@ -68,6 +73,12 @@ trait RoWorkflowJdbcRepositorySQL {
     sql"select id from workflow where state = $state".query[ChangeRequestId]
   }
 
+  def getCountByStateSQL(filter: NonEmptyList[WorkflowNodeId]): Query0[(WorkflowNodeId, Long)] = {
+    val f = fragments.in(fr"state", filter)
+    sql"select state,count(distinct(id)) from workflow where ${f} group by state"
+      .query[(WorkflowNodeId, Long)]
+  }
+
   def getStateOfChangeRequestSQL(crId: ChangeRequestId): Query0[WorkflowNodeId] = {
     sql"select state from workflow where id = $crId".query[WorkflowNodeId]
   }
@@ -92,16 +103,38 @@ class RoWorkflowJdbcRepository(doobie: Doobie) extends RoWorkflowRepository with
   import WorkflowJdbcRepositorySQL.*
   import doobie.*
 
-  def getAllByState(state: WorkflowNodeId): Box[Seq[ChangeRequestId]] = {
-    transactRunBox(xa => getAllByStateSQL(state).to[Vector].transact(xa))
+  def getAllByState(state: WorkflowNodeId): IOResult[Seq[ChangeRequestId]] = {
+    transactIOResult(s"Could not get change request with state ${state.value}")(xa =>
+      getAllByStateSQL(state).to[Vector].transact(xa)
+    )
+  }
+
+  /**
+   * Returns the number of change requests for each state in the given filter.
+   * If there are no existing change requests for a given state in the filter, the count for this state will be 0.
+   * @param filter
+   * @return
+   */
+  override def getCountByState(filter: NonEmptyList[WorkflowNodeId]): IOResult[Map[WorkflowNodeId, Long]] = {
+    transactIOResult("Could not get total count of change requests in each state")(xa => {
+      for {
+        req    <- getCountByStateSQL(filter).to[Vector].transact(xa).map(_.toMap)
+        initMap = filter.map((_, 0L)).toList.toMap
+        res     = req.combine(initMap)
+      } yield {
+        res
+      }
+    })
   }
 
-  def getStateOfChangeRequest(crId: ChangeRequestId): Box[WorkflowNodeId] = {
-    transactRunBox(xa => getStateOfChangeRequestSQL(crId).unique.transact(xa))
+  def getStateOfChangeRequest(crId: ChangeRequestId): IOResult[WorkflowNodeId] = {
+    transactIOResult(s"Could not get state of change request with id ${crId.value}")(xa =>
+      getStateOfChangeRequestSQL(crId).unique.transact(xa)
+    )
   }
 
-  def getAllChangeRequestsState(): Box[Map[ChangeRequestId, WorkflowNodeId]] = {
-    transactRunBox(xa => getAllChangeRequestsStateSQL.to[Vector].transact(xa))
+  def getAllChangeRequestsState(): IOResult[Map[ChangeRequestId, WorkflowNodeId]] = {
+    transactIOResult("Could not get states of all change requests")(xa => getAllChangeRequestsStateSQL.to[Vector].transact(xa))
       .map(_.toMap)
   }
 }
@@ -110,53 +143,64 @@ class WoWorkflowJdbcRepository(doobie: Doobie) extends WoWorkflowRepository with
   import WorkflowJdbcRepositorySQL.*
   import doobie.*
 
-  def createWorkflow(crId: ChangeRequestId, state: WorkflowNodeId): Box[WorkflowNodeId] = {
+  def createWorkflow(crId: ChangeRequestId, state: WorkflowNodeId): IOResult[WorkflowNodeId] = {
     val process = {
       for {
-        exists  <- getStateOfChangeRequestSQL(crId).option
-        created <- exists match {
-                     case None    => createWorkflowSQL(crId, state).run.attempt
-                     case Some(s) =>
-                       val msg =
-                         s"Cannot start a workflow for Change Request id ${crId.value}, as it is already part of a workflow in state '${s}'"
-                       ChangeValidationLogger.error(msg)
-                       (Left(msg)).pure[ConnectionIO]
-                   }
+        exists <- getStateOfChangeRequestSQL(crId).option
+        _      <- exists match {
+                    case None    => createWorkflowSQL(crId, state).run.attempt
+                    case Some(s) =>
+                      val msg =
+                        s"Cannot start a workflow for Change Request id ${crId.value}, as it is already part of a workflow in state '${s}'"
+                      ChangeValidationLogger.error(msg)
+                      (Left(msg)).pure[ConnectionIO]
+                  }
       } yield {
         state
       }
     }
-    transactRunBox(xa => process.transact(xa))
+    transactIOResult(s"Could not create workflow with id ${crId.value} and state ${state.value}")(xa => process.transact(xa))
   }
 
-  def updateState(crId: ChangeRequestId, from: WorkflowNodeId, state: WorkflowNodeId): Box[WorkflowNodeId] = {
-    val process = {
+  def updateState(crId: ChangeRequestId, from: WorkflowNodeId, state: WorkflowNodeId): IOResult[WorkflowNodeId] = {
+    val process: ConnectionIO[Either[String, Unit]] = {
       for {
-        exists  <- getStateOfChangeRequestSQL(crId).option
-        created <- exists match {
-                     case Some(s) =>
-                       if (s == from) {
-                         updateStateSQL(
-                           crId,
-                           from,
-                           state
-                         ).run.attempt // swallows any "constraint violation" error if CrId is not in the ChangeRequest table
-                       } else {
-                         val msg = s"Cannot change status of ChangeRequest '${crId.value}': it has the status '${s.value}' " +
-                           s"but we were expecting '${from.value}'. Perhaps someone else changed it concurrently?"
-                         ChangeValidationLogger.error(msg)
-                         (Left(msg).pure[ConnectionIO])
-                       }
-                     case None    =>
-                       val msg =
-                         s"Cannot change a workflow for Change Request id ${crId.value}, as it is not part of any workflow yet"
-                       ChangeValidationLogger.error(msg)
-                       (Left(msg).pure[ConnectionIO])
-                   }
+        exists <- getStateOfChangeRequestSQL(crId).option
+        update <- exists match {
+                    case Some(s) =>
+                      if (s == from) {
+                        updateStateSQL(
+                          crId,
+                          from,
+                          state
+                        ).run.attempt.map(
+                          _.bimap(
+                            err => err.getMessage,
+                            _ => ()
+                          )
+                        )
+                      } else {
+                        val msg = s"Cannot change status of ChangeRequest '${crId.value}': it has status '${s.value}' " +
+                          s"but the expected status was '${from.value}'. Perhaps someone else changed it concurrently?"
+                        Left(msg).pure[ConnectionIO]
+                      }
+                    case None    =>
+                      val msg =
+                        s"Cannot change a workflow for Change Request id ${crId.value}, as it is not part of any workflow yet"
+                      Left(msg).pure[ConnectionIO]
+                  }
       } yield {
-        state
+        update
       }
     }
-    transactRunBox(xa => process.transact(xa))
+
+    for {
+      res <- transactIOResult(
+               s"Could not update state of change request with id ${crId.value} from ${from.value} to ${state.value}"
+             )(xa => process.transact(xa))
+      _   <- ZIO.whenCase(res) { case Left(err) => ChangeValidationLoggerPure.error(err) }
+    } yield {
+      state
+    }
   }
 }
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/WorkflowService.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/WorkflowService.scala
index 952384212..a83bec735 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/WorkflowService.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/WorkflowService.scala
@@ -37,7 +37,6 @@
 
 package com.normation.plugins.changevalidation
 
-import com.normation.box.*
 import com.normation.errors.*
 import com.normation.eventlog.EventActor
 import com.normation.eventlog.ModificationId
@@ -60,29 +59,30 @@ import com.normation.rudder.services.workflows.WorkflowService
 import com.normation.rudder.services.workflows.WorkflowUpdate
 import com.normation.rudder.users.UserService
 import com.normation.utils.StringUuidGenerator
-import net.liftweb.common.*
+import com.normation.zio.UnsafeRun
 import org.joda.time.DateTime
 import zio.*
+import zio.syntax.ToZio
 
 /**
  * A proxy workflow service based on a runtime choice
  */
-class EitherWorkflowService(cond: () => Box[Boolean], whenTrue: WorkflowService, whenFalse: WorkflowService)
+class EitherWorkflowService(cond: () => IOResult[Boolean], whenTrue: WorkflowService, whenFalse: WorkflowService)
     extends WorkflowService {
 
   // TODO: handle ERRORS for config!
 
   val name = "choose-active-validation-workflow"
 
-  def current: WorkflowService = if (cond().getOrElse(false)) whenTrue else whenFalse
+  def current: WorkflowService = if (cond().orElseSucceed(false).runNow) whenTrue else whenFalse
 
-  override def startWorkflow(changeRequest: ChangeRequest)(implicit cc: ChangeContext):                     Box[ChangeRequestId]                      =
+  override def startWorkflow(changeRequest: ChangeRequest)(implicit cc: ChangeContext):                     IOResult[ChangeRequestId]                      =
     current.startWorkflow(changeRequest)
-  override def openSteps:                                                                                   List[WorkflowNodeId]                      =
+  override def openSteps:                                                                                   List[WorkflowNodeId]                           =
     current.openSteps
-  override def closedSteps:                                                                                 List[WorkflowNodeId]                      =
+  override def closedSteps:                                                                                 List[WorkflowNodeId]                           =
     current.closedSteps
-  override def stepsValue:                                                                                  List[WorkflowNodeId]                      =
+  override def stepsValue:                                                                                  List[WorkflowNodeId]                           =
     current.stepsValue
   override def findNextSteps(currentUserRights: Seq[String], currentStep: WorkflowNodeId, isCreator: Boolean)(implicit
       qc: QueryContext
@@ -92,17 +92,17 @@ class EitherWorkflowService(cond: () => Box[Boolean], whenTrue: WorkflowService,
       currentUserRights: Seq[String],
       currentStep:       WorkflowNodeId,
       isCreator:         Boolean
-  ): Seq[(WorkflowNodeId, (ChangeRequestId, EventActor, Option[String]) => Box[WorkflowNodeId])] =
+  ): Seq[(WorkflowNodeId, (ChangeRequestId, EventActor, Option[String]) => IOResult[WorkflowNodeId])] =
     current.findBackSteps(currentUserRights, currentStep, isCreator)
-  override def findStep(changeRequestId: ChangeRequestId):                                                  Box[WorkflowNodeId]                       =
+  override def findStep(changeRequestId: ChangeRequestId):                                                  IOResult[WorkflowNodeId]                       =
     current.findStep(changeRequestId)
-  override def getAllChangeRequestsStep():                                                                  Box[Map[ChangeRequestId, WorkflowNodeId]] =
+  override def getAllChangeRequestsStep():                                                                  IOResult[Map[ChangeRequestId, WorkflowNodeId]] =
     current.getAllChangeRequestsStep()
-  override def isEditable(currentUserRights: Seq[String], currentStep: WorkflowNodeId, isCreator: Boolean): Boolean                                   =
+  override def isEditable(currentUserRights: Seq[String], currentStep: WorkflowNodeId, isCreator: Boolean): Boolean                                        =
     current.isEditable(currentUserRights, currentStep, isCreator)
-  override def isPending(currentStep: WorkflowNodeId):                                                      Boolean                                   =
+  override def isPending(currentStep: WorkflowNodeId):                                                      Boolean                                        =
     current.isPending(currentStep)
-  override def needExternalValidation():                                                                    Boolean                                   = current.needExternalValidation()
+  override def needExternalValidation():                                                                    Boolean                                        = current.needExternalValidation()
 }
 
 object TwoValidationStepsWorkflowServiceImpl {
@@ -137,15 +137,15 @@ class TwoValidationStepsWorkflowServiceImpl(
     woChangeRequestRepository:     WoChangeRequestRepository,
     notificationService:           NotificationService,
     userService:                   UserService,
-    workflowEnable:                () => Box[Boolean],
-    selfValidation:                () => Box[Boolean],
-    selfDeployment:                () => Box[Boolean]
+    workflowEnable:                () => IOResult[Boolean],
+    selfValidation:                () => IOResult[Boolean],
+    selfDeployment:                () => IOResult[Boolean]
 ) extends WorkflowService {
   import TwoValidationStepsWorkflowServiceImpl.*
 
   val name = "two-steps-validation-workflow"
 
-  def getItemsInStep(stepId: WorkflowNodeId): Box[Seq[ChangeRequestId]] = roWorkflowRepo.getAllByState(stepId)
+  def getItemsInStep(stepId: WorkflowNodeId): IOResult[Seq[ChangeRequestId]] = roWorkflowRepo.getAllByState(stepId)
 
   val closedSteps: List[WorkflowNodeId] = List(Cancelled.id, Deployed.id)
   val openSteps:   List[WorkflowNodeId] = List(Validation.id, Deployment.id)
@@ -166,14 +166,15 @@ class TwoValidationStepsWorkflowServiceImpl(
     }
 
     for {
-      saved          <- save ?~! s"could not save change request ${changeRequest.info.name}"
+      saved          <- save.chainError(s"could not save change request ${changeRequest.info.name}")
       modId           = ModificationId(uuidGen.newUuid)
       workflowEnable <- workflowEnable()
       _              <- if (workflowEnable) {
-                          changeRequestEventLogService.saveChangeRequestLog(modId, actor, saved, reason) ?~!
-                          s"could not save event log for change request ${saved.changeRequest.id} creation"
+                          changeRequestEventLogService
+                            .saveChangeRequestLog(modId, actor, saved, reason)
+                            .chainError(s"could not save event log for change request ${saved.changeRequest.id} creation")
                         } else {
-                          Full("OK, no workflow")
+                          "OK, no workflow".succeed
                         }
     } yield { saved.changeRequest }
   }
@@ -183,7 +184,7 @@ class TwoValidationStepsWorkflowServiceImpl(
       newInfo:          ChangeRequestInfo,
       actor:            EventActor,
       reason:           Option[String]
-  ): Box[ChangeRequest] = {
+  ): IOResult[ChangeRequest] = {
     val newCr = ChangeRequest.updateInfo(oldChangeRequest, newInfo)
     saveAndLogChangeRequest(ModifyToChangeRequestDiff(newCr, oldChangeRequest), actor, reason)
   }
@@ -198,7 +199,7 @@ class TwoValidationStepsWorkflowServiceImpl(
       isCreator:         Boolean
   )(implicit qc: QueryContext): WorkflowAction = {
 
-    def deployAction(action: (ChangeRequestId, EventActor, Option[String]) => Box[WorkflowNodeId]) = {
+    def deployAction(action: (ChangeRequestId, EventActor, Option[String]) => IOResult[WorkflowNodeId]) = {
       if (canDeploy(isCreator, selfDeployment))
         Seq((Deployed.id, action))
       else Seq()
@@ -230,7 +231,7 @@ class TwoValidationStepsWorkflowServiceImpl(
       currentUserRights: Seq[String],
       currentStep:       WorkflowNodeId,
       isCreator:         Boolean
-  ): Seq[(WorkflowNodeId, (ChangeRequestId, EventActor, Option[String]) => Box[WorkflowNodeId])] = {
+  ): Seq[(WorkflowNodeId, (ChangeRequestId, EventActor, Option[String]) => IOResult[WorkflowNodeId])] = {
     currentStep match {
       case Validation.id     =>
         if (canValidate(isCreator, selfValidation))
@@ -266,7 +267,7 @@ class TwoValidationStepsWorkflowServiceImpl(
     }
   }
 
-  def isPending(currentStep: WorkflowNodeId):     Boolean             = {
+  def isPending(currentStep: WorkflowNodeId):     Boolean                  = {
     currentStep match {
       case Validation.id     => true
       case Deployment.id     => true
@@ -279,15 +280,15 @@ class TwoValidationStepsWorkflowServiceImpl(
         false
     }
   }
-  def findStep(changeRequestId: ChangeRequestId): Box[WorkflowNodeId] = {
+  def findStep(changeRequestId: ChangeRequestId): IOResult[WorkflowNodeId] = {
     roWorkflowRepo.getStateOfChangeRequest(changeRequestId)
   }
 
-  def getAllChangeRequestsStep(): Box[Map[ChangeRequestId, WorkflowNodeId]] = {
+  def getAllChangeRequestsStep(): IOResult[Map[ChangeRequestId, WorkflowNodeId]] = {
     roWorkflowRepo.getAllChangeRequestsState()
   }
 
-  def startWorkflow(changeRequest: ChangeRequest)(implicit cc: ChangeContext): Box[ChangeRequestId] = {
+  def startWorkflow(changeRequest: ChangeRequest)(implicit cc: ChangeContext): IOResult[ChangeRequestId] = {
     ChangeValidationLogger.debug(s"${name}: start workflow for change request '${changeRequest.id.value}'")
     for {
       saved <- saveAndLogChangeRequest(AddChangeRequestDiff(changeRequest), cc.actor, cc.message)
@@ -305,7 +306,7 @@ class TwoValidationStepsWorkflowServiceImpl(
       changeRequestId: ChangeRequestId,
       actor:           EventActor,
       reason:          Option[String]
-  ): Box[WorkflowNodeId] = {
+  ): IOResult[WorkflowNodeId] = {
     (for {
       state       <- woWorkflowRepo.updateState(changeRequestId, from.id, to.id)
       workflowStep = WorkflowStepChange(changeRequestId, from.id, to.id)
@@ -314,13 +315,10 @@ class TwoValidationStepsWorkflowServiceImpl(
     } yield {
       workflowComet ! WorkflowUpdate
       state
-    }) match {
-      case Full(state) => Full(state)
-      case eb: EmptyBox =>
-        val e = eb ?~! s"Error when changing step in workflow for Change Request ${changeRequestId.value}"
-        ChangeValidationLogger.error(e.messageChain)
-        e
-    }
+    })
+      .chainError(s"Error when changing step in workflow for Change Request ${changeRequestId.value}")
+      .tapError(err => ChangeValidationLoggerPure.error(err.fullMsg))
+
   }
 
   /*
@@ -329,13 +327,13 @@ class TwoValidationStepsWorkflowServiceImpl(
    * - check for current user rights.
    *   WARNING: WE ARE SIDE STEPPING authz check until https://issues.rudder.io/issues/22595 is solved
    */
-  private def canValidate(isCreator: Boolean, selfValidation: () => Box[Boolean]): Boolean = {
-    val correctActor = selfValidation().getOrElse(false) || !isCreator
+  private def canValidate(isCreator: Boolean, selfValidation: () => IOResult[Boolean]): Boolean = {
+    val correctActor = selfValidation().orElseSucceed(false).runNow || !isCreator
     correctActor && userService.getCurrentUser.checkRights(AuthorizationType.Validator.Edit)
   }
 
-  private def canDeploy(isCreator: Boolean, selfDeployment: () => Box[Boolean]): Boolean = {
-    val correctActor = selfDeployment().getOrElse(false) || !isCreator
+  private def canDeploy(isCreator: Boolean, selfDeployment: () => IOResult[Boolean]): Boolean = {
+    val correctActor = selfDeployment().orElseSucceed(false).runNow || !isCreator
     correctActor && userService.getCurrentUser.checkRights(AuthorizationType.Deployer.Edit)
   }
 
@@ -347,7 +345,6 @@ class TwoValidationStepsWorkflowServiceImpl(
     for {
       cr <- roChangeRequestRepository
               .get(changeRequestId)
-              .toIO
               .notOptional(
                 s"Change request with ID '${changeRequestId.value}' was not found in database"
               )
@@ -372,13 +369,10 @@ class TwoValidationStepsWorkflowServiceImpl(
    */
   implicit class CatchEmailError(result: IOResult[Unit]) {
     def catchEmailError(from: String, to: String): Unit = {
-      result.toBox match {
-        case eb: EmptyBox =>
-          val msg =
-            (eb ?~! s"Error when trying to send email for change request status update from '${from}' to '${to}'").messageChain
-          ChangeValidationLogger.error(msg)
-        case Full(_) => // nothing
-      }
+      result
+        .chainError(s"Error when trying to send email for change request status update from '${from}' to '${to}'")
+        .catchAll(err => ChangeValidationLoggerPure.error(err.fullMsg))
+        .runNow
     }
   }
 
@@ -389,11 +383,12 @@ class TwoValidationStepsWorkflowServiceImpl(
       reason:          Option[String]
   )(implicit
       qc:              QueryContext
-  ): Box[WorkflowNodeId] = {
+  ): IOResult[WorkflowNodeId] = {
     ChangeValidationLogger.debug(s"${name}: deploy change for change request '${changeRequestId.value}'")
     for {
-      optcr <- roChangeRequestRepository.get(changeRequestId)
-      cr    <- Box(optcr) ?~! s"Change request with ID '${changeRequestId.value}' was not found in database"
+      cr    <- roChangeRequestRepository
+                 .get(changeRequestId)
+                 .notOptional(s"Change request with ID '${changeRequestId.value}' was not found in database")
       saved <-
         commit.save(cr)(ChangeContext(ModificationId(uuidGen.newUuid), qc.actor, new DateTime(), reason, None, qc.nodePerms))
       _     <- woChangeRequestRepository.updateChangeRequest(saved, actor, reason)
@@ -408,7 +403,7 @@ class TwoValidationStepsWorkflowServiceImpl(
       changeRequestId: ChangeRequestId,
       actor:           EventActor,
       reason:          Option[String]
-  ): Box[WorkflowNodeId] = {
+  ): IOResult[WorkflowNodeId] = {
     changeStep(from, Cancelled, changeRequestId, actor, reason)
   }
 
@@ -418,7 +413,7 @@ class TwoValidationStepsWorkflowServiceImpl(
       changeRequestId: ChangeRequestId,
       actor:           EventActor,
       reason:          Option[String]
-  ): Box[WorkflowNodeId] = {
+  ): IOResult[WorkflowNodeId] = {
     changeStep(Validation, Deployment, changeRequestId, actor, reason)
   }
 
@@ -426,7 +421,7 @@ class TwoValidationStepsWorkflowServiceImpl(
       changeRequestId: ChangeRequestId,
       actor:           EventActor,
       reason:          Option[String]
-  )(implicit qc: QueryContext): Box[WorkflowNodeId] = {
+  )(implicit qc: QueryContext): IOResult[WorkflowNodeId] = {
     onSuccessWorkflow(Validation, changeRequestId, actor, reason)
   }
 
@@ -434,7 +429,7 @@ class TwoValidationStepsWorkflowServiceImpl(
       changeRequestId: ChangeRequestId,
       actor:           EventActor,
       reason:          Option[String]
-  ): Box[WorkflowNodeId] = {
+  ): IOResult[WorkflowNodeId] = {
     toFailure(Validation, changeRequestId, actor, reason)
   }
 
@@ -442,7 +437,7 @@ class TwoValidationStepsWorkflowServiceImpl(
       changeRequestId: ChangeRequestId,
       actor:           EventActor,
       reason:          Option[String]
-  ): Box[WorkflowNodeId] = {
+  ): IOResult[WorkflowNodeId] = {
     toFailure(Deployment, changeRequestId, actor, reason)
   }
 
@@ -450,7 +445,7 @@ class TwoValidationStepsWorkflowServiceImpl(
       changeRequestId: ChangeRequestId,
       actor:           EventActor,
       reason:          Option[String]
-  )(implicit qc: QueryContext): Box[WorkflowNodeId] = {
+  )(implicit qc: QueryContext): IOResult[WorkflowNodeId] = {
     onSuccessWorkflow(Deployment, changeRequestId, actor, reason)
   }
 
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/ChangeRequestApi.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/ChangeRequestApi.scala
index d515e5455..e0ba16f47 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/ChangeRequestApi.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/ChangeRequestApi.scala
@@ -37,12 +37,19 @@
 
 package com.normation.plugins.changevalidation.api
 
-import com.normation.box.*
 import com.normation.cfclerk.domain.Technique
 import com.normation.cfclerk.domain.TechniqueId
 import com.normation.cfclerk.services.TechniqueRepository
-import com.normation.errors.*
+import com.normation.errors.AccumulateErrors
+import com.normation.errors.Inconsistency
+import com.normation.errors.IOResult
+import com.normation.errors.OptionToIoResult
+import com.normation.errors.OptionToPureResult
+import com.normation.errors.PureResult
+import com.normation.errors.PureToIoResult
+import com.normation.errors.Unexpected
 import com.normation.plugins.changevalidation.ChangeRequestFilter
+import com.normation.plugins.changevalidation.ChangeRequestInfoJson
 import com.normation.plugins.changevalidation.ChangeRequestJson
 import com.normation.plugins.changevalidation.RoChangeRequestRepository
 import com.normation.plugins.changevalidation.RoWorkflowRepository
@@ -53,6 +60,8 @@ import com.normation.rudder.api.ApiVersion
 import com.normation.rudder.api.HttpAction.DELETE
 import com.normation.rudder.api.HttpAction.GET
 import com.normation.rudder.api.HttpAction.POST
+import com.normation.rudder.config.ReasonBehavior
+import com.normation.rudder.config.UserPropertyService
 import com.normation.rudder.domain.nodes.NodeGroupUid
 import com.normation.rudder.domain.policies.DirectiveId
 import com.normation.rudder.domain.policies.DirectiveUid
@@ -69,10 +78,10 @@ import com.normation.rudder.rest.EndpointSchema
 import com.normation.rudder.rest.EndpointSchema.syntax.*
 import com.normation.rudder.rest.GeneralApi
 import com.normation.rudder.rest.OneParam
+import com.normation.rudder.rest.RudderJsonRequest.*
 import com.normation.rudder.rest.SortIndex
 import com.normation.rudder.rest.StartsAtVersion3
 import com.normation.rudder.rest.ZeroParam
-import com.normation.rudder.rest.data.APIChangeRequestInfo
 import com.normation.rudder.rest.implicits.*
 import com.normation.rudder.rest.lift.DefaultParams
 import com.normation.rudder.rest.lift.LiftApiModule
@@ -82,10 +91,7 @@ import com.normation.rudder.services.modification.DiffService
 import com.normation.rudder.services.workflows.CommitAndDeployChangeRequestService
 import com.normation.rudder.services.workflows.WorkflowLevelService
 import com.normation.rudder.users.UserService
-import com.normation.rudder.web.services.ReasonBehavior
-import com.normation.rudder.web.services.UserPropertyService
 import enumeratum.*
-import net.liftweb.common.Box
 import net.liftweb.http.LiftResponse
 import net.liftweb.http.Req
 import sourcecode.Line
@@ -172,7 +178,9 @@ class ChangeRequestApiImpl(
     userService:          UserService
 ) extends LiftApiModuleProvider[ChangeRequestApi] {
   import com.normation.plugins.changevalidation.api.ChangeRequestApi as API
-  implicit private val diffServiceImpl: DiffService = diffService
+
+  implicit def reasonBehavior:          ReasonBehavior = userPropertyService.reasonsFieldBehavior
+  implicit private val diffServiceImpl: DiffService    = diffService
 
   override def schemas: ApiModuleProvider[ChangeRequestApi] = API
 
@@ -302,8 +310,8 @@ class ChangeRequestApiImpl(
               s"Could not decline ChangeRequest ${id} details cause is: could not decline ChangeRequest ${id}, because status '${step.value}' cannot be cancelled."
             )
           (_, func)   = stepFunc
-          reason     <- extractReason(req)
-          result     <- func(changeRequest.id, authzToken.qc.actor, reason).toIO
+          reason     <- extractReason(req).toIO
+          result     <- func(changeRequest.id, authzToken.qc.actor, reason)
           serialized <- serialize(changeRequest, result).toIO
         } yield {
           serialized
@@ -339,8 +347,8 @@ class ChangeRequestApiImpl(
               s"Could not accept ChangeRequest ${id} details cause is: you could not send Change Request from '${step.value}' to '${targetStep.value}'."
             )
           (_, func)   = stepFunc
-          reason     <- extractReason(req)
-          result     <- func(changeRequest.id, authzToken.qc.actor, reason).toIO
+          reason     <- extractReason(req).toIO
+          result     <- func(changeRequest.id, authzToken.qc.actor, reason)
           serialized <- serialize(changeRequest, result).toIO
         } yield {
           serialized
@@ -390,17 +398,21 @@ class ChangeRequestApiImpl(
         authzToken: AuthzToken
     ): LiftResponse = {
       implicit val qc: QueryContext = authzToken.qc
-      def updateInfo(changeRequest: ChangeRequest, status: WorkflowNodeId, apiInfo: APIChangeRequestInfo)(implicit
+      def updateInfo(changeRequest: ChangeRequest, status: WorkflowNodeId, apiInfo: ChangeRequestInfoJson)(implicit
           techniqueByDirective: Map[DirectiveId, Technique]
       ): IOResult[ChangeRequestJson] = {
         val newInfo = apiInfo.updateCrInfo(changeRequest.info)
-        if (changeRequest.info == newInfo) {
+
+        if (newInfo.name == "") {
+          val message = s"Could not update ChangeRequest ${id} details cause is: Change request name cannot be empty."
+          Inconsistency(message).fail
+        } else if (changeRequest.info == newInfo) {
           val message = s"Could not update ChangeRequest ${id} details cause is: No changes to save."
           Inconsistency(message).fail
         } else {
           val newCR = ChangeRequest.updateInfo(changeRequest, newInfo)
           for {
-            updated    <- writeChangeRequest.updateChangeRequest(newCR, authzToken.qc.actor, None).toIO
+            updated    <- writeChangeRequest.updateChangeRequest(newCR, authzToken.qc.actor, None)
             serialized <- serialize(updated, status).toIO
           } yield {
             serialized
@@ -408,9 +420,14 @@ class ChangeRequestApiImpl(
         }
       }
 
-      withChangeRequestContext(id, params, schema, "update")((changeRequest, status, techniqueByDirective) =>
-        updateInfo(changeRequest, status, extractChangeRequestInfo(req.params))(techniqueByDirective.toMap)
-      ).toLiftResponseOne(params, schema, Some(id))
+      withChangeRequestContext(id, params, schema, "update")((changeRequest, status, techniqueByDirective) => {
+        for {
+          json   <- req.fromJson[ChangeRequestInfoJson].toIO
+          update <- updateInfo(changeRequest, status, json)(techniqueByDirective.toMap)
+        } yield {
+          update
+        }
+      }).toLiftResponseOne(params, schema, Some(id))
     }
   }
 
@@ -422,27 +439,27 @@ class ChangeRequestApiImpl(
   )(
       block:        (ChangeRequest, WorkflowNodeId, Map[DirectiveId, Technique]) => IOResult[T]
   ): IOResult[T] = {
-    val id = {
-      // PureResult.attempt(s"'${sid}' is not a valid change request id (need to be an integer)")(ChangeRequestId(sid.toInt))
-      Box(sid.toIntOption.map(ChangeRequestId(_))) ?~ (s"'${sid}' is not a valid change request id (need to be an integer)")
-    }
-
-    checkWorkflow match {
-      case true =>
-        (for {
-          crId          <- id
-          optCr         <- readChangeRequest.get(crId) ?~! (s"Could not find ChangeRequest ${sid}")
-          changeRequest <-
-            Box(optCr) ?~ (s"Could not get ChangeRequest ${sid} details cause is: change request with id ${sid} does not exist.")
-          status        <- readWorkflow.getStateOfChangeRequest(crId) ?~! (s"Could not find ChangeRequest ${sid} status")
-          result        <- getDirectiveTechniques(changeRequest).flatMap(block(changeRequest, status, _)).toBox
-        } yield {
-          result
-        }).toIO
-          .chainError(s"Could not ${actionDetail} ChangeRequest ${sid}")
 
-      case false =>
-        disabledWorkflowAnswer
+    if (checkWorkflow) {
+      (for {
+        crId          <- sid.toIntOption
+                           .notOptional(s"'${sid}' is not a valid change request id (need to be an integer)")
+                           .map(ChangeRequestId(_))
+        changeRequest <- readChangeRequest
+                           .get(crId)
+                           .chainError(s"Could not find ChangeRequest ${sid}")
+                           .notOptional(s"Change request with id ${sid} does not exist.")
+        status        <- readWorkflow
+                           .getStateOfChangeRequest(crId)
+                           .chainError(s"Could not find ChangeRequest ${sid} status")
+        result        <- getDirectiveTechniques(changeRequest)
+                           .flatMap(block(changeRequest, status, _))
+      } yield {
+        result
+      })
+        .chainError(s"Could not ${actionDetail} ChangeRequest ${sid}")
+    } else {
+      disabledWorkflowAnswer
     }
   }
 
@@ -506,32 +523,6 @@ class ChangeRequestApiImpl(
       })
   }
 
-  private def extractChangeRequestInfo(params: Map[String, List[String]]): APIChangeRequestInfo = {
-    APIChangeRequestInfo(
-      params.get("name").flatMap(_.headOption),
-      params.get("description").flatMap(_.headOption)
-    )
-  }
-
-  private def extractReason(req: Req): IOResult[Option[String]] = {
-    import ReasonBehavior.*
-    (userPropertyService.reasonsFieldBehavior match {
-      case Disabled => ZIO.none
-      case mode     =>
-        val reason = req.params.get("reason").flatMap(_.headOption)
-        (mode: @unchecked) match {
-          case Mandatory =>
-            reason
-              .notOptional("Reason field is mandatory and should be at least 5 characters long")
-              .reject {
-                case s if s.lengthIs < 5 => Inconsistency("Reason field should be at least 5 characters long")
-              }
-              .map(Some(_))
-          case Optionnal => reason.succeed
-        }
-    }).chainError("There was an error while extracting reason message")
-  }
-
   private[this] def extractFilters(params: Map[String, List[String]]): PureResult[ChangeRequestFilter] = {
     import ChangeRequestFilter.*
     for {
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/SupervisedTargetsApi.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/SupervisedTargetsApi.scala
index 3a0fa16b3..5ef25efe4 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/SupervisedTargetsApi.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/SupervisedTargetsApi.scala
@@ -88,7 +88,8 @@ object SupervisedTargetsApi       extends Enum[SupervisedTargetsApi] with ApiMod
     val description    = "Save the updated list of groups"
     val (action, path) = POST / "changevalidation" / "supervised" / "targets"
 
-    override def dataContainer: Option[String] = None
+    override def dataContainer: Option[String]          = None
+    val authz:                  List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   def endpoints = values.toList.sortBy(_.z)
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/ValidatedUserApi.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/ValidatedUserApi.scala
index 3fa096aaa..b42d52eee 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/ValidatedUserApi.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/ValidatedUserApi.scala
@@ -77,7 +77,8 @@ object ValidatedUserApi       extends Enum[ValidatedUserApi] with ApiModuleProvi
     val (action, path) = DELETE / "validatedUsers" / "{username}"
 
     override val name = "removeValidatedUser"
-    override def dataContainer: Option[String] = None
+    override def dataContainer: Option[String]          = None
+    val authz:                  List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
   final case object SaveWorkflowUsers           extends ValidatedUserApi with ZeroParam with StartsAtVersion3 with SortIndex {
     val z              = implicitly[Line].value
@@ -86,6 +87,7 @@ object ValidatedUserApi       extends Enum[ValidatedUserApi] with ApiModuleProvi
 
     override def dataContainer: Option[String] = None
     override val name = "saveWorkflowUser"
+    val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   def endpoints = values.toList.sortBy(_.z)
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/WorkflowInternalApi.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/WorkflowInternalApi.scala
new file mode 100644
index 000000000..fb6e320e9
--- /dev/null
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/api/WorkflowInternalApi.scala
@@ -0,0 +1,142 @@
+/*
+ *************************************************************************************
+ * Copyright 2025 Normation SAS
+ *************************************************************************************
+ *
+ * This file is part of Rudder.
+ *
+ * Rudder is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * In accordance with the terms of section 7 (7. Additional Terms.) of
+ * the GNU General Public License version 3, the copyright holders add
+ * the following Additional permissions:
+ * Notwithstanding to the terms of section 5 (5. Conveying Modified Source
+ * Versions) and 6 (6. Conveying Non-Source Forms.) of the GNU General
+ * Public License version 3, when you create a Related Module, this
+ * Related Module is not considered as a part of the work and may be
+ * distributed under the license agreement of your choice.
+ * A "Related Module" means a set of sources files including their
+ * documentation that, without modification of the Source Code, enables
+ * supplementary functions or services in addition to those offered by
+ * the Software.
+ *
+ * Rudder is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Rudder.  If not, see <http://www.gnu.org/licenses/>.
+
+ *
+ *************************************************************************************
+ */
+
+package com.normation.plugins.changevalidation.api
+
+import cats.data.NonEmptyList
+import com.normation.plugins.changevalidation.PendingCountJson
+import com.normation.plugins.changevalidation.RoWorkflowRepository
+import com.normation.plugins.changevalidation.TwoValidationStepsWorkflowServiceImpl
+import com.normation.rudder.AuthorizationType
+import com.normation.rudder.api.ApiVersion
+import com.normation.rudder.api.HttpAction.GET
+import com.normation.rudder.rest.ApiModuleProvider
+import com.normation.rudder.rest.ApiPath
+import com.normation.rudder.rest.AuthzToken
+import com.normation.rudder.rest.EndpointSchema
+import com.normation.rudder.rest.EndpointSchema.syntax.AddPath
+import com.normation.rudder.rest.EndpointSchema.syntax.BuildPath
+import com.normation.rudder.rest.EndpointSchema0
+import com.normation.rudder.rest.InternalApi
+import com.normation.rudder.rest.SortIndex
+import com.normation.rudder.rest.StartsAtVersion21
+import com.normation.rudder.rest.ZeroParam
+import com.normation.rudder.rest.implicits.ToLiftResponseOne
+import com.normation.rudder.rest.lift.DefaultParams
+import com.normation.rudder.rest.lift.LiftApiModule
+import com.normation.rudder.rest.lift.LiftApiModule0
+import com.normation.rudder.rest.lift.LiftApiModuleProvider
+import com.normation.rudder.users.UserService
+import enumeratum.Enum
+import enumeratum.EnumEntry
+import net.liftweb.http.LiftResponse
+import net.liftweb.http.Req
+import sourcecode.Line
+import zio.syntax.ToZio
+
+sealed trait WorkflowInternalApi extends EnumEntry with EndpointSchema with InternalApi with SortIndex
+object WorkflowInternalApi       extends Enum[WorkflowInternalApi] with ApiModuleProvider[WorkflowInternalApi] {
+
+  final case object PendingChangeRequestCount extends WorkflowInternalApi with ZeroParam with StartsAtVersion21 with SortIndex {
+    val z              = implicitly[Line].value
+    val (action, path) = GET / "changevalidation" / "workflow" / "pendingCountByStatus"
+    val description    =
+      "Get total count of change requests in each state, i.e. PendingValidation and PendingDeployment"
+
+    override def dataContainer: Option[String]          = Some("workflow")
+    override def authz:         List[AuthorizationType] = {
+      List(AuthorizationType.Deployer.Read, AuthorizationType.Validator.Read)
+    }
+  }
+
+  override def endpoints: List[WorkflowInternalApi]       = values.toList.sortBy(_.z)
+  override def values:    IndexedSeq[WorkflowInternalApi] = findValues
+}
+
+class WorkflowInternalApiImpl(
+    readWorkflow: RoWorkflowRepository,
+    userService:  UserService
+) extends LiftApiModuleProvider[WorkflowInternalApi] {
+  import com.normation.plugins.changevalidation.api.WorkflowInternalApi as API
+
+  override def schemas: ApiModuleProvider[WorkflowInternalApi] = API
+
+  override def getLiftEndpoints(): List[LiftApiModule] = {
+    API.endpoints.map { case API.PendingChangeRequestCount => PendingChangeRequestCount }
+  }
+
+  object PendingChangeRequestCount extends LiftApiModule0 {
+
+    override val schema: EndpointSchema0 = API.PendingChangeRequestCount
+
+    override def process0(
+        version:    ApiVersion,
+        path:       ApiPath,
+        req:        Req,
+        params:     DefaultParams,
+        authzToken: AuthzToken
+    ): LiftResponse = {
+
+      val user = userService.getCurrentUser
+
+      val isValidator = user.checkRights(AuthorizationType.Validator.Read)
+      val isDeployer  = user.checkRights(AuthorizationType.Deployer.Read)
+
+      val filter = {
+        if (isValidator && isDeployer) {
+          List(TwoValidationStepsWorkflowServiceImpl.Validation.id, TwoValidationStepsWorkflowServiceImpl.Deployment.id)
+        } else if (isValidator) List(TwoValidationStepsWorkflowServiceImpl.Validation.id)
+        else if (isDeployer) List(TwoValidationStepsWorkflowServiceImpl.Deployment.id)
+        else List()
+      }
+
+      NonEmptyList.fromList(filter) match {
+        case None                 =>
+          // Should never happen : a request from a user that doesn't have either rights will not be processed here
+          PendingCountJson(None, None).succeed.toLiftResponseOne(params, schema, None)
+        case Some(nonEmptyFilter) =>
+          readWorkflow
+            .getCountByState(nonEmptyFilter)
+            .map(PendingCountJson.from)
+            .chainError("Could not get pending change request count")
+            .toLiftResponseOne(params, schema, None)
+      }
+
+    }
+
+  }
+}
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/comet/WorkflowInformation.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/comet/WorkflowInformation.scala
index 65b508129..cc4a1d4ea 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/comet/WorkflowInformation.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/comet/WorkflowInformation.scala
@@ -38,147 +38,96 @@
 package com.normation.plugins.changevalidation.comet
 
 import bootstrap.liftweb.RudderConfig
-import com.normation.box.*
-import com.normation.plugins.changevalidation.EitherWorkflowService
-import com.normation.plugins.changevalidation.TwoValidationStepsWorkflowServiceImpl
-import com.normation.rudder.AuthorizationType
 import com.normation.rudder.batch.AsyncWorkflowInfo
-import com.normation.rudder.services.workflows.WorkflowService
 import com.normation.rudder.services.workflows.WorkflowUpdate
-import com.normation.rudder.users.CurrentUser
+import com.normation.zio.UnsafeRun
 import net.liftweb.common.*
 import net.liftweb.http.*
+import net.liftweb.http.js.JsCmds.Run
 import scala.xml.*
 
+/**
+ * Actor to dynamically update the count of change requests once workflows are updated.
+ *
+ * It loads the corresponding WorkflowInformation Elm app, which can also be
+ * dynamically loaded depending on feature toggle.
+ */
 class WorkflowInformation extends CometActor with CometListener with Loggable {
-  private[this] def workflowService = {
-    RudderConfig.workflowLevelService.getWorkflowService()
+
+  private[this] val asyncWorkflow = RudderConfig.asyncWorkflowInfo
+
+  private[this] var workflowEnabledPrev = getWorkflowEnabled()
+  private[this] var shouldLoadScript    = workflowEnabledPrev
+
+  private[this] def getWorkflowEnabled() = {
+    RudderConfig.configService.rudder_workflow_enabled().orElseSucceed(false).runNow
   }
-  private[this] val asyncWorkflow   = RudderConfig.asyncWorkflowInfo
 
-  private[this] val isValidator = CurrentUser.checkRights(AuthorizationType.Validator.Edit)
-  private[this] val isDeployer  = CurrentUser.checkRights(AuthorizationType.Deployer.Edit)
   override def registerWith: AsyncWorkflowInfo = asyncWorkflow
 
   override val defaultHtml = NodeSeq.Empty
 
-  val layout = {
-    <li class="nav-item dropdown notifications-menu">
+  def render: RenderOut = {
+    /*
+    A menu entry created by the WorkflowInformation Elm app, when mounted on #workflow-app, it looks like :
+
+    <li class="nav-item dropdown notifications-menu" id="workflow-app">
       <a href="#" class="dropdown-toggle" data-bs-toggle="dropdown" role="button" aria-expanded="false">
         <span>CR</span>
         <span id="number" class="badge rudder-badge"></span>
       </a>
       <ul class="dropdown-menu" role="menu">
-        <li id="workflow-app">
+        <li>
           <ul class="menu">
+            ... pending change requests by status here ...
           </ul>
         </li>
       </ul>
     </li>
-  }
-
-  def render = {
-    val xml = RudderConfig.configService.rudder_workflow_enabled().toBox match {
-      case eb: EmptyBox =>
-        val e = eb ?~! "Error when trying to read Rudder configuration for workflow activation"
-        logger.error(e.messageChain)
-        e.rootExceptionCause.foreach(ex => logger.error("Exception was:", e))
-
-        (".dropdown-menu *" #> <li class="dropdown-header">{e.msg}</li>).apply(layout)
-
-      case Full(workflowEnabled) =>
-        val cssSelect = {
-          if (workflowEnabled && (isValidator || isDeployer)) {
-            {
-              if (isValidator) pendingModifications
-              else ".dropdown-menu *+" #> NodeSeq.Empty
-            } & {
-              if (isDeployer) pendingDeployment
-              else ".dropdown-menu *+" #> NodeSeq.Empty
-            } &
-            "#number *" #> requestCount(workflowService)
-          } else {
-            ".dropdown *" #> NodeSeq.Empty
-          }
-        }
-
-        cssSelect(layout)
+     */
+
+    val xml = {
+      <li id="workflow-app" class="nav-item dropdown notifications-menu">
+        <a href="#" class="dropdown-toggle placeholder-glow" data-bs-toggle="dropdown" role="button" aria-expanded="false">
+          <span>CR</span>
+          <span id="number" class="badge rudder-badge placeholder">-</span>
+        </a>
+      </li>
     }
-
+    loadScript()
     new RenderOut(xml)
   }
 
-  def requestCount(workflowService: WorkflowService): Int = {
-
-    workflowService match {
-      case ws:     TwoValidationStepsWorkflowServiceImpl =>
-        val validation =
-          if (isValidator) ws.getItemsInStep(TwoValidationStepsWorkflowServiceImpl.Validation.id).map(_.size).getOrElse(0) else 0
-        val deployment =
-          if (isDeployer) ws.getItemsInStep(TwoValidationStepsWorkflowServiceImpl.Deployment.id).map(_.size).getOrElse(0) else 0
-        validation + deployment
-      case either: EitherWorkflowService                 => requestCount(either.current)
-      case _ => 0
-    }
-  }
-
-  def pendingModifications = {
-    val xml = pendingModificationRec(workflowService)
+  override def lowPriority = {
+    case WorkflowUpdate =>
+      val workflowEnabled = getWorkflowEnabled()
 
-    "#workflow-app ul *+" #> xml
-  }
-
-  private[this] def pendingModificationRec(workflowService: WorkflowService): NodeSeq = {
-    workflowService match {
-      case ws:     TwoValidationStepsWorkflowServiceImpl =>
-        ws.getItemsInStep(TwoValidationStepsWorkflowServiceImpl.Validation.id) match {
-          case Full(seq) =>
-            <li>
-              <a href="/secure/plugins/changes/changeRequests/Pending_validation" class="pe-auto">
-                <span>
-                  <i class="pe-2 fa fa-flag-o"></i>
-                  Pending review
-                </span>
-                <span class="float-end badge bg-light text-dark px-2">{seq.size}</span>
-              </a>
-            </li>
-          case e: EmptyBox =>
-            <li><p class="error">Error when trying to fetch pending change requests.</p></li>
-        }
-      case either: EitherWorkflowService                 => pendingModificationRec(either.current)
-      case _ => // For other kind of workflows, this has no meaning
-        <li><p class="error">Error, the configured workflow does not have that step.</p></li>
-    }
-  }
+      // The script should be loaded if the workflow_enabled setting has been enabled since the last render
+      if ((!workflowEnabledPrev) && workflowEnabled) shouldLoadScript = true
+      if (workflowEnabledPrev && (!workflowEnabled)) shouldLoadScript = false
 
-  def pendingDeployment = {
-    val xml = pendingDeploymentRec(workflowService)
+      workflowEnabledPrev = workflowEnabled
 
-    "#workflow-app ul *+" #> xml
+      loadScript()
   }
 
-  private[this] def pendingDeploymentRec(workflowService: WorkflowService): NodeSeq = {
-    workflowService match {
-      case ws:     TwoValidationStepsWorkflowServiceImpl =>
-        ws.getItemsInStep(TwoValidationStepsWorkflowServiceImpl.Deployment.id) match {
-          case Full(seq) =>
-            <li>
-              <a href="/secure/plugins/changes/changeRequests/Pending_deployment" class="pe-auto">
-                <span>
-                  <i class="pe-2 fa fa-flag-checkered"></i>
-                  Pending deployment
-                </span>
-                <span class="float-end badge bg-light text-dark px-2">{seq.size}</span>
-              </a>
-            </li>
-          case e: EmptyBox =>
-            <li><p class="error">Error when trying to fetch pending change requests.</p></li>
-        }
-      case either: EitherWorkflowService                 => pendingDeploymentRec(either.current)
-      case _ => // For other kind of workflows, this has no meaning
-        <li><p class="error">Error, the configured workflow does not have that step.</p></li>
+  private def loadScript(): Unit = {
+    if (shouldLoadScript) {
+      partialUpdate(Run("""
+        $(document).ready(function(){
+          const node = document.getElementById("workflow-app");
+          if (!node) return;
+          const initValues = {
+            contextPath : contextPath
+          };
+          const app  = Elm.WorkflowInformation.init({node: node, flags: initValues});
+
+          app.ports.errorNotification.subscribe((errMsg) => {
+            createErrorNotification(errMsg)
+          })
+        });
+      """))
     }
   }
 
-  override def lowPriority = { case WorkflowUpdate => reRender() }
 }
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/extension/ChangeValidationTab.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/extension/ChangeValidationTab.scala
new file mode 100644
index 000000000..4067a11e5
--- /dev/null
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/extension/ChangeValidationTab.scala
@@ -0,0 +1,55 @@
+/*
+ *************************************************************************************
+ * Copyright 2024 Normation SAS
+ *************************************************************************************
+ *
+ * This file is part of Rudder.
+ *
+ * Rudder is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * In accordance with the terms of section 7 (7. Additional Terms.) of
+ * the GNU General Public License version 3, the copyright holders add
+ * the following Additional permissions:
+ * Notwithstanding to the terms of section 5 (5. Conveying Modified Source
+ * Versions) and 6 (6. Conveying Non-Source Forms.) of the GNU General
+ * Public License version 3, when you create a Related Module, this
+ * Related Module is not considered as a part of the work and may be
+ * distributed under the license agreement of your choice.
+ * A "Related Module" means a set of sources files including their
+ * documentation that, without modification of the Source Code, enables
+ * supplementary functions or services in addition to those offered by
+ * the Software.
+ *
+ * Rudder is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Rudder.  If not, see <http://www.gnu.org/licenses/>.
+
+ *
+ *************************************************************************************
+ */
+
+package com.normation.plugins.changevalidation.extension
+
+import com.normation.plugins.PluginExtensionPoint
+import com.normation.plugins.PluginStatus
+import com.normation.rudder.web.ChooseTemplate
+import com.normation.rudder.web.snippet.administration.Settings
+import scala.reflect.ClassTag
+import scala.xml.NodeSeq
+
+class ChangeValidationTab(val status: PluginStatus)(implicit val ttag: ClassTag[Settings])
+    extends PluginExtensionPoint[Settings] {
+
+  private val template = ChooseTemplate("template" :: "ChangeValidationManagement" :: Nil, "component-body")
+
+  override def pluginCompose(snippet: Settings): Map[String, NodeSeq => NodeSeq] = Map(
+    "body" -> Settings.addTab("changeValidationTab", "Change validation", template)
+  )
+}
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestChangesForm.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestChangesForm.scala
index 49834a631..436a36a5d 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestChangesForm.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestChangesForm.scala
@@ -38,7 +38,6 @@
 package com.normation.plugins.changevalidation.snippet
 
 import bootstrap.liftweb.*
-import com.normation.box.*
 import com.normation.cfclerk.domain.SectionSpec
 import com.normation.cfclerk.domain.TechniqueId
 import com.normation.cfclerk.domain.TechniqueName
@@ -66,8 +65,10 @@ import com.normation.rudder.rule.category.RuleCategory
 import com.normation.rudder.users.CurrentUser
 import com.normation.rudder.web.ChooseTemplate
 import com.normation.rudder.web.model.*
+import com.normation.rudder.web.snippet.WithNonce
 import com.normation.utils.DateFormaterService
-import net.liftweb.common.*
+import com.normation.zio.UnsafeRun
+import net.liftweb.common.Loggable
 import net.liftweb.http.*
 import net.liftweb.http.js.JE.*
 import net.liftweb.http.js.JsCmds.*
@@ -75,6 +76,7 @@ import net.liftweb.util.Helpers.*
 import org.apache.commons.text.StringEscapeUtils
 import org.joda.time.DateTime
 import scala.xml.*
+import zio.json.*
 
 object ChangeRequestChangesForm {
   def form = ChooseTemplate(
@@ -107,8 +109,15 @@ class ChangeRequestChangesForm(
         implicit val qc: QueryContext = CurrentUser.queryContext
         changeRequest match {
           case cr: ConfigurationChangeRequest =>
-            ruleCategoryRepository.getRootCategory().toBox match {
-              case Full(rootRuleCategory) =>
+            ruleCategoryRepository
+              .getRootCategory()
+              .chainError("An error occurred when trying to get data from base. ")
+              .either
+              .runNow match {
+              case Left(err)               =>
+                logger.error(err.fullMsg)
+                Text(err.fullMsg)
+              case Right(rootRuleCategory) =>
                 ("#changeTree ul *" #> new ChangesTreeNode(cr, rootRuleCategory).toXml &
                 "#history *" #> displayHistory(
                   rootRuleCategory,
@@ -124,12 +133,9 @@ class ChangeRequestChangesForm(
                   cr.rules.values.map(_.changes).toList,
                   cr.globalParams.values.map(_.changes).toList
                 ))(form) ++
-                Script(JsRaw(s"""buildChangesTree("#changeTree","${S.contextPath}");""")) // JsRaw ok, const
-
-              case eb: EmptyBox =>
-                val e = eb ?~! "An error occurred when trying to get data from base. "
-                logger.error(e.messageChain)
-                Text(e.msg)
+                WithNonce.scriptWithNonce(
+                  Script(JsRaw(s"""buildChangesTree("#changeTree","${S.contextPath}");"""))
+                ) // JsRaw ok, const
             }
 
           case _ => Text("not implemented")
@@ -266,8 +272,8 @@ class ChangeRequestChangesForm(
       rules:            List[RuleChange] = Nil,
       globalParams:     List[GlobalParameterChange] = Nil
   )(implicit qc: QueryContext) = {
-    val crLogs = changeRequestEventLogService.getChangeRequestHistory(changeRequest.id).getOrElse(Seq())
-    val wfLogs = workFlowEventLogService.getChangeRequestHistory(changeRequest.id).getOrElse(Seq())
+    val crLogs = changeRequestEventLogService.getChangeRequestHistory(changeRequest.id).orElseSucceed(Seq()).runNow
+    val wfLogs = workFlowEventLogService.getChangeRequestHistory(changeRequest.id).orElseSucceed(Seq()).runNow
 
     val lines = {
       wfLogs.flatMap(displayWorkflowEvent(_)) ++
@@ -309,9 +315,11 @@ class ChangeRequestChangesForm(
         $$('.dataTables_filter input').attr("placeholder", "Filter"); """) // JsRaw ok, const
 
     ("#crBody" #> lines).apply(CRTable) ++
-    Script(
-      SetHtml("diff", diff(rootRuleCategory, directives, groups, rules, globalParams)) &
-      initDatatable
+    WithNonce.scriptWithNonce(
+      Script(
+        SetHtml("diff", diff(rootRuleCategory, directives, groups, rules, globalParams)) &
+        initDatatable
+      )
     )
   }
   val CRTable = {
@@ -442,7 +450,7 @@ class ChangeRequestChangesForm(
       "#shortDescription" #> group.description &
       "#query" #> (group.query match {
         case None    => Text("None")
-        case Some(q) => Text(q.toJSONString)
+        case Some(q) => Text(q.toJson)
       }) &
       "#isDynamic" #> group.isDynamic &
       "#properties" #> <ul>{group.properties.map(p => <li>{p.name}: {p.valueAsString}</li>)}</ul> &
@@ -467,7 +475,7 @@ class ChangeRequestChangesForm(
   )(implicit qc: QueryContext) = {
     def displayQuery(query: Option[Query])            = query match {
       case None    => "None"
-      case Some(q) => q.toJSONString
+      case Some(q) => q.toJson
     }
     def displayServerList(servers: Set[NodeId]): String = {
       servers.map(_.value).toList.sortBy(s => s).mkString("\n")
@@ -623,7 +631,7 @@ class ChangeRequestChangesForm(
         (ruleChange.change.map { change =>
           val rule = change.diff.rule
           (for {
-            groupLib <- getGroupLib().toBox
+            groupLib <- getGroupLib()
           } yield {
 
             change.diff match {
@@ -641,21 +649,17 @@ class ChangeRequestChangesForm(
                 displayRule(rule, rootRuleCategory, groupLib)
             }
 
-          }) match {
-            case Full(xml) =>
-              xml
-            case eb: EmptyBox =>
-              val fail = eb ?~! s"Could not display diff for ${rule.name} (${rule.id.serialize})"
-              logger.error(fail.messageChain)
-              <div>{fail.messageChain}</div>
+          }).chainError(s"Could not display diff for ${rule.name} (${rule.id.serialize})").either.runNow match {
+            case Right(xml) => xml
+            case Left(err)  =>
+              logger.error(err.fullMsg)
+              <div>{err.fullMsg}</div>
           }
-        }) match {
-          case Full(xml) =>
-            xml
-          case eb: EmptyBox =>
-            val fail = eb ?~! s"Could not display Rule diffs"
-            logger.error(fail.messageChain)
-            <div>{fail.messageChain}</div>
+        }).chainError(s"Could not display Rule diffs") match {
+          case Right(xml) => xml
+          case Left(err)  =>
+            logger.error(err.fullMsg)
+            <div>{err.fullMsg}</div>
         }
       }</li>
     }) ++
@@ -718,15 +722,17 @@ class ChangeRequestChangesForm(
     <pre style="width:200px;" id={s"after${name}"}
     class="nodisplay">{fun(diff.newValue)}</pre>
     <pre id={s"result${name}"} ></pre> ++
-    Script(
-      OnLoad(
-        JsRaw(
-          s"""
+    WithNonce.scriptWithNonce(
+      Script(
+        OnLoad(
+          JsRaw(
+            s"""
             var before = "before${name}";
             var after  = "after${name}";
             var result = "result${name}";
             makeDiff(before,after,result);"""
-        ) // JsRaw ok, escaped
+          ) // JsRaw ok, escaped
+        )
       )
     )
   }
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestDetails.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestDetails.scala
index ec153093d..788a579aa 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestDetails.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestDetails.scala
@@ -39,8 +39,10 @@ package com.normation.plugins.changevalidation.snippet
 
 import bootstrap.liftweb.RudderConfig
 import bootstrap.rudder.plugin.ChangeValidationConf
+import com.normation.box.*
+import com.normation.errors.BoxToIO
+import com.normation.errors.IOResult
 import com.normation.eventlog.EventActor
-import com.normation.eventlog.EventLog
 import com.normation.plugins.changevalidation.ChangeValidationLogger
 import com.normation.plugins.changevalidation.TwoValidationStepsWorkflowServiceImpl
 import com.normation.rudder.AuthorizationType
@@ -55,7 +57,12 @@ import com.normation.rudder.users.CurrentUser
 import com.normation.rudder.web.ChooseTemplate
 import com.normation.rudder.web.model.*
 import com.normation.utils.DateFormaterService
-import net.liftweb.common.*
+import com.normation.zio.UnsafeRun
+import net.liftweb.common.Box
+import net.liftweb.common.EmptyBox
+import net.liftweb.common.Failure
+import net.liftweb.common.Full
+import net.liftweb.common.Loggable
 import net.liftweb.http.*
 import net.liftweb.http.js.*
 import net.liftweb.http.js.JE.*
@@ -97,7 +104,7 @@ class ChangeRequestDetails extends DispatchSnippet with Loggable {
   private[this] var changeRequest: Box[ChangeRequest] = {
     CrId match {
       case Full(id) =>
-        roChangeRequestRepo.get(ChangeRequestId(id)) match {
+        roChangeRequestRepo.get(ChangeRequestId(id)).toBox match {
           case Full(Some(cr)) =>
             if (checkAccess(cr))
               Full(cr)
@@ -112,7 +119,9 @@ class ChangeRequestDetails extends DispatchSnippet with Loggable {
         Failure(s"Error in the cr id asked: ${fail.msg}")
     }
   }
-  private[this] def step = changeRequest.flatMap(cr => workflowService.findStep(cr.id))
+  private[this] def step = changeRequest.flatMap(cr => workflowService.findStep(cr.id).toBox)
+
+  implicit private val qc: QueryContext = CurrentUser.queryContext // bug https://issues.rudder.io/issues/26605
 
   def dispatch = {
     // Display Change request Header
@@ -120,7 +129,7 @@ class ChangeRequestDetails extends DispatchSnippet with Loggable {
       (xml => {
         changeRequest match {
           case eb: EmptyBox => NodeSeq.Empty
-          case Full(cr) => displayHeader(cr)(CurrentUser.queryContext)
+          case Full(cr) => displayHeader(cr)
         }
       })
 
@@ -136,16 +145,16 @@ class ChangeRequestDetails extends DispatchSnippet with Loggable {
             </div> ++
             Script(
               JsRaw(
-                s"""setTimeout("location.href = '${S.contextPath}/secure/plugins/changes/changeRequests';",5000);"""
+                s"""setTimeout("location.href = '${S.contextPath}/secure/configurationManager/changes/changeRequests';",5000);"""
               ) // JsRaw ok, const
             )
           case Full(cr) =>
             new ChangeRequestEditForm(
               cr.info,
               cr.owner,
-              step,
+              step.toIO,
               cr.id,
-              changeDetailsCallback(cr)(_)(CurrentUser.queryContext)
+              changeDetailsCallback(cr)(_)
             ).display
         }
       })
@@ -165,7 +174,7 @@ class ChangeRequestDetails extends DispatchSnippet with Loggable {
       _ => {
         changeRequest match {
           case eb: EmptyBox => NodeSeq.Empty
-          case Full(cr) => displayWarnUnmergeable(cr)(CurrentUser.queryContext)
+          case Full(cr) => displayWarnUnmergeable(cr)
         }
       }
     )
@@ -221,7 +230,7 @@ class ChangeRequestDetails extends DispatchSnippet with Loggable {
   private[this] def changeDetailsCallback(cr: ChangeRequest)(statusUpdate: ChangeRequestInfo)(implicit qc: QueryContext) = {
     workflowService match {
       case ws: TwoValidationStepsWorkflowServiceImpl =>
-        val newCR = ws.updateChangeRequestInfo(cr, statusUpdate, CurrentUser.actor, None)
+        val newCR = ws.updateChangeRequestInfo(cr, statusUpdate, CurrentUser.actor, None).toBox
         changeRequest = newCR
         SetHtml("changeRequestHeader", displayHeader(newCR.openOr(cr))) &
         SetHtml("changeRequestChanges", new ChangeRequestChangesForm(newCR.openOr(cr)).dispatch("changes")(NodeSeq.Empty))
@@ -233,50 +242,65 @@ class ChangeRequestDetails extends DispatchSnippet with Loggable {
   }
 
   def displayHeader(cr: ChangeRequest)(implicit qc: QueryContext) = {
-    // last action on the change Request (name/description changed):
-    val (action, date) = changeRequestEventLogService.getLastLog(cr.id) match {
-      case eb: EmptyBox => ("Error when retrieving the last action", None)
-      case Full(None)              => ("Error, no action were recorded for that change request", None) // should not happen here !
-      case Full(Some(e: EventLog)) =>
-        val actionName = e match {
-          case _: ModifyChangeRequest => "Modified"
-          case _: AddChangeRequest    => "Created"
-          case _: DeleteChangeRequest => "Deleted"
-        }
-        (s"${actionName} on ${DateFormaterService.getDisplayDate(e.creationDate)} by ${e.principal.name}", Some(e.creationDate))
+    val (findStep, last) = (for {
+      // last action on the change Request (name/description changed):
+      lastCRLog      <- changeRequestEventLogService.getLastLog(cr.id).either
+      (crAct, crDate) = lastCRLog match {
+                          case Left(err)      => (s"Error when retrieving the last change request action : ${err.fullMsg}", None)
+                          case Right(None)    => (s"Error: no action was recorded for change request with id ${cr.id.value}", None)
+                          case Right(Some(e)) =>
+                            val actionName = e match {
+                              case _: ModifyChangeRequest => "Modified"
+                              case _: AddChangeRequest    => "Created"
+                              case _: DeleteChangeRequest => "Deleted"
+                            }
+                            (
+                              s"${actionName} on ${DateFormaterService.getDisplayDate(e.creationDate)} by ${e.principal.name}",
+                              Some(e.creationDate)
+                            )
+                        }
+
+      // Last workflow change on that change Request
+      lastWFLog      <- workFlowEventLogService.getLastLog(cr.id).either
+      (wfAct, wfDate) = lastWFLog match {
+                          case Left(err)      => (s"Error when retrieving the last workflow change : ${err.fullMsg}", None)
+                          case Right(None)    => (s"Error: no action was recorded for change request with id ${cr.id.value}", None)
+                          case Right(Some(e)) =>
+                            val changeStep = eventlogDetailsService
+                              .getWorkflotStepChange(e.details)
+                              .map(step => s"State changed from ${step.from} to ${step.to}")
+                              .getOrElse("Step changed")
+
+                            (
+                              s"${changeStep} on ${DateFormaterService.getDisplayDate(e.creationDate)} by ${e.principal.name}",
+                              Some(e.creationDate)
+                            )
+                        }
+
+      last      = (crDate, wfDate) match {
+                    case (Some(crd), Some(wfd)) => if (crd.isAfter(wfd)) crAct else wfAct
+                    case (None, Some(_))        => wfAct
+                    case (_, None)              => crAct
+                  }
+      findStep <- workflowService
+                    .findStep(cr.id)
+                    .either
+    } yield {
+      (findStep, last)
+    }).runNow
+
+    val (crStatus, actionBtns) = findStep match {
+      case Left(err)   =>
+        (<div class="error">Cannot find the status of this change request</div>, NodeSeq.Empty)
+      case Right(step) =>
+        (Text(step.value), displayActionButton(cr, step))
     }
 
-    // Last workflow change on that change Request
-    val (step, stepDate) = workFlowEventLogService.getLastLog(cr.id) match {
-      case eb: EmptyBox => ("Error when retrieving the last action", None)
-      case Full(None)        => ("Error when retrieving the last action", None) // should not happen here !
-      case Full(Some(event)) =>
-        val changeStep = eventlogDetailsService
-          .getWorkflotStepChange(event.details)
-          .map(step => s"State changed from ${step.from} to ${step.to}")
-          .getOrElse("Step changed")
-
-        (
-          s"${changeStep} on ${DateFormaterService.getDisplayDate(event.creationDate)} by ${event.principal.name}",
-          Some(event.creationDate)
-        )
-    }
-
-    // Compare both to find the oldest
-    val last = (date, stepDate) match {
-      case (None, None)                 => action
-      case (Some(_), None)              => action
-      case (None, Some(_))              => step
-      case (Some(date), Some(stepDate)) => if (date.isAfter(stepDate)) action else step
-    }
-    ("#backButton [href]" #> "/secure/plugins/changes/changeRequests" &
+    ("#backButton [href]" #> "/secure/configurationManager/changes/changeRequests" &
     "#nameTitle *" #> s"CR #${cr.id}: ${cr.info.name}" &
-    "#CRStatus *" #> workflowService
-      .findStep(cr.id)
-      .map(x => Text(x.value))
-      .openOr(<div class="error">Cannot find the status of this change request</div>) &
+    "#CRStatus *" #> crStatus &
     "#CRLastAction *" #> s"${last}" &
-    "#actionBtns *" #> workflowService.findStep(cr.id).map(x => displayActionButton(cr, x)).openOr(NodeSeq.Empty))(header)
+    "#actionBtns *" #> actionBtns)(header)
 
   }
 
@@ -292,10 +316,10 @@ class ChangeRequestDetails extends DispatchSnippet with Loggable {
 
   def ChangeStepPopup(
       action:    String,
-      nextSteps: Seq[(WorkflowNodeId, (ChangeRequestId, EventActor, Option[String]) => Box[WorkflowNodeId])],
+      nextSteps: Seq[(WorkflowNodeId, (ChangeRequestId, EventActor, Option[String]) => IOResult[WorkflowNodeId])],
       cr:        ChangeRequest
   )(implicit qc: QueryContext) = {
-    type stepChangeFunction = (ChangeRequestId, EventActor, Option[String]) => Box[WorkflowNodeId]
+    type stepChangeFunction = (ChangeRequestId, EventActor, Option[String]) => IOResult[WorkflowNodeId]
 
     def closePopup: JsCmd = {
       SetHtml("changeRequestHeader", displayHeader(cr)) &
@@ -304,7 +328,8 @@ class ChangeRequestDetails extends DispatchSnippet with Loggable {
         workflowService
           .findStep(cr.id)
           .map(x => Text(x.value))
-          .openOr(<div class="error">Cannot find the status of this change request</div>)
+          .orElseSucceed(<div class="error">Cannot find the status of this change request</div>)
+          .runNow
       ) &
       SetHtml("changeRequestChanges", new ChangeRequestChangesForm(cr).dispatch("changes")(NodeSeq.Empty)) &
       JsRaw("""hideBsModal('popupContent');""") // JsRaw ok, const
@@ -335,13 +360,13 @@ class ChangeRequestDetails extends DispatchSnippet with Loggable {
     }
 
     val changeMessage = {
-      import com.normation.rudder.web.services.ReasonBehavior.*
+      import com.normation.rudder.config.ReasonBehavior.*
       userPropertyService.reasonsFieldBehavior match {
         case Disabled  => None
         case Mandatory => Some(buildReasonField(true, "subContainerReasonField"))
-        case Optionnal => Some(buildReasonField(false, "subContainerReasonField"))
+        case Optional  => Some(buildReasonField(false, "subContainerReasonField"))
         // for non-exhaustiveness God - yes, enum were not very well designed before scala 3
-        case x         => throw new IllegalArgumentException(s"This case should not happen, please report to developers")
+        case _         => throw new IllegalArgumentException(s"This case should not happen, please report to developers")
       }
     }
 
@@ -406,22 +431,26 @@ class ChangeRequestDetails extends DispatchSnippet with Loggable {
     def error(msg: String) = <div class="alert alert-danger">{msg}</div>
 
     def confirm(): JsCmd = {
+      val user = CurrentUser.actor
+
       if (formTracker.hasErrors) {
         formTracker.addFormError(error("There was problem with your request"))
         updateForm(nextChosen)
       } else {
-        nextChosen._2(cr.id, CurrentUser.actor, changeMessage.map(_.get)) match {
-          case Full(next) =>
+        val (_, evalNextStep) = nextChosen
+        evalNextStep(cr.id, user, changeMessage.map(_.get))
+          .chainError("could not change Change request step")
+          .either
+          .runNow match {
+          case Left(err)   =>
+            formTracker.addFormError(error(err.fullMsg))
+            logger.error(s"Error when saving change request '${cr.id.value}': ${err.fullMsg}")
+            updateForm(nextChosen)
+          case Right(next) =>
             SetHtml("workflowActionButtons", displayActionButton(cr, next)) &
             SetHtml("newStatus", Text(next.value)) &
             closePopup & JsRaw(""" initBsModal("successWorkflow"); """) // JsRaw ok, const
-          case eb: EmptyBox =>
-            val fail = eb ?~! "could not change Change request step"
-            formTracker.addFormError(error(fail.msg))
-            logger.error(s"Error when saving change request '${cr.id.value}': ${fail.messageChain}")
-            updateForm(nextChosen)
         }
-
       }
     }
 
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestEditForm.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestEditForm.scala
index ebd07cbb2..264284ce0 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestEditForm.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestEditForm.scala
@@ -38,12 +38,14 @@
 package com.normation.plugins.changevalidation.snippet
 
 import bootstrap.liftweb.RudderConfig
+import com.normation.errors.IOResult
 import com.normation.rudder.ActionType
 import com.normation.rudder.domain.workflows.*
 import com.normation.rudder.users.CurrentUser
 import com.normation.rudder.web.ChooseTemplate
 import com.normation.rudder.web.model.*
-import net.liftweb.common.*
+import com.normation.zio.UnsafeRun
+import net.liftweb.common.Loggable
 import net.liftweb.http.*
 import net.liftweb.http.js.*
 import net.liftweb.http.js.JsCmds.*
@@ -61,7 +63,7 @@ object ChangeRequestEditForm {
 class ChangeRequestEditForm(
     var info:        ChangeRequestInfo,
     creator:         String,
-    step:            Box[WorkflowNodeId],
+    step:            IOResult[WorkflowNodeId],
     crId:            ChangeRequestId,
     SuccessCallback: ChangeRequestInfo => JsCmd
 ) extends DispatchSnippet with Loggable {
@@ -100,7 +102,7 @@ class ChangeRequestEditForm(
     val authz   = CurrentUser.getRights.authorizationTypes.toSeq.collect { case right: ActionType.Edit => right.authzKind }
     val isOwner = creator == CurrentUser.actor.name
     step.map(workflowService.isEditable(authz, _, isOwner))
-  }.openOr(false)
+  }.orElseSucceed(false).runNow
 
   private[this] def actionButton = {
     if (isEditable)
@@ -134,7 +136,8 @@ class ChangeRequestEditForm(
     "#CRId *" #> crId.value &
     "#CRStatusDetails *" #> step
       .map(wfId => Text(wfId.toString))
-      .openOr(<div class="error">Cannot find the status of this change request</div>) &
+      .orElseSucceed(<div class="error">Cannot find the status of this change request</div>)
+      .runNow &
     "#CRDescription *" #> CRDescription &
     "#CRSave *" #> actionButton)(form)
   }
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestManagement.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestManagement.scala
index e1afed8ee..e3fd95cfe 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestManagement.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeRequestManagement.scala
@@ -48,18 +48,25 @@ import com.normation.rudder.users.CurrentUser
 import com.normation.rudder.web.services.JsTableData
 import com.normation.rudder.web.services.JsTableLine
 import com.normation.utils.DateFormaterService
-import net.liftweb.common.*
+import com.normation.zio.UnsafeRun
+import net.liftweb.common.Box
+import net.liftweb.common.EmptyBox
+import net.liftweb.common.Full
+import net.liftweb.common.Loggable
 import net.liftweb.http.*
 import net.liftweb.http.DispatchSnippet
 import net.liftweb.http.SHtml
 import net.liftweb.http.SHtml.SelectableOption
 import net.liftweb.http.js.JE.*
 import net.liftweb.http.js.JsCmds.*
+import net.liftweb.http.js.JsObj
 import net.liftweb.util.Helpers.*
 import org.apache.commons.text.StringEscapeUtils
 import scala.xml.Elem
 import scala.xml.NodeSeq
 import scala.xml.Text
+import zio.UIO
+import zio.syntax.*
 
 class ChangeRequestManagement extends DispatchSnippet with Loggable {
 
@@ -99,7 +106,9 @@ class ChangeRequestManagement extends DispatchSnippet with Loggable {
     val date =
       eventsMap.get(changeRequest.id).map(event => DateFormaterService.serialize(event.creationDate)).getOrElse("Unknown")
 
-    val json = {
+    override def json(freshName: () => String): JsObj = toJson
+
+    val toJson = {
       JsObj(
         "id"               -> changeRequest.id.value,
         "name"             -> changeRequest.info.name,
@@ -110,29 +119,32 @@ class ChangeRequestManagement extends DispatchSnippet with Loggable {
     }
   }
 
-  def getLines()    = {
+  def getLines(): UIO[JsTableData[ChangeRequestLine]] = {
     val changeRequests = if (currentUser) roCrRepo.getAll() else roCrRepo.getByContributor(CurrentUser.actor)
-    JsTableData(changeRequests match {
-      case Full(changeRequests) =>
-        val eventMap = getLastEventsMap
 
-        val workflowStateMap: Map[ChangeRequestId, WorkflowNodeId] = workflowService.getAllChangeRequestsStep() match {
-          case Full(stateMap) => stateMap
-          case eb: EmptyBox =>
-            val fail = eb ?~! "Could not find change requests state"
-            logger.error(fail.messageChain)
-            Map()
-        }
-        changeRequests.map(ChangeRequestLine(_, workflowStateMap, eventMap)).toList
-      case eb: EmptyBox =>
-        val fail = eb ?~! s"Could not get change requests because of : ${eb}"
-        logger.error(fail.msg)
-        Nil
-    })
+    for {
+      crs              <- changeRequests
+                            .chainError("Could not get change requests")
+                            .catchAll(err => {
+                              logger.error(err.fullMsg)
+                              Vector().succeed
+                            })
+      workflowStateMap <- workflowService
+                            .getAllChangeRequestsStep()
+                            .chainError("Could not find change requests state")
+                            .catchAll(err => {
+                              logger.error(err.fullMsg)
+                              Map.empty[ChangeRequestId, WorkflowNodeId].succeed
+                            })
+      lastEventsMap    <- getLastEventsMap
+    } yield {
+      JsTableData(crs.map(ChangeRequestLine(_, workflowStateMap, lastEventsMap)).toList)
+    }
   }
+
   def dataTableInit = {
     val refresh = AnonFunc(
-      SHtml.ajaxInvoke(() => JsRaw(s"refreshTable('${changeRequestTableId}',${getLines().json.toJsCmd})"))
+      SHtml.ajaxInvoke(() => JsRaw(s"refreshTable('${changeRequestTableId}',${getLines().runNow.toJson.toJsCmd})"))
     ) // JsRaw ok, from json
 
     val filter = initFilter match {
@@ -152,36 +164,38 @@ class ChangeRequestManagement extends DispatchSnippet with Loggable {
   /**
    * Get all events, merge them via a mutMap (we only want to keep the most recent event)
    */
-  private[this] def getLastEventsMap = {
-    val CREventsMap:       Map[ChangeRequestId, EventLog] = changeRequestEventLogService.getLastCREvents match {
-      case Full(map) => map
-      case eb: EmptyBox =>
-        val fail = eb ?~! "Could not find last Change requests events requests state"
-        logger.error(fail.messageChain)
-        Map()
-    }
-    val workflowEventsMap: Map[ChangeRequestId, EventLog] = workflowLoggerService.getLastWorkflowEvents() match {
-      case Full(map) => map
-      case eb: EmptyBox =>
-        val fail = eb ?~! "Could not find last Change requests events requests state"
-        logger.error(fail.messageChain)
-        Map()
-    }
+  private[this] def getLastEventsMap: UIO[Map[ChangeRequestId, EventLog]] = {
 
-    import scala.collection.mutable.Map as MutMap
+    for {
+      crEventsMap       <- changeRequestEventLogService.getLastCREvents
+                             .chainError("Could not find last Change requests events requests state")
+                             .catchAll(err => {
+                               logger.error(err.fullMsg)
+                               Map.empty[ChangeRequestId, EventLog].succeed
+                             })
+      workflowEventsMap <- workflowLoggerService
+                             .getLastWorkflowEvents()
+                             .chainError("Could not find last Change requests events requests state")
+                             .catchAll(err => {
+                               logger.error(err.fullMsg)
+                               Map.empty[ChangeRequestId, EventLog].succeed
+                             })
+    } yield {
+      import scala.collection.mutable.Map as MutMap
 
-    val eventMap = MutMap() ++ CREventsMap
+      val eventMap = MutMap() ++ crEventsMap
 
-    for {
-      (crId, event) <- workflowEventsMap
-    } {
-      eventMap.get(crId) match {
-        case Some(currentEvent) if (currentEvent.creationDate isAfter event.creationDate) =>
-        case _                                                                            => eventMap.update(crId, event)
+      for {
+        (crId, event) <- workflowEventsMap
+      } {
+        eventMap.get(crId) match {
+          case Some(currentEvent) if (currentEvent.creationDate isAfter event.creationDate) =>
+          case _                                                                            => eventMap.update(crId, event)
+        }
       }
-    }
 
-    eventMap.toMap
+      eventMap.toMap
+    }
   }
 
   def statusFilter = {
diff --git a/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeValidationSettings.scala b/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeValidationSettings.scala
index 4b249677f..b3152aa9c 100644
--- a/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeValidationSettings.scala
+++ b/change-validation/src/main/scala/com/normation/plugins/changevalidation/snippet/ChangeValidationSettings.scala
@@ -40,14 +40,14 @@ package com.normation.plugins.changevalidation.snippet
 import bootstrap.liftweb.RudderConfig
 import com.normation.appconfig.ReadConfigService
 import com.normation.appconfig.UpdateConfigService
-import com.normation.box.*
-import net.liftweb.common.*
+import com.normation.rudder.web.snippet.WithNonce
+import com.normation.zio.UnsafeRun
 import net.liftweb.http.*
 import net.liftweb.http.js.JsCmds.Run
 import net.liftweb.http.js.JsCmds.Script
-import net.liftweb.util.Helpers
 import net.liftweb.util.Helpers.*
 import scala.xml.NodeSeq
+import zio.syntax.*
 
 class ChangeValidationSettings extends DispatchSnippet {
 
@@ -61,26 +61,38 @@ class ChangeValidationSettings extends DispatchSnippet {
 
   def workflowConfiguration: NodeSeq => NodeSeq = { (xml: NodeSeq) =>
     //  initial values, updated on successful submit
-    var initEnabled = configService.rudder_workflow_enabled().toBox
-    var initSelfVal = configService.rudder_workflow_self_validation().toBox
-    var initSelfDep = configService.rudder_workflow_self_deployment().toBox
+    var initEnabled = configService.rudder_workflow_enabled()
+    var initSelfVal = configService.rudder_workflow_self_validation()
+    var initSelfDep = configService.rudder_workflow_self_deployment()
 
     // form values
-    var enabled = initEnabled.getOrElse(false)
-    var selfVal = initSelfVal.getOrElse(false)
-    var selfDep = initSelfDep.getOrElse(false)
+    var enabled = initEnabled.orElseSucceed(false).runNow
+    var selfVal = initSelfVal.orElseSucceed(false).runNow
+    var selfDep = initSelfDep.orElseSucceed(false).runNow
 
     def submit = {
-      configService.set_rudder_workflow_enabled(enabled).toBox.foreach(updateOk => initEnabled = Full(enabled))
-      configService.set_rudder_workflow_self_validation(selfVal).toBox.foreach(updateOk => initSelfVal = Full(selfVal))
-      configService.set_rudder_workflow_self_deployment(selfDep).toBox.foreach(updateOk => initSelfDep = Full(selfDep))
+      configService.set_rudder_workflow_enabled(enabled).either.runNow match {
+        case Right(_) => initEnabled = enabled.succeed
+        case _        => ()
+      }
+
+      configService.set_rudder_workflow_self_validation(selfVal).either.runNow match {
+        case Right(_) => initSelfVal = selfVal.succeed
+        case _        => ()
+      }
+
+      configService.set_rudder_workflow_self_deployment(selfDep).either.runNow match {
+        case Right(_) => initSelfDep = selfDep.succeed
+        case _        => ()
+      }
+
       S.notice("updateWorkflow", "Change Requests (validation workflow) configuration correctly updated")
       check()
     }
 
-    def noModif = (initEnabled.map(_ == enabled).getOrElse(false)
-      && initSelfVal.map(_ == selfVal).getOrElse(false)
-      && initSelfDep.map(_ == selfDep).getOrElse(false))
+    def noModif = (initEnabled.map(_ == enabled).orElseSucceed(false).runNow
+      && initSelfVal.map(_ == selfVal).orElseSucceed(false).runNow
+      && initSelfDep.map(_ == selfDep).orElseSucceed(false).runNow)
 
     def check()                    = {
       if (!noModif) {
@@ -108,83 +120,81 @@ class ChangeValidationSettings extends DispatchSnippet {
 
     // if the workflow plugin is not loaded, just removed the correstponding config
     val finalXml = if (workflowLevelService.workflowLevelAllowsEnable) {
-      xml ++ Script(initJs(enabled))
+      xml ++ WithNonce.scriptWithNonce(Script(initJs(enabled)))
     } else {
       NodeSeq.Empty
     }
 
     ("#workflowEnabled" #> {
-      initEnabled match {
-        case Full(value) =>
+      initEnabled
+        .chainError("there was an error while fetching value of property: 'Enable Change Requests' ")
+        .either
+        .runNow match {
+        case Right(value) =>
           SHtml.ajaxCheckbox(
             value,
             initJs _,
             ("id", "workflowEnabled"),
             ("class", "twoCol")
           )
-        case eb: EmptyBox =>
-          val fail = eb ?~ "there was an error, while fetching value of property: 'Enable Change Requests' "
-          <div class="error">{fail.msg}</div>
+        case Left(err)    =>
+          <div class="error">{err.msg}</div>
       }
     } &
 
     "#selfVal" #> {
-      initSelfVal match {
-        case Full(value) =>
+      initSelfVal
+        .chainError("there was an error while fetching value of property: 'Allow self validation' ")
+        .either
+        .runNow match {
+        case Right(value) =>
           SHtml.ajaxCheckbox(
             value,
             (b: Boolean) => { selfVal = b; check() },
             ("id", "selfVal"),
             ("class", "twoCol")
           )
-        case eb: EmptyBox =>
-          val fail = eb ?~ "there was an error, while fetching value of property: 'Allow self validation' "
-          <div class="error">{fail.msg}</div>
+        case Left(err)    =>
+          <div class="error">{err.msg}</div>
       }
-
     } &
 
     "#selfDep " #> {
-      initSelfDep match {
-        case Full(value) =>
+      initSelfDep
+        .chainError("there was an error while fetching value of property: 'Allow self deployment' ")
+        .either
+        .runNow match {
+        case Right(value) =>
           SHtml.ajaxCheckbox(
             value,
             (b: Boolean) => { selfDep = b; check() },
             ("id", "selfDep"),
             ("class", "twoCol")
           )
-        case eb: EmptyBox =>
-          val fail = eb ?~ "there was an error, while fetching value of property: 'Allow self deployment' "
-          <div class="error">{fail.msg}</div>
+        case Left(err)    =>
+          <div class="error">{err.msg}</div>
       }
     } &
 
     "#selfValTooltip *" #> {
 
-      initSelfVal match {
-        case Full(_) =>
-          val tooltipid = Helpers.nextFuncName
-          <span class="tooltipable" tooltipid={tooltipid} title="">
-              <span class="fa fa-info-circle info"></span>
-            </span>
-            <div class="tooltipContent" id={tooltipid}>
-              Allow users to validate Change Requests they created themselves? Validating is moving a Change Request to the "<b>Pending deployment</b>" status
-            </div>
-        case _       => NodeSeq.Empty
+      initSelfVal.either.runNow match {
+        case Right(_) =>
+          val tooltipMsg =
+            """Allow users to validate Change Requests they created themselves? Validating is moving a Change Request to the "<b>Pending deployment</b>" status"""
+          <span class="fa fa-info-circle icon-info" data-bs-toggle="tooltip" data-bs-placement="bottom" title={tooltipMsg}></span>
+        case Left(_)  => NodeSeq.Empty
       }
     } &
 
     "#selfDepTooltip *" #> {
-      initSelfDep match {
-        case Full(_) =>
-          val tooltipid = Helpers.nextFuncName
-          <span class="tooltipable" tooltipid={tooltipid} title="">
-              <span class="fa fa-info-circle info"></span>
-            </span>
-            <div class="tooltipContent" id={tooltipid}>
-              Allow users to deploy Change Requests they created themselves? Deploying is effectively applying a Change Request in the "<b>Pending deployment</b>" status.
-            </div>
-        case _       => NodeSeq.Empty
+
+      initSelfDep.either.runNow match {
+        case Right(_) =>
+          val tooltipMsg =
+            """Allow users to deploy Change Requests they created themselves? Deploying is effectively applying a Change Request in the "<b>Pending deployment</b>" status."""
+          <span class="fa fa-info-circle icon-info" data-bs-toggle="tooltip" data-bs-placement="bottom" title={tooltipMsg}></span>
+        case Left(_)  => NodeSeq.Empty
       }
     } &
 
@@ -196,21 +206,24 @@ class ChangeValidationSettings extends DispatchSnippet {
   // same as workflowConfiguration but with 1 single checkbox, and val autoValidatedUsers = configService.rudder_workflow_validation_auto_validated_users().toBox
   def validationConfiguration: NodeSeq => NodeSeq = { (xml: NodeSeq) =>
     // initial value, updated on successful submit
-    var initAutoValidatedUsers = configService.rudder_workflow_validate_all().toBox
+    var initAutoValidatedUsers = configService.rudder_workflow_validate_all()
 
     // form value
-    var autoValidatedUsers = initAutoValidatedUsers.getOrElse(false)
+    var autoValidatedUsers = initAutoValidatedUsers.orElseSucceed(false).runNow
 
     def submit = {
       configService
         .set_rudder_workflow_validate_all(autoValidatedUsers)
-        .toBox
-        .foreach(updateOk => initAutoValidatedUsers = Full(autoValidatedUsers))
+        .either
+        .runNow match {
+        case Right(_) => initAutoValidatedUsers = autoValidatedUsers.succeed
+        case _        => ()
+      }
       S.notice("updateValidation", "Validation configuration correctly updated")
       check()
     }
 
-    def noModif = initAutoValidatedUsers.map(_ == autoValidatedUsers).getOrElse(false)
+    def noModif = initAutoValidatedUsers.map(_ == autoValidatedUsers).orElseSucceed(false).runNow
 
     def check() = {
       if (!noModif) {
@@ -220,17 +233,19 @@ class ChangeValidationSettings extends DispatchSnippet {
     }
 
     ("#validationAutoValidatedUser" #> {
-      initAutoValidatedUsers match {
-        case Full(value) =>
+      initAutoValidatedUsers
+        .chainError("there was an error while fetching value of property: 'Auto validated users' ")
+        .either
+        .runNow match {
+        case Right(value) =>
           SHtml.ajaxCheckbox(
             value,
             (b: Boolean) => { autoValidatedUsers = b; check() },
             ("id", "validationAutoValidatedUser"),
             ("class", "twoCol")
           )
-        case eb: EmptyBox =>
-          val fail = eb ?~ "there was an error, while fetching value of property: 'Auto validated users' "
-          <div class="error">{fail.msg}</div>
+        case Left(err)    =>
+          <div class="error">{err.msg}</div>
       }
     } &
     "#validationAutoSubmit " #> {
diff --git a/change-validation/src/main/style/change-validation.css b/change-validation/src/main/style/change-validation.css
index c0bd6d803..72632e8c9 100644
--- a/change-validation/src/main/style/change-validation.css
+++ b/change-validation/src/main/style/change-validation.css
@@ -47,9 +47,7 @@
   flex-basis : initial !important;
   flex: initial !important;
 }
-.rudder-template .one-col .template-main .main-details {
-  padding-bottom: 0px;
-}
+
 /* ========= */
 ul.clipboard-list > li {
   padding: 6px 12px;
@@ -382,7 +380,7 @@ ul.clipboard-list > li:last-child{
   border-radius: 3px;
 }
 
-#supervised-targets-app .node-check .ion{
+#supervised-targets-app .node-check .fa{
   font-size: 12px;
   top: -10px;
   position: relative;
@@ -397,7 +395,7 @@ ul.clipboard-list > li:last-child{
   display: none;
 }
 
-#supervised-targets-app .node-check input[type=checkbox]:checked + .ion {
+#supervised-targets-app .node-check input[type=checkbox]:checked + .fa {
   visibility: visible;
   animation: opacity-1 .1s linear forwards;
 }
diff --git a/change-validation/src/test/resources/changevalidation_api/api_changerequest.yml b/change-validation/src/test/resources/changevalidation_api/api_changerequest.yml
index cfe96e326..8d342bfd5 100644
--- a/change-validation/src/test/resources/changevalidation_api/api_changerequest.yml
+++ b/change-validation/src/test/resources/changevalidation_api/api_changerequest.yml
@@ -3050,7 +3050,7 @@ response:
       "action": "changeRequestDetails",
       "id": "999",
       "result": "error",
-      "errorDetails": "Could not find ChangeRequest 999; cause was: Unexpected: Could not get ChangeRequest 999 details cause is: change request with id 999 does not exist."
+      "errorDetails": "Could not find ChangeRequest 999; cause was: Inconsistency: Change request with id 999 does not exist."
     }
 ---
 description: Get information about given change request when id is not a number
@@ -3063,7 +3063,7 @@ response:
       "action": "changeRequestDetails",
       "id": "aaa",
       "result": "error",
-      "errorDetails": "Could not find ChangeRequest aaa; cause was: Unexpected: 'aaa' is not a valid change request id (need to be an integer)"
+      "errorDetails": "Could not find ChangeRequest aaa; cause was: Inconsistency: 'aaa' is not a valid change request id (need to be an integer)"
     }
 ---
 description: Decline given change request
@@ -3301,7 +3301,7 @@ response:
       "action": "declineChangeRequest",
       "id": "12",
       "result": "error",
-      "errorDetails": "Could not decline ChangeRequest 12; cause was: Unexpected: Inconsistency: Could not decline ChangeRequest 12 details cause is: could not decline ChangeRequest 12, because status 'Cancelled' cannot be cancelled."
+      "errorDetails": "Could not decline ChangeRequest 12; cause was: Inconsistency: Could not decline ChangeRequest 12 details cause is: could not decline ChangeRequest 12, because status 'Cancelled' cannot be cancelled."
     }
 ---
 description: Decline given change request when id is unknown
@@ -3314,7 +3314,7 @@ response:
       "action": "declineChangeRequest",
       "id": "999",
       "result": "error",
-      "errorDetails": "Could not decline ChangeRequest 999; cause was: Unexpected: Could not get ChangeRequest 999 details cause is: change request with id 999 does not exist."
+      "errorDetails": "Could not decline ChangeRequest 999; cause was: Inconsistency: Change request with id 999 does not exist."
     }
 ---
 description: Decline given change request when id is not a number
@@ -3327,7 +3327,7 @@ response:
       "action": "declineChangeRequest",
       "id": "aaa",
       "result": "error",
-      "errorDetails": "Could not decline ChangeRequest aaa; cause was: Unexpected: 'aaa' is not a valid change request id (need to be an integer)"
+      "errorDetails": "Could not decline ChangeRequest aaa; cause was: Inconsistency: 'aaa' is not a valid change request id (need to be an integer)"
     }
 ---
 description: Accept given change request
@@ -3586,7 +3586,7 @@ response:
       "action": "acceptChangeRequest",
       "id": "999",
       "result": "error",
-      "errorDetails": "Could not accept ChangeRequest 999; cause was: Unexpected: Could not get ChangeRequest 999 details cause is: change request with id 999 does not exist."
+      "errorDetails": "Could not accept ChangeRequest 999; cause was: Inconsistency: Change request with id 999 does not exist."
     }
 ---
 description: Accept given change request when id is not a number
@@ -3603,17 +3603,19 @@ response:
       "action": "acceptChangeRequest",
       "id": "aaa",
       "result": "error",
-      "errorDetails": "Could not accept ChangeRequest aaa; cause was: Unexpected: 'aaa' is not a valid change request id (need to be an integer)"
+      "errorDetails": "Could not accept ChangeRequest aaa; cause was: Inconsistency: 'aaa' is not a valid change request id (need to be an integer)"
     }
 ---
 description: Update information about given change request
 method: POST
 url: /api/latest/changeRequests/4
 headers:
-  - "Content-Type: application/x-www-form-urlencoded"
-params:
-  name: "my group new name"
-  description: "My group new description"
+  - "Content-Type: application/json"
+body: >-
+  {
+    "name": "my group new name",
+    "description": "My group new description"
+  }
 response:
   code: 200
   content: >-
@@ -3704,7 +3706,7 @@ response:
       "action": "updateChangeRequest",
       "id": "999",
       "result": "error",
-      "errorDetails": "Could not update ChangeRequest 999; cause was: Unexpected: Could not get ChangeRequest 999 details cause is: change request with id 999 does not exist."
+      "errorDetails": "Could not update ChangeRequest 999; cause was: Inconsistency: Change request with id 999 does not exist."
     }
 ---
 description: Update information about given change request when id is not a number
@@ -3722,12 +3724,16 @@ response:
       "action": "updateChangeRequest",
       "id": "aaa",
       "result": "error",
-      "errorDetails": "Could not update ChangeRequest aaa; cause was: Unexpected: 'aaa' is not a valid change request id (need to be an integer)"
+      "errorDetails": "Could not update ChangeRequest aaa; cause was: Inconsistency: 'aaa' is not a valid change request id (need to be an integer)"
     }
 ---
 description: Update information about given change request when no parameter is sent
 method: POST
 url: /api/latest/changeRequests/4
+headers:
+  - "Content-Type: application/json"
+body: >-
+  {}
 response:
   code: 500
   content: >-
@@ -3735,17 +3741,19 @@ response:
       "action": "updateChangeRequest",
       "id": "4",
       "result": "error",
-      "errorDetails": "Could not update ChangeRequest 4; cause was: Unexpected: Inconsistency: Could not update ChangeRequest 4 details cause is: No changes to save."
+      "errorDetails": "Could not update ChangeRequest 4; cause was: Inconsistency: Could not update ChangeRequest 4 details cause is: No changes to save."
     }
 ---
 description: Update information about given change request without changing any info
 method: POST
 url: /api/latest/changeRequests/11
 headers:
-  - "Content-Type: application/x-www-form-urlencoded"
-params:
-  name: "second cr global param"
-  description: "My global param second change"
+  - "Content-Type: application/json"
+body: >-
+  {
+    "name": "second cr global param",
+    "description": "My global param second change"
+  }
 response:
   code: 500
   content: >-
@@ -3753,5 +3761,5 @@ response:
       "action" : "updateChangeRequest",
       "id" : "11",
       "result" : "error",
-      "errorDetails" : "Could not update ChangeRequest 11; cause was: Unexpected: Inconsistency: Could not update ChangeRequest 11 details cause is: No changes to save."
+      "errorDetails" : "Could not update ChangeRequest 11; cause was: Inconsistency: Could not update ChangeRequest 11 details cause is: No changes to save."
     }
diff --git a/change-validation/src/test/resources/changevalidation_api/api_workflowinternal.yml b/change-validation/src/test/resources/changevalidation_api/api_workflowinternal.yml
new file mode 100644
index 000000000..f100720b2
--- /dev/null
+++ b/change-validation/src/test/resources/changevalidation_api/api_workflowinternal.yml
@@ -0,0 +1,19 @@
+description: Get number of pending deployment and pending validation change requests
+method: GET
+url: /secure/api/changevalidation/workflow/pendingCountByStatus
+headers:
+response:
+  code: 200
+  content: >-
+    {
+      "action": "pendingChangeRequestCount",
+      "result": "success",
+      "data": {
+        "workflow": [
+          {
+            "pendingValidation": 2,
+            "pendingDeployment": 1
+          }
+        ]
+      }
+    }
\ No newline at end of file
diff --git a/change-validation/src/test/resources/emails/change-validation-email.conf b/change-validation/src/test/resources/emails/change-validation-email.conf
index e3d3839bf..24a6f6a44 100644
--- a/change-validation/src/test/resources/emails/change-validation-email.conf
+++ b/change-validation/src/test/resources/emails/change-validation-email.conf
@@ -7,20 +7,20 @@ smtp.password="thepass"
 
 # The rudder base URL (domain) as seen from people who will receive emails. This parameter is used
 # to display link to change requests in notification emails.
-# If the CR URL is: https://my.rudder.server/rudder/secure/plugins/changes/changeRequest/1
+# If the CR URL is: https://my.rudder.server/rudder/secure/configurationManager/changes/changeRequest/1
 # You should use: https://my.rudder.server/rudder [without end slash]
 rudder.base.url="https://my.rudder.server/rudder"
 
 
 # The rudder base URL (domain) as seen from people who will receive emails. This parameter is used
 # to display link to change requests in notification emails.
-# If the CR URL is: https://my.rudder.server/rudder/secure/plugins/changes/changeRequest/1
+# If the CR URL is: https://my.rudder.server/rudder/secure/configurationManager/changes/changeRequest/1
 # You should use: https://my.rudder.server/rudder [without end slash]
 rudder.base.url="https://my.rudder.server/rudder"
 
 
 # `subject` parameter support templating.
-#  Please refer to the documentation : https://docs.rudder.io/reference/6.1/plugins/change-validation.html
+#  Please refer to the documentation : https://docs.rudder.io/reference/latest/plugins/change-validation.html
 #  to know which parameters can be used for templating.
 
 # Pending validation
diff --git a/change-validation/src/test/scala/com/normation/plugins/changevalidation/ChangeRequestJdbcRepositoryTest.scala b/change-validation/src/test/scala/com/normation/plugins/changevalidation/ChangeRequestJdbcRepositoryTest.scala
index 4c3c2f340..9e61e1d6b 100644
--- a/change-validation/src/test/scala/com/normation/plugins/changevalidation/ChangeRequestJdbcRepositoryTest.scala
+++ b/change-validation/src/test/scala/com/normation/plugins/changevalidation/ChangeRequestJdbcRepositoryTest.scala
@@ -44,6 +44,8 @@ import com.normation.BoxSpecMatcher
 import com.normation.GitVersion
 import com.normation.cfclerk.domain.TechniqueName
 import com.normation.cfclerk.domain.TechniqueVersionHelper
+import com.normation.errors.RudderError
+import com.normation.errors.SystemError
 import com.normation.eventlog.EventActor
 import com.normation.eventlog.ModificationId
 import com.normation.rudder.db.DBCommon
@@ -66,9 +68,6 @@ import com.typesafe.config.ConfigValueFactory
 import doobie.Transactor
 import doobie.specs2.analysisspec.IOChecker
 import doobie.syntax.all.*
-import net.liftweb.common.Box
-import net.liftweb.common.Failure
-import net.liftweb.common.Full
 import org.joda.time.DateTime
 import org.junit.runner.RunWith
 import org.specs2.mutable.Specification
@@ -133,7 +132,7 @@ class ChangeRequestJdbcRepositoryTest extends Specification with DBCommon with I
       // same change request to test different xpaths : /changeRequest/directives/directive/@id, "/changeRequest/groups/group/@id", "/changeRequest/rules/rule/@id"
       // We test change of a directive, nodeGroup and rule using the same change request
       (sql"insert into ChangeRequest (name, description, creationTime, content, modificationId) values ('a change request', 'a change request description', '2023-01-01T00:00:00', ${sampleChangeRequestContent}, '11111111-1111-1111-1111-111111111111')".update.run *>
-      sql"insert into Workflow (id, state) values (${changeRequestId}, 'Pending validation')".update.run)
+      sql"insert into Workflow (id, state) values (${changeRequestId.value}, 'Pending validation')".update.run)
         .transact(xa)
     }) match {
       case Right(_) => ()
@@ -241,9 +240,9 @@ class ChangeRequestJdbcRepositoryTest extends Specification with DBCommon with I
     sampleChangeRequestContent
   }
   lazy val changeRequestChangesUnserialisation: ChangeRequestChangesUnserialisation = _ => {
-    Full(
+    Right(
       (
-        Full(Map(directiveId -> directiveChanges)),
+        Map(directiveId   -> directiveChanges),
         Map(groupId       -> nodeGroupChanges),
         Map(ruleId        -> ruleChanges),
         Map(globalParamId -> globalParamChanges)
@@ -288,13 +287,14 @@ class ChangeRequestJdbcRepositoryTest extends Specification with DBCommon with I
     }
 
     "get all change requests" in {
-      val res = roChangeRequestJdbcRepository.getAll()
-      (res.map(_.size) must beEqualTo(Full(1))) and (res.flatMap(_.headOption) mustFullEq expectedChangeRequest)
+      val res = roChangeRequestJdbcRepository.getAll().runNow
+      res.size must beEqualTo(1)
+      res.headOption must beSome(expectedChangeRequest)
     }
 
     "get a change request by id" in {
-      val res = roChangeRequestJdbcRepository.get(changeRequestId)
-      res.flatMap(Box(_)) mustFullEq expectedChangeRequest
+      val res = roChangeRequestJdbcRepository.get(changeRequestId).runNow
+      res must beSome(expectedChangeRequest)
     }
 
     // This does not seem to return any result at all, but the xpath and query look okay... :(
@@ -304,21 +304,24 @@ class ChangeRequestJdbcRepositoryTest extends Specification with DBCommon with I
     // }
 
     "get change requests by xpath content" in {
-      val resDirective = roChangeRequestJdbcRepository.getByDirective(DirectiveUid("foo"), false)
-      val resNodeGroup = roChangeRequestJdbcRepository.getByNodeGroup(NodeGroupId(NodeGroupUid("bar")), false)
-      val resRule      = roChangeRequestJdbcRepository.getByRule(RuleUid("baz"), false)
-      ((resDirective
-        .map(_.size) must beEqualTo(Full(1))) and (resDirective.flatMap(_.headOption) mustFullEq expectedChangeRequest) and
-      (resNodeGroup.map(_.size) must beEqualTo(Full(1))) and (resNodeGroup.flatMap(
-        _.headOption
-      ) mustFullEq expectedChangeRequest) and
-      (resRule.map(_.size) must beEqualTo(Full(1))) and (resRule.flatMap(_.headOption) mustFullEq expectedChangeRequest))
+      val resDirective = roChangeRequestJdbcRepository.getByDirective(DirectiveUid("foo"), false).runNow
+      val resNodeGroup = roChangeRequestJdbcRepository.getByNodeGroup(NodeGroupId(NodeGroupUid("bar")), false).runNow
+      val resRule      = roChangeRequestJdbcRepository.getByRule(RuleUid("baz"), false).runNow
 
+      resDirective.size must beEqualTo(1)
+      resDirective.headOption must beSome(expectedChangeRequest)
+
+      resNodeGroup.size must beEqualTo(1)
+      resNodeGroup.headOption must beSome(expectedChangeRequest)
+
+      resRule.size must beEqualTo(1)
+      resRule.headOption must beSome(expectedChangeRequest)
     }
 
     "get change request by filter" in {
       val res = roChangeRequestJdbcRepository.getByFilter(ChangeRequestFilter(None, None)).runNow
-      (res.size must beEqualTo(1)) and (res.head must beEqualTo((expectedChangeRequest, WorkflowNodeId("Pending validation"))))
+      res.size must beEqualTo(1)
+      res.head must beEqualTo((expectedChangeRequest, WorkflowNodeId("Pending validation")))
     }
 
     "create change request" in {
@@ -327,7 +330,7 @@ class ChangeRequestJdbcRepositoryTest extends Specification with DBCommon with I
         actor,
         Some("reason")
       )
-      res mustFullEq newChangeRequest
+      res.runNow must beEqualTo(newChangeRequest)
     }
 
     "delete change request (unimplemented)" in {
@@ -344,15 +347,20 @@ class ChangeRequestJdbcRepositoryTest extends Specification with DBCommon with I
         actor,
         Some("reason")
       )
-      res mustFullEq updatedChangeRequest
+      res.runNow must beEqualTo(updatedChangeRequest)
     }
 
     "update a non-existing change request" in {
-      woChangeRequestJdbcRepository.updateChangeRequest(
-        expectedChangeRequest.copy(id = ChangeRequestId(999)),
-        actor,
-        Some("reason")
-      ) must beEqualTo(Failure(s"Cannot update non-existent Change Request with id 999"))
+      woChangeRequestJdbcRepository
+        .updateChangeRequest(
+          expectedChangeRequest.copy(id = ChangeRequestId(999)),
+          actor,
+          Some("reason")
+        )
+        .either
+        .runNow must beLeft(beLike[RudderError] {
+        case err: SystemError => err.msg must beEqualTo("Could not update change request with id 999 in database")
+      })
     }
 
   }
diff --git a/change-validation/src/test/scala/com/normation/plugins/changevalidation/MockServices.scala b/change-validation/src/test/scala/com/normation/plugins/changevalidation/MockServices.scala
index 4457b5b02..29cba6eee 100644
--- a/change-validation/src/test/scala/com/normation/plugins/changevalidation/MockServices.scala
+++ b/change-validation/src/test/scala/com/normation/plugins/changevalidation/MockServices.scala
@@ -37,6 +37,7 @@
 package com.normation.plugins.changevalidation
 
 import better.files.File
+import cats.data.NonEmptyList
 import com.normation.errors.IOResult
 import com.normation.eventlog.EventActor
 import com.normation.eventlog.EventLog
@@ -44,6 +45,8 @@ import com.normation.eventlog.ModificationId
 import com.normation.inventory.domain.NodeId
 import com.normation.rudder.AuthorizationType
 import com.normation.rudder.api.ApiAuthorization
+import com.normation.rudder.config.StatelessUserPropertyService
+import com.normation.rudder.config.UserPropertyService
 import com.normation.rudder.domain.eventlog.ChangeRequestDiff
 import com.normation.rudder.domain.eventlog.ChangeRequestEventLog
 import com.normation.rudder.domain.eventlog.WorkflowStepChanged
@@ -71,11 +74,7 @@ import com.normation.rudder.services.workflows.CommitAndDeployChangeRequestServi
 import com.normation.rudder.users.AuthenticatedUser
 import com.normation.rudder.users.RudderAccount
 import com.normation.rudder.users.UserService
-import com.normation.rudder.web.services.StatelessUserPropertyService
-import com.normation.rudder.web.services.UserPropertyService
 import com.normation.zio.UnsafeRun
-import net.liftweb.common.Box
-import net.liftweb.common.Full
 import scala.collection.immutable.SortedMap
 import zio.Chunk
 import zio.Ref
@@ -178,10 +177,10 @@ class MockServices(changeRequestsByStatus: Map[WorkflowNodeId, List[ChangeReques
         .succeed
     }
 
-    override def get(changeRequestId: ChangeRequestId): Box[Option[ChangeRequest]] = {
+    override def get(changeRequestId: ChangeRequestId): IOResult[Option[ChangeRequest]] = {
       changeRequestsByStatus.values.flatten.find(_.id == changeRequestId) match {
-        case Some(cr) => Full(Some(cr))
-        case None     => Full(None)
+        case Some(cr) => Some(cr).succeed
+        case None     => None.succeed
       }
     }
 
@@ -189,61 +188,66 @@ class MockServices(changeRequestsByStatus: Map[WorkflowNodeId, List[ChangeReques
         changeRequest: ChangeRequest,
         actor:         EventActor,
         reason:        Option[String]
-    ): Box[ChangeRequest] = {
-      Full(changeRequest)
+    ): IOResult[ChangeRequest] = {
+      changeRequest.succeed
     }
 
-    override def getAll(): Box[Vector[ChangeRequest]] = ???
+    override def getAll(): IOResult[Vector[ChangeRequest]] = ???
 
-    override def getByDirective(id: DirectiveUid, onlyPending: Boolean): Box[Vector[ChangeRequest]] = ???
+    override def getByDirective(id: DirectiveUid, onlyPending: Boolean): IOResult[Vector[ChangeRequest]] = ???
 
-    override def getByNodeGroup(id: NodeGroupId, onlyPending: Boolean): Box[Vector[ChangeRequest]] = ???
+    override def getByNodeGroup(id: NodeGroupId, onlyPending: Boolean): IOResult[Vector[ChangeRequest]] = ???
 
-    override def getByRule(id: RuleUid, onlyPending: Boolean): Box[Vector[ChangeRequest]] = ???
+    override def getByRule(id: RuleUid, onlyPending: Boolean): IOResult[Vector[ChangeRequest]] = ???
 
-    override def getByContributor(actor: EventActor): Box[Vector[ChangeRequest]] = ???
+    override def getByContributor(actor: EventActor): IOResult[Vector[ChangeRequest]] = ???
 
     override def createChangeRequest(
         changeRequest: ChangeRequest,
         actor:         EventActor,
         reason:        Option[String]
-    ): Box[ChangeRequest] = ???
+    ): IOResult[ChangeRequest] = ???
 
     override def deleteChangeRequest(
         changeRequestId: ChangeRequestId,
         actor:           EventActor,
         reason:          Option[String]
-    ): Box[ChangeRequest] = ???
+    ): IOResult[ChangeRequest] = ???
 
   }
 
   object workflowRepository extends RoWorkflowRepository with WoWorkflowRepository {
-    override def getStateOfChangeRequest(crId: ChangeRequestId): Box[WorkflowNodeId] = {
+    override def getStateOfChangeRequest(crId: ChangeRequestId): IOResult[WorkflowNodeId] = {
       changeRequestsByStatus.find(_._2.exists(_.id == crId)).map(_._1) match {
-        case Some(state) => Full(state)
-        case None        => Full(WorkflowNodeId("unknown"))
+        case Some(state) => state.succeed
+        case None        => WorkflowNodeId("unknown").succeed
       }
     }
 
-    override def updateState(crId: ChangeRequestId, from: WorkflowNodeId, state: WorkflowNodeId): Box[WorkflowNodeId] = {
-      Full(state)
+    override def updateState(crId: ChangeRequestId, from: WorkflowNodeId, state: WorkflowNodeId): IOResult[WorkflowNodeId] = {
+      state.succeed
     }
 
-    override def getAllByState(state: WorkflowNodeId): Box[Seq[ChangeRequestId]] = {
+    override def getCountByState(filter: NonEmptyList[WorkflowNodeId]): IOResult[Map[WorkflowNodeId, Long]] = {
+      changeRequestsByStatus.flatMap {
+        case (k, v) =>
+          filter.find(_ == k).map({ _ => (k, v.size.toLong) })
+      }.succeed
+    }
+
+    override def getAllByState(state: WorkflowNodeId): IOResult[Seq[ChangeRequestId]] = {
       ???
     }
 
-    override def createWorkflow(crId: ChangeRequestId, state: WorkflowNodeId): Box[WorkflowNodeId] = ???
+    override def createWorkflow(crId: ChangeRequestId, state: WorkflowNodeId): IOResult[WorkflowNodeId] = ???
 
-    override def getAllChangeRequestsState(): Box[Map[ChangeRequestId, WorkflowNodeId]] = ???
+    override def getAllChangeRequestsState(): IOResult[Map[ChangeRequestId, WorkflowNodeId]] = ???
 
   }
 
   object commitAndDeployChangeRequest extends CommitAndDeployChangeRequestService {
 
-    def save(changeRequest: ChangeRequest)(implicit cc: ChangeContext): Box[ChangeRequest] = Full(
-      changeRequest
-    )
+    def save(changeRequest: ChangeRequest)(implicit cc: ChangeContext): IOResult[ChangeRequest] = changeRequest.succeed
 
     def isMergeable(changeRequest: ChangeRequest)(implicit qc: QueryContext): Boolean = {
       // can depend on "mergeable" changeRequest by their id to vary test cases
@@ -253,13 +257,14 @@ class MockServices(changeRequestsByStatus: Map[WorkflowNodeId, List[ChangeReques
   }
 
   object workflowEventLogService extends WorkflowEventLogService {
-    override def saveEventLog(stepChange: WorkflowStepChange, actor: EventActor, reason: Option[String]): Box[EventLog] = Full(
-      null
-    )
+    override def saveEventLog(stepChange: WorkflowStepChange, actor: EventActor, reason: Option[String]): IOResult[EventLog] = {
+      val res: EventLog = null
+      res.succeed
+    }
 
-    override def getChangeRequestHistory(id: ChangeRequestId): Box[Seq[WorkflowStepChanged]]    = ???
-    override def getLastLog(id:              ChangeRequestId): Box[Option[WorkflowStepChanged]] = ???
-    override def getLastWorkflowEvents(): Box[Map[ChangeRequestId, EventLog]] = ???
+    override def getChangeRequestHistory(id: ChangeRequestId): IOResult[Seq[WorkflowStepChanged]]    = ???
+    override def getLastLog(id:              ChangeRequestId): IOResult[Option[WorkflowStepChanged]] = ???
+    override def getLastWorkflowEvents(): IOResult[Map[ChangeRequestId, EventLog]] = ???
 
   }
 
@@ -270,12 +275,15 @@ class MockServices(changeRequestsByStatus: Map[WorkflowNodeId, List[ChangeReques
         principal: EventActor,
         diff:      ChangeRequestDiff,
         reason:    Option[String]
-    ): Box[EventLog] = Full(null)
+    ): IOResult[EventLog] = {
+      val res: EventLog = null
+      res.succeed
+    }
 
-    override def getChangeRequestHistory(id: ChangeRequestId): Box[Seq[ChangeRequestEventLog]]    = ???
-    override def getFirstLog(id:             ChangeRequestId): Box[Option[ChangeRequestEventLog]] = ???
-    override def getLastLog(id:              ChangeRequestId): Box[Option[ChangeRequestEventLog]] = ???
-    override def getLastCREvents: Box[Map[ChangeRequestId, EventLog]] = ???
+    override def getChangeRequestHistory(id: ChangeRequestId): IOResult[Seq[ChangeRequestEventLog]]    = ???
+    override def getFirstLog(id:             ChangeRequestId): IOResult[Option[ChangeRequestEventLog]] = ???
+    override def getLastLog(id:              ChangeRequestId): IOResult[Option[ChangeRequestEventLog]] = ???
+    override def getLastCREvents: IOResult[Map[ChangeRequestId, EventLog]] = ???
   }
 
   object notificationService extends NotificationService {
diff --git a/change-validation/src/test/scala/com/normation/plugins/changevalidation/TestEmailService.scala b/change-validation/src/test/scala/com/normation/plugins/changevalidation/TestEmailService.scala
index 25b00c400..e9fa7860b 100644
--- a/change-validation/src/test/scala/com/normation/plugins/changevalidation/TestEmailService.scala
+++ b/change-validation/src/test/scala/com/normation/plugins/changevalidation/TestEmailService.scala
@@ -106,7 +106,8 @@ class TestEmailService extends Specification with BeforeAfterAll {
 
       val config = notification.getSMTPConf(conf.pathAsString).forceGet
 
-      (config.smtpHostServer === "localhost") and (config.port === 2525)
+      config.smtpHostServer === "localhost"
+      config.port === 2525
       // todo more tests
     }
 
@@ -114,8 +115,8 @@ class TestEmailService extends Specification with BeforeAfterAll {
 
       val template = notification.getStepMailConf(TwoValidationStepsWorkflowServiceImpl.Validation, conf.pathAsString).forceGet
 
-      (template.to === Set(Email("validator1@change.req"), Email("validator2@change.req")) and
-      (template.template === (testDir / "validation-mail.template").pathAsString))
+      template.to === Set(Email("validator1@change.req"), Email("validator2@change.req"))
+      template.template === (testDir / "validation-mail.template").pathAsString
     }
 
     "be able to send a notification email" in {
@@ -150,7 +151,7 @@ class TestEmailService extends Specification with BeforeAfterAll {
           |  <li>Author: No One</li>
           |  <li>Description: this CR is for test</li>
           |</ul>
-          |<a href="https://my.rudder.server/rudder/secure/plugins/changes/changeRequest/42">Click here to review and validate</a></li>
+          |<a href="https://my.rudder.server/rudder/secure/configurationManager/changes/changeRequest/42">Click here to review and validate</a></li>
           |
           |""".stripMargin
       }
@@ -166,9 +167,9 @@ class TestEmailService extends Specification with BeforeAfterAll {
         s.split("\n").take(2).drop(3).take(2).drop(1).take(20).mkString("\n")
       }
 
-      (isEmpty must beTrue) and
-      (messages.isEmpty must beFalse) and
-      (deleteDate(msg) === deleteDate(expectedMessage))
+      isEmpty must beTrue
+      messages.isEmpty must beFalse
+      deleteDate(msg) === deleteDate(expectedMessage)
     }
   }
 }
diff --git a/change-validation/src/test/scala/com/normation/plugins/changevalidation/ValidatedUserJdbcRepositoryTest.scala b/change-validation/src/test/scala/com/normation/plugins/changevalidation/ValidatedUserJdbcRepositoryTest.scala
index 014555e30..8cef9698b 100644
--- a/change-validation/src/test/scala/com/normation/plugins/changevalidation/ValidatedUserJdbcRepositoryTest.scala
+++ b/change-validation/src/test/scala/com/normation/plugins/changevalidation/ValidatedUserJdbcRepositoryTest.scala
@@ -5,7 +5,7 @@ import better.files.Resource
 import cats.syntax.apply.*
 import com.normation.eventlog.EventActor
 import com.normation.rudder.db.DBCommon
-import com.normation.rudder.rest.AuthorizationApiMapping
+import com.normation.rudder.rest.ExtensibleAuthorizationApiMapping
 import com.normation.rudder.rest.RoleApiMapping
 import com.normation.rudder.users.FileUserDetailListProvider
 import com.normation.rudder.users.PasswordEncoderDispatcher
@@ -71,7 +71,7 @@ class ValidatedUserJdbcRepositoryTest extends Specification with DBCommon with I
     val usersFile      = {
       UserFile("test-users.xml", getUsersInputStream)
     }
-    val roleApiMapping = new RoleApiMapping(AuthorizationApiMapping.Core)
+    val roleApiMapping = new RoleApiMapping(new ExtensibleAuthorizationApiMapping(Nil))
 
     val res = new FileUserDetailListProvider(roleApiMapping, usersFile, new PasswordEncoderDispatcher(12))
     res.reload()
diff --git a/change-validation/src/test/scala/com/normation/plugins/changevalidation/ValidationNeededTest.scala b/change-validation/src/test/scala/com/normation/plugins/changevalidation/ValidationNeededTest.scala
index 0b1eb15b0..d79335593 100644
--- a/change-validation/src/test/scala/com/normation/plugins/changevalidation/ValidationNeededTest.scala
+++ b/change-validation/src/test/scala/com/normation/plugins/changevalidation/ValidationNeededTest.scala
@@ -57,7 +57,7 @@ import com.normation.rudder.services.workflows.GlobalParamModAction
 import com.normation.rudder.services.workflows.NodeGroupChangeRequest
 import com.normation.rudder.services.workflows.RuleChangeRequest
 import com.normation.rudder.services.workflows.RuleModAction
-import net.liftweb.common.Full
+import com.normation.zio.UnsafeRun
 import org.junit.runner.RunWith
 import org.specs2.mutable.Specification
 import org.specs2.runner.JUnitRunner
@@ -83,19 +83,19 @@ class ValidationNeededTest extends Specification {
 
     "always validate a modification in a GlobalParam" in {
       val globalParamChangeReq = GlobalParamChangeRequest(GlobalParamModAction.Create, None)
-      nodeGrpValNdd.forGlobalParam(actor, globalParamChangeReq) must beEqualTo(Full(true))
+      nodeGrpValNdd.forGlobalParam(actor, globalParamChangeReq).runNow must beTrue
     }
 
     "validate a modification in a node group if that group is supervised" in {
       val nodeGrp          = mockNodeGroups.g0
       val nodeGrpChangeReq = NodeGroupChangeRequest(DGModAction.CreateSolo, nodeGrp, None, None)
-      nodeGrpValNdd.forNodeGroup(actor, nodeGrpChangeReq) must beEqualTo(Full(true))
+      nodeGrpValNdd.forNodeGroup(actor, nodeGrpChangeReq).runNow must beTrue
     }
 
     "not validate a modification in a node group if that group is not supervised" in {
       val nodeGrp          = mockNodeGroups.g1
       val nodeGrpChangeReq = NodeGroupChangeRequest(DGModAction.CreateSolo, nodeGrp, None, None)
-      nodeGrpValNdd.forNodeGroup(actor, nodeGrpChangeReq) must beEqualTo(Full(false))
+      nodeGrpValNdd.forNodeGroup(actor, nodeGrpChangeReq).runNow must beFalse
     }
 
     "if a modification concerns a rule that" in {
@@ -109,7 +109,7 @@ class ValidationNeededTest extends Specification {
           rule,
           None
         )
-        nodeGrpValNdd.forRule(actor, ruleChangeReq) must beEqualTo(Full(true))
+        nodeGrpValNdd.forRule(actor, ruleChangeReq).runNow must beTrue
       }
 
       "doesn't target a supervised node, the modification mustn't be validated" in {
@@ -121,7 +121,7 @@ class ValidationNeededTest extends Specification {
           rule,
           None
         )
-        nodeGrpValNdd.forRule(actor, ruleChangeReq) must beEqualTo(Full(false))
+        nodeGrpValNdd.forRule(actor, ruleChangeReq).runNow must beFalse
       }
     }
 
@@ -144,7 +144,7 @@ class ValidationNeededTest extends Specification {
         List(mockRules.rules.defaultRule)       // targets all nodes, including node group g0
       )
 
-      nodeGrpValNdd.forDirective(actor, dirChangeReq) must beEqualTo(Full(true))
+      nodeGrpValNdd.forDirective(actor, dirChangeReq).runNow must beTrue
     }
 
     "not validate a modification in a directive if no rule that uses it requires validation" in {
@@ -161,7 +161,7 @@ class ValidationNeededTest extends Specification {
 
       )
 
-      nodeGrpValNdd.forDirective(actor, dirChangeReq) must beEqualTo(Full(false))
+      nodeGrpValNdd.forDirective(actor, dirChangeReq).runNow must beFalse
     }
 
   }
diff --git a/change-validation/src/test/scala/com/normation/plugins/changevalidation/WorkflowJdbcRepositoryTest.scala b/change-validation/src/test/scala/com/normation/plugins/changevalidation/WorkflowJdbcRepositoryTest.scala
index ce9e32612..280480c8b 100644
--- a/change-validation/src/test/scala/com/normation/plugins/changevalidation/WorkflowJdbcRepositoryTest.scala
+++ b/change-validation/src/test/scala/com/normation/plugins/changevalidation/WorkflowJdbcRepositoryTest.scala
@@ -37,14 +37,19 @@
 
 package com.normation.plugins.changevalidation
 
+import cats.data.NonEmptyList
 import cats.effect.IO
+import cats.syntax.apply.*
+import com.normation.plugins.changevalidation.TwoValidationStepsWorkflowServiceImpl.Cancelled
+import com.normation.plugins.changevalidation.TwoValidationStepsWorkflowServiceImpl.Deployment
+import com.normation.plugins.changevalidation.TwoValidationStepsWorkflowServiceImpl.Validation
 import com.normation.rudder.db.DBCommon
 import com.normation.rudder.domain.workflows.ChangeRequestId
 import com.normation.rudder.domain.workflows.WorkflowNodeId
+import com.normation.zio.UnsafeRun
 import doobie.Transactor
 import doobie.specs2.analysisspec.IOChecker
 import doobie.syntax.all.*
-import net.liftweb.common.Full
 import org.junit.runner.RunWith
 import org.specs2.mutable.Specification
 import org.specs2.runner.JUnitRunner
@@ -58,9 +63,22 @@ class WorkflowJdbcRepositoryTest extends Specification with DBCommon with IOChec
     super.initDb()
     // initialize some change requests to setup change requests for workflow
     doobie.transactRunEither(xa => {
-      // id: 1
-      sql"insert into ChangeRequest (name, description, creationTime, content, modificationId) values ('a change request', 'a change request description', '2023-01-01T00:00:00', '', '11111111-1111-1111-1111-111111111111')".update.run
-        .transact(xa)
+      (
+        // id: 1
+        sql"insert into ChangeRequest (name, description, creationTime, content, modificationId) values ('a change request', 'a change request description', '2023-01-01T00:00:00', '', '11111111-1111-1111-1111-111111111111')".update.run *>
+
+        // insert a change request that has status "Pending validation"
+        sql"insert into ChangeRequest (name, description, creationTime, content, modificationId) values ('pendingValidation1', 'a change request description', '2025-01-01T00:00:00', '', '11111111-1111-1111-1111-111111111111')".update.run *>
+
+        // insert two change requests that both have status "Pending deployment"
+        sql"insert into ChangeRequest (name, description, creationTime, content, modificationId) values ('pendingDeployment2', 'a change request description', '2025-01-01T00:00:00', '', '11111111-1111-1111-1111-111111111111')".update.run *>
+        sql"insert into ChangeRequest (name, description, creationTime, content, modificationId) values ('pendingDeployment3', 'a change request description', '2025-01-01T00:00:00', '', '11111111-1111-1111-1111-111111111111')".update.run *>
+
+        // insert ids 2, 3 and 4 in the workflow table with their corresponding status
+        sql"insert into Workflow (id, state) values (2, 'Pending validation')".update.run *>
+        sql"insert into Workflow (id, state) values (3, 'Pending deployment')".update.run *>
+        sql"insert into Workflow (id, state) values (4, 'Pending deployment')".update.run
+      ).transact(xa)
     }) match {
       case Right(_) => ()
       case Left(ex) => throw ex
@@ -72,12 +90,16 @@ class WorkflowJdbcRepositoryTest extends Specification with DBCommon with IOChec
   private lazy val roWorkflowJdbcRepository = new RoWorkflowJdbcRepository(doobie)
   private lazy val woWorkflowJdbcRepository = new WoWorkflowJdbcRepository(doobie)
 
-  val changeRequestId = ChangeRequestId(1)
+  val changeRequestId  = ChangeRequestId(1)
+  val changeRequestId2 = ChangeRequestId(2)
+  val changeRequestId3 = ChangeRequestId(3)
+  val changeRequestId4 = ChangeRequestId(4)
 
   "WorkflowJdbcRepository" should {
 
     "type-check queries" in {
       check(WorkflowJdbcRepositorySQL.getAllByStateSQL(WorkflowNodeId("foo")))
+      check(WorkflowJdbcRepositorySQL.getCountByStateSQL(NonEmptyList.of(WorkflowNodeId("foo"))))
       check(WorkflowJdbcRepositorySQL.getStateOfChangeRequestSQL(changeRequestId))
       check(WorkflowJdbcRepositorySQL.getAllChangeRequestsStateSQL)
       check(WorkflowJdbcRepositorySQL.createWorkflowSQL(changeRequestId, WorkflowNodeId("foo")))
@@ -87,28 +109,74 @@ class WorkflowJdbcRepositoryTest extends Specification with DBCommon with IOChec
     val firstWorkflowNodeId  = WorkflowNodeId("first")
     val secondWorkflowNodeId = WorkflowNodeId("second")
     "create a workflow" in {
-      woWorkflowJdbcRepository.createWorkflow(changeRequestId, firstWorkflowNodeId) must beEqualTo(Full(firstWorkflowNodeId))
+      woWorkflowJdbcRepository.createWorkflow(changeRequestId, firstWorkflowNodeId).runNow must beEqualTo(firstWorkflowNodeId)
     }
 
     "update a workflow" in {
-      woWorkflowJdbcRepository.updateState(changeRequestId, firstWorkflowNodeId, secondWorkflowNodeId) must beEqualTo(
-        Full(secondWorkflowNodeId)
+      woWorkflowJdbcRepository.updateState(changeRequestId, firstWorkflowNodeId, secondWorkflowNodeId).runNow must beEqualTo(
+        secondWorkflowNodeId
       )
     }
 
     "get all change requests by state" in {
-      roWorkflowJdbcRepository.getAllByState(firstWorkflowNodeId) must beEqualTo(Full(Seq.empty))
-      roWorkflowJdbcRepository.getAllByState(secondWorkflowNodeId) must beEqualTo(Full(Vector(changeRequestId)))
+      roWorkflowJdbcRepository.getAllByState(firstWorkflowNodeId).runNow must beEqualTo(Seq.empty)
+      roWorkflowJdbcRepository.getAllByState(secondWorkflowNodeId).runNow must beEqualTo(Vector(changeRequestId))
 
     }
 
     "get state of change request" in {
-      roWorkflowJdbcRepository.getStateOfChangeRequest(changeRequestId) must beEqualTo(Full(secondWorkflowNodeId))
+      roWorkflowJdbcRepository.getStateOfChangeRequest(changeRequestId).runNow must beEqualTo(secondWorkflowNodeId)
     }
 
     "get all change requests state" in {
-      roWorkflowJdbcRepository.getAllChangeRequestsState() must beEqualTo(Full(Map(changeRequestId -> secondWorkflowNodeId)))
+      roWorkflowJdbcRepository.getAllChangeRequestsState().runNow must beEqualTo(
+        Map(
+          changeRequestId  -> secondWorkflowNodeId,
+          changeRequestId2 -> Validation.id,
+          changeRequestId3 -> Deployment.id,
+          changeRequestId4 -> Deployment.id
+        )
+      )
+    }
+
+    "get the count of pending change requests for " in {
+
+      "both the 'Pending validation' and 'Pending deployment' states" in {
+        roWorkflowJdbcRepository.getCountByState(NonEmptyList.of(Validation.id, Deployment.id)).runNow must beEqualTo(
+          Map(
+            Validation.id -> 1,
+            Deployment.id -> 2
+          )
+        )
+      }
+
+      "the 'Pending validation' state" in {
+        roWorkflowJdbcRepository.getCountByState(NonEmptyList.of(Validation.id)).runNow must beEqualTo(
+          Map(
+            Validation.id -> 1
+          )
+        )
+      }
+
+      "the 'Pending deployment' state" in {
+        roWorkflowJdbcRepository.getCountByState(NonEmptyList.of(Deployment.id)).runNow must beEqualTo(
+          Map(
+            Deployment.id -> 2
+          )
+        )
+      }
     }
 
+    "return 0 for the number of change requests in a given state if no change request is in that state" in {
+
+      (woWorkflowJdbcRepository.updateState(changeRequestId2, Validation.id, Cancelled.id) *>
+
+      roWorkflowJdbcRepository.getCountByState(NonEmptyList.of(Validation.id, Deployment.id))).runNow must beEqualTo(
+        Map(
+          Validation.id -> 0,
+          Deployment.id -> 2
+        )
+      )
+    }
   }
 }
diff --git a/change-validation/src/test/scala/com/normation/plugins/changevalidation/api/ChangeRequestApiTest.scala b/change-validation/src/test/scala/com/normation/plugins/changevalidation/api/ChangeRequestApiTest.scala
index 859b7337f..73058ae50 100644
--- a/change-validation/src/test/scala/com/normation/plugins/changevalidation/api/ChangeRequestApiTest.scala
+++ b/change-validation/src/test/scala/com/normation/plugins/changevalidation/api/ChangeRequestApiTest.scala
@@ -73,9 +73,9 @@ import com.normation.rudder.domain.policies.Tags
 import com.normation.rudder.domain.properties.AddGlobalParameterDiff
 import com.normation.rudder.domain.properties.DeleteGlobalParameterDiff
 import com.normation.rudder.domain.properties.ModifyToGlobalParameterDiff
-import com.normation.rudder.domain.queries.And
-import com.normation.rudder.domain.queries.NodeReturnType
+import com.normation.rudder.domain.queries.CriterionComposition.*
 import com.normation.rudder.domain.queries.Query
+import com.normation.rudder.domain.queries.QueryReturnType.*
 import com.normation.rudder.domain.queries.ResultTransformation
 import com.normation.rudder.domain.workflows.ChangeRequestId
 import com.normation.rudder.domain.workflows.ChangeRequestInfo
@@ -96,10 +96,10 @@ import com.normation.rudder.rest.RestTestSetUp
 import com.normation.rudder.rest.TraitTestApiFromYamlFiles
 import com.normation.rudder.services.modification.DiffServiceImpl
 import java.nio.file.Files
-import net.liftweb.common.Full
 import org.joda.time.DateTime
 import org.junit.runner.RunWith
 import zio.*
+import zio.syntax.*
 import zio.test.*
 import zio.test.junit.ZTestJUnitRunner
 
@@ -624,9 +624,9 @@ class ChangeRequestApiTest extends ZIOSpecDefault {
     mockServices.changeRequestRepository,
     mockServices.notificationService,
     mockServices.userService,
-    () => Full(true),
-    () => Full(true),
-    () => Full(true)
+    () => true.succeed,
+    () => true.succeed,
+    () => true.succeed
   )
 
   restTestSetUp.workflowLevelService.overrideLevel(
@@ -635,8 +635,8 @@ class ChangeRequestApiTest extends ZIOSpecDefault {
       restTestSetUp.workflowLevelService.defaultWorkflowService,
       validationWorkflowService,
       List.empty,
-      () => Full(true),
-      () => Full(false),
+      () => true.succeed,
+      () => false.succeed,
       null
     )
   )
diff --git a/change-validation/src/test/scala/com/normation/plugins/changevalidation/api/WorkflowInternalApiTest.scala b/change-validation/src/test/scala/com/normation/plugins/changevalidation/api/WorkflowInternalApiTest.scala
new file mode 100644
index 000000000..93a35dd33
--- /dev/null
+++ b/change-validation/src/test/scala/com/normation/plugins/changevalidation/api/WorkflowInternalApiTest.scala
@@ -0,0 +1,122 @@
+/*
+ *************************************************************************************
+ * Copyright 2025 Normation SAS
+ *************************************************************************************
+ *
+ * This file is part of Rudder.
+ *
+ * Rudder is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * In accordance with the terms of section 7 (7. Additional Terms.) of
+ * the GNU General Public License version 3, the copyright holders add
+ * the following Additional permissions:
+ * Notwithstanding to the terms of section 5 (5. Conveying Modified Source
+ * Versions) and 6 (6. Conveying Non-Source Forms.) of the GNU General
+ * Public License version 3, when you create a Related Module, this
+ * Related Module is not considered as a part of the work and may be
+ * distributed under the license agreement of your choice.
+ * A "Related Module" means a set of sources files including their
+ * documentation that, without modification of the Source Code, enables
+ * supplementary functions or services in addition to those offered by
+ * the Software.
+ *
+ * Rudder is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Rudder.  If not, see <http://www.gnu.org/licenses/>.
+
+ *
+ *************************************************************************************
+ */
+
+package com.normation.plugins.changevalidation.api
+
+import better.files.File
+import com.normation.errors.IOResult
+import com.normation.errors.effectUioUnit
+import com.normation.plugins.changevalidation.MockServices
+import com.normation.plugins.changevalidation.TwoValidationStepsWorkflowServiceImpl.Cancelled
+import com.normation.plugins.changevalidation.TwoValidationStepsWorkflowServiceImpl.Deployment
+import com.normation.plugins.changevalidation.TwoValidationStepsWorkflowServiceImpl.Validation
+import com.normation.rudder.api.ApiVersion
+import com.normation.rudder.domain.workflows.ChangeRequest
+import com.normation.rudder.domain.workflows.ChangeRequestId
+import com.normation.rudder.domain.workflows.ChangeRequestInfo
+import com.normation.rudder.domain.workflows.ConfigurationChangeRequest
+import com.normation.rudder.rest.RestTestSetUp
+import com.normation.rudder.rest.TraitTestApiFromYamlFiles
+import java.nio.file.Files
+import org.junit.runner.RunWith
+import zio.Scope
+import zio.ZIO
+import zio.test.Spec
+import zio.test.TestEnvironment
+import zio.test.ZIOSpecDefault
+import zio.test.junit.ZTestJUnitRunner
+
+@RunWith(classOf[ZTestJUnitRunner])
+class WorkflowInternalApiTest extends ZIOSpecDefault {
+
+  private def mockChangeRequest(id: Int): ChangeRequest = {
+    ConfigurationChangeRequest(
+      ChangeRequestId(id),
+      None,
+      ChangeRequestInfo(s"cr ${id}", "mock change request"),
+      Map.empty,
+      Map.empty,
+      Map.empty,
+      Map.empty
+    )
+  }
+
+  val restTestSetUp = RestTestSetUp.newEnv
+
+  val tmpDir: File = File(Files.createTempDirectory("rudder-test-"))
+  val yamlSourceDirectory  = "changevalidation_api"
+  val yamlDestTmpDirectory = tmpDir / "templates"
+
+  val mockServices = new MockServices(
+    Map(
+      Validation.id -> List(mockChangeRequest(1), mockChangeRequest(2)),
+      Deployment.id -> List(mockChangeRequest(3)),
+      Cancelled.id  -> List(mockChangeRequest(4))
+    )
+  )
+
+  val modules = List(
+    new WorkflowInternalApiImpl(
+      mockServices.workflowRepository,
+      restTestSetUp.userService
+    )
+  )
+
+  val apiVersions = ApiVersion(13, true) :: ApiVersion(14, false) :: Nil
+
+  val (rudderApi, liftRules) = TraitTestApiFromYamlFiles.buildLiftRules(modules, apiVersions, None)
+  val transformations: Map[String, String => String] = Map()
+
+  override def spec: Spec[TestEnvironment with Scope, Any] = {
+    suite("All REST tests defined in files") {
+
+      for {
+        s <- TraitTestApiFromYamlFiles.doTest(
+               yamlSourceDirectory,
+               yamlDestTmpDirectory,
+               liftRules,
+               List("api_workflowinternal.yml"),
+               transformations
+             )
+        _ <- effectUioUnit(
+               if (java.lang.System.getProperty("tests.clean.tmp") != "false") IOResult.attempt(restTestSetUp.cleanup())
+               else ZIO.unit
+             )
+      } yield s
+    }
+  }
+}
diff --git a/datasources/packaging/metadata b/datasources/packaging/metadata
index 2f98c188c..27ac0e312 100644
--- a/datasources/packaging/metadata
+++ b/datasources/packaging/metadata
@@ -8,5 +8,6 @@
   "jar-files": [ "/opt/rudder/share/plugins/${plugin-name}/${plugin-name}.jar" ],
   "content": {
     "files.txz": "/opt/rudder/share/plugins"
-  }
+  },
+  "requires-license": true
 }
diff --git a/datasources/src/main/resources/template/dataSourceManagement.html b/datasources/src/main/resources/template/dataSourceManagement.html
index 84083cac1..dd7d3f0d4 100644
--- a/datasources/src/main/resources/template/dataSourceManagement.html
+++ b/datasources/src/main/resources/template/dataSourceManagement.html
@@ -6,15 +6,15 @@
   </head_merge>
   <main class="rudder-template" id="datasource">
   </main>
-  <script>
+  <script data-lift="with-nonce">
     var hasWriteRights = false;
   </script>
   <lift:authz role="rule_write">
-    <script>
+    <script data-lift="with-nonce">
       hasWriteRights = true;
     </script>
   </lift:authz>
-  <script>
+  <script data-lift="with-nonce">
     $(document).ready(function(){
       var main = document.querySelector("main");
       var initValues = {
diff --git a/datasources/src/main/scala-templates/default/com/normation/plugins/datasources/EnablePluginImpl.scala b/datasources/src/main/scala-templates/default/com/normation/plugins/datasources/EnablePluginImpl.scala
index 88eeaaf7c..838c85d8b 100644
--- a/datasources/src/main/scala-templates/default/com/normation/plugins/datasources/EnablePluginImpl.scala
+++ b/datasources/src/main/scala-templates/default/com/normation/plugins/datasources/EnablePluginImpl.scala
@@ -38,6 +38,6 @@
 package com.normation.plugins.datasources
 
 import com.normation.plugins.PluginEnableImpl
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends PluginEnableImpl
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends PluginEnableImpl
diff --git a/datasources/src/main/scala-templates/limited/com/normation/plugins/datasources/EnablePluginImpl.scala b/datasources/src/main/scala-templates/limited/com/normation/plugins/datasources/EnablePluginImpl.scala
index b660dab21..4bb3db108 100644
--- a/datasources/src/main/scala-templates/limited/com/normation/plugins/datasources/EnablePluginImpl.scala
+++ b/datasources/src/main/scala-templates/limited/com/normation/plugins/datasources/EnablePluginImpl.scala
@@ -38,15 +38,15 @@
 package com.normation.plugins.datasources
 
 import com.normation.plugins.LicensedPluginCheck
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 import com.normation.zio.*
 
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends LicensedPluginCheck {
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends LicensedPluginCheck {
   // here are processed variables
   def pluginResourcePublickey = "${plugin-resource-publickey}"
   def pluginResourceLicense   = "${plugin-resource-license}"
   def pluginDeclaredVersion   = "${plugin-declared-version}"
   def pluginId                = "${plugin-fullname}"
 
-  override def getNumberOfNodes: Int = nodeInfoService.getNumberOfManagedNodes.runNow
+  override def getNumberOfNodes: Int = nodeFactRepo.getNumberOfManagedNodes().runNow
 }
diff --git a/datasources/src/main/scala/bootstrap/rudder/plugin/DataSourcesConf.scala b/datasources/src/main/scala/bootstrap/rudder/plugin/DataSourcesConf.scala
index 26c2054b0..fee61b9f2 100644
--- a/datasources/src/main/scala/bootstrap/rudder/plugin/DataSourcesConf.scala
+++ b/datasources/src/main/scala/bootstrap/rudder/plugin/DataSourcesConf.scala
@@ -74,7 +74,7 @@ object DatasourcesConf extends RudderPluginModule {
   import bootstrap.liftweb.RudderConfig as Cfg
 
   // by build convention, we have only one of that on the classpath
-  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeInfoService)
+  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeFactRepository)
 
   lazy val regenerationHook = new OnUpdatedNodeRegenerate(RudderConfig.asyncDeploymentAgent)
 
@@ -113,8 +113,7 @@ object DatasourcesConf extends RudderPluginModule {
 
   val dataSourceApi9 = new DataSourceApiImpl(
     dataSourceRepository,
-    Cfg.nodeInfoService,
-    Cfg.woNodeRepository,
+    Cfg.nodeFactRepository,
     Cfg.stringUuidGenerator
   )
 
diff --git a/datasources/src/main/scala/com/normation/plugins/datasources/DataSourcesPluginDef.scala b/datasources/src/main/scala/com/normation/plugins/datasources/DataSourcesPluginDef.scala
index 2c2447905..387b9d1ec 100644
--- a/datasources/src/main/scala/com/normation/plugins/datasources/DataSourcesPluginDef.scala
+++ b/datasources/src/main/scala/com/normation/plugins/datasources/DataSourcesPluginDef.scala
@@ -48,7 +48,6 @@ import com.normation.rudder.rest.EndpointSchema
 import com.normation.rudder.rest.lift.LiftApiModuleProvider
 import com.normation.zio.*
 import net.liftweb.http.ClasspathTemplates
-import net.liftweb.sitemap.Loc.LocGroup
 import net.liftweb.sitemap.Loc.Template
 import net.liftweb.sitemap.Loc.TestAccess
 import net.liftweb.sitemap.LocPath.stringToLocPath
@@ -73,7 +72,6 @@ class DataSourcesPluginDef(override val status: PluginStatus) extends DefaultPlu
     (
       (Menu("150-dataSourceManagement", <span>Data sources</span>) /
       "secure" / "plugins" / "dataSourceManagement"
-      >> LocGroup("pluginsGroup")
       >> TestAccess(() => Boot.userIsAllowed("/secure/index", Administration.Read))
       >> Template(() =>
         ClasspathTemplates("template" :: "dataSourceManagement" :: Nil) openOr <div>Template not found</div>
diff --git a/datasources/src/main/scala/com/normation/plugins/datasources/api/DataSourceApi.scala b/datasources/src/main/scala/com/normation/plugins/datasources/api/DataSourceApi.scala
index f15a3f9ce..edd851748 100644
--- a/datasources/src/main/scala/com/normation/plugins/datasources/api/DataSourceApi.scala
+++ b/datasources/src/main/scala/com/normation/plugins/datasources/api/DataSourceApi.scala
@@ -66,7 +66,8 @@ object DataSourceApi       extends Enum[DataSourceApi] with ApiModuleProvider[Da
     val description    = "Reload all datasources for all nodes"
     val (action, path) = POST / "datasources" / "reload" / "node"
 
-    override def dataContainer: Option[String] = None
+    override def dataContainer: Option[String]          = None
+    val authz:                  List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   final case object ReloadAllDatasourcesOneNode extends DataSourceApi with OneParam with StartsAtVersion9 with SortIndex {
@@ -74,7 +75,8 @@ object DataSourceApi       extends Enum[DataSourceApi] with ApiModuleProvider[Da
     val description    = "Reload all datasources for the given node"
     val (action, path) = POST / "datasources" / "reload" / "node" / "{nodeid}"
 
-    override def dataContainer: Option[String] = None
+    override def dataContainer: Option[String]          = None
+    val authz:                  List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   final case object ReloadOneDatasourceAllNodes extends DataSourceApi with OneParam with StartsAtVersion9 with SortIndex {
@@ -82,7 +84,8 @@ object DataSourceApi       extends Enum[DataSourceApi] with ApiModuleProvider[Da
     val description    = "Reload this given datasources for all nodes"
     val (action, path) = POST / "datasources" / "reload" / "{datasourceid}"
 
-    override def dataContainer: Option[String] = None
+    override def dataContainer: Option[String]          = None
+    val authz:                  List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   final case object ReloadOneDatasourceOneNode extends DataSourceApi with TwoParam with StartsAtVersion9 with SortIndex {
@@ -90,7 +93,8 @@ object DataSourceApi       extends Enum[DataSourceApi] with ApiModuleProvider[Da
     val description    = "Reload the given datasource for the given node"
     val (action, path) = POST / "datasources" / "reload" / "{datasourceid}" / "node" / "{nodeid}"
 
-    override def dataContainer: Option[String] = None
+    override def dataContainer: Option[String]          = None
+    val authz:                  List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   final case object ClearValueOneDatasourceAllNodes extends DataSourceApi with OneParam with StartsAtVersion9 with SortIndex {
@@ -98,7 +102,8 @@ object DataSourceApi       extends Enum[DataSourceApi] with ApiModuleProvider[Da
     val description    = "Clear node property values on all nodes for given datasource"
     val (action, path) = POST / "datasources" / "clear" / "{datasourceid}"
 
-    override def dataContainer: Option[String] = None
+    override def dataContainer: Option[String]          = None
+    val authz:                  List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   final case object ClearValueOneDatasourceOneNode extends DataSourceApi with TwoParam with StartsAtVersion9 with SortIndex {
@@ -106,7 +111,8 @@ object DataSourceApi       extends Enum[DataSourceApi] with ApiModuleProvider[Da
     val description    = "Clear node property value set by given datasource on given node"
     val (action, path) = POST / "datasources" / "clear" / "{datasourceid}" / "node" / "{nodeid}"
 
-    override def dataContainer: Option[String] = None
+    override def dataContainer: Option[String]          = None
+    val authz:                  List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   final case object GetAllDataSources extends DataSourceApi with ZeroParam with StartsAtVersion9 with SortIndex {
@@ -132,7 +138,8 @@ object DataSourceApi       extends Enum[DataSourceApi] with ApiModuleProvider[Da
     val description    = "Delete given datasource"
     val (action, path) = DELETE / "datasources" / "{datasourceid}"
 
-    override def dataContainer: Option[String] = Some("datasources")
+    override def dataContainer: Option[String]          = Some("datasources")
+    val authz:                  List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   final case object CreateDataSource extends DataSourceApi with ZeroParam with StartsAtVersion9 with SortIndex {
@@ -140,7 +147,8 @@ object DataSourceApi       extends Enum[DataSourceApi] with ApiModuleProvider[Da
     val description    = "Create given datasource"
     val (action, path) = PUT / "datasources"
 
-    override def dataContainer: Option[String] = Some("datasources")
+    override def dataContainer: Option[String]          = Some("datasources")
+    val authz:                  List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   final case object UpdateDataSource extends DataSourceApi with OneParam with StartsAtVersion9 with SortIndex {
@@ -148,7 +156,8 @@ object DataSourceApi       extends Enum[DataSourceApi] with ApiModuleProvider[Da
     val description    = "Update information about the given datasource"
     val (action, path) = POST / "datasources" / "{datasourceid}"
 
-    override def dataContainer: Option[String] = Some("datasources")
+    override def dataContainer: Option[String]          = Some("datasources")
+    val authz:                  List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   def endpoints = values.toList.sortBy(_.z)
diff --git a/datasources/src/main/scala/com/normation/plugins/datasources/api/DataSourceApiImpl.scala b/datasources/src/main/scala/com/normation/plugins/datasources/api/DataSourceApiImpl.scala
index 1a87d4298..5ef4a39b0 100644
--- a/datasources/src/main/scala/com/normation/plugins/datasources/api/DataSourceApiImpl.scala
+++ b/datasources/src/main/scala/com/normation/plugins/datasources/api/DataSourceApiImpl.scala
@@ -51,28 +51,30 @@ import com.normation.plugins.datasources.RestResponseMessage
 import com.normation.plugins.datasources.UpdateCause
 import com.normation.plugins.datasources.api.DataSourceApi as API
 import com.normation.rudder.api.ApiVersion
-import com.normation.rudder.domain.nodes.Node
 import com.normation.rudder.domain.properties.CompareProperties
 import com.normation.rudder.domain.properties.GenericProperty.*
-import com.normation.rudder.repository.WoNodeRepository
+import com.normation.rudder.facts.nodes.ChangeContext
+import com.normation.rudder.facts.nodes.CoreNodeFact
+import com.normation.rudder.facts.nodes.NodeFactRepository
+import com.normation.rudder.facts.nodes.NodeSecurityContext
 import com.normation.rudder.rest.*
 import com.normation.rudder.rest.implicits.*
 import com.normation.rudder.rest.lift.DefaultParams
 import com.normation.rudder.rest.lift.LiftApiModule
 import com.normation.rudder.rest.lift.LiftApiModule0
 import com.normation.rudder.rest.lift.LiftApiModuleProvider
-import com.normation.rudder.services.nodes.NodeInfoService
 import com.normation.utils.StringUuidGenerator
 import io.scalaland.chimney.syntax.*
 import net.liftweb.http.LiftResponse
 import net.liftweb.http.Req
+import org.joda.time.DateTime
+import zio.Chunk
 import zio.syntax.*
 
 class DataSourceApiImpl(
-    dataSourceRepo:  DataSourceRepository with DataSourceUpdateCallbacks,
-    nodeInfoService: NodeInfoService,
-    nodeRepos:       WoNodeRepository,
-    uuidGen:         StringUuidGenerator
+    dataSourceRepo: DataSourceRepository with DataSourceUpdateCallbacks,
+    nodeFactRepo:   NodeFactRepository,
+    uuidGen:        StringUuidGenerator
 ) extends LiftApiModuleProvider[API] {
   api =>
 
@@ -80,8 +82,6 @@ class DataSourceApiImpl(
 
   override def schemas: ApiModuleProvider[API] = API
 
-  type ActionType = RestUtils.ActionType
-
   import com.normation.plugins.datasources.DataSourceExtractor.OptionalJson.*
 
   def getLiftEndpoints(): List[LiftApiModule] = {
@@ -174,8 +174,8 @@ class DataSourceApiImpl(
         UpdateCause(modId, authzToken.qc.actor, Some(s"API request to clear '${datasourceId}' on node '${nodeId.value}'"), false)
 
       (for {
-        nodes <- nodeInfoService.getAllNodes()
-        _     <- nodes.values.accumulate(node => erase(cause(node.id), node, DataSourceId(datasourceId)))
+        nodes <- nodeFactRepo.getAll()(authzToken.qc)
+        _     <- nodes.values.accumulate(node => erase(cause(node.id), node, DataSourceId(datasourceId), authzToken.qc.nodePerms))
         res    = s"Data for all nodes, for data source '${datasourceId}', cleared"
       } yield res)
         .chainError(s"Could not clear data source property '${datasourceId}'")
@@ -202,9 +202,8 @@ class DataSourceApiImpl(
       )
 
       (for {
-        optNode <- nodeInfoService.getNodeInfo(NodeId(nodeId))
-        node    <- optNode.notOptional(s"Node with ID '${nodeId}' was not found")
-        updated <- erase(cause, node.node, DataSourceId(datasourceId))
+        node    <- nodeFactRepo.get(NodeId(nodeId))(authzToken.qc).notOptional(s"Node with ID '${nodeId}' was not found")
+        updated <- erase(cause, node, DataSourceId(datasourceId), authzToken.qc.nodePerms)
         res      = s"Data for node '${nodeId}', for data source '${datasourceId}', cleared"
       } yield res)
         .chainError(s"Could not clear data source property '${datasourceId}'")
@@ -321,20 +320,25 @@ class DataSourceApiImpl(
   }
 
   /// utilities ///
-  private[this] def erase(cause: UpdateCause, node: Node, datasourceId: DataSourceId): IOResult[NodeUpdateResult] = {
+  private[this] def erase(
+      cause:        UpdateCause,
+      node:         CoreNodeFact,
+      datasourceId: DataSourceId,
+      nodePerms:    NodeSecurityContext
+  ): IOResult[NodeUpdateResult] = {
     val newProp = DataSource.nodeProperty(datasourceId.value, "".toConfigValue)
     node.properties.find(_.name == newProp.name) match {
       case None    => NodeUpdateResult.Unchanged(node.id).succeed
       case Some(p) =>
         if (p.provider == newProp.provider) {
           for {
-            newProps    <- CompareProperties.updateProperties(node.properties, Some(newProp :: Nil)).toIO
-            newNode      = node.copy(properties = newProps)
-            nodeUpdated <- nodeRepos
-                             .updateNode(newNode, cause.modId, cause.actor, cause.reason)
-                             .chainError(s"Cannot clear value for node '${node.id.value}' for property '${newProp.name}'")
+            newProps <- CompareProperties.updateProperties(node.properties.toList, Some(newProp :: Nil)).toIO
+            newNode   = node.copy(properties = Chunk.fromIterable(newProps))
+            _        <- nodeFactRepo
+                          .save(newNode)(ChangeContext(cause.modId, cause.actor, DateTime.now, cause.reason, None, nodePerms))
+                          .chainError(s"Cannot clear value for node '${node.id.value}' for property '${newProp.name}'")
           } yield {
-            NodeUpdateResult.Updated(nodeUpdated.id)
+            NodeUpdateResult.Updated(newNode.id)
           }
         } else {
           Unexpected(
diff --git a/datasources/src/test/scala/com/normation/plugins/datasources/UpdateHttpDatasetTest.scala b/datasources/src/test/scala/com/normation/plugins/datasources/UpdateHttpDatasetTest.scala
index 2ed650e02..ebe96b993 100644
--- a/datasources/src/test/scala/com/normation/plugins/datasources/UpdateHttpDatasetTest.scala
+++ b/datasources/src/test/scala/com/normation/plugins/datasources/UpdateHttpDatasetTest.scala
@@ -60,7 +60,6 @@ import com.normation.rudder.repository.RoParameterRepository
 import com.normation.rudder.services.nodes.PropertyEngineServiceImpl
 import com.normation.rudder.services.policies.InterpolatedValueCompilerImpl
 import com.normation.rudder.services.policies.NodeConfigData
-import com.normation.rudder.tenants.DefaultTenantService
 import com.normation.utils.StringUuidGeneratorImpl
 import com.normation.zio.*
 import com.softwaremill.quicklens.*
@@ -151,7 +150,6 @@ object TestingZioHttpServer {
 /**
  * This is just a test program to see how test clock works
  */
-@nowarn("msg=a type was inferred to be `\\w+`; this may indicate a programming error.")
 object TestingSpacedClock {
 
   val makeTestClock = TestClock.default.build
@@ -503,15 +501,9 @@ class UpdateHttpDatasetTest extends Specification with BoxSpecMatcher with Logga
                            }
                          }
                        }
-      ts            <- DefaultTenantService.make(Nil)
-      repo          <- CoreNodeFactRepository.make(
-                         NoopFactStorage,
-                         NoopGetNodesBySoftwareName,
-                         ts,
-                         Map(),
+      repo          <- CoreNodeFactRepository.makeNoop(
                          initNodeInfo,
-                         Chunk(updateCallback),
-                         Chunk()
+                         callbacks = Chunk(updateCallback)
                        )
     } yield (updates, repo)).runNow
   }
diff --git a/datasources/src/test/scala/com/normation/plugins/datasources/api/RestDataSourceFilesTest.scala b/datasources/src/test/scala/com/normation/plugins/datasources/api/RestDataSourceFilesTest.scala
index e20ec7808..e2713e3a8 100644
--- a/datasources/src/test/scala/com/normation/plugins/datasources/api/RestDataSourceFilesTest.scala
+++ b/datasources/src/test/scala/com/normation/plugins/datasources/api/RestDataSourceFilesTest.scala
@@ -62,8 +62,7 @@ class RestDataSourceFilesTest extends ZIOSpecDefault {
   val mockNodes      = new MockNodes()
   val dataSourceApi9 = new DataSourceApiImpl(
     datasourceRepo,
-    mockNodes.nodeInfoService,
-    null,
+    mockNodes.nodeFactRepo,
     restTestSetUp.uuidGen
   )
 
diff --git a/datasources/src/test/scala/com/normation/plugins/datasources/api/RestDataSourceTest.scala b/datasources/src/test/scala/com/normation/plugins/datasources/api/RestDataSourceTest.scala
index 979e28611..9a11ac0f8 100644
--- a/datasources/src/test/scala/com/normation/plugins/datasources/api/RestDataSourceTest.scala
+++ b/datasources/src/test/scala/com/normation/plugins/datasources/api/RestDataSourceTest.scala
@@ -66,8 +66,7 @@ class RestDataSourceTest extends Specification {
   val mockNodes      = new MockNodes()
   val dataSourceApi9 = new DataSourceApiImpl(
     datasourceRepo,
-    mockNodes.nodeInfoService,
-    null,
+    mockNodes.nodeFactRepo,
     restTestSetUp.uuidGen
   )
 
diff --git a/main-build.conf b/main-build.conf
index 7c87310c4..b5dc454e0 100644
--- a/main-build.conf
+++ b/main-build.conf
@@ -14,6 +14,6 @@
 # Version of Rudder used to build the plugin.
 # It defined the API/ABI used and it is important for binary compatibility
 branch-type=next
-rudder-version=8.2.8
+rudder-version=9.1.0~alpha1
 common-version=2.1.1
 private-version=2.1.0
diff --git a/node-external-reports/packaging/metadata b/node-external-reports/packaging/metadata
index d3d0c4d99..915e1b34a 100644
--- a/node-external-reports/packaging/metadata
+++ b/node-external-reports/packaging/metadata
@@ -8,5 +8,6 @@
   "jar-files": [ "/opt/rudder/share/plugins/${plugin-name}/${plugin-name}.jar" ],
   "content": {
     "files.txz": "/opt/rudder/share/plugins"
-  }
+  },
+  "requires-license": true
 }
diff --git a/node-external-reports/src/main/scala-templates/default/com/normation/plugins/nodeexternalreports/EnablePluginImpl.scala b/node-external-reports/src/main/scala-templates/default/com/normation/plugins/nodeexternalreports/EnablePluginImpl.scala
index 1c7e55f34..19e0326c8 100644
--- a/node-external-reports/src/main/scala-templates/default/com/normation/plugins/nodeexternalreports/EnablePluginImpl.scala
+++ b/node-external-reports/src/main/scala-templates/default/com/normation/plugins/nodeexternalreports/EnablePluginImpl.scala
@@ -38,10 +38,10 @@
 package com.normation.plugins.nodeexternalreports
 
 import com.normation.plugins.PluginEnableImpl
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 
 /*
  * The class will be loaded by ServiceLoader, it needs an empty constructor.
  */
 
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends PluginEnableImpl
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends PluginEnableImpl
diff --git a/node-external-reports/src/main/scala-templates/limited/com/normation/plugins/nodeexternalreports/EnablePluginImpl.scala b/node-external-reports/src/main/scala-templates/limited/com/normation/plugins/nodeexternalreports/EnablePluginImpl.scala
index 807d0586d..bdeb69421 100644
--- a/node-external-reports/src/main/scala-templates/limited/com/normation/plugins/nodeexternalreports/EnablePluginImpl.scala
+++ b/node-external-reports/src/main/scala-templates/limited/com/normation/plugins/nodeexternalreports/EnablePluginImpl.scala
@@ -38,7 +38,7 @@
 package com.normation.plugins.nodeexternalreports
 
 import com.normation.plugins.LicensedPluginCheck
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 import com.normation.zio.*
 
 /*
@@ -49,12 +49,12 @@ import com.normation.zio.*
  * The class will be loaded by ServiceLoader, it needs an empty constructor.
  */
 
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends LicensedPluginCheck {
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends LicensedPluginCheck {
   // here are processed variables
   def pluginResourcePublickey = "${plugin-resource-publickey}"
   def pluginResourceLicense   = "${plugin-resource-license}"
   def pluginDeclaredVersion   = "${plugin-declared-version}"
   def pluginId                = "${plugin-fullname}"
 
-  override def getNumberOfNodes: Int = nodeInfoService.getNumberOfManagedNodes.runNow
+  override def getNumberOfNodes: Int = nodeFactRepo.getNumberOfManagedNodes().runNow
 }
diff --git a/node-external-reports/src/main/scala/bootstrap/rudder/plugin/NodeExternalReportsConf.scala b/node-external-reports/src/main/scala/bootstrap/rudder/plugin/NodeExternalReportsConf.scala
index d19b393bc..65e1e4672 100644
--- a/node-external-reports/src/main/scala/bootstrap/rudder/plugin/NodeExternalReportsConf.scala
+++ b/node-external-reports/src/main/scala/bootstrap/rudder/plugin/NodeExternalReportsConf.scala
@@ -61,11 +61,11 @@ object NodeExternalReportsConf extends RudderPluginModule {
         x
     }
 
-    new ReadExternalReports(RudderConfig.nodeInfoService, configPath)
+    new ReadExternalReports(RudderConfig.nodeFactRepository, configPath)
   }
 
   // by build convention, we have only one of that on the classpath
-  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeInfoService)
+  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeFactRepository)
 
   lazy val externalNodeReportApi = new NodeExternalReportApi(readReport)
 
diff --git a/node-external-reports/src/main/scala/com/normation/plugins/nodeexternalreports/NodeExternalReportPluginDef.scala b/node-external-reports/src/main/scala/com/normation/plugins/nodeexternalreports/NodeExternalReportPluginDef.scala
index 6443f8a4f..0e6d53e9d 100644
--- a/node-external-reports/src/main/scala/com/normation/plugins/nodeexternalreports/NodeExternalReportPluginDef.scala
+++ b/node-external-reports/src/main/scala/com/normation/plugins/nodeexternalreports/NodeExternalReportPluginDef.scala
@@ -45,7 +45,6 @@ import com.normation.plugins.nodeexternalreports.service.NodeExternalReportApi
 import net.liftweb.common.Loggable
 import net.liftweb.http.ClasspathTemplates
 import net.liftweb.http.LiftRules
-import net.liftweb.sitemap.Loc.LocGroup
 import net.liftweb.sitemap.Loc.Template
 import net.liftweb.sitemap.LocPath.stringToLocPath
 import net.liftweb.sitemap.Menu
@@ -67,7 +66,6 @@ class NodeExternalReportsPluginDef(api: NodeExternalReportApi, override val stat
   override def pluginMenuEntry: List[(Menu, Option[String])] = {
     (
       (Menu("160-nodeExternalReportInfo", <span>Node external reports</span>) / "secure" / "plugins" / "nodeexternalreports" >>
-      LocGroup("pluginsGroup") >>
       Template(() => {
         ClasspathTemplates("nodeExternalReports" :: Nil) openOr
         <div>Template not found</div>
diff --git a/node-external-reports/src/main/scala/com/normation/plugins/nodeexternalreports/extension/CreateNodeDetailsExtension.scala b/node-external-reports/src/main/scala/com/normation/plugins/nodeexternalreports/extension/CreateNodeDetailsExtension.scala
index 28bddf3b9..bfd5c3d05 100644
--- a/node-external-reports/src/main/scala/com/normation/plugins/nodeexternalreports/extension/CreateNodeDetailsExtension.scala
+++ b/node-external-reports/src/main/scala/com/normation/plugins/nodeexternalreports/extension/CreateNodeDetailsExtension.scala
@@ -40,6 +40,8 @@ import com.normation.plugins.PluginExtensionPoint
 import com.normation.plugins.PluginStatus
 import com.normation.plugins.nodeexternalreports.service.NodeExternalReport
 import com.normation.plugins.nodeexternalreports.service.ReadExternalReports
+import com.normation.rudder.facts.nodes.QueryContext
+import com.normation.rudder.users.CurrentUser
 import com.normation.rudder.web.components.ShowNodeDetailsFromNode
 import net.liftweb.common.*
 import net.liftweb.util.CssSel
@@ -51,6 +53,8 @@ class CreateNodeDetailsExtension(externalReport: ReadExternalReports, val status
     val ttag: ClassTag[ShowNodeDetailsFromNode]
 ) extends PluginExtensionPoint[ShowNodeDetailsFromNode] with Loggable {
 
+  implicit private val qc: QueryContext = CurrentUser.queryContext // bug https://issues.rudder.io/issues/26605
+
   def pluginCompose(snippet: ShowNodeDetailsFromNode): Map[String, NodeSeq => NodeSeq] = Map(
     "popupDetails" -> addExternalReportTab(snippet) _,
     "mainDetails"  -> addExternalReportTab(snippet) _
@@ -61,7 +65,7 @@ class CreateNodeDetailsExtension(externalReport: ReadExternalReports, val status
    * - add an li in ul with id=ruleDetailsTabMenu
    * - add the actual tab after the div with id=ruleDetailsEditTab
    */
-  def addExternalReportTab(snippet: ShowNodeDetailsFromNode)(xml: NodeSeq) = {
+  def addExternalReportTab(snippet: ShowNodeDetailsFromNode)(xml: NodeSeq)(implicit qc: QueryContext) = {
 
     val (tabTitle, content) = externalReport.getExternalReports(snippet.nodeId) match {
       case eb: EmptyBox =>
diff --git a/node-external-reports/src/main/scala/com/normation/plugins/nodeexternalreports/service/ReadExternalReports.scala b/node-external-reports/src/main/scala/com/normation/plugins/nodeexternalreports/service/ReadExternalReports.scala
index 4f5047ad1..5a6bfa41c 100644
--- a/node-external-reports/src/main/scala/com/normation/plugins/nodeexternalreports/service/ReadExternalReports.scala
+++ b/node-external-reports/src/main/scala/com/normation/plugins/nodeexternalreports/service/ReadExternalReports.scala
@@ -38,7 +38,8 @@ package com.normation.plugins.nodeexternalreports.service
 
 import com.normation.box.*
 import com.normation.inventory.domain.NodeId
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
+import com.normation.rudder.facts.nodes.QueryContext
 import com.typesafe.config.*
 import java.io.File
 import net.liftweb.common.*
@@ -74,7 +75,7 @@ final case class NodeExternalReports(
  * Read the reports configuration file and build the
  * awaited reports
  */
-class ReadExternalReports(nodeInfoService: NodeInfoService, val reportConfigFile: String) extends Loggable {
+class ReadExternalReports(nodeFactRepo: NodeFactRepository, val reportConfigFile: String) extends Loggable {
 
   private[this] var config: Box[ExternalReports] = null
 
@@ -124,12 +125,12 @@ class ReadExternalReports(nodeInfoService: NodeInfoService, val reportConfigFile
    * with the correct report file for that node.
    * A Node says that no file was found
    */
-  def getExternalReports(nodeId: NodeId): Box[NodeExternalReports] = {
+  def getExternalReports(nodeId: NodeId)(implicit qc: QueryContext): Box[NodeExternalReports] = {
     if (config == null) loadAndUpdateConfig()
 
     for {
       conf    <- config
-      optNode <- nodeInfoService.getNodeInfo(nodeId).toBox
+      optNode <- nodeFactRepo.get(nodeId).toBox
       node    <- optNode match {
                    case None    => Failure(s"The node with ID '${nodeId}' was not found, we can't add external information")
                    case Some(n) => Full(n)
@@ -141,7 +142,7 @@ class ReadExternalReports(nodeInfoService: NodeInfoService, val reportConfigFile
           case (key, report) =>
             val fileName = {
               val uuidName     = report.reportName(node.id.value).toLowerCase
-              val hostnameName = report.reportName(node.hostname).toLowerCase
+              val hostnameName = report.reportName(node.fqdn).toLowerCase
 
               if ((new File(report.rootDirectory, hostnameName)).exists) {
                 Some(hostnameName)
diff --git a/openscap/README.adoc b/openscap/README.adoc
index 75e36d7c5..31716522a 100644
--- a/openscap/README.adoc
+++ b/openscap/README.adoc
@@ -16,7 +16,7 @@ The plugin provides a Technique to execute the OpenSCAP tool at regular interval
 
 == Installation
 
-* Your Rudder server must have python-requests and rudder-api-client installed
+* Your Rudder server must have python-requests installed
 * Install the plugin on the Rudder Server with `rudder package install openscap`
 
 == Usage
diff --git a/openscap/packaging/metadata b/openscap/packaging/metadata
index f792bf482..b27b55bf7 100644
--- a/openscap/packaging/metadata
+++ b/openscap/packaging/metadata
@@ -5,10 +5,6 @@
   "version": "${plugin-version}",
   "build-date": "${maven.build.timestamp}",
   "build-commit": "${commit-id}",
-  "depends": {
-    "apt": [ "rudder-api-client" ],
-    "rpm": [ "rudder-api-client" ]
-  },
   "jar-files": [ "/opt/rudder/share/plugins/${plugin-name}/${plugin-name}/${plugin-name}.jar" ],
   "content": {
     "files.txz": "/opt/rudder/share/plugins/${plugin-name}/"
diff --git a/openscap/src/main/scala-templates/default/com/normation/plugins/openscappolicies/EnablePluginImpl.scala b/openscap/src/main/scala-templates/default/com/normation/plugins/openscappolicies/EnablePluginImpl.scala
index bdcc602bd..b5e812a0d 100644
--- a/openscap/src/main/scala-templates/default/com/normation/plugins/openscappolicies/EnablePluginImpl.scala
+++ b/openscap/src/main/scala-templates/default/com/normation/plugins/openscappolicies/EnablePluginImpl.scala
@@ -38,10 +38,10 @@
 package com.normation.plugins.openscappolicies
 
 import com.normation.plugins.PluginEnableImpl
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 
 /*
  * The class will be loaded by ServiceLoader, it needs an empty constructor.
  */
 
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends PluginEnableImpl
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends PluginEnableImpl
diff --git a/openscap/src/main/scala-templates/limited/com/normation/plugins/openscappolicies/EnablePluginImpl.scala b/openscap/src/main/scala-templates/limited/com/normation/plugins/openscappolicies/EnablePluginImpl.scala
index 64a8293e3..80282f87c 100644
--- a/openscap/src/main/scala-templates/limited/com/normation/plugins/openscappolicies/EnablePluginImpl.scala
+++ b/openscap/src/main/scala-templates/limited/com/normation/plugins/openscappolicies/EnablePluginImpl.scala
@@ -38,7 +38,7 @@
 package com.normation.plugins.openscappolicies
 
 import com.normation.plugins.LicensedPluginCheck
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 import com.normation.zio.*
 
 /*
@@ -48,12 +48,12 @@ import com.normation.zio.*
  *
  * The class will be loaded by ServiceLoader, it needs an empty constructor.
  */
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends LicensedPluginCheck {
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends LicensedPluginCheck {
   // here are processed variables
   def pluginResourcePublickey = "${plugin-resource-publickey}"
   def pluginResourceLicense   = "${plugin-resource-license}"
   def pluginDeclaredVersion   = "${plugin-declared-version}"
   def pluginId                = "${plugin-fullname}"
 
-  override def getNumberOfNodes: Int = nodeInfoService.getNumberOfManagedNodes.runNow
+  override def getNumberOfNodes: Int = nodeFactRepo.getNumberOfManagedNodes().runNow
 }
diff --git a/openscap/src/main/scala/bootstrap/rudder/plugin/OpenscapPoliciesConf.scala b/openscap/src/main/scala/bootstrap/rudder/plugin/OpenscapPoliciesConf.scala
index c9460c8c4..35615f0e8 100644
--- a/openscap/src/main/scala/bootstrap/rudder/plugin/OpenscapPoliciesConf.scala
+++ b/openscap/src/main/scala/bootstrap/rudder/plugin/OpenscapPoliciesConf.scala
@@ -51,7 +51,7 @@ import com.normation.plugins.openscappolicies.services.OpenScapReportReader
  */
 object OpenscapPoliciesConf extends RudderPluginModule {
 
-  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeInfoService)
+  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeFactRepository)
 
   lazy val pluginDef: OpenscapPoliciesPluginDef = new OpenscapPoliciesPluginDef(OpenscapPoliciesConf.pluginStatusService)
 
diff --git a/openscap/src/main/scala/com/normation/plugins/openscappolicies/extension/OpenScapNodeDetailsExtension.scala b/openscap/src/main/scala/com/normation/plugins/openscappolicies/extension/OpenScapNodeDetailsExtension.scala
index 5f57b41a9..54a6e2447 100644
--- a/openscap/src/main/scala/com/normation/plugins/openscappolicies/extension/OpenScapNodeDetailsExtension.scala
+++ b/openscap/src/main/scala/com/normation/plugins/openscappolicies/extension/OpenScapNodeDetailsExtension.scala
@@ -42,6 +42,7 @@ import com.normation.plugins.PluginStatus
 import com.normation.plugins.openscappolicies.OpenScapReport
 import com.normation.plugins.openscappolicies.services.OpenScapReportReader
 import com.normation.plugins.openscappolicies.services.ReportSanitizer
+import com.normation.rudder.facts.nodes.QueryContext
 import com.normation.rudder.users.CurrentUser
 import com.normation.rudder.web.components.ShowNodeDetailsFromNode
 import com.normation.zio.*
@@ -63,22 +64,26 @@ class OpenScapNodeDetailsExtension(
 )(implicit val ttag: ClassTag[ShowNodeDetailsFromNode])
     extends PluginExtensionPoint[ShowNodeDetailsFromNode] with Loggable {
 
-  def pluginCompose(snippet: ShowNodeDetailsFromNode): Map[String, NodeSeq => NodeSeq] = Map(
-    "popupDetails" -> addOpenScapReportTab(snippet) _,
-    "mainDetails"  -> addOpenScapReportTab(snippet) _
-  )
+    def pluginCompose(snippet: ShowNodeDetailsFromNode): Map[String, NodeSeq => NodeSeq] = {
+      implicit val qc: QueryContext = CurrentUser.queryContext // bug https://issues.rudder.io/issues/26605
+
+      Map(
+        "popupDetails" -> addOpenScapReportTab(snippet) _,
+        "mainDetails"  -> addOpenScapReportTab(snippet) _
+      )
+    }
 
   /**
    * Add a tab:
    * - add an li in ul with id=openScapExtensionTab
    */
-  def addOpenScapReportTab(snippet: ShowNodeDetailsFromNode)(xml: NodeSeq): NodeSeq = {
+  def addOpenScapReportTab(snippet: ShowNodeDetailsFromNode)(xml: NodeSeq)(implicit qc: QueryContext): NodeSeq = {
     // Actually extend
     def display(): NodeSeq = {
       val nodeId  = snippet.nodeId
       val content = {
         (for {
-          info   <- openScapReader.getOpenScapReportFile(nodeId)(CurrentUser.queryContext)
+          info   <- openScapReader.getOpenScapReportFile(nodeId)
           report <- ZIO.foreach(info) { case (hostname, file) => openScapReader.getOpenScapReportContent(nodeId, hostname, file) }
         } yield {
           report
diff --git a/plugins-common-private/src/main/scala/com/normation/plugins/ParsePluginLicense.scala b/plugins-common-private/src/main/scala/com/normation/plugins/ParsePluginLicense.scala
index f37578144..703c52f28 100644
--- a/plugins-common-private/src/main/scala/com/normation/plugins/ParsePluginLicense.scala
+++ b/plugins-common-private/src/main/scala/com/normation/plugins/ParsePluginLicense.scala
@@ -40,6 +40,8 @@ package com.normation.plugins
 import com.normation.license.*
 import com.normation.license.MaybeLicenseError.Maybe
 import com.normation.rudder.domain.logger.PluginLogger
+import io.scalaland.chimney.Transformer
+import io.scalaland.chimney.syntax.*
 import java.nio.file.Files
 import java.nio.file.Paths
 import java.nio.file.attribute.FileTime
@@ -52,6 +54,7 @@ import scala.util.control.NonFatal
  */
 
 trait LicensedPluginCheck extends PluginStatus {
+  import LicensedPluginCheck.*
 
   /*
    * implementation must define variable with the following maven properties
@@ -117,7 +120,7 @@ trait LicensedPluginCheck extends PluginStatus {
     infoCache
   }
 
-  def current: PluginStatusInfo = {
+  def current: RudderPluginLicenseStatus = {
     (for {
       info              <- maybeLicense
       (license, version) = info
@@ -125,21 +128,35 @@ trait LicensedPluginCheck extends PluginStatus {
     } yield {
       check
     }) match {
-      case Right(x) => PluginStatusInfo.EnabledWithLicense(licenseInformation(x))
-      case Left(y)  => PluginStatusInfo.Disabled(y.msg, maybeLicense.toOption.map { case (l, v) => licenseInformation(l) })
+      case Right(x) => RudderPluginLicenseStatus.EnabledWithLicense(x.content.transformInto[PluginLicense])
+      case Left(y)  =>
+        RudderPluginLicenseStatus.Disabled(
+          y.msg,
+          maybeLicense.toOption.map { case (l, _) => l.content.transformInto[PluginLicense] }
+        )
     }
   }
+}
 
-  private[this] def licenseInformation(l: License): PluginLicenseInfo = {
-    PluginLicenseInfo(
-      licensee = l.content.licensee.value,
-      softwareId = l.content.softwareId.value,
-      minVersion = l.content.minVersion.value.toString,
-      maxVersion = l.content.maxVersion.value.toString,
-      startDate = l.content.startDate.value,
-      endDate = l.content.endDate.value,
-      maxNodes = l.content.maxNodes.value,
-      others = l.content.others.map(_.raw).toMap
-    )
+// LicenseInformation has exactly the fields in license with different wrapper types : define transformers
+private object LicensedPluginCheck {
+  import com.normation.utils.DateFormaterService.JodaTimeToJava
+
+  // Required for min-max version which is a parsed version
+  // The license defines a version with a .toString method
+  implicit val transformerVersion: Transformer[Version, String] = _.toString
+
+  implicit val transformerLicensee:   Transformer[LicenseField.Licensee, Licensee]     = Transformer.derive
+  implicit val transformerSoftwareId: Transformer[LicenseField.SoftwareId, SoftwareId] = Transformer.derive
+  implicit val transformerMinVersion: Transformer[LicenseField.MinVersion, MinVersion] = Transformer.derive
+  implicit val transformerMaxVersion: Transformer[LicenseField.MaxVersion, MaxVersion] = Transformer.derive
+  implicit val transformerMaxNodes:   Transformer[LicenseField.MaxNodes, MaxNodes]     = Transformer.derive
+
+  implicit val transformerPluginLicense: Transformer[LicenseInformation, PluginLicense] = {
+    Transformer
+      .define[LicenseInformation, PluginLicense]
+      .withFieldComputed(_.startDate, _.startDate.value.toJava)
+      .withFieldComputed(_.endDate, _.endDate.value.toJava)
+      .buildTransformer
   }
 }
diff --git a/plugins-common/package-lock.json b/plugins-common/package-lock.json
index 00dcd81fb..fadf82796 100644
--- a/plugins-common/package-lock.json
+++ b/plugins-common/package-lock.json
@@ -6,13 +6,13 @@
     "": {
       "dependencies": {
         "elm-review": "^2.11.2",
-        "gulp-sass": "^5.1.0",
-        "gulp-sourcemaps": "^3.0.0",
-        "sass": "^1.77.1"
+        "gulp-sass": "^6.0.0",
+        "gulp-sourcemaps": "^2.6.5",
+        "sass": "^1.77.6"
       },
       "devDependencies": {
         "better-npm-audit": "^3.7.3",
-        "del": "^7.1.0",
+        "del": "^8.0.0",
         "elm": "^0.19.1-6",
         "gulp": "^5.0.0",
         "gulp-elm": "^0.8.2",
@@ -23,6 +23,32 @@
         "through2": "^4.0.2"
       }
     },
+    "node_modules/@elm_binaries/darwin_arm64": {
+      "version": "0.19.1-0",
+      "resolved": "https://registry.npmjs.org/@elm_binaries/darwin_arm64/-/darwin_arm64-0.19.1-0.tgz",
+      "integrity": "sha512-mjbsH7BNHEAmoE2SCJFcfk5fIHwFIpxtSgnEAqMsVLpBUFoEtAeX+LQ+N0vSFJB3WAh73+QYx/xSluxxLcL6dA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "darwin"
+      ]
+    },
+    "node_modules/@elm_binaries/darwin_x64": {
+      "version": "0.19.1-0",
+      "resolved": "https://registry.npmjs.org/@elm_binaries/darwin_x64/-/darwin_x64-0.19.1-0.tgz",
+      "integrity": "sha512-QGUtrZTPBzaxgi9al6nr+9313wrnUVHuijzUK39UsPS+pa+n6CmWyV/69sHZeX9qy6UfeugE0PzF3qcUiy2GDQ==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "darwin"
+      ]
+    },
     "node_modules/@elm_binaries/linux_x64": {
       "version": "0.19.1-0",
       "resolved": "https://registry.npmjs.org/@elm_binaries/linux_x64/-/linux_x64-0.19.1-0.tgz",
@@ -36,47 +62,79 @@
         "linux"
       ]
     },
+    "node_modules/@elm_binaries/win32_x64": {
+      "version": "0.19.1-0",
+      "resolved": "https://registry.npmjs.org/@elm_binaries/win32_x64/-/win32_x64-0.19.1-0.tgz",
+      "integrity": "sha512-yDleiXqSE9EcqKtd9SkC/4RIW8I71YsXzMPL79ub2bBPHjWTcoyyeBbYjoOB9SxSlArJ74HaoBApzT6hY7Zobg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "optional": true,
+      "os": [
+        "win32"
+      ]
+    },
     "node_modules/@gulp-sourcemaps/identity-map": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/@gulp-sourcemaps/identity-map/-/identity-map-2.0.1.tgz",
-      "integrity": "sha512-Tb+nSISZku+eQ4X1lAkevcQa+jknn/OVUgZ3XCxEKIsLsqYuPoJwJOPQeaOk75X3WPftb29GWY1eqE7GLsXb1Q==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/@gulp-sourcemaps/identity-map/-/identity-map-1.0.2.tgz",
+      "integrity": "sha512-ciiioYMLdo16ShmfHBXJBOFm3xPC4AuwO4xeRpFeHz7WK9PYsWCmigagG2XyzZpubK4a3qNKoUBDhbzHfa50LQ==",
       "dependencies": {
-        "acorn": "^6.4.1",
-        "normalize-path": "^3.0.0",
-        "postcss": "^7.0.16",
+        "acorn": "^5.0.3",
+        "css": "^2.2.1",
+        "normalize-path": "^2.1.1",
         "source-map": "^0.6.0",
-        "through2": "^3.0.1"
+        "through2": "^2.0.3"
       },
       "engines": {
         "node": ">= 0.10"
       }
     },
-    "node_modules/@gulp-sourcemaps/identity-map/node_modules/acorn": {
-      "version": "6.4.2",
-      "resolved": "https://registry.npmjs.org/acorn/-/acorn-6.4.2.tgz",
-      "integrity": "sha512-XtGIhXwF8YM8bJhGxG5kXgjkEuNGLTkoYqVE+KMR+aspr4KGYmKYg7yUe3KghyQ9yheNwLnjmzh/7+gfDBmHCQ==",
-      "bin": {
-        "acorn": "bin/acorn"
+    "node_modules/@gulp-sourcemaps/identity-map/node_modules/normalize-path": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-2.1.1.tgz",
+      "integrity": "sha512-3pKJwH184Xo/lnH6oyP1q2pMd7HcypqqmRs91/6/i2CGtWwIKGCkOOMTm/zXbgTEWHw1uNpNi/igc3ePOYHb6w==",
+      "dependencies": {
+        "remove-trailing-separator": "^1.0.1"
       },
       "engines": {
-        "node": ">=0.4.0"
+        "node": ">=0.10.0"
       }
     },
-    "node_modules/@gulp-sourcemaps/identity-map/node_modules/source-map": {
-      "version": "0.6.1",
-      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-      "engines": {
-        "node": ">=0.10.0"
+    "node_modules/@gulp-sourcemaps/identity-map/node_modules/readable-stream": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz",
+      "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==",
+      "dependencies": {
+        "core-util-is": "~1.0.0",
+        "inherits": "~2.0.3",
+        "isarray": "~1.0.0",
+        "process-nextick-args": "~2.0.0",
+        "safe-buffer": "~5.1.1",
+        "string_decoder": "~1.1.1",
+        "util-deprecate": "~1.0.1"
+      }
+    },
+    "node_modules/@gulp-sourcemaps/identity-map/node_modules/safe-buffer": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
+      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
+    },
+    "node_modules/@gulp-sourcemaps/identity-map/node_modules/string_decoder": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
+      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
+      "dependencies": {
+        "safe-buffer": "~5.1.0"
       }
     },
     "node_modules/@gulp-sourcemaps/identity-map/node_modules/through2": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/through2/-/through2-3.0.2.tgz",
-      "integrity": "sha512-enaDQ4MUyP2W6ZyT6EsMzqBPZaM/avg8iuo+l2d3QCs0J+6RaqkHV/2/lOwDTueBHeJ/2LG9lrLW3d5rWPucuQ==",
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/through2/-/through2-2.0.5.tgz",
+      "integrity": "sha512-/mrRod8xqpA+IHSLyGCQ2s8SPHiCDEeQJSep1jqLYeEUClOFG2Qsh+4FU6G9VeqpZnGW/Su8LQGc4YKni5rYSQ==",
       "dependencies": {
-        "inherits": "^2.0.4",
-        "readable-stream": "2 || 3"
+        "readable-stream": "~2.3.6",
+        "xtend": "~4.0.1"
       }
     },
     "node_modules/@gulp-sourcemaps/map-sources": {
@@ -102,6 +160,33 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/@gulp-sourcemaps/map-sources/node_modules/readable-stream": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz",
+      "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==",
+      "dependencies": {
+        "core-util-is": "~1.0.0",
+        "inherits": "~2.0.3",
+        "isarray": "~1.0.0",
+        "process-nextick-args": "~2.0.0",
+        "safe-buffer": "~5.1.1",
+        "string_decoder": "~1.1.1",
+        "util-deprecate": "~1.0.1"
+      }
+    },
+    "node_modules/@gulp-sourcemaps/map-sources/node_modules/safe-buffer": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
+      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
+    },
+    "node_modules/@gulp-sourcemaps/map-sources/node_modules/string_decoder": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
+      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
+      "dependencies": {
+        "safe-buffer": "~5.1.0"
+      }
+    },
     "node_modules/@gulp-sourcemaps/map-sources/node_modules/through2": {
       "version": "2.0.5",
       "resolved": "https://registry.npmjs.org/through2/-/through2-2.0.5.tgz",
@@ -149,9 +234,9 @@
       }
     },
     "node_modules/@isaacs/cliui/node_modules/ansi-regex": {
-      "version": "6.0.1",
-      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.0.1.tgz",
-      "integrity": "sha512-n5M855fKb2SsfMIiFFoVrABHJC8QtHwVx+mHWP3QcEqBHYienj5dHSgjbxtC0WEZXYt4wcD6zrQElDPhFuZgfA==",
+      "version": "6.1.0",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-6.1.0.tgz",
+      "integrity": "sha512-7HSX4QQb4CspciLpVFwyRe79O3xsIZDDLER21kERQ71oaPodF8jL725AgJMFAYbooIqolJoRLuM81SpeUkpkvA==",
       "engines": {
         "node": ">=12"
       },
@@ -222,57 +307,57 @@
       }
     },
     "node_modules/@jridgewell/gen-mapping": {
-      "version": "0.3.3",
-      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.3.tgz",
-      "integrity": "sha512-HLhSWOLRi875zjjMG/r+Nv0oCW8umGb0BgEhyX3dDX3egwZtB8PqLnjz3yedt8R5StBrzcg4aBpnh8UA9D1BoQ==",
+      "version": "0.3.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/gen-mapping/-/gen-mapping-0.3.5.tgz",
+      "integrity": "sha512-IzL8ZoEDIBRWEzlCcRhOaCupYyN5gdIK+Q6fbFdPDg6HqX6jpkItn7DFIpW9LQzXG6Df9sA7+OKnq0qlz/GaQg==",
       "dev": true,
       "dependencies": {
-        "@jridgewell/set-array": "^1.0.1",
+        "@jridgewell/set-array": "^1.2.1",
         "@jridgewell/sourcemap-codec": "^1.4.10",
-        "@jridgewell/trace-mapping": "^0.3.9"
+        "@jridgewell/trace-mapping": "^0.3.24"
       },
       "engines": {
         "node": ">=6.0.0"
       }
     },
     "node_modules/@jridgewell/resolve-uri": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.1.tgz",
-      "integrity": "sha512-dSYZh7HhCDtCKm4QakX0xFpsRDqjjtZf/kjI/v3T3Nwt5r8/qz/M19F9ySyOqU94SXBmeG9ttTul+YnR4LOxFA==",
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
+      "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
       "dev": true,
       "engines": {
         "node": ">=6.0.0"
       }
     },
     "node_modules/@jridgewell/set-array": {
-      "version": "1.1.2",
-      "resolved": "https://registry.npmjs.org/@jridgewell/set-array/-/set-array-1.1.2.tgz",
-      "integrity": "sha512-xnkseuNADM0gt2bs+BvhO0p78Mk762YnZdsuzFV018NoG1Sj1SCQvpSqa7XUaTam5vAGasABV9qXASMKnFMwMw==",
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/@jridgewell/set-array/-/set-array-1.2.1.tgz",
+      "integrity": "sha512-R8gLRTZeyp03ymzP/6Lil/28tGeGEzhx1q2k703KGWRAI1VdvPIXdG70VJc2pAMw3NA6JKL5hhFu1sJX0Mnn/A==",
       "dev": true,
       "engines": {
         "node": ">=6.0.0"
       }
     },
     "node_modules/@jridgewell/source-map": {
-      "version": "0.3.5",
-      "resolved": "https://registry.npmjs.org/@jridgewell/source-map/-/source-map-0.3.5.tgz",
-      "integrity": "sha512-UTYAUj/wviwdsMfzoSJspJxbkH5o1snzwX0//0ENX1u/55kkZZkcTZP6u9bwKGkv+dkk9at4m1Cpt0uY80kcpQ==",
+      "version": "0.3.6",
+      "resolved": "https://registry.npmjs.org/@jridgewell/source-map/-/source-map-0.3.6.tgz",
+      "integrity": "sha512-1ZJTZebgqllO79ue2bm3rIGud/bOe0pP5BjSRCRxxYkEZS8STV7zN84UBbiYu7jy+eCKSnVIUgoWWE/tt+shMQ==",
       "dev": true,
       "dependencies": {
-        "@jridgewell/gen-mapping": "^0.3.0",
-        "@jridgewell/trace-mapping": "^0.3.9"
+        "@jridgewell/gen-mapping": "^0.3.5",
+        "@jridgewell/trace-mapping": "^0.3.25"
       }
     },
     "node_modules/@jridgewell/sourcemap-codec": {
-      "version": "1.4.15",
-      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.4.15.tgz",
-      "integrity": "sha512-eF2rxCRulEKXHTRiDrDy6erMYWqNw4LPdQ8UQA4huuxaQsVeRPFl2oM8oDGxMFhJUWZf9McpLtJasDDZb/Bpeg==",
+      "version": "1.5.0",
+      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.0.tgz",
+      "integrity": "sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ==",
       "dev": true
     },
     "node_modules/@jridgewell/trace-mapping": {
-      "version": "0.3.20",
-      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.20.tgz",
-      "integrity": "sha512-R8LcPeWZol2zR8mmH3JeKQ6QRCFb7XgUhV9ZlGhHLGyg4wpPiPZNQOOWhFZhxKw8u//yTbNGI42Bx/3paXEQ+Q==",
+      "version": "0.3.25",
+      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.25.tgz",
+      "integrity": "sha512-vNk6aEwybGtawWmy/PzwnGDOjCkLWSD2wqvjGGAgOAwCGWySYXfYoxt00IJkTF+8Lb57DwOb3Aa0o9CApepiYQ==",
       "dev": true,
       "dependencies": {
         "@jridgewell/resolve-uri": "^3.1.0",
@@ -283,7 +368,6 @@
       "version": "2.1.5",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz",
       "integrity": "sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==",
-      "dev": true,
       "dependencies": {
         "@nodelib/fs.stat": "2.0.5",
         "run-parallel": "^1.1.9"
@@ -296,7 +380,6 @@
       "version": "2.0.5",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz",
       "integrity": "sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==",
-      "dev": true,
       "engines": {
         "node": ">= 8"
       }
@@ -305,7 +388,6 @@
       "version": "1.2.8",
       "resolved": "https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz",
       "integrity": "sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==",
-      "dev": true,
       "dependencies": {
         "@nodelib/fs.scandir": "2.1.5",
         "fastq": "^1.6.0"
@@ -314,6 +396,288 @@
         "node": ">= 8"
       }
     },
+    "node_modules/@parcel/watcher": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher/-/watcher-2.5.0.tgz",
+      "integrity": "sha512-i0GV1yJnm2n3Yq1qw6QrUrd/LI9bE8WEBOTtOkpCXHHdyN3TAGgqAK/DAT05z4fq2x04cARXt2pDmjWjL92iTQ==",
+      "hasInstallScript": true,
+      "optional": true,
+      "dependencies": {
+        "detect-libc": "^1.0.3",
+        "is-glob": "^4.0.3",
+        "micromatch": "^4.0.5",
+        "node-addon-api": "^7.0.0"
+      },
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      },
+      "optionalDependencies": {
+        "@parcel/watcher-android-arm64": "2.5.0",
+        "@parcel/watcher-darwin-arm64": "2.5.0",
+        "@parcel/watcher-darwin-x64": "2.5.0",
+        "@parcel/watcher-freebsd-x64": "2.5.0",
+        "@parcel/watcher-linux-arm-glibc": "2.5.0",
+        "@parcel/watcher-linux-arm-musl": "2.5.0",
+        "@parcel/watcher-linux-arm64-glibc": "2.5.0",
+        "@parcel/watcher-linux-arm64-musl": "2.5.0",
+        "@parcel/watcher-linux-x64-glibc": "2.5.0",
+        "@parcel/watcher-linux-x64-musl": "2.5.0",
+        "@parcel/watcher-win32-arm64": "2.5.0",
+        "@parcel/watcher-win32-ia32": "2.5.0",
+        "@parcel/watcher-win32-x64": "2.5.0"
+      }
+    },
+    "node_modules/@parcel/watcher-android-arm64": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-android-arm64/-/watcher-android-arm64-2.5.0.tgz",
+      "integrity": "sha512-qlX4eS28bUcQCdribHkg/herLe+0A9RyYC+mm2PXpncit8z5b3nSqGVzMNR3CmtAOgRutiZ02eIJJgP/b1iEFQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-darwin-arm64": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-arm64/-/watcher-darwin-arm64-2.5.0.tgz",
+      "integrity": "sha512-hyZ3TANnzGfLpRA2s/4U1kbw2ZI4qGxaRJbBH2DCSREFfubMswheh8TeiC1sGZ3z2jUf3s37P0BBlrD3sjVTUw==",
+      "cpu": [
+        "arm64"
+      ],
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-darwin-x64": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-darwin-x64/-/watcher-darwin-x64-2.5.0.tgz",
+      "integrity": "sha512-9rhlwd78saKf18fT869/poydQK8YqlU26TMiNg7AIu7eBp9adqbJZqmdFOsbZ5cnLp5XvRo9wcFmNHgHdWaGYA==",
+      "cpu": [
+        "x64"
+      ],
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-freebsd-x64": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-freebsd-x64/-/watcher-freebsd-x64-2.5.0.tgz",
+      "integrity": "sha512-syvfhZzyM8kErg3VF0xpV8dixJ+RzbUaaGaeb7uDuz0D3FK97/mZ5AJQ3XNnDsXX7KkFNtyQyFrXZzQIcN49Tw==",
+      "cpu": [
+        "x64"
+      ],
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-linux-arm-glibc": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-glibc/-/watcher-linux-arm-glibc-2.5.0.tgz",
+      "integrity": "sha512-0VQY1K35DQET3dVYWpOaPFecqOT9dbuCfzjxoQyif1Wc574t3kOSkKevULddcR9znz1TcklCE7Ht6NIxjvTqLA==",
+      "cpu": [
+        "arm"
+      ],
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-linux-arm-musl": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm-musl/-/watcher-linux-arm-musl-2.5.0.tgz",
+      "integrity": "sha512-6uHywSIzz8+vi2lAzFeltnYbdHsDm3iIB57d4g5oaB9vKwjb6N6dRIgZMujw4nm5r6v9/BQH0noq6DzHrqr2pA==",
+      "cpu": [
+        "arm"
+      ],
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-linux-arm64-glibc": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-glibc/-/watcher-linux-arm64-glibc-2.5.0.tgz",
+      "integrity": "sha512-BfNjXwZKxBy4WibDb/LDCriWSKLz+jJRL3cM/DllnHH5QUyoiUNEp3GmL80ZqxeumoADfCCP19+qiYiC8gUBjA==",
+      "cpu": [
+        "arm64"
+      ],
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-linux-arm64-musl": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-arm64-musl/-/watcher-linux-arm64-musl-2.5.0.tgz",
+      "integrity": "sha512-S1qARKOphxfiBEkwLUbHjCY9BWPdWnW9j7f7Hb2jPplu8UZ3nes7zpPOW9bkLbHRvWM0WDTsjdOTUgW0xLBN1Q==",
+      "cpu": [
+        "arm64"
+      ],
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-linux-x64-glibc": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-glibc/-/watcher-linux-x64-glibc-2.5.0.tgz",
+      "integrity": "sha512-d9AOkusyXARkFD66S6zlGXyzx5RvY+chTP9Jp0ypSTC9d4lzyRs9ovGf/80VCxjKddcUvnsGwCHWuF2EoPgWjw==",
+      "cpu": [
+        "x64"
+      ],
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-linux-x64-musl": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-linux-x64-musl/-/watcher-linux-x64-musl-2.5.0.tgz",
+      "integrity": "sha512-iqOC+GoTDoFyk/VYSFHwjHhYrk8bljW6zOhPuhi5t9ulqiYq1togGJB5e3PwYVFFfeVgc6pbz3JdQyDoBszVaA==",
+      "cpu": [
+        "x64"
+      ],
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-win32-arm64": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-arm64/-/watcher-win32-arm64-2.5.0.tgz",
+      "integrity": "sha512-twtft1d+JRNkM5YbmexfcH/N4znDtjgysFaV9zvZmmJezQsKpkfLYJ+JFV3uygugK6AtIM2oADPkB2AdhBrNig==",
+      "cpu": [
+        "arm64"
+      ],
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-win32-ia32": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-ia32/-/watcher-win32-ia32-2.5.0.tgz",
+      "integrity": "sha512-+rgpsNRKwo8A53elqbbHXdOMtY/tAtTzManTWShB5Kk54N8Q9mzNWV7tV+IbGueCbcj826MfWGU3mprWtuf1TA==",
+      "cpu": [
+        "ia32"
+      ],
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/@parcel/watcher-win32-x64": {
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/@parcel/watcher-win32-x64/-/watcher-win32-x64-2.5.0.tgz",
+      "integrity": "sha512-lPrxve92zEHdgeff3aiu4gDOIt4u7sJYha6wbdEZDCDUhtjTsOMiaJzG5lMY4GkWH8p0fMmO2Ppq5G5XXG+DQw==",
+      "cpu": [
+        "x64"
+      ],
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 10.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
     "node_modules/@pkgjs/parseargs": {
       "version": "0.11.0",
       "resolved": "https://registry.npmjs.org/@pkgjs/parseargs/-/parseargs-0.11.0.tgz",
@@ -334,6 +698,18 @@
         "url": "https://github.com/sindresorhus/is?sponsor=1"
       }
     },
+    "node_modules/@sindresorhus/merge-streams": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/@sindresorhus/merge-streams/-/merge-streams-2.3.0.tgz",
+      "integrity": "sha512-LtoMMhxAlorcGhmFYI+LhPgbPZCkgP6ra1YL604EeF6U98pLlQ3iWIGMdWSC+vWmPBWBNgmDBAhnAobLROJmwg==",
+      "dev": true,
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/@szmarczak/http-timer": {
       "version": "4.0.6",
       "resolved": "https://registry.npmjs.org/@szmarczak/http-timer/-/http-timer-4.0.6.tgz",
@@ -370,11 +746,11 @@
       }
     },
     "node_modules/@types/node": {
-      "version": "20.12.12",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-20.12.12.tgz",
-      "integrity": "sha512-eWLDGF/FOSPtAvEqeRAQ4C8LSA7M1I7i0ky1I8U7kD1J5ITyW3AsRhQrKVoWf5pFKZ2kILsEGJhsI9r93PYnOw==",
+      "version": "22.10.1",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-22.10.1.tgz",
+      "integrity": "sha512-qKgsUwfHZV2WCWLAnVP1JqnpE6Im6h3Y0+fYgMTasNQ7V++CBX5OT1as0g0f+OyubbFqhf6XVNIsmN4IIhEgGQ==",
       "dependencies": {
-        "undici-types": "~5.26.4"
+        "undici-types": "~6.20.0"
       }
     },
     "node_modules/@types/responselike": {
@@ -383,46 +759,29 @@
       "integrity": "sha512-H/+L+UkTV33uf49PH5pCAUBVPNj2nDBXTN+qS1dOwyyg24l3CcicicCA7ca+HMvJBZcFgl5r8e+RR6elsb4Lyw==",
       "dependencies": {
         "@types/node": "*"
-      }
-    },
-    "node_modules/acorn": {
-      "version": "8.11.2",
-      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.11.2.tgz",
-      "integrity": "sha512-nc0Axzp/0FILLEVsm4fNwLCwMttvhEI263QtVPQcbpfZZ3ts0hLsZGOpE6czNlid7CJ9MlyH8reXkpsf3YUY4w==",
-      "dev": true,
-      "bin": {
-        "acorn": "bin/acorn"
-      },
-      "engines": {
-        "node": ">=0.4.0"
-      }
-    },
-    "node_modules/aggregate-error": {
-      "version": "4.0.1",
-      "resolved": "https://registry.npmjs.org/aggregate-error/-/aggregate-error-4.0.1.tgz",
-      "integrity": "sha512-0poP0T7el6Vq3rstR8Mn4V/IQrpBLO6POkUSrN7RhyY+GF/InCFShQzsQ39T25gkHhLgSLByyAz+Kjb+c2L98w==",
-      "dev": true,
-      "dependencies": {
-        "clean-stack": "^4.0.0",
-        "indent-string": "^5.0.0"
+      }
+    },
+    "node_modules/acorn": {
+      "version": "5.7.4",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-5.7.4.tgz",
+      "integrity": "sha512-1D++VG7BhrtvQpNbBzovKNc1FLGGEE/oGe7b9xJm/RFHMBeUaUGpluV9RLjZa47YFdPcDAenEYuq9pQPcMdLJg==",
+      "bin": {
+        "acorn": "bin/acorn"
       },
       "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
+        "node": ">=0.4.0"
       }
     },
     "node_modules/ajv": {
-      "version": "8.12.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.12.0.tgz",
-      "integrity": "sha512-sRu1kpcO9yLtYxBKvqfTeh9KzZEwO3STyX1HT+4CaDzC6HpTGYhIhPIzj9XuKU7KYDwnaeh5hcOwjy1QuJzBPA==",
+      "version": "8.17.1",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz",
+      "integrity": "sha512-B/gBuNg5SiMTrPkC+A2+cW0RszwxYmn6VYxB/inlBStS5nx6xHIt/ehKRhIMhqusl7a8LjQoZnjCs5vhwxOQ1g==",
       "dev": true,
       "dependencies": {
-        "fast-deep-equal": "^3.1.1",
+        "fast-deep-equal": "^3.1.3",
+        "fast-uri": "^3.0.1",
         "json-schema-traverse": "^1.0.0",
-        "require-from-string": "^2.0.2",
-        "uri-js": "^4.2.2"
+        "require-from-string": "^2.0.2"
       },
       "funding": {
         "type": "github",
@@ -430,14 +789,12 @@
       }
     },
     "node_modules/ansi-colors": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-1.1.0.tgz",
-      "integrity": "sha512-SFKX67auSNoVR38N3L+nvsPjOE0bybKTYbkf5tRvushrAPQ9V75huw0ZxBkKVeRU9kqH3d6HA4xTckbwZ4ixmA==",
-      "dependencies": {
-        "ansi-wrap": "^0.1.0"
-      },
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-3.2.4.tgz",
+      "integrity": "sha512-hHUXGagefjN2iRrID63xckIvotOXOojhQKWIPUZ4mNUZ9nLZW+7FMNoE1lOkEhNWYsx/7ysGIuJYCiMAA9FnrA==",
+      "dev": true,
       "engines": {
-        "node": ">=0.10.0"
+        "node": ">=6"
       }
     },
     "node_modules/ansi-escapes": {
@@ -604,6 +961,12 @@
         "node": ">= 4.5.0"
       }
     },
+    "node_modules/b4a": {
+      "version": "1.6.7",
+      "resolved": "https://registry.npmjs.org/b4a/-/b4a-1.6.7.tgz",
+      "integrity": "sha512-OnAYlL5b7LEkALw87fUVafQw5rVR9RjwGd4KUwNQ6DrrNmaVaUCgLipfVlzrPQ4tWOR9P0IXGNOx50jYCCdSJg==",
+      "dev": true
+    },
     "node_modules/bach": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/bach/-/bach-2.0.1.tgz",
@@ -624,9 +987,9 @@
       "integrity": "sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw=="
     },
     "node_modules/bare-events": {
-      "version": "2.2.2",
-      "resolved": "https://registry.npmjs.org/bare-events/-/bare-events-2.2.2.tgz",
-      "integrity": "sha512-h7z00dWdG0PYOQEvChhOSWvOfkIKsdZGkWr083FgN/HyoQuebSew/cgirYqh9SCuy/hRvxc5Vy6Fw8xAmYHLkQ==",
+      "version": "2.5.0",
+      "resolved": "https://registry.npmjs.org/bare-events/-/bare-events-2.5.0.tgz",
+      "integrity": "sha512-/E8dDe9dsbLyh2qrZ64PEPadOQ0F4gbl1sUJOrmph7xOiIxfY8vwab/4bFLh4Y88/Hk/ujKcrQKc+ps0mv873A==",
       "dev": true,
       "optional": true
     },
@@ -650,14 +1013,15 @@
       ]
     },
     "node_modules/better-npm-audit": {
-      "version": "3.7.3",
-      "resolved": "https://registry.npmjs.org/better-npm-audit/-/better-npm-audit-3.7.3.tgz",
-      "integrity": "sha512-zsSiidlP5n7KpCYdAmkellu4JYA4IoRUUwrBMv/R7TwT8vcRfk5CQ2zTg7yUy4bdWkKtAj7VVdPQttdMbx+n5Q==",
+      "version": "3.11.0",
+      "resolved": "https://registry.npmjs.org/better-npm-audit/-/better-npm-audit-3.11.0.tgz",
+      "integrity": "sha512-/Pt05DK6HQaRjWDc5McsCkJBZYfhgQGneKnxzPJExtRq38NttO1Hm30m0GVQeZogE94LVNBVrhWwVsoCo+at3g==",
       "dev": true,
       "dependencies": {
         "commander": "^8.0.0",
         "dayjs": "^1.10.6",
         "lodash.get": "^4.4.2",
+        "semver": "^7.6.3",
         "table": "^6.7.1"
       },
       "bin": {
@@ -679,30 +1043,15 @@
       }
     },
     "node_modules/bl": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/bl/-/bl-5.1.0.tgz",
-      "integrity": "sha512-tv1ZJHLfTDnXE6tMHv73YgSJaWR2AFuPwMntBe7XL/GBFHnT0CLnsHMogfk5+GzCDC5ZWarSCYaIGATZt9dNsQ==",
-      "dev": true,
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz",
+      "integrity": "sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==",
       "dependencies": {
-        "buffer": "^6.0.3",
+        "buffer": "^5.5.0",
         "inherits": "^2.0.4",
         "readable-stream": "^3.4.0"
       }
     },
-    "node_modules/bl/node_modules/readable-stream": {
-      "version": "3.6.2",
-      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz",
-      "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==",
-      "dev": true,
-      "dependencies": {
-        "inherits": "^2.0.3",
-        "string_decoder": "^1.1.1",
-        "util-deprecate": "^1.0.1"
-      },
-      "engines": {
-        "node": ">= 6"
-      }
-    },
     "node_modules/brace-expansion": {
       "version": "1.1.11",
       "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.11.tgz",
@@ -713,21 +1062,20 @@
       }
     },
     "node_modules/braces": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
-      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
       "dependencies": {
-        "fill-range": "^7.0.1"
+        "fill-range": "^7.1.1"
       },
       "engines": {
         "node": ">=8"
       }
     },
     "node_modules/buffer": {
-      "version": "6.0.3",
-      "resolved": "https://registry.npmjs.org/buffer/-/buffer-6.0.3.tgz",
-      "integrity": "sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA==",
-      "dev": true,
+      "version": "5.7.1",
+      "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz",
+      "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==",
       "funding": [
         {
           "type": "github",
@@ -744,7 +1092,7 @@
       ],
       "dependencies": {
         "base64-js": "^1.3.1",
-        "ieee754": "^1.2.1"
+        "ieee754": "^1.1.13"
       }
     },
     "node_modules/buffer-from": {
@@ -816,21 +1164,6 @@
         "fsevents": "~2.3.2"
       }
     },
-    "node_modules/clean-stack": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/clean-stack/-/clean-stack-4.2.0.tgz",
-      "integrity": "sha512-LYv6XPxoyODi36Dp976riBtSY27VmFo+MKqEU9QCCWyTrdEPDog+RWA7xQWHi6Vbp61j5c4cdzzX1NidnwtUWg==",
-      "dev": true,
-      "dependencies": {
-        "escape-string-regexp": "5.0.0"
-      },
-      "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
-    },
     "node_modules/cli-cursor": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/cli-cursor/-/cli-cursor-3.1.0.tgz",
@@ -910,6 +1243,36 @@
         "readable-stream": "^2.3.5"
       }
     },
+    "node_modules/cloneable-readable/node_modules/readable-stream": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz",
+      "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==",
+      "dev": true,
+      "dependencies": {
+        "core-util-is": "~1.0.0",
+        "inherits": "~2.0.3",
+        "isarray": "~1.0.0",
+        "process-nextick-args": "~2.0.0",
+        "safe-buffer": "~5.1.1",
+        "string_decoder": "~1.1.1",
+        "util-deprecate": "~1.0.1"
+      }
+    },
+    "node_modules/cloneable-readable/node_modules/safe-buffer": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
+      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==",
+      "dev": true
+    },
+    "node_modules/cloneable-readable/node_modules/string_decoder": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
+      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
+      "dev": true,
+      "dependencies": {
+        "safe-buffer": "~5.1.0"
+      }
+    },
     "node_modules/color-convert": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
@@ -973,70 +1336,53 @@
       "integrity": "sha512-ZQBvi1DcpJ4GDqanjucZ2Hj3wEO5pZDS89BWbkcrvdxksJorwUDDZamX9ldFkp9aw2lmBDLgkObEA4DWNJ9FYQ=="
     },
     "node_modules/cross-spawn": {
-      "version": "6.0.5",
-      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.5.tgz",
-      "integrity": "sha512-eTVLrBSt7fjbDygz805pMnstIs2VTBNkRm0qxZd+M7A5XDdxVRWO5MxGBXZhjY4cqLYLdtrGqRf8mBPmzwSpWQ==",
-      "dev": true,
+      "version": "7.0.6",
+      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
+      "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
       "dependencies": {
-        "nice-try": "^1.0.4",
-        "path-key": "^2.0.1",
-        "semver": "^5.5.0",
-        "shebang-command": "^1.2.0",
-        "which": "^1.2.9"
+        "path-key": "^3.1.0",
+        "shebang-command": "^2.0.0",
+        "which": "^2.0.1"
       },
       "engines": {
-        "node": ">=4.8"
+        "node": ">= 8"
       }
     },
     "node_modules/css": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/css/-/css-3.0.0.tgz",
-      "integrity": "sha512-DG9pFfwOrzc+hawpmqX/dHYHJG+Bsdb0klhyi1sDneOgGOXy9wQIC8hzyVp1e4NRYDBdxcylvywPkkXCHAzTyQ==",
+      "version": "2.2.4",
+      "resolved": "https://registry.npmjs.org/css/-/css-2.2.4.tgz",
+      "integrity": "sha512-oUnjmWpy0niI3x/mPL8dVEI1l7MnG3+HHyRPHf+YFSbK+svOhXpmSOcDURUh2aOCgl2grzrOPt1nHLuCVFULLw==",
       "dependencies": {
-        "inherits": "^2.0.4",
+        "inherits": "^2.0.3",
         "source-map": "^0.6.1",
-        "source-map-resolve": "^0.6.0"
-      }
-    },
-    "node_modules/css/node_modules/source-map": {
-      "version": "0.6.1",
-      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/css/node_modules/source-map-resolve": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/source-map-resolve/-/source-map-resolve-0.6.0.tgz",
-      "integrity": "sha512-KXBr9d/fO/bWo97NXsPIAW1bFSBOuCnjbNTBMO7N59hsv5i9yzRDfcYwwt0l04+VqnKC+EwzvJZIP/qkuMgR/w==",
-      "deprecated": "See https://github.com/lydell/source-map-resolve#deprecated",
-      "dependencies": {
-        "atob": "^2.1.2",
-        "decode-uri-component": "^0.2.0"
+        "source-map-resolve": "^0.5.2",
+        "urix": "^0.1.0"
       }
     },
     "node_modules/d": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/d/-/d-1.0.1.tgz",
-      "integrity": "sha512-m62ShEObQ39CfralilEQRjH6oAMtNCV1xJyEx5LpRYUVN+EviphDgUc/F3hnYbADmkiNs67Y+3ylmlG7Lnu+FA==",
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/d/-/d-1.0.2.tgz",
+      "integrity": "sha512-MOqHvMWF9/9MX6nza0KgvFH4HpMU0EF5uUDXqX/BtxtU8NfB0QzRtJ8Oe/6SuS4kbhyzVJwjd97EA4PKrzJ8bw==",
       "dependencies": {
-        "es5-ext": "^0.10.50",
-        "type": "^1.0.1"
+        "es5-ext": "^0.10.64",
+        "type": "^2.7.2"
+      },
+      "engines": {
+        "node": ">=0.12"
       }
     },
     "node_modules/dayjs": {
-      "version": "1.11.10",
-      "resolved": "https://registry.npmjs.org/dayjs/-/dayjs-1.11.10.tgz",
-      "integrity": "sha512-vjAczensTgRcqDERK0SR2XMwsF/tSvnvlv6VcF2GIhg6Sx4yOIt/irsr1RDJsKiIyBzJDpCoXiWWq28MqH2cnQ==",
+      "version": "1.11.13",
+      "resolved": "https://registry.npmjs.org/dayjs/-/dayjs-1.11.13.tgz",
+      "integrity": "sha512-oaMBel6gjolK862uaPQOVTA7q3TZhuSvuMQAAglQDOWYO9A91IrAOUJEyKVlqJlHE0vq5p5UXxzdPfMH/x6xNg==",
       "dev": true
     },
     "node_modules/debug": {
-      "version": "4.3.4",
-      "resolved": "https://registry.npmjs.org/debug/-/debug-4.3.4.tgz",
-      "integrity": "sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==",
+      "version": "4.4.0",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.0.tgz",
+      "integrity": "sha512-6WTZ/IxCY/T6BALoZHaE4ctp9xm+Z5kY/pzYaCHRFeyVhojxlrm+46y68HA6hr0TcwEssoxNiDEUJQjfPZ/RYA==",
       "dependencies": {
-        "ms": "2.1.2"
+        "ms": "^2.1.3"
       },
       "engines": {
         "node": ">=6.0"
@@ -1065,11 +1411,6 @@
         "ms": "^2.1.1"
       }
     },
-    "node_modules/debug-fabulous/node_modules/ms": {
-      "version": "2.1.3",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
-      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="
-    },
     "node_modules/decode-uri-component": {
       "version": "0.2.2",
       "resolved": "https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.2.tgz",
@@ -1131,22 +1472,20 @@
       }
     },
     "node_modules/del": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/del/-/del-7.1.0.tgz",
-      "integrity": "sha512-v2KyNk7efxhlyHpjEvfyxaAihKKK0nWCuf6ZtqZcFFpQRG0bJ12Qsr0RpvsICMjAAZ8DOVCxrlqpxISlMHC4Kg==",
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/del/-/del-8.0.0.tgz",
+      "integrity": "sha512-R6ep6JJ+eOBZsBr9esiNN1gxFbZE4Q2cULkUSFumGYecAiS6qodDvcPx/sFuWHMNul7DWmrtoEOpYSm7o6tbSA==",
       "dev": true,
       "dependencies": {
-        "globby": "^13.1.2",
-        "graceful-fs": "^4.2.10",
+        "globby": "^14.0.2",
         "is-glob": "^4.0.3",
         "is-path-cwd": "^3.0.0",
         "is-path-inside": "^4.0.0",
-        "p-map": "^5.5.0",
-        "rimraf": "^3.0.2",
-        "slash": "^4.0.0"
+        "p-map": "^7.0.2",
+        "slash": "^5.1.0"
       },
       "engines": {
-        "node": ">=14.16"
+        "node": ">=18"
       },
       "funding": {
         "url": "https://github.com/sponsors/sindresorhus"
@@ -1161,6 +1500,18 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/detect-libc": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-1.0.3.tgz",
+      "integrity": "sha512-pGjwhsmsp4kL2RTz08wcOlGN83otlqHeD/Z5T8GXZB+/YcpQ/dgo+lbU8ZsGxV0HIvqqxo9l7mqYwyYMD9bKDg==",
+      "optional": true,
+      "bin": {
+        "detect-libc": "bin/detect-libc.js"
+      },
+      "engines": {
+        "node": ">=0.10"
+      }
+    },
     "node_modules/detect-newline": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/detect-newline/-/detect-newline-2.1.0.tgz",
@@ -1173,7 +1524,6 @@
       "version": "3.0.1",
       "resolved": "https://registry.npmjs.org/dir-glob/-/dir-glob-3.0.1.tgz",
       "integrity": "sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==",
-      "dev": true,
       "dependencies": {
         "path-type": "^4.0.0"
       },
@@ -1181,6 +1531,14 @@
         "node": ">=8"
       }
     },
+    "node_modules/dir-glob/node_modules/path-type": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/path-type/-/path-type-4.0.0.tgz",
+      "integrity": "sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==",
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/each-props": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/each-props/-/each-props-3.0.0.tgz",
@@ -1219,9 +1577,9 @@
       }
     },
     "node_modules/elm-review": {
-      "version": "2.11.2",
-      "resolved": "https://registry.npmjs.org/elm-review/-/elm-review-2.11.2.tgz",
-      "integrity": "sha512-FhZ/m59C9CPWgn34/yvGUoCsSmXDnFFR2GfmuFbcnRwcn2aybsOUav5ET2lXs+4V1zZMRTG6In8cCUooAhwHVg==",
+      "version": "2.12.0",
+      "resolved": "https://registry.npmjs.org/elm-review/-/elm-review-2.12.0.tgz",
+      "integrity": "sha512-so+G1hvCV85A63sQQzEhCNFNYyQVWDexXrz0TNEYg3/IIGHzN1bcRN+W4KJSvvFcmfEImzMSJ9AN20bvemU+4Q==",
       "dependencies": {
         "chalk": "^4.0.0",
         "chokidar": "^3.5.2",
@@ -1231,7 +1589,8 @@
         "find-up": "^4.1.0",
         "folder-hash": "^3.3.0",
         "fs-extra": "^9.0.0",
-        "glob": "^7.1.4",
+        "glob": "^10.2.6",
+        "globby": "^13.2.2",
         "got": "^11.8.5",
         "graceful-fs": "^4.2.11",
         "minimist": "^1.2.6",
@@ -1254,118 +1613,33 @@
         "url": "https://github.com/sponsors/jfmengels"
       }
     },
-    "node_modules/elm-review/node_modules/brace-expansion": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
-      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
-      "dependencies": {
-        "balanced-match": "^1.0.0"
-      }
-    },
-    "node_modules/elm-review/node_modules/cross-spawn": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz",
-      "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==",
-      "dependencies": {
-        "path-key": "^3.1.0",
-        "shebang-command": "^2.0.0",
-        "which": "^2.0.1"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/elm-review/node_modules/minimatch": {
-      "version": "9.0.4",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.4.tgz",
-      "integrity": "sha512-KqWh+VchfxcMNRAJjj2tnsSJdNbHsVgnkBhTNrW7AjVo6OvLtxw8zfT9oLw1JSohlFzJ8jCoTgaoXvJ+kHt6fw==",
-      "dependencies": {
-        "brace-expansion": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/elm-review/node_modules/path-key": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
-      "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/elm-review/node_modules/rimraf": {
-      "version": "5.0.7",
-      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-5.0.7.tgz",
-      "integrity": "sha512-nV6YcJo5wbLW77m+8KjH8aB/7/rxQy9SZ0HY5shnwULfS+9nmTtVXAJET5NdZmCzA4fPI/Hm1wo/Po/4mopOdg==",
+    "node_modules/elm-review/node_modules/globby": {
+      "version": "13.2.2",
+      "resolved": "https://registry.npmjs.org/globby/-/globby-13.2.2.tgz",
+      "integrity": "sha512-Y1zNGV+pzQdh7H39l9zgB4PJqjRNqydvdYCDG4HFXM4XuvSaQQlEc91IU1yALL8gUTDomgBAfz3XJdmUS+oo0w==",
       "dependencies": {
-        "glob": "^10.3.7"
-      },
-      "bin": {
-        "rimraf": "dist/esm/bin.mjs"
+        "dir-glob": "^3.0.1",
+        "fast-glob": "^3.3.0",
+        "ignore": "^5.2.4",
+        "merge2": "^1.4.1",
+        "slash": "^4.0.0"
       },
       "engines": {
-        "node": ">=14.18"
+        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
       },
       "funding": {
-        "url": "https://github.com/sponsors/isaacs"
+        "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/elm-review/node_modules/rimraf/node_modules/glob": {
-      "version": "10.3.16",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-10.3.16.tgz",
-      "integrity": "sha512-JDKXl1DiuuHJ6fVS2FXjownaavciiHNUU4mOvV/B793RLh05vZL1rcPnCSaOgv1hDT6RDlY7AB7ZUvFYAtPgAw==",
-      "dependencies": {
-        "foreground-child": "^3.1.0",
-        "jackspeak": "^3.1.2",
-        "minimatch": "^9.0.1",
-        "minipass": "^7.0.4",
-        "path-scurry": "^1.11.0"
-      },
-      "bin": {
-        "glob": "dist/esm/bin.mjs"
-      },
+    "node_modules/elm-review/node_modules/slash": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/slash/-/slash-4.0.0.tgz",
+      "integrity": "sha512-3dOsAHXXUkQTpOYcoAxLIorMTp4gIQr5IW3iVb7A7lFIp0VHhnynm9izx6TssdrIcVIESAlVjtnO2K8bg+Coew==",
       "engines": {
-        "node": ">=16 || 14 >=14.18"
+        "node": ">=12"
       },
       "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/elm-review/node_modules/shebang-command": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
-      "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
-      "dependencies": {
-        "shebang-regex": "^3.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/elm-review/node_modules/shebang-regex": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz",
-      "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/elm-review/node_modules/which": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
-      "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
-      "dependencies": {
-        "isexe": "^2.0.0"
-      },
-      "bin": {
-        "node-which": "bin/node-which"
-      },
-      "engines": {
-        "node": ">= 8"
+        "url": "https://github.com/sponsors/sindresorhus"
       }
     },
     "node_modules/elm-solve-deps-wasm": {
@@ -1412,12 +1686,15 @@
       }
     },
     "node_modules/es6-symbol": {
-      "version": "3.1.3",
-      "resolved": "https://registry.npmjs.org/es6-symbol/-/es6-symbol-3.1.3.tgz",
-      "integrity": "sha512-NJ6Yn3FuDinBaBRWl/q5X/s4koRHBrgKAu+yGI6JCBeiu3qrcbJhwT2GeR/EXVfylRk8dpQVJoLEFhK+Mu31NA==",
+      "version": "3.1.4",
+      "resolved": "https://registry.npmjs.org/es6-symbol/-/es6-symbol-3.1.4.tgz",
+      "integrity": "sha512-U9bFFjX8tFiATgtkJ1zg25+KviIXpgRvRHS8sau3GfhVzThRQrOeksPeT0BWW2MNZs1OEWJ1DPXOQMn0KKRkvg==",
       "dependencies": {
-        "d": "^1.0.1",
-        "ext": "^1.1.2"
+        "d": "^1.0.2",
+        "ext": "^1.7.0"
+      },
+      "engines": {
+        "node": ">=0.12"
       }
     },
     "node_modules/es6-weak-map": {
@@ -1431,25 +1708,13 @@
         "es6-symbol": "^3.1.1"
       }
     },
-    "node_modules/escalade": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.1.2.tgz",
-      "integrity": "sha512-ErCHMCae19vR8vQGe50xIsVomy19rg6gFu3+r3jkEO46suLMWBksvVyoGgQV+jOfl84ZSOSlmv6Gxa89PmTGmA==",
-      "dev": true,
-      "engines": {
-        "node": ">=6"
-      }
-    },
-    "node_modules/escape-string-regexp": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-5.0.0.tgz",
-      "integrity": "sha512-/veY75JbMK4j1yjvuUxuVsiS/hr/4iHs9FTT6cgTexxdE0Ly/glccBAkloH/DofkjRbZU3bnoj38mOmhkZ0lHw==",
+    "node_modules/escalade": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz",
+      "integrity": "sha512-WUj2qlxaQtO4g6Pq5c29GTcWGDyd8itL8zTlipgECz3JesAiiOKotd8JU6otB3PACgG6xkJUyVhboMS+bje/jA==",
       "dev": true,
       "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
+        "node": ">=6"
       }
     },
     "node_modules/esniff": {
@@ -1466,11 +1731,6 @@
         "node": ">=0.10"
       }
     },
-    "node_modules/esniff/node_modules/type": {
-      "version": "2.7.2",
-      "resolved": "https://registry.npmjs.org/type/-/type-2.7.2.tgz",
-      "integrity": "sha512-dzlvlNlt6AXU7EBSfpAscydQ7gXB+pPGsPnfJnZpiNJBDj7IaJzQlBZYGdEi4R9HmPdBv2XmWJ6YUtoTa7lmCw=="
-    },
     "node_modules/event-emitter": {
       "version": "0.3.5",
       "resolved": "https://registry.npmjs.org/event-emitter/-/event-emitter-0.3.5.tgz",
@@ -1500,17 +1760,24 @@
         "type": "^2.7.2"
       }
     },
-    "node_modules/ext/node_modules/type": {
-      "version": "2.7.2",
-      "resolved": "https://registry.npmjs.org/type/-/type-2.7.2.tgz",
-      "integrity": "sha512-dzlvlNlt6AXU7EBSfpAscydQ7gXB+pPGsPnfJnZpiNJBDj7IaJzQlBZYGdEi4R9HmPdBv2XmWJ6YUtoTa7lmCw=="
-    },
     "node_modules/extend": {
       "version": "3.0.2",
       "resolved": "https://registry.npmjs.org/extend/-/extend-3.0.2.tgz",
       "integrity": "sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==",
       "dev": true
     },
+    "node_modules/extend-shallow": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-3.0.2.tgz",
+      "integrity": "sha512-BwY5b5Ql4+qZoefgMj2NUmx+tehVTH/Kf4k1ZEtOHNFcm2wSxMRo992l6X3TIgni2eZVTZ85xMOjF31fwZAj6Q==",
+      "dependencies": {
+        "assign-symbols": "^1.0.0",
+        "is-extendable": "^1.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/fancy-log": {
       "version": "1.3.3",
       "resolved": "https://registry.npmjs.org/fancy-log/-/fancy-log-1.3.3.tgz",
@@ -1542,7 +1809,6 @@
       "version": "3.3.2",
       "resolved": "https://registry.npmjs.org/fast-glob/-/fast-glob-3.3.2.tgz",
       "integrity": "sha512-oX2ruAFQwf/Orj8m737Y5adxDQO0LAB7/S5MnxCdTNDd4p6BsyIVsv9JQsATbTSq8KHRpLwIHbVlUNatxd+1Ow==",
-      "dev": true,
       "dependencies": {
         "@nodelib/fs.stat": "^2.0.2",
         "@nodelib/fs.walk": "^1.2.3",
@@ -1563,6 +1829,12 @@
         "fastest-levenshtein": "^1.0.7"
       }
     },
+    "node_modules/fast-uri": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.0.3.tgz",
+      "integrity": "sha512-aLrHthzCjH5He4Z2H9YZ+v6Ujb9ocRuW6ZzkJQOrTxleEijANq4v1TsaPaVG1PZcuurEzrLcWRyYBYXD5cEiaw==",
+      "dev": true
+    },
     "node_modules/fastest-levenshtein": {
       "version": "1.0.16",
       "resolved": "https://registry.npmjs.org/fastest-levenshtein/-/fastest-levenshtein-1.0.16.tgz",
@@ -1575,15 +1847,14 @@
       "version": "1.17.1",
       "resolved": "https://registry.npmjs.org/fastq/-/fastq-1.17.1.tgz",
       "integrity": "sha512-sRVD3lWVIXWg6By68ZN7vho9a1pQcN/WBFaAAsDDFzlJjvoGx0P8z7V1t72grFJfJhu3YPZBuu25f7Kaw2jN1w==",
-      "dev": true,
       "dependencies": {
         "reusify": "^1.0.4"
       }
     },
     "node_modules/fill-range": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
-      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+      "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
       "dependencies": {
         "to-regex-range": "^5.0.1"
       },
@@ -1659,17 +1930,6 @@
         "node": ">=6.0.0"
       }
     },
-    "node_modules/folder-hash/node_modules/minimatch": {
-      "version": "3.0.8",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.8.tgz",
-      "integrity": "sha512-6FsRAQsxQ61mw+qP1ZzbL9Bc78x2p5OqNgNpnoAFLTrX8n5Kxph0CsnhmKKNXTWjXqU5L0pGPR7hYk+XWZr60Q==",
-      "dependencies": {
-        "brace-expansion": "^1.1.7"
-      },
-      "engines": {
-        "node": "*"
-      }
-    },
     "node_modules/for-in": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/for-in/-/for-in-1.0.2.tgz",
@@ -1692,9 +1952,9 @@
       }
     },
     "node_modules/foreground-child": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.1.1.tgz",
-      "integrity": "sha512-TMKDUnIte6bfb5nWv7V/caI169OHgvwjb7V4WkeUvbQQdjr5rWKqHFiKWb/fcOwB+CzBT+qbWjvj+DVwRskpIg==",
+      "version": "3.3.0",
+      "resolved": "https://registry.npmjs.org/foreground-child/-/foreground-child-3.3.0.tgz",
+      "integrity": "sha512-Ld2g8rrAyMYFXBhEqMz8ZAHBi4J4uS1i/CxGMDnjyFWddMXLVcDp051DZfu+t7+ab7Wv6SMqpWmyFIj5UbfFvg==",
       "dependencies": {
         "cross-spawn": "^7.0.0",
         "signal-exit": "^4.0.1"
@@ -1706,71 +1966,6 @@
         "url": "https://github.com/sponsors/isaacs"
       }
     },
-    "node_modules/foreground-child/node_modules/cross-spawn": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.3.tgz",
-      "integrity": "sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==",
-      "dependencies": {
-        "path-key": "^3.1.0",
-        "shebang-command": "^2.0.0",
-        "which": "^2.0.1"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
-    "node_modules/foreground-child/node_modules/path-key": {
-      "version": "3.1.1",
-      "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
-      "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/foreground-child/node_modules/shebang-command": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
-      "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
-      "dependencies": {
-        "shebang-regex": "^3.0.0"
-      },
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/foreground-child/node_modules/shebang-regex": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz",
-      "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==",
-      "engines": {
-        "node": ">=8"
-      }
-    },
-    "node_modules/foreground-child/node_modules/signal-exit": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz",
-      "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==",
-      "engines": {
-        "node": ">=14"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
-    "node_modules/foreground-child/node_modules/which": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
-      "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
-      "dependencies": {
-        "isexe": "^2.0.0"
-      },
-      "bin": {
-        "node-which": "bin/node-which"
-      },
-      "engines": {
-        "node": ">= 8"
-      }
-    },
     "node_modules/fs-extra": {
       "version": "9.1.0",
       "resolved": "https://registry.npmjs.org/fs-extra/-/fs-extra-9.1.0.tgz",
@@ -1801,7 +1996,21 @@
     "node_modules/fs.realpath": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/fs.realpath/-/fs.realpath-1.0.0.tgz",
-      "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw=="
+      "integrity": "sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==",
+      "dev": true
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
+      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
+      "hasInstallScript": true,
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
     },
     "node_modules/function-bind": {
       "version": "1.1.2",
@@ -1836,19 +2045,19 @@
       }
     },
     "node_modules/glob": {
-      "version": "7.2.3",
-      "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
-      "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
+      "version": "10.4.5",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-10.4.5.tgz",
+      "integrity": "sha512-7Bv8RF0k6xjo7d4A/PxYLbUCfb6c+Vpd2/mB2yRDlew7Jb5hEXiCD9ibfO7wpk8i4sevK6DFny9h7EYbM3/sHg==",
       "dependencies": {
-        "fs.realpath": "^1.0.0",
-        "inflight": "^1.0.4",
-        "inherits": "2",
-        "minimatch": "^3.1.1",
-        "once": "^1.3.0",
-        "path-is-absolute": "^1.0.0"
+        "foreground-child": "^3.1.0",
+        "jackspeak": "^3.1.2",
+        "minimatch": "^9.0.4",
+        "minipass": "^7.1.2",
+        "package-json-from-dist": "^1.0.0",
+        "path-scurry": "^1.11.1"
       },
-      "engines": {
-        "node": "*"
+      "bin": {
+        "glob": "dist/esm/bin.mjs"
       },
       "funding": {
         "url": "https://github.com/sponsors/isaacs"
@@ -1909,6 +2118,28 @@
         "node": ">= 10.13.0"
       }
     },
+    "node_modules/glob/node_modules/brace-expansion": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.1.tgz",
+      "integrity": "sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==",
+      "dependencies": {
+        "balanced-match": "^1.0.0"
+      }
+    },
+    "node_modules/glob/node_modules/minimatch": {
+      "version": "9.0.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
+      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
+      "dependencies": {
+        "brace-expansion": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=16 || 14 >=14.17"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
     "node_modules/global-modules": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/global-modules/-/global-modules-1.0.0.tgz",
@@ -1939,20 +2170,33 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/global-prefix/node_modules/which": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/which/-/which-1.3.1.tgz",
+      "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==",
+      "dev": true,
+      "dependencies": {
+        "isexe": "^2.0.0"
+      },
+      "bin": {
+        "which": "bin/which"
+      }
+    },
     "node_modules/globby": {
-      "version": "13.2.2",
-      "resolved": "https://registry.npmjs.org/globby/-/globby-13.2.2.tgz",
-      "integrity": "sha512-Y1zNGV+pzQdh7H39l9zgB4PJqjRNqydvdYCDG4HFXM4XuvSaQQlEc91IU1yALL8gUTDomgBAfz3XJdmUS+oo0w==",
+      "version": "14.0.2",
+      "resolved": "https://registry.npmjs.org/globby/-/globby-14.0.2.tgz",
+      "integrity": "sha512-s3Fq41ZVh7vbbe2PN3nrW7yC7U7MFVc5c98/iTl9c2GawNMKx/J648KQRW6WKkuU8GIbbh2IXfIRQjOZnXcTnw==",
       "dev": true,
       "dependencies": {
-        "dir-glob": "^3.0.1",
-        "fast-glob": "^3.3.0",
+        "@sindresorhus/merge-streams": "^2.1.0",
+        "fast-glob": "^3.3.2",
         "ignore": "^5.2.4",
-        "merge2": "^1.4.1",
-        "slash": "^4.0.0"
+        "path-type": "^5.0.0",
+        "slash": "^5.1.0",
+        "unicorn-magic": "^0.1.0"
       },
       "engines": {
-        "node": "^12.20.0 || ^14.13.1 || >=16.0.0"
+        "node": ">=18"
       },
       "funding": {
         "url": "https://github.com/sponsors/sindresorhus"
@@ -2060,13 +2304,59 @@
         "which": "^1.0.8"
       }
     },
-    "node_modules/gulp-elm/node_modules/ansi-colors": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-3.2.4.tgz",
-      "integrity": "sha512-hHUXGagefjN2iRrID63xckIvotOXOojhQKWIPUZ4mNUZ9nLZW+7FMNoE1lOkEhNWYsx/7ysGIuJYCiMAA9FnrA==",
+    "node_modules/gulp-elm/node_modules/cross-spawn": {
+      "version": "6.0.6",
+      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-6.0.6.tgz",
+      "integrity": "sha512-VqCUuhcd1iB+dsv8gxPttb5iZh/D0iubSP21g36KXdEuf6I5JiioesUVjpCdHV9MZRUfVFlvwtIUyPfxo5trtw==",
+      "dev": true,
+      "dependencies": {
+        "nice-try": "^1.0.4",
+        "path-key": "^2.0.1",
+        "semver": "^5.5.0",
+        "shebang-command": "^1.2.0",
+        "which": "^1.2.9"
+      },
+      "engines": {
+        "node": ">=4.8"
+      }
+    },
+    "node_modules/gulp-elm/node_modules/path-key": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/path-key/-/path-key-2.0.1.tgz",
+      "integrity": "sha512-fEHGKCSmUSDPv4uoj8AlD+joPlq3peND+HRYyxFz4KPw4z926S/b8rIuFs2FYJg3BwsxJf6A9/3eIdLaYC+9Dw==",
       "dev": true,
       "engines": {
-        "node": ">=6"
+        "node": ">=4"
+      }
+    },
+    "node_modules/gulp-elm/node_modules/semver": {
+      "version": "5.7.2",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz",
+      "integrity": "sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g==",
+      "dev": true,
+      "bin": {
+        "semver": "bin/semver"
+      }
+    },
+    "node_modules/gulp-elm/node_modules/shebang-command": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-1.2.0.tgz",
+      "integrity": "sha512-EV3L1+UQWGor21OmnvojK36mhg+TyIKDh3iFBKBohr5xeXIhNBcx8oWdgkTEEQ+BEFFYdLRuqMfd5L84N1V5Vg==",
+      "dev": true,
+      "dependencies": {
+        "shebang-regex": "^1.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/gulp-elm/node_modules/shebang-regex": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-1.0.0.tgz",
+      "integrity": "sha512-wpoSFAxys6b2a2wHZ1XpDSgD7N9iVjg29Ph9uV/uaP9Ex/KXlkTZTeddxDPSYQpgvzKLGJke2UU0AzoGCjNIvQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.10.0"
       }
     },
     "node_modules/gulp-elm/node_modules/through2": {
@@ -2079,6 +2369,18 @@
         "readable-stream": "2 || 3"
       }
     },
+    "node_modules/gulp-elm/node_modules/which": {
+      "version": "1.3.1",
+      "resolved": "https://registry.npmjs.org/which/-/which-1.3.1.tgz",
+      "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==",
+      "dev": true,
+      "dependencies": {
+        "isexe": "^2.0.0"
+      },
+      "bin": {
+        "which": "bin/which"
+      }
+    },
     "node_modules/gulp-mode": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/gulp-mode/-/gulp-mode-1.1.0.tgz",
@@ -2111,6 +2413,36 @@
         "node": ">=0.10"
       }
     },
+    "node_modules/gulp-noop/node_modules/readable-stream": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz",
+      "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==",
+      "dev": true,
+      "dependencies": {
+        "core-util-is": "~1.0.0",
+        "inherits": "~2.0.3",
+        "isarray": "~1.0.0",
+        "process-nextick-args": "~2.0.0",
+        "safe-buffer": "~5.1.1",
+        "string_decoder": "~1.1.1",
+        "util-deprecate": "~1.0.1"
+      }
+    },
+    "node_modules/gulp-noop/node_modules/safe-buffer": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
+      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==",
+      "dev": true
+    },
+    "node_modules/gulp-noop/node_modules/string_decoder": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
+      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
+      "dev": true,
+      "dependencies": {
+        "safe-buffer": "~5.1.0"
+      }
+    },
     "node_modules/gulp-noop/node_modules/through2": {
       "version": "2.0.5",
       "resolved": "https://registry.npmjs.org/through2/-/through2-2.0.5.tgz",
@@ -2131,9 +2463,9 @@
       }
     },
     "node_modules/gulp-sass": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/gulp-sass/-/gulp-sass-5.1.0.tgz",
-      "integrity": "sha512-7VT0uaF+VZCmkNBglfe1b34bxn/AfcssquLKVDYnCDJ3xNBaW7cUuI3p3BQmoKcoKFrs9jdzUxyb+u+NGfL4OQ==",
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/gulp-sass/-/gulp-sass-6.0.0.tgz",
+      "integrity": "sha512-FGb4Uab4jnH2GnSfBGd6uW3+imvNodAGfsjGcUhEtpNYPVx+TK2tp5uh7MO0sSR7aIf1Sm544werc+zV7ejHHw==",
       "dependencies": {
         "lodash.clonedeep": "^4.5.0",
         "picocolors": "^1.0.0",
@@ -2146,52 +2478,52 @@
         "node": ">=12"
       }
     },
-    "node_modules/gulp-sass/node_modules/replace-ext": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-2.0.0.tgz",
-      "integrity": "sha512-UszKE5KVK6JvyD92nzMn9cDapSk6w/CaFZ96CnmDMUqH9oowfxF/ZjRITD25H4DnOQClLA4/j7jLGXXLVKxAug==",
-      "engines": {
-        "node": ">= 10"
-      }
-    },
-    "node_modules/gulp-sourcemaps": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/gulp-sourcemaps/-/gulp-sourcemaps-3.0.0.tgz",
-      "integrity": "sha512-RqvUckJkuYqy4VaIH60RMal4ZtG0IbQ6PXMNkNsshEGJ9cldUPRb/YCgboYae+CLAs1HQNb4ADTKCx65HInquQ==",
-      "dependencies": {
-        "@gulp-sourcemaps/identity-map": "^2.0.1",
-        "@gulp-sourcemaps/map-sources": "^1.0.0",
-        "acorn": "^6.4.1",
-        "convert-source-map": "^1.0.0",
-        "css": "^3.0.0",
-        "debug-fabulous": "^1.0.0",
-        "detect-newline": "^2.0.0",
-        "graceful-fs": "^4.0.0",
-        "source-map": "^0.6.0",
-        "strip-bom-string": "^1.0.0",
-        "through2": "^2.0.0"
-      },
-      "engines": {
-        "node": ">= 6"
-      }
-    },
-    "node_modules/gulp-sourcemaps/node_modules/acorn": {
-      "version": "6.4.2",
-      "resolved": "https://registry.npmjs.org/acorn/-/acorn-6.4.2.tgz",
-      "integrity": "sha512-XtGIhXwF8YM8bJhGxG5kXgjkEuNGLTkoYqVE+KMR+aspr4KGYmKYg7yUe3KghyQ9yheNwLnjmzh/7+gfDBmHCQ==",
-      "bin": {
-        "acorn": "bin/acorn"
+    "node_modules/gulp-sourcemaps": {
+      "version": "2.6.5",
+      "resolved": "https://registry.npmjs.org/gulp-sourcemaps/-/gulp-sourcemaps-2.6.5.tgz",
+      "integrity": "sha512-SYLBRzPTew8T5Suh2U8jCSDKY+4NARua4aqjj8HOysBh2tSgT9u4jc1FYirAdPx1akUxxDeK++fqw6Jg0LkQRg==",
+      "dependencies": {
+        "@gulp-sourcemaps/identity-map": "1.X",
+        "@gulp-sourcemaps/map-sources": "1.X",
+        "acorn": "5.X",
+        "convert-source-map": "1.X",
+        "css": "2.X",
+        "debug-fabulous": "1.X",
+        "detect-newline": "2.X",
+        "graceful-fs": "4.X",
+        "source-map": "~0.6.0",
+        "strip-bom-string": "1.X",
+        "through2": "2.X"
       },
       "engines": {
-        "node": ">=0.4.0"
+        "node": ">=4"
       }
     },
-    "node_modules/gulp-sourcemaps/node_modules/source-map": {
-      "version": "0.6.1",
-      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-      "engines": {
-        "node": ">=0.10.0"
+    "node_modules/gulp-sourcemaps/node_modules/readable-stream": {
+      "version": "2.3.8",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz",
+      "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==",
+      "dependencies": {
+        "core-util-is": "~1.0.0",
+        "inherits": "~2.0.3",
+        "isarray": "~1.0.0",
+        "process-nextick-args": "~2.0.0",
+        "safe-buffer": "~5.1.1",
+        "string_decoder": "~1.1.1",
+        "util-deprecate": "~1.0.1"
+      }
+    },
+    "node_modules/gulp-sourcemaps/node_modules/safe-buffer": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
+      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
+    },
+    "node_modules/gulp-sourcemaps/node_modules/string_decoder": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
+      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
+      "dependencies": {
+        "safe-buffer": "~5.1.0"
       }
     },
     "node_modules/gulp-sourcemaps/node_modules/through2": {
@@ -2311,35 +2643,24 @@
       ]
     },
     "node_modules/ignore": {
-      "version": "5.3.1",
-      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.1.tgz",
-      "integrity": "sha512-5Fytz/IraMjqpwfd34ke28PTVMjZjJG2MPn5t7OE4eUCUNf8BAa7b5WUS9/Qvr6mwOQS7Mk6vdsMno5he+T8Xw==",
-      "dev": true,
+      "version": "5.3.2",
+      "resolved": "https://registry.npmjs.org/ignore/-/ignore-5.3.2.tgz",
+      "integrity": "sha512-hsBTNUqQTDwkWtcdYI2i06Y/nUBEsNEDJKjWdigLvegy8kDuJAS8uRlpkkcQpyEXL0Z/pjDy5HBmMjRCJ2gq+g==",
       "engines": {
         "node": ">= 4"
       }
     },
     "node_modules/immutable": {
-      "version": "4.3.4",
-      "resolved": "https://registry.npmjs.org/immutable/-/immutable-4.3.4.tgz",
-      "integrity": "sha512-fsXeu4J4i6WNWSikpI88v/PcVflZz+6kMhUfIwc5SY+poQRPnaf5V7qds6SUyUN3cVxEzuCab7QIoLOQ+DQ1wA=="
-    },
-    "node_modules/indent-string": {
-      "version": "5.0.0",
-      "resolved": "https://registry.npmjs.org/indent-string/-/indent-string-5.0.0.tgz",
-      "integrity": "sha512-m6FAo/spmsW2Ab2fU35JTYwtOKa2yAwXSwgjSv1TJzh4Mh7mC3lzAOVLBprb72XsTrgkEIsl7YrFNAiDiRhIGg==",
-      "dev": true,
-      "engines": {
-        "node": ">=12"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/sindresorhus"
-      }
+      "version": "5.0.3",
+      "resolved": "https://registry.npmjs.org/immutable/-/immutable-5.0.3.tgz",
+      "integrity": "sha512-P8IdPQHq3lA1xVeBRi5VPqUm5HDgKnx0Ru51wZz5mjxHr5n3RWhjIpOFU7ybkUxfB+5IToy+OLaHYDBIWsv+uw=="
     },
     "node_modules/inflight": {
       "version": "1.0.6",
       "resolved": "https://registry.npmjs.org/inflight/-/inflight-1.0.6.tgz",
       "integrity": "sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==",
+      "deprecated": "This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.",
+      "dev": true,
       "dependencies": {
         "once": "^1.3.0",
         "wrappy": "1"
@@ -2390,17 +2711,42 @@
       }
     },
     "node_modules/is-core-module": {
-      "version": "2.13.1",
-      "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.13.1.tgz",
-      "integrity": "sha512-hHrIjvZsftOsvKSn2TRYl63zvxsgE0K+0mYMoH6gD4omR5IWB2KynivBQczo3+wF1cCkjzvptnI9Q0sPU66ilw==",
+      "version": "2.15.1",
+      "resolved": "https://registry.npmjs.org/is-core-module/-/is-core-module-2.15.1.tgz",
+      "integrity": "sha512-z0vtXSwucUJtANQWldhbtbt7BnL0vxiFjIdDLAatwhDYty2bad6s+rijD6Ri4YuYJubLzIJLUidCh09e1djEVQ==",
       "dev": true,
       "dependencies": {
-        "hasown": "^2.0.0"
+        "hasown": "^2.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
       },
       "funding": {
         "url": "https://github.com/sponsors/ljharb"
       }
     },
+    "node_modules/is-extendable": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-1.0.1.tgz",
+      "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
+      "dependencies": {
+        "is-plain-object": "^2.0.4"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-extendable/node_modules/is-plain-object": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-2.0.4.tgz",
+      "integrity": "sha512-h5PpgXkWitc38BBMYawTYMWJHFZJVnBquFE57xFpjB8pJFiF6gZ+bU+WyI/yqXiFR5mdLsgYNaPe8uao6Uv9Og==",
+      "dependencies": {
+        "isobject": "^3.0.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/is-extglob": {
       "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
@@ -2563,15 +2909,12 @@
       }
     },
     "node_modules/jackspeak": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.1.2.tgz",
-      "integrity": "sha512-kWmLKn2tRtfYMF/BakihVVRzBKOxz4gJMiL2Rj91WnAB5TPZumSH99R/Yf1qE1u4uRimvCSJfm6hnxohXeEXjQ==",
+      "version": "3.4.3",
+      "resolved": "https://registry.npmjs.org/jackspeak/-/jackspeak-3.4.3.tgz",
+      "integrity": "sha512-OGlZQpz2yfahA/Rd1Y8Cd9SIEsqvXkLVoSw/cgwhnhFMDbsQFeZYoJJ7bIZBS9BcamUW96asq/npPWugM+RQBw==",
       "dependencies": {
         "@isaacs/cliui": "^8.0.2"
       },
-      "engines": {
-        "node": ">=14"
-      },
       "funding": {
         "url": "https://github.com/sponsors/isaacs"
       },
@@ -2705,12 +3048,9 @@
       }
     },
     "node_modules/lru-cache": {
-      "version": "10.2.2",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.2.2.tgz",
-      "integrity": "sha512-9hp3Vp2/hFQUiIwKo8XCeFVnrg8Pk3TYNPIR7tJADKi5YfcF7vEaK7avFHTlSy3kOKYaJQaalfEo6YuXdceBOQ==",
-      "engines": {
-        "node": "14 || >=16.14"
-      }
+      "version": "10.4.3",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-10.4.3.tgz",
+      "integrity": "sha512-JNAzZcXrCt42VGLuYz0zfAzDfAvJWW6AfYlDBQyDV5DClI2m5sAmK+OIO7s59XfsRsWHp02jAJrRadPRGTt6SQ=="
     },
     "node_modules/lru-queue": {
       "version": "0.1.0",
@@ -2730,18 +3070,21 @@
       }
     },
     "node_modules/memoizee": {
-      "version": "0.4.15",
-      "resolved": "https://registry.npmjs.org/memoizee/-/memoizee-0.4.15.tgz",
-      "integrity": "sha512-UBWmJpLZd5STPm7PMUlOw/TSy972M+z8gcyQ5veOnSDRREz/0bmpyTfKt3/51DhEBqCZQn1udM/5flcSPYhkdQ==",
+      "version": "0.4.17",
+      "resolved": "https://registry.npmjs.org/memoizee/-/memoizee-0.4.17.tgz",
+      "integrity": "sha512-DGqD7Hjpi/1or4F/aYAspXKNm5Yili0QDAFAY4QYvpqpgiY6+1jOfqpmByzjxbWd/T9mChbCArXAbDAsTm5oXA==",
       "dependencies": {
-        "d": "^1.0.1",
-        "es5-ext": "^0.10.53",
+        "d": "^1.0.2",
+        "es5-ext": "^0.10.64",
         "es6-weak-map": "^2.0.3",
         "event-emitter": "^0.3.5",
         "is-promise": "^2.2.2",
         "lru-queue": "^0.1.0",
         "next-tick": "^1.1.0",
         "timers-ext": "^0.1.7"
+      },
+      "engines": {
+        "node": ">=0.12"
       }
     },
     "node_modules/merge-stream": {
@@ -2754,18 +3097,16 @@
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/merge2/-/merge2-1.4.1.tgz",
       "integrity": "sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==",
-      "dev": true,
       "engines": {
         "node": ">= 8"
       }
     },
     "node_modules/micromatch": {
-      "version": "4.0.5",
-      "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.5.tgz",
-      "integrity": "sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==",
-      "dev": true,
+      "version": "4.0.8",
+      "resolved": "https://registry.npmjs.org/micromatch/-/micromatch-4.0.8.tgz",
+      "integrity": "sha512-PXwfBhYu0hBCPw8Dn0E+WDYb7af3dSLVWKi3HGv84IdF4TyFoC0ysxFd0Goxw7nSv4T/PzEJQxsYsEiFCKo2BA==",
       "dependencies": {
-        "braces": "^3.0.2",
+        "braces": "^3.0.3",
         "picomatch": "^2.3.1"
       },
       "engines": {
@@ -2789,9 +3130,9 @@
       }
     },
     "node_modules/minimatch": {
-      "version": "3.1.2",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
-      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "version": "3.0.8",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.0.8.tgz",
+      "integrity": "sha512-6FsRAQsxQ61mw+qP1ZzbL9Bc78x2p5OqNgNpnoAFLTrX8n5Kxph0CsnhmKKNXTWjXqU5L0pGPR7hYk+XWZr60Q==",
       "dependencies": {
         "brace-expansion": "^1.1.7"
       },
@@ -2808,9 +3149,9 @@
       }
     },
     "node_modules/minipass": {
-      "version": "7.1.1",
-      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.1.tgz",
-      "integrity": "sha512-UZ7eQ+h8ywIRAW1hIEl2AqdwzJucU/Kp59+8kkZeSvafXhZjul247BvIJjEVFVeON6d7lM46XX1HXCduKAS8VA==",
+      "version": "7.1.2",
+      "resolved": "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
+      "integrity": "sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==",
       "engines": {
         "node": ">=16 || 14 >=14.17"
       }
@@ -2828,9 +3169,9 @@
       }
     },
     "node_modules/ms": {
-      "version": "2.1.2",
-      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
-      "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="
     },
     "node_modules/mute-stdout": {
       "version": "2.0.0",
@@ -2852,6 +3193,12 @@
       "integrity": "sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ==",
       "dev": true
     },
+    "node_modules/node-addon-api": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/node-addon-api/-/node-addon-api-7.1.1.tgz",
+      "integrity": "sha512-5m3bsyrjFWE1xf7nz7YXdN4udnVtXK6/Yfgn5qnahL6bCkf2yKt4k3nuTKAtT4r3IG8JNR2ncsIMdZuAzJjHQQ==",
+      "optional": true
+    },
     "node_modules/normalize-path": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
@@ -2962,52 +3309,6 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/ora/node_modules/bl": {
-      "version": "4.1.0",
-      "resolved": "https://registry.npmjs.org/bl/-/bl-4.1.0.tgz",
-      "integrity": "sha512-1W07cM9gS6DcLperZfFSj+bWLtaPGSOHWhPiGzXmvVJbRLdG82sH/Kn8EtW1VqWVA54AKf2h5k5BbnIbwF3h6w==",
-      "dependencies": {
-        "buffer": "^5.5.0",
-        "inherits": "^2.0.4",
-        "readable-stream": "^3.4.0"
-      }
-    },
-    "node_modules/ora/node_modules/buffer": {
-      "version": "5.7.1",
-      "resolved": "https://registry.npmjs.org/buffer/-/buffer-5.7.1.tgz",
-      "integrity": "sha512-EHcyIPBQ4BSGlvjB16k5KgAJ27CIsHY/2JBmCRReo48y9rQ3MaUzWX3KVlBa4U7MyX02HdVj0K7C3WaB3ju7FQ==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/feross"
-        },
-        {
-          "type": "patreon",
-          "url": "https://www.patreon.com/feross"
-        },
-        {
-          "type": "consulting",
-          "url": "https://feross.org/support"
-        }
-      ],
-      "dependencies": {
-        "base64-js": "^1.3.1",
-        "ieee754": "^1.1.13"
-      }
-    },
-    "node_modules/ora/node_modules/readable-stream": {
-      "version": "3.6.2",
-      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz",
-      "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==",
-      "dependencies": {
-        "inherits": "^2.0.3",
-        "string_decoder": "^1.1.1",
-        "util-deprecate": "^1.0.1"
-      },
-      "engines": {
-        "node": ">= 6"
-      }
-    },
     "node_modules/p-cancelable": {
       "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/p-cancelable/-/p-cancelable-2.1.1.tgz",
@@ -3042,15 +3343,12 @@
       }
     },
     "node_modules/p-map": {
-      "version": "5.5.0",
-      "resolved": "https://registry.npmjs.org/p-map/-/p-map-5.5.0.tgz",
-      "integrity": "sha512-VFqfGDHlx87K66yZrNdI4YGtD70IRyd+zSvgks6mzHPRNkoKy+9EKP4SFC77/vTTQYmRmti7dvqC+m5jBrBAcg==",
+      "version": "7.0.3",
+      "resolved": "https://registry.npmjs.org/p-map/-/p-map-7.0.3.tgz",
+      "integrity": "sha512-VkndIv2fIB99swvQoA65bm+fsmt6UNdGeIB0oxBs+WhAhdh08QA04JXpI7rbB9r08/nkbysKoya9rtDERYOYMA==",
       "dev": true,
-      "dependencies": {
-        "aggregate-error": "^4.0.0"
-      },
       "engines": {
-        "node": ">=12"
+        "node": ">=18"
       },
       "funding": {
         "url": "https://github.com/sponsors/sindresorhus"
@@ -3064,6 +3362,11 @@
         "node": ">=6"
       }
     },
+    "node_modules/package-json-from-dist": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz",
+      "integrity": "sha512-UEZIS3/by4OC8vL3P2dTXRETpebLI2NiI5vIrjaD/5UtrkFX/tNbwjTSRAGC/+7CAo2pIcBaRgWmcBBHcsaCIw=="
+    },
     "node_modules/parse-filepath": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/parse-filepath/-/parse-filepath-1.0.2.tgz",
@@ -3108,17 +3411,17 @@
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/path-is-absolute/-/path-is-absolute-1.0.1.tgz",
       "integrity": "sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==",
+      "dev": true,
       "engines": {
         "node": ">=0.10.0"
       }
     },
     "node_modules/path-key": {
-      "version": "2.0.1",
-      "resolved": "https://registry.npmjs.org/path-key/-/path-key-2.0.1.tgz",
-      "integrity": "sha512-fEHGKCSmUSDPv4uoj8AlD+joPlq3peND+HRYyxFz4KPw4z926S/b8rIuFs2FYJg3BwsxJf6A9/3eIdLaYC+9Dw==",
-      "dev": true,
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
+      "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==",
       "engines": {
-        "node": ">=4"
+        "node": ">=8"
       }
     },
     "node_modules/path-parse": {
@@ -3164,18 +3467,21 @@
       }
     },
     "node_modules/path-type": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/path-type/-/path-type-4.0.0.tgz",
-      "integrity": "sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==",
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/path-type/-/path-type-5.0.0.tgz",
+      "integrity": "sha512-5HviZNaZcfqP95rwpv+1HDgUamezbqdSYTyzjTvwtJSnIH+3vnbmWsItli8OFEndS984VT55M3jduxZbX351gg==",
       "dev": true,
       "engines": {
-        "node": ">=8"
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
       }
     },
     "node_modules/picocolors": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.0.0.tgz",
-      "integrity": "sha512-1fygroTLlHu66zi26VoTDv8yRgm0Fccecssto+MhsZ0D/DGW2sm8E8AjW7NU5VVTRt5GxbeZ5qBuJr+HyLYkjQ=="
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
+      "integrity": "sha512-xceH2snhtb5M9liqDsmEw56le376mTZkEX/jEb/RxNFyegNul7eNslCXP9FDj/Lcu0X8KEyMceP2ntpaHrDEVA=="
     },
     "node_modules/picomatch": {
       "version": "2.3.1",
@@ -3202,65 +3508,13 @@
         "node": ">= 0.10"
       }
     },
-    "node_modules/plugin-error/node_modules/extend-shallow": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/extend-shallow/-/extend-shallow-3.0.2.tgz",
-      "integrity": "sha512-BwY5b5Ql4+qZoefgMj2NUmx+tehVTH/Kf4k1ZEtOHNFcm2wSxMRo992l6X3TIgni2eZVTZ85xMOjF31fwZAj6Q==",
-      "dependencies": {
-        "assign-symbols": "^1.0.0",
-        "is-extendable": "^1.0.1"
-      },
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/plugin-error/node_modules/is-extendable": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/is-extendable/-/is-extendable-1.0.1.tgz",
-      "integrity": "sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==",
-      "dependencies": {
-        "is-plain-object": "^2.0.4"
-      },
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/plugin-error/node_modules/is-plain-object": {
-      "version": "2.0.4",
-      "resolved": "https://registry.npmjs.org/is-plain-object/-/is-plain-object-2.0.4.tgz",
-      "integrity": "sha512-h5PpgXkWitc38BBMYawTYMWJHFZJVnBquFE57xFpjB8pJFiF6gZ+bU+WyI/yqXiFR5mdLsgYNaPe8uao6Uv9Og==",
-      "dependencies": {
-        "isobject": "^3.0.1"
-      },
-      "engines": {
-        "node": ">=0.10.0"
-      }
-    },
-    "node_modules/postcss": {
-      "version": "7.0.39",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-7.0.39.tgz",
-      "integrity": "sha512-yioayjNbHn6z1/Bywyb2Y4s3yvDAeXGOyxqD+LnVOinq6Mdmd++SW2wUNVzavyyHxd6+DxzWGIuosg6P1Rj8uA==",
+    "node_modules/plugin-error/node_modules/ansi-colors": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/ansi-colors/-/ansi-colors-1.1.0.tgz",
+      "integrity": "sha512-SFKX67auSNoVR38N3L+nvsPjOE0bybKTYbkf5tRvushrAPQ9V75huw0ZxBkKVeRU9kqH3d6HA4xTckbwZ4ixmA==",
       "dependencies": {
-        "picocolors": "^0.2.1",
-        "source-map": "^0.6.1"
-      },
-      "engines": {
-        "node": ">=6.0.0"
+        "ansi-wrap": "^0.1.0"
       },
-      "funding": {
-        "type": "opencollective",
-        "url": "https://opencollective.com/postcss/"
-      }
-    },
-    "node_modules/postcss/node_modules/picocolors": {
-      "version": "0.2.1",
-      "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-0.2.1.tgz",
-      "integrity": "sha512-cMlDqaLEqfSaW8Z7N5Jw+lyIW869EzT73/F5lhtY9cLGoVxSXznfgfXMO0Z5K0o0Q2TkTXq+0KFsdnSe3jDViA=="
-    },
-    "node_modules/postcss/node_modules/source-map": {
-      "version": "0.6.1",
-      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
       "engines": {
         "node": ">=0.10.0"
       }
@@ -3283,27 +3537,19 @@
       }
     },
     "node_modules/pump": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.0.tgz",
-      "integrity": "sha512-LwZy+p3SFs1Pytd/jYct4wpv49HiYCqd9Rlc5ZVdk0V+8Yzv6jR5Blk3TRmPL1ft69TxP0IMZGJ+WPFU2BFhww==",
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/pump/-/pump-3.0.2.tgz",
+      "integrity": "sha512-tUPXtzlGM8FE3P0ZL6DVs/3P58k9nk8/jZeQCurTJylQA8qFYzHFfhBJkuqyE0FifOsQ0uKWekiZ5g8wtr28cw==",
       "dependencies": {
         "end-of-stream": "^1.1.0",
         "once": "^1.3.1"
       }
     },
-    "node_modules/punycode": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz",
-      "integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==",
-      "dev": true,
-      "engines": {
-        "node": ">=6"
-      }
-    },
     "node_modules/q": {
       "version": "1.5.1",
       "resolved": "https://registry.npmjs.org/q/-/q-1.5.1.tgz",
       "integrity": "sha512-kV/CThkXo6xyFEZUugw/+pIOywXcDbFYgSct5cT3gqlbkBE1SJdwy6UQoZvodiWF/ckQLZyDE/Bu1M6gVu5lVw==",
+      "deprecated": "You or someone you depend on is using Q, the JavaScript Promise library that gave JavaScript developers strong feelings about promises. They can almost certainly migrate to the native JavaScript promise now. Thank you literally everyone for joining me in this bet against the odds. Be excellent to each other.\n\n(For a CapTP with native promises, see @endo/eventual-send and @endo/captp)",
       "dev": true,
       "engines": {
         "node": ">=0.6.0",
@@ -3314,7 +3560,6 @@
       "version": "1.2.3",
       "resolved": "https://registry.npmjs.org/queue-microtask/-/queue-microtask-1.2.3.tgz",
       "integrity": "sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==",
-      "dev": true,
       "funding": [
         {
           "type": "github",
@@ -3348,17 +3593,16 @@
       }
     },
     "node_modules/readable-stream": {
-      "version": "2.3.8",
-      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-2.3.8.tgz",
-      "integrity": "sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==",
+      "version": "3.6.2",
+      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz",
+      "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==",
       "dependencies": {
-        "core-util-is": "~1.0.0",
-        "inherits": "~2.0.3",
-        "isarray": "~1.0.0",
-        "process-nextick-args": "~2.0.0",
-        "safe-buffer": "~5.1.1",
-        "string_decoder": "~1.1.1",
-        "util-deprecate": "~1.0.1"
+        "inherits": "^2.0.3",
+        "string_decoder": "^1.1.1",
+        "util-deprecate": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
       }
     },
     "node_modules/readdirp": {
@@ -3390,12 +3634,11 @@
       "integrity": "sha512-/hS+Y0u3aOfIETiaiirUFwDBDzmXPvO+jAfKTitUngIPzdKc6Z0LoFjM/CK5PL4C+eKwHohlHAb6H0VFfmmUsw=="
     },
     "node_modules/replace-ext": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-1.0.1.tgz",
-      "integrity": "sha512-yD5BHCe7quCgBph4rMQ+0KkIRKwWCrHDOX1p1Gp6HwjPM5kVoCdKGNhN7ydqqsX6lJEnQDKZ/tFMiEdQ1dvPEw==",
-      "dev": true,
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-2.0.0.tgz",
+      "integrity": "sha512-UszKE5KVK6JvyD92nzMn9cDapSk6w/CaFZ96CnmDMUqH9oowfxF/ZjRITD25H4DnOQClLA4/j7jLGXXLVKxAug==",
       "engines": {
-        "node": ">= 0.10"
+        "node": ">= 10"
       }
     },
     "node_modules/replace-homedir": {
@@ -3472,6 +3715,12 @@
         "node": ">= 10.13.0"
       }
     },
+    "node_modules/resolve-url": {
+      "version": "0.2.1",
+      "resolved": "https://registry.npmjs.org/resolve-url/-/resolve-url-0.2.1.tgz",
+      "integrity": "sha512-ZuF55hVUQaaczgOIwqWzkEcEidmlD/xl44x1UZnhOXcYuFN2S6+rcxpG+C1N3So0wvNI3DmJICUFfu2SxhBmvg==",
+      "deprecated": "https://github.com/lydell/resolve-url#deprecated"
+    },
     "node_modules/responselike": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/responselike/-/responselike-2.0.1.tgz",
@@ -3495,26 +3744,29 @@
         "node": ">=8"
       }
     },
+    "node_modules/restore-cursor/node_modules/signal-exit": {
+      "version": "3.0.7",
+      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.7.tgz",
+      "integrity": "sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ=="
+    },
     "node_modules/reusify": {
       "version": "1.0.4",
       "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.0.4.tgz",
       "integrity": "sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==",
-      "dev": true,
       "engines": {
         "iojs": ">=1.0.0",
         "node": ">=0.10.0"
       }
     },
     "node_modules/rimraf": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-3.0.2.tgz",
-      "integrity": "sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==",
-      "dev": true,
+      "version": "5.0.10",
+      "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-5.0.10.tgz",
+      "integrity": "sha512-l0OE8wL34P4nJH/H2ffoaniAokM2qSmrtXHmlpvYr5AVVX8msAyW0l8NVJFDxlSK4u3Uh/f41cQheDVdnYijwQ==",
       "dependencies": {
-        "glob": "^7.1.3"
+        "glob": "^10.3.7"
       },
       "bin": {
-        "rimraf": "bin.js"
+        "rimraf": "dist/esm/bin.mjs"
       },
       "funding": {
         "url": "https://github.com/sponsors/isaacs"
@@ -3524,7 +3776,6 @@
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/run-parallel/-/run-parallel-1.2.0.tgz",
       "integrity": "sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==",
-      "dev": true,
       "funding": [
         {
           "type": "github",
@@ -3544,9 +3795,23 @@
       }
     },
     "node_modules/safe-buffer": {
-      "version": "5.1.2",
-      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.1.2.tgz",
-      "integrity": "sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g=="
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
+      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ]
     },
     "node_modules/safer-buffer": {
       "version": "2.1.2",
@@ -3555,12 +3820,12 @@
       "dev": true
     },
     "node_modules/sass": {
-      "version": "1.77.1",
-      "resolved": "https://registry.npmjs.org/sass/-/sass-1.77.1.tgz",
-      "integrity": "sha512-OMEyfirt9XEfyvocduUIOlUSkWOXS/LAt6oblR/ISXCTukyavjex+zQNm51pPCOiFKY1QpWvEH1EeCkgyV3I6w==",
+      "version": "1.82.0",
+      "resolved": "https://registry.npmjs.org/sass/-/sass-1.82.0.tgz",
+      "integrity": "sha512-j4GMCTa8elGyN9A7x7bEglx0VgSpNUG4W4wNedQ33wSMdnkqQCT8HTwOaVSV4e6yQovcu/3Oc4coJP/l0xhL2Q==",
       "dependencies": {
-        "chokidar": ">=3.0.0 <4.0.0",
-        "immutable": "^4.0.0",
+        "chokidar": "^4.0.0",
+        "immutable": "^5.0.2",
         "source-map-js": ">=0.6.2 <2.0.0"
       },
       "bin": {
@@ -3568,15 +3833,47 @@
       },
       "engines": {
         "node": ">=14.0.0"
+      },
+      "optionalDependencies": {
+        "@parcel/watcher": "^2.4.1"
+      }
+    },
+    "node_modules/sass/node_modules/chokidar": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-4.0.1.tgz",
+      "integrity": "sha512-n8enUVCED/KVRQlab1hr3MVpcVMvxtZjmEa956u+4YijlmQED223XMSYj2tLuKvr4jcCTzNNMpQDUer72MMmzA==",
+      "dependencies": {
+        "readdirp": "^4.0.1"
+      },
+      "engines": {
+        "node": ">= 14.16.0"
+      },
+      "funding": {
+        "url": "https://paulmillr.com/funding/"
+      }
+    },
+    "node_modules/sass/node_modules/readdirp": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-4.0.2.tgz",
+      "integrity": "sha512-yDMz9g+VaZkqBYS/ozoBJwaBhTbZo3UNYQHNRw1D3UFQB8oHB4uS/tAODO+ZLjGWmUbKnIlOWO+aaIiAxrUWHA==",
+      "engines": {
+        "node": ">= 14.16.0"
+      },
+      "funding": {
+        "type": "individual",
+        "url": "https://paulmillr.com/funding/"
       }
     },
     "node_modules/semver": {
-      "version": "5.7.2",
-      "resolved": "https://registry.npmjs.org/semver/-/semver-5.7.2.tgz",
-      "integrity": "sha512-cBznnQ9KjJqU67B52RMC65CMarK2600WFnbkcaiwWq3xy/5haFJlshgnpjovMVJ+Hff49d8GEn0b87C5pDQ10g==",
+      "version": "7.6.3",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz",
+      "integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==",
       "dev": true,
       "bin": {
-        "semver": "bin/semver"
+        "semver": "bin/semver.js"
+      },
+      "engines": {
+        "node": ">=10"
       }
     },
     "node_modules/semver-greatest-satisfied-range": {
@@ -3592,30 +3889,34 @@
       }
     },
     "node_modules/shebang-command": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-1.2.0.tgz",
-      "integrity": "sha512-EV3L1+UQWGor21OmnvojK36mhg+TyIKDh3iFBKBohr5xeXIhNBcx8oWdgkTEEQ+BEFFYdLRuqMfd5L84N1V5Vg==",
-      "dev": true,
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
+      "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
       "dependencies": {
-        "shebang-regex": "^1.0.0"
+        "shebang-regex": "^3.0.0"
       },
       "engines": {
-        "node": ">=0.10.0"
+        "node": ">=8"
       }
     },
     "node_modules/shebang-regex": {
-      "version": "1.0.0",
-      "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-1.0.0.tgz",
-      "integrity": "sha512-wpoSFAxys6b2a2wHZ1XpDSgD7N9iVjg29Ph9uV/uaP9Ex/KXlkTZTeddxDPSYQpgvzKLGJke2UU0AzoGCjNIvQ==",
-      "dev": true,
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz",
+      "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==",
       "engines": {
-        "node": ">=0.10.0"
+        "node": ">=8"
       }
     },
     "node_modules/signal-exit": {
-      "version": "3.0.7",
-      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-3.0.7.tgz",
-      "integrity": "sha512-wnD2ZE+l+SPC/uoS0vXeE9L1+0wuaMqKlfz9AMUo38JsyLSBWSFcHR1Rri62LZc12vLr1gb3jl7iwQhgwpAbGQ=="
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz",
+      "integrity": "sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==",
+      "engines": {
+        "node": ">=14"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
     },
     "node_modules/sisteransi": {
       "version": "1.0.5",
@@ -3623,12 +3924,12 @@
       "integrity": "sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg=="
     },
     "node_modules/slash": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/slash/-/slash-4.0.0.tgz",
-      "integrity": "sha512-3dOsAHXXUkQTpOYcoAxLIorMTp4gIQr5IW3iVb7A7lFIp0VHhnynm9izx6TssdrIcVIESAlVjtnO2K8bg+Coew==",
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/slash/-/slash-5.1.0.tgz",
+      "integrity": "sha512-ZA6oR3T/pEyuqwMgAKT0/hAv8oAXckzbkmR0UkUosQ+Mc4RxGoJkRmwHgHufaenlyAgE1Mxgpdcrf75y6XcnDg==",
       "dev": true,
       "engines": {
-        "node": ">=12"
+        "node": ">=14.16"
       },
       "funding": {
         "url": "https://github.com/sponsors/sindresorhus"
@@ -3652,21 +3953,34 @@
       }
     },
     "node_modules/source-map": {
-      "version": "0.5.7",
-      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
-      "integrity": "sha512-LbrmJOMUSdEVxIKvdcJzQC+nQhe8FUZQTXQy6+I75skNgn3OoQ0DZA8YnFa7gp8tqtL3KPf1kmo0R5DoApeSGQ==",
+      "version": "0.6.1",
+      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
+      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
       "engines": {
         "node": ">=0.10.0"
       }
     },
     "node_modules/source-map-js": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.0.2.tgz",
-      "integrity": "sha512-R0XvVJ9WusLiqTCEiGCmICCMplcCkIwwR11mOSD9CR5u+IXYdiseeEuXCVAjS54zqwkLcPNnmU4OeJ6tUrWhDw==",
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
+      "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==",
       "engines": {
         "node": ">=0.10.0"
       }
     },
+    "node_modules/source-map-resolve": {
+      "version": "0.5.3",
+      "resolved": "https://registry.npmjs.org/source-map-resolve/-/source-map-resolve-0.5.3.tgz",
+      "integrity": "sha512-Htz+RnsXWk5+P2slx5Jh3Q66vhQj1Cllm0zvnaY98+NFx+Dv2CF/f5O/t8x+KaNdrdIAsruNzoh/KpialbqAnw==",
+      "deprecated": "See https://github.com/lydell/source-map-resolve#deprecated",
+      "dependencies": {
+        "atob": "^2.1.2",
+        "decode-uri-component": "^0.2.0",
+        "resolve-url": "^0.2.1",
+        "source-map-url": "^0.4.0",
+        "urix": "^0.1.0"
+      }
+    },
     "node_modules/source-map-support": {
       "version": "0.5.21",
       "resolved": "https://registry.npmjs.org/source-map-support/-/source-map-support-0.5.21.tgz",
@@ -3677,14 +3991,11 @@
         "source-map": "^0.6.0"
       }
     },
-    "node_modules/source-map-support/node_modules/source-map": {
-      "version": "0.6.1",
-      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.6.1.tgz",
-      "integrity": "sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==",
-      "dev": true,
-      "engines": {
-        "node": ">=0.10.0"
-      }
+    "node_modules/source-map-url": {
+      "version": "0.4.1",
+      "resolved": "https://registry.npmjs.org/source-map-url/-/source-map-url-0.4.1.tgz",
+      "integrity": "sha512-cPiFOTLUKvJFIg4SKVScy4ilPPW6rFgMgfuZJPNoDuMs3nC1HbMUycBoJw77xFIp6z1UJQJOfx6C9GMH80DiTw==",
+      "deprecated": "See https://github.com/lydell/source-map-url#deprecated"
     },
     "node_modules/sparkles": {
       "version": "2.1.0",
@@ -3711,24 +4022,25 @@
       "dev": true
     },
     "node_modules/streamx": {
-      "version": "2.16.1",
-      "resolved": "https://registry.npmjs.org/streamx/-/streamx-2.16.1.tgz",
-      "integrity": "sha512-m9QYj6WygWyWa3H1YY69amr4nVgy61xfjys7xO7kviL5rfIEc2naf+ewFiOA+aEJD7y0JO3h2GoiUv4TDwEGzQ==",
+      "version": "2.21.0",
+      "resolved": "https://registry.npmjs.org/streamx/-/streamx-2.21.0.tgz",
+      "integrity": "sha512-Qz6MsDZXJ6ur9u+b+4xCG18TluU7PGlRfXVAAjNiGsFrBUt/ioyLkxbFaKJygoPs+/kW4VyBj0bSj89Qu0IGyg==",
       "dev": true,
       "dependencies": {
-        "fast-fifo": "^1.1.0",
-        "queue-tick": "^1.0.1"
+        "fast-fifo": "^1.3.2",
+        "queue-tick": "^1.0.1",
+        "text-decoder": "^1.1.0"
       },
       "optionalDependencies": {
         "bare-events": "^2.2.0"
       }
     },
     "node_modules/string_decoder": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.1.1.tgz",
-      "integrity": "sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==",
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",
+      "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==",
       "dependencies": {
-        "safe-buffer": "~5.1.0"
+        "safe-buffer": "~5.2.0"
       }
     },
     "node_modules/string-width": {
@@ -3844,9 +4156,9 @@
       }
     },
     "node_modules/table": {
-      "version": "6.8.1",
-      "resolved": "https://registry.npmjs.org/table/-/table-6.8.1.tgz",
-      "integrity": "sha512-Y4X9zqrCftUhMeH2EptSSERdVKt/nEdijTOacGD/97EKjhQ/Qs8RTlEGABSJNNN8lac9kheH+af7yAkEWlgneA==",
+      "version": "6.9.0",
+      "resolved": "https://registry.npmjs.org/table/-/table-6.9.0.tgz",
+      "integrity": "sha512-9kY+CygyYM6j02t5YFHbNz2FN5QmYGv9zAjVp4lCDjlCw7amdckXlEt/bjMhUIfj4ThGRE4gCUH5+yGnNuPo5A==",
       "dev": true,
       "dependencies": {
         "ajv": "^8.0.1",
@@ -3881,10 +4193,44 @@
         "node": ">=6.0.0"
       }
     },
+    "node_modules/temp/node_modules/glob": {
+      "version": "7.2.3",
+      "resolved": "https://registry.npmjs.org/glob/-/glob-7.2.3.tgz",
+      "integrity": "sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==",
+      "deprecated": "Glob versions prior to v9 are no longer supported",
+      "dev": true,
+      "dependencies": {
+        "fs.realpath": "^1.0.0",
+        "inflight": "^1.0.4",
+        "inherits": "2",
+        "minimatch": "^3.1.1",
+        "once": "^1.3.0",
+        "path-is-absolute": "^1.0.0"
+      },
+      "engines": {
+        "node": "*"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/temp/node_modules/minimatch": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-3.1.2.tgz",
+      "integrity": "sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==",
+      "dev": true,
+      "dependencies": {
+        "brace-expansion": "^1.1.7"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
     "node_modules/temp/node_modules/rimraf": {
       "version": "2.6.3",
       "resolved": "https://registry.npmjs.org/rimraf/-/rimraf-2.6.3.tgz",
       "integrity": "sha512-mwqeW5XsA2qAejG46gYdENaxXjx9onRNCfn7L0duuP4hCuTIi/QO7PDK07KJfp1d+izWPrzEJDcSqBa0OZQriA==",
+      "deprecated": "Rimraf versions prior to v4 are no longer supported",
       "dev": true,
       "dependencies": {
         "glob": "^7.1.3"
@@ -3909,9 +4255,9 @@
       }
     },
     "node_modules/terser": {
-      "version": "5.26.0",
-      "resolved": "https://registry.npmjs.org/terser/-/terser-5.26.0.tgz",
-      "integrity": "sha512-dytTGoE2oHgbNV9nTzgBEPaqAWvcJNl66VZ0BkJqlvp71IjO8CxdBx/ykCNb47cLnCmCvRZ6ZR0tLkqvZCdVBQ==",
+      "version": "5.37.0",
+      "resolved": "https://registry.npmjs.org/terser/-/terser-5.37.0.tgz",
+      "integrity": "sha512-B8wRRkmre4ERucLM/uXx4MOV5cbnOlVAqUst+1+iLKPI0dOgFO28f84ptoQt9HEI537PMzfYa/d+GEPKTRXmYA==",
       "dev": true,
       "dependencies": {
         "@jridgewell/source-map": "^0.3.3",
@@ -3926,12 +4272,33 @@
         "node": ">=10"
       }
     },
+    "node_modules/terser/node_modules/acorn": {
+      "version": "8.14.0",
+      "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.14.0.tgz",
+      "integrity": "sha512-cl669nCJTZBsL97OF4kUQm5g5hC2uihk0NxY3WENAC0TYdILVkAyHymAntgxGkl7K+t0cXIrH5siy5S4XkFycA==",
+      "dev": true,
+      "bin": {
+        "acorn": "bin/acorn"
+      },
+      "engines": {
+        "node": ">=0.4.0"
+      }
+    },
     "node_modules/terser/node_modules/commander": {
       "version": "2.20.3",
       "resolved": "https://registry.npmjs.org/commander/-/commander-2.20.3.tgz",
       "integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==",
       "dev": true
     },
+    "node_modules/text-decoder": {
+      "version": "1.2.2",
+      "resolved": "https://registry.npmjs.org/text-decoder/-/text-decoder-1.2.2.tgz",
+      "integrity": "sha512-/MDslo7ZyWTA2vnk1j7XoDVfXsGk3tp+zFEJHJGm0UjIlQifonVFwlVbQDFh8KJzTBnT8ie115TYqir6bclddA==",
+      "dev": true,
+      "dependencies": {
+        "b4a": "^1.6.4"
+      }
+    },
     "node_modules/through2": {
       "version": "4.0.2",
       "resolved": "https://registry.npmjs.org/through2/-/through2-4.0.2.tgz",
@@ -3941,20 +4308,6 @@
         "readable-stream": "3"
       }
     },
-    "node_modules/through2/node_modules/readable-stream": {
-      "version": "3.6.2",
-      "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz",
-      "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==",
-      "dev": true,
-      "dependencies": {
-        "inherits": "^2.0.3",
-        "string_decoder": "^1.1.1",
-        "util-deprecate": "^1.0.1"
-      },
-      "engines": {
-        "node": ">= 6"
-      }
-    },
     "node_modules/time-stamp": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/time-stamp/-/time-stamp-1.1.0.tgz",
@@ -3965,12 +4318,15 @@
       }
     },
     "node_modules/timers-ext": {
-      "version": "0.1.7",
-      "resolved": "https://registry.npmjs.org/timers-ext/-/timers-ext-0.1.7.tgz",
-      "integrity": "sha512-b85NUNzTSdodShTIbky6ZF02e8STtVVfD+fu4aXXShEELpozH+bCpJLYMPZbsABN2wDH7fJpqIoXxJpzbf0NqQ==",
+      "version": "0.1.8",
+      "resolved": "https://registry.npmjs.org/timers-ext/-/timers-ext-0.1.8.tgz",
+      "integrity": "sha512-wFH7+SEAcKfJpfLPkrgMPvvwnEtj8W4IurvEyrKsDleXnKLCDw71w8jltvfLa8Rm4qQxxT4jmDBYbJG/z7qoww==",
       "dependencies": {
-        "es5-ext": "~0.10.46",
-        "next-tick": "1"
+        "es5-ext": "^0.10.64",
+        "next-tick": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=0.12"
       }
     },
     "node_modules/to-regex-range": {
@@ -3997,9 +4353,9 @@
       }
     },
     "node_modules/type": {
-      "version": "1.2.0",
-      "resolved": "https://registry.npmjs.org/type/-/type-1.2.0.tgz",
-      "integrity": "sha512-+5nt5AAniqsCnu2cEQQdpzCAh33kVx8n0VoFidKpB1dVVLAN/F+bgVOqOJqOnEnrhp222clB5p3vUlD+1QAnfg=="
+      "version": "2.7.3",
+      "resolved": "https://registry.npmjs.org/type/-/type-2.7.3.tgz",
+      "integrity": "sha512-8j+1QmAbPvLZow5Qpi6NCaN8FB60p/6x8/vfNqOk/hC+HuvFZhL4+WfekuhQLiqFZXOgQdrs3B+XxEmCc6b3FQ=="
     },
     "node_modules/type-fest": {
       "version": "0.21.3",
@@ -4046,9 +4402,21 @@
       }
     },
     "node_modules/undici-types": {
-      "version": "5.26.5",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz",
-      "integrity": "sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA=="
+      "version": "6.20.0",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-6.20.0.tgz",
+      "integrity": "sha512-Ny6QZ2Nju20vw1SRHe3d9jVu6gJ+4e3+MMpqu7pqE5HT6WsTSlce++GQmK5UXS8mzV8DSYHrQH+Xrf2jVcuKNg=="
+    },
+    "node_modules/unicorn-magic": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/unicorn-magic/-/unicorn-magic-0.1.0.tgz",
+      "integrity": "sha512-lRfVq8fE8gz6QMBuDM6a+LO3IAzTi05H6gCVaUpir2E1Rwpo4ZUog45KpNXKC/Mn3Yb9UDuHumeFTo9iV/D9FQ==",
+      "dev": true,
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
     },
     "node_modules/universalify": {
       "version": "2.0.1",
@@ -4058,14 +4426,11 @@
         "node": ">= 10.0.0"
       }
     },
-    "node_modules/uri-js": {
-      "version": "4.4.1",
-      "resolved": "https://registry.npmjs.org/uri-js/-/uri-js-4.4.1.tgz",
-      "integrity": "sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==",
-      "dev": true,
-      "dependencies": {
-        "punycode": "^2.1.0"
-      }
+    "node_modules/urix": {
+      "version": "0.1.0",
+      "resolved": "https://registry.npmjs.org/urix/-/urix-0.1.0.tgz",
+      "integrity": "sha512-Am1ousAhSLBeB9cG/7k7r2R0zj50uDRlZHPGbazid5s9rlF1F/QKYObEKSIunSjIOkJZqwRRLpvewjEkM7pSqg==",
+      "deprecated": "Please see https://github.com/lydell/urix#deprecated"
     },
     "node_modules/util-deprecate": {
       "version": "1.0.2",
@@ -4120,13 +4485,39 @@
         "node": ">=10.13.0"
       }
     },
-    "node_modules/vinyl-contents/node_modules/replace-ext": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-2.0.0.tgz",
-      "integrity": "sha512-UszKE5KVK6JvyD92nzMn9cDapSk6w/CaFZ96CnmDMUqH9oowfxF/ZjRITD25H4DnOQClLA4/j7jLGXXLVKxAug==",
+    "node_modules/vinyl-contents/node_modules/bl": {
+      "version": "5.1.0",
+      "resolved": "https://registry.npmjs.org/bl/-/bl-5.1.0.tgz",
+      "integrity": "sha512-tv1ZJHLfTDnXE6tMHv73YgSJaWR2AFuPwMntBe7XL/GBFHnT0CLnsHMogfk5+GzCDC5ZWarSCYaIGATZt9dNsQ==",
       "dev": true,
-      "engines": {
-        "node": ">= 10"
+      "dependencies": {
+        "buffer": "^6.0.3",
+        "inherits": "^2.0.4",
+        "readable-stream": "^3.4.0"
+      }
+    },
+    "node_modules/vinyl-contents/node_modules/buffer": {
+      "version": "6.0.3",
+      "resolved": "https://registry.npmjs.org/buffer/-/buffer-6.0.3.tgz",
+      "integrity": "sha512-FTiCpNxtwiZZHEZbcbTIcZjERVICn9yq/pDFkTl95/AxzD1naBctN7YO68riM/gLSDY7sdrMby8hofADYuuqOA==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "dependencies": {
+        "base64-js": "^1.3.1",
+        "ieee754": "^1.2.1"
       }
     },
     "node_modules/vinyl-contents/node_modules/vinyl": {
@@ -4170,15 +4561,6 @@
         "node": ">=10.13.0"
       }
     },
-    "node_modules/vinyl-fs/node_modules/replace-ext": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-2.0.0.tgz",
-      "integrity": "sha512-UszKE5KVK6JvyD92nzMn9cDapSk6w/CaFZ96CnmDMUqH9oowfxF/ZjRITD25H4DnOQClLA4/j7jLGXXLVKxAug==",
-      "dev": true,
-      "engines": {
-        "node": ">= 10"
-      }
-    },
     "node_modules/vinyl-fs/node_modules/vinyl": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/vinyl/-/vinyl-3.0.0.tgz",
@@ -4218,15 +4600,6 @@
       "integrity": "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==",
       "dev": true
     },
-    "node_modules/vinyl-sourcemap/node_modules/replace-ext": {
-      "version": "2.0.0",
-      "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-2.0.0.tgz",
-      "integrity": "sha512-UszKE5KVK6JvyD92nzMn9cDapSk6w/CaFZ96CnmDMUqH9oowfxF/ZjRITD25H4DnOQClLA4/j7jLGXXLVKxAug==",
-      "dev": true,
-      "engines": {
-        "node": ">= 10"
-      }
-    },
     "node_modules/vinyl-sourcemap/node_modules/vinyl": {
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/vinyl/-/vinyl-3.0.0.tgz",
@@ -4251,6 +4624,23 @@
         "source-map": "^0.5.1"
       }
     },
+    "node_modules/vinyl-sourcemaps-apply/node_modules/source-map": {
+      "version": "0.5.7",
+      "resolved": "https://registry.npmjs.org/source-map/-/source-map-0.5.7.tgz",
+      "integrity": "sha512-LbrmJOMUSdEVxIKvdcJzQC+nQhe8FUZQTXQy6+I75skNgn3OoQ0DZA8YnFa7gp8tqtL3KPf1kmo0R5DoApeSGQ==",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/vinyl/node_modules/replace-ext": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/replace-ext/-/replace-ext-1.0.1.tgz",
+      "integrity": "sha512-yD5BHCe7quCgBph4rMQ+0KkIRKwWCrHDOX1p1Gp6HwjPM5kVoCdKGNhN7ydqqsX6lJEnQDKZ/tFMiEdQ1dvPEw==",
+      "dev": true,
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
     "node_modules/wcwidth": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/wcwidth/-/wcwidth-1.0.1.tgz",
@@ -4260,15 +4650,17 @@
       }
     },
     "node_modules/which": {
-      "version": "1.3.1",
-      "resolved": "https://registry.npmjs.org/which/-/which-1.3.1.tgz",
-      "integrity": "sha512-HxJdYWq1MTIQbJ3nw0cqssHoTNU267KlrDuGZ1WYlxDStUtKUhOaJmh112/TZmHxxUfuJqPXSOm7tDyas0OSIQ==",
-      "dev": true,
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
+      "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
       "dependencies": {
         "isexe": "^2.0.0"
       },
       "bin": {
-        "which": "bin/which"
+        "node-which": "bin/node-which"
+      },
+      "engines": {
+        "node": ">= 8"
       }
     },
     "node_modules/wrap-ansi": {
diff --git a/plugins-common/package.json b/plugins-common/package.json
index 136f19498..99167204f 100644
--- a/plugins-common/package.json
+++ b/plugins-common/package.json
@@ -1,7 +1,7 @@
 {
   "devDependencies": {
     "better-npm-audit": "^3.7.3",
-    "del": "^7.1.0",
+    "del": "^8.0.0",
     "elm": "^0.19.1-6",
     "gulp": "^5.0.0",
     "gulp-elm": "^0.8.2",
@@ -13,8 +13,8 @@
   },
   "dependencies": {
     "elm-review": "^2.11.2",
-    "gulp-sass": "^5.1.0",
-    "gulp-sourcemaps": "^3.0.0",
-    "sass": "^1.77.1"
+    "gulp-sass": "^6.0.0",
+    "gulp-sourcemaps": "^2.6.5",
+    "sass": "^1.77.6"
   }
 }
diff --git a/plugins-common/pom-template.xml b/plugins-common/pom-template.xml
index d5d17a953..bb005dfdc 100644
--- a/plugins-common/pom-template.xml
+++ b/plugins-common/pom-template.xml
@@ -163,7 +163,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-shade-plugin</artifactId>
-        <version>3.1.1</version>
+        <version>3.6.0</version>
         <configuration>
           <finalName>${project.artifactId}-${project.version}-jar-with-dependencies</finalName>
         </configuration>
@@ -256,7 +256,6 @@
     <dependency><groupId>co.fs2</groupId><artifactId>fs2-io_${scala-binary-version}</artifactId><scope>provided</scope></dependency>
     <dependency><groupId>com.beachape</groupId><artifactId>enumeratum_${scala-binary-version}</artifactId><scope>provided</scope></dependency>
     <dependency><groupId>com.beachape</groupId><artifactId>enumeratum-macros_${scala-binary-version}</artifactId><scope>provided</scope></dependency>
-    <dependency><groupId>com.chuusai</groupId><artifactId>shapeless_${scala-binary-version}</artifactId><scope>provided</scope><version>${shapeless-version}</version></dependency>
     <dependency><groupId>com.comcast</groupId><artifactId>ip4s-core_${scala-binary-version}</artifactId><scope>provided</scope></dependency>
     <dependency><groupId>com.github.alonsodomin.cron4s</groupId><artifactId>cron4s-core_${scala-binary-version}</artifactId><scope>provided</scope><version>${cron4s-version}</version></dependency>
     <dependency><groupId>com.github.ben-manes.caffeine</groupId><artifactId>caffeine</artifactId><scope>provided</scope><version>${caffeine-version}</version></dependency>
@@ -322,6 +321,7 @@
     <dependency><groupId>org.bouncycastle</groupId><artifactId>bcpkix-${bouncycastle-compat}</artifactId><scope>provided</scope><version>${bouncycastle-version}</version></dependency>
     <dependency><groupId>org.bouncycastle</groupId><artifactId>bcprov-${bouncycastle-compat}</artifactId><scope>provided</scope><version>${bouncycastle-version}</version></dependency>
     <dependency><groupId>org.bouncycastle</groupId><artifactId>bcutil-${bouncycastle-compat}</artifactId><scope>provided</scope><version>${bouncycastle-version}</version></dependency>
+    <dependency><groupId>org.codehaus.janino</groupId><artifactId>janino</artifactId><scope>provided</scope><version>${janino-version}</version></dependency>
     <dependency><groupId>org.checkerframework</groupId><artifactId>checker-qual</artifactId><scope>provided</scope></dependency>
     <dependency><groupId>org.eclipse.jgit</groupId><artifactId>org.eclipse.jgit</artifactId><scope>provided</scope><version>${jgit-version}</version></dependency>
     <dependency><groupId>org.graalvm.js</groupId><artifactId>js-language</artifactId><scope>provided</scope><version>${graalvm-version}</version></dependency>
diff --git a/scale-out-relay/packaging/metadata b/scale-out-relay/packaging/metadata
index d89f4c6e1..611128789 100644
--- a/scale-out-relay/packaging/metadata
+++ b/scale-out-relay/packaging/metadata
@@ -8,5 +8,6 @@
   "jar-files": [ "/opt/rudder/share/plugins/${plugin-name}/${plugin-name}.jar" ],
   "content": {
     "files.txz": "/opt/rudder/share/plugins"
-  }
+  },
+  "requires-license": true
 }
diff --git a/scale-out-relay/src/main/scala-templates/default/com/normation/plugins/scaleoutrelay/EnablePluginImpl.scala b/scale-out-relay/src/main/scala-templates/default/com/normation/plugins/scaleoutrelay/EnablePluginImpl.scala
index f83ba80eb..dace4f9c5 100644
--- a/scale-out-relay/src/main/scala-templates/default/com/normation/plugins/scaleoutrelay/EnablePluginImpl.scala
+++ b/scale-out-relay/src/main/scala-templates/default/com/normation/plugins/scaleoutrelay/EnablePluginImpl.scala
@@ -38,6 +38,6 @@
 package com.normation.plugins.scaleoutrelay
 
 import com.normation.plugins.PluginEnableImpl
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends PluginEnableImpl
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends PluginEnableImpl
diff --git a/scale-out-relay/src/main/scala-templates/limited/com/normation/plugins/scaleoutrelay/EnablePluginImpl.scala b/scale-out-relay/src/main/scala-templates/limited/com/normation/plugins/scaleoutrelay/EnablePluginImpl.scala
index 023c395d3..5ac9b311f 100644
--- a/scale-out-relay/src/main/scala-templates/limited/com/normation/plugins/scaleoutrelay/EnablePluginImpl.scala
+++ b/scale-out-relay/src/main/scala-templates/limited/com/normation/plugins/scaleoutrelay/EnablePluginImpl.scala
@@ -38,7 +38,7 @@
 package com.normation.plugins.scaleoutrelay
 
 import com.normation.plugins.LicensedPluginCheck
-import com.normation.rudder.services.nodes.NodeInfoService
+import com.normation.rudder.facts.nodes.NodeFactRepository
 import com.normation.zio.*
 /*
  * This template file will processed at build time to choose
@@ -47,12 +47,12 @@ import com.normation.zio.*
  *
  * The class will be loaded by ServiceLoader, it needs an empty constructor.
  */
-final class CheckRudderPluginEnableImpl(nodeInfoService: NodeInfoService) extends LicensedPluginCheck {
+final class CheckRudderPluginEnableImpl(nodeFactRepo: NodeFactRepository) extends LicensedPluginCheck {
   // here are processed variables
   def pluginResourcePublickey = "${plugin-resource-publickey}"
   def pluginResourceLicense   = "${plugin-resource-license}"
   def pluginDeclaredVersion   = "${plugin-declared-version}"
   def pluginId                = "${plugin-fullname}"
 
-  override def getNumberOfNodes: Int = nodeInfoService.getNumberOfManagedNodes.runNow
+  override def getNumberOfNodes: Int = nodeFactRepo.getNumberOfManagedNodes().runNow
 }
diff --git a/scale-out-relay/src/main/scala/bootstrap/rudder/plugin/ScaleOutRelayConf.scala b/scale-out-relay/src/main/scala/bootstrap/rudder/plugin/ScaleOutRelayConf.scala
index 9f8964289..25e52bd98 100644
--- a/scale-out-relay/src/main/scala/bootstrap/rudder/plugin/ScaleOutRelayConf.scala
+++ b/scale-out-relay/src/main/scala/bootstrap/rudder/plugin/ScaleOutRelayConf.scala
@@ -52,7 +52,7 @@ import com.normation.plugins.scaleoutrelay.api.ScaleOutRelayApiImpl
 object ScalaOutRelayConf extends RudderPluginModule {
 
   // by build convention, we have only one of that on the classpath
-  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeInfoService)
+  lazy val pluginStatusService = new CheckRudderPluginEnableImpl(RudderConfig.nodeFactRepository)
 
   override lazy val pluginDef: ScalaOutRelayPluginDef = new ScalaOutRelayPluginDef(ScalaOutRelayConf.pluginStatusService)
 
diff --git a/scale-out-relay/src/main/scala/com/normation/plugins/scaleoutrelay/ScaleOutRelayService.scala b/scale-out-relay/src/main/scala/com/normation/plugins/scaleoutrelay/ScaleOutRelayService.scala
index ac3290281..76f18be55 100644
--- a/scale-out-relay/src/main/scala/com/normation/plugins/scaleoutrelay/ScaleOutRelayService.scala
+++ b/scale-out-relay/src/main/scala/com/normation/plugins/scaleoutrelay/ScaleOutRelayService.scala
@@ -113,9 +113,9 @@ class ScaleOutRelayService(
       val msg = s"Promote node ${nodeInfo.id.value} have failed. Change were reverted. Cause was: ${err.fullMsg}"
       (for {
         _ <- ScaleOutRelayLoggerPure.debug(s"[promote ${nodeInfo.id.value}] error, start reverting")
-        _ <- demoteRelay(nodeInfo, objects).catchAll(err =>
-               ScaleOutRelayLoggerPure.debug(s"Error when reverting node promotion: ${err.fullMsg}")
-             )
+        _ <- demoteRelay(nodeInfo, objects)
+               .tapError(err => ScaleOutRelayLoggerPure.debug(s"Error when reverting node promotion: ${err.fullMsg}"))
+               .ignore
         _ <- ScaleOutRelayLoggerPure.error(msg)
       } yield {}) *> Unexpected(msg).fail
     }
@@ -174,10 +174,10 @@ class ScaleOutRelayService(
     val rules      = objects.rules.map(r => {
       woRuleRepository
         .deleteSystemRule(r.id, cc.modId, cc.actor, cc.message)
-        .catchAll { err =>
+        .tapError { err =>
           ScaleOutRelayLoggerPure.info(s"Trying to remove residual object rule ${r.id.serialize}: ${err.fullMsg}")
         }
-        .unit
+        .ignore
     })
 
     (nPromoted :: nBeforePromoted :: targets ::: groups ::: directives ::: rules).accumulate(identity)
diff --git a/scale-out-relay/src/main/scala/com/normation/plugins/scaleoutrelay/api/ScaleOutRelayApi.scala b/scale-out-relay/src/main/scala/com/normation/plugins/scaleoutrelay/api/ScaleOutRelayApi.scala
index 33654b073..ecd6383f2 100644
--- a/scale-out-relay/src/main/scala/com/normation/plugins/scaleoutrelay/api/ScaleOutRelayApi.scala
+++ b/scale-out-relay/src/main/scala/com/normation/plugins/scaleoutrelay/api/ScaleOutRelayApi.scala
@@ -3,6 +3,7 @@ package com.normation.plugins.scaleoutrelay.api
 import com.normation.eventlog.ModificationId
 import com.normation.inventory.domain.NodeId
 import com.normation.plugins.scaleoutrelay.ScaleOutRelayService
+import com.normation.rudder.AuthorizationType
 import com.normation.rudder.api.ApiVersion
 import com.normation.rudder.api.HttpAction.POST
 import com.normation.rudder.facts.nodes.ChangeContext
@@ -29,12 +30,14 @@ object ScaleOutRelayApi extends Enum[ScaleOutRelayApi] with ApiModuleProvider[Sc
     val z              = implicitly[Line].value
     val description    = "Promote a node to relay"
     val (action, path) = POST / "scaleoutrelay" / "promote" / "{nodeId}"
+    val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   final case object DemoteToNode extends ScaleOutRelayApi with OneParam with StartsAtVersion14 {
     val z              = implicitly[Line].value
     val description    = "Demote a relay to a simple node"
     val (action, path) = POST / "scaleoutrelay" / "demote" / "{nodeId}"
+    val authz: List[AuthorizationType] = AuthorizationType.Administration.Write :: Nil
   }
 
   override def endpoints: List[ScaleOutRelayApi] = values.toList.sortBy(_.z)