fix css sanitizer stuff

Add css sanitizer
Fix sanitize and linkify email HTML
2026-06-30 17:24:22 +00:00 · 2026-05-27 13:42:40 -07:00 · 2026-05-27 11:26:46 -07:00 · 2026-05-27 09:03:24 -07:00 · 2026-05-26 19:05:47 +00:00 · 2026-05-26 11:36:05 -07:00
799 changed files with 312146 additions and 169935 deletions
@@ -14,10 +14,6 @@ component_management:
 # https://docs.codecov.com/docs/carryforward-flags
 flags:
  # Backend Python versions
  backend-python-3.10:
    paths:
      - src/**
    carryforward: true
  backend-python-3.11:
    paths:
      - src/**
@@ -26,6 +22,14 @@ flags:
    paths:
      - src/**
    carryforward: true
  backend-python-3.13:
    paths:
      - src/**
    carryforward: true
  backend-python-3.14:
    paths:
      - src/**
    carryforward: true
  # Frontend (shards merge into single flag)
  frontend-node-24.x:
    paths:
@@ -41,9 +45,10 @@ coverage:
    project:
      backend:
        flags:
          - backend-python-3.10
          - backend-python-3.11
          - backend-python-3.12
          - backend-python-3.13
          - backend-python-3.14
        paths:
          - src/**
        # https://docs.codecov.com/docs/commit-status#threshold
@@ -59,9 +64,10 @@ coverage:
    patch:
      backend:
        flags:
          - backend-python-3.10
          - backend-python-3.11
          - backend-python-3.12
          - backend-python-3.13
          - backend-python-3.14
        paths:
          - src/**
        target: 100%
@@ -64,8 +64,6 @@ ARG RUNTIME_PACKAGES="\
  libmagic1 \
  media-types \
  zlib1g \
  # Barcode splitter
  libzbar0 \
  poppler-utils \
  htop \
  sudo"
@@ -89,6 +89,18 @@ Additional tasks are available for common maintenance operations:
 - **Migrate Database**: To apply database migrations.
 - **Create Superuser**: To create an admin user for the application.
 ## Committing from the Host Machine
 The DevContainer automatically installs Git pre-commit hooks during setup. However, these hooks are configured for use inside the container.
 If you want to commit changes from your host machine (outside the DevContainer), you need to set up prek on your host. This installs it as a standalone tool.
 ```bash
 uv tool install prek && prek install
 ```
 After this, you can commit either from inside the DevContainer or from your host machine.
 ## Let's Get Started!
 Follow the steps above to get your development environment up and running. Happy coding!
@@ -3,7 +3,11 @@
    "dockerComposeFile": "docker-compose.devcontainer.sqlite-tika.yml",
    "service": "paperless-development",
    "workspaceFolder": "/usr/src/paperless/paperless-ngx",
-    "postCreateCommand": "/bin/bash -c 'rm -rf .venv/.*  && uv sync --group dev && uv run pre-commit install'",
+    "forwardPorts": [4200, 8000],
    "containerEnv": {
        "UV_CACHE_DIR": "/usr/src/paperless/paperless-ngx/.uv-cache"
    },
    "postCreateCommand": "/bin/bash -c 'rm -rf .venv/.* && uv sync --group dev && uv run prek install'",
    "customizations": {
        "vscode": {
            "extensions": [
@@ -11,7 +15,8 @@
                "ms-python.python",
                "ms-vscode.js-debug-nightly",
                "eamodio.gitlens",
-            "yzhang.markdown-all-in-one"
+                "yzhang.markdown-all-in-one",
                "pnpm.pnpm"
            ],
            "settings": {
                "python.defaultInterpreterPath": "/usr/src/paperless/paperless-ngx/.venv/bin/python",
@@ -33,7 +33,7 @@
 			"label": "Start: Frontend Angular",
 			"description": "Start the Frontend Angular Dev Server",
 			"type": "shell",
-			"command": "pnpm start",
+			"command": "pnpm exec ng serve --host 0.0.0.0",
 			"isBackground": true,
 			"options": {
 				"cwd": "${workspaceFolder}/src-ui"
@@ -116,9 +116,9 @@
 		},
 		{
 			"label": "Maintenance: Build Documentation",
-			"description": "Build the documentation with MkDocs",
+			"description": "Build the documentation with Zensical",
 			"type": "shell",
-			"command": "uv run mkdocs build --config-file mkdocs.yml && uv run mkdocs serve",
+			"command": "uv run zensical build && uv run zensical serve",
 			"group": "none",
 			"presentation": {
 				"echo": true,
@@ -174,12 +174,22 @@
 		{
 			"label": "Maintenance: Install Frontend Dependencies",
 			"description": "Install frontend (pnpm) dependencies",
-			"type": "pnpm",
+			"type": "shell",
-			"script": "install",
+			"command": "pnpm install",
 			"path": "src-ui",
 			"group": "clean",
 			"problemMatcher": [],
-			"detail": "install dependencies from package"
+			"options": {
 				"cwd": "${workspaceFolder}/src-ui"
 			},
 			"presentation": {
 				"echo": true,
 				"reveal": "always",
 				"focus": true,
 				"panel": "shared",
 				"showReuseMessage": false,
 				"clear": true,
 				"revealProblems": "onProblem"
 			}
 		},
 		{
 			"description": "Clean install frontend dependencies and build the frontend for production",
@@ -28,3 +28,4 @@
 ./resources
 # Other stuff
 **/*.drawio.png
 .mypy_baseline
@@ -39,3 +39,6 @@ max_line_length = off
 [Dockerfile*]
 indent_style = space
 [*.toml]
 indent_style = space
@@ -21,6 +21,7 @@ body:
        - [The installation instructions](https://docs.paperless-ngx.com/setup/#installation).
        - [Existing issues and discussions](https://github.com/paperless-ngx/paperless-ngx/search?q=&type=issues).
        - Disable any custom container initialization scripts, if using
        - Remove any third-party parser plugins — issues caused by or requiring changes to a third-party plugin will be closed without investigation.
        If you encounter issues while installing or configuring Paperless-ngx, please post in the ["Support" section of the discussions](https://github.com/paperless-ngx/paperless-ngx/discussions/new?category=support).
  - type: textarea
@@ -37,6 +37,6 @@ NOTE: PRs that do not address the following will not be merged, please do not sk
 - [ ] If applicable, I have included testing coverage for new code in this PR, for [backend](https://docs.paperless-ngx.com/development/#testing) and / or [front-end](https://docs.paperless-ngx.com/development/#testing-and-code-style) changes.
 - [ ] If applicable, I have tested my code for breaking changes & regressions on both mobile & desktop devices, using the latest version of major browsers.
 - [ ] If applicable, I have checked that all tests pass, see [documentation](https://docs.paperless-ngx.com/development/#back-end-development).
- [ ] I have run all `pre-commit` hooks, see [documentation](https://docs.paperless-ngx.com/development/#code-formatting-with-pre-commit-hooks).
+- [ ] I have run all Git `pre-commit` hooks, see [documentation](https://docs.paperless-ngx.com/development/#code-formatting-with-pre-commit-hooks).
 - [ ] I have made corresponding changes to the documentation as needed.
 - [ ] In the description of the PR above I have disclosed the use of AI tools in the coding of this PR.
@@ -12,6 +12,8 @@ updates:
    open-pull-requests-limit: 10
    schedule:
      interval: "monthly"
    cooldown:
      default-days: 7
    labels:
      - "frontend"
      - "dependencies"
@@ -36,7 +38,9 @@ updates:
    directory: "/"
    # Check for updates once a week
    schedule:
-      interval: "weekly"
+      interval: "monthly"
    cooldown:
      default-days: 7
    labels:
      - "backend"
      - "dependencies"
@@ -46,8 +50,8 @@ updates:
        patterns:
          - "*pytest*"
          - "ruff"
-          - "mkdocs-material"
+          - "zensical"
-          - "pre-commit*"
+          - "prek*"
      # Django & DRF Ecosystem
      django-ecosystem:
        patterns:
@@ -69,7 +73,6 @@ updates:
        patterns:
          - "ocrmypdf"
          - "pdf2image"
          - "pyzbar"
          - "zxing-cpp"
          - "tika-client"
          - "gotenberg-client"
@@ -98,6 +101,8 @@ updates:
    schedule:
      # Check for updates to GitHub Actions every month
      interval: "monthly"
    cooldown:
      default-days: 7
    labels:
      - "ci-cd"
      - "dependencies"
@@ -113,7 +118,9 @@ updates:
      - "/"
      - "/.devcontainer/"
    schedule:
-      interval: "weekly"
+      interval: "monthly"
    cooldown:
      default-days: 7
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
@@ -124,7 +131,9 @@ updates:
  - package-ecosystem: "docker-compose"
    directory: "/docker/compose/"
    schedule:
-      interval: "weekly"
+      interval: "monthly"
    cooldown:
      default-days: 7
    open-pull-requests-limit: 5
    labels:
      - "dependencies"
@@ -148,3 +157,16 @@ updates:
      postgres:
        patterns:
          - "docker.io/library/postgres*"
      greenmail:
        patterns:
          - "docker.io/greenmail*"
  - package-ecosystem: "pre-commit" # See documentation for possible values
    directory: "/" # Location of package manifests
    schedule:
      interval: "monthly"
    cooldown:
      default-days: 7
    groups:
      pre-commit-dependencies:
        patterns:
          - "*"
@@ -3,66 +3,123 @@ on:
  push:
    branches-ignore:
      - 'translations**'
    paths:
      - 'src/**'
      - 'pyproject.toml'
      - 'uv.lock'
      - 'docker/compose/docker-compose.ci-test.yml'
      - '.github/workflows/ci-backend.yml'
  pull_request:
    branches-ignore:
      - 'translations**'
    paths:
      - 'src/**'
      - 'pyproject.toml'
      - 'uv.lock'
      - 'docker/compose/docker-compose.ci-test.yml'
      - '.github/workflows/ci-backend.yml'
  workflow_dispatch:
 concurrency:
  group: backend-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 env:
-  DEFAULT_UV_VERSION: "0.9.x"
+  DEFAULT_UV_VERSION: "0.11.x"
  NLTK_DATA: "/usr/share/nltk_data"
 permissions: {}
 jobs:
  changes:
    name: Detect Backend Changes
    runs-on: ubuntu-slim
    permissions:
      contents: read
    outputs:
      backend_changed: ${{ steps.force.outputs.run_all == 'true' || steps.filter.outputs.backend == 'true' }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Decide run mode
        id: force
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
          elif [[ "${EVENT_NAME}" == "push" && ( "${REF_NAME}" == "main" || "${REF_NAME}" == "dev" ) ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
          else
            echo "run_all=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Set diff range
        id: range
        if: steps.force.outputs.run_all != 'true'
        env:
          BEFORE_SHA: ${{ github.event.before }}
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          EVENT_CREATED: ${{ github.event.created }}
          EVENT_NAME: ${{ github.event_name }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          SHA: ${{ github.sha }}
        run: |
          if [[ "${EVENT_NAME}" == "pull_request" ]]; then
            echo "base=${PR_BASE_SHA}" >> "$GITHUB_OUTPUT"
          elif [[ "${EVENT_CREATED}" == "true" ]]; then
            echo "base=${DEFAULT_BRANCH}" >> "$GITHUB_OUTPUT"
          else
            echo "base=${BEFORE_SHA}" >> "$GITHUB_OUTPUT"
          fi
          echo "ref=${SHA}" >> "$GITHUB_OUTPUT"
      - name: Detect changes
        id: filter
        if: steps.force.outputs.run_all != 'true'
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        with:
          base: ${{ steps.range.outputs.base }}
          ref: ${{ steps.range.outputs.ref }}
          filters: |
            backend:
              - 'src/**'
              - 'pyproject.toml'
              - 'uv.lock'
              - 'docker/compose/docker-compose.ci-test.yml'
              - '.github/workflows/ci-backend.yml'
  test:
    needs: changes
    if: needs.changes.outputs.backend_changed == 'true'
    name: "Python ${{ matrix.python-version }}"
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    strategy:
      matrix:
-        python-version: ['3.10', '3.11', '3.12']
+        python-version: ['3.11', '3.12', '3.13', '3.14']
      fail-fast: false
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Start containers
        run: |
          docker compose --file docker/compose/docker-compose.ci-test.yml pull --quiet
          docker compose --file docker/compose/docker-compose.ci-test.yml up --detach
      - name: Set up Python
        id: setup-python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "${{ matrix.python-version }}"
      - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
          enable-cache: true
          python-version: ${{ steps.setup-python.outputs.python-version }}
      - name: Install system dependencies
        timeout-minutes: 10
        run: |
          sudo apt-get update -qq
          sudo apt-get install -qq --no-install-recommends \
-            unpaper tesseract-ocr imagemagick ghostscript libzbar0 poppler-utils
+            unpaper tesseract-ocr imagemagick ghostscript poppler-utils
      - name: Configure ImageMagick
        run: |
          sudo cp docker/rootfs/etc/ImageMagick-6/paperless-policy.xml /etc/ImageMagick-6/policy.xml
      - name: Install Python dependencies
        env:
          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          uv sync \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --group testing \
            --frozen
      - name: List installed Python dependencies
@@ -70,29 +127,27 @@ jobs:
          uv pip list
      - name: Install NLTK data
        run: |
-          uv run python -m nltk.downloader punkt punkt_tab snowball_data stopwords -d ${{ env.NLTK_DATA }}
+          uv run python -m nltk.downloader punkt punkt_tab snowball_data stopwords -d "${NLTK_DATA}"
      - name: Run tests
        env:
          NLTK_DATA: ${{ env.NLTK_DATA }}
          PAPERLESS_CI_TEST: 1
-          PAPERLESS_MAIL_TEST_HOST: ${{ secrets.TEST_MAIL_HOST }}
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
          PAPERLESS_MAIL_TEST_USER: ${{ secrets.TEST_MAIL_USER }}
          PAPERLESS_MAIL_TEST_PASSWD: ${{ secrets.TEST_MAIL_PASSWD }}
        run: |
          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --dev \
            --frozen \
            pytest
      - name: Upload test results to Codecov
        if: always()
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          flags: backend-python-${{ matrix.python-version }}
          files: junit.xml
          report_type: test_results
      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          flags: backend-python-${{ matrix.python-version }}
          files: coverage.xml
@@ -102,3 +157,91 @@ jobs:
        run: |
          docker compose --file docker/compose/docker-compose.ci-test.yml logs
          docker compose --file docker/compose/docker-compose.ci-test.yml down
  typing:
    needs: changes
    if: needs.changes.outputs.backend_changed == 'true'
    name: Check project typing
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    env:
      DEFAULT_PYTHON: "3.12"
      PAPERLESS_SECRET_KEY: "ci-typing-not-a-real-secret"
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Set up Python
        id: setup-python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "${{ env.DEFAULT_PYTHON }}"
      - name: Install uv
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
          enable-cache: true
          python-version: ${{ steps.setup-python.outputs.python-version }}
      - name: Install Python dependencies
        env:
          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          uv sync \
            --python "${PYTHON_VERSION}" \
            --group testing \
            --group typing \
            --frozen
      - name: List installed Python dependencies
        run: |
          uv pip list
      - name: Check typing (pyrefly)
        continue-on-error: true
        run: |
          uv run pyrefly \
            check \
            src/
      - name: Cache Mypy
        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: .mypy_cache
          # Keyed by OS, Python version, and dependency hashes
          key: ${{ runner.os }}-mypy-py${{ env.DEFAULT_PYTHON }}-${{ hashFiles('pyproject.toml', 'uv.lock') }}
          restore-keys: |
            ${{ runner.os }}-mypy-py${{ env.DEFAULT_PYTHON }}-
            ${{ runner.os }}-mypy-
      - name: Check typing (mypy)
        continue-on-error: true
        run: |
          uv run mypy \
            --show-error-codes \
            --warn-unused-configs \
            src/ | uv run mypy-baseline filter
  gate:
    name: Backend CI Gate
    needs: [changes, test, typing]
    if: always()
    runs-on: ubuntu-slim
    steps:
      - name: Check gate
        env:
          BACKEND_CHANGED: ${{ needs.changes.outputs.backend_changed }}
          TEST_RESULT: ${{ needs.test.result }}
          TYPING_RESULT: ${{ needs.typing.result }}
        run: |
          if [[ "${BACKEND_CHANGED}" != "true" ]]; then
            echo "No backend-relevant changes detected."
            exit 0
          fi
          if [[ "${TEST_RESULT}" != "success" ]]; then
            echo "::error::Backend test job result: ${TEST_RESULT}"
            exit 1
          fi
          if [[ "${TYPING_RESULT}" != "success" ]]; then
            echo "::error::Backend typing job result: ${TYPING_RESULT}"
            exit 1
          fi
          echo "Backend checks passed."
@@ -41,19 +41,20 @@ jobs:
      ref-name: ${{ steps.ref.outputs.name }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Determine ref name
        id: ref
        run: |
          ref_name="${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}"
-          # Sanitize by replacing / with - for cache keys
+          # Sanitize by replacing / with - for use in tags and cache keys
-          cache_ref="${ref_name//\//-}"
+          sanitized_ref="${ref_name//\//-}"
          echo "ref_name=${ref_name}"
-          echo "cache_ref=${cache_ref}"
+          echo "sanitized_ref=${sanitized_ref}"
-          echo "name=${ref_name}" >> $GITHUB_OUTPUT
+          echo "name=${sanitized_ref}" >> $GITHUB_OUTPUT
          echo "cache-ref=${cache_ref}" >> $GITHUB_OUTPUT
      - name: Check push permissions
        id: check-push
        env:
@@ -62,12 +63,14 @@ jobs:
          # should-push: Should we push to GHCR?
          # True for:
          #   1. Pushes (tags/dev/beta) - filtered via the workflow triggers
-          #   2. Internal PRs where the branch name starts with 'feature-' - filtered here when a PR is synced
+          #   2. Manual dispatch - always push to GHCR
          #   3. Internal PRs where the branch name starts with 'feature-' or 'fix-'
          should_push="false"
          if [[ "${{ github.event_name }}" == "push" ]]; then
            should_push="true"
          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            should_push="true"
          elif [[ "${{ github.event_name }}" == "pull_request" && "${{ github.event.pull_request.head.repo.full_name }}" == "${{ github.repository }}" ]]; then
            if [[ "${REF_NAME}" == feature-* || "${REF_NAME}" == fix-* ]]; then
              should_push="true"
@@ -86,7 +89,7 @@ jobs:
                push_external="true"
                ;;
            esac
-            case "${{ github.ref }}" in
+            case "${GITHUB_REF}" in
              refs/tags/v*|*beta.rc*)
                push_external="true"
                ;;
@@ -103,9 +106,9 @@ jobs:
          echo "repository=${repo_name}"
          echo "name=${repo_name}" >> $GITHUB_OUTPUT
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -118,7 +121,7 @@ jobs:
          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
      - name: Docker metadata
        id: docker-meta
-        uses: docker/metadata-action@v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: |
            ${{ env.REGISTRY }}/${{ steps.repo.outputs.name }}
@@ -129,7 +132,7 @@ jobs:
            type=semver,pattern={{major}}.{{minor}}
      - name: Build and push by digest
        id: build
-        uses: docker/build-push-action@v6.18.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          file: ./Dockerfile
@@ -139,67 +142,69 @@ jobs:
            PNGX_TAG_VERSION=${{ steps.docker-meta.outputs.version }}
          outputs: type=image,name=${{ env.REGISTRY }}/${{ steps.repo.outputs.name }},push-by-digest=true,name-canonical=true,push=${{ steps.check-push.outputs.should-push }}
          cache-from: |
-            type=registry,ref=${{ env.REGISTRY }}/${{ steps.repo.outputs.name }}/cache/app:${{ steps.ref.outputs.cache-ref }}-${{ matrix.arch }}
+            type=registry,ref=${{ env.REGISTRY }}/${{ steps.repo.outputs.name }}/cache/app:${{ steps.ref.outputs.name }}-${{ matrix.arch }}
            type=registry,ref=${{ env.REGISTRY }}/${{ steps.repo.outputs.name }}/cache/app:dev-${{ matrix.arch }}
-          cache-to: ${{ steps.check-push.outputs.should-push == 'true' && format('type=registry,mode=max,ref={0}/{1}/cache/app:{2}-{3}', env.REGISTRY, steps.repo.outputs.name, steps.ref.outputs.cache-ref, matrix.arch) || '' }}
+          cache-to: ${{ steps.check-push.outputs.should-push == 'true' && format('type=registry,mode=max,ref={0}/{1}/cache/app:{2}-{3}', env.REGISTRY, steps.repo.outputs.name, steps.ref.outputs.name, matrix.arch) || '' }}
      - name: Export digest
        if: steps.check-push.outputs.should-push == 'true'
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          echo "digest=${digest}"
-          touch "/tmp/digests/${digest#sha256:}"
+          echo "${digest}" > "/tmp/digests/digest-${{ matrix.arch }}.txt"
      - name: Upload digest
        if: steps.check-push.outputs.should-push == 'true'
-        uses: actions/upload-artifact@v6.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: digests-${{ matrix.arch }}
-          path: /tmp/digests/*
+          path: /tmp/digests/digest-${{ matrix.arch }}.txt
          if-no-files-found: error
          retention-days: 1
          archive: false
  merge-and-push:
    name: Merge and Push Manifest
    runs-on: ubuntu-24.04
    needs: build-arch
    if: needs.build-arch.outputs.should-push == 'true'
    environment: image-publishing
    permissions:
      contents: read
      packages: write
    steps:
      - name: Download digests
-        uses: actions/download-artifact@v7.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          path: /tmp/digests
-          pattern: digests-*
+          pattern: digest-*.txt
          merge-multiple: true
      - name: List digests
        run: |
          echo "Downloaded digests:"
          ls -la /tmp/digests/
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to Docker Hub
        if: needs.build-arch.outputs.push-external == 'true'
-        uses: docker/login-action@v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Login to Quay.io
        if: needs.build-arch.outputs.push-external == 'true'
-        uses: docker/login-action@v3.6.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_ROBOT_TOKEN }}
      - name: Docker metadata
        id: docker-meta
-        uses: docker/metadata-action@v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: |
            ${{ env.REGISTRY }}/${{ needs.build-arch.outputs.repository }}
@@ -216,8 +221,9 @@ jobs:
          tags=$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "${DOCKER_METADATA_OUTPUT_JSON}")
          digests=""
-          for digest in *; do
+          for digest_file in digest-*.txt; do
-            digests+="${{ env.REGISTRY }}/${REPOSITORY}@sha256:${digest} "
+            digest=$(cat "${digest_file}")
            digests+="${{ env.REGISTRY }}/${REPOSITORY}@${digest} "
          done
          echo "Creating manifest with tags: ${tags}"
@@ -225,8 +231,10 @@ jobs:
          docker buildx imagetools create ${tags} ${digests}
      - name: Inspect image
        env:
          FIRST_TAG: ${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}
        run: |
-          docker buildx imagetools inspect ${{ fromJSON(steps.docker-meta.outputs.json).tags[0] }}
+          docker buildx imagetools inspect "${FIRST_TAG}"
      - name: Copy to Docker Hub
        if: needs.build-arch.outputs.push-external == 'true'
        env:
@@ -1,39 +1,84 @@
 name: Documentation
 on:
  push:
-    branches:
+    branches-ignore:
-      - main
+      - 'translations**'
      - dev
    paths:
      - 'docs/**'
      - 'mkdocs.yml'
      - '.github/workflows/ci-docs.yml'
  pull_request:
    paths:
      - 'docs/**'
      - 'mkdocs.yml'
      - '.github/workflows/ci-docs.yml'
  workflow_dispatch:
 concurrency:
  group: docs-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 permissions:
  contents: read
 env:
-  DEFAULT_UV_VERSION: "0.9.x"
+  DEFAULT_UV_VERSION: "0.11.x"
-  DEFAULT_PYTHON_VERSION: "3.11"
+  DEFAULT_PYTHON_VERSION: "3.12"
 jobs:
  changes:
    name: Detect Docs Changes
    runs-on: ubuntu-slim
    outputs:
      docs_changed: ${{ steps.force.outputs.run_all == 'true' || steps.filter.outputs.docs == 'true' }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Decide run mode
        id: force
        run: |
          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
          elif [[ "${{ github.event_name }}" == "push" && ( "${{ github.ref_name }}" == "main" || "${{ github.ref_name }}" == "dev" ) ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
          else
            echo "run_all=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Set diff range
        id: range
        if: steps.force.outputs.run_all != 'true'
        run: |
          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
            echo "base=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
          elif [[ "${{ github.event.created }}" == "true" ]]; then
            echo "base=${{ github.event.repository.default_branch }}" >> "$GITHUB_OUTPUT"
          else
            echo "base=${{ github.event.before }}" >> "$GITHUB_OUTPUT"
          fi
          echo "ref=${{ github.sha }}" >> "$GITHUB_OUTPUT"
      - name: Detect changes
        id: filter
        if: steps.force.outputs.run_all != 'true'
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        with:
          base: ${{ steps.range.outputs.base }}
          ref: ${{ steps.range.outputs.ref }}
          filters: |
            docs:
              - 'docs/**'
              - 'zensical.toml'
              - 'pyproject.toml'
              - 'uv.lock'
              - '.github/workflows/ci-docs.yml'
  build:
    needs: changes
    if: needs.changes.outputs.docs_changed == 'true'
    name: Build Documentation
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Set up Python
        id: setup-python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
      - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
          enable-cache: true
@@ -47,42 +92,45 @@ jobs:
            --python ${{ steps.setup-python.outputs.python-version }} \
            --dev \
            --frozen \
-            mkdocs build --config-file ./mkdocs.yml
+            zensical build --clean
-      - name: Upload artifact
+      - name: Upload GitHub Pages artifact
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5.0.0
        with:
-          name: documentation
+          path: site
-          path: site/
+          name: github-pages-${{ github.run_id }}-${{ github.run_attempt }}
          retention-days: 7
  deploy:
    name: Deploy Documentation
-    needs: build
+    needs: [changes, build]
-    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.changes.outputs.docs_changed == 'true'
    runs-on: ubuntu-24.04
    permissions:
      pages: write
      id-token: write
    environment:
      name: github-pages
      url: ${{ steps.deployment.outputs.page_url }}
    steps:
-      - name: Checkout
+      - name: Deploy GitHub Pages
-        uses: actions/checkout@v6
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0
-      - name: Set up Python
+        id: deployment
        id: setup-python
        uses: actions/setup-python@v6
        with:
-          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
+          artifact_name: github-pages-${{ github.run_id }}-${{ github.run_attempt }}
-      - name: Install uv
+  gate:
-        uses: astral-sh/setup-uv@v7
+    name: Docs CI Gate
-        with:
+    needs: [changes, build]
-          version: ${{ env.DEFAULT_UV_VERSION }}
+    if: always()
-          enable-cache: true
+    runs-on: ubuntu-slim
-          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
+    steps:
-      - name: Install Python dependencies
+      - name: Check gate
        run: |
-          uv sync --python ${{ steps.setup-python.outputs.python-version }} --dev --frozen
+          if [[ "${{ needs.changes.outputs.docs_changed }}" != "true" ]]; then
-      - name: Deploy documentation
+            echo "No docs-relevant changes detected."
-        run: |
+            exit 0
-          echo "docs.paperless-ngx.com" > "${{ github.workspace }}/docs/CNAME"
+          fi
-          git config --global user.name "${{ github.actor }}"
+
-          git config --global user.email "${{ github.actor }}@users.noreply.github.com"
+          if [[ "${{ needs.build.result }}" != "success" ]]; then
-          uv run \
+            echo "::error::Docs build job result: ${{ needs.build.result }}"
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            exit 1
-            --dev \
+          fi
-            --frozen \
+
-            mkdocs gh-deploy --force --no-history
+          echo "Docs checks passed."
@@ -3,39 +3,96 @@ on:
  push:
    branches-ignore:
      - 'translations**'
    paths:
      - 'src-ui/**'
      - '.github/workflows/ci-frontend.yml'
  pull_request:
    branches-ignore:
      - 'translations**'
    paths:
      - 'src-ui/**'
      - '.github/workflows/ci-frontend.yml'
  workflow_dispatch:
 concurrency:
  group: frontend-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 permissions: {}
 jobs:
-  install-dependencies:
+  changes:
-    name: Install Dependencies
+    name: Detect Frontend Changes
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-slim
    permissions:
      contents: read
    outputs:
      frontend_changed: ${{ steps.force.outputs.run_all == 'true' || steps.filter.outputs.frontend == 'true' }}
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: false
      - name: Decide run mode
        id: force
        env:
          EVENT_NAME: ${{ github.event_name }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
          elif [[ "${EVENT_NAME}" == "push" && ( "${REF_NAME}" == "main" || "${REF_NAME}" == "dev" ) ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
          else
            echo "run_all=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Set diff range
        id: range
        if: steps.force.outputs.run_all != 'true'
        env:
          BEFORE_SHA: ${{ github.event.before }}
          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          EVENT_CREATED: ${{ github.event.created }}
          EVENT_NAME: ${{ github.event_name }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          SHA: ${{ github.sha }}
        run: |
          if [[ "${EVENT_NAME}" == "pull_request" ]]; then
            echo "base=${PR_BASE_SHA}" >> "$GITHUB_OUTPUT"
          elif [[ "${EVENT_CREATED}" == "true" ]]; then
            echo "base=${DEFAULT_BRANCH}" >> "$GITHUB_OUTPUT"
          else
            echo "base=${BEFORE_SHA}" >> "$GITHUB_OUTPUT"
          fi
          echo "ref=${SHA}" >> "$GITHUB_OUTPUT"
      - name: Detect changes
        id: filter
        if: steps.force.outputs.run_all != 'true'
        uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
        with:
          base: ${{ steps.range.outputs.base }}
          ref: ${{ steps.range.outputs.ref }}
          filters: |
            frontend:
              - 'src-ui/**'
              - '.github/workflows/ci-frontend.yml'
  install-dependencies:
    needs: changes
    if: needs.changes.outputs.frontend_changed == 'true'
    name: Install Dependencies
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@903f9c1a6ebcba6cf41d87230be49611ac97822e # v6.0.3
        with:
          version: 10
      - name: Use Node.js 24
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24.x
          cache: 'pnpm'
          cache-dependency-path: 'src-ui/pnpm-lock.yaml'
      - name: Cache frontend dependencies
        id: cache-frontend-deps
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/.pnpm-store
@@ -45,23 +102,28 @@ jobs:
        run: cd src-ui && pnpm install
  lint:
    name: Lint
-    needs: install-dependencies
+    needs: [changes, install-dependencies]
    if: needs.changes.outputs.frontend_changed == 'true'
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@903f9c1a6ebcba6cf41d87230be49611ac97822e # v6.0.3
        with:
          version: 10
      - name: Use Node.js 24
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24.x
          cache: 'pnpm'
          cache-dependency-path: 'src-ui/pnpm-lock.yaml'
      - name: Cache frontend dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/.pnpm-store
@@ -73,8 +135,11 @@ jobs:
        run: cd src-ui && pnpm run lint
  unit-tests:
    name: "Unit Tests (${{ matrix.shard-index }}/${{ matrix.shard-count }})"
-    needs: install-dependencies
+    needs: [changes, install-dependencies]
    if: needs.changes.outputs.frontend_changed == 'true'
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    strategy:
      fail-fast: false
      matrix:
@@ -83,19 +148,21 @@ jobs:
        shard-count: [4]
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@903f9c1a6ebcba6cf41d87230be49611ac97822e # v6.0.3
        with:
          version: 10
      - name: Use Node.js 24
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24.x
          cache: 'pnpm'
          cache-dependency-path: 'src-ui/pnpm-lock.yaml'
      - name: Cache frontend dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/.pnpm-store
@@ -107,21 +174,24 @@ jobs:
        run: cd src-ui && pnpm run test --max-workers=2 --shard=${{ matrix.shard-index }}/${{ matrix.shard-count }}
      - name: Upload test results to Codecov
        if: always()
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          flags: frontend-node-${{ matrix.node-version }}
          directory: src-ui/
          report_type: test_results
      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
        with:
          flags: frontend-node-${{ matrix.node-version }}
          directory: src-ui/coverage/
  e2e-tests:
    name: "E2E Tests (${{ matrix.shard-index }}/${{ matrix.shard-count }})"
-    needs: install-dependencies
+    needs: [changes, install-dependencies]
    if: needs.changes.outputs.frontend_changed == 'true'
    runs-on: ubuntu-24.04
-    container: mcr.microsoft.com/playwright:v1.57.0-noble
+    permissions:
      contents: read
    container: mcr.microsoft.com/playwright:v1.59.1-noble
    env:
      PLAYWRIGHT_BROWSERS_PATH: /ms-playwright
      PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
@@ -133,19 +203,21 @@ jobs:
        shard-count: [2]
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@903f9c1a6ebcba6cf41d87230be49611ac97822e # v6.0.3
        with:
          version: 10
      - name: Use Node.js 24
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24.x
          cache: 'pnpm'
          cache-dependency-path: 'src-ui/pnpm-lock.yaml'
      - name: Cache frontend dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/.pnpm-store
@@ -159,23 +231,30 @@ jobs:
        run: cd src-ui && pnpm exec playwright test --shard ${{ matrix.shard-index }}/${{ matrix.shard-count }}
  bundle-analysis:
    name: Bundle Analysis
-    needs: [unit-tests, e2e-tests]
+    needs: [changes, unit-tests, e2e-tests]
    if: needs.changes.outputs.frontend_changed == 'true'
    runs-on: ubuntu-24.04
    environment: bundle-analysis
    permissions:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 2
          persist-credentials: false
      - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@903f9c1a6ebcba6cf41d87230be49611ac97822e # v6.0.3
        with:
          version: 10
      - name: Use Node.js 24
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24.x
          cache: 'pnpm'
          cache-dependency-path: 'src-ui/pnpm-lock.yaml'
      - name: Cache frontend dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/.pnpm-store
@@ -187,3 +266,49 @@ jobs:
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        run: cd src-ui && pnpm run build --configuration=production
  gate:
    name: Frontend CI Gate
    needs: [changes, install-dependencies, lint, unit-tests, e2e-tests, bundle-analysis]
    if: always()
    runs-on: ubuntu-slim
    steps:
      - name: Check gate
        env:
          BUNDLE_ANALYSIS_RESULT: ${{ needs['bundle-analysis'].result }}
          E2E_RESULT: ${{ needs['e2e-tests'].result }}
          FRONTEND_CHANGED: ${{ needs.changes.outputs.frontend_changed }}
          INSTALL_RESULT: ${{ needs['install-dependencies'].result }}
          LINT_RESULT: ${{ needs.lint.result }}
          UNIT_RESULT: ${{ needs['unit-tests'].result }}
        run: |
          if [[ "${FRONTEND_CHANGED}" != "true" ]]; then
            echo "No frontend-relevant changes detected."
            exit 0
          fi
          if [[ "${INSTALL_RESULT}" != "success" ]]; then
            echo "::error::Frontend install job result: ${INSTALL_RESULT}"
            exit 1
          fi
          if [[ "${LINT_RESULT}" != "success" ]]; then
            echo "::error::Frontend lint job result: ${LINT_RESULT}"
            exit 1
          fi
          if [[ "${UNIT_RESULT}" != "success" ]]; then
            echo "::error::Frontend unit-tests job result: ${UNIT_RESULT}"
            exit 1
          fi
          if [[ "${E2E_RESULT}" != "success" ]]; then
            echo "::error::Frontend e2e-tests job result: ${E2E_RESULT}"
            exit 1
          fi
          if [[ "${BUNDLE_ANALYSIS_RESULT}" != "success" ]]; then
            echo "::error::Frontend bundle-analysis job result: ${BUNDLE_ANALYSIS_RESULT}"
            exit 1
          fi
          echo "Frontend checks passed."
@@ -9,16 +9,20 @@ on:
 concurrency:
  group: lint-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
-  pre-commit:
+  lint:
-    name: Pre-commit Checks
+    name: Linting via prek
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-slim
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install Python
        uses: actions/setup-python@v6
        with:
-          python-version: "3.11"
+          persist-credentials: false
-      - name: Run pre-commit
+      - name: Install Python
-        uses: pre-commit/action@v3.0.1
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: "3.14"
      - name: Run prek
        uses: j178/prek-action@cbc2f23eb5539cf20d82d1aabd0d0ecbcc56f4e3 # v2.0.2
@@ -8,38 +8,45 @@ concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false
 env:
-  DEFAULT_UV_VERSION: "0.9.x"
+  DEFAULT_UV_VERSION: "0.11.x"
-  DEFAULT_PYTHON_VERSION: "3.11"
+  DEFAULT_PYTHON_VERSION: "3.12"
 permissions: {}
 jobs:
  wait-for-docker:
    name: Wait for Docker Build
    runs-on: ubuntu-24.04
    permissions:
      checks: read
      statuses: read
    steps:
      - name: Wait for Docker build
-        uses: lewagon/wait-on-check-action@v1.4.1
+        uses: lewagon/wait-on-check-action@9312864dfbc9fd208e9c0417843430751c042800 # v1.7.0
        with:
          ref: ${{ github.sha }}
-          check-name: 'Build Docker Image'
+          check-name: 'Merge and Push Manifest'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 60
  build-release:
    name: Build Release
    needs: wait-for-docker
    runs-on: ubuntu-24.04
    permissions:
      contents: read
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # ---- Frontend Build ----
      - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@903f9c1a6ebcba6cf41d87230be49611ac97822e # v6.0.3
        with:
          version: 10
      - name: Use Node.js 24
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24.x
-          cache: 'pnpm'
+          package-manager-cache: false
          cache-dependency-path: 'src-ui/pnpm-lock.yaml'
      - name: Install frontend dependencies
        run: cd src-ui && pnpm install
      - name: Build frontend
@@ -47,45 +54,55 @@ jobs:
      # ---- Backend Setup ----
      - name: Set up Python
        id: setup-python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
      - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
-          enable-cache: true
+          enable-cache: false
          python-version: ${{ steps.setup-python.outputs.python-version }}
      - name: Install Python dependencies
        env:
          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
-          uv sync --python ${{ steps.setup-python.outputs.python-version }} --dev --frozen
+          uv sync --python "${PYTHON_VERSION}" --dev --frozen
      - name: Install system dependencies
        run: |
          sudo apt-get update -qq
          sudo apt-get install -qq --no-install-recommends gettext liblept5
      # ---- Build Documentation ----
      - name: Build documentation
        env:
          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --dev \
            --frozen \
-            mkdocs build --config-file ./mkdocs.yml
+            zensical build --clean
      # ---- Prepare Release ----
      - name: Generate requirements file
        run: |
          uv export --quiet --no-dev --all-extras --format requirements-txt --output-file requirements.txt
      - name: Compile messages
        env:
          PAPERLESS_SECRET_KEY: "ci-release-not-a-real-secret"
          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          cd src/
          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            manage.py compilemessages
      - name: Collect static files
        env:
          PAPERLESS_SECRET_KEY: "ci-release-not-a-real-secret"
          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          cd src/
          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            manage.py collectstatic --no-input --clear
      - name: Assemble release package
        run: |
@@ -118,7 +135,7 @@ jobs:
          sudo chown -R 1000:1000 paperless-ngx/
          tar -cJf paperless-ngx.tar.xz paperless-ngx/
      - name: Upload release artifact
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: release
          path: dist/paperless-ngx.tar.xz
@@ -127,38 +144,44 @@ jobs:
    name: Publish Release
    needs: build-release
    runs-on: ubuntu-24.04
    permissions:
      contents: write
      pull-requests: write
    outputs:
      prerelease: ${{ steps.get-version.outputs.prerelease }}
      changelog: ${{ steps.create-release.outputs.body }}
      version: ${{ steps.get-version.outputs.version }}
    steps:
      - name: Download release artifact
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: release
          path: ./
      - name: Get version info
        id: get-version
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
-          echo "version=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+          echo "version=${REF_NAME}" >> $GITHUB_OUTPUT
-          if [[ "${{ github.ref_name }}" == *"-beta.rc"* ]]; then
+          if [[ "${REF_NAME}" == *"-beta.rc"* ]]; then
            echo "prerelease=true" >> $GITHUB_OUTPUT
          else
            echo "prerelease=false" >> $GITHUB_OUTPUT
          fi
      - name: Create release and changelog
        id: create-release
-        uses: release-drafter/release-drafter@v6
+        uses: release-drafter/release-drafter@5de93583980a40bd78603b6dfdcda5b4df377b32 # v7.2.0
        with:
          name: Paperless-ngx ${{ steps.get-version.outputs.version }}
          tag: ${{ steps.get-version.outputs.version }}
          version: ${{ steps.get-version.outputs.version }}
          prerelease: ${{ steps.get-version.outputs.prerelease }}
          publish: true
          commitish: ${{ steps.get-version.outputs.prerelease == 'true' && 'dev' || 'main' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload release archive
-        uses: shogo82148/actions-upload-release-asset@v1
+        uses: shogo82148/actions-upload-release-asset@ee2ae851dc5d938b90075b3ef12c540abfd1ee72 # v1.10.1
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          upload_url: ${{ steps.create-release.outputs.upload_url }}
@@ -173,29 +196,39 @@ jobs:
    needs: publish-release
    if: needs.publish-release.outputs.prerelease == 'false'
    runs-on: ubuntu-24.04
    permissions:
      contents: write
      pull-requests: write
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: main
          persist-credentials: true # for pushing changelog branch
      - name: Set up Python
        id: setup-python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
      - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
-          enable-cache: true
+          enable-cache: false
          python-version: ${{ env.DEFAULT_PYTHON_VERSION }}
      - name: Update changelog
        working-directory: docs
        env:
          CHANGELOG: ${{ needs.publish-release.outputs.changelog }}
          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
          VERSION: ${{ needs.publish-release.outputs.version }}
        run: |
-          git branch ${{ needs.publish-release.outputs.version }}-changelog
+          branch_name="${VERSION}-changelog"
          git checkout ${{ needs.publish-release.outputs.version }}-changelog
-          echo -e "# Changelog\n\n${{ needs.publish-release.outputs.changelog }}\n" > changelog-new.md
+          git branch "${branch_name}"
          git checkout "${branch_name}"
          printf '# Changelog\n\n%s\n' "${CHANGELOG}" > changelog-new.md
          echo "Manually linking usernames"
          sed -i -r 's|@([a-zA-Z0-9_]+) \(\[#|[@\1](https://github.com/\1) ([#|g' changelog-new.md
@@ -208,24 +241,28 @@ jobs:
          mv changelog-new.md changelog.md
          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --dev \
-            pre-commit run --files changelog.md || true
+            prek run --files changelog.md || true
          git config --global user.name "github-actions"
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git commit -am "Changelog ${{ needs.publish-release.outputs.version }} - GHA"
+          git commit -am "Changelog ${VERSION} - GHA"
-          git push origin ${{ needs.publish-release.outputs.version }}-changelog
+          git push origin "${branch_name}"
      - name: Create pull request
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          VERSION: ${{ needs.publish-release.outputs.version }}
        with:
          script: |
            const { repo, owner } = context.repo;
            const version = process.env.VERSION;
            const head = `${version}-changelog`;
            const result = await github.rest.pulls.create({
-              title: 'Documentation: Add ${{ needs.publish-release.outputs.version }} changelog',
+              title: `Documentation: Add ${version} changelog`,
              owner,
              repo,
-              head: '${{ needs.publish-release.outputs.version }}-changelog',
+              head,
              base: 'main',
              body: 'This PR is auto-generated by CI.'
            });
@@ -0,0 +1,50 @@
 name: Static Analysis
 on:
  push:
    branches-ignore:
      - 'translations**'
  pull_request:
    branches-ignore:
      - 'translations**'
  workflow_dispatch:
 concurrency:
  group: static-analysis-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 permissions:
  contents: read
 jobs:
  zizmor:
    name: Run zizmor
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      actions: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
  semgrep:
    name: Semgrep CE
    runs-on: ubuntu-24.04
    container:
      image: semgrep/semgrep:1.155.0@sha256:cc869c685dcc0fe497c86258da9f205397d8108e56d21a86082ea4886e52784d
    if: github.actor != 'dependabot[bot]'
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run Semgrep
        run: semgrep scan --config auto --sarif-output results.sarif
      - name: Upload results to GitHub code scanning
        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        if: always()
        with:
          sarif_file: results.sarif
@@ -12,11 +12,13 @@ on:
 concurrency:
  group: registry-tags-cleanup
  cancel-in-progress: false
 permissions: {}
 jobs:
  cleanup-images:
    name: Cleanup Image Tags for ${{ matrix.primary-name }}
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
    environment: registry-maintenance
    strategy:
      fail-fast: false
      matrix:
@@ -27,7 +29,7 @@ jobs:
    steps:
      - name: Clean temporary images
        if: "${{ env.TOKEN != '' }}"
-        uses: stumpylog/image-cleaner-action/ephemeral@v0.12.0
+        uses: stumpylog/image-cleaner-action/ephemeral@4fe057d991d63b8f6d5d22c40f17c1bca2226537 # v0.12.0
        with:
          token: "${{ env.TOKEN }}"
          owner: "${{ github.repository_owner }}"
@@ -43,6 +45,7 @@ jobs:
    runs-on: ubuntu-24.04
    needs:
      - cleanup-images
    environment: registry-maintenance
    strategy:
      fail-fast: false
      matrix:
@@ -53,7 +56,7 @@ jobs:
    steps:
      - name: Clean untagged images
        if: "${{ env.TOKEN != '' }}"
-        uses: stumpylog/image-cleaner-action/untagged@v0.12.0
+        uses: stumpylog/image-cleaner-action/untagged@4fe057d991d63b8f6d5d22c40f17c1bca2226537 # v0.12.0
        with:
          token: "${{ env.TOKEN }}"
          owner: "${{ github.repository_owner }}"
@@ -34,10 +34,12 @@ jobs:
        # Learn more about CodeQL language support at https://git.io/codeql-language-support
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -45,4 +47,4 @@ jobs:
          # Prefix the list here with "+" to use these queries and those in the config file.
          # queries: ./path/to/local/query, your-org/your-repo/queries@main
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
@@ -6,18 +6,23 @@ on:
  push:
    paths: ['src/locale/**', 'src-ui/messages.xlf', 'src-ui/src/locale/**']
    branches: [dev]
 permissions:
  contents: write
  pull-requests: write
 jobs:
  synchronize-with-crowdin:
    name: Crowdin Sync
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
    environment: translation-sync
    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ secrets.PNGX_BOT_PAT }}
          persist-credentials: false
      - name: crowdin action
-        uses: crowdin/github-action@v2
+        uses: crowdin/github-action@8868a33591d21088edfc398968173a3b98d51706 # v2.16.2
        with:
          upload_translations: false
          download_translations: true
@@ -2,21 +2,33 @@ name: PR Bot
 on:
  pull_request_target:
    types: [opened]
 jobs:
  Anti-slop:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: read
      pull-requests: write
-jobs:
+    steps:
      - uses: peakoss/anti-slop@57858eead489d08b255fab2af45a506c2ca6eab2 # v0.3.0
        with:
          max-failures: 4
          failure-add-pr-labels: 'ai'
          require-pr-template: true
  pr-bot:
    name: Automated PR Bot
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Label PR by file path or branch name
        # see .github/labeler.yml for the labeler config
-        uses: actions/labeler@v6
+        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Label by size
-        uses: Gascon1/pr-size-labeler@v1.3.0
+        uses: Gascon1/pr-size-labeler@deff8ed00a76639a7c0f197525bafa3350ba4c36 # v1.3.0
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          xs_label: 'small-change'
@@ -26,7 +38,7 @@ jobs:
          fail_if_xl: 'false'
          excluded_files: /\.lock$/ /\.txt$/ ^src-ui/pnpm-lock\.yaml$ ^src-ui/messages\.xlf$ ^src/locale/en_US/LC_MESSAGES/django\.po$
      - name: Label by PR title
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const pr = context.payload.pull_request;
@@ -52,7 +64,7 @@ jobs:
            }
      - name: Label bot-generated PRs
        if: ${{ contains(github.actor, 'dependabot') || contains(github.actor, 'crowdin-bot') }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const pr = context.payload.pull_request;
@@ -77,7 +89,7 @@ jobs:
            }
      - name: Welcome comment
        if: ${{ !contains(github.actor, 'bot') }}
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            const pr = context.payload.pull_request;
@@ -19,6 +19,6 @@ jobs:
    if: github.event_name == 'pull_request_target' && (github.event.action == 'opened' || github.event.action == 'reopened') && github.event.pull_request.user.login != 'dependabot'
    steps:
      - name: Label PR with release-drafter
-        uses: release-drafter/release-drafter@v6
+        uses: release-drafter/release-drafter@5de93583980a40bd78603b6dfdcda5b4df377b32 # v7.2.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -3,10 +3,6 @@ on:
  schedule:
    - cron: '0 3 * * *'
  workflow_dispatch:
 permissions:
  issues: write
  pull-requests: write
  discussions: write
 concurrency:
  group: lock
 jobs:
@@ -14,8 +10,11 @@ jobs:
    name: 'Stale'
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
    permissions:
      issues: write
      pull-requests: write
    steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
        with:
          days-before-stale: 7
          days-before-close: 14
@@ -36,8 +35,12 @@ jobs:
    name: 'Lock Old Threads'
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
    permissions:
      issues: write
      pull-requests: write
      discussions: write
    steps:
-      - uses: dessant/lock-threads@v6
+      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
        with:
          issue-inactive-days: '30'
          pr-inactive-days: '30'
@@ -56,8 +59,10 @@ jobs:
    name: 'Close Answered Discussions'
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
    permissions:
      discussions: write
    steps:
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            function sleep(ms) {
@@ -113,8 +118,10 @@ jobs:
    name: 'Close Outdated Discussions'
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
    permissions:
      discussions: write
    steps:
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            function sleep(ms) {
@@ -205,8 +212,10 @@ jobs:
    name: 'Close Unsupported Feature Requests'
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
    permissions:
      discussions: write
    steps:
-      - uses: actions/github-script@v8
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: |
            function sleep(ms) {
@@ -3,30 +3,35 @@ on:
  push:
    branches:
      - dev
 env:
  DEFAULT_UV_VERSION: "0.11.x"
 jobs:
  generate-translate-strings:
    name: Generate Translation Strings
    runs-on: ubuntu-latest
    environment: translation-sync
    permissions:
      contents: write
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        env:
          GH_REF: ${{ github.ref }} # sonar rule:githubactions:S7630 - avoid injection
        with:
          token: ${{ secrets.PNGX_BOT_PAT }}
          ref: ${{ env.GH_REF }}
          persist-credentials: true # for pushing translation branch
      - name: Set up Python
        id: setup-python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
      - name: Install system dependencies
        run: |
          sudo apt-get update -qq
          sudo apt-get install -qq --no-install-recommends gettext
      - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          version: ${{ env.DEFAULT_UV_VERSION }}
          enable-cache: true
      - name: Install backend python dependencies
        run: |
@@ -34,20 +39,22 @@ jobs:
            --group dev \
            --frozen
      - name: Generate backend translation strings
        env:
          PAPERLESS_SECRET_KEY: "ci-translate-not-a-real-secret"
        run: cd src/ && uv run manage.py makemessages -l en_US -i "samples*"
      - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@903f9c1a6ebcba6cf41d87230be49611ac97822e # v6.0.3
        with:
          version: 10
      - name: Use Node.js 24
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          node-version: 24.x
          cache: 'pnpm'
          cache-dependency-path: 'src-ui/pnpm-lock.yaml'
      - name: Cache frontend dependencies
        id: cache-frontend-deps
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/.pnpm-store
@@ -63,7 +70,7 @@ jobs:
          cd src-ui
          pnpm run ng extract-i18n
      - name: Commit changes
-        uses: stefanzweifel/git-auto-commit-action@v7
+        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
        with:
          file_pattern: 'src-ui/messages.xlf src/locale/en_US/LC_MESSAGES/django.po'
          commit_message: "Auto translate strings"
@@ -0,0 +1,29 @@
 rules:
  template-injection:
    ignore:
      # github.event_name is a GitHub-internal constant (push/pull_request/etc.),
      # not attacker-controllable.
      - ci-docker.yml:74
      - ci-docs.yml:33
      # github.event.repository.default_branch refers to the target repo's setting,
      # which only admins can change; not influenced by fork PR authors.
      - ci-docs.yml:45
      # steps.setup-python.outputs.python-version is always a semver string (e.g. "3.12.0")
      # produced by actions/setup-python from a hardcoded env var input.
      - ci-docs.yml:88
      - ci-docs.yml:92
      # needs.*.result is always one of: success/failure/cancelled/skipped.
      - ci-docs.yml:131
      - ci-docs.yml:132
      # needs.changes.outputs.* is always "true" or "false".
      - ci-docs.yml:126
      # steps.build.outputs.digest is always a SHA256 digest (sha256:[a-f0-9]{64}).
      - ci-docker.yml:152
  dangerous-triggers:
    ignore:
      # Both workflows use pull_request_target solely to label/comment on fork PRs
      # (requires write-back access unavailable to pull_request). Neither workflow
      # checks out PR code or executes anything from the fork — only reads PR
      # metadata via context/API. Permissions are scoped to pull-requests: write.
      - pr-bot.yml:2
      - project-actions.yml:2
@@ -40,6 +40,7 @@ htmlcov/
 .coverage
 .coverage.*
 .cache
 .uv-cache
 nosetests.xml
 coverage.xml
 *,cover
@@ -53,7 +54,7 @@ junit.xml
 # Django stuff:
 *.log
-# MkDocs documentation
+# Zensical documentation
 site/
 # PyBuilder
@@ -78,6 +79,7 @@ virtualenv
 /docker-compose.env
 /docker-compose.yml
 .ruff_cache/
 .mypy_cache/
 # Used for development
 scripts/import-for-development
@@ -110,3 +112,6 @@ celerybeat-schedule*
 # ignore pnpm package store folder created when setting up the devcontainer
 .pnpm-store/
 # Git worktree local folder
 .worktrees
@@ -1,6 +1,7 @@
 # This file configures pre-commit hooks.
 # See https://pre-commit.com/ for general information
 # See https://pre-commit.com/hooks.html for a listing of possible hooks
 # We actually run via https://github.com/j178/prek which is compatible
 repos:
  # General hooks
  - repo: https://github.com/pre-commit/pre-commit-hooks
@@ -28,7 +29,7 @@ repos:
      - id: check-case-conflict
      - id: detect-private-key
  - repo: https://github.com/codespell-project/codespell
-    rev: v2.4.1
+    rev: v2.4.2
    hooks:
      - id: codespell
        additional_dependencies: [tomli]
@@ -37,7 +38,7 @@ repos:
          - json
  # See https://github.com/prettier/prettier/issues/15742 for the fork reason
  - repo: https://github.com/rbubley/mirrors-prettier
-    rev: 'v3.6.2'
+    rev: 'v3.8.3'
    hooks:
      - id: prettier
        types_or:
@@ -45,16 +46,16 @@ repos:
          - ts
          - markdown
        additional_dependencies:
-          - prettier@3.3.3
+          - prettier@3.8.3
-          - 'prettier-plugin-organize-imports@4.1.0'
+          - 'prettier-plugin-organize-imports@4.3.0'
  # Python hooks
  - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.14.5
+    rev: v0.15.12
    hooks:
      - id: ruff-check
      - id: ruff-format
  - repo: https://github.com/tox-dev/pyproject-fmt
-    rev: "v2.11.1"
+    rev: "v2.21.1"
    hooks:
      - id: pyproject-fmt
  # Dockerfile hooks
@@ -64,7 +65,7 @@ repos:
      - id: hadolint
  # Shell script hooks
  - repo: https://github.com/lovesegfault/beautysh
-    rev: v6.4.2
+    rev: v6.4.3
    hooks:
      - id: beautysh
        types: [file]
@@ -76,7 +77,7 @@ repos:
    hooks:
      - id: shellcheck
  - repo: https://github.com/google/yamlfmt
-    rev: v0.20.0
+    rev: v0.21.0
    hooks:
      - id: yamlfmt
        exclude: "^src-ui/pnpm-lock.yaml"
@@ -5,14 +5,6 @@ const config = {
 	singleQuote: true,
 	// https://prettier.io/docs/en/options.html#trailing-commas
 	trailingComma: 'es5',
 	overrides: [
 		{
 			files: ['docs/*.md'],
 			options: {
 				tabWidth: 4,
 			},
 		},
 	],
 	plugins: [require('prettier-plugin-organize-imports')],
 }
@@ -13,7 +13,9 @@ If you want to implement something big:
 ## Python
-Paperless supports python 3.10 - 3.12 at this time. We format Python code with [ruff](https://docs.astral.sh/ruff/formatter/).
+Paperless-ngx currently supports Python 3.11, 3.12, 3.13, and 3.14. As a policy, we aim to support at least the three most recent Python versions, and drop support for versions as they reach end-of-life. Older versions may be supported if dependencies permit, but this is not guaranteed.
 We format Python code with [ruff](https://docs.astral.sh/ruff/formatter/).
 ## Branches
@@ -30,7 +30,7 @@ RUN set -eux \
 # Purpose: Installs s6-overlay and rootfs
 # Comments:
 #  - Don't leave anything extra in here either
-FROM ghcr.io/astral-sh/uv:0.9.26-python3.12-trixie-slim AS s6-overlay-base
+FROM ghcr.io/astral-sh/uv:0.11.6-python3.12-trixie-slim AS s6-overlay-base
 WORKDIR /usr/src/s6
@@ -45,7 +45,7 @@ ENV \
 ARG TARGETARCH
 ARG TARGETVARIANT
 # Lock this version
-ARG S6_OVERLAY_VERSION=3.2.1.0
+ARG S6_OVERLAY_VERSION=3.2.2.0
 ARG S6_BUILD_TIME_PKGS="curl \
                        xz-utils"
@@ -154,8 +154,6 @@ ARG RUNTIME_PACKAGES="\
  libmagic1 \
  media-types \
  zlib1g \
  # Barcode splitter
  libzbar0 \
  poppler-utils"
 # Install basic runtime packages.
@@ -238,9 +236,11 @@ RUN set -eux \
    && mkdir -m700 --verbose /usr/src/paperless/.gnupg \
  && echo "Adjusting all permissions" \
    && chown --from root:root --changes --recursive paperless:paperless /usr/src/paperless \
  && echo "Making fontconfig cache writable for arbitrary container UIDs" \
    && chmod 1777 /var/cache/fontconfig \
  && echo "Collecting static files" \
-    && s6-setuidgid paperless python3 manage.py collectstatic --clear --no-input --link \
+    && PAPERLESS_SECRET_KEY=build-time-dummy s6-setuidgid paperless python3 manage.py collectstatic --clear --no-input --link \
-    && s6-setuidgid paperless python3 manage.py compilemessages \
+    && PAPERLESS_SECRET_KEY=build-time-dummy s6-setuidgid paperless python3 manage.py compilemessages \
    && /usr/local/bin/deduplicate.py --verbose /usr/src/paperless/static/
 VOLUME ["/usr/src/paperless/data", \
@@ -7,9 +7,9 @@
 <p align="center">
  <picture>
-    <source media="(prefers-color-scheme: dark)" srcset="https://github.com/paperless-ngx/paperless-ngx/blob/main/resources/logo/web/png/White%20logo%20-%20no%20background.png" width="50%">
+    <source media="(prefers-color-scheme: dark)" srcset="https://github.com/paperless-ngx/paperless-ngx/blob/main/docs/assets/logo_full_white.png" width="50%">
-    <source media="(prefers-color-scheme: light)" srcset="https://github.com/paperless-ngx/paperless-ngx/raw/main/resources/logo/web/png/Black%20logo%20-%20no%20background.png" width="50%">
+    <source media="(prefers-color-scheme: light)" srcset="https://github.com/paperless-ngx/paperless-ngx/blob/main/docs/assets/logo_full_black.png" width="50%">
-    <img src="https://github.com/paperless-ngx/paperless-ngx/raw/main/resources/logo/web/png/Black%20logo%20-%20no%20background.png" width="50%">
+    <img src="https://github.com/paperless-ngx/paperless-ngx/blob/main/docs/assets/logo_full_black.png" width="50%">
  </picture>
 </p>
@@ -2,8 +2,84 @@
 ## Reporting a Vulnerability
-The Paperless-ngx team and community take security bugs seriously. We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
+The Paperless-ngx team and community take security issues seriously. We appreciate good-faith reports and will make every effort to review legitimate findings responsibly.
 To report a security issue, please use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/paperless-ngx/paperless-ngx/security/advisories/new) tab.
-The team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
+After the initial reply to your report, the team may ask for additional information, reproduction steps, affected versions, configuration details, or proof-of-concept material needed to verify the issue.
 ## What makes a helpful report
 Please include as much of the following as possible:
 - A clear description of the issue and why it is a security vulnerability.
 - Affected Paperless-ngx version(s).
 - Required configuration, permissions, or preconditions.
 - Step-by-step reproduction instructions.
 - A realistic impact statement.
 - Logs, screenshots, requests, or a proof of concept where appropriate.
 - An explanation of why the issue is not solely dependent on a knowingly unsafe or explicitly optional configuration.
 Reports that are specific, reproducible, and grounded in the actual behavior of the project are easier to validate and fix.
 ## AI-assisted submissions
 AI tools can be useful for security research, but they can also produce plausible-sounding reports that do not reflect actual vulnerabilities in Paperless-ngx.
 If you use AI tools to help draft or investigate a report, please disclose this and verify the result yourself before submission. Make sure the report:
 - identifies a real code path in this project
 - includes a real reproduction, not just a theoretical concern
 - demonstrates realistic impact
 - accounts for existing permission checks, configuration requirements, and trust boundaries
 - is about Paperless-ngx itself, rather than a hypothetical deployment, downstream customization, third-party app, scanner output, reverse proxy behavior, or external service unless you can show a direct product vulnerability
 Submitting unverified AI-generated claims creates unnecessary review work and slows down handling of legitimate reports.
 <!-- Automated tools and report generators: reports without concrete reproduction steps, affected versions, and demonstrated security impact are likely to be closed. -->
 ## Common reasons reports are closed
 We may close reports that are:
 - missing reproduction details
 - best-practice recommendations presented as vulnerabilities
 - theoretical claims without a demonstrated exploit path or realistic impact
 - dependent on administrator-controlled, explicitly optional, or knowingly unsafe configuration
 - based on privileges that already make the reported behavior expected
 - limited to unsupported versions
 - about third-party software, integrations, deployment choices, or client applications without a demonstrable Paperless-ngx vulnerability
 - duplicates
 - UI bugs, feature requests, scanner quirks, or general usability issues submitted through the security channel
 ## Common non-vulnerability categories
 The following are not generally considered vulnerabilities unless accompanied by a concrete, reproducible impact in Paperless-ngx:
 - large uploads or resource usage that do not bypass documented limits or privileges
 - IDOR / access control claims regarding the ability to attach an un-viewable object to a document. This is expected behavior.
 - claims based solely on the presence of a library, framework feature or code pattern without a working exploit
 - reports that rely on admin-level access, workflow-editing privileges, shell access, or other high-trust roles unless they demonstrate an unintended privilege boundary bypass
 - optional webhook, mail, AI, OCR, or integration behavior described without a product-level vulnerability
 - missing limits or hardening settings presented without concrete impact
 - generic AI or static-analysis output that is not confirmed against the current codebase and a real deployment scenario
 ## Transparency
 We may publish anonymized examples or categories of rejected reports to clarify our review standards, reduce duplicate low-quality submissions, and help good-faith reporters send actionable findings.
 A mistaken report made in good faith is not misconduct. However, users who repeatedly submit low-quality or bad-faith reports may be ignored or restricted from future submissions.
 ## Scope and expectations
 Please use the security reporting channel only for security vulnerabilities in Paperless-ngx.
 Please do not use the security advisory system for:
 - support questions
 - general bug reports
 - feature requests
 - browser compatibility issues
 - issues in third-party mobile apps, reverse proxies, or deployment tooling unless you can demonstrate a Paperless-ngx vulnerability
 The team will review reports as time permits, but submission does not guarantee that a report is valid, in scope, or will result in a fix. Reports that do not describe a reproducible product-level issue may be closed without extended back-and-forth.
@@ -4,7 +4,7 @@
 # correct networking for the tests
 services:
  gotenberg:
-    image: docker.io/gotenberg/gotenberg:8.25
+    image: docker.io/gotenberg/gotenberg:8.27
    hostname: gotenberg
    container_name: gotenberg
    network_mode: host
@@ -18,8 +18,29 @@ services:
      - "--log-level=warn"
      - "--log-format=text"
  tika:
-    image: docker.io/apache/tika:latest
+    image: docker.io/apache/tika:3.2.3.0
    hostname: tika
    container_name: tika
    network_mode: host
    restart: unless-stopped
  greenmail:
    image: docker.io/greenmail/standalone:2.1.8
    hostname: greenmail
    container_name: greenmail
    environment:
      # Enable only IMAP for now (SMTP available via 3025 if needed later)
      GREENMAIL_OPTS: >-
        -Dgreenmail.setup.test.imap -Dgreenmail.users=test@localhost:test -Dgreenmail.users.login=test@localhost -Dgreenmail.verbose
    ports:
      - "3143:3143" # IMAP
    restart: unless-stopped
  nginx:
    image: docker.io/nginx:1.29.5-alpine
    hostname: nginx
    container_name: nginx
    ports:
      - "8080:8080"
    restart: unless-stopped
    volumes:
      - ../../docs/assets:/usr/share/nginx/html/assets:ro
      - ./test-nginx.conf:/etc/nginx/conf.d/default.conf:ro
@@ -17,9 +17,9 @@
 # (if doing so please consider security measures such as reverse proxy)
 #PAPERLESS_URL=https://paperless.example.com
-# Adjust this key if you plan to make paperless available publicly. It should
+# Required. A unique secret key for session tokens and signing.
-# be a very long sequence of random characters. You don't need to remember it.
+# Generate with: python3 -c "import secrets; print(secrets.token_urlsafe(64))"
-#PAPERLESS_SECRET_KEY=change-me
+PAPERLESS_SECRET_KEY=change-me
 # Use this variable to set a timezone for the Paperless Docker containers. Defaults to UTC.
 #PAPERLESS_TIME_ZONE=America/Los_Angeles
@@ -72,7 +72,7 @@ services:
      PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://gotenberg:3000
      PAPERLESS_TIKA_ENDPOINT: http://tika:9998
  gotenberg:
-    image: docker.io/gotenberg/gotenberg:8.25
+    image: docker.io/gotenberg/gotenberg:8.27
    restart: unless-stopped
    # The gotenberg chromium route is used to convert .eml files. We do not
    # want to allow external content like tracking pixels or even javascript.
@@ -56,6 +56,7 @@ services:
    environment:
      PAPERLESS_REDIS: redis://broker:6379
      PAPERLESS_DBHOST: db
      PAPERLESS_DBENGINE: postgres
    env_file:
      - stack.env
 volumes:
@@ -62,11 +62,12 @@ services:
    environment:
      PAPERLESS_REDIS: redis://broker:6379
      PAPERLESS_DBHOST: db
      PAPERLESS_DBENGINE: postgresql
      PAPERLESS_TIKA_ENABLED: 1
      PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://gotenberg:3000
      PAPERLESS_TIKA_ENDPOINT: http://tika:9998
  gotenberg:
-    image: docker.io/gotenberg/gotenberg:8.25
+    image: docker.io/gotenberg/gotenberg:8.27
    restart: unless-stopped
    # The gotenberg chromium route is used to convert .eml files. We do not
    # want to allow external content like tracking pixels or even javascript.
@@ -56,6 +56,7 @@ services:
    environment:
      PAPERLESS_REDIS: redis://broker:6379
      PAPERLESS_DBHOST: db
      PAPERLESS_DBENGINE: postgresql
 volumes:
  data:
  media:
@@ -51,11 +51,12 @@ services:
    env_file: docker-compose.env
    environment:
      PAPERLESS_REDIS: redis://broker:6379
      PAPERLESS_DBENGINE: sqlite
      PAPERLESS_TIKA_ENABLED: 1
      PAPERLESS_TIKA_GOTENBERG_ENDPOINT: http://gotenberg:3000
      PAPERLESS_TIKA_ENDPOINT: http://tika:9998
  gotenberg:
-    image: docker.io/gotenberg/gotenberg:8.25
+    image: docker.io/gotenberg/gotenberg:8.27
    restart: unless-stopped
    # The gotenberg chromium route is used to convert .eml files. We do not
    # want to allow external content like tracking pixels or even javascript.
@@ -42,6 +42,7 @@ services:
    env_file: docker-compose.env
    environment:
      PAPERLESS_REDIS: redis://broker:6379
      PAPERLESS_DBENGINE: sqlite
 volumes:
  data:
  media:
@@ -0,0 +1,14 @@
 server {
    listen 8080;
    server_name localhost;
    root /usr/share/nginx/html;
    # Enable CORS for test requests
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS' always;
    location / {
        try_files $uri $uri/ =404;
    }
 }
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py management_command "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py management_command "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py management_command "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -10,8 +10,10 @@ cd "${PAPERLESS_SRC_DIR}"
 # The whole migrate, with flock, needs to run as the right user
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py check --tag compatibility paperless || exit 1
 	exec s6-setlock -n "${data_dir}/migration_lock" python3 manage.py migrate --skip-checks --no-input
 else
 	s6-setuidgid paperless python3 manage.py check --tag compatibility paperless  || exit 1
 	exec s6-setuidgid paperless \
 		s6-setlock -n "${data_dir}/migration_lock" \
 		python3 manage.py migrate --skip-checks --no-input
@@ -2,6 +2,17 @@
 # shellcheck shell=bash
 declare -r log_prefix="[init-user]"
 # When the container is started as a non-root user (e.g. via `user: 999:999`
 # in Docker Compose), usermod/groupmod require root and are meaningless.
 # USERMAP_* variables only apply to the root-started path.
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	if [[ -n "${USERMAP_UID}" || -n "${USERMAP_GID}" ]]; then
 		echo "${log_prefix} WARNING: USERMAP_UID/USERMAP_GID are set but have no effect when the container is started as a non-root user"
 	fi
 	echo "${log_prefix} Running as non-root user ($(id --user):$(id --group)), skipping UID/GID remapping"
 	exit 0
 fi
 declare -r usermap_original_uid=$(id -u paperless)
 declare -r usermap_original_gid=$(id -g paperless)
 declare -r usermap_new_uid=${USERMAP_UID:-$usermap_original_uid}
@@ -3,26 +3,10 @@
 declare -r log_prefix="[init-index]"
-declare -r index_version=9
+echo "${log_prefix} Checking search index..."
 declare -r data_dir="${PAPERLESS_DATA_DIR:-/usr/src/paperless/data}"
 declare -r index_version_file="${data_dir}/.index_version"
 update_index () {
 	echo "${log_prefix} Search index out of date. Updating..."
 cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
-		python3 manage.py document_index reindex --no-progress-bar
+	python3 manage.py document_index reindex --if-needed --no-progress-bar
 		echo ${index_version} | tee "${index_version_file}" > /dev/null
 else
-		s6-setuidgid paperless python3 manage.py document_index reindex --no-progress-bar
+	s6-setuidgid paperless python3 manage.py document_index reindex --if-needed --no-progress-bar
 		echo ${index_version} | s6-setuidgid paperless tee "${index_version_file}" > /dev/null
 	fi
 }
 if [[ (! -f "${index_version_file}") ]]; then
 	echo "${log_prefix} No index version file found"
 	update_index
 elif [[ $(<"${index_version_file}") != "$index_version" ]]; then
 	echo "${log_prefix} index version updated"
 	update_index
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py convert_mariadb_uuid "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py convert_mariadb_uuid "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py convert_mariadb_uuid "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py createsuperuser "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py createsuperuser "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py createsuperuser "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py document_archiver "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_archiver "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_archiver "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py document_create_classifier "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_create_classifier "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_create_classifier "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py document_exporter "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_exporter "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_exporter "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py document_fuzzy_match "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_fuzzy_match "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_fuzzy_match "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py document_importer "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_importer "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_importer "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py document_index "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_index "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_index "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py document_renamer "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_renamer "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_renamer "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py document_retagger "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_retagger "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_retagger "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py document_sanity_checker "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_sanity_checker "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_sanity_checker "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py document_thumbnails "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py document_thumbnails "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py document_thumbnails "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py mail_fetcher "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py mail_fetcher "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py mail_fetcher "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py manage_superuser "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py manage_superuser "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py manage_superuser "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -7,6 +7,11 @@ cd "${PAPERLESS_SRC_DIR}"
 if [[ -n "${USER_IS_NON_ROOT}" ]]; then
 	python3 manage.py prune_audit_logs "$@"
-elif [[ $(id -un) == "paperless" ]]; then
+elif [[ $(id -u) == 0 ]]; then
 	s6-setuidgid paperless python3 manage.py prune_audit_logs "$@"
 elif [[ $(id -un) == "paperless" ]]; then
 	python3 manage.py prune_audit_logs "$@"
 else
 	echo "Unknown user."
 	exit 1
 fi
@@ -34,7 +34,6 @@ Options available to docker installations:
  order to access them.
  Paperless uses 4 volumes:
  - `paperless_media`: This is where your documents are stored.
  - `paperless_data`: This is where auxiliary data is stored. This
    folder also contains the SQLite database, if you use it.
@@ -62,6 +61,10 @@ copies you created in the steps above.
 ## Updating Paperless {#updating}
 !!! warning
    Please review the [migration instructions](migration-v3.md) before upgrading Paperless-ngx to v3.0, it includes some breaking changes that require manual intervention before upgrading.
 ### Docker Route {#docker-updating}
 If a new release of paperless-ngx is available, upgrading depends on how
@@ -177,6 +180,16 @@ following:
    This might not actually do anything. Not every new paperless version
    comes with new database migrations.
 4.  Rebuild the search index if needed.
    ```shell-session
    cd src
    python3 manage.py document_index reindex --if-needed
    ```
    This is a no-op if the index is already up to date, so it is safe to
    run on every upgrade.
 ### Database Upgrades
 Paperless-ngx is compatible with Django-supported versions of PostgreSQL and MariaDB and it is generally
@@ -345,11 +358,12 @@ document_importer source
 ```
 | Option              | Required | Default | Description                                                                                                  |
-| ------------------- | -------- | ------- | ------------------------------------------------------------------------- |
+| ------------------- | -------- | ------- | ------------------------------------------------------------------------------------------------------------ |
 | source              | Yes      | N/A     | The directory containing an export                                                                           |
 | `--no-progress-bar` | No       | False   | If provided, the progress bar will be hidden                                                                 |
 | `--data-only`       | No       | False   | If provided, only import data, do not import document files or thumbnails                                    |
 | `--passphrase`      | No       | N/A     | If your export was encrypted with a passphrase, must be provided                                             |
 | `--batch-size`      | No       | 500     | Number of database records inserted per batch. Lower values reduce peak memory usage on very large installs. |
 When you use the provided docker compose script, put the export inside
 the `export` folder in your paperless source directory. Specify
@@ -450,17 +464,42 @@ the search yields non-existing documents or won't find anything, you
 may need to recreate the index manually.
 ```
-document_index {reindex,optimize}
+document_index {reindex,optimize} [--recreate] [--if-needed]
 ```
-Specify `reindex` to have the index created from scratch. This may take
+Specify `reindex` to rebuild the index from all documents in the database. This
-some time.
+may take some time.
-Specify `optimize` to optimize the index. This updates certain aspects
+Pass `--recreate` to wipe the existing index before rebuilding. Use this when the
-of the index and usually makes queries faster and also ensures that the
+index is corrupted or you want a fully clean rebuild.
-autocompletion works properly. This command is regularly invoked by the
+
 Pass `--if-needed` to skip the rebuild if the index is already up to date (schema
 version and search language match). Safe to run on every startup or upgrade.
 Specify `optimize` to optimize the index. This command is regularly invoked by the
 task scheduler.
 !!! note
    The `optimize` subcommand is deprecated and is now a no-op. Tantivy manages
    segment merging automatically; no manual optimization step is needed.
 !!! note
    **Docker users:** On every startup, the container runs
    `document_index reindex --if-needed` automatically. Schema changes, language
    changes, and missing indexes are all detected and rebuilt before the webserver
    starts. No manual step is required.
    **Bare metal users:** Run the following command after each upgrade (and after
    changing `PAPERLESS_SEARCH_LANGUAGE`). It is a no-op if the index is already
    up to date:
    ```shell-session
    cd src
    python3 manage.py document_index reindex --if-needed
    ```
 ### Clearing the database read cache
 If the database read cache is enabled, **you must run this command** after making any changes to the database outside the application context.
@@ -582,7 +621,7 @@ document.
 ### Detecting duplicates {#fuzzy_duplicate}
-Paperless already catches and prevents upload of exactly matching documents,
+Paperless-ngx already catches and warns of exactly matching documents,
 however a new scan of an existing document may not produce an exact bit for bit
 duplicate. But the content should be exact or close, allowing detection.
@@ -262,6 +262,10 @@ your files differently, you can do that by adjusting the
 or using [storage paths (see below)](#storage-paths). Paperless adds the
 correct file extension e.g. `.pdf`, `.jpg` automatically.
 When a document has file versions, each version uses the same naming rules and
 storage path resolution as any other document file, with an added version suffix
 such as `_v1`, `_v2`, etc.
 This variable allows you to configure the filename (folders are allowed)
 using placeholders. For example, configuring this to
@@ -353,6 +357,8 @@ If paperless detects that two documents share the same filename,
 paperless will automatically append `_01`, `_02`, etc to the filename.
 This happens if all the placeholders in a filename evaluate to the same
 value.
 For versioned files, this counter is appended after the version suffix
 (for example `statement_v2_01.pdf`).
 If there are any errors in the placeholders included in `PAPERLESS_FILENAME_FORMAT`,
 paperless will fall back to using the default naming scheme instead.
@@ -431,8 +437,10 @@ This allows for complex logic to be included in the format, including [logical s
 and [filters](https://jinja.palletsprojects.com/en/3.1.x/templates/#id11) to manipulate the [variables](#filename-format-variables)
 provided. The template is provided as a string, potentially multiline, and rendered into a single line.
-In addition, the entire Document instance is available to be utilized in a more advanced way, as well as some variables which only make sense to be accessed
+In addition, a limited `document` object is available for advanced templates.
-with more complex logic.
+This object includes common metadata fields such as `id`, `pk`, `title`, `content`, `page_count`, `created`, `added`, `modified`, `mime_type`,
 `checksum`, `archive_checksum`, `archive_serial_number`, `filename`, `archive_filename`, and `original_filename`.
 Related values are available as nested objects with limited fields, for example document.correspondent.name, etc.
 #### Custom Jinja2 Filters
@@ -715,6 +723,81 @@ services:
 1. Note the `:ro` tag means the folder will be mounted as read only. This is for extra security against changes
 ## Installing third-party parser plugins {#parser-plugins}
 Third-party parser plugins extend Paperless-ngx to support additional file
 formats. A plugin is a Python package that advertises itself under the
 `paperless_ngx.parsers` entry point group. Refer to the
 [developer documentation](development.md#making-custom-parsers) for how to
 create one.
 !!! warning "Third-party plugins are not officially supported"
    The Paperless-ngx maintainers do not provide support for third-party
    plugins. Issues caused by or requiring changes to a third-party plugin
    will be closed without further investigation. Always reproduce problems
    with all plugins removed before filing a bug report.
 ### Docker
 Use a [custom container initialization script](#custom-container-initialization)
 to install the package before the webserver starts. Create a shell script and
 mount it into `/custom-cont-init.d`:
 ```bash
 #!/bin/bash
 # /path/to/my/scripts/install-parsers.sh
 pip install my-paperless-parser-package
 ```
 Mount it in your `docker-compose.yml`:
 ```yaml
 services:
  webserver:
    # ...
    volumes:
      - /path/to/my/scripts:/custom-cont-init.d:ro
 ```
 The script runs as `root` before the webserver starts, so the package will be
 available when Paperless-ngx discovers plugins at startup.
 ### Bare metal
 Install the package into the same Python environment that runs Paperless-ngx.
 If you followed the standard bare-metal install guide, that is the `paperless`
 user's environment:
 ```bash
 sudo -Hu paperless pip3 install my-paperless-parser-package
 ```
 If you are using `uv` or a virtual environment, activate it first and then run:
 ```bash
 uv pip install my-paperless-parser-package
 # or
 pip install my-paperless-parser-package
 ```
 Restart all Paperless-ngx services after installation so the new plugin is
 discovered.
 ### Verifying installation
 On the next startup, check the application logs for a line confirming
 discovery:
 ```
 Loaded third-party parser 'My Parser' v1.0.0 by Acme Corp (entrypoint: 'my_parser').
 ```
 If this line does not appear, verify that the package is installed in the
 correct environment and that its `pyproject.toml` declares the
 `paperless_ngx.parsers` entry point.
 ## MySQL Caveats {#mysql-caveats}
 ### Case Sensitivity
@@ -759,7 +842,7 @@ MariaDB: `mariadb-tzinfo-to-sql /usr/share/zoneinfo | mariadb -u root mysql -p`
 ## Barcodes {#barcodes}
-Paperless is able to utilize barcodes for automatically performing some tasks.
+Paperless is able to utilize barcodes for automatically performing some tasks. Barcodes are only supported for PDF documents or TIFF, [if enabled](configuration.md#PAPERLESS_CONSUMER_BARCODE_TIFF_SUPPORT).
 At this time, the library utilized for detection of barcodes supports the following types:
@@ -774,7 +857,6 @@ At this time, the library utilized for detection of barcodes supports the follow
 - QR Code
 - SQ Code
 You may check for updates on the [zbar library homepage](https://github.com/mchehab/zbar).
 For usage in Paperless, the type of barcode does not matter, only the contents of it.
 For how to enable barcode usage, see [the configuration](configuration.md#barcodes).
@@ -783,9 +865,17 @@ below.
 ### Document Splitting {#document-splitting}
-When enabled, Paperless will look for a barcode with the configured value and create a new document
+If document splitting is enabled, Paperless splits _after_ a separator barcode by default.
-starting from the next page. The page with the barcode on it will _not_ be retained. It
+This means:
-is expected to be a page existing only for triggering the split.
+
 - any page containing the configured separator barcode starts a new document, starting with the **next** page
 - pages containing the separator barcode are discarded
 This is intended for dedicated separator sheets such as PATCH-T pages.
 If [`PAPERLESS_CONSUMER_BARCODE_RETAIN_SPLIT_PAGES`](configuration.md#PAPERLESS_CONSUMER_BARCODE_RETAIN_SPLIT_PAGES)
 is enabled, the page containing the separator barcode is retained instead. In this mode,
 each page containing the separator barcode becomes the **first** page of a new document.
 ### Archive Serial Number Assignment
@@ -794,8 +884,9 @@ archive serial number, allowing quick reference back to the original, paper docu
 If document splitting via barcode is also enabled, documents will be split when an ASN
 barcode is located. However, differing from the splitting, the page with the
-barcode _will_ be retained. This allows application of a barcode to any page, including
+barcode _will_ be retained. Each detected ASN barcode starts a new document _starting with
-one which holds data to keep in the document.
+that page_. This allows placing ASN barcodes on content pages that should remain part of
 the document.
 ### Tag Assignment
@@ -805,6 +896,27 @@ See the relevant settings [`PAPERLESS_CONSUMER_ENABLE_TAG_BARCODE`](configuratio
 and [`PAPERLESS_CONSUMER_TAG_BARCODE_MAPPING`](configuration.md#PAPERLESS_CONSUMER_TAG_BARCODE_MAPPING)
 for more information.
 #### Splitting on Tag Barcodes
 By default, tag barcodes only assign tags to documents without splitting them. However,
 you can enable document splitting on tag barcodes by setting
 [`PAPERLESS_CONSUMER_TAG_BARCODE_SPLIT`](configuration.md#PAPERLESS_CONSUMER_TAG_BARCODE_SPLIT)
 to `true`.
 When enabled, documents will be split at pages containing tag barcodes, similar to how
 ASN barcodes work. Key features:
 - The page with the tag barcode is **retained** in the resulting document
 - **Each split document extracts its own tags** - only tags on pages within that document are assigned
 - Multiple tag barcodes can trigger multiple splits in the same document
 - Works seamlessly with ASN barcodes - each split document gets its own ASN and tags
 This is useful for batch scanning where you place tag barcode pages between different
 documents to both separate and categorize them in a single operation.
 **Example:** A 6-page scan with TAG:invoice on page 3 and TAG:receipt on page 5 will create
 three documents: pages 1-2 (no tags), pages 3-4 (tagged "invoice"), and pages 5-6 (tagged "receipt").
 ## Automatic collation of double-sided documents {#collate}
 !!! note
@@ -1,4 +1,4 @@
-# The REST API
+# REST API
 Paperless-ngx now ships with a fully-documented REST API and a browsable
 web interface to explore it. The API browsable interface is available at
@@ -8,7 +8,7 @@ Further documentation is provided here for some endpoints and features.
 ## Authorization
-The REST api provides four different forms of authentication.
+The REST api provides five different forms of authentication.
 1.  Basic authentication
@@ -52,12 +52,24 @@ The REST api provides four different forms of authentication.
    [configuration](configuration.md#PAPERLESS_ENABLE_HTTP_REMOTE_USER_API)),
    you can authenticate against the API using Remote User auth.
 5.  Headless OIDC via [`django-allauth`](https://codeberg.org/allauth/django-allauth)
    `django-allauth` exposes API endpoints under `api/auth/` which enable tools
    like third-party apps to authenticate with social accounts that are
    configured. See
    [here](advanced_usage.md#openid-connect-and-social-authentication) for more
    information on social accounts.
 ## Searching for documents
-Full text searching is available on the `/api/documents/` endpoint. Two
+Full text searching is available on the `/api/documents/` endpoint. The
-specific query parameters cause the API to return full text search
+following query parameters cause the API to return Tantivy-backed search
 results:
 - `/api/documents/?text=your%20search%20query`: Search title and content
  using simple substring-style search.
 - `/api/documents/?title_search=your%20search%20query`: Search title only
  using simple substring-style search.
 - `/api/documents/?query=your%20search%20query`: Search for a document
  using a full text query. For details on the syntax, see [Basic Usage - Searching](usage.md#basic-usage_searching).
 - `/api/documents/?more_like_id=1234`: Search for documents similar to
@@ -159,9 +171,8 @@ Query parameters:
 - `term`: The incomplete term.
 - `limit`: Amount of results. Defaults to 10.
-Results returned by the endpoint are ordered by importance of the term
+Results are ordered by how many of the user's visible documents contain
-in the document index. The first result is the term that has the highest
+each matching word. The first result is the word that appears in the most documents.
 [Tf/Idf](https://en.wikipedia.org/wiki/Tf%E2%80%93idf) score in the index.
 ```json
 ["term1", "term3", "term6", "term4"]
@@ -203,6 +214,21 @@ However, querying the tasks endpoint with the returned UUID e.g.
 `/api/tasks/?task_id={uuid}` will provide information on the state of the
 consumption including the ID of a created document if consumption succeeded.
 ## Document Versions
 Document versions are file-level versions linked to one root document.
 - Root document metadata (title, tags, correspondent, document type, storage path, custom fields, permissions) remains shared.
 - Version-specific file data (file, mime type, checksums, archive info, extracted text content) belongs to the selected/latest version.
 Version-aware endpoints:
 - `GET /api/documents/{id}/`: returns root document data; `content` resolves to latest version content by default. Use `?version={version_id}` to resolve content for a specific version.
 - `PATCH /api/documents/{id}/`: content updates target the selected version (`?version={version_id}`) or latest version by default; non-content metadata updates target the root document.
 - `GET /api/documents/{id}/download/`, `GET /api/documents/{id}/preview/`, `GET /api/documents/{id}/thumb/`, `GET /api/documents/{id}/metadata/`: accept `?version={version_id}`.
 - `POST /api/documents/{id}/update_version/`: uploads a new version using multipart form field `document` and optional `version_label`.
 - `DELETE /api/documents/{root_id}/versions/{version_id}/`: deletes a non-root version.
 ## Permissions
 All objects (documents, tags, etc.) allow setting object-level permissions
@@ -282,52 +308,16 @@ The following methods are supported:
    - `"merge": true or false` (defaults to false)
  - The `merge` flag determines if the supplied permissions will overwrite all existing permissions (including
    removing them) or be merged with existing permissions.
 -   `edit_pdf`
    -   Requires `parameters`:
        -   `"doc_ids": [DOCUMENT_ID]` A list of a single document ID to edit.
        -   `"operations": [OPERATION, ...]` A list of operations to perform on the documents. Each operation is a dictionary
            with the following keys:
            -   `"page": PAGE_NUMBER` The page number to edit (1-based).
            -   `"rotate": DEGREES` Optional rotation in degrees (90, 180, 270).
            -   `"doc": OUTPUT_DOCUMENT_INDEX` Optional index of the output document for split operations.
    -   Optional `parameters`:
        -   `"delete_original": true` to delete the original documents after editing.
        -   `"update_document": true` to update the existing document with the edited PDF.
        -   `"include_metadata": true` to copy metadata from the original document to the edited document.
 -   `remove_password`
    -   Requires `parameters`:
        -   `"password": "PASSWORD_STRING"` The password to remove from the PDF documents.
    -   Optional `parameters`:
        -   `"update_document": true` to replace the existing document with the password-less PDF.
        -   `"delete_original": true` to delete the original document after editing.
        -   `"include_metadata": true` to copy metadata from the original document to the new password-less document.
 -   `merge`
    -   No additional `parameters` required.
    -   The ordering of the merged document is determined by the list of IDs.
    -   Optional `parameters`:
        -   `"metadata_document_id": DOC_ID` apply metadata (tags, correspondent, etc.) from this document to the merged document.
        -   `"delete_originals": true` to delete the original documents. This requires the calling user being the owner of
            all documents that are merged.
 -   `split`
    -   Requires `parameters`:
        -   `"pages": [..]` The list should be a list of pages and/or a ranges, separated by commas e.g. `"[1,2-3,4,5-7]"`
    -   Optional `parameters`:
        -   `"delete_originals": true` to delete the original document after consumption. This requires the calling user being the owner of
            the document.
    -   The split operation only accepts a single document.
 -   `rotate`
    -   Requires `parameters`:
        -   `"degrees": DEGREES`. Must be an integer i.e. 90, 180, 270
 -   `delete_pages`
    -   Requires `parameters`:
        -   `"pages": [..]` The list should be a list of integers e.g. `"[2,3,4]"`
    -   The delete_pages operation only accepts a single document.
 - `modify_custom_fields`
  - Requires `parameters`:
    - `"add_custom_fields": { CUSTOM_FIELD_ID: VALUE }`: JSON object consisting of custom field id:value pairs to add to the document, can also be a list of custom field IDs
      to add with empty values.
    - `"remove_custom_fields": [CUSTOM_FIELD_ID]`: custom field ids to remove from the document.
 #### Document-editing operations
 Beginning with version 10+, the API supports individual endpoints for document-editing operations (`merge`, `rotate`, `edit_pdf`, etc), thus their documentation can be found in the API spec / viewer. Legacy document-editing methods via `/api/documents/bulk_edit/` are still supported for compatibility, are deprecated and clients should migrate to the individual endpoints before they are removed in a future version.
 ### Objects
 Bulk editing for objects (tags, document types etc.) currently supports set permissions or delete
@@ -346,41 +336,38 @@ operations, using the endpoint: `/api/bulk_edit_objects/`, which requires a json
 ## API Versioning
-The REST API is versioned since Paperless-ngx 1.3.0.
+The REST API is versioned.
 - Versioning ensures that changes to the API don't break older
  clients.
 - Clients specify the specific version of the API they wish to use
  with every request and Paperless will handle the request using the
  specified API version.
-   Even if the underlying data model changes, older API versions will
+- Even if the underlying data model changes, supported older API
-    always serve compatible data.
+  versions continue to serve compatible data.
-   If no version is specified, Paperless will serve version 1 to ensure
+- If no version is specified, Paperless serves the configured default
-    compatibility with older clients that do not request a specific API
+  API version (currently `10`).
-    version.
+- Supported API versions are currently `9` and `10`.
 API versions are specified by submitting an additional HTTP `Accept`
 header with every request:
 ```
-Accept: application/json; version=6
+Accept: application/json; version=10
 ```
-If an invalid version is specified, Paperless 1.3.0 will respond with
+If an invalid version is specified, Paperless responds with
-"406 Not Acceptable" and an error message in the body. Earlier
+`406 Not Acceptable` and an error message in the body.
 versions of Paperless will serve API version 1 regardless of whether a
 version is specified via the `Accept` header.
 If a client wishes to verify whether it is compatible with any given
 server, the following procedure should be performed:
-1.  Perform an _authenticated_ request against any API endpoint. If the
+1.  Perform an _authenticated_ request against any API endpoint. The
-    server is on version 1.3.0 or newer, the server will add two custom
+    server will add two custom headers to the response:
    headers to the response:
    ```
-    X-Api-Version: 2
+    X-Api-Version: 10
-    X-Version: 1.3.0
+    X-Version: <server-version>
    ```
 2.  Determine whether the client is compatible with this server based on
@@ -443,3 +430,18 @@ Initial API version.
 - The document `created` field is now a date, not a datetime. The
  `created_date` field is considered deprecated and will be removed in a
  future version.
 #### Version 10
 - The `show_on_dashboard` and `show_in_sidebar` fields of saved views have been
  removed. Relevant settings are now stored in the UISettings model. Compatibility is maintained
  for versions < 10 until support for API v9 is dropped.
 - Document-editing operations such as `merge`, `rotate`, and `edit_pdf` have been
  moved from the bulk edit endpoint to their own individual endpoints. Using these methods via
  the bulk edit endpoint is still supported for compatibility with versions < 10 until support
  for API v9 is dropped.
 - The `all` parameter of list endpoints is now deprecated and will be removed in a future version.
 - The bulk edit objects endpoint now supports `all` and `filters` parameters to avoid having to send
  large lists of object IDs for operations affecting many objects.
 - The legacy `title_content` document search parameter is deprecated and will be removed in a future version.
  Clients should use `text` for simple title-and-content search and `title_search` for title-only search.
@@ -1,13 +1,31 @@
 :root>* {
-    --md-primary-fg-color: #17541f;
+    --paperless-green: #17541f;
-    --md-primary-fg-color--dark: #17541f;
+    --paperless-green-accent: #2b8a38;
-    --md-primary-fg-color--light: #17541f;
+    --md-primary-fg-color: var(--paperless-green);
-    --md-accent-fg-color: #2b8a38;
+    --md-primary-fg-color--dark: var(--paperless-green);
    --md-primary-fg-color--light: var(--paperless-green-accent);
    --md-accent-fg-color: var(--paperless-green-accent);
    --md-typeset-a-color: #21652a;
 }
 .md-header,
 .md-tabs {
    background-color: var(--paperless-green);
    color: #fff;
 }
 .md-tabs__link {
    color: rgba(255, 255, 255, 0.82);
 }
 .md-tabs__link:hover,
 .md-tabs__link--active {
    color: #fff;
 }
 [data-md-color-scheme="slate"] {
    --md-hue: 222;
    --md-default-bg-color: hsla(var(--md-hue), 15%, 10%, 1);
 }
@media (min-width: 768px) {
@@ -69,8 +87,8 @@ h4 code {
 }
 /* Hide config vars from sidebar, toc and move the border on mobile case their hidden */
-.md-nav.md-nav--secondary .md-nav__item .md-nav__link[href*="PAPERLESS_"],
+.md-nav.md-nav--secondary .md-nav__item:has(> .md-nav__link[href*="PAPERLESS_"]),
-.md-nav.md-nav--secondary .md-nav__item .md-nav__link[href*="USERMAP_"] {
+.md-nav.md-nav--secondary .md-nav__item:has(> .md-nav__link[href*="USERMAP_"]) {
    display: none;
 }
@@ -83,18 +101,3 @@ h4 code {
        border-top: .05rem solid var(--md-default-fg-color--lightest);
    }
 }
 /* Show search shortcut key */
 [data-md-toggle="search"]:not(:checked) ~ .md-header .md-search__form::after {
    position: absolute;
    top: .3rem;
    right: .3rem;
    display: block;
    padding: .1rem .4rem;
    color: var(--md-default-fg-color--lighter);
    font-weight: bold;
    font-size: .8rem;
    border: .05rem solid var(--md-default-fg-color--lighter);
    border-radius: .1rem;
    content: "/";
  }
@@ -1,12 +0,0 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- Generator: Adobe Illustrator 27.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 <svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
 	 viewBox="0 0 1000 1000" style="enable-background:new 0 0 1000 1000;" xml:space="preserve">
 <style type="text/css">
 	.st0{fill:#FFFFFF;}
 </style>
 <path class="st0" d="M299,891.7c-4.2-19.8-12.5-59.6-13.6-59.6c-176.7-105.7-155.8-288.7-97.3-393.4
 	c12.5,131.8,245.8,222.8,109.8,383.9c-1.1,2,6.2,27.2,12.5,50.2c27.2-46,68-101.4,65.8-106.7C208.9,358.2,731.9,326.9,840.6,73.7
 	c49.1,244.8-25.1,623.5-445.5,719.7c-2,1.1-76.3,131.8-79.5,132.9c0-2-31.4-1.1-27.2-11.5C290.7,908.4,294.8,900.1,299,891.7
 	L299,891.7z M293.8,793.4c53.3-61.8-9.4-167.4-47.1-201.9C310.5,701.3,306.3,765.1,293.8,793.4L293.8,793.4z"/>
 </svg>
@@ -1,68 +1,19 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="UTF-8"?>
-<!-- Generator: Adobe Illustrator 27.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg id="Layer_1" xmlns="http://www.w3.org/2000/svg" version="1.1" viewBox="0 0 2670 860">
-<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+  <path id="leaf" style="fill:#005616;" d="M2227.4,821.2c-6.1-17.8-18.1-53.6-19.2-53.4-174.7-77.8-159.8-201.2-117.5-304.2,26.3,120.1,235.3,130.3,128,294.1-.7,2,8.8,24.3,17.1,44.9,19.9-45.4,51.3-101.1,48.8-105.7-199.9-357.4,278.8-444.7,350.7-690.2,72.6,220.1,46.5,577.5-330.4,713.3-1.8,1.2-55.6,130-58.5,131.4-.2-1.9-29.1,2.5-26.4-7.6,1.4-6.2,4.2-14.2,7.2-22.4h0v-.2h.2,0ZM2211.7,731.2c42.3-62.9-11.1-105.7-49.8-133.2,71,94,58.1,105.7,49.8,133.2h0Z"/>
-	 viewBox="0 0 2962.2 860.2" style="enable-background:new 0 0 2962.2 860.2;" xml:space="preserve">
+  <g id="text" style="fill: #000;">
-<style type="text/css">
+    <path class="st1" d="M654.6,393.2l-.7,137.7h-85.5V188.7h85.4c.4,11.3-.3,21.7,1.3,33.8,23.1-34.1,62.3-50,101.1-38.3,16.5,5,29.6,16.4,39.7,30,34.4,46.5,35.1,134,3.6,182.2-10.1,14.4-22.5,26.9-39,33.4-39.5,15.7-81,1.1-105.9-36.6h0ZM721,362.2c21-26.1,21-82.7-.4-108.4-13.2-15.9-36.4-16.1-49.9-.4-22.2,25.8-21.7,85.3.5,110.1,13.6,15.2,36.6,15,49.7-1.3h.1Z"/>
-	.st0{fill:#17541F;stroke:#000000;stroke-miterlimit:10;}
+    <path class="st1" d="M164,301l-72.8.7v126.1H3.4V98.1l159.7.5c31.3,0,58.9,13.6,79.4,36.1,30.8,37.6,30.9,91.7.6,129.6-20.1,22.8-47.6,36.5-79,36.8h-.1ZM176.8,199.8c0-20.8-15.1-35-34.7-35l-51,.2v69.5l53.6-.2c18.5,0,32-15.8,32.2-34.5h-.1Z"/>
-</style>
+    <polygon class="st1" points="1338.2 427.8 1338 366 1412.4 365.8 1412.5 139.3 1338.1 139.1 1338.1 77.4 1498.1 77.4 1498.1 365.7 1572.3 365.9 1572.5 427.7 1338.2 427.8"/>
-<path d="M1055.6,639.7v-20.6c-18,20-43.1,30.1-75.4,30.1c-22.4,0-42.8-5.8-61-17.5c-18.3-11.7-32.5-27.8-42.9-48.3
+    <path class="st1" d="M1741.8,364.3c9.1-8.6,14-18.1,17.7-30.3l68.4,13.3c-10.5,45.2-46.5,79.2-92.3,86.7-59.2,9.6-118.7-14.2-138.6-73.7-10.9-32.7-10.7-68.6.6-100.9,17.7-50.6,64.3-80.5,117.1-79.1,76.5,2,113.4,65.4,111.1,136.1h-155.4c-.7,12.5,3,25,9.7,35.9,13.2,21.3,40.9,26.9,61.5,12h.2ZM1749.4,273.1c-2.4-10.8-6.9-18-13.9-24.6-12.8-8.3-30.1-9.5-43.4-1.1-9.3,5.8-14.6,15.1-18,25.7h75.3Z"/>
-	c-10.3-20.5-15.5-43.3-15.5-68.4c0-25.1,5.2-48,15.5-68.5s24.6-36.6,42.9-48.3s38.6-17.5,61-17.5c32.3,0,57.5,10,75.4,30.1v-20.6
+    <path class="st1" d="M1010.3,364.3c9.1-8.5,13.9-18.1,17.7-30.3l68.4,13.3c-10.4,45.2-46.5,79.2-92.3,86.7-59.3,9.6-118.8-14.2-138.7-73.9-10.8-32.3-10.6-67.4.2-99.3,17.3-51.2,64.2-81.8,117.6-80.4,76.6,2,113.5,65.3,111.1,136.1h-155.6c-.2,12.7,3.2,25.1,9.9,35.9,13.2,21.3,40.9,27,61.5,12h.2ZM1018,273.2c-2.4-9.4-6.3-18.5-14.2-24.4-12.3-9.1-30.4-9.4-43.3-1.3-9.3,5.9-14.4,15.1-17.9,25.6h75.4Z"/>
-	h85.3v249.6L1055.6,639.7L1055.6,639.7z M1059.1,514.9c0-17.4-5.2-31.9-15.5-43.8c-10.3-11.8-23.9-17.7-40.6-17.7
+    <path class="st1" d="M424.3,376.9c-7.1,13.6-12.5,25.7-23.2,35.5-14.3,13.3-32.6,19.3-52.3,19.4-40.4.2-75.6-23.1-73.6-65.7.9-20.1,9.7-37.2,26.5-49.2,30.5-21.8,55.8-22.4,87.8-40.6,8.1-4.6,18.2-15.3,12.4-22.2s-5-3-8-3.7h-96.3v-61.8h109.6c14.7.6,28.1,2.2,41.7,7.2,23.7,8.8,39.6,29.5,39.8,55.2l.7,90.6c0,13.5,11,23,23.7,23.9l10.1.7v61.3h-29.9c-13.1,0-25.9-3-37.3-8.6-16.9-8.2-26.9-22.2-31.6-42.2h0v.2h-.1ZM364.9,370.1c6.8,5.9,16.2,6.5,24.8,2.7,18.1-7.9,16.5-38.3,16.1-55-3.6,4.3-7.4,9-12.5,11.2l-21.1,9.3c-5.8,2.5-10.6,8-11.8,13s-1,13.8,4.7,18.7h-.2Z"/>
-	c-16.8,0-30.2,5.9-40.4,17.7c-10.2,11.8-15.3,26.4-15.3,43.8c0,17.4,5.1,31.9,15.3,43.8c10.2,11.8,23.6,17.7,40.4,17.7
+    <path class="st1" d="M1943,430.1c-33.5-8.9-68.5-33.6-78.9-68.9l66.6-27.2c11.8,22.1,31.6,42.1,57.2,39.8,4.3-.4,9.3-3.1,11.2-6,7.8-12.5-4.3-24.3-16.2-30.7l-47.3-25.2c-32.2-17.1-57.7-50.7-41.6-87.4,11.9-27,48.1-35,75.3-36h99.2v61.8h-88.6c-2.5.4-6.2,2.3-7,4.2s.7,7,2.7,8.2c31.6,18.6,88.3,38.3,103.8,72,10.4,22.6,6.7,50-9.2,69.1-29.5,35.7-86.1,36.9-127,26.1v.2h-.2,0Z"/>
-	c16.8,0,30.3-5.9,40.6-17.7C1054,546.9,1059.1,532.3,1059.1,514.9z"/>
+    <path class="st1" d="M1318.2,264.3l-68.5.2c-19.4,0-30.1,10.8-31.6,30.2v133.1h-85.7v-239h85.6l1,58.9,11.9-25.1c14.3-30.5,56.9-36.5,87.4-33.6v75.4h-.1Z"/>
-<path d="M1417.8,398.2c18.3,11.7,32.5,27.8,42.9,48.3c10.3,20.5,15.5,43.3,15.5,68.5c0,25.1-5.2,48-15.5,68.4
+    <path class="st1" d="M2232.8,374.2c-26,1.2-44.6-18.4-56.5-40.1l-66.5,27.3c10.8,35.9,46.2,60.4,80.3,69.2h0c10.6,2.6,22,4.5,33.7,5.2,3.2-7.9,6.8-15.6,10.8-23.4,18.5-35.9,44.3-68.4,73.8-98.8-23.6-21.1-62.6-36.7-87-50.6-2.2-1.2-3.6-6.7-2.7-8.7.9-2,4.5-3.5,7.4-3.9h88.2v-61.8h-97.4c-27,.7-63.8,8.2-76.5,34.8-8.3,17.5-6.8,38.5,3.5,54.9,9.3,14.9,22.2,25.8,37.7,33.9l45.8,24.3c11.5,6.1,24.7,17,17.9,30.5-2.1,4.1-7.4,6.5-12.6,7.2h.1Z"/>
-	c-10.3,20.5-24.6,36.6-42.9,48.3s-38.6,17.5-61,17.5c-32.3,0-57.5-10-75.4-30.1v165.6h-85.3V390.2h85.3v20.6
+    <path class="st1" d="M1547.6,801.6h81.2c11.6-.2,23.2-3.8,31.9-11.2,7.3-6.2,11.7-15.4,13.9-24.8l16.8-72.7c-7.2,9-12.8,16.9-20.7,24.2-18.3,16.8-42.3,23.8-66.9,19.5-32.5-5.7-46.7-34.7-47-65.6-.5-44,18.9-93.6,57.6-117.1,18-10.9,39.5-13.9,60-9.6,12.4,2.6,22.1,9.9,29.1,20,5.8,8.4,7.8,17.2,10.8,27.8l10.7-45.4,15.6.3-50.6,219.5c-2.9,12.6-8.9,24.6-18.4,32.9-12,10.4-28.1,15.1-44,15.2l-82.9.2,2.7-13.1h.2ZM1691.8,673.5c12.9-26.3,20.1-60.3,11-88.6-5.1-15.8-17.9-26.5-34.2-28.8-20.7-2.9-40.3,2.9-55.9,16.8-13.6,12.1-23.5,26.7-30.3,43.7-9.8,24.4-14.8,56.5-4.6,81.1,5,12.1,14.7,21.3,27.6,24.7,39,10.3,70.1-16,86.4-49h0Z"/>
-	c18-20,43.1-30.1,75.4-30.1C1379.2,380.7,1399.5,386.6,1417.8,398.2z M1389.5,514.9c0-17.4-5.1-31.9-15.3-43.8
+    <path class="st1" d="M1441.6,556.8c-43.6-8.7-84.4,29.7-93.8,70l-24.8,106.6h-15.7l43.1-186.4,15.6-.2-8.6,39.5c22.3-28.9,53.9-49.3,90.7-42.5,16.8,3.1,29.1,15.6,32.1,32.4,2.1,11.6,1.6,23.4-1.1,35.3l-28.1,122.2h-15.6c0,0,27.5-119.9,27.5-119.9,4.7-20.6,5.9-51.3-21.2-56.7v-.3Z"/>
-	c-10.2-11.8-23.6-17.7-40.4-17.7s-30.2,5.9-40.4,17.7c-10.2,11.8-15.3,26.4-15.3,43.8c0,17.4,5.1,31.9,15.3,43.8
+    <path class="st1" d="M1958.9,733.3h-16.2l-38.2-90.1-79.8,90.3-19.3-.2,77.6-87.2c5.1-5.7,11-10.1,17.2-14.5-4.6-4.7-8.5-9.6-11.3-15.3l-33.9-69.3,16.2-.2,35.3,74.1,69-73.9c6.6-.3,12.7-.3,19.6.2l-63.1,66.6c-6.4,6.8-13.4,12.5-20.9,18,3.4,3.4,7.5,7.5,9.6,12.4l38.3,89.2h-.1Z"/>
-	c10.2,11.8,23.6,17.7,40.4,17.7s30.2-5.9,40.4-17.7S1389.5,532.3,1389.5,514.9z"/>
+    <path class="st1" d="M1224.4,635.4H3.4c1.1-5.6,1.9-9.5,3.1-13.9h1220.9l-2.9,13.9h0Z"/>
 <path d="M1713.6,555.3l53,49.4c-28.1,29.6-66.7,44.4-115.8,44.4c-28.1,0-53-5.8-74.5-17.5s-38.2-27.7-49.8-48
 	c-11.7-20.3-17.7-43.2-18-68.7c0-24.8,5.9-47.5,17.7-68c11.8-20.5,28.1-36.7,48.7-48.5s43.5-17.7,68.7-17.7
 	c24.8,0,47.6,6.1,68.2,18.2s37,29.5,49.1,52.3c12.1,22.7,18.2,49.1,18.2,79l-0.4,11.7h-181.8c3.6,11.4,10.5,20.7,20.9,28.1
 	c10.3,7.3,21.3,11,33,11c14.4,0,26.3-2.2,35.7-6.5C1695.8,570.1,1704.9,563.7,1713.6,555.3z M1596.9,486.2h92.9
 	c-2.1-12.3-7.5-22.1-16.2-29.4s-18.7-11-30.1-11s-21.5,3.7-30.3,11S1599,473.9,1596.9,486.2z"/>
 <path d="M1908.8,418.4c7.8-10.8,17.2-19,28.3-24.7s22-8.5,32.8-8.5c11.4,0,20,1.6,26,4.9l-10.8,72.7c-8.4-2.1-15.7-3.1-22-3.1
 	c-17.1,0-30.4,4.3-39.9,12.8c-9.6,8.5-14.4,24.2-14.4,46.9v120.3h-85.3V390.2h85.3V418.4L1908.8,418.4z"/>
 <path d="M2113,258.2v381.5h-85.3V258.2H2113z"/>
 <path d="M2360.8,555.3l53,49.4c-28.1,29.6-66.7,44.4-115.8,44.4c-28.1,0-53-5.8-74.5-17.5s-38.2-27.7-49.8-48
 	c-11.7-20.3-17.7-43.2-18-68.7c0-24.8,5.9-47.5,17.7-68s28.1-36.7,48.7-48.5c20.6-11.8,43.5-17.7,68.7-17.7
 	c24.8,0,47.6,6.1,68.2,18.2c20.6,12.1,37,29.5,49.1,52.3c12.1,22.7,18.2,49.1,18.2,79l-0.4,11.7h-181.8
 	c3.6,11.4,10.5,20.7,20.9,28.1c10.3,7.3,21.3,11,33,11c14.4,0,26.3-2.2,35.7-6.5C2343.1,570.1,2352.1,563.7,2360.8,555.3z
 	 M2244.1,486.2h92.9c-2.1-12.3-7.5-22.1-16.2-29.4s-18.7-11-30.1-11s-21.5,3.7-30.3,11C2251.7,464.1,2246.2,473.9,2244.1,486.2z"/>
 <path d="M2565.9,446.3c-9.9,0-17.1,1.1-21.5,3.4c-4.5,2.2-6.7,5.9-6.7,11s3.4,8.8,10.3,11.2c6.9,2.4,18,4.9,33.2,7.6
 	c20,3,37,6.7,50.9,11.2s26,12.1,36.1,22.9c10.2,10.8,15.3,25.9,15.3,45.3c0,29.9-10.9,52.4-32.8,67.6
 	c-21.8,15.1-50.3,22.7-85.3,22.7c-25.7,0-49.5-3.7-71.4-11c-21.8-7.3-37.4-14.7-46.7-22.2l33.7-60.6c10.2,9,23.4,15.8,39.7,20.4
 	c16.3,4.6,31.3,7,45.1,7c19.7,0,29.6-5.2,29.6-15.7c0-5.4-3.3-9.4-9.9-11.9c-6.6-2.5-17.2-5.2-31.9-7.9c-18.9-3.3-34.9-7.2-48-11.7
 	c-13.2-4.5-24.6-12.2-34.3-23.1c-9.7-10.9-14.6-26-14.6-45.1c0-27.2,9.7-48.5,29-63.7c19.3-15.3,46-22.9,80.1-22.9
 	c23.3,0,44.4,3.6,63.3,10.8c18.9,7.2,34,14.5,45.3,22l-32.8,58.8c-10.8-7.5-23.2-13.7-37.3-18.6
 	C2590.5,448.7,2577.6,446.3,2565.9,446.3z"/>
 <path d="M2817.3,446.3c-9.9,0-17.1,1.1-21.5,3.4c-4.5,2.2-6.7,5.9-6.7,11s3.4,8.8,10.3,11.2c6.9,2.4,18,4.9,33.2,7.6
 	c20,3,37,6.7,50.9,11.2s26,12.1,36.1,22.9c10.2,10.8,15.3,25.9,15.3,45.3c0,29.9-10.9,52.4-32.8,67.6
 	c-21.8,15.1-50.3,22.7-85.3,22.7c-25.7,0-49.5-3.7-71.4-11c-21.8-7.3-37.4-14.7-46.7-22.2l33.7-60.6c10.2,9,23.4,15.8,39.7,20.4
 	c16.3,4.6,31.3,7,45.1,7c19.8,0,29.6-5.2,29.6-15.7c0-5.4-3.3-9.4-9.9-11.9c-6.6-2.5-17.2-5.2-31.9-7.9c-18.9-3.3-34.9-7.2-48-11.7
 	c-13.2-4.5-24.6-12.2-34.3-23.1c-9.7-10.9-14.6-26-14.6-45.1c0-27.2,9.7-48.5,29-63.7c19.3-15.3,46-22.9,80.1-22.9
 	c23.3,0,44.4,3.6,63.3,10.8c18.9,7.2,34,14.5,45.3,22l-32.8,58.8c-10.8-7.5-23.2-13.7-37.3-18.6
 	C2841.8,448.7,2828.9,446.3,2817.3,446.3z"/>
 <g>
 	<path d="M2508,724h60.2v17.3H2508V724z"/>
 	<path d="M2629.2,694.4c4.9-2,10.2-3.1,16-3.1c10.9,0,19.5,3.4,25.9,10.2s9.6,16.7,9.6,29.6v57.3h-19.6v-52.6
 		c0-9.3-1.7-16.2-5.1-20.7c-3.4-4.5-9.1-6.7-17-6.7c-6.5,0-11.8,2.4-16.1,7.1c-4.3,4.8-6.4,11.5-6.4,20.2v52.6h-19.6v-94.6h19.6v9.5
 		C2620.2,699.4,2624.4,696.4,2629.2,694.4z"/>
 	<path d="M2790.3,833.2c-8.6,6.8-19.4,10.2-32.3,10.2c-7.9,0-15.2-1.4-21.9-4.1s-12.1-6.8-16.3-12.2s-6.6-11.9-7.1-19.6h19.6
 		c0.7,6.1,3.5,10.8,8.4,13.9c4.9,3.2,10.7,4.8,17.4,4.8c7,0,13.1-2,18.2-6c5.1-4,7.7-10.3,7.7-18.9v-24.7c-3.6,3.4-8,6.2-13.3,8.2
 		c-5.2,2.1-10.7,3.1-16.3,3.1c-8.7,0-16.6-2.1-23.7-6.4c-7.1-4.3-12.6-10-16.7-17.3c-4-7.3-6-15.5-6-24.6s2-17.3,6-24.7
 		s9.6-13.2,16.7-17.4c7.1-4.3,15-6.4,23.7-6.4c5.7,0,11.1,1,16.3,3.1s9.6,4.8,13.3,8.2v-8.8h19.4v107.8
 		C2803.2,815.9,2798.9,826.4,2790.3,833.2z M2782.2,755.7c2.6-4.7,3.8-10,3.8-15.9s-1.3-11.2-3.8-16c-2.6-4.8-6.1-8.5-10.5-11.1
 		c-4.5-2.7-9.5-4-15.1-4c-5.8,0-10.9,1.4-15.4,4.3c-4.5,2.8-7.9,6.6-10.3,11.4c-2.4,4.8-3.6,9.9-3.6,15.5c0,5.4,1.2,10.5,3.6,15.3
 		c2.4,4.8,5.8,8.6,10.3,11.5s9.6,4.3,15.4,4.3c5.6,0,10.6-1.4,15.1-4.1C2776.1,764.1,2779.6,760.4,2782.2,755.7z"/>
 	<path d="M2843.5,788.4h-21.6l37.9-48l-36.4-46.6h22.6l25.7,33.3l25.8-33.3h21.6l-36.2,45.9l37.9,48.6h-22.6l-27.4-35L2843.5,788.4z
 		"/>
  </g>
 <path d="M835.8,319.2c-11.5-18.9-27.4-33.7-47.6-44.7c-20.2-10.9-43-16.4-68.5-16.4h-90.6c-8.6,39.6-21.3,77.2-38,112.4
 	c-10,21-21.3,41-33.9,59.9v209.2H647v-135h72.7c25.4,0,48.3-5.5,68.5-16.4s36.1-25.8,47.6-44.7c11.5-18.9,17.3-39.5,17.3-61.9
 	C853.1,358.9,847.4,338.1,835.8,319.2z M747,416.6c-9.4,9-21.8,13.5-37,13.5l-62.8,0.4v-93.4l62.8-0.4c15.3,0,27.6,4.5,37,13.5
 	s14.1,20,14.1,33.2C761.1,396.6,756.4,407.7,747,416.6z"/>
 <path class="st0" d="M164.7,698.7c-3.5-16.5-10.4-49.6-11.3-49.6c-147.1-88-129.7-240.3-81-327.4C82.8,431.4,277,507.1,163.8,641.2
 	c-0.9,1.7,5.2,22.6,10.4,41.8c22.6-38.3,56.6-84.4,54.8-88.8C89.7,254.7,525,228.6,615.5,17.9c40.9,203.7-20.9,518.9-370.8,599
 	c-1.7,0.9-63.5,109.7-66.2,110.6c0-1.7-26.1-0.9-22.6-9.6C157.8,712.6,161.2,705.7,164.7,698.7L164.7,698.7z M160.4,616.9
 	c44.4-51.4-7.8-139.3-39.2-168C174.3,540.2,170.8,593.3,160.4,616.9L160.4,616.9z"/>
 </svg>
@@ -0,0 +1,19 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <svg id="Layer_1" xmlns="http://www.w3.org/2000/svg" version="1.1" viewBox="0 0 2670 860">
  <path id="leaf" style="fill:#005616;" d="M2227.4,821.2c-6.1-17.8-18.1-53.6-19.2-53.4-174.7-77.8-159.8-201.2-117.5-304.2,26.3,120.1,235.3,130.3,128,294.1-.7,2,8.8,24.3,17.1,44.9,19.9-45.4,51.3-101.1,48.8-105.7-199.9-357.4,278.8-444.7,350.7-690.2,72.6,220.1,46.5,577.5-330.4,713.3-1.8,1.2-55.6,130-58.5,131.4-.2-1.9-29.1,2.5-26.4-7.6,1.4-6.2,4.2-14.2,7.2-22.4h0v-.2h.2,0ZM2211.7,731.2c42.3-62.9-11.1-105.7-49.8-133.2,71,94,58.1,105.7,49.8,133.2h0Z"/>
  <g id="text" style="fill: #eee;">
    <path class="st1" d="M654.6,393.2l-.7,137.7h-85.5V188.7h85.4c.4,11.3-.3,21.7,1.3,33.8,23.1-34.1,62.3-50,101.1-38.3,16.5,5,29.6,16.4,39.7,30,34.4,46.5,35.1,134,3.6,182.2-10.1,14.4-22.5,26.9-39,33.4-39.5,15.7-81,1.1-105.9-36.6h0ZM721,362.2c21-26.1,21-82.7-.4-108.4-13.2-15.9-36.4-16.1-49.9-.4-22.2,25.8-21.7,85.3.5,110.1,13.6,15.2,36.6,15,49.7-1.3h.1Z"/>
    <path class="st1" d="M164,301l-72.8.7v126.1H3.4V98.1l159.7.5c31.3,0,58.9,13.6,79.4,36.1,30.8,37.6,30.9,91.7.6,129.6-20.1,22.8-47.6,36.5-79,36.8h-.1ZM176.8,199.8c0-20.8-15.1-35-34.7-35l-51,.2v69.5l53.6-.2c18.5,0,32-15.8,32.2-34.5h-.1Z"/>
    <polygon class="st1" points="1338.2 427.8 1338 366 1412.4 365.8 1412.5 139.3 1338.1 139.1 1338.1 77.4 1498.1 77.4 1498.1 365.7 1572.3 365.9 1572.5 427.7 1338.2 427.8"/>
    <path class="st1" d="M1741.8,364.3c9.1-8.6,14-18.1,17.7-30.3l68.4,13.3c-10.5,45.2-46.5,79.2-92.3,86.7-59.2,9.6-118.7-14.2-138.6-73.7-10.9-32.7-10.7-68.6.6-100.9,17.7-50.6,64.3-80.5,117.1-79.1,76.5,2,113.4,65.4,111.1,136.1h-155.4c-.7,12.5,3,25,9.7,35.9,13.2,21.3,40.9,26.9,61.5,12h.2ZM1749.4,273.1c-2.4-10.8-6.9-18-13.9-24.6-12.8-8.3-30.1-9.5-43.4-1.1-9.3,5.8-14.6,15.1-18,25.7h75.3Z"/>
    <path class="st1" d="M1010.3,364.3c9.1-8.5,13.9-18.1,17.7-30.3l68.4,13.3c-10.4,45.2-46.5,79.2-92.3,86.7-59.3,9.6-118.8-14.2-138.7-73.9-10.8-32.3-10.6-67.4.2-99.3,17.3-51.2,64.2-81.8,117.6-80.4,76.6,2,113.5,65.3,111.1,136.1h-155.6c-.2,12.7,3.2,25.1,9.9,35.9,13.2,21.3,40.9,27,61.5,12h.2ZM1018,273.2c-2.4-9.4-6.3-18.5-14.2-24.4-12.3-9.1-30.4-9.4-43.3-1.3-9.3,5.9-14.4,15.1-17.9,25.6h75.4Z"/>
    <path class="st1" d="M424.3,376.9c-7.1,13.6-12.5,25.7-23.2,35.5-14.3,13.3-32.6,19.3-52.3,19.4-40.4.2-75.6-23.1-73.6-65.7.9-20.1,9.7-37.2,26.5-49.2,30.5-21.8,55.8-22.4,87.8-40.6,8.1-4.6,18.2-15.3,12.4-22.2s-5-3-8-3.7h-96.3v-61.8h109.6c14.7.6,28.1,2.2,41.7,7.2,23.7,8.8,39.6,29.5,39.8,55.2l.7,90.6c0,13.5,11,23,23.7,23.9l10.1.7v61.3h-29.9c-13.1,0-25.9-3-37.3-8.6-16.9-8.2-26.9-22.2-31.6-42.2h0v.2h-.1ZM364.9,370.1c6.8,5.9,16.2,6.5,24.8,2.7,18.1-7.9,16.5-38.3,16.1-55-3.6,4.3-7.4,9-12.5,11.2l-21.1,9.3c-5.8,2.5-10.6,8-11.8,13s-1,13.8,4.7,18.7h-.2Z"/>
    <path class="st1" d="M1943,430.1c-33.5-8.9-68.5-33.6-78.9-68.9l66.6-27.2c11.8,22.1,31.6,42.1,57.2,39.8,4.3-.4,9.3-3.1,11.2-6,7.8-12.5-4.3-24.3-16.2-30.7l-47.3-25.2c-32.2-17.1-57.7-50.7-41.6-87.4,11.9-27,48.1-35,75.3-36h99.2v61.8h-88.6c-2.5.4-6.2,2.3-7,4.2s.7,7,2.7,8.2c31.6,18.6,88.3,38.3,103.8,72,10.4,22.6,6.7,50-9.2,69.1-29.5,35.7-86.1,36.9-127,26.1v.2h-.2,0Z"/>
    <path class="st1" d="M1318.2,264.3l-68.5.2c-19.4,0-30.1,10.8-31.6,30.2v133.1h-85.7v-239h85.6l1,58.9,11.9-25.1c14.3-30.5,56.9-36.5,87.4-33.6v75.4h-.1Z"/>
    <path class="st1" d="M2232.8,374.2c-26,1.2-44.6-18.4-56.5-40.1l-66.5,27.3c10.8,35.9,46.2,60.4,80.3,69.2h0c10.6,2.6,22,4.5,33.7,5.2,3.2-7.9,6.8-15.6,10.8-23.4,18.5-35.9,44.3-68.4,73.8-98.8-23.6-21.1-62.6-36.7-87-50.6-2.2-1.2-3.6-6.7-2.7-8.7.9-2,4.5-3.5,7.4-3.9h88.2v-61.8h-97.4c-27,.7-63.8,8.2-76.5,34.8-8.3,17.5-6.8,38.5,3.5,54.9,9.3,14.9,22.2,25.8,37.7,33.9l45.8,24.3c11.5,6.1,24.7,17,17.9,30.5-2.1,4.1-7.4,6.5-12.6,7.2h.1Z"/>
    <path class="st1" d="M1547.6,801.6h81.2c11.6-.2,23.2-3.8,31.9-11.2,7.3-6.2,11.7-15.4,13.9-24.8l16.8-72.7c-7.2,9-12.8,16.9-20.7,24.2-18.3,16.8-42.3,23.8-66.9,19.5-32.5-5.7-46.7-34.7-47-65.6-.5-44,18.9-93.6,57.6-117.1,18-10.9,39.5-13.9,60-9.6,12.4,2.6,22.1,9.9,29.1,20,5.8,8.4,7.8,17.2,10.8,27.8l10.7-45.4,15.6.3-50.6,219.5c-2.9,12.6-8.9,24.6-18.4,32.9-12,10.4-28.1,15.1-44,15.2l-82.9.2,2.7-13.1h.2ZM1691.8,673.5c12.9-26.3,20.1-60.3,11-88.6-5.1-15.8-17.9-26.5-34.2-28.8-20.7-2.9-40.3,2.9-55.9,16.8-13.6,12.1-23.5,26.7-30.3,43.7-9.8,24.4-14.8,56.5-4.6,81.1,5,12.1,14.7,21.3,27.6,24.7,39,10.3,70.1-16,86.4-49h0Z"/>
    <path class="st1" d="M1441.6,556.8c-43.6-8.7-84.4,29.7-93.8,70l-24.8,106.6h-15.7l43.1-186.4,15.6-.2-8.6,39.5c22.3-28.9,53.9-49.3,90.7-42.5,16.8,3.1,29.1,15.6,32.1,32.4,2.1,11.6,1.6,23.4-1.1,35.3l-28.1,122.2h-15.6c0,0,27.5-119.9,27.5-119.9,4.7-20.6,5.9-51.3-21.2-56.7v-.3Z"/>
    <path class="st1" d="M1958.9,733.3h-16.2l-38.2-90.1-79.8,90.3-19.3-.2,77.6-87.2c5.1-5.7,11-10.1,17.2-14.5-4.6-4.7-8.5-9.6-11.3-15.3l-33.9-69.3,16.2-.2,35.3,74.1,69-73.9c6.6-.3,12.7-.3,19.6.2l-63.1,66.6c-6.4,6.8-13.4,12.5-20.9,18,3.4,3.4,7.5,7.5,9.6,12.4l38.3,89.2h-.1Z"/>
    <path class="st1" d="M1224.4,635.4H3.4c1.1-5.6,1.9-9.5,3.1-13.9h1220.9l-2.9,13.9h0Z"/>
  </g>
 </svg>
@@ -1,69 +1,19 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="UTF-8"?>
-<!-- Generator: Adobe Illustrator 27.0.1, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg id="Layer_1" xmlns="http://www.w3.org/2000/svg" version="1.1" viewBox="0 0 2670 860">
-<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+  <path id="leaf" style="fill:#005616;" d="M2227.4,821.2c-6.1-17.8-18.1-53.6-19.2-53.4-174.7-77.8-159.8-201.2-117.5-304.2,26.3,120.1,235.3,130.3,128,294.1-.7,2,8.8,24.3,17.1,44.9,19.9-45.4,51.3-101.1,48.8-105.7-199.9-357.4,278.8-444.7,350.7-690.2,72.6,220.1,46.5,577.5-330.4,713.3-1.8,1.2-55.6,130-58.5,131.4-.2-1.9-29.1,2.5-26.4-7.6,1.4-6.2,4.2-14.2,7.2-22.4h0v-.2h.2,0ZM2211.7,731.2c42.3-62.9-11.1-105.7-49.8-133.2,71,94,58.1,105.7,49.8,133.2h0Z"/>
-	 viewBox="0 0 2962.2 860.2" style="enable-background:new 0 0 2962.2 860.2;" xml:space="preserve">
+  <g id="text" style="fill: #fff;">
-<style type="text/css">
+    <path class="st1" d="M654.6,393.2l-.7,137.7h-85.5V188.7h85.4c.4,11.3-.3,21.7,1.3,33.8,23.1-34.1,62.3-50,101.1-38.3,16.5,5,29.6,16.4,39.7,30,34.4,46.5,35.1,134,3.6,182.2-10.1,14.4-22.5,26.9-39,33.4-39.5,15.7-81,1.1-105.9-36.6h0ZM721,362.2c21-26.1,21-82.7-.4-108.4-13.2-15.9-36.4-16.1-49.9-.4-22.2,25.8-21.7,85.3.5,110.1,13.6,15.2,36.6,15,49.7-1.3h.1Z"/>
-	.st0{fill:#FFFFFF;stroke:#000000;stroke-miterlimit:10;}
+    <path class="st1" d="M164,301l-72.8.7v126.1H3.4V98.1l159.7.5c31.3,0,58.9,13.6,79.4,36.1,30.8,37.6,30.9,91.7.6,129.6-20.1,22.8-47.6,36.5-79,36.8h-.1ZM176.8,199.8c0-20.8-15.1-35-34.7-35l-51,.2v69.5l53.6-.2c18.5,0,32-15.8,32.2-34.5h-.1Z"/>
-	.st1{fill:#17541F;stroke:#000000;stroke-miterlimit:10;}
+    <polygon class="st1" points="1338.2 427.8 1338 366 1412.4 365.8 1412.5 139.3 1338.1 139.1 1338.1 77.4 1498.1 77.4 1498.1 365.7 1572.3 365.9 1572.5 427.7 1338.2 427.8"/>
-</style>
+    <path class="st1" d="M1741.8,364.3c9.1-8.6,14-18.1,17.7-30.3l68.4,13.3c-10.5,45.2-46.5,79.2-92.3,86.7-59.2,9.6-118.7-14.2-138.6-73.7-10.9-32.7-10.7-68.6.6-100.9,17.7-50.6,64.3-80.5,117.1-79.1,76.5,2,113.4,65.4,111.1,136.1h-155.4c-.7,12.5,3,25,9.7,35.9,13.2,21.3,40.9,26.9,61.5,12h.2ZM1749.4,273.1c-2.4-10.8-6.9-18-13.9-24.6-12.8-8.3-30.1-9.5-43.4-1.1-9.3,5.8-14.6,15.1-18,25.7h75.3Z"/>
-<path class="st0" d="M1055.6,639.7v-20.6c-18,20-43.1,30.1-75.4,30.1c-22.4,0-42.8-5.8-61-17.5c-18.3-11.7-32.5-27.8-42.9-48.3
+    <path class="st1" d="M1010.3,364.3c9.1-8.5,13.9-18.1,17.7-30.3l68.4,13.3c-10.4,45.2-46.5,79.2-92.3,86.7-59.3,9.6-118.8-14.2-138.7-73.9-10.8-32.3-10.6-67.4.2-99.3,17.3-51.2,64.2-81.8,117.6-80.4,76.6,2,113.5,65.3,111.1,136.1h-155.6c-.2,12.7,3.2,25.1,9.9,35.9,13.2,21.3,40.9,27,61.5,12h.2ZM1018,273.2c-2.4-9.4-6.3-18.5-14.2-24.4-12.3-9.1-30.4-9.4-43.3-1.3-9.3,5.9-14.4,15.1-17.9,25.6h75.4Z"/>
-	c-10.3-20.5-15.5-43.3-15.5-68.4c0-25.1,5.2-48,15.5-68.5s24.6-36.6,42.9-48.3s38.6-17.5,61-17.5c32.3,0,57.5,10,75.4,30.1v-20.6
+    <path class="st1" d="M424.3,376.9c-7.1,13.6-12.5,25.7-23.2,35.5-14.3,13.3-32.6,19.3-52.3,19.4-40.4.2-75.6-23.1-73.6-65.7.9-20.1,9.7-37.2,26.5-49.2,30.5-21.8,55.8-22.4,87.8-40.6,8.1-4.6,18.2-15.3,12.4-22.2s-5-3-8-3.7h-96.3v-61.8h109.6c14.7.6,28.1,2.2,41.7,7.2,23.7,8.8,39.6,29.5,39.8,55.2l.7,90.6c0,13.5,11,23,23.7,23.9l10.1.7v61.3h-29.9c-13.1,0-25.9-3-37.3-8.6-16.9-8.2-26.9-22.2-31.6-42.2h0v.2h-.1ZM364.9,370.1c6.8,5.9,16.2,6.5,24.8,2.7,18.1-7.9,16.5-38.3,16.1-55-3.6,4.3-7.4,9-12.5,11.2l-21.1,9.3c-5.8,2.5-10.6,8-11.8,13s-1,13.8,4.7,18.7h-.2Z"/>
-	h85.3v249.6L1055.6,639.7L1055.6,639.7z M1059.1,514.9c0-17.4-5.2-31.9-15.5-43.8c-10.3-11.8-23.9-17.7-40.6-17.7
+    <path class="st1" d="M1943,430.1c-33.5-8.9-68.5-33.6-78.9-68.9l66.6-27.2c11.8,22.1,31.6,42.1,57.2,39.8,4.3-.4,9.3-3.1,11.2-6,7.8-12.5-4.3-24.3-16.2-30.7l-47.3-25.2c-32.2-17.1-57.7-50.7-41.6-87.4,11.9-27,48.1-35,75.3-36h99.2v61.8h-88.6c-2.5.4-6.2,2.3-7,4.2s.7,7,2.7,8.2c31.6,18.6,88.3,38.3,103.8,72,10.4,22.6,6.7,50-9.2,69.1-29.5,35.7-86.1,36.9-127,26.1v.2h-.2,0Z"/>
-	c-16.8,0-30.2,5.9-40.4,17.7c-10.2,11.8-15.3,26.4-15.3,43.8c0,17.4,5.1,31.9,15.3,43.8c10.2,11.8,23.6,17.7,40.4,17.7
+    <path class="st1" d="M1318.2,264.3l-68.5.2c-19.4,0-30.1,10.8-31.6,30.2v133.1h-85.7v-239h85.6l1,58.9,11.9-25.1c14.3-30.5,56.9-36.5,87.4-33.6v75.4h-.1Z"/>
-	c16.8,0,30.3-5.9,40.6-17.7C1054,546.9,1059.1,532.3,1059.1,514.9z"/>
+    <path class="st1" d="M2232.8,374.2c-26,1.2-44.6-18.4-56.5-40.1l-66.5,27.3c10.8,35.9,46.2,60.4,80.3,69.2h0c10.6,2.6,22,4.5,33.7,5.2,3.2-7.9,6.8-15.6,10.8-23.4,18.5-35.9,44.3-68.4,73.8-98.8-23.6-21.1-62.6-36.7-87-50.6-2.2-1.2-3.6-6.7-2.7-8.7.9-2,4.5-3.5,7.4-3.9h88.2v-61.8h-97.4c-27,.7-63.8,8.2-76.5,34.8-8.3,17.5-6.8,38.5,3.5,54.9,9.3,14.9,22.2,25.8,37.7,33.9l45.8,24.3c11.5,6.1,24.7,17,17.9,30.5-2.1,4.1-7.4,6.5-12.6,7.2h.1Z"/>
-<path class="st0" d="M1417.8,398.2c18.3,11.7,32.5,27.8,42.9,48.3c10.3,20.5,15.5,43.3,15.5,68.5c0,25.1-5.2,48-15.5,68.4
+    <path class="st1" d="M1547.6,801.6h81.2c11.6-.2,23.2-3.8,31.9-11.2,7.3-6.2,11.7-15.4,13.9-24.8l16.8-72.7c-7.2,9-12.8,16.9-20.7,24.2-18.3,16.8-42.3,23.8-66.9,19.5-32.5-5.7-46.7-34.7-47-65.6-.5-44,18.9-93.6,57.6-117.1,18-10.9,39.5-13.9,60-9.6,12.4,2.6,22.1,9.9,29.1,20,5.8,8.4,7.8,17.2,10.8,27.8l10.7-45.4,15.6.3-50.6,219.5c-2.9,12.6-8.9,24.6-18.4,32.9-12,10.4-28.1,15.1-44,15.2l-82.9.2,2.7-13.1h.2ZM1691.8,673.5c12.9-26.3,20.1-60.3,11-88.6-5.1-15.8-17.9-26.5-34.2-28.8-20.7-2.9-40.3,2.9-55.9,16.8-13.6,12.1-23.5,26.7-30.3,43.7-9.8,24.4-14.8,56.5-4.6,81.1,5,12.1,14.7,21.3,27.6,24.7,39,10.3,70.1-16,86.4-49h0Z"/>
-	c-10.3,20.5-24.6,36.6-42.9,48.3s-38.6,17.5-61,17.5c-32.3,0-57.5-10-75.4-30.1v165.6h-85.3V390.2h85.3v20.6
+    <path class="st1" d="M1441.6,556.8c-43.6-8.7-84.4,29.7-93.8,70l-24.8,106.6h-15.7l43.1-186.4,15.6-.2-8.6,39.5c22.3-28.9,53.9-49.3,90.7-42.5,16.8,3.1,29.1,15.6,32.1,32.4,2.1,11.6,1.6,23.4-1.1,35.3l-28.1,122.2h-15.6c0,0,27.5-119.9,27.5-119.9,4.7-20.6,5.9-51.3-21.2-56.7v-.3Z"/>
-	c18-20,43.1-30.1,75.4-30.1C1379.2,380.7,1399.5,386.6,1417.8,398.2z M1389.5,514.9c0-17.4-5.1-31.9-15.3-43.8
+    <path class="st1" d="M1958.9,733.3h-16.2l-38.2-90.1-79.8,90.3-19.3-.2,77.6-87.2c5.1-5.7,11-10.1,17.2-14.5-4.6-4.7-8.5-9.6-11.3-15.3l-33.9-69.3,16.2-.2,35.3,74.1,69-73.9c6.6-.3,12.7-.3,19.6.2l-63.1,66.6c-6.4,6.8-13.4,12.5-20.9,18,3.4,3.4,7.5,7.5,9.6,12.4l38.3,89.2h-.1Z"/>
-	c-10.2-11.8-23.6-17.7-40.4-17.7s-30.2,5.9-40.4,17.7c-10.2,11.8-15.3,26.4-15.3,43.8c0,17.4,5.1,31.9,15.3,43.8
+    <path class="st1" d="M1224.4,635.4H3.4c1.1-5.6,1.9-9.5,3.1-13.9h1220.9l-2.9,13.9h0Z"/>
 	c10.2,11.8,23.6,17.7,40.4,17.7s30.2-5.9,40.4-17.7S1389.5,532.3,1389.5,514.9z"/>
 <path class="st0" d="M1713.6,555.3l53,49.4c-28.1,29.6-66.7,44.4-115.8,44.4c-28.1,0-53-5.8-74.5-17.5s-38.2-27.7-49.8-48
 	c-11.7-20.3-17.7-43.2-18-68.7c0-24.8,5.9-47.5,17.7-68c11.8-20.5,28.1-36.7,48.7-48.5s43.5-17.7,68.7-17.7
 	c24.8,0,47.6,6.1,68.2,18.2s37,29.5,49.1,52.3c12.1,22.7,18.2,49.1,18.2,79l-0.4,11.7h-181.8c3.6,11.4,10.5,20.7,20.9,28.1
 	c10.3,7.3,21.3,11,33,11c14.4,0,26.3-2.2,35.7-6.5C1695.8,570.1,1704.9,563.7,1713.6,555.3z M1596.9,486.2h92.9
 	c-2.1-12.3-7.5-22.1-16.2-29.4s-18.7-11-30.1-11s-21.5,3.7-30.3,11S1599,473.9,1596.9,486.2z"/>
 <path class="st0" d="M1908.8,418.4c7.8-10.8,17.2-19,28.3-24.7s22-8.5,32.8-8.5c11.4,0,20,1.6,26,4.9l-10.8,72.7
 	c-8.4-2.1-15.7-3.1-22-3.1c-17.1,0-30.4,4.3-39.9,12.8c-9.6,8.5-14.4,24.2-14.4,46.9v120.3h-85.3V390.2h85.3V418.4L1908.8,418.4z"/>
 <path class="st0" d="M2113,258.2v381.5h-85.3V258.2H2113z"/>
 <path class="st0" d="M2360.8,555.3l53,49.4c-28.1,29.6-66.7,44.4-115.8,44.4c-28.1,0-53-5.8-74.5-17.5s-38.2-27.7-49.8-48
 	c-11.7-20.3-17.7-43.2-18-68.7c0-24.8,5.9-47.5,17.7-68s28.1-36.7,48.7-48.5c20.6-11.8,43.5-17.7,68.7-17.7
 	c24.8,0,47.6,6.1,68.2,18.2c20.6,12.1,37,29.5,49.1,52.3c12.1,22.7,18.2,49.1,18.2,79l-0.4,11.7h-181.8
 	c3.6,11.4,10.5,20.7,20.9,28.1c10.3,7.3,21.3,11,33,11c14.4,0,26.3-2.2,35.7-6.5C2343.1,570.1,2352.1,563.7,2360.8,555.3z
 	 M2244.1,486.2h92.9c-2.1-12.3-7.5-22.1-16.2-29.4s-18.7-11-30.1-11s-21.5,3.7-30.3,11C2251.7,464.1,2246.2,473.9,2244.1,486.2z"/>
 <path class="st0" d="M2565.9,446.3c-9.9,0-17.1,1.1-21.5,3.4c-4.5,2.2-6.7,5.9-6.7,11s3.4,8.8,10.3,11.2c6.9,2.4,18,4.9,33.2,7.6
 	c20,3,37,6.7,50.9,11.2s26,12.1,36.1,22.9c10.2,10.8,15.3,25.9,15.3,45.3c0,29.9-10.9,52.4-32.8,67.6
 	c-21.8,15.1-50.3,22.7-85.3,22.7c-25.7,0-49.5-3.7-71.4-11c-21.8-7.3-37.4-14.7-46.7-22.2l33.7-60.6c10.2,9,23.4,15.8,39.7,20.4
 	c16.3,4.6,31.3,7,45.1,7c19.7,0,29.6-5.2,29.6-15.7c0-5.4-3.3-9.4-9.9-11.9c-6.6-2.5-17.2-5.2-31.9-7.9c-18.9-3.3-34.9-7.2-48-11.7
 	c-13.2-4.5-24.6-12.2-34.3-23.1c-9.7-10.9-14.6-26-14.6-45.1c0-27.2,9.7-48.5,29-63.7c19.3-15.3,46-22.9,80.1-22.9
 	c23.3,0,44.4,3.6,63.3,10.8c18.9,7.2,34,14.5,45.3,22l-32.8,58.8c-10.8-7.5-23.2-13.7-37.3-18.6
 	C2590.5,448.7,2577.6,446.3,2565.9,446.3z"/>
 <path class="st0" d="M2817.3,446.3c-9.9,0-17.1,1.1-21.5,3.4c-4.5,2.2-6.7,5.9-6.7,11s3.4,8.8,10.3,11.2c6.9,2.4,18,4.9,33.2,7.6
 	c20,3,37,6.7,50.9,11.2s26,12.1,36.1,22.9c10.2,10.8,15.3,25.9,15.3,45.3c0,29.9-10.9,52.4-32.8,67.6
 	c-21.8,15.1-50.3,22.7-85.3,22.7c-25.7,0-49.5-3.7-71.4-11c-21.8-7.3-37.4-14.7-46.7-22.2l33.7-60.6c10.2,9,23.4,15.8,39.7,20.4
 	c16.3,4.6,31.3,7,45.1,7c19.8,0,29.6-5.2,29.6-15.7c0-5.4-3.3-9.4-9.9-11.9c-6.6-2.5-17.2-5.2-31.9-7.9c-18.9-3.3-34.9-7.2-48-11.7
 	c-13.2-4.5-24.6-12.2-34.3-23.1c-9.7-10.9-14.6-26-14.6-45.1c0-27.2,9.7-48.5,29-63.7c19.3-15.3,46-22.9,80.1-22.9
 	c23.3,0,44.4,3.6,63.3,10.8c18.9,7.2,34,14.5,45.3,22l-32.8,58.8c-10.8-7.5-23.2-13.7-37.3-18.6
 	C2841.8,448.7,2828.9,446.3,2817.3,446.3z"/>
 <g>
 	<path class="st0" d="M2508,724h60.2v17.3H2508V724z"/>
 	<path class="st0" d="M2629.2,694.4c4.9-2,10.2-3.1,16-3.1c10.9,0,19.5,3.4,25.9,10.2s9.6,16.7,9.6,29.6v57.3h-19.6v-52.6
 		c0-9.3-1.7-16.2-5.1-20.7c-3.4-4.5-9.1-6.7-17-6.7c-6.5,0-11.8,2.4-16.1,7.1c-4.3,4.8-6.4,11.5-6.4,20.2v52.6h-19.6v-94.6h19.6v9.5
 		C2620.2,699.4,2624.4,696.4,2629.2,694.4z"/>
 	<path class="st0" d="M2790.3,833.2c-8.6,6.8-19.4,10.2-32.3,10.2c-7.9,0-15.2-1.4-21.9-4.1s-12.1-6.8-16.3-12.2s-6.6-11.9-7.1-19.6
 		h19.6c0.7,6.1,3.5,10.8,8.4,13.9c4.9,3.2,10.7,4.8,17.4,4.8c7,0,13.1-2,18.2-6c5.1-4,7.7-10.3,7.7-18.9v-24.7
 		c-3.6,3.4-8,6.2-13.3,8.2c-5.2,2.1-10.7,3.1-16.3,3.1c-8.7,0-16.6-2.1-23.7-6.4c-7.1-4.3-12.6-10-16.7-17.3c-4-7.3-6-15.5-6-24.6
 		s2-17.3,6-24.7s9.6-13.2,16.7-17.4c7.1-4.3,15-6.4,23.7-6.4c5.7,0,11.1,1,16.3,3.1s9.6,4.8,13.3,8.2v-8.8h19.4v107.8
 		C2803.2,815.9,2798.9,826.4,2790.3,833.2z M2782.2,755.7c2.6-4.7,3.8-10,3.8-15.9s-1.3-11.2-3.8-16c-2.6-4.8-6.1-8.5-10.5-11.1
 		c-4.5-2.7-9.5-4-15.1-4c-5.8,0-10.9,1.4-15.4,4.3c-4.5,2.8-7.9,6.6-10.3,11.4c-2.4,4.8-3.6,9.9-3.6,15.5c0,5.4,1.2,10.5,3.6,15.3
 		c2.4,4.8,5.8,8.6,10.3,11.5s9.6,4.3,15.4,4.3c5.6,0,10.6-1.4,15.1-4.1C2776.1,764.1,2779.6,760.4,2782.2,755.7z"/>
 	<path class="st0" d="M2843.5,788.4h-21.6l37.9-48l-36.4-46.6h22.6l25.7,33.3l25.8-33.3h21.6l-36.2,45.9l37.9,48.6h-22.6l-27.4-35
 		L2843.5,788.4z"/>
  </g>
 <path class="st0" d="M835.8,319.2c-11.5-18.9-27.4-33.7-47.6-44.7c-20.2-10.9-43-16.4-68.5-16.4h-90.6c-8.6,39.6-21.3,77.2-38,112.4
 	c-10,21-21.3,41-33.9,59.9v209.2H647v-135h72.7c25.4,0,48.3-5.5,68.5-16.4s36.1-25.8,47.6-44.7c11.5-18.9,17.3-39.5,17.3-61.9
 	C853.1,358.9,847.4,338.1,835.8,319.2z M747,416.6c-9.4,9-21.8,13.5-37,13.5l-62.8,0.4v-93.4l62.8-0.4c15.3,0,27.6,4.5,37,13.5
 	s14.1,20,14.1,33.2C761.1,396.6,756.4,407.7,747,416.6z"/>
 <path class="st1" d="M164.7,698.7c-3.5-16.5-10.4-49.6-11.3-49.6c-147.1-88-129.7-240.3-81-327.4C82.8,431.4,277,507.1,163.8,641.2
 	c-0.9,1.7,5.2,22.6,10.4,41.8c22.6-38.3,56.6-84.4,54.8-88.8C89.7,254.7,525,228.6,615.5,17.9c40.9,203.7-20.9,518.9-370.8,599
 	c-1.7,0.9-63.5,109.7-66.2,110.6c0-1.7-26.1-0.9-22.6-9.6C157.8,712.6,161.2,705.7,164.7,698.7L164.7,698.7z M160.4,616.9
 	c44.4-51.4-7.8-139.3-39.2-168C174.3,540.2,170.8,593.3,160.4,616.9L160.4,616.9z"/>
 </svg>
@@ -0,0 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <svg id="Layer_1" xmlns="http://www.w3.org/2000/svg" version="1.1" viewBox="0 0 1000 1000">
  <defs>
    <style>
      .st0 {
        fill: #005616;
      }
    </style>
  </defs>
  <path class="st0" d="M341,949.1c-6.9-20.3-20.7-61.2-21.9-61-199.6-88.9-182.5-229.8-134.3-347.5,30,137.2,268.8,148.9,146.2,336-.9,2.2,10,27.8,19.5,51.3,22.7-51.9,58.6-115.5,55.8-120.8C178,398.7,724.9,299,807.1,18.5c83,251.5,53.1,659.8-377.4,814.9-2,1.4-63.5,148.6-66.9,150.2-.2-2.1-33.2,2.9-30.1-8.7,1.6-7,4.8-16.2,8.2-25.6h0v-.2h.1ZM323.1,846.2c48.3-71.9-12.7-120.8-56.9-152.2,81.2,107.4,66.4,120.8,56.9,152.2h0Z"/>
 </svg>
@@ -0,0 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <svg id="Layer_1" xmlns="http://www.w3.org/2000/svg" version="1.1" viewBox="0 0 1000 1000">
  <defs>
    <style>
      .st0 {
        fill: #fff;
      }
    </style>
  </defs>
  <path class="st0" d="M341,949.1c-6.9-20.3-20.7-61.2-21.9-61-199.6-88.9-182.5-229.8-134.3-347.5,30,137.2,268.8,148.9,146.2,336-.9,2.2,10,27.8,19.5,51.3,22.7-51.9,58.6-115.5,55.8-120.8C178,398.7,724.9,299,807.1,18.5c83,251.5,53.1,659.8-377.4,814.9-2,1.4-63.5,148.6-66.9,150.2-.2-2.1-33.2,2.9-30.1-8.7,1.6-7,4.8-16.2,8.2-25.6h0v-.2h.1ZM323.1,846.2c48.3-71.9-12.7-120.8-56.9-152.2,81.2,107.4,66.4,120.8,56.9,152.2h0Z"/>
 </svg>
@@ -1,5 +1,204 @@
 # Changelog
 ## paperless-ngx 2.20.15
 ### Security
 - Resolve [GHSA-96jx-fj7m-qh6x](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-8c6x-pfjq-9gr7)
 ### Bug Fixes
 - Fix: use only allauth login/logout endpoints [@shamoon](https://github.com/shamoon) ([#12639](https://github.com/paperless-ngx/paperless-ngx/pull/12639))
 - Fix: correctly scope mail account enumeration [@shamoon](https://github.com/shamoon) ([#12636](https://github.com/paperless-ngx/paperless-ngx/pull/12636))
 - Fix: prevent intermediate change event when CustomFieldQueryAtom operator changes type [@ggouzi](https://github.com/ggouzi) ([#12597](https://github.com/paperless-ngx/paperless-ngx/pull/12597))
 - Fix: reject invalid requests to API notes endpoint [@ggouzi](https://github.com/ggouzi) ([#12582](https://github.com/paperless-ngx/paperless-ngx/pull/12582))
 ### All App Changes
 <details>
 <summary>4 changes</summary>
 - Fix: use only allauth login/logout endpoints [@shamoon](https://github.com/shamoon) ([#12639](https://github.com/paperless-ngx/paperless-ngx/pull/12639))
 - Fix: correctly scope mail account enumeration [@shamoon](https://github.com/shamoon) ([#12636](https://github.com/paperless-ngx/paperless-ngx/pull/12636))
 - Fix: prevent intermediate change event when CustomFieldQueryAtom operator changes type [@ggouzi](https://github.com/ggouzi) ([#12597](https://github.com/paperless-ngx/paperless-ngx/pull/12597))
 - Fix: reject invalid requests to API notes endpoint [@ggouzi](https://github.com/ggouzi) ([#12582](https://github.com/paperless-ngx/paperless-ngx/pull/12582))
 </details>
 ## paperless-ngx 2.20.14
 ### Bug Fixes
 - Fix: do not submit permissions for non-owners [@shamoon](https://github.com/shamoon) ([#12571](https://github.com/paperless-ngx/paperless-ngx/pull/12571))
 - Fix: prevent duplicate parent tag IDs [@shamoon](https://github.com/shamoon) ([#12522](https://github.com/paperless-ngx/paperless-ngx/pull/12522))
 - Fix: dont defer tag change application in workflows [@shamoon](https://github.com/shamoon) ([#12478](https://github.com/paperless-ngx/paperless-ngx/pull/12478))
 - Fix: limit share link viewset actions [@shamoon](https://github.com/shamoon) ([#12461](https://github.com/paperless-ngx/paperless-ngx/pull/12461))
 - Fix: add fallback ordering for documents by id after created [@shamoon](https://github.com/shamoon) ([#12440](https://github.com/paperless-ngx/paperless-ngx/pull/12440))
 - Fixhancement: default mail-created correspondent matching to exact [@shamoon](https://github.com/shamoon) ([#12414](https://github.com/paperless-ngx/paperless-ngx/pull/12414))
 - Fix: validate date CF value in serializer [@shamoon](https://github.com/shamoon) ([#12410](https://github.com/paperless-ngx/paperless-ngx/pull/12410))
 ### All App Changes
 <details>
 <summary>7 changes</summary>
 - Fix: do not submit permissions for non-owners [@shamoon](https://github.com/shamoon) ([#12571](https://github.com/paperless-ngx/paperless-ngx/pull/12571))
 - Fix: prevent duplicate parent tag IDs [@shamoon](https://github.com/shamoon) ([#12522](https://github.com/paperless-ngx/paperless-ngx/pull/12522))
 - Fix: dont defer tag change application in workflows [@shamoon](https://github.com/shamoon) ([#12478](https://github.com/paperless-ngx/paperless-ngx/pull/12478))
 - Fix: limit share link viewset actions [@shamoon](https://github.com/shamoon) ([#12461](https://github.com/paperless-ngx/paperless-ngx/pull/12461))
 - Fix: add fallback ordering for documents by id after created [@shamoon](https://github.com/shamoon) ([#12440](https://github.com/paperless-ngx/paperless-ngx/pull/12440))
 - Fixhancement: default mail-created correspondent matching to exact [@shamoon](https://github.com/shamoon) ([#12414](https://github.com/paperless-ngx/paperless-ngx/pull/12414))
 - Fix: validate date CF value in serializer [@shamoon](https://github.com/shamoon) ([#12410](https://github.com/paperless-ngx/paperless-ngx/pull/12410))
 </details>
 ## paperless-ngx 2.20.13
 ### Bug Fixes
 - Fix: suggest corrections only if visible results
 - Fix: require view permission for more-like search
 - Fix: validate document link targets
 - Fix: enforce permissions when attaching accounts to mail rules
 ## paperless-ngx 2.20.12
 ### Security
 - Resolve [GHSA-96jx-fj7m-qh6x](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-96jx-fj7m-qh6x)
 ### Bug Fixes
 - Fix: Scope the workflow saves to prevent clobbering filename/archive_filename [@stumpylog](https://github.com/stumpylog) ([#12390](https://github.com/paperless-ngx/paperless-ngx/pull/12390))
 - Fix: don't try to usermod/groupmod when non-root + update docs (#<!---->12365) [@stumpylog](https://github.com/stumpylog) ([#12391](https://github.com/paperless-ngx/paperless-ngx/pull/12391))
 - Fix: avoid moving files if already moved [@shamoon](https://github.com/shamoon) ([#12389](https://github.com/paperless-ngx/paperless-ngx/pull/12389))
 - Fix: remove pagination from document notes api spec [@shamoon](https://github.com/shamoon) ([#12388](https://github.com/paperless-ngx/paperless-ngx/pull/12388))
 - Fix: fix file button hover color in dark mode [@shamoon](https://github.com/shamoon) ([#12367](https://github.com/paperless-ngx/paperless-ngx/pull/12367))
 - Fixhancement: only offer basic auth for appropriate requests [@shamoon](https://github.com/shamoon) ([#12362](https://github.com/paperless-ngx/paperless-ngx/pull/12362))
 ### All App Changes
 <details>
 <summary>5 changes</summary>
 - Fix: Scope the workflow saves to prevent clobbering filename/archive_filename [@stumpylog](https://github.com/stumpylog) ([#12390](https://github.com/paperless-ngx/paperless-ngx/pull/12390))
 - Fix: avoid moving files if already moved [@shamoon](https://github.com/shamoon) ([#12389](https://github.com/paperless-ngx/paperless-ngx/pull/12389))
 - Fix: remove pagination from document notes api spec [@shamoon](https://github.com/shamoon) ([#12388](https://github.com/paperless-ngx/paperless-ngx/pull/12388))
 - Fix: fix file button hover color in dark mode [@shamoon](https://github.com/shamoon) ([#12367](https://github.com/paperless-ngx/paperless-ngx/pull/12367))
 - Fixhancement: only offer basic auth for appropriate requests [@shamoon](https://github.com/shamoon) ([#12362](https://github.com/paperless-ngx/paperless-ngx/pull/12362))
 </details>
 ## paperless-ngx 2.20.11
 ### Security
 - Resolve [GHSA-59xh-5vwx-4c4q](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-59xh-5vwx-4c4q)
 ### Bug Fixes
 - Fix: correct dropdown list active color in dark mode [@shamoon](https://github.com/shamoon) ([#12328](https://github.com/paperless-ngx/paperless-ngx/pull/12328))
 - Fixhancement: clear descendant selections in dropdown when parent toggled [@shamoon](https://github.com/shamoon) ([#12326](https://github.com/paperless-ngx/paperless-ngx/pull/12326))
 - Fix: prevent wrapping with larger amounts of tags on small cards, reset moreTags setting to correct count [@shamoon](https://github.com/shamoon) ([#12302](https://github.com/paperless-ngx/paperless-ngx/pull/12302))
 - Fix: prevent stale db filename during workflow actions [@shamoon](https://github.com/shamoon) ([#12289](https://github.com/paperless-ngx/paperless-ngx/pull/12289))
 ### All App Changes
 <details>
 <summary>4 changes</summary>
 - Fix: correct dropdown list active color in dark mode [@shamoon](https://github.com/shamoon) ([#12328](https://github.com/paperless-ngx/paperless-ngx/pull/12328))
 - Fixhancement: clear descendant selections in dropdown when parent toggled [@shamoon](https://github.com/shamoon) ([#12326](https://github.com/paperless-ngx/paperless-ngx/pull/12326))
 - Fix: prevent wrapping with larger amounts of tags on small cards, reset moreTags setting to correct count [@shamoon](https://github.com/shamoon) ([#12302](https://github.com/paperless-ngx/paperless-ngx/pull/12302))
 - Fix: prevent stale db filename during workflow actions [@shamoon](https://github.com/shamoon) ([#12289](https://github.com/paperless-ngx/paperless-ngx/pull/12289))
 </details>
 ## paperless-ngx 2.20.10
 ### Bug Fixes
 - Fix: support string coercion in filepath jinja templates [@shamoon](https://github.com/shamoon) ([#12244](https://github.com/paperless-ngx/paperless-ngx/pull/12244))
 - Fix: apply ordering after annotating tag document count [@shamoon](https://github.com/shamoon) ([#12238](https://github.com/paperless-ngx/paperless-ngx/pull/12238))
 - Fix: enforce path limit for db filename fields [@shamoon](https://github.com/shamoon) ([#12235](https://github.com/paperless-ngx/paperless-ngx/pull/12235))
 ### All App Changes
 <details>
 <summary>3 changes</summary>
 - Fix: support string coercion in filepath jinja templates [@shamoon](https://github.com/shamoon) ([#12244](https://github.com/paperless-ngx/paperless-ngx/pull/12244))
 - Fix: apply ordering after annotating tag document count [@shamoon](https://github.com/shamoon) ([#12238](https://github.com/paperless-ngx/paperless-ngx/pull/12238))
 - Fix: enforce path limit for db filename fields [@shamoon](https://github.com/shamoon) ([#12235](https://github.com/paperless-ngx/paperless-ngx/pull/12235))
 </details>
 ## paperless-ngx 2.20.9
 ### Security
 - Resolve [GHSA-386h-chg4-cfw9](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-386h-chg4-cfw9)
 ### Bug Fixes
 - Fixhancement: config option reset [@shamoon](https://github.com/shamoon) ([#12176](https://github.com/paperless-ngx/paperless-ngx/pull/12176))
 - Fix: correct page count by separating display vs collection sizes for tags [@shamoon](https://github.com/shamoon) ([#12170](https://github.com/paperless-ngx/paperless-ngx/pull/12170))
 ### All App Changes
 <details>
 <summary>2 changes</summary>
 - Fixhancement: config option reset [@shamoon](https://github.com/shamoon) ([#12176](https://github.com/paperless-ngx/paperless-ngx/pull/12176))
 - Fix: correct page count by separating display vs collection sizes for tags [@shamoon](https://github.com/shamoon) ([#12170](https://github.com/paperless-ngx/paperless-ngx/pull/12170))
 </details>
 ## paperless-ngx 2.20.8
 ### Security
 - Resolve [GHSA-7qqc-wrcw-2fj9](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-7qqc-wrcw-2fj9)
 ## paperless-ngx 2.20.7
 ### Security
 - Resolve [GHSA-x395-6h48-wr8v](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-x395-6h48-wr8v)
 ### Bug Fixes
 - Performance fix: use subqueries to improve object retrieval in large installs [@shamoon](https://github.com/shamoon) ([#11950](https://github.com/paperless-ngx/paperless-ngx/pull/11950))
 - Fix: correct user dropdown button icon styling [@shamoon](https://github.com/shamoon) ([#12092](https://github.com/paperless-ngx/paperless-ngx/issues/12092))
 - Fix: fix broken docker create_classifier command in 2.20.6 [@shamoon](https://github.com/shamoon) ([#11965](https://github.com/paperless-ngx/paperless-ngx/issues/11965))
 ### All App Changes
 <details>
 <summary>3 changes</summary>
 - Performance fix: use subqueries to improve object retrieval in large installs [@shamoon](https://github.com/shamoon) ([#11950](https://github.com/paperless-ngx/paperless-ngx/pull/11950))
 - Fix: correct user dropdown button icon styling [@shamoon](https://github.com/shamoon) ([#12092](https://github.com/paperless-ngx/paperless-ngx/issues/12092))
 - Fix: fix broken docker create_classifier command in 2.20.6 [@shamoon](https://github.com/shamoon) ([#11965](https://github.com/paperless-ngx/paperless-ngx/issues/11965))
 </details>
 ## paperless-ngx 2.20.6
 ### Security
 - Resolve [GHSA-jqwv-hx7q-fxh3](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-jqwv-hx7q-fxh3) and [GHSA-w47q-3m69-84v8](https://github.com/paperless-ngx/paperless-ngx/security/advisories/GHSA-w47q-3m69-84v8)
 ### Bug Fixes
 - Fix: extract all ids for nested tags [@shamoon](https://github.com/shamoon) ([#11888](https://github.com/paperless-ngx/paperless-ngx/pull/11888))
 - Fixhancement: change date calculation for 'this year' to include future documents [@shamoon](https://github.com/shamoon) ([#11884](https://github.com/paperless-ngx/paperless-ngx/pull/11884))
 - Fix: Running management scripts under rootless could fail [@stumpylog](https://github.com/stumpylog) ([#11870](https://github.com/paperless-ngx/paperless-ngx/pull/11870))
 - Fix: use correct field id for overrides [@shamoon](https://github.com/shamoon) ([#11869](https://github.com/paperless-ngx/paperless-ngx/pull/11869))
 ### All App Changes
 <details>
 <summary>3 changes</summary>
 - Fix: extract all ids for nested tags [@shamoon](https://github.com/shamoon) ([#11888](https://github.com/paperless-ngx/paperless-ngx/pull/11888))
 - Fixhancement: change date calculation for 'this year' to include future documents [@shamoon](https://github.com/shamoon) ([#11884](https://github.com/paperless-ngx/paperless-ngx/pull/11884))
 - Fix: use correct field id for overrides [@shamoon](https://github.com/shamoon) ([#11869](https://github.com/paperless-ngx/paperless-ngx/pull/11869))
 </details>
 ## paperless-ngx 2.20.5
 ### Bug Fixes
@@ -6171,7 +6370,6 @@ This release contains new database migrations.
 ### paperless-ng 1.1.0
 - Document processing status
  - Paperless now shows the status of processing documents on the
    dashboard in real time.
  - Status notifications when
@@ -6216,7 +6414,6 @@ This release contains new database migrations.
 - Official support for Python 3.9.
 - Other changes and fixes
  - Adjusted the default parallelization settings to run more than
    one task in parallel on systems with 4 or less cores. This
    addresses issues with paperless not consuming any new files when
@@ -51,137 +51,190 @@ matcher.
 ### Database
 By default, Paperless uses **SQLite** with a database stored at `data/db.sqlite3`.
-To switch to **PostgreSQL** or **MariaDB**, set [`PAPERLESS_DBHOST`](#PAPERLESS_DBHOST) and optionally configure other
+For multi-user or higher-throughput deployments, **PostgreSQL** (recommended) or
-database-related environment variables.
+**MariaDB** can be used instead by setting [`PAPERLESS_DBENGINE`](#PAPERLESS_DBENGINE)
 and the relevant connection variables.
 #### [`PAPERLESS_DBENGINE=<engine>`](#PAPERLESS_DBENGINE) {#PAPERLESS_DBENGINE}
 : Specifies the database engine to use. Accepted values are `sqlite`, `postgresql`,
 and `mariadb`.
    Defaults to `sqlite` if not set.
    PostgreSQL and MariaDB both require [`PAPERLESS_DBHOST`](#PAPERLESS_DBHOST) to be
    set. SQLite does not use any other connection variables; the database file is always
    located at `<PAPERLESS_DATA_DIR>/db.sqlite3`.
    !!! warning
        Using MariaDB comes with some caveats.
        See [MySQL Caveats](advanced_usage.md#mysql-caveats).
 #### [`PAPERLESS_DBHOST=<hostname>`](#PAPERLESS_DBHOST) {#PAPERLESS_DBHOST}
-: If unset, Paperless uses **SQLite** by default.
+: Hostname of the PostgreSQL or MariaDB database server. Required when
-
+`PAPERLESS_DBENGINE` is `postgresql` or `mariadb`.
    Set `PAPERLESS_DBHOST` to switch to PostgreSQL or MariaDB instead.
 #### [`PAPERLESS_DBENGINE=<engine_name>`](#PAPERLESS_DBENGINE) {#PAPERLESS_DBENGINE}
 : Optional. Specifies the database engine to use when connecting to a remote database.
 Available options are `postgresql` and `mariadb`.
    Defaults to `postgresql` if `PAPERLESS_DBHOST` is set.
    !!! warning
        Using MariaDB comes with some caveats. See [MySQL Caveats](advanced_usage.md#mysql-caveats).
 #### [`PAPERLESS_DBPORT=<port>`](#PAPERLESS_DBPORT) {#PAPERLESS_DBPORT}
 : Port to use when connecting to PostgreSQL or MariaDB.
-    Default is `5432` for PostgreSQL and `3306` for MariaDB.
+    Defaults to `5432` for PostgreSQL and `3306` for MariaDB.
 #### [`PAPERLESS_DBNAME=<name>`](#PAPERLESS_DBNAME) {#PAPERLESS_DBNAME}
-: Name of the database to connect to when using PostgreSQL or MariaDB.
+: Name of the PostgreSQL or MariaDB database to connect to.
-    Defaults to "paperless".
+    Defaults to `paperless`.
-#### [`PAPERLESS_DBUSER=<name>`](#PAPERLESS_DBUSER) {#PAPERLESS_DBUSER}
+#### [`PAPERLESS_DBUSER=<user>`](#PAPERLESS_DBUSER) {#PAPERLESS_DBUSER}
 : Username for authenticating with the PostgreSQL or MariaDB database.
-    Defaults to "paperless".
+    Defaults to `paperless`.
 #### [`PAPERLESS_DBPASS=<password>`](#PAPERLESS_DBPASS) {#PAPERLESS_DBPASS}
 : Password for the PostgreSQL or MariaDB database user.
-    Defaults to "paperless".
+    Defaults to `paperless`.
-#### [`PAPERLESS_DBSSLMODE=<mode>`](#PAPERLESS_DBSSLMODE) {#PAPERLESS_DBSSLMODE}
+#### [`PAPERLESS_DB_OPTIONS=<options>`](#PAPERLESS_DB_OPTIONS) {#PAPERLESS_DB_OPTIONS}
-: SSL mode to use when connecting to PostgreSQL or MariaDB.
+: Advanced database connection options as a comma-delimited key-value string.
 Keys and values are separated by `=`. Dot-notation produces nested option
 dictionaries; for example, `pool.max_size=20` sets
 `OPTIONS["pool"]["max_size"] = 20`.
-    See [the official documentation about
+    Options specified here are merged over the engine defaults. Unrecognised keys
-    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    are passed through to the underlying database driver without validation, so a
    typo will be silently ignored rather than producing an error.
-    See [the official documentation about
+    Refer to your database driver's documentation for the full set of accepted keys:
    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-mode).
-    *Note*: SSL mode values differ between PostgreSQL and MariaDB.
+    - PostgreSQL: [libpq connection parameters](https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS)
    - MariaDB: [MariaDB Connector/Python](https://mariadb.com/kb/en/mariadb-connector-python/)
    - SQLite: [SQLite PRAGMA statements](https://www.sqlite.org/pragma.html)
-    Default is `prefer` for PostgreSQL and `PREFERRED` for MariaDB.
+    !!! note "PostgreSQL connection pooling"
-#### [`PAPERLESS_DBSSLROOTCERT=<ca-path>`](#PAPERLESS_DBSSLROOTCERT) {#PAPERLESS_DBSSLROOTCERT}
+        Pool size is controlled via `pool.min_size` and `pool.max_size`. When
        configuring pooling, ensure your PostgreSQL `max_connections` is large enough
        to handle all pool connections across all workers:
        `(web_workers + celery_workers) * pool.max_size + safety_margin`.
-: Path to the SSL root certificate used to verify the database server.
+    !!! note "SQLite defaults"
-    See [the official documentation about
+        SQLite connections are pre-configured with WAL journal mode, optimised
-    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
+        synchronous and cache settings, and a 5-second busy timeout. These defaults
-    Changes the location of `root.crt`.
+        suit most deployments. To override `init_command`, use `;` between PRAGMAs
        within the value and `,` between options:
-    See [the official documentation about
+        ```bash
-    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-ca).
+        PAPERLESS_DB_OPTIONS="init_command=PRAGMA journal_mode=DELETE;PRAGMA synchronous=FULL,transaction_mode=DEFERRED"
        ```
-    Defaults to unset, using the standard location in the home directory.
+    !!! note "MariaDB: READ COMMITTED isolation level"
-#### [`PAPERLESS_DBSSLCERT=<client-cert-path>`](#PAPERLESS_DBSSLCERT) {#PAPERLESS_DBSSLCERT}
+        MariaDB connections default to `READ COMMITTED` isolation level, which
        eliminates gap locking and reduces deadlock frequency. If binary logging is
        enabled on your MariaDB server, this requires `binlog_format=ROW` (the
        default for most managed MariaDB instances). Statement-based replication is
        not compatible with `READ COMMITTED`.
-: Path to the client SSL certificate used when connecting securely.
+    **Examples:**
-    See [the official documentation about
+    ```bash title="PostgreSQL: require SSL, set a custom CA certificate, and limit the pool size"
-    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    PAPERLESS_DB_OPTIONS="sslmode=require,sslrootcert=/certs/ca.pem,pool.max_size=5"
    ```
-    See [the official documentation about
+    ```bash title="MariaDB: require SSL with a custom CA certificate"
-    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-cert).
+    PAPERLESS_DB_OPTIONS="ssl_mode=REQUIRED,ssl.ca=/certs/ca.pem"
    ```
-    Changes the location of `postgresql.crt`.
+    ```bash title="PostgreSQL or MariaDB: set a connection timeout"
    PAPERLESS_DB_OPTIONS="connect_timeout=10"
    ```
-    Defaults to unset, using the standard location in the home directory.
+#### ~~[`PAPERLESS_DBSSLMODE`](#PAPERLESS_DBSSLMODE)~~ {#PAPERLESS_DBSSLMODE}
-#### [`PAPERLESS_DBSSLKEY=<client-cert-key>`](#PAPERLESS_DBSSLKEY) {#PAPERLESS_DBSSLKEY}
+!!! failure "Removed in v3"
-: Path to the client SSL private key used when connecting securely.
+    Use [`PAPERLESS_DB_OPTIONS`](#PAPERLESS_DB_OPTIONS) instead.
-    See [the official documentation about
+    ```bash title="PostgreSQL"
-    sslmode for PostgreSQL](https://www.postgresql.org/docs/current/libpq-ssl.html).
+    PAPERLESS_DB_OPTIONS="sslmode=require"
    ```
-    See [the official documentation about
+    ```bash title="MariaDB"
-    sslmode for MySQL and MariaDB](https://dev.mysql.com/doc/refman/8.0/en/connection-options.html#option_general_ssl-key).
+    PAPERLESS_DB_OPTIONS="ssl_mode=REQUIRED"
    ```
-    Changes the location of `postgresql.key`.
+#### ~~[`PAPERLESS_DBSSLROOTCERT`](#PAPERLESS_DBSSLROOTCERT)~~ {#PAPERLESS_DBSSLROOTCERT}
-    Defaults to unset, using the standard location in the home directory.
+!!! failure "Removed in v3"
-#### [`PAPERLESS_DB_TIMEOUT=<int>`](#PAPERLESS_DB_TIMEOUT) {#PAPERLESS_DB_TIMEOUT}
+    Use [`PAPERLESS_DB_OPTIONS`](#PAPERLESS_DB_OPTIONS) instead.
-: Sets how long a database connection should wait before timing out.
+    ```bash title="PostgreSQL"
    PAPERLESS_DB_OPTIONS="sslrootcert=/path/to/ca.pem"
    ```
-    For SQLite, this sets how long to wait if the database is locked.
+    ```bash title="MariaDB"
-    For PostgreSQL or MariaDB, this sets the connection timeout.
+    PAPERLESS_DB_OPTIONS="ssl.ca=/path/to/ca.pem"
    ```
-    Defaults to unset, which uses Django’s built-in defaults.
+#### ~~[`PAPERLESS_DBSSLCERT`](#PAPERLESS_DBSSLCERT)~~ {#PAPERLESS_DBSSLCERT}
-#### [`PAPERLESS_DB_POOLSIZE=<int>`](#PAPERLESS_DB_POOLSIZE) {#PAPERLESS_DB_POOLSIZE}
+!!! failure "Removed in v3"
-: Defines the maximum number of database connections to keep in the pool.
+    Use [`PAPERLESS_DB_OPTIONS`](#PAPERLESS_DB_OPTIONS) instead.
-    Only applies to PostgreSQL. This setting is ignored for other database engines.
+    ```bash title="PostgreSQL"
    PAPERLESS_DB_OPTIONS="sslcert=/path/to/client.crt"
    ```
-    The value must be greater than or equal to 1 to be used.
+    ```bash title="MariaDB"
-    Defaults to unset, which disables connection pooling.
+    PAPERLESS_DB_OPTIONS="ssl.cert=/path/to/client.crt"
    ```
-    !!! note
+#### ~~[`PAPERLESS_DBSSLKEY`](#PAPERLESS_DBSSLKEY)~~ {#PAPERLESS_DBSSLKEY}
-        A pool of 8-10 connections per worker is typically sufficient.
+!!! failure "Removed in v3"
        If you encounter error messages such as `couldn't get a connection`
        or database connection timeouts, you probably need to increase the pool size.
-    !!! warning
+    Use [`PAPERLESS_DB_OPTIONS`](#PAPERLESS_DB_OPTIONS) instead.
        Make sure your PostgreSQL `max_connections` setting is large enough to handle the connection pools:
        `(NB_PAPERLESS_WORKERS + NB_CELERY_WORKERS) × POOL_SIZE + SAFETY_MARGIN`. For example, with
        4 Paperless workers and 2 Celery workers, and a pool size of 8:``(4 + 2) × 8 + 10 = 58`,
        so `max_connections = 60` (or even more) is appropriate.
-        This assumes only Paperless-ngx connects to your PostgreSQL instance. If you have other applications,
+    ```bash title="PostgreSQL"
-        you should increase `max_connections` accordingly.
+    PAPERLESS_DB_OPTIONS="sslkey=/path/to/client.key"
    ```
    ```bash title="MariaDB"
    PAPERLESS_DB_OPTIONS="ssl.key=/path/to/client.key"
    ```
 #### ~~[`PAPERLESS_DB_TIMEOUT`](#PAPERLESS_DB_TIMEOUT)~~ {#PAPERLESS_DB_TIMEOUT}
 !!! failure "Removed in v3"
    Use [`PAPERLESS_DB_OPTIONS`](#PAPERLESS_DB_OPTIONS) instead.
    ```bash title="SQLite"
    PAPERLESS_DB_OPTIONS="timeout=30"
    ```
    ```bash title="PostgreSQL or MariaDB"
    PAPERLESS_DB_OPTIONS="connect_timeout=30"
    ```
 #### ~~[`PAPERLESS_DB_POOLSIZE`](#PAPERLESS_DB_POOLSIZE)~~ {#PAPERLESS_DB_POOLSIZE}
 !!! failure "Removed in v3"
    Use [`PAPERLESS_DB_OPTIONS`](#PAPERLESS_DB_OPTIONS) instead.
    ```bash
    PAPERLESS_DB_OPTIONS="pool.max_size=10"
    ```
 #### [`PAPERLESS_DB_READ_CACHE_ENABLED=<bool>`](#PAPERLESS_DB_READ_CACHE_ENABLED) {#PAPERLESS_DB_READ_CACHE_ENABLED}
@@ -367,6 +420,12 @@ Defaults to `/usr/share/nltk_data`
 : This is where paperless will store the classification model.
    !!! warning
        The classification model uses Python's pickle serialization format.
        Ensure this file is only writable by the paperless user, as a
        maliciously crafted model file could execute arbitrary code when loaded.
    Defaults to `PAPERLESS_DATA_DIR/classification_model.pickle`.
 ## Logging
@@ -387,14 +446,20 @@ Defaults to `/usr/share/nltk_data`
 #### [`PAPERLESS_SECRET_KEY=<key>`](#PAPERLESS_SECRET_KEY) {#PAPERLESS_SECRET_KEY}
-: Paperless uses this to make session tokens. If you expose paperless
+: **Required.** Paperless uses this to make session tokens and sign
-on the internet, you need to change this, since the default secret
+sensitive data. Paperless will refuse to start if this is not set.
 is well known.
    Use any sequence of characters. The more, the better. You don't
-    need to remember this. Just face-roll your keyboard.
+    need to remember this. You can generate a suitable key with:
-    Default is listed in the file `src/paperless/settings.py`.
+        python3 -c "import secrets; print(secrets.token_urlsafe(64))"
    !!! warning
        This setting has no default value. You **must** set it before
        starting Paperless. Existing installations that relied on the
        previous default value should set `PAPERLESS_SECRET_KEY` to
        that value to avoid invalidating existing sessions and tokens.
 #### [`PAPERLESS_URL=<url>`](#PAPERLESS_URL) {#PAPERLESS_URL}
@@ -453,8 +518,25 @@ do CORS calls. Set this to your public domain name.
 fail2ban with log entries for failed authorization attempts. Value should be
 IP address(es).
    This setting also controls allauth's
    [`ALLAUTH_TRUSTED_PROXY_COUNT`](https://docs.allauth.org/en/latest/account/configuration.html),
    which is set to the number of proxies listed here. Without this,
    allauth cannot determine the client IP address for rate limiting when
    running behind a reverse proxy, resulting in a `403 Forbidden` on login.
    Defaults to empty string.
 #### [`PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER=<header-name>`](#PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER) {#PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER}
 : Sets allauth's
 [`ALLAUTH_TRUSTED_CLIENT_IP_HEADER`](https://docs.allauth.org/en/latest/account/configuration.html).
 Use this when your reverse proxy sets a dedicated header for the real
 client IP instead of `X-Forwarded-For`, for example `X-Real-IP` (nginx)
 or `CF-Connecting-IP` (Cloudflare). When set, this takes precedence over
 [`PAPERLESS_TRUSTED_PROXIES`](#PAPERLESS_TRUSTED_PROXIES).
    Defaults to none.
 #### [`PAPERLESS_FORCE_SCRIPT_NAME=<path>`](#PAPERLESS_FORCE_SCRIPT_NAME) {#PAPERLESS_FORCE_SCRIPT_NAME}
 : To host paperless under a subpath url like example.com/paperless you
@@ -639,6 +721,9 @@ See the corresponding [django-allauth documentation](https://docs.allauth.org/en
 for a list of provider configurations. You will also need to include the relevant Django 'application' inside the
 [PAPERLESS_APPS](#PAPERLESS_APPS) setting to activate that specific authentication provider (e.g. `allauth.socialaccount.providers.openid_connect` for the [OIDC Connect provider](https://docs.allauth.org/en/latest/socialaccount/providers/openid_connect.html)).
 : For OpenID Connect providers, set `settings.token_auth_method` if your identity provider
 requires a specific token endpoint authentication method.
    Defaults to None, which does not enable any third party authentication systems.
 #### [`PAPERLESS_SOCIAL_AUTO_SIGNUP=<bool>`](#PAPERLESS_SOCIAL_AUTO_SIGNUP) {#PAPERLESS_SOCIAL_AUTO_SIGNUP}
@@ -659,7 +744,7 @@ system. See the corresponding
 : Sync groups from the third party authentication system (e.g. OIDC) to Paperless-ngx. When enabled, users will be added or removed from groups based on their group membership in the third party authentication system. Groups must already exist in Paperless-ngx and have the same name as in the third party authentication system. Groups are updated upon logging in via the third party authentication system, see the corresponding [django-allauth documentation](https://docs.allauth.org/en/dev/socialaccount/signals.html).
-: In order to pass groups from the authentication system you will need to update your [PAPERLESS_SOCIALACCOUNT_PROVIDERS](#PAPERLESS_SOCIALACCOUNT_PROVIDERS) setting by adding a top-level "SCOPES" setting which includes "groups", e.g.:
+: In order to pass groups from the authentication system you will need to update your [PAPERLESS_SOCIALACCOUNT_PROVIDERS](#PAPERLESS_SOCIALACCOUNT_PROVIDERS) setting by adding a top-level "SCOPES" setting which includes "groups", or the custom groups claim configured in [`PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS_CLAIM`](#PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS_CLAIM) e.g.:
    ```json
    {"openid_connect":{"SCOPE": ["openid","profile","email","groups"]...
@@ -667,6 +752,12 @@ system. See the corresponding
    Defaults to False
 #### [`PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS_CLAIM=<str>`](#PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS_CLAIM) {#PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS_CLAIM}
 : Allows you to define a custom groups claim. See [PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS](#PAPERLESS_SOCIAL_ACCOUNT_SYNC_GROUPS) which is required for this setting to take effect.
    Defaults to "groups"
 #### [`PAPERLESS_SOCIAL_ACCOUNT_DEFAULT_GROUPS=<comma-separated-list>`](#PAPERLESS_SOCIAL_ACCOUNT_DEFAULT_GROUPS) {#PAPERLESS_SOCIAL_ACCOUNT_DEFAULT_GROUPS}
 : A list of group names that users who signup via social accounts will be added to upon signup. Groups listed here must already exist.
@@ -726,6 +817,14 @@ If both the [PAPERLESS_ACCOUNT_DEFAULT_GROUPS](#PAPERLESS_ACCOUNT_DEFAULT_GROUPS
    Defaults to 1209600 (2 weeks)
 #### [`PAPERLESS_TOKEN_THROTTLE_RATE=<rate>`](#PAPERLESS_TOKEN_THROTTLE_RATE) {#PAPERLESS_TOKEN_THROTTLE_RATE}
 : Rate limit for the API token authentication endpoint (`/api/token/`), used to mitigate brute-force login attempts.
 Uses Django REST Framework's [throttle rate format](https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy),
 e.g. `5/min`, `100/hour`, `1000/day`.
    Defaults to `5/min`
 ## OCR settings {#ocr}
 Paperless uses [OCRmyPDF](https://ocrmypdf.readthedocs.io/en/latest/)
@@ -757,11 +856,14 @@ parsing documents.
 #### [`PAPERLESS_OCR_MODE=<mode>`](#PAPERLESS_OCR_MODE) {#PAPERLESS_OCR_MODE}
-: Tell paperless when and how to perform ocr on your documents. Three
+: Tell paperless when and how to perform ocr on your documents. Four
 modes are available:
-    -   `skip`: Paperless skips all pages and will perform ocr only on
+    -   `auto` (default): Paperless detects whether a document already
-        pages where no text is present. This is the safest option.
+        has embedded text via pdftotext. If sufficient text is found,
        OCR is skipped for that document (`--skip-text`). If no text is
        present, OCR runs normally. This is the safest option for mixed
        document collections.
    -   `redo`: Paperless will OCR all pages of your documents and
        attempt to replace any existing text layers with new text. This
@@ -779,24 +881,59 @@ modes are available:
        significantly larger and text won't appear as sharp when zoomed
        in.
-    The default is `skip`, which only performs OCR when necessary and
+    -   `off`: Paperless never invokes the OCR engine. For PDFs, text
-    always creates archived documents.
+        is extracted via pdftotext only. For image documents, text will
        be empty. Archive file generation still works via format
        conversion (no Tesseract or Ghostscript required).
-    Read more about this in the [OCRmyPDF
+    The default is `auto`.
    For the `skip`, `redo`, and `force` modes, read more about OCR
    behaviour in the [OCRmyPDF
    documentation](https://ocrmypdf.readthedocs.io/en/latest/advanced.html#when-ocr-is-skipped).
-#### [`PAPERLESS_OCR_SKIP_ARCHIVE_FILE=<mode>`](#PAPERLESS_OCR_SKIP_ARCHIVE_FILE) {#PAPERLESS_OCR_SKIP_ARCHIVE_FILE}
+#### [`PAPERLESS_ARCHIVE_FILE_GENERATION=<mode>`](#PAPERLESS_ARCHIVE_FILE_GENERATION) {#PAPERLESS_ARCHIVE_FILE_GENERATION}
-: Specify when you would like paperless to skip creating an archived
+: Controls when paperless creates a PDF/A archive version of your
-version of your documents. This is useful if you don't want to have two
+documents. Archive files are stored alongside the original and are used
-almost-identical versions of your documents in the media folder.
+for display in the web interface.
-    -   `never`: Never skip creating an archived version.
+    -   `auto` (default): Produce archives for scanned or image-based
-    -   `with_text`: Skip creating an archived version for documents
+        documents. Skip archive generation for born-digital PDFs that
-    that already have embedded text.
+        already contain embedded text. This is the recommended setting
-    -   `always`: Always skip creating an archived version.
+        for mixed document collections.
    -   `always`: Always produce a PDF/A archive when the parser
        supports it, regardless of whether the document already has
        text.
    -   `never`: Never produce an archive. Only the original file is
        stored. Saves disk space but the web viewer will display the
        original file directly.
-    The default is `never`.
+    **Behaviour by file type and mode** (`auto` column shows the default):
    | Document type              | `never` | `auto` (default)           | `always` |
    | -------------------------- | ------- | -------------------------- | -------- |
    | Scanned image (TIFF, JPEG) | No      | **Yes**                    | Yes      |
    | Image-based PDF            | No      | **Yes** (short/no text, untagged) | Yes |
    | Born-digital PDF           | No      | No (tagged or has embedded text)  | Yes |
    | Plain text, email, HTML    | No      | No                         | No       |
    | DOCX / ODT (via Tika)      | Yes\*   | Yes\*                      | Yes\*    |
    \* Tika always produces a PDF rendition for display; this counts as
    the archive regardless of the setting.
    !!! note
        This setting applies to the built-in Tesseract parser. Parsers
        that must always convert documents to PDF for display (e.g. DOCX,
        ODT via Tika) will produce a PDF regardless of this setting.
    !!! note
        The **remote OCR parser** (Azure AI) always produces a searchable
        PDF and stores it as the archive copy, regardless of this setting.
        `ARCHIVE_FILE_GENERATION=never` has no effect when the remote
        parser handles a document.
 #### [`PAPERLESS_OCR_CLEAN=<mode>`](#PAPERLESS_OCR_CLEAN) {#PAPERLESS_OCR_CLEAN}
@@ -1059,6 +1196,32 @@ should be a valid crontab(5) expression describing when to run.
    Defaults to `0 0 * * *` or daily at midnight.
 #### [`PAPERLESS_SEARCH_LANGUAGE=<language>`](#PAPERLESS_SEARCH_LANGUAGE) {#PAPERLESS_SEARCH_LANGUAGE}
 : Sets the stemmer language for the full-text search index.
 Stemming improves recall by matching word variants (e.g. "running" matches "run").
 Changing this setting causes the index to be rebuilt automatically on next startup.
 An invalid value raises an error at startup.
 : Use the ISO 639-1 two-letter code (e.g. `en`, `de`, `fr`). Lowercase full names
 (e.g. `english`, `german`, `french`) are also accepted. The capitalized names shown
 in the [Tantivy Language enum](https://docs.rs/tantivy/latest/tantivy/tokenizer/enum.Language.html)
 documentation are **not** valid — use the lowercase equivalent.
 : If not set, paperless infers the language from
 [`PAPERLESS_OCR_LANGUAGE`](#PAPERLESS_OCR_LANGUAGE). If the OCR language has no
 Tantivy stemmer equivalent, stemming is disabled.
    Defaults to unset (inferred from `PAPERLESS_OCR_LANGUAGE`).
 #### [`PAPERLESS_ADVANCED_FUZZY_SEARCH_THRESHOLD=<float>`](#PAPERLESS_ADVANCED_FUZZY_SEARCH_THRESHOLD) {#PAPERLESS_ADVANCED_FUZZY_SEARCH_THRESHOLD}
 : When set to a float value, approximate/fuzzy matching is applied alongside exact
 matching. Fuzzy results rank below exact matches. A value of `0.5` is a reasonable
 starting point. Leave unset to disable fuzzy matching entirely.
    Defaults to unset (disabled).
 #### [`PAPERLESS_SANITY_TASK_CRON=<cron expression>`](#PAPERLESS_SANITY_TASK_CRON) {#PAPERLESS_SANITY_TASK_CRON}
 : Configures the scheduled sanity checker frequency. The value should be a
@@ -1146,8 +1309,9 @@ via the consumption directory, you can disable the consumer to save resources.
 #### [`PAPERLESS_CONSUMER_DELETE_DUPLICATES=<bool>`](#PAPERLESS_CONSUMER_DELETE_DUPLICATES) {#PAPERLESS_CONSUMER_DELETE_DUPLICATES}
-: When the consumer detects a duplicate document, it will not touch
+: As of version 3.0 Paperless-ngx allows duplicate documents to be consumed by default, _except_ when
-the original document. This default behavior can be changed here.
+this setting is enabled. When enabled, Paperless will check if a document with the same hash already
 exists in the system and delete the duplicate file from the consumption directory without consuming it.
    Defaults to false.
@@ -1215,14 +1379,6 @@ using Python's `re.match()`, which anchors at the start of the filename.
    The default ignores are `[.stfolder, .stversions, .localized, @eaDir, .Spotlight-V100, .Trashes, __MACOSX]` and cannot be overridden.
 #### [`PAPERLESS_CONSUMER_BARCODE_SCANNER=<string>`](#PAPERLESS_CONSUMER_BARCODE_SCANNER) {#PAPERLESS_CONSUMER_BARCODE_SCANNER}
 : Sets the barcode scanner used for barcode functionality.
    Currently, "PYZBAR" (the default) or "ZXING" might be selected.
    If you have problems that your Barcodes/QR-Codes are not detected
    (especially with bad scan quality and/or small codes), try the other one.
 #### [`PAPERLESS_PRE_CONSUME_SCRIPT=<filename>`](#PAPERLESS_PRE_CONSUME_SCRIPT) {#PAPERLESS_PRE_CONSUME_SCRIPT}
 : After some initial validation, Paperless can trigger an arbitrary
@@ -1357,6 +1513,14 @@ ports.
 ## Incoming Mail {#incoming_mail}
 #### [`PAPERLESS_EMAIL_ALLOW_INTERNAL_HOSTS=<bool>`](#PAPERLESS_EMAIL_ALLOW_INTERNAL_HOSTS) {#PAPERLESS_EMAIL_ALLOW_INTERNAL_HOSTS}
 : If set to false, incoming mail account connections are blocked when the
 configured IMAP hostname resolves to a non-public address (for example,
 localhost, link-local, or RFC1918 private ranges).
    Defaults to true, which allows internal hosts.
 ### Email OAuth {#email_oauth}
 #### [`PAPERLESS_OAUTH_CALLBACK_BASE_URL=<str>`](#PAPERLESS_OAUTH_CALLBACK_BASE_URL) {#PAPERLESS_OAUTH_CALLBACK_BASE_URL}
@@ -1550,6 +1714,20 @@ assigns or creates tags if a properly formatted barcode is detected.
    Please refer to the Python regex documentation for more information.
 #### [`PAPERLESS_CONSUMER_TAG_BARCODE_SPLIT=<bool>`](#PAPERLESS_CONSUMER_TAG_BARCODE_SPLIT) {#PAPERLESS_CONSUMER_TAG_BARCODE_SPLIT}
 : Enables splitting of documents on tag barcodes, similar to how ASN barcodes work.
    When enabled, documents will be split into separate PDFs at pages containing
    tag barcodes that match the configured `PAPERLESS_CONSUMER_TAG_BARCODE_MAPPING`
    patterns. The page with the tag barcode will be retained in the new document.
    Each split document will have the detected tags assigned to it.
    This only has an effect if `PAPERLESS_CONSUMER_ENABLE_TAG_BARCODE` is also enabled.
    Defaults to false.
 ## Audit Trail
 #### [`PAPERLESS_AUDIT_LOG_ENABLED=<bool>`](#PAPERLESS_AUDIT_LOG_ENABLED) {#PAPERLESS_AUDIT_LOG_ENABLED}
@@ -1610,6 +1788,16 @@ processing. This only has an effect if
    Defaults to `0 1 * * *`, once per day.
 ## Share links
 #### [`PAPERLESS_SHARE_LINK_BUNDLE_CLEANUP_CRON=<cron expression>`](#PAPERLESS_SHARE_LINK_BUNDLE_CLEANUP_CRON) {#PAPERLESS_SHARE_LINK_BUNDLE_CLEANUP_CRON}
 : Controls how often Paperless-ngx removes expired share link bundles (and their generated ZIP archives).
 : If set to the string "disable", expired bundles are not cleaned up automatically.
    Defaults to `0 2 * * *`, once per day at 02:00.
 ## Binaries
 There are a few external software packages that Paperless expects to
@@ -1843,52 +2031,73 @@ suggestions. This setting is required to be set to true in order to use the AI f
 #### [`PAPERLESS_AI_LLM_EMBEDDING_BACKEND=<str>`](#PAPERLESS_AI_LLM_EMBEDDING_BACKEND) {#PAPERLESS_AI_LLM_EMBEDDING_BACKEND}
-: The embedding backend to use for RAG. This can be either "openai" or "huggingface".
+: The embedding backend to use for RAG. This can be "openai-like", "huggingface", or
 "ollama". The "openai-like" backend uses an OpenAI-compatible embeddings API.
    Defaults to None.
 #### [`PAPERLESS_AI_LLM_EMBEDDING_MODEL=<str>`](#PAPERLESS_AI_LLM_EMBEDDING_MODEL) {#PAPERLESS_AI_LLM_EMBEDDING_MODEL}
-: The model to use for the embedding backend for RAG. This can be set to any of the embedding models supported by the current embedding backend. If not supplied, defaults to "text-embedding-3-small" for OpenAI and "sentence-transformers/all-MiniLM-L6-v2" for Huggingface.
+: The model to use for the embedding backend for RAG. This can be set to any of the embedding
 models supported by the current embedding backend. If not supplied, defaults to
 "text-embedding-3-small" for the OpenAI-compatible backend,
 "sentence-transformers/all-MiniLM-L6-v2" for Huggingface, and "embeddinggemma" for Ollama.
    Defaults to None.
 #### [`PAPERLESS_AI_LLM_EMBEDDING_ENDPOINT=<str>`](#PAPERLESS_AI_LLM_EMBEDDING_ENDPOINT) {#PAPERLESS_AI_LLM_EMBEDDING_ENDPOINT}
 : The endpoint / url to use for the embedding backend. If not supplied, embeddings use
 `PAPERLESS_AI_LLM_ENDPOINT`.
    Defaults to None.
 #### [`PAPERLESS_AI_LLM_BACKEND=<str>`](#PAPERLESS_AI_LLM_BACKEND) {#PAPERLESS_AI_LLM_BACKEND}
-: The AI backend to use. This can be either "openai" or "ollama". If set to "ollama", the AI
+: The AI backend to use. This can be either "openai-like" or "ollama". If set to "ollama", the AI
-features will be run locally on your machine. If set to "openai", the AI features will be run
+features will be run locally on your machine. If set to "openai-like", the AI features will use
-using the OpenAI API. This setting is required to be set to use the AI features.
+an OpenAI-compatible API endpoint, including OpenAI itself and compatible providers. This
 setting is required to be set to use the AI features.
    Defaults to None.
    !!! note
-        The OpenAI API is a paid service. You will need to set up an OpenAI account and
+        Remote AI providers may be paid services. If you use a hosted OpenAI-compatible API, you
-        will be charged for usage incurred by Paperless-ngx features and your document data
+        are responsible for any usage charges incurred by Paperless-ngx features, and your
-        will (of course) be sent to the OpenAI API. Paperless-ngx does not endorse the use of the
+        document data will be sent to the provider you configure.
        OpenAI API in any way.
-        Refer to the OpenAI terms of service, and use at your own risk.
+        Paperless-ngx does not endorse any specific provider. Refer to your provider's terms of
        service and privacy policy, and use at your own risk.
 #### [`PAPERLESS_AI_LLM_MODEL=<str>`](#PAPERLESS_AI_LLM_MODEL) {#PAPERLESS_AI_LLM_MODEL}
-: The model to use for the AI backend, i.e. "gpt-3.5-turbo", "gpt-4" or any of the models supported by the
+: The model to use for the AI backend, i.e. "gpt-3.5-turbo", "gpt-4" or any of the models supported
-current backend. If not supplied, defaults to "gpt-3.5-turbo" for OpenAI and "llama3.1" for Ollama.
+by the current backend. If not supplied, defaults to "gpt-3.5-turbo" for the OpenAI-compatible
 backend and "llama3.1" for Ollama.
    Defaults to None.
 #### [`PAPERLESS_AI_LLM_API_KEY=<str>`](#PAPERLESS_AI_LLM_API_KEY) {#PAPERLESS_AI_LLM_API_KEY}
-: The API key to use for the AI backend. This is required for the OpenAI backend (optional for others).
+: The API key to use for the AI backend. This is typically required for the OpenAI-compatible
 backend (optional for others).
    Defaults to None.
 #### [`PAPERLESS_AI_LLM_ENDPOINT=<str>`](#PAPERLESS_AI_LLM_ENDPOINT) {#PAPERLESS_AI_LLM_ENDPOINT}
-: The endpoint / url to use for the AI backend. This is required for the Ollama backend (optional for others).
+: The endpoint / url to use for the AI backend. This is required for the Ollama backend and may be
 used with the OpenAI-compatible backend to target a custom provider or local gateway.
    Defaults to None.
 #### [`PAPERLESS_AI_LLM_ALLOW_INTERNAL_ENDPOINTS=<bool>`](#PAPERLESS_AI_LLM_ALLOW_INTERNAL_ENDPOINTS) {#PAPERLESS_AI_LLM_ALLOW_INTERNAL_ENDPOINTS}
 : If set to false, Paperless blocks AI endpoint URLs that resolve to non-public addresses (e.g., localhost, etc).
    Defaults to true, which allows internal endpoints.
 #### [`PAPERLESS_AI_LLM_INDEX_TASK_CRON=<cron expression>`](#PAPERLESS_AI_LLM_INDEX_TASK_CRON) {#PAPERLESS_AI_LLM_INDEX_TASK_CRON}
 : Configures the schedule to update the AI embeddings of text content and metadata for all documents. Only performed if
@@ -75,13 +75,13 @@ first-time setup.
 4.  Install the Python dependencies:
    ```bash
-    $ uv sync --group dev
+    uv sync --group dev
    ```
 5.  Install pre-commit hooks:
    ```bash
-    $ uv run pre-commit install
+    uv run prek install
    ```
 6.  Apply migrations and create a superuser (also can be done via the web UI) for your development instance:
@@ -89,12 +89,11 @@ first-time setup.
    ```bash
    # src/
-    $ uv run manage.py migrate
+    uv run manage.py migrate
-    $ uv run manage.py createsuperuser
+    uv run manage.py createsuperuser
    ```
 7.  You can now either ...
    - install Redis or
    - use the included `scripts/start_services.sh` to use Docker to fire
@@ -103,7 +102,7 @@ first-time setup.
    - spin up a bare Redis container
-        ```
+      ```bash
      docker run -d -p 6379:6379 --restart unless-stopped redis:latest
      ```
@@ -118,18 +117,18 @@ work well for development, but you can use whatever you want.
 Configure the IDE to use the `src/`-folder as the base source folder.
 Configure the following launch configurations in your IDE:
-   `python3 manage.py runserver`
+- `uv run manage.py runserver`
-   `python3 manage.py document_consumer`
+- `uv run manage.py document_consumer`
-   `celery --app paperless worker -l DEBUG` (or any other log level)
+- `uv run celery --app paperless worker -l DEBUG` (or any other log level)
 To start them all:
 ```bash
 # src/
-$ python3 manage.py runserver & \
+uv run manage.py runserver & \
-  python3 manage.py document_consumer & \
+  uv run manage.py document_consumer & \
-  celery --app paperless worker -l DEBUG
+  uv run celery --app paperless worker -l DEBUG
 ```
 You might need the front end to test your back end code.
@@ -140,8 +139,8 @@ To build the front end once use this command:
 ```bash
 # src-ui/
-$ pnpm install
+pnpm install
-$ ng build --configuration production
+pnpm ng build --configuration production
 ```
 ### Testing
@@ -199,7 +198,7 @@ The front end is built using AngularJS. In order to get started, you need Node.j
 4.  You can launch a development server by running:
    ```bash
-    ng serve
+    pnpm ng serve
    ```
    This will automatically update whenever you save. However, in-place
@@ -217,21 +216,21 @@ commit. See [above](#code-formatting-with-pre-commit-hooks) for installation ins
 command such as
 ```bash
-$ git ls-files -- '*.ts' | xargs pre-commit run prettier --files
+git ls-files -- '*.ts' | xargs uv run prek run prettier --files
 ```
 Front end testing uses Jest and Playwright. Unit tests and e2e tests,
 respectively, can be run non-interactively with:
 ```bash
-$ ng test
+pnpm ng test
-$ npx playwright test
+pnpm playwright test
 ```
 Playwright also includes a UI which can be run with:
 ```bash
-$ npx playwright test --ui
+pnpm playwright test --ui
 ```
 ### Building the frontend
@@ -239,7 +238,7 @@ $ npx playwright test --ui
 In order to build the front end and serve it as part of Django, execute:
 ```bash
-$ ng build --configuration production
+pnpm ng build --configuration production
 ```
 This will build the front end and put it in a location from which the
@@ -312,10 +311,10 @@ end (such as error messages).
 - The source language of the project is "en_US".
 - Localization files end up in the folder `src/locale/`.
 - In order to extract strings from the application, call
-    `python3 manage.py makemessages -l en_US`. This is important after
+  `uv run manage.py makemessages -l en_US`. This is important after
  making changes to translatable strings.
 - The message files need to be compiled for them to show up in the
-    application. Call `python3 manage.py compilemessages` to do this.
+  application. Call `uv run manage.py compilemessages` to do this.
  The generated files don't get committed into git, since these are
  derived artifacts. The build pipeline takes care of executing this
  command.
@@ -338,13 +337,13 @@ LANGUAGES = [
 ## Building the documentation
-The documentation is built using material-mkdocs, see their [documentation](https://squidfunk.github.io/mkdocs-material/reference/).
+The documentation is built using Zensical, see their [documentation](https://zensical.org/docs/).
 If you want to build the documentation locally, this is how you do it:
 1.  Build the documentation
    ```bash
-    $ uv run mkdocs build --config-file mkdocs.yml
+    $ uv run zensical build
    ```
    _alternatively..._
@@ -355,10 +354,10 @@ If you want to build the documentation locally, this is how you do it:
    something.
    ```bash
-    $ uv run mkdocs serve
+    $ uv run zensical serve
    ```
-## Building the Docker image
+## Building the Docker image {#docker_build}
 The docker image is primarily built by the GitHub actions workflow, but
 it can be faster when developing to build and tag an image locally.
@@ -371,88 +370,505 @@ docker build --file Dockerfile --tag paperless:local .
 ## Extending Paperless-ngx
-Paperless-ngx does not have any fancy plugin systems and will probably never
+Paperless-ngx supports third-party document parsers via a Python entry point
-have. However, some parts of the application have been designed to allow
+plugin system. Plugins are distributed as ordinary Python packages and
-easy integration of additional features without any modification to the
+discovered automatically at startup — no changes to the Paperless-ngx source
-base code.
+are required.
 !!! warning "Third-party plugins are not officially supported"
    The Paperless-ngx maintainers do not provide support for third-party
    plugins. Issues that are caused by or require changes to a third-party
    plugin will be closed without further investigation. If you believe you
    have found a bug in Paperless-ngx itself (not in a plugin), please
    reproduce it with all third-party plugins removed before filing an issue.
 ### Making custom parsers
-Paperless-ngx uses parsers to add documents. A parser is
+Paperless-ngx uses parsers to add documents. A parser is responsible for:
 responsible for:
-   Retrieving the content from the original
+- Extracting plain-text content from the document
-   Creating a thumbnail
+- Generating a thumbnail image
-   _optional:_ Retrieving a created date from the original
+- _optional:_ Detecting the document's creation date
-   _optional:_ Creating an archived document from the original
+- _optional:_ Producing a searchable PDF archive copy
-Custom parsers can be added to Paperless-ngx to support more file types. In
+Custom parsers are distributed as ordinary Python packages and registered
-order to do that, you need to write the parser itself and announce its
+via a [setuptools entry point](https://setuptools.pypa.io/en/latest/userguide/entry_point.html).
-existence to Paperless-ngx.
+No changes to the Paperless-ngx source are required.
-The parser itself must extend `documents.parsers.DocumentParser` and
+#### 1. Implementing the parser class
-must implement the methods `parse` and `get_thumbnail`. You can provide
+
-your own implementation to `get_date` if you don't want to rely on
+Your parser must satisfy the `ParserProtocol` structural interface defined in
-Paperless-ngx' default date guessing mechanisms.
+`paperless.parsers`. The simplest approach is to write a plain class — no base
 class is required, only the right attributes and methods.
 **Class-level identity attributes**
 The registry reads these before instantiating the parser, so they must be
 plain class attributes (not instance attributes or properties):
 ```python
-class MyCustomParser(DocumentParser):
+class MyCustomParser:
-
+    name    = "My Format Parser"   # human-readable name shown in logs
-    def parse(self, document_path, mime_type):
+    version = "1.0.0"              # semantic version string
-        # This method does not return anything. Rather, you should assign
+    author  = "Acme Corp"          # author / organisation
-        # whatever you got from the document to the following fields:
+    url     = "https://example.com/my-parser"  # docs or issue tracker
        # The content of the document.
        self.text = "content"
        # Optional: path to a PDF document that you created from the original.
        self.archive_path = os.path.join(self.tempdir, "archived.pdf")
        # Optional: "created" date of the document.
        self.date = get_created_from_metadata(document_path)
    def get_thumbnail(self, document_path, mime_type):
        # This should return the path to a thumbnail you created for this
        # document.
        return os.path.join(self.tempdir, "thumb.webp")
 ```
-If you encounter any issues during parsing, raise a
+**Declaring supported MIME types**
 `documents.parsers.ParseError`.
-The `self.tempdir` directory is a temporary directory that is guaranteed
+Return a `dict` mapping MIME type strings to preferred file extensions
-to be empty and removed after consumption finished. You can use that
+(including the leading dot). Paperless-ngx uses the extension when storing
-directory to store any intermediate files and also use it to store the
+archive copies and serving files for download.
 thumbnail / archived document.
 After that, you need to announce your parser to Paperless-ngx. You need to
 connect a handler to the `document_consumer_declaration` signal. Have a
 look in the file `src/paperless_tesseract/apps.py` on how that's done.
 The handler is a method that returns information about your parser:
 ```python
-def myparser_consumer_declaration(sender, **kwargs):
+@classmethod
 def supported_mime_types(cls) -> dict[str, str]:
    return {
-        "parser": MyCustomParser,
+        "application/x-my-format": ".myf",
-        "weight": 0,
+        "application/x-my-format-alt": ".myf",
        "mime_types": {
            "application/pdf": ".pdf",
            "image/jpeg": ".jpg",
        }
    }
 ```
-   `parser` is a reference to a class that extends `DocumentParser`.
+**Scoring**
-   `weight` is used whenever two or more parsers are able to parse a
+
-    file: The parser with the higher weight wins. This can be used to
+When more than one parser can handle a file, the registry calls `score()` on
-    override the parsers provided by Paperless-ngx.
+each candidate and picks the one with the highest result and equal scores favor third-party parsers over built-ins. Return `None` to
-   `mime_types` is a dictionary. The keys are the mime types your
+decline handling a file even though the MIME type is listed as supported (for
-    parser supports and the value is the default file extension that
+example, when a required external service is not configured).
-    Paperless-ngx should use when storing files and serving them for
+
-    download. We could guess that from the file extensions, but some
+| Score  | Meaning                                                                           |
-    mime types have many extensions associated with them and the Python
+| ------ | --------------------------------------------------------------------------------- |
-    methods responsible for guessing the extension do not always return
+| `None` | Decline — do not handle this file                                                 |
-    the same value.
+| `10`   | Default priority used by all built-in parsers                                     |
 | `20`   | Priority used by the remote OCR built-in parser, allowing it to replace Tesseract |
 | `> 10` | Override a built-in parser for the same MIME type                                 |
 ```python
@classmethod
 def score(
    cls,
    mime_type: str,
    filename: str,
    path: "Path | None" = None,
 ) -> int | None:
    # Inspect filename or file bytes here if needed.
    return 10
 ```
 **Archive and rendition flags**
 ```python
@property
 def can_produce_archive(self) -> bool:
    """True if parse() can produce a searchable PDF archive copy."""
    return True   # or False if your parser doesn't produce PDFs
@property
 def requires_pdf_rendition(self) -> bool:
    """True if the original format cannot be displayed by a browser
    (e.g. DOCX, ODT) and the PDF output must always be kept."""
    return False
 ```
 **Context manager — temp directory lifecycle**
 Paperless-ngx always uses parsers as context managers. Create a temporary
 working directory in `__enter__` (or `__init__`) and remove it in `__exit__`
 regardless of whether an exception occurred. Store intermediate files,
 thumbnails, and archive PDFs inside this directory.
 ```python
 import shutil
 import tempfile
 from pathlib import Path
 from typing import Self
 from types import TracebackType
 from django.conf import settings
 class MyCustomParser:
    ...
    def __init__(self, logging_group: object = None) -> None:
        settings.SCRATCH_DIR.mkdir(parents=True, exist_ok=True)
        self._tempdir = Path(
            tempfile.mkdtemp(prefix="paperless-", dir=settings.SCRATCH_DIR)
        )
        self._text: str | None = None
        self._archive_path: Path | None = None
    def __enter__(self) -> Self:
        return self
    def __exit__(
        self,
        exc_type: type[BaseException] | None,
        exc_val: BaseException | None,
        exc_tb: TracebackType | None,
    ) -> None:
        shutil.rmtree(self._tempdir, ignore_errors=True)
 ```
 **Optional context — `configure()`**
 The consumer calls `configure()` with a `ParserContext` after instantiation
 and before `parse()`. If your parser doesn't need context, a no-op
 implementation is fine:
 ```python
 from paperless.parsers import ParserContext
 def configure(self, context: ParserContext) -> None:
    pass   # override if you need context.mailrule_id, etc.
 ```
 **Parsing**
 `parse()` is the core method. It must not return a value; instead, store
 results in instance attributes and expose them via the accessor methods below.
 Raise `documents.parsers.ParseError` on any unrecoverable failure.
 ```python
 from documents.parsers import ParseError
 def parse(
    self,
    document_path: Path,
    mime_type: str,
    *,
    produce_archive: bool = True,
 ) -> None:
    try:
        self._text = extract_text_from_my_format(document_path)
    except Exception as e:
        raise ParseError(f"Failed to parse {document_path}: {e}") from e
    if produce_archive and self.can_produce_archive:
        archive = self._tempdir / "archived.pdf"
        convert_to_pdf(document_path, archive)
        self._archive_path = archive
 ```
 **Result accessors**
 ```python
 def get_text(self) -> str | None:
    return self._text
 def get_date(self) -> "datetime.datetime | None":
    # Return a datetime extracted from the document, or None to let
    # Paperless-ngx use its default date-guessing logic.
    return None
 def get_archive_path(self) -> Path | None:
    return self._archive_path
 def get_page_count(self, document_path: Path, mime_type: str) -> int | None:
    # If the format doesn't have the concept of pages, return None
    return count_pages(document_path)
 ```
 **Thumbnail**
 `get_thumbnail()` may be called independently of `parse()`. Return the path
 to a WebP image inside `self._tempdir`. The image should be roughly 500 × 700
 pixels.
 ```python
 def get_thumbnail(self, document_path: Path, mime_type: str) -> Path:
    thumb = self._tempdir / "thumb.webp"
    render_thumbnail(document_path, thumb)
    return thumb
 ```
 **Optional methods**
 These are called by the API on demand, not during the consumption pipeline.
 Implement them if your format supports the information; otherwise return
 `None` / `[]`.
 ```python
 def extract_metadata(
    self,
    document_path: Path,
    mime_type: str,
 ) -> "list[MetadataEntry]":
    # Must never raise. Return [] if metadata cannot be read.
    from paperless.parsers import MetadataEntry
    return [
        MetadataEntry(
            namespace="https://example.com/ns/",
            prefix="ex",
            key="Author",
            value="Alice",
        )
    ]
 ```
 #### 2. Registering via entry point
 Add the following to your package's `pyproject.toml`. The key (left of `=`)
 is an arbitrary name used only in log output; the value is the
 `module:ClassName` import path.
 ```toml
 [project.entry-points."paperless_ngx.parsers"]
 my_parser = "my_package.parsers:MyCustomParser"
 ```
 Install your package into the same Python environment as Paperless-ngx (or
 add it to the Docker image), and the parser will be discovered automatically
 on the next startup. No configuration changes are needed.
 To verify discovery, check the application logs at startup for a line like:
 ```
 Loaded third-party parser 'My Format Parser' v1.0.0 by Acme Corp (entrypoint: 'my_parser').
 ```
 #### 3. Utilities
 `paperless.parsers.utils` provides helpers you can import directly:
 | Function                                | Description                                                      |
 | --------------------------------------- | ---------------------------------------------------------------- |
 | `read_file_handle_unicode_errors(path)` | Read a file as UTF-8, replacing invalid bytes instead of raising |
 | `get_page_count_for_pdf(path)`          | Count pages in a PDF using pikepdf                               |
 | `extract_pdf_metadata(path)`            | Extract XMP metadata from a PDF as a `list[MetadataEntry]`       |
 #### Minimal example
 A complete, working parser for a hypothetical plain-XML format:
 ```python
 from __future__ import annotations
 import shutil
 import tempfile
 from pathlib import Path
 from typing import Self
 from types import TracebackType
 import xml.etree.ElementTree as ET
 from django.conf import settings
 from documents.parsers import ParseError
 from paperless.parsers import ParserContext
 class XmlDocumentParser:
    name    = "XML Parser"
    version = "1.0.0"
    author  = "Acme Corp"
    url     = "https://example.com/xml-parser"
    @classmethod
    def supported_mime_types(cls) -> dict[str, str]:
        return {"application/xml": ".xml", "text/xml": ".xml"}
    @classmethod
    def score(cls, mime_type: str, filename: str, path: Path | None = None) -> int | None:
        return 10
    @property
    def can_produce_archive(self) -> bool:
        return False
    @property
    def requires_pdf_rendition(self) -> bool:
        return False
    def __init__(self, logging_group: object = None) -> None:
        settings.SCRATCH_DIR.mkdir(parents=True, exist_ok=True)
        self._tempdir = Path(tempfile.mkdtemp(prefix="paperless-", dir=settings.SCRATCH_DIR))
        self._text: str | None = None
    def __enter__(self) -> Self:
        return self
    def __exit__(self, exc_type, exc_val, exc_tb) -> None:
        shutil.rmtree(self._tempdir, ignore_errors=True)
    def configure(self, context: ParserContext) -> None:
        pass
    def parse(self, document_path: Path, mime_type: str, *, produce_archive: bool = True) -> None:
        try:
            tree = ET.parse(document_path)
            self._text = " ".join(tree.getroot().itertext())
        except ET.ParseError as e:
            raise ParseError(f"XML parse error: {e}") from e
    def get_text(self) -> str | None:
        return self._text
    def get_date(self):
        return None
    def get_archive_path(self) -> Path | None:
        return None
    def get_thumbnail(self, document_path: Path, mime_type: str) -> Path:
        from PIL import Image, ImageDraw
        img = Image.new("RGB", (500, 700), color="white")
        ImageDraw.Draw(img).text((10, 10), "XML Document", fill="black")
        out = self._tempdir / "thumb.webp"
        img.save(out, format="WEBP")
        return out
    def get_page_count(self, document_path: Path, mime_type: str) -> int | None:
        return None
    def extract_metadata(self, document_path: Path, mime_type: str) -> list:
        return []
 ```
 ### Developing date parser plugins
 Paperless-ngx uses a plugin system for date parsing, allowing you to extend or replace the default date parsing behavior. Plugins are discovered using [Python entry points](https://setuptools.pypa.io/en/latest/userguide/entry_point.html).
 #### Creating a Date Parser Plugin
 To create a custom date parser plugin, you need to:
 1. Create a class that inherits from `DateParserPluginBase`
 2. Implement the required abstract method
 3. Register your plugin via an entry point
 ##### 1. Implementing the Parser Class
 Your parser must extend `documents.plugins.date_parsing.DateParserPluginBase` and implement the `parse` method:
 ```python
 from collections.abc import Iterator
 import datetime
 from documents.plugins.date_parsing import DateParserPluginBase
 class MyDateParserPlugin(DateParserPluginBase):
    """
    Custom date parser implementation.
    """
    def parse(self, filename: str, content: str) -> Iterator[datetime.datetime]:
        """
        Parse dates from the document's filename and content.
        Args:
            filename: The original filename of the document
            content: The extracted text content of the document
        Yields:
            datetime.datetime: Valid datetime objects found in the document
        """
        # Your parsing logic here
        # Use self.config to access configuration settings
        # Example: parse dates from filename first
        if self.config.filename_date_order:
            # Your filename parsing logic
            yield some_datetime
        # Then parse dates from content
        # Your content parsing logic
        yield another_datetime
 ```
 ##### 2. Configuration and Helper Methods
 Your parser instance is initialized with a `DateParserConfig` object accessible via `self.config`. This provides:
 - `languages: list[str]` - List of language codes for date parsing
 - `timezone_str: str` - Timezone string for date localization
 - `ignore_dates: set[datetime.date]` - Dates that should be filtered out
 - `reference_time: datetime.datetime` - Current time for filtering future dates
 - `filename_date_order: str | None` - Date order preference for filenames (e.g., "DMY", "MDY")
 - `content_date_order: str` - Date order preference for content
 The base class provides two helper methods you can use:
 ```python
 def _parse_string(
    self,
    date_string: str,
    date_order: str,
 ) -> datetime.datetime | None:
    """
    Parse a single date string using dateparser with configured settings.
    """
 def _filter_date(
    self,
    date: datetime.datetime | None,
 ) -> datetime.datetime | None:
    """
    Validate a parsed datetime against configured rules.
    Filters out dates before 1900, future dates, and ignored dates.
    """
 ```
 ##### 3. Resource Management (Optional)
 If your plugin needs to acquire or release resources (database connections, API clients, etc.), override the context manager methods. Paperless-ngx will always use plugins as context managers, ensuring resources can be released even in the event of errors.
 ##### 4. Registering Your Plugin
 Register your plugin using a setuptools entry point in your package's `pyproject.toml`:
 ```toml
 [project.entry-points."paperless_ngx.date_parsers"]
 my_parser = "my_package.parsers:MyDateParserPlugin"
 ```
 The entry point name (e.g., `"my_parser"`) is used for sorting when multiple plugins are found. Paperless-ngx will use the first plugin alphabetically by name if multiple plugins are discovered.
 #### Plugin Discovery
 Paperless-ngx automatically discovers and loads date parser plugins at runtime. The discovery process:
 1. Queries the `paperless_ngx.date_parsers` entry point group
 2. Validates that each plugin is a subclass of `DateParserPluginBase`
 3. Sorts valid plugins alphabetically by entry point name
 4. Uses the first valid plugin, or falls back to the default `RegexDateParserPlugin` if none are found
 If multiple plugins are installed, a warning is logged indicating which plugin was selected.
 #### Example: Simple Date Parser
 Here's a minimal example that only looks for ISO 8601 dates:
 ```python
 import datetime
 import re
 from collections.abc import Iterator
 from documents.plugins.date_parsing.base import DateParserPluginBase
 class ISODateParserPlugin(DateParserPluginBase):
    """
    Parser that only matches ISO 8601 formatted dates (YYYY-MM-DD).
    """
    ISO_REGEX = re.compile(r"\b(\d{4}-\d{2}-\d{2})\b")
    def parse(self, filename: str, content: str) -> Iterator[datetime.datetime]:
        # Combine filename and content for searching
        text = f"{filename} {content}"
        for match in self.ISO_REGEX.finditer(text):
            date_string = match.group(1)
            # Use helper method to parse with configured timezone
            date = self._parse_string(date_string, "YMD")
            # Use helper method to validate the date
            filtered_date = self._filter_date(date)
            if filtered_date is not None:
                yield filtered_date
 ```
 ## Using Visual Studio Code devcontainer
@@ -471,7 +887,6 @@ To get started:
 2. VS Code will prompt you with "Reopen in container". Do so and wait for the environment to start.
 3. In case your host operating system is Windows:
   - The Source Control view in Visual Studio Code might show: "The detected Git repository is potentially unsafe as the folder is owned by someone other than the current user." Use "Manage Unsafe Repositories" to fix this.
   - Git might have detecteded modifications for all files, because Windows is using CRLF line endings. Run `git checkout .` in the containers terminal to fix this issue.
@@ -1,3 +1,7 @@
 ---
 title: FAQs
 ---
 # Frequently Asked Questions
 ## _What's the general plan for Paperless-ngx?_
@@ -63,8 +67,10 @@ elsewhere. Here are a couple notes about that.
  Paperless also supports various Office documents (.docx, .doc, odt,
  .ppt, .pptx, .odp, .xls, .xlsx, .ods).
-Paperless-ngx determines the type of a file by inspecting its content.
+Paperless-ngx determines the type of a file by inspecting its content
-The file extensions do not matter.
+rather than its file extensions. However, files processed via the
 consumption directory will be rejected if they have a file extension that
 not supported by any of the available parsers.
 ## _Will paperless-ngx run on Raspberry Pi?_
@@ -1,6 +1,10 @@
 ---
 title: Home
 ---
 <div class="grid-left" markdown>
 ![image](assets/logo_full_black.svg#only-light){.index-logo}
-![image](assets/logo_full_white.svg#only-dark){.index-logo}
+![image](assets/logo_full_eee.svg#only-dark){.index-logo}
 **Paperless-ngx** is a _community-supported_ open-source document management system that transforms your
 physical documents into a searchable online archive so you can keep, well, _less paper_.
@@ -0,0 +1,328 @@
 # v3 Migration Guide
 ## Pre-Requisites
 Upgrading to Paperless-ngx v3 can only be performed from version 2.20.15. If you are running an older version, please upgrade to v2.20.15 before proceeding with the v3 upgrade.
 ## Secret Key is Now Required
 The `PAPERLESS_SECRET_KEY` environment variable is now required. This is a critical security setting used for cryptographic signing and should be set to a long, random value.
 ### Action Required
 If you are upgrading an existing installation, you must now set `PAPERLESS_SECRET_KEY` explicitly.
 If your installation was relying on the previous built-in default key, you have two options:
 - Set `PAPERLESS_SECRET_KEY` to that previous value to preserve existing sessions and tokens.
 - Set `PAPERLESS_SECRET_KEY` to a new random value to improve security, understanding that this will invalidate existing sessions and other signed tokens.
 For new installations, or if you choose to rotate the key, you may generate a new secret key with:
 ```bash
 python3 -c "import secrets; print(secrets.token_urlsafe(64))"
 ```
 ## Consumer Settings Changes
 The v3 consumer command uses a [different library](https://watchfiles.helpmanual.io/) to unify
 the watching for new files in the consume directory. For the user, this removes several configuration options related to delays and retries
 and replaces with a single unified setting. It also adjusts how the consumer ignore filtering happens, replaced `fnmatch` with `regex` and
 separating the directory ignore from the file ignore.
 ### Summary
 | Old Setting                    | New Setting                                                                         | Notes                                                                                |
 | ------------------------------ | ----------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
 | `CONSUMER_POLLING`             | [`CONSUMER_POLLING_INTERVAL`](configuration.md#PAPERLESS_CONSUMER_POLLING_INTERVAL) | Renamed for clarity                                                                  |
 | `CONSUMER_INOTIFY_DELAY`       | [`CONSUMER_STABILITY_DELAY`](configuration.md#PAPERLESS_CONSUMER_STABILITY_DELAY)   | Unified for all modes                                                                |
 | `CONSUMER_POLLING_DELAY`       | _Removed_                                                                           | Use `CONSUMER_STABILITY_DELAY`                                                       |
 | `CONSUMER_POLLING_RETRY_COUNT` | _Removed_                                                                           | Automatic with stability tracking                                                    |
 | `CONSUMER_IGNORE_PATTERNS`     | [`CONSUMER_IGNORE_PATTERNS`](configuration.md#PAPERLESS_CONSUMER_IGNORE_PATTERNS)   | **Now regex, not fnmatch**; user patterns are added to (not replacing) default ones  |
 | _New_                          | [`CONSUMER_IGNORE_DIRS`](configuration.md#PAPERLESS_CONSUMER_IGNORE_DIRS)           | Additional directories to ignore; user entries are added to (not replacing) defaults |
 ## Duplicate Handling Changes
 Paperless-ngx v3 no longer rejects duplicate documents by default. Instead, it now allows duplicates but adds a way to identify them via the UI. To (re-)enable duplicate rejection, set `PAPERLESS_CONSUMER_DELETE_DUPLICATES=true` in your environment.
 ## Encryption Support
 Document and thumbnail encryption is no longer supported. This was previously deprecated in [paperless-ng 0.9.3](https://github.com/paperless-ngx/paperless-ngx/blob/dev/docs/changelog.md#paperless-ng-093)
 Users must decrypt their document using the `decrypt_documents` command before upgrading.
 ## Barcode Scanner Changes
 Support for [pyzbar](https://github.com/NaturalHistoryMuseum/pyzbar) has been removed. The underlying libzbar library has
 seen no updates in 16 years and is largely unmaintained, and the pyzbar Python wrapper last saw a release in March 2022. In
 practice, pyzbar struggled with barcode detection reliability, particularly on skewed, low-contrast, or partially
 obscured barcodes. [zxing-cpp](https://github.com/zxing-cpp/zxing-cpp) is actively maintained, significantly more
 reliable at finding barcodes, and now ships pre-built wheels for both x86_64 and arm64, removing the need to build the library.
 The `CONSUMER_BARCODE_SCANNER` setting has been removed. zxing-cpp is now the only backend.
 ### Summary
 | Old Setting                | New Setting | Notes                             |
 | -------------------------- | ----------- | --------------------------------- |
 | `CONSUMER_BARCODE_SCANNER` | _Removed_   | zxing-cpp is now the only backend |
 ### Action Required
 - If you were already using `CONSUMER_BARCODE_SCANNER=ZXING`, simply remove the setting.
 - If you had `CONSUMER_BARCODE_SCANNER=PYZBAR` or were using the default, no functional changes are needed beyond
  removing the setting. zxing-cpp supports all the same barcode formats and you should see improved detection
  reliability.
 - The `libzbar0` / `libzbar-dev` system packages are no longer required and can be removed from any custom Docker
  images or host installations.
 ## Database Engine
 `PAPERLESS_DBENGINE` is now required to use PostgreSQL or MariaDB. Previously, the
 engine was inferred from the presence of `PAPERLESS_DBHOST`, with `PAPERLESS_DBENGINE`
 only needed to select MariaDB over PostgreSQL.
 SQLite users require no changes, though they may explicitly set their engine if desired.
 #### Action Required
 PostgreSQL and MariaDB users must add `PAPERLESS_DBENGINE` to their environment:
 ```yaml
 # v2 (PostgreSQL inferred from PAPERLESS_DBHOST)
 PAPERLESS_DBHOST: postgres
 # v3 (engine must be explicit)
 PAPERLESS_DBENGINE: postgresql
 PAPERLESS_DBHOST: postgres
 ```
 See [`PAPERLESS_DBENGINE`](configuration.md#PAPERLESS_DBENGINE) for accepted values.
 ## Database Advanced Options
 The individual SSL, timeout, and pooling variables have been removed in favor of a
 single [`PAPERLESS_DB_OPTIONS`](configuration.md#PAPERLESS_DB_OPTIONS) string. This
 consolidates a growing set of engine-specific variables into one place, and allows
 any option supported by the underlying database driver to be set without requiring a
 dedicated environment variable for each.
 The removed variables and their replacements are:
 | Removed Variable          | Replacement in `PAPERLESS_DB_OPTIONS`                                        |
 | ------------------------- | ---------------------------------------------------------------------------- |
 | `PAPERLESS_DBSSLMODE`     | `sslmode=<value>` (PostgreSQL) or `ssl_mode=<value>` (MariaDB)               |
 | `PAPERLESS_DBSSLROOTCERT` | `sslrootcert=<path>` (PostgreSQL) or `ssl.ca=<path>` (MariaDB)               |
 | `PAPERLESS_DBSSLCERT`     | `sslcert=<path>` (PostgreSQL) or `ssl.cert=<path>` (MariaDB)                 |
 | `PAPERLESS_DBSSLKEY`      | `sslkey=<path>` (PostgreSQL) or `ssl.key=<path>` (MariaDB)                   |
 | `PAPERLESS_DB_POOLSIZE`   | `pool.max_size=<value>` (PostgreSQL only)                                    |
 | `PAPERLESS_DB_TIMEOUT`    | `timeout=<value>` (SQLite) or `connect_timeout=<value>` (PostgreSQL/MariaDB) |
 The deprecated variables will continue to function for now but will be removed in a
 future release. A deprecation warning is logged at startup for each deprecated variable
 that is still set.
 #### Action Required
 Users with any of the deprecated variables set should migrate to `PAPERLESS_DB_OPTIONS`.
 Multiple options are combined in a single value:
 ```bash
 PAPERLESS_DB_OPTIONS="sslmode=require,sslrootcert=/certs/ca.pem,pool.max_size=10"
 ```
 ## OCR and Archive File Generation Settings
 The settings that control OCR behaviour and archive file generation have been redesigned. The old settings that coupled these two concerns together are **removed** — old values are not silently honoured; a startup warning is logged if any removed variable is still set in your environment.
 ### Removed settings
 | Removed Setting                             | Replacement                                                           |
 | ------------------------------------------- | --------------------------------------------------------------------- |
 | `PAPERLESS_OCR_MODE=skip`                   | `PAPERLESS_OCR_MODE=auto` (new default)                               |
 | `PAPERLESS_OCR_MODE=skip_noarchive`         | `PAPERLESS_OCR_MODE=auto` + `PAPERLESS_ARCHIVE_FILE_GENERATION=never` |
 | `PAPERLESS_OCR_SKIP_ARCHIVE_FILE=never`     | `PAPERLESS_ARCHIVE_FILE_GENERATION=always`                            |
 | `PAPERLESS_OCR_SKIP_ARCHIVE_FILE=with_text` | `PAPERLESS_ARCHIVE_FILE_GENERATION=auto` (new default)                |
 | `PAPERLESS_OCR_SKIP_ARCHIVE_FILE=always`    | `PAPERLESS_ARCHIVE_FILE_GENERATION=never`                             |
 ### What changed and why
 Previously, `OCR_MODE` conflated two independent concerns: whether to run OCR and whether to produce an archive. `skip` meant "skip OCR if text exists, but always produce an archive". `skip_noarchive` meant "skip OCR if text exists, and also skip the archive". This made it impossible to, for example, disable OCR entirely while still producing archives.
 The new settings are independent:
 - [`PAPERLESS_OCR_MODE`](configuration.md#PAPERLESS_OCR_MODE) controls OCR: `auto` (default), `force`, `redo`, `off`.
 - [`PAPERLESS_ARCHIVE_FILE_GENERATION`](configuration.md#PAPERLESS_ARCHIVE_FILE_GENERATION) controls archive production: `auto` (default), `always`, `never`.
 ### Database configuration
 If you changed OCR settings via the admin UI (ApplicationConfiguration), the database values are **migrated automatically** during the upgrade. `mode` values (`skip` / `skip_noarchive`) are mapped to their new equivalents and `skip_archive_file` values are converted to the new `archive_file_generation` field. After upgrading, review the OCR settings in the admin UI to confirm the migrated values match your intent.
 ### Action Required
 Remove any `PAPERLESS_OCR_SKIP_ARCHIVE_FILE` variable from your environment. If you relied on `OCR_MODE=skip` or `OCR_MODE=skip_noarchive`, update accordingly:
 ```bash
 # v2: skip OCR when text present, always archive
 PAPERLESS_OCR_MODE=skip
 # v3: equivalent (auto is the new default)
 # No change needed — auto is the default
 # v2: skip OCR when text present, skip archive too
 PAPERLESS_OCR_MODE=skip_noarchive
 # v3: equivalent
 PAPERLESS_OCR_MODE=auto
 PAPERLESS_ARCHIVE_FILE_GENERATION=never
 # v2: always skip archive
 PAPERLESS_OCR_SKIP_ARCHIVE_FILE=always
 # v3: equivalent
 PAPERLESS_ARCHIVE_FILE_GENERATION=never
 # v2: skip archive only for born-digital docs
 PAPERLESS_OCR_SKIP_ARCHIVE_FILE=with_text
 # v3: equivalent (auto is the new default)
 PAPERLESS_ARCHIVE_FILE_GENERATION=auto
 ```
 ### Remote OCR parser
 If you use the **remote OCR parser** (Azure AI), note that it always produces a
 searchable PDF and stores it as the archive copy. `ARCHIVE_FILE_GENERATION=never`
 has no effect for documents handled by the remote parser — the archive is produced
 unconditionally by the remote engine.
 # Search Index (Whoosh -> Tantivy)
 The full-text search backend has been replaced with [Tantivy](https://github.com/quickwit-oss/tantivy).
 The index format is incompatible with Whoosh, so **the search index is automatically rebuilt from
 scratch on first startup after upgrading**. No manual action is required for the rebuild itself.
 ### Note and custom field search syntax
 The old Whoosh index exposed `note` and `custom_field` as flat text fields that were included in
 unqualified searches (e.g. just typing `invoice` would match note content). With Tantivy these are
 now structured JSON fields accessed via dotted paths:
 | Old syntax           | New syntax                  |
 | -------------------- | --------------------------- |
 | `note:query`         | `notes.note:query`          |
 | `custom_field:query` | `custom_fields.value:query` |
 **Saved views are migrated automatically.** Any saved view filter rule that used an explicit
 `note:` or `custom_field:` field prefix in a fulltext query is rewritten to the new syntax by a
 data migration that runs on upgrade.
 **Unqualified queries are not migrated.** If you had a saved view with a plain search term (e.g.
 `invoice`) that happened to match note content or custom field values, it will no longer return
 those matches. Update those queries to use the explicit prefix, for example:
 ```
 invoice OR notes.note:invoice OR custom_fields.value:invoice
 ```
 Custom field names can also be searched with `custom_fields.name:fieldname`.
 ## OpenID Connect Token Endpoint Authentication
 Some existing OpenID Connect setups may require an explicit token endpoint authentication method after upgrading to v3.
 #### Action Required
 If OIDC login fails at the callback with an `invalid_client` error, add `token_auth_method` to the provider `settings` in
 [`PAPERLESS_SOCIALACCOUNT_PROVIDERS`](configuration.md#PAPERLESS_SOCIALACCOUNT_PROVIDERS).
 For example:
 ```json
 {
  "openid_connect": {
    "APPS": [
      {
        ...
        "settings": {
          "server_url": "https://login.example.com",
          "token_auth_method": "client_secret_basic"
        }
      }
    ]
  }
 }
 ```
 ## Task History Cleared on Upgrade
 The task tracking system has been redesigned in this release. All existing task history records are dropped from the database during the upgrade. Previously completed, failed, or acknowledged tasks will no longer appear in the task list after upgrading.
 No user action is required.
 ## Consume Script Positional Arguments Removed
 Pre- and post-consumption scripts no longer receive positional arguments. All information is
 now passed exclusively via environment variables, which have been available since earlier versions.
 ### Pre-consumption script
 Previously, the original file path was passed as `$1`. It is now only available as
 `DOCUMENT_SOURCE_PATH`.
 **Before:**
 ```bash
 #!/usr/bin/env bash
 # $1 was the original file path
 process_document "$1"
 ```
 **After:**
 ```bash
 #!/usr/bin/env bash
 process_document "${DOCUMENT_SOURCE_PATH}"
 ```
 ### Post-consumption script
 Previously, document metadata was passed as positional arguments `$1` through `$8`:
 | Argument | Environment Variable Equivalent |
 | -------- | ------------------------------- |
 | `$1`     | `DOCUMENT_ID`                   |
 | `$2`     | `DOCUMENT_FILE_NAME`            |
 | `$3`     | `DOCUMENT_SOURCE_PATH`          |
 | `$4`     | `DOCUMENT_THUMBNAIL_PATH`       |
 | `$5`     | `DOCUMENT_DOWNLOAD_URL`         |
 | `$6`     | `DOCUMENT_THUMBNAIL_URL`        |
 | `$7`     | `DOCUMENT_CORRESPONDENT`        |
 | `$8`     | `DOCUMENT_TAGS`                 |
 **Before:**
 ```bash
 #!/usr/bin/env bash
 DOCUMENT_ID=$1
 CORRESPONDENT=$7
 TAGS=$8
 ```
 **After:**
 ```bash
 #!/usr/bin/env bash
 # Use environment variables directly
 echo "Document ${DOCUMENT_ID} from ${DOCUMENT_CORRESPONDENT} tagged: ${DOCUMENT_TAGS}"
 ```
 ### Action Required
 Update any pre- or post-consumption scripts that read `$1`, `$2`, etc. to use the
 corresponding environment variables instead. Environment variables have been the preferred
 option since v1.8.0.
 ## Reverse Proxy and Login Rate Limiting
 Allauth changed how it determines the client IP address for login rate limiting. Users running
 behind a reverse proxy may need to set
 [`PAPERLESS_TRUSTED_PROXIES`](configuration.md#PAPERLESS_TRUSTED_PROXIES),
 [`PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER`](configuration.md#PAPERLESS_ALLAUTH_TRUSTED_CLIENT_IP_HEADER),
 or both, to avoid `403 Forbidden` errors on login.
@@ -1,25 +0,0 @@
 # v3 Migration Guide
 ## Consumer Settings Changes
 The v3 consumer command uses a [different library](https://watchfiles.helpmanual.io/) to unify
 the watching for new files in the consume directory. For the user, this removes several configuration options related to delays and retries
 and replaces with a single unified setting. It also adjusts how the consumer ignore filtering happens, replaced `fnmatch` with `regex` and
 separating the directory ignore from the file ignore.
 ### Summary
 | Old Setting                    | New Setting                                                                         | Notes                                                                                |
 | ------------------------------ | ----------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ |
 | `CONSUMER_POLLING`             | [`CONSUMER_POLLING_INTERVAL`](configuration.md#PAPERLESS_CONSUMER_POLLING_INTERVAL) | Renamed for clarity                                                                  |
 | `CONSUMER_INOTIFY_DELAY`       | [`CONSUMER_STABILITY_DELAY`](configuration.md#PAPERLESS_CONSUMER_STABILITY_DELAY)   | Unified for all modes                                                                |
 | `CONSUMER_POLLING_DELAY`       | _Removed_                                                                           | Use `CONSUMER_STABILITY_DELAY`                                                       |
 | `CONSUMER_POLLING_RETRY_COUNT` | _Removed_                                                                           | Automatic with stability tracking                                                    |
 | `CONSUMER_IGNORE_PATTERNS`     | [`CONSUMER_IGNORE_PATTERNS`](configuration.md#PAPERLESS_CONSUMER_IGNORE_PATTERNS)   | **Now regex, not fnmatch**; user patterns are added to (not replacing) default ones  |
 | _New_                          | [`CONSUMER_IGNORE_DIRS`](configuration.md#PAPERLESS_CONSUMER_IGNORE_DIRS)           | Additional directories to ignore; user entries are added to (not replacing) defaults |
 ## Encryption Support
 Document and thumbnail encryption is no longer supported. This was previously deprecated in [paperless-ng 0.9.3](https://github.com/paperless-ngx/paperless-ngx/blob/dev/docs/changelog.md#paperless-ng-093)
 Users must decrypt their document using the `decrypt_documents` command before upgrading.
@@ -1,52 +1,77 @@
-## Installation
+---
 title: Setup
 ---
-You can go multiple routes to setup and run Paperless:
+# Installation
-   [Use the script to setup a Docker install](#docker_script)
+!!! tip "Quick Start"
 -   [Use the Docker compose templates](#docker)
 -   [Build the Docker image yourself](#docker_build)
 -   [Install Paperless-ngx directly on your system manually ("bare metal")](#bare_metal)
 -   A user-maintained list of commercial hosting providers can be found [in the wiki](https://github.com/paperless-ngx/paperless-ngx/wiki/Related-Projects)
-The Docker routes are quick & easy. These are the recommended routes.
+    If you just want Paperless-ngx running quickly, use our installation script:
-This configures all the stuff from the above automatically so that it
+    ```shell-session
-just works and uses sensible defaults for all configuration options.
+    bash -c "$(curl --location --silent --show-error https://raw.githubusercontent.com/paperless-ngx/paperless-ngx/main/install-paperless-ngx.sh)"
-Here you find a cheat-sheet for docker beginners: [CLI
+    ```
-Basics](https://www.sehn.tech/refs/devops-with-docker/)
+    _If piping into a shell directly from the internet makes you nervous, inspect [the script](https://github.com/paperless-ngx/paperless-ngx/blob/main/install-paperless-ngx.sh) first!_
-The bare metal route is complicated to setup but makes it easier should
+## Overview
 you want to contribute some code back. You need to configure and run the
 above mentioned components yourself.
-### Use the Installation Script {#docker_script}
+Choose the installation route that best fits your setup:
-Paperless provides an interactive installation script to setup a Docker Compose
+| Route                                                                                                             | Best for                                                                            | Effort |
-installation. The script asks for a couple configuration options, and will then create the
+| ----------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------- | ------ |
-necessary configuration files, pull the docker image, start Paperless-ngx and create your superuser
+| [Installation script](#docker_script)                                                                             | Fastest first-time setup with guided prompts (recommended for most users)           | Low    |
-account. The script essentially automatically performs the steps described in [Docker setup](#docker).
+| [Docker Compose templates](#docker)                                                                               | Manual control over compose files and settings                                      | Medium |
 | [Bare metal](#bare_metal)                                                                                         | Advanced setups, packaging, and development-adjacent workflows                      | High   |
 | [Hosted providers (wiki)](https://github.com/paperless-ngx/paperless-ngx/wiki/Related-Projects#hosting-providers) | Managed hosting options maintained by the community &mdash; check details carefully | Varies |
-1.  Make sure that Docker and Docker Compose are [installed](https://docs.docker.com/engine/install/){:target="\_blank"}.
+For most users, Docker is the best option. It is faster to set up,
 easier to maintain, and ships with sensible defaults.
-2.  Download and run the installation script:
+The bare-metal route gives you more control, but it requires manual
 installation and operation of all components. It is usually best suited
 for advanced users and contributors.
 !!! info
    Because [superuser](usage.md#superusers) accounts have full access to all objects and documents, you may want to create a separate user account for daily use,
    or "downgrade" your superuser account to a normal user account after setup.
 ## Installation Script {#docker_script}
 Paperless-ngx provides an interactive script for Docker Compose setups.
 It asks a few configuration questions, then creates the required files,
 pulls the image, starts the containers, and creates your [superuser](usage.md#superusers)
 account. In short, it automates the [Docker Compose setup](#docker) described below.
 #### Prerequisites
 - Docker and Docker Compose must be [installed](https://docs.docker.com/engine/install/){:target="\_blank"}.
 - macOS users will need [GNU sed](https://formulae.brew.sh/formula/gnu-sed) with support for running as `sed` as well as [wget](https://formulae.brew.sh/formula/wget).
 #### Run the installation script
 ```shell-session
 bash -c "$(curl --location --silent --show-error https://raw.githubusercontent.com/paperless-ngx/paperless-ngx/main/install-paperless-ngx.sh)"
 ```
-    !!! note
+#### After installation
-        macOS users will need to install [gnu-sed](https://formulae.brew.sh/formula/gnu-sed) with support
+Paperless-ngx should be available at `http://127.0.0.1:8000` (or similar,
-        for running as `sed` as well as [wget](https://formulae.brew.sh/formula/wget).
+depending on your configuration) and you will be able to login with the
 credentials you provided during the installation script.
-### Use Docker Compose {#docker}
+## Docker Compose Install {#docker}
-1.  Make sure that Docker and Docker Compose are [installed](https://docs.docker.com/engine/install/){:target="\_blank"}.
+#### Prerequisites
-2.  Go to the [/docker/compose directory on the project
+- Docker and Docker Compose must be [installed](https://docs.docker.com/engine/install/){:target="\_blank"}.
 #### Installation
 1.  Go to the [/docker/compose directory on the project
    page](https://github.com/paperless-ngx/paperless-ngx/tree/main/docker/compose){:target="\_blank"}
-    and download one of the `docker-compose.*.yml` files, depending on which database backend
+    and download one `docker-compose.*.yml` file for your preferred
-    you want to use. Place the files in a local directory and rename it `docker-compose.yml`. Download the
+    database backend. Save it in a local directory as `docker-compose.yml`.
-    `docker-compose.env` file and the `.env` file as well in the same directory.
+    Also download `docker-compose.env` and `.env` into that same directory.
    If you want to enable optional support for Office and other documents, download a
    file with `-tika` in the file name.
@@ -56,15 +81,16 @@ account. The script essentially automatically performs the steps described in [D
        For new installations, it is recommended to use PostgreSQL as the
        database backend.
-3.  Modify `docker-compose.yml` as needed. For example, you may want to change the paths to the
+2.  Modify `docker-compose.yml` as needed. For example, you may want to
-    consumption, media etc. directories to use 'bind mounts'.
+    change the paths for `consume`, `media`, and other directories to
    use bind mounts.
    Find the line that specifies where to mount the directory, e.g.:
    ```yaml
    - ./consume:/usr/src/paperless/consume
    ```
-    Replace the part _before_ the colon with a local directory of your choice:
+    Replace the part _before_ the colon with your local directory:
    ```yaml
    - /home/jonaswinkler/paperless-inbox:/usr/src/paperless/consume
@@ -78,38 +104,15 @@ account. The script essentially automatically performs the steps described in [D
      - 8010:8000
    ```
-    **Rootless**
+3.  Modify `docker-compose.env` with any configuration options you need.
    !!! warning
        It is currently not possible to run the container rootless if additional languages are specified via `PAPERLESS_OCR_LANGUAGES`.
    If you want to run Paperless as a rootless container, you will need
    to do the following in your `docker-compose.yml`:
    -   set the `user` running the container to map to the `paperless`
        user in the container. This value (`user_id` below), should be
        the same id that `USERMAP_UID` and `USERMAP_GID` are set to in
        the next step. See `USERMAP_UID` and `USERMAP_GID`
        [here](configuration.md#docker).
    Your entry for Paperless should contain something like:
    > ```
    > webserver:
    >   image: ghcr.io/paperless-ngx/paperless-ngx:latest
    >   user: <user_id>
    > ```
 4.  Modify `docker-compose.env` with any configuration options you'd like.
    See the [configuration documentation](configuration.md) for all options.
    You may also need to set `USERMAP_UID` and `USERMAP_GID` to
-    the uid and gid of your user on the host system. Use `id -u` and
+    the UID and GID of your user on the host system. Use `id -u` and
-    `id -g` to get these. This ensures that both the container and the host
+    `id -g` to get these values. This ensures both the container and the
-    user have write access to the consumption directory. If your UID
+    host user can write to the consumption directory. If your UID and
-    and GID on the host system is 1000 (the default for the first normal
+    GID are `1000` (the default for the first normal user on many
-    user on most systems), it will work out of the box without any
+    systems), this usually works out of the box without
    modifications. Run `id "username"` to check.
    !!! note
@@ -118,79 +121,55 @@ account. The script essentially automatically performs the steps described in [D
        appending `_FILE` to configuration values. For example [`PAPERLESS_DBUSER`](configuration.md#PAPERLESS_DBUSER)
        can be set using `PAPERLESS_DBUSER_FILE=/var/run/secrets/password.txt`.
-    !!! warning
+4.  Run `docker compose pull`. This pulls the image from the GitHub container registry
-
+    by default, but you can pull from Docker Hub by changing the `image`
        Some file systems such as NFS network shares don't support file
        system notifications with `inotify`. When storing the consumption
        directory on such a file system, paperless will not pick up new
        files with the default configuration. You will need to use
        [`PAPERLESS_CONSUMER_POLLING_INTERVAL`](configuration.md#PAPERLESS_CONSUMER_POLLING_INTERVAL), which will disable inotify.
 5.  Run `docker compose pull`. This will pull the image from the GitHub container registry
    by default but you can change the image to pull from Docker Hub by changing the `image`
    line to `image: paperlessngx/paperless-ngx:latest`.
-6.  Run `docker compose up -d`. This will create and start the necessary containers.
+5.  Run `docker compose up -d`. This will create and start the necessary containers.
-7.  Congratulations! Your Paperless-ngx instance should now be accessible at `http://127.0.0.1:8000`
+#### After installation
    (or similar, depending on your configuration). When you first access the web interface, you will be
    prompted to create a superuser account.
-### Build the Docker image yourself {#docker_build}
+Your Paperless-ngx instance should now be accessible at
 `http://127.0.0.1:8000` (or similar, depending on your configuration).
 When you first access the web interface, you will be prompted to create
 a [superuser](usage.md#superusers) account.
-1.  Clone the entire repository of paperless:
+#### Optional Advanced Compose Configurations {#advanced_compose data-toc-label="Advanced Compose Configurations"}
-    ```shell-session
+**Rootless**
    git clone https://github.com/paperless-ngx/paperless-ngx
    ```
-    The main branch always reflects the latest stable version.
+!!! warning
-2.  Copy one of the `docker/compose/docker-compose.*.yml` to
+    It is not possible to run the container rootless if additional languages are specified via `PAPERLESS_OCR_LANGUAGES`.
    `docker-compose.yml` in the root folder, depending on which database
    backend you want to use. Copy `docker-compose.env` into the project
    root as well.
-3.  In the `docker-compose.yml` file, find the line that instructs
+If you want to run Paperless as a rootless container, set `user:` in `docker-compose.yml` to the UID and GID of your host user (use `id -u` and `id -g` to find these values). The container process starts directly as that user with no internal privilege remapping:
    Docker Compose to pull the paperless image from Docker Hub:
 ```yaml
 webserver:
  image: ghcr.io/paperless-ngx/paperless-ngx:latest
  user: '1000:1000'
 ```
-    and replace it with a line that instructs Docker Compose to build
+Do not combine this with `USERMAP_UID` or `USERMAP_GID`, which are intended for the non-rootless case described in step 3.
    the image from the current working directory instead:
-    ```yaml
+**File systems without inotify support (e.g. NFS)**
    webserver:
        build:
            context: .
    ```
-4.  Follow the [Docker setup](#docker) above except when asked to run
+Some file systems, such as NFS network shares, don't support file system
-    `docker compose pull` to pull the image, run
+notifications with `inotify`. When the consumption directory is on such a
 file system, Paperless-ngx will not pick up new files with the default
 configuration. Use [`PAPERLESS_CONSUMER_POLLING`](configuration.md#PAPERLESS_CONSUMER_POLLING)
 to enable polling and disable inotify. See [here](configuration.md#polling).
-    ```shell-session
+## Bare Metal Install {#bare_metal}
    docker compose build
    ```
-    instead to build the image.
+#### Prerequisites
-### Bare Metal Route {#bare_metal}
+- Paperless runs on Linux only, Windows is not supported.
 - Python 3.11, 3.12, 3.13, or 3.14 is required. As a policy, Paperless-ngx aims to support at least the three most recent Python versions and drops support for versions as they reach end-of-life. Newer versions may work, but some dependencies may not be fully compatible.
-Paperless runs on linux only. The following procedure has been tested on
+#### Installation
 a minimal installation of Debian/Buster, which is the current stable
 release at the time of writing. Windows is not and will never be
 supported.
 Paperless requires Python 3. At this time, 3.10 - 3.12 are tested versions.
 Newer versions may work, but some dependencies may not fully support newer versions.
 Support for older Python versions may be dropped as they reach end of life or as newer versions
 are released, dependency support is confirmed, etc.
 1.  Install dependencies. Paperless requires the following packages.
 1.  Install dependencies. Paperless requires the following packages:
    - `python3`
    - `python3-pip`
    - `python3-dev`
@@ -203,18 +182,16 @@ are released, dependency support is confirmed, etc.
    - `libpq-dev` for PostgreSQL
    - `libmagic-dev` for mime type detection
    - `mariadb-client` for MariaDB compile time
    -   `libzbar0` for barcode detection
    - `poppler-utils` for barcode detection
    Use this list for your preferred package management:
    ```
-    python3 python3-pip python3-dev imagemagick fonts-liberation gnupg libpq-dev default-libmysqlclient-dev pkg-config libmagic-dev libzbar0 poppler-utils
+    python3 python3-pip python3-dev imagemagick fonts-liberation gnupg libpq-dev default-libmysqlclient-dev pkg-config libmagic-dev poppler-utils
    ```
    These dependencies are required for OCRmyPDF, which is used for text
    recognition.
    - `unpaper`
    - `ghostscript`
    - `icc-profiles-free`
@@ -234,13 +211,11 @@ are released, dependency support is confirmed, etc.
    ```
    On Raspberry Pi, these libraries are required as well:
    - `libatlas-base-dev`
    - `libxslt1-dev`
    - `mime-support`
    You will also need these for installing some of the python dependencies:
    - `build-essential`
    - `python3-setuptools`
    - `python3-wheel`
@@ -253,8 +228,8 @@ are released, dependency support is confirmed, etc.
 2.  Install `redis` >= 6.0 and configure it to start automatically.
-3.  Optional. Install `postgresql` and configure a database, user and
+3.  Optional: Install `postgresql` and configure a database, user, and
-    password for paperless. If you do not wish to use PostgreSQL,
+    password for Paperless-ngx. If you do not wish to use PostgreSQL,
    MariaDB and SQLite are available as well.
    !!! note
@@ -263,62 +238,59 @@ are released, dependency support is confirmed, etc.
        extension](https://code.djangoproject.com/wiki/JSON1Extension) is
        enabled. This is usually the case, but not always.
-4.  Create a system user with a new home folder under which you wish
+4.  Create a system user with a new home folder in which you want
-    to run paperless.
+    to run Paperless-ngx.
    ```shell-session
    adduser paperless --system --home /opt/paperless --group
    ```
-5.  Get the release archive from
+5.  Download a release archive from
-    <https://github.com/paperless-ngx/paperless-ngx/releases> for example with
+    <https://github.com/paperless-ngx/paperless-ngx/releases>. For example:
    ```shell-session
-    curl -O -L https://github.com/paperless-ngx/paperless-ngx/releases/download/v1.10.2/paperless-ngx-v1.10.2.tar.xz
+    curl -O -L https://github.com/paperless-ngx/paperless-ngx/releases/download/vX.Y.Z/paperless-ngx-vX.Y.Z.tar.xz
    ```
    Extract the archive with
    ```shell-session
-    tar -xf paperless-ngx-v1.10.2.tar.xz
+    tar -xf paperless-ngx-vX.Y.Z.tar.xz
    ```
-    and copy the contents to the
+    and copy the contents to the home directory of the user you created
-    home folder of the user you created before (`/opt/paperless`).
+    earlier (`/opt/paperless`).
-    Optional: If you cloned the git repo, you will have to
+    Optional: If you cloned the Git repository, you will need to
-    compile the frontend yourself, see [here](development.md#front-end-development)
+    compile the frontend yourself. See [here](development.md#front-end-development)
    and use the `build` step, not `serve`.
-6.  Configure paperless. See [configuration](configuration.md) for details.
+6.  Configure Paperless-ngx. See [configuration](configuration.md) for details.
    Edit the included `paperless.conf` and adjust the settings to your
-    needs. Required settings for getting
+    needs. Required settings for getting Paperless-ngx running are:
-    paperless running are:
+    - [`PAPERLESS_REDIS`](configuration.md#PAPERLESS_REDIS) should point to your Redis server, such as
-
+      `redis://localhost:6379`.
-    -   [`PAPERLESS_REDIS`](configuration.md#PAPERLESS_REDIS) should point to your redis server, such as
+    - [`PAPERLESS_DBENGINE`](configuration.md#PAPERLESS_DBENGINE) is optional, and should be one of `postgres`,
        <redis://localhost:6379>.
    -   [`PAPERLESS_DBENGINE`](configuration.md#PAPERLESS_DBENGINE) optional, and should be one of `postgres`,
      `mariadb`, or `sqlite`
    - [`PAPERLESS_DBHOST`](configuration.md#PAPERLESS_DBHOST) should be the hostname on which your
      PostgreSQL server is running. Do not configure this to use
      SQLite instead. Also configure port, database name, user and
      password as necessary.
-    -   [`PAPERLESS_CONSUMPTION_DIR`](configuration.md#PAPERLESS_CONSUMPTION_DIR) should point to a folder which
+    - [`PAPERLESS_CONSUMPTION_DIR`](configuration.md#PAPERLESS_CONSUMPTION_DIR) should point to the folder
-        paperless should watch for documents. You might want to have
+      that Paperless-ngx should watch for incoming documents.
-        this somewhere else. Likewise, [`PAPERLESS_DATA_DIR`](configuration.md#PAPERLESS_DATA_DIR) and
+      Likewise, [`PAPERLESS_DATA_DIR`](configuration.md#PAPERLESS_DATA_DIR) and
-        [`PAPERLESS_MEDIA_ROOT`](configuration.md#PAPERLESS_MEDIA_ROOT) define where paperless stores its data.
+      [`PAPERLESS_MEDIA_ROOT`](configuration.md#PAPERLESS_MEDIA_ROOT) define where Paperless-ngx stores its data.
-        If you like, you can point both to the same directory.
+      If needed, these can point to the same directory.
    - [`PAPERLESS_SECRET_KEY`](configuration.md#PAPERLESS_SECRET_KEY) should be a random sequence of
      characters. It's used for authentication. Failure to do so
      allows third parties to forge authentication credentials.
-    -   [`PAPERLESS_URL`](configuration.md#PAPERLESS_URL) if you are behind a reverse proxy. This should
+    - Set [`PAPERLESS_URL`](configuration.md#PAPERLESS_URL) if you are behind a reverse proxy. This should
      point to your domain. Please see
      [configuration](configuration.md) for more
      information.
-    Many more adjustments can be made to paperless, especially the OCR
+    You can make many more adjustments, especially for OCR.
-    part. The following options are recommended for everyone:
+    The following options are recommended for most users:
    - Set [`PAPERLESS_OCR_LANGUAGE`](configuration.md#PAPERLESS_OCR_LANGUAGE) to the language most of your
      documents are written in.
    - Set [`PAPERLESS_TIME_ZONE`](configuration.md#PAPERLESS_TIME_ZONE) to your local time zone.
@@ -327,15 +299,13 @@ are released, dependency support is confirmed, etc.
        Ensure your Redis instance [is secured](https://redis.io/docs/latest/operate/oss_and_stack/management/security/).
-7.  Create the following directories if they are missing:
+7.  Create the following directories if they do not already exist:
    - `/opt/paperless/media`
    - `/opt/paperless/data`
    - `/opt/paperless/consume`
-    Adjust as necessary if you configured different folders.
+    Adjust these paths if you configured different folders.
-    Ensure that the paperless user has write permissions for every one
+    Then verify that the `paperless` user has write permissions:
    of these folders with
    ```shell-session
    ls -l -d /opt/paperless/media
@@ -349,45 +319,44 @@ are released, dependency support is confirmed, etc.
    sudo chown paperless:paperless /opt/paperless/consume
    ```
-8.  Install python requirements from the `requirements.txt` file.
+8.  Install Python dependencies from `requirements.txt`.
    ```shell-session
    sudo -Hu paperless pip3 install -r requirements.txt
    ```
-    This will install all python dependencies in the home directory of
+    This will install all Python dependencies in the home directory of
    the new paperless user.
    !!! tip
-        It is up to you if you wish to use a virtual environment or not for the Python
+        You can use a virtual environment if you prefer. If you do,
-        dependencies.  This is an alternative to the above and may require adjusting
+        you may need to adjust the example scripts for your virtual
-        the example scripts to utilize the virtual environment paths
+        environment paths.
    !!! tip
        If you use modern Python tooling, such as `uv`, installation will not include
-        dependencies for Postgres or Mariadb.  You can select those extras with `--extra <EXTRA>`
+        dependencies for PostgreSQL or MariaDB. You can select those
-        or all with `--all-extras`
+        extras with `--extra <EXTRA>`, or install all extras with
        `--all-extras`.
-9.  Go to `/opt/paperless/src`, and execute the following command:
+9.  Go to `/opt/paperless/src` and execute the following command:
    ```bash
    # This creates the database schema.
    sudo -Hu paperless python3 manage.py migrate
    ```
-    When you first access the web interface you will be prompted to create a superuser account.
+10. Optional: Test that Paperless-ngx is working by running
 10. Optional: Test that paperless is working by executing
    ```bash
    # Manually starts the webserver
    sudo -Hu paperless python3 manage.py runserver
    ```
-    and pointing your browser to http://localhost:8000 if
+    Then point your browser to `http://localhost:8000` if
-    accessing from the same devices on which paperless is installed.
+    accessing from the same device on which Paperless-ngx is installed.
    If accessing from another machine, set up systemd services. You may need
    to set `PAPERLESS_DEBUG=true` in order for the development server to work
    normally in your browser.
@@ -395,23 +364,23 @@ are released, dependency support is confirmed, etc.
    !!! warning
        This is a development server which should not be used in production.
-        It is not audited for security and performance is inferior to
+        It is not audited for security, and performance is inferior to
-        production ready web servers.
+        production-ready web servers.
    !!! tip
        This will not start the consumer. Paperless does this in a separate
        process.
-11. Setup systemd services to run paperless automatically. You may use
+11. Set up systemd services to run Paperless-ngx automatically. You may use
    the service definition files included in the `scripts` folder as a
    starting point.
-    Paperless needs the `webserver` script to run the webserver, the
+    Paperless needs:
-    `consumer` script to watch the input folder, `taskqueue` for the
+    - The `webserver` script to run the webserver.
-    background workers used to handle things like document consumption
+    - The `consumer` script to watch the input folder.
-    and the `scheduler` script to run tasks such as email checking at
+    - The `taskqueue` script for background workers (document consumption, etc.).
-    certain times .
+    - The `scheduler` script for periodic tasks such as email checking.
    !!! note
@@ -420,9 +389,9 @@ are released, dependency support is confirmed, etc.
        `Require=paperless-webserver.socket` in the `webserver` script
        and configure `granian` to listen on port 80 (set `GRANIAN_PORT`).
-    These services rely on redis and optionally the database server, but
+    These services rely on Redis and optionally the database server, but
    don't need to be started in any particular order. The example files
-    depend on redis being started. If you use a database server, you
+    depend on Redis being started. If you use a database server, you
    should add additional dependencies.
    !!! note
@@ -432,18 +401,15 @@ are released, dependency support is confirmed, etc.
    !!! warning
-        If celery won't start (check with
+        If Celery won't start, check
        `sudo systemctl status paperless-task-queue.service` for
-        paperless-task-queue.service and paperless-scheduler.service
+        `paperless-task-queue.service` and `paperless-scheduler.service`.
-        ) you need to change the path in the files. Example:
+        You may need to change the path in the files. Example:
        `ExecStart=/opt/paperless/.local/bin/celery --app paperless worker --loglevel INFO`
-12. Optional: Install a samba server and make the consumption folder
+12. Configure ImageMagick to allow processing of PDF documents. Most
    available as a network share.
 13. Configure ImageMagick to allow processing of PDF documents. Most
    distributions have this disabled by default, since PDF documents can
-    contain malware. If you don't do this, paperless will fall back to
+    contain malware. If you don't do this, Paperless-ngx will fall back to
    Ghostscript for certain steps such as thumbnail generation.
    Edit `/etc/ImageMagick-6/policy.xml` and adjust
@@ -458,32 +424,38 @@ are released, dependency support is confirmed, etc.
    <policy domain="coder" rights="read|write" pattern="PDF" />
    ```
-14. Optional: Install the
+**Optional: Install the [jbig2enc](https://ocrmypdf.readthedocs.io/en/latest/jbig2.html) encoder.**
-    [jbig2enc](https://ocrmypdf.readthedocs.io/en/latest/jbig2.html)
+This will reduce the size of generated PDF documents. You'll most likely need to compile this yourself, because this
-    encoder. This will reduce the size of generated PDF documents.
+software has been patented until around 2017 and binary packages are not available for most distributions.
    You'll most likely need to compile this by yourself, because this
    software has been patented until around 2017 and binary packages are
    not available for most distributions.
-15. Optional: If using the NLTK machine learning processing (see
+**Optional: download the NLTK data**
-    [`PAPERLESS_ENABLE_NLTK`](configuration.md#PAPERLESS_ENABLE_NLTK) for details),
+If using the NLTK machine-learning processing (see [`PAPERLESS_ENABLE_NLTK`](configuration.md#PAPERLESS_ENABLE_NLTK) for details),
-    download the NLTK data for the Snowball
+download the NLTK data for the Snowball Stemmer, Stopwords and Punkt tokenizer to `/usr/share/nltk_data`. Refer to the [NLTK
-    Stemmer, Stopwords and Punkt tokenizer to `/usr/share/nltk_data`. Refer to the [NLTK
+instructions](https://www.nltk.org/data.html) for details on how to download the data.
    instructions](https://www.nltk.org/data.html) for details on how to
    download the data.
-# Migrating to Paperless-ngx
+#### After installation
-Migration is possible both from Paperless-ng or directly from the
+Your Paperless-ngx instance should now be accessible at `http://localhost:8000` (or similar, depending on your configuration).
-'original' Paperless.
+When you first access the web interface you will be prompted to create a [superuser](usage.md#superusers) account.
-## Migrating from Paperless-ng
+## Build the Docker image yourself {#docker_build data-toc-label="Building the Docker image"}
-Paperless-ngx is meant to be a drop-in replacement for Paperless-ng and
+Building the Docker image yourself is typically used for development, but it can also be used for production
-thus upgrading should be trivial for most users, especially when using
+if you want to customize the image. See [Building the Docker image](development.md#docker_build) in the
-docker. However, as with any major change, it is recommended to take a
+development documentation.
 ## Migrating to Paperless-ngx
 You can migrate to Paperless-ngx from Paperless-ng or from the original
 Paperless project.
 <h3 id="migration_ng">Migrating from Paperless-ng</h3>
 Paperless-ngx is meant to be a drop-in replacement for Paperless-ng, and
 upgrading should be trivial for most users, especially when using
 Docker. However, as with any major change, it is recommended to take a
 full backup first. Once you are ready, simply change the docker image to
-point to the new source. E.g. if using Docker Compose, edit
+point to the new source. For example, if using Docker Compose, edit
 `docker-compose.yml` and change:
 ```
@@ -496,66 +468,64 @@ to
 image: ghcr.io/paperless-ngx/paperless-ngx:latest
 ```
-and then run `docker compose up -d` which will pull the new image
+and then run `docker compose up -d`, which will pull the new image and
-recreate the container. That's it!
+recreate the container. That's it.
 Users who installed with the bare-metal route should also update their
 Git clone to point to `https://github.com/paperless-ngx/paperless-ngx`,
-e.g. using the command
+for example using:
 `git remote set-url origin https://github.com/paperless-ngx/paperless-ngx`
 and then pull the latest version.
-## Migrating from Paperless
+<h3 id="migration_paperless">Migrating from Paperless</h3>
-At its core, paperless-ngx is still paperless and fully compatible.
+At its core, Paperless-ngx is still Paperless and fully compatible.
 However, some things have changed under the hood, so you need to adapt
-your setup depending on how you installed paperless.
+your setup depending on how you installed Paperless.
-This setup describes how to update an existing paperless Docker
+This section describes how to update an existing Paperless Docker
-installation. The important things to keep in mind are as follows:
+installation. Keep these points in mind:
 - Read the [changelog](changelog.md) and
  take note of breaking changes.
-   You should decide if you want to stick with SQLite or want to
+- Decide whether to stay on SQLite or migrate to PostgreSQL.
-    migrate your database to PostgreSQL. See [documentation](#sqlite_to_psql)
+  Both work fine with Paperless-ngx.
-    for details on
+  However, if you already have a database server running
-    how to move your data from SQLite to PostgreSQL. Both work fine with
+  for other services, you might as well use it for Paperless as well.
-    paperless. However, if you already have a database server running
+- The task scheduler of Paperless, which is used to execute periodic
    for other services, you might as well use it for paperless as well.
 -   The task scheduler of paperless, which is used to execute periodic
  tasks such as email checking and maintenance, requires a
-    [redis](https://redis.io/) message broker instance. The
+  [Redis](https://redis.io/) message broker instance. The
  Docker Compose route takes care of that.
 - The layout of the folder structure for your documents and data
-    remains the same, so you can just plug your old docker volumes into
+  remains the same, so you can plug your old Docker volumes into
  paperless-ngx and expect it to find everything where it should be.
-Migration to paperless-ngx is then performed in a few simple steps:
+Migration to Paperless-ngx is then performed in a few simple steps:
-1.  Stop paperless.
+1.  Stop Paperless.
    ```bash
    cd /path/to/current/paperless
    docker compose down
    ```
-2.  Do a backup for two purposes: If something goes wrong, you still
+2.  Create a backup for two reasons: if something goes wrong, you still
-    have your data. Second, if you don't like paperless-ngx, you can
+    have your data; and if you don't like paperless-ngx, you can
-    switch back to paperless.
+    switch back to Paperless.
-3.  Download the latest release of paperless-ngx. You can either go with
+3.  Download the latest release of Paperless-ngx. You can either use
    the Docker Compose files from
    [here](https://github.com/paperless-ngx/paperless-ngx/tree/main/docker/compose)
    or clone the repository to build the image yourself (see
-    [above](#docker_build)). You can
+    [development docs](development.md#docker_build)). You can either replace your current paperless
-    either replace your current paperless folder or put paperless-ngx in
+    folder or put Paperless-ngx in
    a different location.
    !!! warning
        Paperless-ngx includes a `.env` file. This will set the project name
-        for docker compose to `paperless`, which will also define the name
+        for Docker Compose to `paperless`, which will also define the
-        of the volumes by paperless-ngx. However, if you experience that
+        volume names created by Paperless-ngx. However, if you notice that
        paperless-ngx is not using your old paperless volumes, verify the
        names of your volumes with
@@ -571,10 +541,10 @@ Migration to paperless-ngx is then performed in a few simple steps:
    after you migrated your existing SQLite database.
 5.  Adjust `docker-compose.yml` and `docker-compose.env` to your needs.
-    See [Docker setup](#docker) details on
+    See [Docker setup](#docker) for details on
-    which edits are advised.
+    which edits are recommended.
-6.  [Update paperless.](administration.md#updating)
+6.  Follow the update procedure in [Update paperless](administration.md#updating).
 7.  In order to find your existing documents with the new search
    feature, you need to invoke a one-time operation that will create
@@ -585,136 +555,93 @@ Migration to paperless-ngx is then performed in a few simple steps:
    ```
    This will migrate your database and create the search index. After
-    that, paperless will take care of maintaining the index by itself.
+    that, Paperless-ngx will maintain the index automatically.
-8.  Start paperless-ngx.
+8.  Start Paperless-ngx.
    ```bash
    docker compose up -d
    ```
-    This will run paperless in the background and automatically start it
+    This will run Paperless-ngx in the background and automatically start it
    on system boot.
-9.  Paperless installed a permanent redirect to `admin/` in your
+9.  Paperless may have installed a permanent redirect to `admin/` in your
    browser. This redirect is still in place and prevents access to the
-    new UI. Clear your browsing cache in order to fix this.
+    new UI. Clear your browser cache to fix this.
 10. Optionally, follow the instructions below to migrate your existing
    data to PostgreSQL.
-## Migrating from LinuxServer.io Docker Image
+<h3 id="migration_lsio">Migrating from LinuxServer.io Docker Image</h3>
-As with any upgrades and large changes, it is highly recommended to
+As with any upgrade or large change, it is highly recommended to
 create a backup before starting. This assumes the image was running
 using Docker Compose, but the instructions are translatable to Docker
 commands as well.
-1.  Stop and remove the paperless container
+1.  Stop and remove the Paperless container.
-2.  If using an external database, stop the container
+2.  If using an external database, stop that container.
-3.  Update Redis configuration
+3.  Update Redis configuration.
    1. If `REDIS_URL` is already set, change it to [`PAPERLESS_REDIS`](configuration.md#PAPERLESS_REDIS)
       and continue to step 4.
-    1. Otherwise, in the `docker-compose.yml` add a new service for
+    1. Otherwise, add a new Redis service in `docker-compose.yml`,
-       Redis, following [the example compose
+       following [the example compose
       files](https://github.com/paperless-ngx/paperless-ngx/tree/main/docker/compose)
    1. Set the environment variable [`PAPERLESS_REDIS`](configuration.md#PAPERLESS_REDIS) so it points to
-       the new Redis container
+       the new Redis container.
-4.  Update user mapping
+4.  Update user mapping.
    1. If set, change the environment variable `PUID` to `USERMAP_UID`.
-    1. If set, change the environment variable `PUID` to `USERMAP_UID`
+    1. If set, change the environment variable `PGID` to `USERMAP_GID`.
-    1. If set, change the environment variable `PGID` to `USERMAP_GID`
+5.  Update configuration paths.
-
+    1. Set the environment variable [`PAPERLESS_DATA_DIR`](configuration.md#PAPERLESS_DATA_DIR) to `/config`.
 5.  Update configuration paths
    1. Set the environment variable [`PAPERLESS_DATA_DIR`](configuration.md#PAPERLESS_DATA_DIR) to `/config`
 6.  Update media paths
 6.  Update media paths.
    1. Set the environment variable [`PAPERLESS_MEDIA_ROOT`](configuration.md#PAPERLESS_MEDIA_ROOT) to
-       `/data/media`
+       `/data/media`.
 7.  Update timezone
 7.  Update timezone.
    1. Set the environment variable [`PAPERLESS_TIME_ZONE`](configuration.md#PAPERLESS_TIME_ZONE) to the same
-       value as `TZ`
+       value as `TZ`.
-8.  Modify the `image:` to point to
+8.  Modify `image:` to point to
    `ghcr.io/paperless-ngx/paperless-ngx:latest` or a specific version
    if preferred.
 9.  Start the containers as before, using `docker compose`.
-## Moving data from SQLite to PostgreSQL or MySQL/MariaDB {#sqlite_to_psql}
+## Running Paperless-ngx on less powerful devices {#less-powerful-devices data-toc-label="Less Powerful Devices"}
-The best way to migrate between database types is to perform an [export](administration.md#exporter) and then
+Paperless runs on Raspberry Pi. Some tasks can be slow on lower-powered
-[import](administration.md#importer) into a clean installation of Paperless-ngx.
+hardware, but a few settings can improve performance:
 ## Moving back to Paperless
 Lets say you migrated to Paperless-ngx and used it for a while, but
 decided that you don't like it and want to move back (If you do, send
 me a mail about what part you didn't like!), you can totally do that
 with a few simple steps.
 Paperless-ngx modified the database schema slightly, however, these
 changes can be reverted while keeping your current data, so that your
 current data will be compatible with original Paperless. Thumbnails
 were also changed from PNG to WEBP format and will need to be
 re-generated.
 Execute this:
 ```shell-session
 $ cd /path/to/paperless
 $ docker compose run --rm webserver migrate documents 0023
 ```
 Or without docker:
 ```shell-session
 $ cd /path/to/paperless/src
 $ python3 manage.py migrate documents 0023
 ```
 After regenerating thumbnails, you'll need to clear your cookies
 (Paperless-ngx comes with updated dependencies that do cookie-processing
 differently) and probably your cache as well.
 # Considerations for less powerful devices {#less-powerful-devices}
 Paperless runs on Raspberry Pi. However, some things are rather slow on
 the Pi and configuring some options in paperless can help improve
 performance immensely:
 - Stick with SQLite to save some resources. See [troubleshooting](troubleshooting.md#log-reports-creating-paperlesstask-failed)
  if you encounter issues with SQLite locking.
 - If you do not need the filesystem-based consumer, consider disabling it
  entirely by setting [`PAPERLESS_CONSUMER_DISABLE`](configuration.md#PAPERLESS_CONSUMER_DISABLE) to `true`.
-   Consider setting [`PAPERLESS_OCR_PAGES`](configuration.md#PAPERLESS_OCR_PAGES) to 1, so that paperless will
+- Consider setting [`PAPERLESS_OCR_PAGES`](configuration.md#PAPERLESS_OCR_PAGES) to 1, so that Paperless
-    only OCR the first page of your documents. In most cases, this page
+  OCRs only the first page of your documents. In most cases, this page
  contains enough information to be able to find it.
 - [`PAPERLESS_TASK_WORKERS`](configuration.md#PAPERLESS_TASK_WORKERS) and [`PAPERLESS_THREADS_PER_WORKER`](configuration.md#PAPERLESS_THREADS_PER_WORKER) are
  configured to use all cores. The Raspberry Pi models 3 and up have 4
-    cores, meaning that paperless will use 2 workers and 2 threads per
+  cores, meaning that Paperless will use 2 workers and 2 threads per
  worker. This may result in sluggish response times during
  consumption, so you might want to lower these settings (example: 2
  workers and 1 thread to always have some computing power left for
  other tasks).
-   Keep [`PAPERLESS_OCR_MODE`](configuration.md#PAPERLESS_OCR_MODE) at its default value `skip` and consider
+- Keep [`PAPERLESS_OCR_MODE`](configuration.md#PAPERLESS_OCR_MODE) at its default value `auto` and consider
-    OCR'ing your documents before feeding them into paperless. Some
+  OCRing your documents before feeding them into Paperless. Some
  scanners are able to do this!
-   Set [`PAPERLESS_OCR_SKIP_ARCHIVE_FILE`](configuration.md#PAPERLESS_OCR_SKIP_ARCHIVE_FILE) to `with_text` to skip archive
+- Set [`PAPERLESS_ARCHIVE_FILE_GENERATION`](configuration.md#PAPERLESS_ARCHIVE_FILE_GENERATION) to `never` to skip archive
-    file generation for already ocr'ed documents, or `always` to skip it
+  file generation entirely, saving disk space at the cost of in-browser PDF/A viewing.
    for all documents.
 - If you want to perform OCR on the device, consider using
  `PAPERLESS_OCR_CLEAN=none`. This will speed up OCR times and use
  less memory at the expense of slightly worse OCR results.
-   If using docker, consider setting [`PAPERLESS_WEBSERVER_WORKERS`](configuration.md#PAPERLESS_WEBSERVER_WORKERS) to 1. This will save some memory.
+- If using Docker, consider setting [`PAPERLESS_WEBSERVER_WORKERS`](configuration.md#PAPERLESS_WEBSERVER_WORKERS) to 1. This will save some memory.
 - Consider setting [`PAPERLESS_ENABLE_NLTK`](configuration.md#PAPERLESS_ENABLE_NLTK) to false, to disable the
  more advanced language processing, which can take more memory and
  processing time.
@@ -726,17 +653,19 @@ For details, refer to [configuration](configuration.md).
    Updating the
    [automatic matching algorithm](advanced_usage.md#automatic-matching) takes quite a bit of time. However, the update mechanism
    checks if your data has changed before doing the heavy lifting. If you
-    experience the algorithm taking too much cpu time, consider changing the
+    experience the algorithm taking too much CPU time, consider changing the
    schedule in the admin interface to daily. You can also manually invoke
    the task by changing the date and time of the next run to today/now.
    The actual matching of the algorithm is fast and works on Raspberry Pi
    as well as on any other device.
-# Using nginx as a reverse proxy {#nginx}
+## Additional considerations
-Please see [the wiki](https://github.com/paperless-ngx/paperless-ngx/wiki/Using-a-Reverse-Proxy-with-Paperless-ngx#nginx) for user-maintained documentation of using nginx with Paperless-ngx.
+**Using a reverse proxy with Paperless-ngx**
-# Enhancing security {#security}
+Please see [the wiki](https://github.com/paperless-ngx/paperless-ngx/wiki/Using-a-Reverse-Proxy-with-Paperless-ngx#nginx) for user-maintained documentation on using nginx with Paperless-ngx.
-Please see [the wiki](https://github.com/paperless-ngx/paperless-ngx/wiki/Using-Security-Tools-with-Paperless-ngx) for user-maintained documentation of how to configure security tools like Fail2ban with Paperless-ngx.
+**Enhancing security**
 Please see [the wiki](https://github.com/paperless-ngx/paperless-ngx/wiki/Using-Security-Tools-with-Paperless-ngx) for user-maintained documentation on configuring security tools like Fail2ban with Paperless-ngx.
@@ -1,4 +1,8 @@
-# Usage Overview
+---
 title: Basic Usage
 ---
 # Usage
 Paperless-ngx is an application that manages your personal documents. With
 the (optional) help of a document scanner (see [the scanners wiki](https://github.com/paperless-ngx/paperless-ngx/wiki/Scanner-&-Software-Recommendations)), Paperless-ngx transforms your unwieldy
@@ -85,6 +89,17 @@ You can view the document, edit its metadata, assign tags, correspondents,
 document types, and custom fields. You can also view the document history,
 download the document or share it via a share link.
 ### Document File Versions
 Think of versions as **file history** for a document.
 - Versions track the underlying file and extracted text content (OCR/text).
 - Metadata such as tags, correspondent, document type, storage path and custom fields stay on the "root" document.
 - Version files follow normal filename formatting (including storage paths) and add a `_vN` suffix (for example `_v1`, `_v2`).
 - By default, search and document content use the latest version.
 - In document detail, selecting a version switches the preview, file metadata and content (and download etc buttons) to that version.
 - Deleting a non-root version keeps metadata and falls back to the latest remaining version.
 ### Management Lists
 Paperless-ngx includes management lists for tags, correspondents, document types
@@ -119,9 +134,9 @@ following operations on your documents:
 !!! tip
    This process can be configured to fit your needs. If you don't want
-    paperless to create archived versions for digital documents, you can
+    paperless to create archived versions for born-digital documents, set
-    configure that by configuring
+    [`PAPERLESS_ARCHIVE_FILE_GENERATION=auto`](configuration.md#PAPERLESS_ARCHIVE_FILE_GENERATION)
-    `PAPERLESS_OCR_SKIP_ARCHIVE_FILE=with_text`. Please read the
+    (the default). To skip archives entirely, use `never`. Please read the
    [relevant section in the documentation](configuration.md#ocr).
 !!! note
@@ -216,7 +231,6 @@ different means. These are as follows:
  documents (the IMAP standard calls these "keywords"). Paperless
  will not consume mails already tagged. Not all mail servers support
  this feature!
  - **Apple Mail support:** Apple Mail clients allow differently colored tags. For this to work use `apple:<color>` (e.g. _apple:green_) as a custom tag. Available colors are _red_, _orange_, _yellow_, _blue_, _green_, _violet_ and _grey_.
 !!! warning
@@ -288,13 +302,19 @@ Paperless-ngx includes several features that use AI to enhance the document mana
 !!! warning
-    Remember that Paperless-ngx will send document content to the AI provider you have configured, so consider the privacy implications of using these features, especially if using a remote model (e.g. OpenAI), instead of the default local model.
+    Remember that Paperless-ngx will send document content to the AI provider you have configured,
    so consider the privacy implications of using these features, especially if using a remote
    model or API provider instead of the default local model.
 The AI features work by creating an embedding of the text content and metadata of documents, which is then used for various tasks such as similarity search and question answering. This uses the FAISS vector store.
 ### AI-Enhanced Suggestions
-If enabled, Paperless-ngx can use an AI LLM model to suggest document titles, dates, tags, correspondents and document types for documents. This feature will always be "opt-in" and does not disable the existing classifier-based suggestion system. Currently, both remote (via the OpenAI API) and local (via Ollama) models are supported, see [configuration](configuration.md#ai) for details.
+If enabled, Paperless-ngx can use an AI LLM model to suggest document titles, dates, tags,
 correspondents and document types for documents. This feature will always be "opt-in" and does not
 disable the existing classifier-based suggestion system. Currently, both remote
 (via OpenAI-compatible APIs) and local (via Ollama) models are supported, see
 [configuration](configuration.md#ai) for details.
 ### Document Chat
@@ -308,12 +328,14 @@ or using [email](#workflow-action-email) or [webhook](#workflow-action-webhook)
 ### Share Links
-"Share links" are shareable public links to files and can be created and managed under the 'Send' button on the document detail screen.
+"Share links" are public links to files (or an archive of files) and can be created and managed under the 'Send' button on the document detail screen or from the bulk editor.
-   Share links do not require a user to login and thus link directly to a file.
+- Share links do not require a user to login and thus link directly to a file or bundled download.
 - Links are unique and are of the form `{paperless-url}/share/{randomly-generated-slug}`.
 - Links can optionally have an expiration time set.
 - After a link expires or is deleted users will be redirected to the regular paperless-ngx login.
 - From the document detail screen you can create a share link for that single document.
 - From the bulk editor you can create a **share link bundle** for any selection. Paperless-ngx prepares a ZIP archive in the background and exposes a single share link. You can revisit the "Manage share link bundles" dialog to monitor progress, retry failed bundles, or delete links.
 !!! tip
@@ -366,6 +388,11 @@ permissions can be granted to limit access to certain parts of the UI (and corre
 Superusers can access all parts of the front and backend application as well as any and all objects. Superuser status can only be granted by another superuser.
 !!! tip
    Because superuser accounts can see all objects and documents, you may want to use a regular account for day-to-day use. Additional superuser accounts can
    be created via [cli](administration.md#create-superuser) or granted superuser status from an existing superuser account.
 #### Admin Status
 Admin status (Django 'staff status') grants access to viewing the paperless logs and the system status dialog
@@ -378,13 +405,14 @@ determine if a user can create, edit, delete or view _any_ documents, but indivi
 still have "object-level" permissions.
 | Type             | Details                                                                                                                                                                                                                         |
-| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | AppConfig        | _Change_ or higher permissions grants access to the "Application Configuration" area.                                                                                                                                           |
 | Correspondent    | Add, edit, delete or view Correspondents.                                                                                                                                                                                       |
 | CustomField      | Add, edit, delete or view Custom Fields.                                                                                                                                                                                        |
 | Document         | Add, edit, delete or view Documents.                                                                                                                                                                                            |
 | DocumentType     | Add, edit, delete or view Document Types.                                                                                                                                                                                       |
 | Group            | Add, edit, delete or view Groups.                                                                                                                                                                                               |
 | GlobalStatistics | View aggregate object counts and statistics. This does not grant access to view individual documents.                                                                                                                           |
 | MailAccount      | Add, edit, delete or view Mail Accounts.                                                                                                                                                                                        |
 | MailRule         | Add, edit, delete or view Mail Rules.                                                                                                                                                                                           |
 | Note             | Add, edit, delete or view Notes.                                                                                                                                                                                                |
@@ -392,9 +420,10 @@ still have "object-level" permissions.
 | SavedView        | Add, edit, delete or view Saved Views.                                                                                                                                                                                          |
 | ShareLink        | Add, delete or view Share Links.                                                                                                                                                                                                |
 | StoragePath      | Add, edit, delete or view Storage Paths.                                                                                                                                                                                        |
 | SystemMonitoring | View the system status dialog, tasks summary and their API endpoints. Admin users also retain system status access.                                                                                                             |
 | Tag              | Add, edit, delete or view Tags.                                                                                                                                                                                                 |
 | UISettings       | Add, edit, delete or view the UI settings that are used by the web app.<br/>:warning: **Users that will access the web UI must be granted at least _View_ permissions.**                                                        |
-| User          | Add, edit, delete or view Users.                                                                                                                                                                                                |
+| User             | Add, edit, delete or view other user accounts via Settings > Users & Groups and `/api/users/`. These permissions are not needed for users to edit their own profile via "My Profile" or `/api/profile/`.                        |
 | Workflow         | Add, edit, delete or view Workflows.<br/>Note that Workflows are global; all users who can access workflows see the same set. Workflows have other permission implications — see [Workflow permissions](#workflow-permissions). |
 #### Detailed Explanation of Object Permissions {#object-permissions}
@@ -405,6 +434,8 @@ still have "object-level" permissions.
 | View  | Confers the ability to view (not edit) a document, tag, etc.<br/>Users without 'view' (or higher) permissions will be shown _'Private'_ in place of the object name for example when viewing a document with a tag for which the user doesn't have permissions.                                                                          |
 | Edit  | Confers the ability to edit (and view) a document, tag, etc.                                                                                                                                                                                                                                                                             |
 For related metadata such as tags, correspondents, document types, and storage paths, object visibility and document assignment are intentionally distinct. A user may still retain or submit a known object ID when editing a document even if that related object is displayed as _Private_ or omitted from search and selection results. This allows documents to preserve existing assignments that the current user cannot necessarily inspect in detail.
 ### Password reset
 In order to enable the password reset feature you will need to setup an SMTP backend, see
@@ -558,10 +589,22 @@ For security reasons, webhooks can be limited to specific ports and disallowed f
 [configuration settings](configuration.md#workflow-webhooks) to change this behavior. If you are allowing non-admins to create workflows,
 you may want to adjust these settings to prevent abuse.
 ##### Move to Trash {#workflow-action-move-to-trash}
 "Move to Trash" actions move the document to the trash. The document can be restored
 from the trash until the trash is emptied (after the configured delay or manually).
 The "Move to Trash" action will always be executed at the end of the workflow run,
 regardless of its position in the action list. After a "Move to Trash" action is executed
 no other workflow will be executed on the document.
 If a "Move to Trash" action is executed in a consume pipeline, the consumption
 will be aborted and the file will be deleted.
 #### Workflow placeholders
-Titles can be assigned by workflows using [Jinja templates](https://jinja.palletsprojects.com/en/3.1.x/templates/).
+Titles and webhook payloads can be generated by workflows using [Jinja templates](https://jinja.palletsprojects.com/en/3.1.x/templates/).
-This allows for complex logic to be used to generate the title, including [logical structures](https://jinja.palletsprojects.com/en/3.1.x/templates/#list-of-control-structures)
+This allows for complex logic to be used, including [logical structures](https://jinja.palletsprojects.com/en/3.1.x/templates/#list-of-control-structures)
 and [filters](https://jinja.palletsprojects.com/en/3.1.x/templates/#id11).
 The template is provided as a string.
@@ -583,8 +626,8 @@ applied. You can use the following placeholders in the template with any trigger
 - `{{added_day}}`: added day
 - `{{added_time}}`: added time in HH:MM format
 - `{{original_filename}}`: original file name without extension
-   `{{filename}}`: current file name without extension
+- `{{filename}}`: current file name without extension (for "added" workflows this may not be final yet, you can use `{{original_filename}}`)
-   `{{doc_title}}`: current document title
+- `{{doc_title}}`: current document title (cannot be used in title assignment)
 The following placeholders are only available for "added" or "updated" triggers
@@ -593,7 +636,7 @@ The following placeholders are only available for "added" or "updated" triggers
 - `{{created_year_short}}`: created year
 - `{{created_month}}`: created month
 - `{{created_month_name}}`: created month name
-   `{created_month_name_short}}`: created month short name
+- `{{created_month_name_short}}`: created month short name
 - `{{created_day}}`: created day
 - `{{created_time}}`: created time in HH:MM format
 - `{{doc_url}}`: URL to the document in the web UI. Requires the `PAPERLESS_URL` setting to be set.
@@ -771,13 +814,20 @@ contract you signed 8 years ago).
 When you search paperless for a document, it tries to match this query
 against your documents. Paperless will look for matching documents by
-inspecting their content, title, correspondent, type and tags. Paperless
+inspecting their content, title, correspondent, type, tags, notes, and
-returns a scored list of results, so that documents matching your query
+custom field values. Paperless returns a scored list of results, so that
-better will appear further up in the search results.
+documents matching your query better will appear further up in the search
 results.
 By default, paperless returns only documents which contain all words
-typed in the search bar. However, paperless also offers advanced search
+typed in the search bar. A few things to know about how matching works:
-syntax if you want to drill down the results further.
+
 - **Word-order-independent**: "invoice unpaid" and "unpaid invoice" return the same results.
 - **Accent-insensitive**: searching `resume` also finds `résumé`, `cafe` finds `café`.
 - **Separator-agnostic**: punctuation and separators are stripped during indexing, so
  searching a partial number like `1312` finds documents containing `A-1312/B`.
 Paperless also offers advanced search syntax if you want to drill down further.
 Matching documents with logical expressions:
@@ -806,18 +856,70 @@ Matching inexact words:
 produ*name
 ```
 Matching natural date keywords:
 ```
 added:today
 modified:yesterday
 created:"previous week"
 added:"previous month"
 modified:"this year"
 ```
 Supported date keywords: `today`, `yesterday`, `previous week`,
 `this month`, `previous month`, `this year`, `previous year`,
 `previous quarter`.
 #### Searching custom fields
 Custom field values are included in the full-text index, so a plain search
 already matches documents whose custom field values contain your search terms.
 To narrow by field name or value specifically:
 ```
 custom_fields.value:policy
 custom_fields.name:"Contract Number"
 custom_fields.name:Insurance custom_fields.value:policy
 ```
 - `custom_fields.value` matches against the value of any custom field.
 - `custom_fields.name` matches the name of the field (use quotes for multi-word names).
 - Combine both to find documents where a specific named field contains a specific value.
 Because separators are stripped during indexing, individual parts of formatted
 codes are searchable on their own. A value stored as `A-1312/99.50` produces the
 tokens `a`, `1312`, `99`, `50` — each searchable independently:
 ```
 custom_fields.value:1312
 custom_fields.name:"Contract Number" custom_fields.value:1312
 ```
 !!! note
-    Inexact terms are hard for search indexes. These queries might take a
+    Custom date fields do not support relative date syntax (e.g. `[now to 2 weeks]`).
-    while to execute. That's why paperless offers auto complete and query
+    For date ranges on custom date fields, use the document list filters in the web UI.
-    correction.
+
 #### Searching notes
 Notes content is included in full-text search automatically. To search
 by note author or content specifically:
 ```
 notes.user:alice
 notes.note:reminder
 notes.user:alice notes.note:insurance
 ```
 All of these constructs can be combined as you see fit. If you want to
-learn more about the query language used by paperless, paperless uses
+learn more about the query language used by paperless, see the
-Whoosh's default query language. Head over to [Whoosh query
+[Tantivy query language documentation](https://docs.rs/tantivy/latest/tantivy/query/struct.QueryParser.html).
-language](https://whoosh.readthedocs.io/en/latest/querylang.html). For
+
-details on what date parsing utilities are available, see [Date
+!!! note
-parsing](https://whoosh.readthedocs.io/en/latest/dates.html#parsing-date-queries).
+
    Fuzzy (approximate) matching can be enabled by setting
    [`PAPERLESS_ADVANCED_FUZZY_SEARCH_THRESHOLD`](configuration.md#PAPERLESS_ADVANCED_FUZZY_SEARCH_THRESHOLD).
    When enabled, paperless will include near-miss results ranked below exact matches.
 ## Keyboard shortcuts / hotkeys
@@ -975,7 +1077,6 @@ Paperless-ngx consists of the following components:
  with a scheduler that executes certain commands periodically.
  This task processor is responsible for:
  - Consuming documents. When the consumer finds new documents, it
    notifies the task processor to start a consumption task.
  - The task processor also performs the consumption of any
@@ -1,87 +0,0 @@
 site_name: Paperless-ngx
 theme:
  name: material
  logo: assets/logo.svg
  font:
    text: Roboto
    code: Roboto Mono
  palette:
    # Palette toggle for automatic mode
    - media: "(prefers-color-scheme)"
      toggle:
        icon: material/brightness-auto
        name: Switch to light mode
    # Palette toggle for light mode
    - media: "(prefers-color-scheme: light)"
      scheme: default
      toggle:
        icon: material/brightness-7
        name: Switch to dark mode
    # Palette toggle for dark mode
    - media: "(prefers-color-scheme: dark)"
      scheme: slate
      toggle:
        icon: material/brightness-4
        name: Switch to system preference
  features:
    - navigation.tabs
    - navigation.top
    - toc.integrate
    - content.code.annotate
  icon:
    repo: fontawesome/brands/github
  favicon: assets/favicon.png
 repo_url: https://github.com/paperless-ngx/paperless-ngx
 repo_name: paperless-ngx/paperless-ngx
 edit_uri: blob/main/docs/
 extra_css:
  - assets/extra.css
 markdown_extensions:
  - attr_list
  - md_in_html
  - def_list
  - admonition
  - tables
  - pymdownx.highlight:
      anchor_linenums: true
  - pymdownx.superfences
  - pymdownx.inlinehilite
  - pymdownx.snippets
  - pymdownx.tilde
  - footnotes
  - pymdownx.superfences:
      custom_fences:
        - name: mermaid
          class: mermaid
          format: !!python/name:pymdownx.superfences.fence_code_format
  - pymdownx.emoji:
      emoji_index: !!python/name:material.extensions.emoji.twemoji
      emoji_generator: !!python/name:material.extensions.emoji.to_svg
 strict: true
 nav:
  - index.md
  - setup.md
  - 'Basic Usage': usage.md
  - configuration.md
  - administration.md
  - advanced_usage.md
  - 'REST API': api.md
  - development.md
  - 'FAQs': faq.md
  - troubleshooting.md
  - 'Migration to v3': migration.md
  - changelog.md
 copyright: Copyright &copy; 2016 - 2026 Daniel Quinn, Jonas Winkler, and the Paperless-ngx team
 extra:
  social:
    - icon: fontawesome/brands/github
      link: https://github.com/paperless-ngx/paperless-ngx
    - icon: fontawesome/brands/docker
      link: https://hub.docker.com/r/paperlessngx/paperless-ngx
    - icon: material/chat
      link: https://matrix.to/#/#paperless:matrix.org
 plugins:
  - search
  - glightbox:
      skip_classes:
        - no-lightbox
@@ -30,9 +30,25 @@
 			"**/.idea": true,
 			"**/.venv": true,
 			"**/.coverage": true,
-			"**/coverage.json": true
+			"**/coverage.json": true,
 			"htmlcov/": true,
 			"coverage.xml": true,
 			"junit.xml": true
 		},
-		"python.defaultInterpreterPath": ".venv/bin/python3",
+		"python.languageServer": "Pylance",
 		"python.defaultInterpreterPath": "${workspaceFolder:paperless-ngx}/.venv/bin/python3",
 		"python.analysis.extraPaths": ["${workspaceFolder:paperless-ngx}/src"],
 		"python.analysis.inlayHints.pytestParameters": true,
 		"python.testing.pytestEnabled": true,
 		"python.testing.unittestEnabled": false,
 		"[python]": {
 			"editor.defaultFormatter": "charliermarsh.ruff",
 			"editor.formatOnSave": true,
 			"editor.codeActionsOnSave": {
 				"source.fixAll.ruff": "explicit",
 				"source.organizeImports.ruff": "explicit"
 			}
 		}
 	},
 	"extensions": {
 		"recommendations": ["ms-python.python", "charliermarsh.ruff", "editorconfig.editorconfig"],
@@ -23,7 +23,8 @@
 # Security and hosting
-#PAPERLESS_SECRET_KEY=change-me
+# Required. Generate with: python3 -c "import secrets; print(secrets.token_urlsafe(64))"
 PAPERLESS_SECRET_KEY=change-me
 #PAPERLESS_URL=https://example.com
 #PAPERLESS_CSRF_TRUSTED_ORIGINS=https://example.com # can be set using PAPERLESS_URL
 #PAPERLESS_ALLOWED_HOSTS=example.com,www.example.com # can be set using PAPERLESS_URL
@@ -66,6 +67,7 @@
 #PAPERLESS_CONSUMER_BARCODE_DPI=300
 #PAPERLESS_CONSUMER_ENABLE_TAG_BARCODE=false
 #PAPERLESS_CONSUMER_TAG_BARCODE_MAPPING={"TAG:(.*)": "\\g<1>"}
 #PAPERLESS_CONSUMER_TAG_BARCODE_SPLIT=false
 #PAPERLESS_CONSUMER_ENABLE_COLLATE_DOUBLE_SIDED=false
 #PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_SUBDIR_NAME=double-sided
 #PAPERLESS_CONSUMER_COLLATE_DOUBLE_SIDED_TIFF_SUPPORT=false
@@ -1,12 +1,11 @@
 [project]
 name = "paperless-ngx"
-version = "2.20.5"
+version = "3.0.0"
 description = "A community-supported supercharged document management system: scan, index and archive all your physical documents"
 readme = "README.md"
-requires-python = ">=3.10"
+requires-python = ">=3.11"
 classifiers = [
  "Programming Language :: Python :: 3 :: Only",
  "Programming Language :: Python :: 3.10",
  "Programming Language :: Python :: 3.11",
  "Programming Language :: Python :: 3.12",
  "Programming Language :: Python :: 3.13",
@@ -14,53 +13,54 @@ classifiers = [
 ]
 # TODO: Move certain things to groups and then utilize that further
 # This will allow testing to not install a webserver, mysql, etc
 dependencies = [
  "azure-ai-documentintelligence>=1.0.2",
  "babel>=2.17",
-  "bleach~=6.3.0",
+  "bleach[css]~=6.3.0",
-  "celery[redis]~=5.5.1",
+  "celery[redis]~=5.6.2",
  "channels~=4.2",
  "channels-redis~=4.2",
  "concurrent-log-handler~=0.9.25",
  "dateparser~=1.2",
  # WARNING: django does not use semver.
  #          Only patch versions are guaranteed to not introduce breaking changes.
-  "django~=5.2.5",
+  "django~=5.2.13",
-  "django-allauth[mfa,socialaccount]~=65.13.1",
+  "django-allauth[mfa,socialaccount]~=65.16.0",
  "django-auditlog~=3.4.1",
-  "django-cachalot~=2.8.0",
+  "django-cachalot~=2.9.0",
  "django-celery-results~=2.6.0",
  "django-compression-middleware~=0.5.0",
  "django-cors-headers~=4.9.0",
  "django-extensions~=4.1",
  "django-filter~=25.1",
-  "django-guardian~=3.2.0",
+  "django-guardian~=3.3.0",
  "django-multiselectfield~=1.0.1",
  "django-rich~=2.2.0",
  "django-soft-delete~=1.0.18",
-  "django-treenode>=0.23.2",
+  "django-treenode>=0.24",
  "djangorestframework~=3.16",
  "djangorestframework-guardian~=0.4.0",
  "drf-spectacular~=0.28",
-  "drf-spectacular-sidecar~=2025.10.1",
+  "drf-spectacular-sidecar~=2026.5.1",
  "drf-writable-nested~=0.7.1",
  "faiss-cpu>=1.10",
-  "filelock~=3.20.0",
+  "filelock~=3.29.0",
  "flower~=2.0.1",
-  "gotenberg-client~=0.13.1",
+  "gotenberg-client~=0.14.0",
  "httpx-oauth~=0.16",
-  "imap-tools~=1.11.0",
+  "ijson>=3.2",
  "imap-tools~=1.12.1",
  "jinja2~=3.1.5",
  "langdetect~=1.0.9",
-  "llama-index-core>=0.14.12",
+  "llama-index-core>=0.14.21",
  "llama-index-embeddings-huggingface>=0.6.1",
-  "llama-index-embeddings-openai>=0.5.1",
+  "llama-index-embeddings-ollama>=0.9",
  "llama-index-embeddings-openai-like>=0.2.2",
  "llama-index-llms-ollama>=0.9.1",
-  "llama-index-llms-openai>=0.6.13",
+  "llama-index-llms-openai-like>=0.7.1",
  "llama-index-vector-stores-faiss>=0.5.2",
  "nltk~=3.9.1",
-  "ocrmypdf~=16.13.0",
+  "ocrmypdf~=17.4.2",
-  "openai>=1.76",
+  "openai>=2.32",
  "pathvalidate~=3.3.1",
  "pdf2image~=1.17.0",
  "python-dateutil~=2.9.0",
@@ -68,77 +68,75 @@ dependencies = [
  "python-gnupg~=0.5.4",
  "python-ipware~=3.0.0",
  "python-magic~=0.4.27",
-  "pyzbar~=0.1.9",
+  "rapidfuzz~=3.14.5",
  "rapidfuzz~=3.14.0",
  "redis[hiredis]~=5.2.1",
-  "regex>=2025.9.18",
+  "regex>=2026.4.4",
-  "scikit-learn~=1.7.0",
+  "scikit-learn~=1.8.0",
-  "sentence-transformers>=4.1",
+  "sentence-transformers>=5.4.1",
  "setproctitle~=1.3.4",
-  "tika-client~=0.10.0",
+  "tantivy~=0.26.0",
-  "torch~=2.9.1",
+  "tika-client~=0.11.0",
-  "tqdm~=4.67.1",
+  "torch~=2.11.0",
  "watchfiles>=1.1.1",
-  "whitenoise~=6.9",
+  "whitenoise~=6.11",
-  "whoosh-reloaded>=2.7.5",
+  "zxing-cpp~=3.0.0",
  "zxing-cpp~=2.3.0",
 ]
-
+[project.optional-dependencies]
-optional-dependencies.mariadb = [
+mariadb = [
  "mysqlclient~=2.2.7",
 ]
-optional-dependencies.postgres = [
+postgres = [
-  "psycopg[c,pool]==3.2.12",
+  "psycopg[c,pool]==3.3",
  # Direct dependency for proper resolution of the pre-built wheels
-  "psycopg-c==3.2.12",
+  "psycopg-c==3.3",
  "psycopg-pool==3.3",
 ]
-optional-dependencies.webserver = [
+webserver = [
-  "granian[uvloop]~=2.5.1",
+  "granian[uvloop]~=2.7.0",
 ]
 [dependency-groups]
 dev = [
-  { "include-group" = "docs" },
+  { include-group = "docs" },
-  { "include-group" = "testing" },
+  { include-group = "lint" },
-  { "include-group" = "lint" },
+  { include-group = "testing" },
 ]
 docs = [
-  "mkdocs-glightbox~=0.5.1",
+  "zensical>=0.0.36",
-  "mkdocs-material~=9.7.0",
+]
 lint = [
  "prek~=0.3.10",
  "ruff~=0.15.12",
 ]
 testing = [
  "daphne",
  "factory-boy~=3.3.1",
  "faker~=40.15.0",
  "imagehash",
-  "pytest~=8.4.1",
+  "pytest~=9.0.3",
-  "pytest-cov~=7.0.0",
+  "pytest-cov~=7.1.0",
-  "pytest-django~=4.11.1",
+  "pytest-django~=4.12.0",
-  "pytest-env",
+  "pytest-env~=1.6.0",
  "pytest-httpx",
-  "pytest-mock",
+  "pytest-mock~=3.15.1",
-  "pytest-rerunfailures",
+  # "pytest-randomly~=4.0.1",
  "pytest-rerunfailures~=16.1",
  "pytest-sugar",
-  "pytest-xdist",
+  "pytest-xdist~=3.8.0",
  "time-machine>=2.13",
 ]
 lint = [
  "pre-commit~=4.5.1",
  "pre-commit-uv~=4.2.0",
  "ruff~=0.14.0",
 ]
 typing = [
  "celery-types",
  "django-filter-stubs",
  "django-stubs[compatible-mypy]",
  "djangorestframework-stubs[compatible-mypy]",
  "lxml-stubs",
  "microsoft-python-type-stubs @ git+https://github.com/microsoft/python-type-stubs.git",
  "mypy",
  "mypy-baseline",
  "pyrefly",
  "types-bleach",
  "types-channels",
  "types-colorama",
  "types-dateparser",
  "types-markdown",
@@ -146,40 +144,33 @@ typing = [
  "types-python-dateutil",
  "types-pytz",
  "types-redis",
-  "types-setuptools",
+  "types-regex",
-  "types-tqdm",
+  "types-setuptools"
 ]
 [tool.uv]
-required-version = ">=0.5.14"
+required-version = ">=0.9.0"
 package = false
 environments = [
  "sys_platform == 'darwin'",
  "sys_platform == 'linux'",
 ]
-
+package = false
 [tool.uv.sources]
 # Markers are chosen to select these almost exclusively when building the Docker image
 psycopg-c = [
  { url = "https://github.com/paperless-ngx/builder/releases/download/psycopg-bookworm-3.2.12/psycopg_c-3.2.12-cp312-cp312-linux_x86_64.whl", marker = "sys_platform == 'linux' and platform_machine == 'x86_64' and python_version == '3.12'" },
  { url = "https://github.com/paperless-ngx/builder/releases/download/psycopg-bookworm-3.2.12/psycopg_c-3.2.12-cp312-cp312-linux_aarch64.whl", marker = "sys_platform == 'linux' and platform_machine == 'aarch64' and python_version == '3.12'" },
 ]
 zxing-cpp = [
  { url = "https://github.com/paperless-ngx/builder/releases/download/zxing-2.3.0/zxing_cpp-2.3.0-cp312-cp312-linux_x86_64.whl", marker = "sys_platform == 'linux' and platform_machine == 'x86_64' and python_version == '3.12'" },
  { url = "https://github.com/paperless-ngx/builder/releases/download/zxing-2.3.0/zxing_cpp-2.3.0-cp312-cp312-linux_aarch64.whl", marker = "sys_platform == 'linux' and platform_machine == 'aarch64' and python_version == '3.12'" },
 ]
 torch = [
  { index = "pytorch-cpu" },
 ]
 [[tool.uv.index]]
 name = "pytorch-cpu"
 url = "https://download.pytorch.org/whl/cpu"
 explicit = true
 [tool.uv.sources]
 # Markers are chosen to select these almost exclusively when building the Docker image
 psycopg-c = [
  { url = "https://github.com/paperless-ngx/builder/releases/download/psycopg-trixie-3.3.0/psycopg_c-3.3.0-cp312-cp312-linux_x86_64.whl", marker = "sys_platform == 'linux' and platform_machine == 'x86_64' and python_version == '3.12'" },
  { url = "https://github.com/paperless-ngx/builder/releases/download/psycopg-trixie-3.3.0/psycopg_c-3.3.0-cp312-cp312-linux_aarch64.whl", marker = "sys_platform == 'linux' and platform_machine == 'aarch64' and python_version == '3.12'" },
 ]
 torch = [
  { index = "pytorch-cpu" },
 ]
 [tool.ruff]
-target-version = "py310"
+target-version = "py311"
 line-length = 88
 src = [
  "src",
@@ -188,10 +179,12 @@ respect-gitignore = true
 # https://docs.astral.sh/ruff/settings/
 fix = true
 show-fixes = true
 output-format = "grouped"
 [tool.ruff.format]
 line-ending = "lf"
 [tool.ruff.lint]
 # https://docs.astral.sh/ruff/rules/
-lint.extend-select = [
+extend-select = [
  "COM",  # https://docs.astral.sh/ruff/rules/#flake8-commas-com
  "DJ",   # https://docs.astral.sh/ruff/rules/#flake8-django-dj
  "EXE",  # https://docs.astral.sh/ruff/rules/#flake8-executable-exe
@@ -216,102 +209,52 @@ lint.extend-select = [
  "UP",   # https://docs.astral.sh/ruff/rules/#pyupgrade-up
  "W",    # https://docs.astral.sh/ruff/rules/#pycodestyle-e-w
 ]
-lint.ignore = [
+ignore = [
  "DJ001",
  "PLC0415",
  "RUF012",
  "SIM105",
 ]
 # Migrations
-lint.per-file-ignores."*/migrations/*.py" = [
+per-file-ignores."*/migrations/*.py" = [
  "E501",
  "SIM",
  "T201",
 ]
 # Testing
-lint.per-file-ignores."*/tests/*.py" = [
+per-file-ignores."*/tests/*.py" = [
  "E501",
  "SIM117",
 ]
-lint.per-file-ignores.".github/scripts/*.py" = [
+per-file-ignores.".github/scripts/*.py" = [
  "E501",
  "INP001",
  "SIM117",
 ]
 # Docker specific
-lint.per-file-ignores."docker/rootfs/usr/local/bin/wait-for-redis.py" = [
+per-file-ignores."docker/rootfs/usr/local/bin/wait-for-redis.py" = [
  "INP001",
  "T201",
 ]
-lint.per-file-ignores."docker/wait-for-redis.py" = [
+per-file-ignores."docker/wait-for-redis.py" = [
  "INP001",
  "T201",
 ]
-lint.per-file-ignores."src/documents/models.py" = [
+per-file-ignores."src/documents/models.py" = [
  "SIM115",
 ]
-lint.per-file-ignores."src/paperless_tesseract/tests/test_parser.py" = [
+isort.force-single-line = true
  "RUF001",
 ]
 lint.isort.force-single-line = true
 [tool.codespell]
 write-changes = true
 ignore-words-list = "criterias,afterall,valeu,ureue,equest,ure,assertIn,Oktober,commitish"
-skip = "src-ui/src/locale/*,src-ui/pnpm-lock.yaml,src-ui/e2e/*,src/paperless_mail/tests/samples/*,src/documents/tests/samples/*,*.po,*.json"
+skip = """\
  src-ui/src/locale/*,src-ui/pnpm-lock.yaml,src-ui/e2e/*,src/paperless_mail/tests/samples/*,src/paperless/tests/samples\
  /mail/*,src/documents/tests/samples/*,*.po,*.json\
  """
-[tool.pytest.ini_options]
+[tool.pyproject-fmt]
-minversion = "8.0"
+table_format = "long"
 pythonpath = [
  "src",
 ]
 testpaths = [
  "src/documents/tests/",
  "src/paperless/tests/",
  "src/paperless_mail/tests/",
  "src/paperless_tesseract/tests/",
  "src/paperless_tika/tests",
  "src/paperless_text/tests/",
  "src/paperless_remote/tests/",
  "src/paperless_ai/tests",
 ]
 addopts = [
  "--pythonwarnings=all",
  "--cov",
  "--cov-report=html",
  "--cov-report=xml",
  "--numprocesses=auto",
  "--maxprocesses=16",
  "--quiet",
  "--durations=50",
  "--junitxml=junit.xml",
  "-o junit_family=legacy",
 ]
 norecursedirs = [ "src/locale/", ".venv/", "src-ui/" ]
 DJANGO_SETTINGS_MODULE = "paperless.settings"
 [tool.pytest_env]
 PAPERLESS_DISABLE_DBHANDLER = "true"
 PAPERLESS_CACHE_BACKEND = "django.core.cache.backends.locmem.LocMemCache"
 [tool.coverage.run]
 source = [
  "src/",
 ]
 omit = [
  "*/tests/*",
  "manage.py",
  "paperless/wsgi.py",
  "paperless/auth.py",
 ]
 [tool.coverage.report]
 exclude_also = [
  "if settings.AUDIT_LOG_ENABLED:",
  "if AUDIT_LOG_ENABLED:",
  "if TYPE_CHECKING:",
 ]
 [tool.mypy]
 mypy_path = "src"
@@ -326,5 +269,81 @@ disallow_untyped_defs = true
 warn_redundant_casts = true
 warn_unused_ignores = true
 [tool.pyrefly]
 search-path = [ "src" ]
 baseline = ".pyrefly-baseline.json"
 python-platform = "linux"
 [tool.django-stubs]
 django_settings_module = "paperless.settings"
 [tool.pytest]
 minversion = "9.0"
 pythonpath = [ "src" ]
 strict_config = true
 strict_markers = true
 strict_parametrization_ids = true
 strict_xfail = true
 testpaths = [
  "src/documents/tests/",
  "src/paperless/tests/",
  "src/paperless_mail/tests/",
  "src/paperless_ai/tests",
 ]
 addopts = [
  "--pythonwarnings=all",
  "--cov",
  "--cov-report=html",
  "--cov-report=xml",
  "--numprocesses=auto",
  "--maxprocesses=16",
  "--dist=loadscope",
  "--durations=50",
  "--durations-min=0.5",
  "--junitxml=junit.xml",
  "-o",
  "junit_family=legacy",
 ]
 norecursedirs = [ "src/locale/", ".venv/", "src-ui/" ]
 DJANGO_SETTINGS_MODULE = "paperless.settings"
 markers = [
  "live: Integration tests requiring external services (Gotenberg, Tika, nginx, etc)",
  "nginx: Tests that make HTTP requests to the local nginx service",
  "gotenberg: Tests requiring Gotenberg service",
  "tika: Tests requiring Tika service",
  "greenmail: Tests requiring Greenmail service",
  "date_parsing: Tests which cover date parsing from content or filename",
  "management: Tests which cover management commands/functionality",
  "search: Tests for the Tantivy search backend",
  "api: Tests for REST API endpoints",
 ]
 [tool.pytest_env]
 PAPERLESS_SECRET_KEY = "test-secret-key-do-not-use-in-production"
 PAPERLESS_DISABLE_DBHANDLER = "true"
 PAPERLESS_CACHE_BACKEND = "django.core.cache.backends.locmem.LocMemCache"
 PAPERLESS_CHANNELS_BACKEND = "channels.layers.InMemoryChannelLayer"
 # I don't think anything hits this, but just in case, basically infinite
 PAPERLESS_TOKEN_THROTTLE_RATE = "1000/min"
 [tool.coverage.report]
 exclude_also = [
  "if settings.AUDIT_LOG_ENABLED:",
  "if AUDIT_LOG_ENABLED:",
  "if TYPE_CHECKING:",
 ]
 [tool.coverage.run]
 source = [
  "src/",
 ]
 omit = [
  "*/tests/*",
  "manage.py",
  "paperless/wsgi.py",
  "paperless/auth.py",
 ]
 [tool.mypy-baseline]
 baseline_path = ".mypy-baseline.txt"
 sort_baseline = true
 ignore_categories = [ "note" ]
@@ -1,16 +0,0 @@
                         9w
                       {@@N
                     Q@@@@H
                  G@@@@@@@\
               SilN@@@@@@@
            *Q  *@@@@@@@@S        /= = = = = = = = = = = = = = = = = =\
          *@   B@@@@@@@@N        ||                                   ||
 N       R$  A@@@@@@@@@@         ||           PAPERLESS-NGX           ||
 x@@     $U  B@@@@@@@@@R          ||                                   ||
 N@@N^   @  N@@@@@@@@@*            \= = = = = = = = = = = = = = = = = =/
 |@@@u   @ E@@@@@@@@l
 Q@@@ \ Px@@@@@@P
  1@@S`  @@@o'
    z$  ;
       v
      /
@@ -1,329 +0,0 @@
 %PDF-1.6
 %âãÏÓ
 3 0 obj
 <</Metadata 7 0 R/OCProperties<</D<</ON[8 0 R 22 0 R]/Order 23 0 R/RBGroups[]>>/OCGs[8 0 R 22 0 R]>>/Pages 4 0 R/Type/Catalog>>
 endobj
 7 0 obj
 <</Length 8109/Subtype/XML/Type/Metadata>>stream
 <?xpacket begin="ï»¿" id="W5M0MpCehiHzreSzNTczkc9d"?>
 <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 7.1-c000 79.a8731b9, 2021/09/09-00:37:38        ">
   <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
      <rdf:Description rdf:about=""
            xmlns:xmp="http://ns.adobe.com/xap/1.0/"
            xmlns:xmpGImg="http://ns.adobe.com/xap/1.0/g/img/"
            xmlns:pdf="http://ns.adobe.com/pdf/1.3/"
            xmlns:xmpTPg="http://ns.adobe.com/xap/1.0/t/pg/"
            xmlns:stDim="http://ns.adobe.com/xap/1.0/sType/Dimensions#"
            xmlns:xmpG="http://ns.adobe.com/xap/1.0/g/"
            xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/"
            xmlns:dc="http://purl.org/dc/elements/1.1/"
            xmlns:illustrator="http://ns.adobe.com/illustrator/1.0/">
         <xmp:CreateDate>2018-12-29T21:47:38Z</xmp:CreateDate>
         <xmp:CreatorTool>Chromium</xmp:CreatorTool>
         <xmp:ModifyDate>2022-02-26T20:11:14-08:00</xmp:ModifyDate>
         <xmp:MetadataDate>2022-02-26T20:11:14-08:00</xmp:MetadataDate>
         <xmp:Thumbnails>
            <rdf:Alt>
               <rdf:li rdf:parseType="Resource">
                  <xmpGImg:width>256</xmpGImg:width>
                  <xmpGImg:height>76</xmpGImg:height>
                  <xmpGImg:format>JPEG</xmpGImg:format>
                  <xmpGImg:image>/9j/4AAQSkZJRgABAgEASABIAAD/7QAsUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAASAAAAAEA&#xA;AQBIAAAAAQAB/+4ADkFkb2JlAGTAAAAAAf/bAIQABgQEBAUEBgUFBgkGBQYJCwgGBggLDAoKCwoK&#xA;DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8fHx8fHx8fHwEHBwcNDA0YEBAYGhURFRofHx8f&#xA;Hx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8f/8AAEQgATAEAAwER&#xA;AAIRAQMRAf/EAaIAAAAHAQEBAQEAAAAAAAAAAAQFAwIGAQAHCAkKCwEAAgIDAQEBAQEAAAAAAAAA&#xA;AQACAwQFBgcICQoLEAACAQMDAgQCBgcDBAIGAnMBAgMRBAAFIRIxQVEGE2EicYEUMpGhBxWxQiPB&#xA;UtHhMxZi8CRygvElQzRTkqKyY3PCNUQnk6OzNhdUZHTD0uIIJoMJChgZhJRFRqS0VtNVKBry4/PE&#xA;1OT0ZXWFlaW1xdXl9WZ2hpamtsbW5vY3R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo+Ck5SVlpeYmZ&#xA;qbnJ2en5KjpKWmp6ipqqusra6voRAAICAQIDBQUEBQYECAMDbQEAAhEDBCESMUEFURNhIgZxgZEy&#xA;obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PSNeJEgxdUkwgJChgZJjZFGidkdFU38qOzwygp&#xA;0+PzhJSktMTU5PRldYWVpbXF1eX1RlZmdoaWprbG1ub2R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo&#xA;+DlJWWl5iZmpucnZ6fkqOkpaanqKmqq6ytrq+v/aAAwDAQACEQMRAD8A9U4q7FXYq7FXYqlnmXzJ&#xA;pHlvR7jV9VmENpAP9k7n7MaD9pm7DBKQAssZSAFl5x+RvnjUfN2r+br+8+BWmtJLaCtVijZZUVB8&#xA;liFT3O+VYp8RLVhnxEvWsub3Yq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq&#xA;7FXYq7FXYq7FXYq7FWG+f/zU8seTLdlvJfrWqMKwaZCw9U1Gxc7iNfdvoByueQRa55BF8t+evzB8&#xA;w+c9T+t6pLxgjJFpYx1EMKn+Ud2PdjufltmJOZlzcOczI7vVP+cVYSbjzJNX4VSzSnuxmP8Axrl2&#xA;n6t2m6voLMlynYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7&#xA;FVk88FvBJPPIsMESl5ZZCFRVUVLMx2AA74q8A/Mv/nIqV2l0ryYeEYqkusuPiPY/V0Ybf67fQB1z&#xA;GyZugcXJn6B4TcXFxczyXFxK808rF5ZZGLuzHclmNSScxnGU8VfTH/OMOlNB5R1LUXFDfXnBPdII&#xA;wAf+CkYZl4Bs5enGz2TL3IdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirs&#xA;VdirsVYj5X/MGw13zf5i8vRFRJosiJDv8UqgcJ2/55zfD92QjOyQ1xnZIZdk2x8v/np+a1zr2qTe&#xA;XNJmMeh2MhjuHQ0+tTIaMWI6xow+EdD9rwpiZclmhycPNks0OTyPKGh2Kr4YZZ5khhQySysEjjUV&#xA;ZmY0AA8ScVfbnkXy2nlryjpeiinqWkAE5HQzPV5SPnIxzYQjQp2MI0KT3JMnYq7FXYq7FXYq7FXY&#xA;q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXw9oPm/WdE8zx+Y7OWl+szTSg14SCQ1kj&#xA;cd1etD/XNeJEG3XRkQbfUt9+Ytlqv5U6n5q0ZykqWcw9Ov7y3uuPHi3TdGYH3G/fMwzuNhzDkuNh&#xA;8f5guC7FXYq9q/5x5/LaXUNTTzdqUVNPsWP6NRx/e3A29QA/sxdj/N8jmRhhe7kYMdmy+ksynLdi&#xA;rsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdir4a836BP5f8AM2pa&#xA;NOpVrOd40r+1HWsbivZkIYZr5CjTrpRo0y3ytqd6dCuLK3J9DzFYXmn3cP8ANe6dCLi3kUdjJG6R&#xA;e5qcnE7e9nE7e953lTU7FXrv5W/kPquuzQ6r5kiew0RSHS1eqXFyOwpsY4z3Y7n9nryF+PCTuW/H&#xA;hJ3PJ9NWlpbWltFa2sSwW0CiOGGMBURFFAqgdAMywHMAVcVdirsVdirsVdirsVdirsVdirsVdirs&#xA;VdirsVdirsVdirsVdirsVdirsVdirsVdiryr86/yjfzbbprOjKq69aJwaI0UXMQ3Ccugdf2SevQ9&#xA;qU5cfFuObRlxcW45vL/ym0y40i+vNc8xwvZaP5Raa5uopk4yPezxCGKDi1DypuPeleuU4xW56NOI&#xA;VueiJ8n/APOP2q+Z7WLXbq6j0XStQLT2tmqNNOsLMSgoxRQCv2TyO29MMcJO6Y4Cd3snk78mvI3l&#xA;Z0uLa0N7qKUIvrykrqw7otAifNVr75fHEA5EcUYs4yxsdirsVdirsVdirsVdirsVdirsVdirsVdi&#xA;rsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVeRedfy/wBa8z/mjBbyQyxeUJYra81aQlfSnntP&#xA;URUWhrUpIqUNNqnsMolAmXk0TgTLyeuIiIioihUUBVVRQADYAAZe3t4q7FXYq7FXYq7FXYq7FXYq&#xA;7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7&#xA;FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7F&#xA;XYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq//2Q==</xmpGImg:image>
               </rdf:li>
            </rdf:Alt>
         </xmp:Thumbnails>
         <pdf:Producer>Skia/PDF m64</pdf:Producer>
         <xmpTPg:NPages>1</xmpTPg:NPages>
         <xmpTPg:HasVisibleTransparency>False</xmpTPg:HasVisibleTransparency>
         <xmpTPg:HasVisibleOverprint>False</xmpTPg:HasVisibleOverprint>
         <xmpTPg:MaxPageSize rdf:parseType="Resource">
            <stDim:w>2409.000000</stDim:w>
            <stDim:h>909.000000</stDim:h>
            <stDim:unit>Pixels</stDim:unit>
         </xmpTPg:MaxPageSize>
         <xmpTPg:PlateNames>
            <rdf:Seq>
               <rdf:li>Cyan</rdf:li>
               <rdf:li>Magenta</rdf:li>
               <rdf:li>Yellow</rdf:li>
               <rdf:li>Black</rdf:li>
            </rdf:Seq>
         </xmpTPg:PlateNames>
         <xmpTPg:SwatchGroups>
            <rdf:Seq>
               <rdf:li rdf:parseType="Resource">
                  <xmpG:groupName>Default Swatch Group</xmpG:groupName>
                  <xmpG:groupType>0</xmpG:groupType>
               </rdf:li>
            </rdf:Seq>
         </xmpTPg:SwatchGroups>
         <xmpMM:InstanceID>uuid:e5f59418-0be8-dd42-a564-bc1f41615750</xmpMM:InstanceID>
         <xmpMM:RenditionClass>proof:pdf</xmpMM:RenditionClass>
         <xmpMM:DocumentID>uuid:c2483dfa-3a53-3149-80a7-6822614a9dee</xmpMM:DocumentID>
         <dc:format>application/pdf</dc:format>
         <illustrator:CreatorSubTool>Adobe Illustrator</illustrator:CreatorSubTool>
      </rdf:Description>
   </rdf:RDF>
 </x:xmpmeta>
 <?xpacket end="w"?>
 endstream
 endobj
 4 0 obj
 <</Count 1/Kids[5 0 R]/Type/Pages>>
 endobj
 5 0 obj
 <</ArtBox[152.941 154.947 2262.04 755.845]/BleedBox[0.0 0.0 2409.0 909.0]/Contents 24 0 R/CropBox[0.0 0.0 2409.0 909.0]/LastModified(D:20220226201114-08'00')/MediaBox[0 0 2409 909]/Parent 4 0 R/PieceInfo<</Illustrator 25 0 R>>/Resources<</ExtGState<</GS0 26 0 R>>/Properties<</MC0 22 0 R>>>>/Thumb 27 0 R/TrimBox[0.0 0.0 2409.0 909.0]/Type/Page>>
 endobj
 24 0 obj
 <</Filter/FlateDecode/Length 3540>>stream
 H‰ì—ÍŽ¹„ïýõU"™ü½Z|2Ã?ÀÀ»{Øõûþ"ÉªîI¼;ö° i²ø“ÌŒˆÌüð·�Û‡¿~ÛŸþüq»ý|ÛcK™ÿvýúå_·nÿ¾ÅMÿ~ùñöá/ÿÛ�ÿ¹ýÌ0ð/n}Ô£Æ´ÙÈG¨£l/Ÿnú¢ÿc:jÛnGëeKv¤·=Æ#uÛ,�?/·=v¾o9%—mOý¨ŒòÑjÛvf»ÕsÈâ’Ž1Òõ½¦£Ç¡Í¹¥moáH9?œÝ&¿{Ø¶÷xX�—ak´rýÞÏokç~š½ŽÞïg¯»÷Óòbx€¿olßïÆëm¡ÝWÌ—ï§õË3WLÏíËüpYÜæŸ8‘«»butŒûtM´ÂÄØ^ñn9d+²®6;†ž3ÚÑ
 Æ—vd³k,—q©õûŠÞ�Ò5¶£h>†8ßÕË8Jä’ÐqN«G	Yf–#Ëá5ÏD“sø’ÇÑkòM<»š<š�¡=xÅru¯X~œGh)k†qÈ¹¾Æ�ºûsÝÂ%Íß";
 þ’Ñ=\ŽXÚ†�Ùâý-]&t‡¯�eã±Yn[ÎÀµ·Ë[k¨Mwžß9¾Qw6öÍ`‹ÖªÇßÇ|m-›2çÏÆŠÕˆMÁ»‡wNütûáö÷öÅhíˆ±~“<þ�ìzæ_á„Z¬�Ôô[Ë�,©_¬ãÅžh¸ä��èÊ�ü“ê<ÐOÛ.úsŸé§‹ïô›vío¦Ÿ^öH?=ü‘òÌ3ÿ›¯ò/á<Ÿn\Ü’€Ú‚^áL¹i!“P^ÀF£`�Â]°?Ç|Î˜¯‰wœ‹v|'–8²˜']^|_ÌtƒïÌm\8îÔÝã�ù<»‡'mÈD%–ûŠ*q™uÕ‘vßÕGÑ_3‘4aèöëä}Ó_˜»¨pnülb‘‰	î.H+ÌæiÚÉÄeû�©…r¢öÿ]aDò�¶Ç ¾¼%XêÚHŒrdE…ÕÁ*g§ÌÏ×[„hl_�
 `F,�B|Rä.¹\È¶%Òf†tX–�ÿú,�tÑ-É�ÕÇ	�øk'²	X;
 u�‹à]Ê{#ÔpsD™¬ë‰{!“�Á"Nr
 õ
 T;ïˆÁt#Ž
 ekìiÒdq>Ú8’¼}Ž_n+‡�ø²øwPX´‘†&‚üà˜0ÖHÖ‰…%îÊäQÂ TVÝ¢“¾“qûð@^©¸àå4¡%¸¥Ì¡é]Ië=]3~å^a£ÁÝèçg’ÄJÆB5�ÎÖ0;°¯‘�\É‚).�Y¬qf;ÆckÈŽŸév5^©ø±s�ˆIâàzŽk÷�³ÑpQÇ8Ç±%ËŠÁWx[ -6Çˆz||š‚=¦ŠG^ÇúØ�-J…†,%y›Ðò´kÌß�<Jüš4™ªÂÃ@ËrÐÖü¿óþŠ›y`’·«ÞžÐXåyðnÜ.OÅîâpå	Ž5œX�íš(è¯ˆq2Ø‚ÀSÚÊ&wÉ¥1{¼ZÂQãˆyØž~ßÏ˜Z”ÛU¢e…_B~1µ4¤ã( ·á`ÐÎýØŽátóÒ“7FÈcªkA	Xû3Ž¯çÈ#«d³Æà3@Ièr}�V
 F	“Ôa½9xIéÉëØ¡ZŠaGx°¤9”v`R#þýšÀR³Š‹z„d79LKžùTôt¥+\7†Ò•
 ™¢ì VApï®¡àcÄ/Ma}I*9ÂãÏ=\EH¬¼³Éæ ]¶k'©»/z‡ãCÂÀèòm%
 peJ—”Tpž¢ö›•´<)iùº’Bõ ¤ý%ý
 JjßIIíû)i{£¤í;)©ýO%Ío•´þ_Jê”äØìB*–KH‘ão	éP]$™É¨Sù�¨Tˆ)ÔUgRBÜÎ.“I¿_µj¢À—"¿$d'|í>Zò¥Êüœa½÷‚T1ÝËGpe>]¬j.Ì“Œf¥¼ãÓüÏ2þkb]QÁ¾[¡[ìŽ¥1Èdî^®-…jTá.É Žàâ¤‚}  qVÂ®Ñå<ú–¾œÛ9\Ô“©lë¨Ò9dÕ`7Ë×„ô¡))	#b5O‰¨B¬i^Ì+šËtW³ÔÐ„Ü(E*^5|„Àj¾�å}^ÖâÃS¥í¢Ê¿z³dòQi*«Eõ>›�hDƒ/:~Œj.mf>1µN[x»/T_ œéÏðD”]¡ÏþU.Ò'zÕT«	�ªÓ•ú�D,WtaŸv¶kBšžo+¥ç5ì$tóôyNdÏÌî—t5¡ë,ìO®DÖ¼óÌ’8äæLîzÒÌgÖšš²§Áî4xy	ìêw¡fÞKé“VÄÙyrsqè}øÆ®/8ªw*^"H[’JùY+Ám’Èœc¸g³=[3@TË!#aâÍC[’¬B˜½œ÷‰KE–R™?ý¾F¸�:‚fr�	cÂ�ÂOÎ*Ï¼té±ÍÖ¶™·¶
 	©‡ƒd2sôpƒý«7óÚ(†I÷�½Þ8«9¶)) ¦5Ï„8_³ÔBC¢0;Œb,˜‘"ir}ØfŽ~–´IÙˆã7%ý!i_”´ü,iù¤åß«¤…º$M
 _#Q“~¨¥w5%ûwÓ´þžšÖÞ_ÓâïUÓâ¯Ô´þŽ’Ö…SÒ�«'I£‚³Ä e5-I•vOŽß£0ý¦çJA
 %/HÞ“J˜NÙ£fÞÝÐáuN^;¢4•«¯ŽÙOY<‡ÞD9~ð dU¸·žüPþ[Xç™ÙUN�I¹†IÎŸÏ	’éü¨›m•°o'L"RÏ	Ž ·¨N‹Ñ§~N’�¡;n‚ÛÃÅÁôWXBÓ‘¶Æ™÷Ñ‹ªvo±‹ÊøÀ’ïÃ¿ôú„ÉYŒŸ �XÖî#ìÕI²&x™š"EZò>ŸÁ£A˜Y[ÞI59¸$ÕiŸº0uo¸RÖðÇ¾’þ(õI:DÐ{Le�<‘dÇõ¼�Š¼!x”–ÝA=Î�àDg5.¯I®Hy?×ðA.Ò ¸(fŒ©å³‚ªæÚàrJ£·²dCÅL
 L¿²¢†qJgb›I�cWœÝ%d Éd³zªì:ü;ö¶8¶sæÒ¸VÏÃbS¢—Ü°èg‡êÈ?Ý‘],g'&Sò˜©>Î]Fw°$ÝµLßWÊÖK³ûÒgÚ¤ÈX`ÓÁ«ID"‹ÃEJ'‘õÓquô[Ê+¶�PÛIÎ™äB³’%ìkoýä¢ÉÀê�ã¿8Ø<ch¦‹Q}ñîŠ›	
 Í›GáARýÀÛ�Á „–WªEì†ÊT3‹›ˆÓhó”c2uõL_dd÷�½ÍqQ‰A,Zð¤©|žìšyõ¸ôu[Ô-ØÕ”ˆ¹ÍñÃRóŽ”ÏÐèíêlcñØ%2ìÊžå…mó±E÷ºÐôVH3Êžé,g~R�†#¼Z�Ù>OîÅ!:;ÈP„n
 I‘æ&øzszV7¡„Â»¢3¦”ÈXŽªÅY>F=:ûê˜ecô‚¶¬ÔV^Òilc=Þ$�^É$¯K’l•Rjþ’dI€ÇäNÉôòL‰JY˜š¤TYÀÅÝqL�U¥Žaæzê¢HŽ$ôú(D/T›Û¯±	î¿d—=rÛ0F{ŸÂÐ YgRú*â"irÿ"ï-@HŠ{R$±ûí÷ã„6§�©á¯g3[ýÂ~¢»i<�o¯ÀƒÎfû5Ë2�Fç66¢M‘³)t+
 b÷ó¸ÚbJRT8kÝÊÛÚ®éÝb£Ø¦©«vAaÀùuôÞiVË&1Vµé9cD�åJÞ {µ�5pÁÇk’‡Uâ:/~¬fŠàh½¸k6y]gÓó¯™eM†~Â«=<Ç0>ñcíÌµ{4UoÞüýßqz?5[ø§.í²užIà&)�ýTù¹ êTçR¹8µ/oð{í4†aý?ÁÏå8FŒRÏ�ù>0%Ý'ó�2pÿÞJ‚{€3J/nV†›•˜æšr7P?H™öA«ßÝNœº»Pþ¹ª‡Ïîm´€Ž�"Fàr‹�§ÇOØdš«e»ê²†AÂš…¾Öf=*V;J<}ç]Ë˜ä8x3ÊXá¼E®œÔÀÊ:G8û‘hÐñ`×¼©&gT<Õ‘ŸÖV7öÙ…}pËÛµH-Z3?þy~ØÖÆ51¨EjWeœ÷œ�ìY63Ó»YSn£Ö³ä·i3ï¼?Bþ›:[@Å9L7¡u´ÖÝ
 Ìµ^CA†I|T“0Êçk'Çœ&ã*Tü›)þß_Ï³Ës�æÒójoNÙâ„ƒÍá
 ú.¸(‚ç¤ê�åy(Å@™7mÚÌ˜Ê¶PuÚÚªÚœ”P°¶�åJçUÒÙÃgéˆ^À’}æÉ–t9jËjHÉ5t]î!:>H|H>@‰êDë8p€s:¿â‰ÜlSÀ¬Ì
 EŒ÷¨/^6“p=ëR [�B°Ú ëIžf�ŽÝ-Ð‰µ+‡®ªÆ\q²9EÂÊ$NÅ“ƒ:=á
 aÇ¸Çy§Ñ±œÝVö�$8(fóÉ~†/ç{²'<RdN87¸.O9ƒÛºû¶ÅWÜvås˜ÙvÁÖüS ²^ÚxŸÔùóëÇ'ÿþ	0B¸|–
 endstream
 endobj
 27 0 obj
 <</BitsPerComponent 8/ColorSpace 28 0 R/Filter[/ASCII85Decode/FlateDecode]/Height 39/Length 181/Width 105>>stream
 8;Z]!\Ij?G$j8@t/k5dUU3<am*`9`037'CAm[R>[,!)9)1.3+''h?`o>gmB[ET8ck
@lE>-DRC'5>'BJ23HlQilI&Ga&7If\2VcDkpR`P&Ag+(rGsf,$]V4,Oi!oYPO?6G/
 Ye+**Y]%)+Lu]7C/1+obTM<jR!k7bhp#"6_FO&2i!:ndgO8~>
 endstream
 endobj
 28 0 obj
 [/Indexed/DeviceRGB 255 29 0 R]
 endobj
 29 0 obj
 <</Filter[/ASCII85Decode/FlateDecode]/Length 428>>stream
 8;X]O>EqN@%''O_@%e@?J;%+8(9e>X=MR6S?i^YgA3=].HDXF.R$lIL@"pJ+EP(%0
 b]6ajmNZn*!='OQZeQ^Y*,=]?C.B+\Ulg9dhD*"iC[;*=3`oP1[!S^)?1)IZ4dup`
 E1r!/,*0[*9.aFIR2&b-C#s<Xl5FH@[<=!#6V)uDBXnIr.F>oRZ7Dl%MLY\.?d>Mn
 6%Q2oYfNRF$$+ON<+]RUJmC0I<jlL.oXisZ;SYU[/7#<&37rclQKqeJe#,UF7Rgb1
 VNWFKf>nDZ4OTs0S!saG>GGKUlQ*Q?45:CI&4J'_2j<etJICj7e7nPMb=O6S7UOH<
 PO7r\I.Hu&e0d&E<.')fERr/l+*W,)q^D*ai5<uuLX.7g/>$XKrcYp0n+Xl_nU*O(
 l[$6Nn+Z_Nq0]s7hs]`XX1nZ8&94a\~>
 endstream
 endobj
 22 0 obj
 <</Intent 30 0 R/Name(Layer 1)/Type/OCG/Usage 31 0 R>>
 endobj
 30 0 obj
 [/View/Design]
 endobj
 31 0 obj
 <</CreatorInfo<</Creator(Adobe Illustrator 26.0)/Subtype/Artwork>>>>
 endobj
 26 0 obj
 <</AIS false/BM/Normal/CA 1.0/OP false/OPM 1/SA true/SMask/None/Type/ExtGState/ca 1.0/op false>>
 endobj
 25 0 obj
 <</LastModified(D:20220226201114-08'00')/Private 32 0 R>>
 endobj
 32 0 obj
 <</AIMetaData 33 0 R/AIPDFPrivateData1 34 0 R/ContainerVersion 12/CreatorVersion 26/RoundtripStreamType 2/RoundtripVersion 26>>
 endobj
 33 0 obj
 <</Length 1444>>stream
 %!PS-Adobe-3.0 
 %%Creator: Adobe Illustrator(R) 24.0
 %%AI8_CreatorVersion: 26.0.3
 %%For: (Michael Shamoon) ()
 %%Title: (White logo - no background.pdf)
 %%CreationDate: 2/26/22 8:11 PM
 %%Canvassize: 16383
 %%BoundingBox: 152 154 2263 756
 %%HiResBoundingBox: 152.941359391029 154.946950299891 2262.04187549133 755.845102922764
 %%DocumentProcessColors: Cyan Magenta Yellow Black
 %AI5_FileFormat 14.0
 %AI12_BuildNumber: 778
 %AI3_ColorUsage: Color
 %AI7_ImageSettings: 0
 %%RGBProcessColor: 0 0 0 ([Registration])
 %AI3_Cropmarks: 0 0 2409 909
 %AI3_TemplateBox: 1203.5 454.5 1203.5 454.5
 %AI3_TileBox: 826.5 166.5 1560.5 742.5
 %AI3_DocumentPreview: None
 %AI5_ArtSize: 14400 14400
 %AI5_RulerUnits: 6
 %AI24_LargeCanvasScale: 1
 %AI9_ColorModel: 1
 %AI5_ArtFlags: 0 0 0 1 0 0 1 0 0
 %AI5_TargetResolution: 800
 %AI5_NumLayers: 1
 %AI17_Begin_Content_if_version_gt:24 4
 %AI10_OpenToVie: -2651 3020 0.25059563884769 0 7787.44597860344 8164.54751330906 2548 1389 18 0 0 6 45 0 0 0 1 1 0 1 1 0 1
 %AI17_Alternate_Content
 %AI9_OpenToView: -2651 3020 0.25059563884769 2548 1389 18 0 0 6 45 0 0 0 1 1 0 1 1 0 1
 %AI17_End_Versioned_Content
 %AI5_OpenViewLayers: 7
 %AI17_Begin_Content_if_version_gt:24 4
 %AI17_Alternate_Content
 %AI17_End_Versioned_Content
 %%PageOrigin:704 -46
 %AI7_GridSettings: 72 8 72 8 1 0 0.800000011920929 0.800000011920929 0.800000011920929 0.899999976158142 0.899999976158142 0.899999976158142
 %AI9_Flatten: 1
 %AI12_CMSettings: 00.MS
 %%EndComments
 endstream
 endobj
 34 0 obj
 <</Length 33953>>stream
 %AI24_ZStandard_Data(µ/ýX<ž¿EZ-�D¤™€æ£Ù¥¶[ã*DÞJï§ënYÉwzOê°@Yþ=
 )œàr�²
 }€h>@>@$F"ôãr�’.)™�HØ
 KË†�j…Ãq
 E`ð è‡YXZª>Tü!ò¹TÕ¸A×À”Ÿ�Qìt€h4îRØdBFs2Ê�š�´lÉµdˆ:-¢Hæd”–
 â€àd”ÙÅ�ŠKÑ™‡c4(Vš¦X‰b'S6 1Å
 “y8p+cÁa3á.±€_&ÔAõ!êl&\âeÑñáÀºPÀêpM´,0O´ˆbÇµ@U»Œˆ:‰•Pm�2ŸƒMK¢€Dv´X$+Q@ƒI±H"H¦”( Š
 £°:Ïš€@ìHE;Ù•Î¤‚‚¡€G*ŠˆŒÃf4À±ŒÒÙŒv¤‚À*�X—N«³Ù„É,¤€¸¤¤Èô¡ð0!i™],
 ±A"˜ˆ"+2‰b'ƒÒpâ`"KDÂŽ
 H*2‰@bƒ´A—ÖÀ à>)¹É®D‚Ë¢d¦€x!Ù)“`Ñp°/&‘¥³	±T›uY”•fEÔµHÊñhiùÀRAl²ËDÔÙp@#j@!âUÂ5€…¥eD‰AK†¨³É®—¡(„t6ê°‰ø‰0Àˆ:„�ÎFÃ@s"Rél"²%Z%„¨\2xT2 )‰�]«ÑÃ†Ae�±z„�‡
 c“ñ’‘Àép° m…“]‚Bl�F*‹„,¢ÓÙhˆX$š] ¢Ø!e'£ÌðÅÎAFgb© ²kJÃ‰“e>‘¤•AFg£±±9HP�}è0eVˆ
 ê%ÔÙì«XVo (|6Ù•¡©i†ìZHX Ð0aàTÁHDà"Dãj!mZÑ*::T¡Ü–Ð+¤·-»F^žÁÛha°qzò²d D+ =‚L```Š
 ¢Vv��,NÁã˜B !ÂÈVÜ£Ä°É.…Œ†ƒØ24 +bÀƒ ”†‡ÀB@J;ÛöÒÀÉƒ´à@<˜ ³É.æhN®8¼³ÙPp >Ÿ’ƒø8" Ž��(ä:BŸƒç!SL§a£NüQ:%hÄ‡à‚“]Áj=™‰Xx(¾¤œ»Iˆ“+Íã¨ìCàÀ”…�ÆFBc<ˆ88 ¬xD'Ü'%³Ë�¥Ñ±9Cf¡¡!"G¾ )XŒGv"»4O„Âˆ„Æ ‚%UÊ@:½™3ht6YI'ÄÒ’]ûÁ2Ze´
 |IvÒ°�]J6`úHqL x,hJ`8m<¢ËA
 ËCÀÈ`G(¥†”ŠuHm*J"ë)!Àì:Ù@X8² ‘ñ +©YXZv˜(|ïµÙgc€!x ‚®d×Kv2Ê•�ÕYP•xŒü™�´ì8ÑTÙ5‚NcÁb¡€³0*Í³m™B!m[F@vQ|
 øä¢W	+®@¡o`Ä°i}$GsÓñ`mÙ•€ ¡!«!@ÁlZ
 *Ö¶5˜²ÃdB
 \
 ˜¼lÙ•ÀÑœô, œdÅÈ(Ó9XR…ˆf5Œbò&/›Ë‚�)#H0Ù5 p'ZNé‚Ùpd[JAÂ$³‹aÄhY¸P@±HŽ„LR »$X0HHH4JL": 
 ‡‰Ñ™|¼�‰ÕGƒ€‡�GÆV)"€r¢±Â¡’:øÈhD\h#Š�	G*È®d�‚86.¶.ÙI,T2±<Á#‰¨ÈÕ«´Ñ+»Tá+R€Hˆe$b¤¡/F�Åq…‡‚Vv…|F;ð¤hàã$A”¤�þX¤X2‚Çâ¸	I(³c[6
 ^%4p‘1”!!-Ò 4+ž]Ò9`%T¬€tÉg°6¬MƒpÀ‘Âydq\v]t(”pTLn² Ù@ù ÙH²%úŽÁƒƒŒNÁÉ¦jS´<ã"¨áhNNlidó`1l[vYtÅÄA…Š@”'ŒlaÈ.
 ˆŽPŽ„tLa€O€C†rd£%SàN^¶ìZ©
 XX<Yì‘€¬-»V�´ñP>-’ídca
 =’-»VÞFCJ
 L‰°°-²AV†£9iÒ�l ,†mcU œ„¼¬Z°–ÕÙe€u6/°‚] �l+o£á‚¥‚xNž@½m¬Š
 'V%mÙ?Œôäƒ¢-�Î€ÍSÒE,<¤•H7Tüa†¢a“]ïbƒ´ Yu"P<Z `;(‘w6+Pˆ�É£ÀqU ’…ì
 e‹óÀñ=X´\„pJ,`”ÞÈcñbqñ‚qØ¶�f2ÊÎ	†CŸ&"RrB"ãaBÂ…å�AQ´¬€0çUœ�Œ‡÷¼@Œô‚]IE,X$›]¬Žòè(Áð`FD)Ÿ-$5a�&wAC@c|2NFÙ2á��BiãJpx xŽ½8� °²qe>òŒ<$r‰@AùKh™)€±á
 ©Y2Eàqp2NNüÐâ!Ò%Œdp"-=¼Ä-Ä�ª€Y�]šÆSïAPÒæ„@%Aòá0hÑ@8¨+ P´È Y Ââ<lh"D'qä,Žcygã0q2J�SJÅ3á™Ë‚Ê&#Y)œˆø`¸ðd×‘’XŒŠ‡��ÅËzH+›–Âce2;!™"5lŒXD1Ñêp`
 ^ÐÐk±á$·V6‹
 '9(›?ñÎ&»0Í¤*i ‡[À®V´U	CêTaJ‘°VJ;™H›èÓ
 �22ÃiEúDè§”S+¥™$L)ÕGâÓ"¡¨¶’'UR'Õ©EÚh¥T¡–ÆByáxyj±4ÐžP¬T)%‘Á²©ÐÚ<-ª-ô°l$‹MkUJeÑZ‹j[)©R*‹H›hÒ&z¤
 M©N›
 õRO›
 …:‘R(-/+Z‹´i)Mtú¨P<š
 ©E"hÒ&ÚÕP§ŽçKÊ¨XH[Çê´•XÈ¥ J±¤^0Ö)E…i¬EJ�R‹„”^XXé„ZHXëE5	…‘N˜V"¡V˜ª…™4-…½¨ØTXÂ	K�H**©SëdÒ°”
 K‘P+ìE5€Æby`.ÊH‘0	ÓP§,EÂTR'H,,¥ca˜¶ÒÂ´�„i,m¥#9À°”
 3i,„Jh*¤“(£UÂíô�¢
 h±H!ˆM…Ê–ÓÖ±qªØH¦©Åae¬Jx´µy>ÊbÙH*ÚF‡I”¡*áùd<EU@ÓP%Hc½h(”ª”:m(Í¤j1VÕb¡Z¬Õ
 Õbm«•Ém+ÕßÂ{Qß'Bƒm°2´”ZJºÒR¹•:¹–Ò¾˜X+•[ ´R¥R$Ò©•"¹U´Öi«–[ ”zIq¬Í´ Z±6ŠªÀê„*¹UZZ'É™¶’6ÕÊê„Jq¦•ÒN,%
 Åm¨ÒŠÊ¦r¦”R9±4“CQ@QµR§MK�P)šÉ±´¨¬ËÖ©…¢*pJ ÅÚT)©“¦BZ¥IÓP(	Å±´¨¤T‹¥m«U‰¤¢¥kEZµ¨JŠr¬Õ¦™H+,ÇZÀm«
 …”Ò@�Z¹"¡6MUª´"€ÓP¤jUb9ÓVêèªVŠ†‚ê4RËÉm«Õú«ZT)Û
 erT
 J@C9ÖŠQ^X®•JÙ\JŠÊm«Õ¦	pÚ@Ø(˜IK�R4Pf#¥N(º±[À±V,––j‘P)-�åX«MÅ ZqÛjUÚK‹Êªµi¤T%·
 ÀŠ”2�FPph)›–�ÒpÊÀ°\	OéÂT))	Õ–"¡PV'–JcmšÚ–A¡H(”ª¤’"mš
 iåPT8œK•:aª_jGr`¨Jx°U	Ï
 µ:¡>Ê"�PìÔJyÆ‘�q82"0Õo±H-Õ3i¦MUÒ68h¬–Æby4
 ©µ©Vˆà´J'PcP�T´
 €†Zµ¨JØê„*¡H(˜
 [j+uÚV›&€jµÂÒ,°(áÑÖËªõ‚ÁX+D‚µ¼œLš�k;…¾þ¯Tñµ©Åqb�>R´ŠÝÛÇ×¨s×ý‘R•4Žh¦”
 ¥}ž2Äà§¦»å†*©Ó
 ë”"}hœZ$”¶‘®€åJ•�i*¤•©m-ê%$áaÉŒR*œ6ÕÈ7E«à@¡´w¤hºoS´ŠÕ…Ò>ÚÒX))¤–;í†˜»�
 K)R‹u©¤NÐN°SZ+îº™.¡o´R´ŠÖ)åÑJÑ*Fè%Ò
 #]%åÑJ¤PkEå´á˜ŠzCl**db:m¢¿Ì¢ÚZ,mSÙ´‹´�©Z/LÂÃÂ"µ¨V¬
 ¥*µ;LB‘L&Òê13�6l€RJÛH+VŠ´µ°(áQÁZ/*–’*Å²p{�tB‘°S+EzÚ
 €ÖÂ´Ô	ÕzQa›–‚%JJuj‘P/-'¶i+Ò
 ‹
 ÓZ$”ŠuÂrÃÛT(U‰„Eg÷'€“„§uB�PHh˜&À¦±´-S•ðxHÚæY©¶RX¢EÕj©P2õ©gª‹©»Ò2�€ðÃÝ·®0B—ùZ+*'me€´Òö¢âÐJ'” …¥¥T)“ÆRR¡ô„¢ql$X`m$X`-C‹ªÅz)™°R™ª%¤	¤¡V-$Ö‚,õ‚rÚZ-RJÛL¨ÓJ‰�ÕÒ84
 é´‘PR‹d"µ´–Õø‚"	�ÒLª”‚fR¥P-0d4“ê¢Â„ÃÀ`ÒZ%
 ¥q°$2J¥‚Ixxp0
 J¢h)Ú“L/ª‚F¦Vh…«€!JLQ˜Ùðdd0eÙH�P+Ö	”ÁZ)	Îó?a|3b©µ�.2˜Jê´µ84“ªtJyp0�b¦�¤BimžŒIv%`šM©NK•‘ÁL²kCÕ�Ò6Z©“*EÒ68X@Ú6Ï)¥:µJ§Œc’]¤	M©“ÞÞëT‘q•2®K (Z«¥¡H¦T–¢�8ØÅÀ¹L ˜bzm€`y™°$!€Y`©0Å
 `‰M`y
 ‚ååÁÓÇêõ½5£K,>�Ð·ß‹�
 »ŸëoG�ÿ\bþbÇþ×ºû]^X^$½0°ÔP«–çJÀ´ÒÓ�´P/¤
 D s-`)¨Rœ‹¥¡hq´6OÌLÅ2W1Í\šÌeJE8LÃY)½¨:0ŽfÓL¶i*¤ÉSPpL£H+˜)õ¢Zµ¨>ZëôÂ�mš)uJYi‘2@ZZŠ„Êh¥N¤Š�”"¡4N,SJCA`+,”SÅJ©EÇ¦j�L˜§VI[±6tZY‘6•
 Eú´6Okó¬´H)ŒTJ¥ê@©TØ
 ëeƒÀ6Õ"•´k
 U:µ6RFë„R¡´À±R¡4R-›*Ee0
 ¦m$TH³:‘\Ó¨¤N%ÒÖ�e0M«¤@ÁÀLšN›ªUÒ>2—*%%±zQm¢ÔIå•a/.•Ô©•:m)Õ…Éê¥¥q¨¨Pª-#Ë.V+¥µ´¨>¦TD–].Óâc²)Õ"¡BÛ
 ]ßÇ¸17ª&tÛ7�6‘É·Öù©“ÊiÃÐTHÙ@;}¸I31¥" µH©Mk¡<&¯ÞØƒŠEÈŠÁöÅ^ÆdVÿv×O!ÖÍùàGïvÿ±Äâû†�ŸGO_—Xn2¦þV[ÐNªŽ”¶Â0I•ðdWc½-LRN&”ÖJ©>&©“ŠaòÊÚ´H-/°õ‚R±´�–¦²‘:”„
 µ6�‰£4“Ê"Jx²K±
 E*qh*©Â¤WÂ“][`µN)�MC½ldvs´6�–R]`ÐNhÛ�¹ËçO1wo!êä®½1wœ«µH¨U‹Ö3b1{Y,©e¥Ú4$)Õé¤¢mÈ$¶!ÚÈ²+±–JêÔjiš
 ©EÂä%<Ù…-h*$–‡	Kx²þc›†ÒòraB�^ LV%<ŠµH-›*¤¡N!—ðdK‰„‚À B¡´ŒÔJi*$,Eàƒ-°6Jõa±´’jËh¥´–—’
 ”eW¿ß�›ê
 �ûcÌÛj§Û·‹i„1nz|]»bqS#GgíèXÚÆi”e×óÇøíbíŠ+¶„JêdJ½¨ ²ìbÈO±M'‹$@ŠôÉ²Ë"S]€Ø.ç-g±E¥T'MŠiåL©Õ¦ÂR"¡`ª¦€©TT(Lk�Vd°
 Õ:udÙ¥É`š”JÕBZáÀPi¥t²È`›*”e»to±…”êÄÚ´(áÉ²+]/¦ÙÈlªik±^P(	[ØT-’¶}²ìÂÒ±‚†¢2y820YÙ•±¡4"2*’…QDJVd ¤<ž“Š&#%dìiPYp4^ÖÃÒá”a�l8³À)ÉdDØøD€€~(Zf—·´à‡ED(¤�Ð'äã$¤Ñ$ÞÙ´Š…+‰w6™!�M’xg“v$Þ1(øH†‡MLˆÈ8PûD¼'³«€t²,R²'+’""%ïl^CÄöK±áÞÙ¨èïl4$(�MàðÎ†óÑí€Ò;€¶;¸$„“Ù¥ÞÙd†I$âTðÂáQ�"$" £å
 B#ÍBdŒ¨"¥”áÉ.‡‚Ø`xpÐl‡w6
 °™Œ’=4JªÞÙ@	‡’r4¼³Ñ…’f„EÂÂ”4¼³qå�ÂHó¡`¤ÎÔ*"Í®„”Œ‚„HU>+…ö%	Ù¥PÚTlH¨¡X9HÐä„|#±+‰’¼gôÀ9'
 \êÄ$eQÒÀÉƒgÙ(
 æ�<# (Q'U!ÂPÂ"2XbˆÁÄâ<˜>/»@6D$ŸˆD‰€^>ÙëŒ "LšÝ8h8y6T²÷Ð9Ü†*P6º-¨,8Ùo”ôeÃâäIÈtlx41a€é=-*%Œñ¶Á�NŽ�’›Ãˆ[�Š*°<h<¨´ÓÊ  2$<n
 Võp¡"ºàh\<$ Ëê!»T¤¤KËƒ{HyOL�¨4m©L)†+ã`¯¼:ð`<+AQUÃJÅé§B”(,’U‰8©z‰Ð¯XV[œ`8ôæAä*Dª¹È®‰K,àT	˜qT”Â;…ME‚0•Dhf¡ãB@ 6ÓMJ8'ä"Qì¸�sRa”ÐàœÜP-'�…¥eÆ„¤%)b€§{Ta…E²FÊ"CpÂ10m0x˜3.=ïl|#šÈg™0„æƒñ˜Yœ„,>ž¡£A}´<»º@‹“.
 [2)©ÅÉÌƒŠ4KZ%�–�{-,™‹ÅÉš0¦dQØÄ‚¢%,I€„…“
 ,mb
 'U+;[‚ÂI%€ÂI�DŠ&Ç…Ô¤”f·CAB8i’uh¡ìÁ¨'4ŸT<8©ád‹ÛœŒ’@Ag³éðÎ†Y8,8L ƒƒà‘ÁÉF'7Œ’ÂŠe5Di8q ´‘EepÒdÀ
 Ov=dpòãáÀº!âäKÉjF@ !ÁÀ”NBTò•4”(†G…¡€9…OgÓ�]ú‘pNkÁ#¥+2—ƒ�V@K’–—É‚NvTTtÅ¡Ê01	mº"%FÞÁ±HÀT¬\0 &“L#È`bf!%]:Õ‹J+…Â‚²¸h("((+#¬% x	ÙBDR!šKÈJ�ˆ2‚bÒÙ¬j$¤b1Ê–��-#¤£ÊxaÉ XÉè¸|
 XZ†HÉ†’Qb’ÑÙ”Œ”„d¤>20(ÑJvµ´Šhd$„d’]ªÌÈÈ‚`5ó²/B ¶Ž
 â ¢ð…ÒË–]"*[âJL"�. ðFa@Ãà¤¾,Æ³*Ã;ÉˆBqá�b ˆ˜ØÚõIGND\&·L‹“.	�Mr\g$B7£„ÎF¡3¡{‘ÐÙhš“#ƒÑ‹†€ˆ\y
 +b€!`y°V\Âˆ‡ƒ€Í¦ºèŒãZà4lÛGÛlÖ…ÄÉ�„Î®ìZølMv1H 0ô¶aLBÙURÀ£Ã3‚°á°ðÙ4
 ±‚�†æôÉ¸�8ùH(OÅbò<{@â„f;(Ð( ²+¡À‰‡´¼Æ‹Â¦¢-%“õ°D2ž àppD Øxéð‡–ìÊ®ìú`áäÁ	&“°mÌÄ"cb�¦ÃGh0Yò‘€Y¸ Á„œ+m0,�
 ¦â€£€áˆQÀ,‚sÚ„+m0ÙõàJL¹Ð`^‹„"¤íJëXx>X¬;„P6ª
 •lptEB�”G’’ñ°�d(2sàò±Ê®ìÊ®ì:€xÈ®UÈÆÁÇÃ	Ç%õÀqBŠÈ®ìÊ.6™À”
 C*`46V.	˜Ì.J�ò\ P%!ÕTKå
 WtÕ€²Q‰–Gçmxt�)è‹	b?
 ŸìÚh˜ �ñÛ–]Ù•±à°m ‚�Î(»v@vµxFíZÙ•]$�è`¡%ÂÀB;<Rë@ E?% Íãá�Îv‘’Xˆ‚L³R‰H³‹€³4ˆD PÃ‡D•±Þ�FR,ŸÏŠcðÒÙD�L†"»NZÄÂÃFÅ�I¨eBÔ1è08lbvm°L0<(IË$4@€s �]+
 *¤Z›]ÙuÁ:� 
 ±N- Çãò §ŒQÄHÉ§Ã“]& /Œ¸D,<|HTYv‰öck‘ÐQyaL�|²Ë´QC'ˆ¡‚ÖÆyÀÈ ½€
 JPPŽ�B²E0¬:R.NÞÈ3`…ôJU‚gÂ7 Ð…FÉó�«ÏEÄ€ˆMñ¡"<n	¼Œˆ³Kãå`E%0‹édjeÁa±TW,#šÅ`É‘Sf9&!NF ˜xt2–
 fåm4¬¼�†ÍÊ€I$Â�H#—_Á¼pxX¶¨1d×6à£Ã³"rÚD°'ÃÑqÄ¤tBŠ@}x�`e�ÒØ4dhiÂlÙFª�ƒ�‡Í tú<¸„F"T²iÈpÀ(�6eá”TCÊg;Ùp “•†“ÒfWsŒDè–ÊV8..ä àa óÂá™x$@™žì:q…H20 R ‘†
 t@‚am°4R@
 êðdW…Á(Á$´‚ñN"0-“�DÅÇƒöÁJ÷ hÊâ`X:L*@L‚ó	mæÂ•6šŒÈ3a2IÀ„µÁ<dD6˜‹Žf7@	#šÅ¨Ú€'N#�÷ŒN¢€ƒÉf×æ	
 …‘/�@	AÃ;Þpivé…w6Ri(5€‚(±	'5'=#Õ \xgƒ¡¢! Ÿ„(»”Â;
 Ï¬è˜<,'ŸÑÇw6
 õHPŠMC‡DóNn2JSfÕ¡¸øpà‰†Þ,$œ\äÄIpŸ”$Á<ì�*¤³ÙŒ6.)š‘w6€v0j™xgã2-Nf:CË-Ä;ÒŠ!¤�Óá IÀŒ^6˜‰Ž&#r¡¡@0iÉÁ�
 qvq¼†�„çá=.4»‘
@‹:©XpX ½ 8¡(çäY-NF–R„Av2àŒ†¨³qïl„ÂÓ :XY
 5jy›ˆe•'³k31¡ÎãAPGp2J�–€Š5ÐÅÎA�ƒ”Ê‚�¤ ò:xâ�Í(äáÀ(.â�
 ´ØˆP«8xˆ@,Ê’X>$Íx AU4@RçÁÂITv2JWAá¤„€’
 1eV�‹@,GÃÁ*|�44¡	'£t(œÌ®g`JRBÊ	wxg³a*N %M	ˆ�Ëê)O‡gEñ+ŸÏg¡Áã¥g#„“$€(ŒÐ[ù¤hJ4È‚Fƒ~t#ÂI�+Ðl�Ku80H'Y&É*
 ‹ds#ƒ“®"ƒ“/
 œLp‚n>±E%ÁÉ(×CÄÉìjµÄÞ¸ACÄIN…ˆ“›GÃÁ–(„D%›‘†àd”šQveÅCÉ‰u*6áAÀBI„",,d2¦Ì.’Lw8©Òé±úpà‘(<#��ˆ
 Ç9÷Iyg“0 )#ïlXXZfä#çœŒ’5â‚“Q&˜€@lH[áxHÃÁRÐ˜„FZ
 H*!1Ê„^²Ð¦dÀ
 «BÕâ�,ºÒ3¢‘RÀtP'
 ¦Ä€£€É`�†�¥³ÁL�2�	 /!RE‚Zˆ�°<œ4¤¼ÇåKëa@,™]--ÒÒá!Å‚£áðPR‘Š¦ä†1@RÉiÃ(H„X¡ÍH„0¨x…ˆmt°âÏÂ vƒÇÉA�;yÙ@©Ì”-.�ŒÅ&n>J"šìbX)ÈlCq1sñR›K�Ç
 G+J;¨àH±dÕGÁÂ+	àl„<˜
 ˆÍJ©ÁÓªð„D@-VCO*TCÃ@³ÙµzH±à€hØ0Ë„?`H¤
 G°^¸R¡ –”*Ã;“V�YGGÈƒIY¼`€@
  `Ä–ÈJ(‚Ì'd,+"ŽŒÅ2@2ŒŠÉÇCJ¼aŒL'…ƒÖn[k£9™�&/ÛGJ_6ÕkãDlÛ¦‘±8Éì:á“lñ†I¦€””$Æ
 Ij<D2ó¡0 _J>ÕÊ�LYayäÇI¢##[päŠ†ÂH•”–Š4¹�¨H…¨!ÊŠ“*”
 ŠP.(ˆHN�ˆˆT±œ:6Ù²Á `]:O�‡Y•`<z€1ØŒd˜�”Ñ±áÕ3! Åy8mt:N8*<!ëA°øð�£°àdB>T³k´y,<ŒÄò°±%OJ&ºx'UîÄ"[5t^V^V<D8¼÷IQpŸ”ä|4¸ÌB
--- a/Show More
+++ b/Show More