diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index c59aeef03e5..8106685b3e7 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,33 +1,8 @@
 # syntax = docker/dockerfile:1.4
 
-ARG RUBY_VERSION=3.3
+ARG RUBY_VERSION=3.3.5
+FROM ghcr.io/rails/devcontainer/images/ruby:$RUBY_VERSION
 
-FROM ruby:${RUBY_VERSION}-alpine
-
-ENV USERNAME=vscode \
-    UID=1000 \
-    GID=1000
-
-# Install the git-credential-manager package via the dotnet tooling to 
-RUN apk update && apk add --no-cache \
-    github-cli \
-    git \
-    build-base \
-    bash \
-    mandoc \
-    man-pages \
-    tzdata \
-    libpq-dev \
-    libmagic \
-    nodejs \
-    sudo
-
-# create non-root group and user
-RUN addgroup -g $GID $USERNAME \
-    && adduser -s /bin/bash -u $UID -G $USERNAME $USERNAME --disabled-password --gecos ""
-
-# set sudo permissions for vscode user
-RUN echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME
-RUN chmod 0440 /etc/sudoers.d/$USERNAME
-
-USER $USERNAME
+RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
+    && apt-get -y install --no-install-recommends pkg-config \
+    && apt-get clean && rm -rf /var/lib/apt/lists/*
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 5053ae30358..d05adf8a1e8 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -5,12 +5,13 @@
     "docker-compose.yml",
     "../docker-compose.yml"
   ],
-  "service": "app",
+  "service": "rails-app",
   "runServices": [
     "db",
     "cache",
     "search",
-    "toxiproxy"
+    "toxiproxy",
+    "selenium"
   ],
   "forwardPorts": [
     3000, // Rails
@@ -23,10 +24,20 @@
   "onCreateCommand": "bin/setup",
   // Use 'updateContentCommand' to run commands when the container is updated.
   "updateContentCommand": "bin/setup",
+  // Features to add to the dev container. More info: https://containers.dev/features.
+  "features": {
+    "ghcr.io/devcontainers/features/github-cli:1": {},
+    // "ghcr.io/rails/devcontainer/features/activestorage": {},
+    "ghcr.io/rails/devcontainer/features/postgres-client": {}
+  },
   // Configure tool-specific properties.
   "containerEnv": {
     "EDITOR": "code --wait",
-    "GIT_EDITOR": "code --wait"
+    "GIT_EDITOR": "code --wait",
+    "CAPYBARA_SERVER_PORT": "45678",
+    "SELENIUM_HOST": "selenium",
+    "ELASTICSEARCH_URL": "http://search:9200",
+    "DATABASE_URL": "postgres://postgres@db:5432"
   },
   "customizations": {
     "codespaces": {
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
index 26bfabc6840..9607a18c49f 100644
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -1,12 +1,16 @@
-version: "3"
 services:
-  app:
+  rails-app:
     build:
       context: .
       dockerfile: Dockerfile
-    command: /bin/sh -c "while sleep 1000; do :; done"
+    command: sleep infinity
     volumes:
       - ../..:/workspaces:cached
-    environment:
-      - ELASTICSEARCH_URL=http://search:9200
-      - DATABASE_URL=postgres://postgres@db:5432
+    depends_on:
+      - search
+      - db
+      - selenium
+
+  selenium:
+    image: selenium/standalone-chromium
+    restart: unless-stopped
diff --git a/.github/actions/setup-rubygems.org/action.yml b/.github/actions/setup-rubygems.org/action.yml
index c1af62e1fea..f72039cf3e6 100644
--- a/.github/actions/setup-rubygems.org/action.yml
+++ b/.github/actions/setup-rubygems.org/action.yml
@@ -7,6 +7,10 @@ inputs:
   rubygems-version:
     description: "RubyGems version to use"
     required: true
+  install-avo-pro:
+    description: "Install Avo gem"
+    required: false
+    default: "true"
 runs:
   using: "composite"
   steps:
@@ -14,7 +18,12 @@ runs:
       shell: bash
       run: |
         docker compose up -d --wait
-    - uses: ruby/setup-ruby@3783f195e29b74ae398d7caca108814bbafde90e # v1.180.1
+    - name: Configure bundler environment
+      shell: bash
+      if: github.secret_source != 'None' && inputs.install-avo-pro == 'true'
+      run: |
+        printf "BUNDLE_WITH=avo\nRAILS_GROUPS=avo\n" >> $GITHUB_ENV
+    - uses: ruby/setup-ruby@52753b7da854d5c07df37391a986c76ab4615999 # v1.191.0
       with:
         ruby-version: ${{ inputs.ruby-version }}
         bundler-cache: true
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 361185db215..7b2938fd879 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -26,7 +26,7 @@ permissions: # added using https://github.com/step-security/secure-workflows
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       actions: read
       contents: read
@@ -41,11 +41,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/init@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +58,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/autobuild@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -71,6 +71,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/analyze@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 7ddff773819..1cce01e300f 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -12,24 +12,24 @@ permissions:
 jobs:
   build:
     name: Docker build (and optional push)
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     env:
-      RUBYGEMS_VERSION: 3.5.14
-      RUBY_VERSION: 3.3.3
+      RUBYGEMS_VERSION: "3.5.20"
+      RUBY_VERSION: "3.3.5"
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # master
+        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # master
       - name: Cache Docker layers
-        uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-rubygems-${{ hashFiles('**/Gemfile.lock') }}
           restore-keys: |
             ${{ runner.os }}-rubygems-org
       - name: Install and start services (needed for image test)
-        run: docker-compose up -d
+        run: docker compose up -d
       - name: Configure AWS credentials from Production account
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         if: github.secret_source != 'None'
@@ -41,6 +41,8 @@ jobs:
         uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
       - name: build, test and optionally push docker image
         run: ./script/build_docker.sh
+        env:
+          BUNDLE_PACKAGER__DEV: ${{ secrets.BUNDLE_PACKAGER__DEV }}
       # Temp fix
       # https://github.com/docker/build-push-action/issues/252
       # https://github.com/moby/buildkit/issues/1896
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index e27fe434e21..8b9819d6de8 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -10,37 +10,37 @@ permissions:
 jobs:
   rubocop:
     name: Rubocop
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: ruby/setup-ruby@97e35c5302afcf3f5ac1df3fca9343d32536b286 # v1.184.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
         with:
           bundler-cache: true
       - name: Rubocop
         run: bundle exec rubocop
   brakeman:
     name: Brakeman
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: ruby/setup-ruby@97e35c5302afcf3f5ac1df3fca9343d32536b286 # v1.184.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
         with:
           bundler-cache: true
       - name: Brakeman
         run: bundle exec brakeman
   importmap:
     name: Importmap Verify
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: ruby/setup-ruby@97e35c5302afcf3f5ac1df3fca9343d32536b286 # v1.184.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
         with:
           bundler-cache: true
       - name: Importmap Verify
         run: bundle exec rake importmap:verify
   kubeconform:
     name: Kubeconform
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       matrix:
         kubernetes_version: ["1.29.1"]
@@ -50,8 +50,8 @@ jobs:
     steps:
       - name: login to Github Packages
         run: echo "${{ github.token }}" | docker login https://ghcr.io -u ${GITHUB_ACTOR} --password-stdin
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: ruby/setup-ruby@97e35c5302afcf3f5ac1df3fca9343d32536b286 # v1.184.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: ruby/setup-ruby@a2bbe5b1b236842c1cb7dd11e8e3b51e0a616acc # v1.202.0
         with:
           bundler-cache: true
       - name: krane render
@@ -60,12 +60,27 @@ jobs:
         env:
           ENVIRONMENT: "${{ matrix.environment }}"
           REVISION: "${{ github.sha }}"
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: "${{ matrix.environment }}.rendered.yaml"
           path: "config/deploy/${{ matrix.environment }}.rendered.yaml"
       - name: kubeconform
-        uses: docker://ghcr.io/yannh/kubeconform:v0.6.3
+        uses: docker://ghcr.io/yannh/kubeconform@sha256:03f6b236ef64f20b4bc950209d6254b109e23b4b05e7811649f59eae5659fa58 # v0.6.3
         with:
           entrypoint: "/kubeconform"
           args: "-strict -summary -output json --kubernetes-version ${{ matrix.kubernetes_version }} config/deploy/${{ matrix.environment }}.rendered.yaml"
+  frizbee:
+    name: Frizbee
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: segiddins/frizbee-action@c162fdaa6c73525a577d2d6eb193683dfc9ba2be # segiddins/run-in-place
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          action_paths: '[".github/workflows", ".github/actions"]'
+          dockerfiles: '["./Dockerfile", ".devcontainer/Dockerfile"]'
+          docker_compose: '["./docker-compose.yml", ".devcontainer/docker-compose.yml"]'
+          fail_on_unpinned: true
+          open_pr: false
+          repo_root: "."
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 6c7bd34107c..77d45a51c4d 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -20,7 +20,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecards analysis
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       # Needed to upload the results to code-scanning dashboard.
       security-events: write
@@ -32,12 +32,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v3.1.0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v3.1.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/upload-sarif@ea9e4e37992a54ee68a9622e985e60c8e8f12d9f # v3.27.4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index bcdfd2a0249..29f6aae442a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -15,7 +15,7 @@ jobs:
   status_check:
     name: All required tests passing check
     needs: [rails]
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: always()
     steps:
       - run: /bin/${{ (needs.rails.result == 'success' || needs.rails.result == 'skipped') }}
@@ -26,29 +26,37 @@ jobs:
       matrix:
         rubygems:
           - name: locked
-            version: "3.5.14"
+            version: "3.5.20"
           - name: latest
             version: latest
-        ruby_version: ["3.3.3"]
+        ruby_version: ["3.3.5"]
         tests:
           - name: general
             command: test
           - name: system
             command: test:system
+        include:
+          - rubygems: { name: latest, version: latest }
+            ruby_version: "3.3.5"
+            tests: { name: "avo without pro", command: "test test/*/avo" }
     name: Rails tests ${{ matrix.tests.name }} (RubyGems ${{ matrix.rubygems.name }}, Ruby ${{ matrix.ruby_version }})
     runs-on: ubuntu-22.04
     env:
       RUBYGEMS_VERSION: ${{ matrix.rubygems.version }}
       # Fail hard when Toxiproxy is not running to ensure all tests (even Toxiproxy optional ones) are passing
       REQUIRE_TOXIPROXY: true
+      REQUIRE_AVO_PRO: ${{ github.secret_source != 'None' && matrix.tests.name != 'avo without pro' }}
+      AVO_LICENSE_KEY: ${{ secrets.AVO_LICENSE_KEY }}
+      BUNDLE_PACKAGER__DEV: ${{ secrets.BUNDLE_PACKAGER__DEV }}
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup rubygems.org
         uses: ./.github/actions/setup-rubygems.org
         with:
           ruby-version: ${{ matrix.ruby_version }}
           rubygems-version: ${{ matrix.rubygems.version }}
+          install-avo-pro: ${{ matrix.tests.name != 'avo without pro' }}
 
       - name: Tests ${{ matrix.tests.name }}
         id: test-all
@@ -56,7 +64,7 @@ jobs:
 
       - name: Save capybara screenshots
         if: ${{ failure() && steps.test-all.outcome == 'failure' }}
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: capybara-screenshots-${{ matrix.tests.name }}-${{ matrix.rubygems.name }}
           path: tmp/capybara
@@ -64,6 +72,6 @@ jobs:
 
       - name: Upload coverage to Codecov
         if: matrix.rubygems.name == 'locked' && (success() || failure())
-        uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
+        uses: codecov/codecov-action@3b1354a6c45db9f1008891f4eafc1a7e94ce1d18 # v5.0.1
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.gitignore b/.gitignore
index 1f91c4ccd45..80cf647e05c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,7 +24,7 @@ latest_dump
 coverage
 REVISION
 /.env*
+/.pumaenv.local
 /doc/erd.*
-
 /app/assets/builds/*
 !/app/assets/builds/.keep
diff --git a/.pumaenv b/.pumaenv
new file mode 100644
index 00000000000..57afa2d530a
--- /dev/null
+++ b/.pumaenv
@@ -0,0 +1 @@
+[[ -e ".pumaenv.local" ]] && source .pumaenv.local
diff --git a/.rubocop.yml b/.rubocop.yml
index b9f77f71b2e..f7a301544aa 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -148,9 +148,6 @@ Style/StringLiterals:
 Style/FrozenStringLiteralComment:
   Enabled: false
 
-Security/MarshalLoad:
-  Enabled: false
-
 Style/EmptyMethod:
   EnforcedStyle: expanded
 
diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index f9e7b1044fb..995a27e1011 100644
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -1,13 +1,13 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2022-06-17 19:11:11 UTC using RuboCop version 1.26.1.
+# on 2024-07-03 00:52:11 UTC using RuboCop version 1.60.1.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
 # versions of RuboCop, may require this file to be generated again.
 
-# Offense count: 15
-# This cop supports safe auto-correction (--auto-correct).
+# Offense count: 30
+# This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: TreatCommentsAsGroupSeparators, ConsiderPunctuation, Include.
 # Include: **/*.gemfile, **/Gemfile, **/gems.rb
 Bundler/OrderedGems:
@@ -21,26 +21,25 @@ Lint/DuplicateMethods:
     - 'test/functional/api/v1/rubygems_controller_test.rb'
 
 # Offense count: 1
-# This cop supports unsafe auto-correction (--auto-correct-all).
-# Configuration parameters: AllowComments.
+# This cop supports unsafe autocorrection (--autocorrect-all).
 Lint/UselessMethodDefinition:
   Exclude:
     - 'config/initializers/gem_version_monkeypatch.rb'
 
-# Offense count: 5
-# Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
-# IgnoredMethods: refine
+# Offense count: 16
+# Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns.
+# AllowedMethods: refine
 Metrics/BlockLength:
-  Max: 64
+  Max: 61
 
 # Offense count: 1
-# Configuration parameters: IgnoredMethods.
+# Configuration parameters: AllowedMethods, AllowedPatterns, Max.
 Metrics/CyclomaticComplexity:
-  Max: 10
   Exclude:
     - 'app/models/concerns/rubygem_searchable.rb'
 
 # Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: EnforcedStyleForLeadingUnderscores.
 # SupportedStylesForLeadingUnderscores: disallowed, required, optional
 Naming/MemoizedInstanceVariableName:
@@ -48,44 +47,39 @@ Naming/MemoizedInstanceVariableName:
     - 'lib/rubygem_fs.rb'
 
 # Offense count: 16
-# Configuration parameters: EnforcedStyle, CheckMethodNames, CheckSymbols, AllowedIdentifiers.
+# Configuration parameters: EnforcedStyle, CheckMethodNames, CheckSymbols, AllowedIdentifiers, AllowedPatterns.
 # SupportedStyles: snake_case, normalcase, non_integer
-# AllowedIdentifiers: capture3, iso8601, rfc1123_date, rfc822, rfc2822, rfc3339
+# AllowedIdentifiers: capture3, iso8601, rfc1123_date, rfc822, rfc2822, rfc3339, x86_64
 Naming/VariableNumber:
   Exclude:
     - 'test/functional/api/v1/downloads_controller_test.rb'
-    - 'test/models/gem_download_test.rb'
     - 'test/models/concerns/rubygem_searchable_test.rb'
+    - 'test/models/gem_download_test.rb'
 
 # Offense count: 1
-Rails/DeprecatedActiveModelErrorsMethods:
+# Configuration parameters: Database, Include.
+# SupportedDatabases: mysql, postgresql
+# Include: db/**/*.rb
+Rails/BulkChangeTable:
   Exclude:
-    - 'app/models/rubygem.rb'
+    - 'db/migrate/20240522185716_create_good_job_process_lock_ids.rb'
 
-# Offense count: 78
-# This cop supports unsafe auto-correction (--auto-correct-all).
+# Offense count: 83
+# This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: Whitelist, AllowedMethods, AllowedReceivers.
-# Whitelist: find_by_sql
-# AllowedMethods: find_by_sql
-# AllowedReceivers: Gem::Specification
+# Whitelist: find_by_sql, find_by_token_for
+# AllowedMethods: find_by_sql, find_by_token_for
+# AllowedReceivers: Gem::Specification, page
 Rails/DynamicFindBy:
   Enabled: false
 
-# Offense count: 2
+# Offense count: 6
 # Configuration parameters: Include.
 # Include: app/models/**/*.rb
 Rails/HasManyOrHasOneDependent:
   Exclude:
     - 'app/models/rubygem.rb'
 
-# Offense count: 7
-# This cop supports safe auto-correction (--auto-correct).
-# Configuration parameters: Include.
-# Include: spec/**/*, test/**/*
-Rails/HttpPositionalArguments:
-  Exclude:
-    - 'test/unit/gemcutter/middleware/redirector_test.rb'
-
 # Offense count: 1
 # Configuration parameters: Include.
 # Include: spec/**/*.rb, test/**/*.rb
@@ -93,7 +87,7 @@ Rails/I18nLocaleAssignment:
   Exclude:
     - 'test/test_helper.rb'
 
-# Offense count: 6
+# Offense count: 7
 Rails/I18nLocaleTexts:
   Exclude:
     - 'app/mailers/mailer.rb'
@@ -107,11 +101,10 @@ Rails/OutputSafety:
     - 'app/helpers/application_helper.rb'
     - 'app/helpers/rubygems_helper.rb'
 
-# Offense count: 7
-# This cop supports safe auto-correction (--auto-correct).
+# Offense count: 6
+# This cop supports unsafe autocorrection (--autocorrect-all).
 Rails/RedundantPresenceValidationOnBelongsTo:
   Exclude:
-    - 'app/models/api_key.rb'
     - 'app/models/api_key_rubygem_scope.rb'
     - 'app/models/deletion.rb'
     - 'app/models/ownership_call.rb'
@@ -120,13 +113,13 @@ Rails/RedundantPresenceValidationOnBelongsTo:
     - 'app/models/version.rb'
 
 # Offense count: 1
-# This cop supports safe auto-correction (--auto-correct).
+# This cop supports unsafe autocorrection (--autocorrect-all).
 Rails/RelativeDateConstant:
   Exclude:
     - 'app/models/gem_typo.rb'
 
-# Offense count: 43
-# This cop supports safe auto-correction (--auto-correct).
+# Offense count: 39
+# This cop supports unsafe autocorrection (--autocorrect-all).
 Security/JSONLoad:
   Exclude:
     - 'config/initializers/yaml_renderer.rb'
@@ -144,7 +137,7 @@ Security/JSONLoad:
     - 'test/models/web_hook_test.rb'
 
 # Offense count: 2
-# This cop supports safe auto-correction (--auto-correct).
+# This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedOctalStyle.
 # SupportedOctalStyles: zero_with_o, zero_only
 Style/NumericLiteralPrefix:
@@ -152,8 +145,8 @@ Style/NumericLiteralPrefix:
     - 'test/models/pusher_test.rb'
 
 # Offense count: 3
-# This cop supports unsafe auto-correction (--auto-correct-all).
-# Configuration parameters: EnforcedStyle, IgnoredMethods.
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: EnforcedStyle, AllowedMethods, AllowedPatterns.
 # SupportedStyles: predicate, comparison
 Style/NumericPredicate:
   Exclude:
diff --git a/.ruby-version b/.ruby-version
index 619b5376684..fa7adc7ac72 100644
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-3.3.3
+3.3.5
diff --git a/Dockerfile b/Dockerfile
index 64d7cf992f9..5f90f78e023 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
-# syntax = docker/dockerfile:1.4
+# syntax = docker/dockerfile:1.10
 
 # Make sure RUBY_VERSION matches the Ruby version in .ruby-version and Gemfile
-ARG RUBY_VERSION=3.3.3
+ARG RUBY_VERSION=3.3.5
 ARG ALPINE_VERSION=3.20
 FROM ruby:$RUBY_VERSION-alpine${ALPINE_VERSION} as base
 
@@ -40,18 +40,23 @@ RUN \
   build-base \
   linux-headers \
   zlib-dev \
-  tzdata
+  tzdata \
+  git
 
 WORKDIR /app
 
 ENV RAILS_ENV="production"
+ARG BUNDLE_WITH=""
 
 # Install application gems
 COPY Gemfile* .ruby-version /app/
-RUN --mount=type=cache,id=bld-gem-cache,sharing=locked,target=/srv/vendor <<BASH
+RUN --mount=type=cache,id=bld-gem-cache,sharing=locked,target=/srv/vendor \
+  --mount=type=secret,id=BUNDLE_PACKAGER__DEV,env=BUNDLE_PACKAGER__DEV \
+  <<BASH
   set -ex
 
   bundle config set --local without 'development test'
+  [ -z ${BUNDLE_WITH:-} ] || bundle config set --local with ${BUNDLE_WITH}
   bundle config set --local path /srv/vendor
   bundle install --jobs 20 --retry 5
   bundle clean
@@ -66,10 +71,10 @@ RUN --mount=type=cache,id=bld-gem-cache,sharing=locked,target=/srv/vendor <<BASH
   rm /app/vendor/ruby/*/extensions/*/*/*/gem_make.out
 
   # Remove avo source maps (8+ MB!)
-  rm /app/vendor/ruby/*/gems/avo-*/public/avo-assets/*.js.map
+  find /app/vendor/ruby -type f -name '*.js.map' -exec rm {} \;
 
   # Remove ruby 2.x source code
-  find /app/vendor/ruby/*/gems/debase-ruby_core_source-*/lib/debase/ruby_core_source -maxdepth 1 -type d -name 'ruby-2.*' -exec rm -r {} \;
+  find /app/vendor/ruby/*/gems/datadog-ruby_core_source-*/lib/datadog/ruby_core_source -maxdepth 1 -type d -name 'ruby-2.*' -exec rm -r {} \;
 
   # Remove datadog precompiled binaries for other platforms
   find /app/vendor/ruby/*/gems/libdatadog-*/vendor/libdatadog-*/ -mindepth 1 -maxdepth 1 -not -name "$(ruby -e 'puts RbConfig::CONFIG["arch"]')" -exec rm -r {} \;
diff --git a/Gemfile b/Gemfile
index 6fd4d845d5d..1ecd30dbcc9 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,27 +2,28 @@ source "https://rubygems.org"
 
 ruby file: ".ruby-version"
 
-gem "rails", "~> 7.1.0", ">= 7.1.3.2"
+gem "rails", "~> 7.2.1"
 gem "rails-i18n", "~> 7.0"
 
-gem "aws-sdk-s3", "~> 1.156"
-gem "aws-sdk-sqs", "~> 1.80"
+gem "aws-sdk-s3", "~> 1.171"
+gem "aws-sdk-sqs", "~> 1.88"
 gem "bootsnap", "~> 1.18"
-gem "clearance", "~> 2.7"
+gem "clearance", "~> 2.9"
 gem "dalli", "~> 3.2"
-gem "datadog", "~> 2.1", require: "datadog/auto_instrument"
-gem "dogstatsd-ruby", "~> 5.5"
-gem "google-protobuf", "~> 4.27"
-gem "faraday", "~> 2.9"
+gem "datadog", "~> 2.7"
+gem "dogstatsd-ruby", "~> 5.6"
+gem "google-protobuf", "~> 4.28"
+gem "faraday", "~> 2.12"
 gem "faraday-retry", "~> 2.2"
-gem "good_job", "~> 3.29"
+gem "faraday-restrict-ip-addresses", "~> 0.3.0", require: "faraday/restrict_ip_addresses"
+gem "good_job", "~> 3.99"
 gem "gravtastic", "~> 3.2"
-gem "honeybadger", "~> 5.5.1" # see https://github.com/rubygems/rubygems.org/pull/4598
+gem "honeybadger", "~> 5.5.1", require: false # see https://github.com/rubygems/rubygems.org/pull/4598
 gem "http_accept_language", "~> 2.1"
 gem "kaminari", "~> 1.2"
-gem "launchdarkly-server-sdk", "~> 8.6"
+gem "launchdarkly-server-sdk", "~> 8.8"
 gem "mail", "~> 2.8"
-gem "octokit", "~> 9.1"
+gem "octokit", "~> 9.2"
 gem "omniauth-github", "~> 2.0"
 gem "omniauth", "~> 2.1"
 gem "omniauth-rails_csrf_protection", "~> 1.0"
@@ -30,17 +31,17 @@ gem "openid_connect", "~> 2.3"
 gem "pg", "~> 1.5"
 gem "puma", "~> 6.4"
 gem "rack", "~> 3.1"
-gem "rackup", "~> 2.1"
-gem "rack-utf8_sanitizer", "~> 1.8"
+gem "rackup", "~> 2.2"
+gem "rack-sanitizer", "~> 2.0"
 gem "rbtrace", "~> 0.5.1"
 gem "rdoc", "~> 6.7"
-gem "roadie-rails", "~> 3.2"
+gem "roadie-rails", "~> 3.3"
 gem "ruby-magic", "~> 0.6"
 gem "shoryuken", "~> 6.2", require: false
-gem "statsd-instrument", "~> 3.8"
+gem "statsd-instrument", "~> 3.9"
 gem "validates_formatting_of", "~> 0.9"
-gem "opensearch-ruby", "~> 3.3"
-gem "searchkick", "~> 5.3"
+gem "opensearch-ruby", "~> 3.4"
+gem "searchkick", "~> 5.4"
 gem "faraday_middleware-aws-sigv4", "~> 1.0"
 gem "xml-simple", "~> 1.1"
 gem "compact_index", "~> 0.15.0"
@@ -49,46 +50,50 @@ gem "rqrcode", "~> 2.1"
 gem "rotp", "~> 6.2"
 gem "unpwn", "~> 1.0"
 gem "webauthn", "~> 3.1"
-gem "browser", "~> 6.0"
+gem "browser", "~> 6.1"
 gem "bcrypt", "~> 3.1"
-gem "maintenance_tasks", "~> 2.7"
-gem "strong_migrations", "~> 2.0"
+gem "maintenance_tasks", "~> 2.8"
+gem "strong_migrations", "~> 2.1"
 gem "phlex-rails", "~> 1.2"
-gem "discard", "~> 1.3"
+gem "discard", "~> 1.4"
 gem "user_agent_parser", "~> 2.18"
-gem "pghero", "~> 3.5"
+gem "pghero", "~> 3.6"
 gem "timescaledb", "~> 0.3.0"
+gem "faraday-multipart", "~> 1.0"
 
 # Admin dashboard
-gem "avo", "~> 2.51"
-gem "view_component", "~> 3.12"
-gem "pundit", "~> 2.3"
-gem "chartkick", "~> 5.0"
-gem "groupdate", "~> 6.2"
+gem "avo", "~> 3.13"
+gem "pagy", "~> 8.4"
+gem "view_component", "~> 3.14.0"
+gem "pundit", "~> 2.4"
+gem "chartkick", "~> 5.1"
+gem "groupdate", "~> 6.5"
+gem "prop_initializer", "~> 0.2"
+
+group :avo, optional: true do
+  source "https://packager.dev/avo-hq/" do
+    gem "avo-advanced", "~> 3.14"
+  end
+end
 
 # Logging
 gem "amazing_print", "~> 1.6"
-gem "rails_semantic_logger", "~> 4.16"
-gem "pp", "0.5.0"
+gem "rails_semantic_logger", "~> 4.17"
+gem "pp", "0.6.1"
 
 # Former default gems
 gem "csv", "~> 3.3" # zeitwerk-2.6.12
 gem "observer", "~> 0.1.2" # launchdarkly-server-sdk-8.0.0
 
 # Assets
-gem "sprockets-rails", "~> 3.5"
+gem "propshaft", "~> 1.1.0"
 gem "importmap-rails", "~> 2.0"
 gem "stimulus-rails", "~> 1.3" # this adds stimulus-loading.js so it must be available at runtime
+gem "local_time", "~> 3.0"
 gem "better_html", "~> 2.1"
 
 group :assets, :development do
-  gem "tailwindcss-rails", "~> 2.6"
-end
-
-group :assets do
-  gem "dartsass-sprockets", "~> 3.1"
-  gem "terser", "~> 1.2"
-  gem "autoprefixer-rails", "~> 10.4"
+  gem "tailwindcss-rails", "~> 3.0"
 end
 
 group :development, :test do
@@ -98,7 +103,7 @@ group :development, :test do
   gem "dotenv-rails", "~> 3.1"
   gem "lookbook", "~> 2.3"
 
-  gem "brakeman", "~> 6.1", require: false
+  gem "brakeman", "~> 6.2", require: false
 
   # used to find n+1 queries
   gem "prosopite", "~> 1.4"
@@ -118,26 +123,29 @@ group :development do
   gem "listen", "~> 3.9"
   gem "letter_opener", "~> 1.10"
   gem "letter_opener_web", "~> 3.0"
-  gem "derailed_benchmarks", "~> 2.1"
-  gem "memory_profiler", "~> 1.0"
+  gem "derailed_benchmarks", "~> 2.2"
+  gem "memory_profiler", "~> 1.1"
 end
 
 group :test do
-  gem "datadog-ci", "~> 1.1"
-  gem "minitest", "~> 5.24", require: false
-  gem "minitest-retry", "~> 0.2.2"
+  gem "datadog-ci", "~> 1.8"
+  gem "minitest", "~> 5.25", require: false
+  gem "minitest-retry", "~> 0.2.3"
   gem "capybara", "~> 3.40"
   gem "launchy", "~> 3.0"
   gem "rack-test", "~> 2.1", require: "rack/test"
   gem "rails-controller-testing", "~> 1.0"
-  gem "mocha", "~> 2.4", require: false
+  gem "mocha", "~> 2.5", require: false
   gem "shoulda-context", "~> 3.0.0.rc1"
-  gem "shoulda-matchers", "~> 6.2"
-  gem "selenium-webdriver", "~> 4.22"
-  gem "webmock", "~> 3.23"
+  gem "shoulda-matchers", "~> 6.4"
+  gem "selenium-webdriver", "~> 4.26"
+  gem "webmock", "~> 3.24"
   gem "simplecov", "~> 0.22", require: false
   gem "simplecov-cobertura", "~> 2.1", require: false
   gem "aggregate_assertions", "~> 0.2.0"
   gem "minitest-gcstats", "~> 1.3"
   gem "minitest-reporters", "~> 1.7"
+  gem "gem_server_conformance", "~> 0.1.4"
 end
+
+gem "avo_upgrade", "~> 0.1.1", group: :development
diff --git a/Gemfile.lock b/Gemfile.lock
index 2dc46337f37..6baade10b9f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,51 +1,74 @@
+GEM
+  remote: https://packager.dev/avo-hq/
+  specs:
+    avo-advanced (3.14.0)
+      avo (= 3.14.0)
+      avo-dynamic_filters (= 3.14.0)
+      avo-pro (= 3.14.0)
+      zeitwerk (>= 2.6.12)
+    avo-dashboards (3.14.0)
+      avo (= 3.14.0)
+      turbo-rails
+      view_component (>= 3.7.0)
+      zeitwerk (>= 2.6.12)
+    avo-dynamic_filters (3.14.0)
+      avo (= 3.14.0)
+      ransack (>= 4.2.0)
+      view_component (>= 3.7.0)
+      zeitwerk (>= 2.6.12)
+    avo-menu (3.14.0)
+      avo (= 3.14.0)
+      docile
+      zeitwerk (>= 2.6.12)
+    avo-pro (3.14.0)
+      avo (= 3.14.0)
+      avo-dashboards (= 3.14.0)
+      avo-menu (= 3.14.0)
+      zeitwerk (>= 2.6.12)
+
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.1.3.4)
-      actionpack (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
+    actioncable (7.2.1.1)
+      actionpack (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
       zeitwerk (~> 2.6)
-    actionmailbox (7.1.3.4)
-      actionpack (= 7.1.3.4)
-      activejob (= 7.1.3.4)
-      activerecord (= 7.1.3.4)
-      activestorage (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
-      mail (>= 2.7.1)
-      net-imap
-      net-pop
-      net-smtp
-    actionmailer (7.1.3.4)
-      actionpack (= 7.1.3.4)
-      actionview (= 7.1.3.4)
-      activejob (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
-      mail (~> 2.5, >= 2.5.4)
-      net-imap
-      net-pop
-      net-smtp
+    actionmailbox (7.2.1.1)
+      actionpack (= 7.2.1.1)
+      activejob (= 7.2.1.1)
+      activerecord (= 7.2.1.1)
+      activestorage (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
+      mail (>= 2.8.0)
+    actionmailer (7.2.1.1)
+      actionpack (= 7.2.1.1)
+      actionview (= 7.2.1.1)
+      activejob (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
+      mail (>= 2.8.0)
       rails-dom-testing (~> 2.2)
-    actionpack (7.1.3.4)
-      actionview (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
+    actionpack (7.2.1.1)
+      actionview (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
       nokogiri (>= 1.8.5)
       racc
-      rack (>= 2.2.4)
+      rack (>= 2.2.4, < 3.2)
       rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.2)
       rails-html-sanitizer (~> 1.6)
-    actiontext (7.1.3.4)
-      actionpack (= 7.1.3.4)
-      activerecord (= 7.1.3.4)
-      activestorage (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
+      useragent (~> 0.16)
+    actiontext (7.2.1.1)
+      actionpack (= 7.2.1.1)
+      activerecord (= 7.2.1.1)
+      activestorage (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.1.3.4)
-      activesupport (= 7.1.3.4)
+    actionview (7.2.1.1)
+      activesupport (= 7.2.1.1)
       builder (~> 3.1)
       erubi (~> 1.11)
       rails-dom-testing (~> 2.2)
@@ -53,31 +76,32 @@ GEM
     active_link_to (1.0.5)
       actionpack
       addressable
-    activejob (7.1.3.4)
-      activesupport (= 7.1.3.4)
+    activejob (7.2.1.1)
+      activesupport (= 7.2.1.1)
       globalid (>= 0.3.6)
-    activemodel (7.1.3.4)
-      activesupport (= 7.1.3.4)
-    activerecord (7.1.3.4)
-      activemodel (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
+    activemodel (7.2.1.1)
+      activesupport (= 7.2.1.1)
+    activerecord (7.2.1.1)
+      activemodel (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
       timeout (>= 0.4.0)
-    activestorage (7.1.3.4)
-      actionpack (= 7.1.3.4)
-      activejob (= 7.1.3.4)
-      activerecord (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
+    activestorage (7.2.1.1)
+      actionpack (= 7.2.1.1)
+      activejob (= 7.2.1.1)
+      activerecord (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
       marcel (~> 1.0)
-    activesupport (7.1.3.4)
+    activesupport (7.2.1.1)
       base64
       bigdecimal
-      concurrent-ruby (~> 1.0, >= 1.0.2)
+      concurrent-ruby (~> 1.0, >= 1.3.1)
       connection_pool (>= 2.2.5)
       drb
       i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
       minitest (>= 5.1)
-      mutex_m
-      tzinfo (~> 2.0)
+      securerandom (>= 0.3)
+      tzinfo (~> 2.0, >= 2.0.5)
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
     aes_key_wrap (1.1.0)
@@ -91,46 +115,47 @@ GEM
       ffi-compiler (~> 1.0)
     ast (2.4.2)
     attr_required (1.0.2)
-    autoprefixer-rails (10.4.16.0)
-      execjs (~> 2)
-    avo (2.51.0)
-      actionview (>= 6.0)
+    avo (3.14.0)
+      actionview (>= 6.1)
       active_link_to
-      activerecord (>= 6.0)
+      activerecord (>= 6.1)
+      activesupport (>= 6.1)
       addressable
       docile
-      dry-initializer
-      httparty
       inline_svg
       meta-tags
-      pagy
-      turbo-rails
-      turbo_power (~> 0.5.0)
-      view_component (>= 2.54.0)
-      zeitwerk (>= 2.6.2)
+      pagy (>= 7.0.0)
+      prop_initializer (>= 0.2.0)
+      turbo-rails (>= 2.0.0)
+      turbo_power (>= 0.6.0)
+      view_component (>= 3.7.0)
+      zeitwerk (>= 2.6.12)
+    avo_upgrade (0.1.1)
+      rails (>= 6.0.0)
+      zeitwerk
     awrence (1.2.1)
     aws-eventstream (1.3.0)
-    aws-partitions (1.950.0)
-    aws-sdk-core (3.201.0)
+    aws-partitions (1.1008.0)
+    aws-sdk-core (3.213.0)
       aws-eventstream (~> 1, >= 1.3.0)
-      aws-partitions (~> 1, >= 1.651.0)
-      aws-sigv4 (~> 1.8)
+      aws-partitions (~> 1, >= 1.992.0)
+      aws-sigv4 (~> 1.9)
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.88.0)
-      aws-sdk-core (~> 3, >= 3.201.0)
+    aws-sdk-kms (1.95.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
       aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.156.0)
-      aws-sdk-core (~> 3, >= 3.201.0)
+    aws-sdk-s3 (1.171.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.5)
-    aws-sdk-sqs (1.80.0)
-      aws-sdk-core (~> 3, >= 3.201.0)
+    aws-sdk-sqs (1.88.0)
+      aws-sdk-core (~> 3, >= 3.210.0)
       aws-sigv4 (~> 1.5)
-    aws-sigv4 (1.8.0)
+    aws-sigv4 (1.10.1)
       aws-eventstream (~> 1, >= 1.0.2)
     base64 (0.2.0)
     bcrypt (3.1.20)
-    benchmark-ips (2.12.0)
+    benchmark-ips (2.14.0)
     better_html (2.1.1)
       actionview (>= 6.0)
       activesupport (>= 6.0)
@@ -144,11 +169,11 @@ GEM
     bloomer (1.0.0)
       bitarray
       msgpack
-    bootsnap (1.18.3)
+    bootsnap (1.18.4)
       msgpack (~> 1.2)
-    brakeman (6.1.2)
+    brakeman (6.2.2)
       racc
-    browser (6.0.0)
+    browser (6.1.0)
     builder (3.3.0)
     byebug (11.1.3)
     capybara (3.40.0)
@@ -161,11 +186,11 @@ GEM
       regexp_parser (>= 1.5, < 3.0)
       xpath (~> 3.2)
     cbor (0.5.9.8)
-    chartkick (5.0.7)
+    chartkick (5.1.2)
     childprocess (5.0.0)
     choice (0.2.0)
     chunky_png (1.4.0)
-    clearance (2.7.2)
+    clearance (2.9.2)
       actionmailer (>= 5.0)
       activemodel (>= 5.0)
       activerecord (>= 5.0)
@@ -175,7 +200,7 @@ GEM
       railties (>= 5.0)
     coderay (1.1.3)
     compact_index (0.15.0)
-    concurrent-ruby (1.3.3)
+    concurrent-ruby (1.3.4)
     connection_pool (2.4.1)
     cose (1.3.0)
       cbor (~> 0.5.9)
@@ -184,97 +209,121 @@ GEM
       bigdecimal
       rexml
     crass (1.0.6)
-    css_parser (1.17.1)
+    css_parser (1.19.1)
       addressable
     csv (3.3.0)
     dalli (3.2.8)
-    dartsass-sprockets (3.1.0)
-      railties (>= 4.0.0)
-      sassc-embedded (~> 1.69)
-      sprockets (> 3.0)
-      sprockets-rails
-      tilt
-    datadog (2.1.0)
-      debase-ruby_core_source (= 3.3.1)
-      libdatadog (~> 9.0.0.1.0)
-      libddwaf (~> 1.14.0.0.0)
+    datadog (2.7.0)
+      datadog-ruby_core_source (~> 3.3)
+      libdatadog (~> 14.1.0.1.0)
+      libddwaf (~> 1.15.0.0.0)
       msgpack
-    datadog-ci (1.1.0)
-      datadog (~> 2.0)
+    datadog-ci (1.8.1)
+      datadog (~> 2.4)
       msgpack
-    date (3.3.4)
-    dead_end (4.0.0)
-    debase-ruby_core_source (3.3.1)
-    derailed_benchmarks (2.1.2)
+    datadog-ruby_core_source (3.3.6)
+    date (3.4.0)
+    derailed_benchmarks (2.2.1)
+      base64
       benchmark-ips (~> 2)
-      dead_end
-      get_process_mem (~> 0)
+      bigdecimal
+      drb
+      get_process_mem
       heapy (~> 0)
+      logger
       memory_profiler (>= 0, < 2)
       mini_histogram (>= 0.3.0)
+      mutex_m
+      ostruct
       rack (>= 1)
       rack-test
       rake (> 10, < 14)
-      ruby-statistics (>= 2.1)
+      ruby-statistics (>= 4.0.1)
+      ruby2_keywords
       thor (>= 0.19, < 2)
-    discard (1.3.0)
-      activerecord (>= 4.2, < 8)
-    docile (1.4.0)
-    dogstatsd-ruby (5.6.1)
+    diff-lcs (1.5.1)
+    discard (1.4.0)
+      activerecord (>= 4.2, < 9.0)
+    docile (1.4.1)
+    dogstatsd-ruby (5.6.3)
     domain_name (0.6.20240107)
-    dotenv (3.1.2)
-    dotenv-rails (3.1.2)
-      dotenv (= 3.1.2)
+    dotenv (3.1.4)
+    dotenv-rails (3.1.4)
+      dotenv (= 3.1.4)
       railties (>= 6.1)
     drb (2.2.1)
-    dry-initializer (3.1.1)
     email_validator (2.2.4)
       activemodel
     erubi (1.13.0)
     et-orbi (1.2.11)
       tzinfo
-    execjs (2.9.1)
-    factory_bot (6.4.5)
+    factory_bot (6.5.0)
       activesupport (>= 5.0.0)
-    factory_bot_rails (6.4.3)
-      factory_bot (~> 6.4)
+    factory_bot_rails (6.4.4)
+      factory_bot (~> 6.5)
       railties (>= 5.0.0)
-    faraday (2.9.2)
-      faraday-net_http (>= 2.0, < 3.2)
+    faraday (2.12.1)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
     faraday-follow_redirects (0.3.0)
       faraday (>= 1, < 3)
-    faraday-net_http (3.1.0)
-      net-http
+    faraday-multipart (1.0.4)
+      multipart-post (~> 2)
+    faraday-net_http (3.4.0)
+      net-http (>= 0.5.0)
+    faraday-restrict-ip-addresses (0.3.0)
+      faraday (> 1.0, < 3.0)
     faraday-retry (2.2.1)
       faraday (~> 2.0)
     faraday_middleware-aws-sigv4 (1.0.1)
       aws-sigv4 (~> 1.0)
       faraday (>= 2.0, < 3)
     ffi (1.17.0)
+    ffi (1.17.0-aarch64-linux-gnu)
+    ffi (1.17.0-arm64-darwin)
+    ffi (1.17.0-x86_64-darwin)
+    ffi (1.17.0-x86_64-linux-gnu)
+    ffi (1.17.0-x86_64-linux-musl)
     ffi-compiler (1.3.2)
       ffi (>= 1.15.5)
       rake
-    fugit (1.11.0)
+    fugit (1.11.1)
       et-orbi (~> 1, >= 1.2.11)
       raabro (~> 1.4)
-    get_process_mem (0.2.7)
+    gem_server_conformance (0.1.4)
+      rspec (~> 3.0)
+    get_process_mem (1.0.0)
+      bigdecimal (>= 2.0)
       ffi (~> 1.0)
     globalid (1.2.1)
       activesupport (>= 6.1)
-    good_job (3.29.5)
+    good_job (3.99.1)
       activejob (>= 6.0.0)
       activerecord (>= 6.0.0)
       concurrent-ruby (>= 1.0.2)
       fugit (>= 1.1)
       railties (>= 6.0.0)
       thor (>= 0.14.1)
-    google-protobuf (4.27.2)
+    google-protobuf (4.28.3)
+      bigdecimal
+      rake (>= 13)
+    google-protobuf (4.28.3-aarch64-linux)
+      bigdecimal
+      rake (>= 13)
+    google-protobuf (4.28.3-arm64-darwin)
+      bigdecimal
+      rake (>= 13)
+    google-protobuf (4.28.3-x86_64-darwin)
+      bigdecimal
+      rake (>= 13)
+    google-protobuf (4.28.3-x86_64-linux)
       bigdecimal
       rake (>= 13)
     gravtastic (3.2.6)
-    groupdate (6.4.0)
-      activesupport (>= 6.1)
-    hashdiff (1.1.0)
+    groupdate (6.5.1)
+      activesupport (>= 7)
+    hashdiff (1.1.1)
     hashie (5.0.0)
     heapy (0.2.0)
       thor
@@ -287,32 +336,28 @@ GEM
       http-cookie (~> 1.0)
       http-form_data (~> 2.2)
       llhttp-ffi (~> 0.5.0)
-    http-cookie (1.0.6)
+    http-cookie (1.0.7)
       domain_name (~> 0.5)
     http-form_data (2.3.0)
     http_accept_language (2.1.1)
-    httparty (0.22.0)
-      csv
-      mini_mime (>= 1.0.0)
-      multi_xml (>= 0.5.2)
-    i18n (1.14.5)
+    i18n (1.14.6)
       concurrent-ruby (~> 1.0)
-    importmap-rails (2.0.1)
+    importmap-rails (2.0.3)
       actionpack (>= 6.0.0)
       activesupport (>= 6.0.0)
       railties (>= 6.0.0)
-    inline_svg (1.9.0)
+    inline_svg (1.10.0)
       activesupport (>= 3.0)
       nokogiri (>= 1.6)
     io-console (0.7.2)
-    irb (1.13.2)
+    irb (1.14.1)
       rdoc (>= 4.0.0)
       reline (>= 0.4.2)
     jmespath (1.6.2)
     job-iteration (1.5.1)
       activejob (>= 5.2)
-    json (2.7.2)
-    json-jwt (1.16.6)
+    json (2.8.2)
+    json-jwt (1.16.7)
       activesupport (>= 4.2)
       aes_key_wrap
       base64
@@ -333,13 +378,14 @@ GEM
       kaminari-core (= 1.2.2)
     kaminari-core (1.2.2)
     language_server-protocol (3.17.0.3)
-    launchdarkly-server-sdk (8.6.0)
+    launchdarkly-server-sdk (8.8.2)
       concurrent-ruby (~> 1.1)
       http (>= 4.4.0, < 6.0.0)
       json (~> 2.3)
       ld-eventsource (= 2.2.2)
       observer (~> 0.1.2)
       semantic (~> 1.6)
+      zlib (~> 3.1)
     launchy (3.0.1)
       addressable (~> 2.8)
       childprocess (~> 5.0)
@@ -353,8 +399,18 @@ GEM
       letter_opener (~> 1.9)
       railties (>= 6.1)
       rexml
-    libdatadog (9.0.0.1.0)
-    libddwaf (1.14.0.0.0)
+    libdatadog (14.1.0.1.0)
+    libdatadog (14.1.0.1.0-aarch64-linux)
+    libdatadog (14.1.0.1.0-x86_64-linux)
+    libddwaf (1.15.0.0.0)
+      ffi (~> 1.0)
+    libddwaf (1.15.0.0.0-aarch64-linux)
+      ffi (~> 1.0)
+    libddwaf (1.15.0.0.0-arm64-darwin)
+      ffi (~> 1.0)
+    libddwaf (1.15.0.0.0-x86_64-darwin)
+      ffi (~> 1.0)
+    libddwaf (1.15.0.0.0-x86_64-linux)
       ffi (~> 1.0)
     listen (3.9.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
@@ -362,11 +418,12 @@ GEM
     llhttp-ffi (0.5.0)
       ffi-compiler (~> 1.0)
       rake (~> 13.0)
-    logger (1.6.0)
-    loofah (2.22.0)
+    local_time (3.0.2)
+    logger (1.6.1)
+    loofah (2.23.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
-    lookbook (2.3.2)
+    lookbook (2.3.4)
       activemodel
       css_parser
       htmlbeautifier (~> 1.3)
@@ -383,7 +440,7 @@ GEM
       net-imap
       net-pop
       net-smtp
-    maintenance_tasks (2.7.1)
+    maintenance_tasks (2.8.0)
       actionpack (>= 6.0)
       activejob (>= 6.0)
       activerecord (>= 6.0)
@@ -393,14 +450,14 @@ GEM
       zeitwerk (>= 2.6.2)
     marcel (1.0.4)
     matrix (0.4.2)
-    memory_profiler (1.0.2)
-    meta-tags (2.21.0)
-      actionpack (>= 6.0.0, < 7.2)
+    memory_profiler (1.1.0)
+    meta-tags (2.22.1)
+      actionpack (>= 6.0.0, < 8.1)
     method_source (1.1.0)
     mini_histogram (0.3.1)
     mini_mime (1.1.5)
-    mini_portile2 (2.8.7)
-    minitest (5.24.1)
+    mini_portile2 (2.8.8)
+    minitest (5.25.1)
     minitest-gcstats (1.3.1)
       minitest (~> 5.0)
     minitest-reporters (1.7.1)
@@ -408,18 +465,19 @@ GEM
       builder
       minitest (>= 5.0)
       ruby-progressbar
-    minitest-retry (0.2.2)
+    minitest-retry (0.2.3)
       minitest (>= 5.0)
-    mocha (2.4.0)
+    mocha (2.5.0)
       ruby2_keywords (>= 0.0.5)
-    msgpack (1.7.2)
+    msgpack (1.7.5)
     multi_json (1.15.0)
     multi_xml (0.7.1)
       bigdecimal (~> 3.1)
+    multipart-post (2.4.1)
     mutex_m (0.2.0)
-    net-http (0.4.1)
+    net-http (0.5.0)
       uri
-    net-imap (0.4.14)
+    net-imap (0.5.1)
       date
       net-protocol
     net-pop (0.1.2)
@@ -428,10 +486,18 @@ GEM
       timeout
     net-smtp (0.5.0)
       net-protocol
-    nio4r (2.7.0)
-    nokogiri (1.16.6)
+    nio4r (2.7.3)
+    nokogiri (1.16.7)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
+    nokogiri (1.16.7-aarch64-linux)
+      racc (~> 1.4)
+    nokogiri (1.16.7-arm64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.16.7-x86_64-darwin)
+      racc (~> 1.4)
+    nokogiri (1.16.7-x86_64-linux)
+      racc (~> 1.4)
     oauth2 (2.0.9)
       faraday (>= 0.17.3, < 3.0)
       jwt (>= 1.0, < 3.0)
@@ -440,7 +506,7 @@ GEM
       snaky_hash (~> 2.0)
       version_gem (~> 1.1)
     observer (0.1.2)
-    octokit (9.1.0)
+    octokit (9.2.0)
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
     omniauth (2.1.2)
@@ -456,7 +522,7 @@ GEM
     omniauth-rails_csrf_protection (1.0.2)
       actionpack (>= 4.2)
       omniauth (~> 2.0)
-    openid_connect (2.3.0)
+    openid_connect (2.3.1)
       activemodel
       attr_required (>= 1.0.0)
       email_validator
@@ -469,48 +535,66 @@ GEM
       tzinfo
       validate_url
       webfinger (~> 2.0)
-    opensearch-ruby (3.3.0)
+    opensearch-ruby (3.4.0)
       faraday (>= 1.0, < 3)
       multi_json (>= 1.0)
     openssl (3.2.0)
     openssl-signature_algorithm (1.3.0)
       openssl (> 2.0)
     optimist (3.1.0)
-    pagy (8.4.0)
-    parallel (1.25.1)
-    parser (3.3.3.0)
+    ostruct (0.6.0)
+    pagy (8.6.3)
+    parallel (1.26.3)
+    parser (3.3.5.0)
       ast (~> 2.4.1)
       racc
-    pg (1.5.6)
+    pg (1.5.9)
     pg_query (5.1.0)
       google-protobuf (>= 3.22.3)
-    pghero (3.5.0)
-      activerecord (>= 6)
-    phlex (1.10.2)
-    phlex-rails (1.2.1)
-      phlex (~> 1.10.0)
-      railties (>= 6.1, < 8)
-    pp (0.5.0)
+    pghero (3.6.1)
+      activerecord (>= 6.1)
+    phlex (1.11.0)
+    phlex-rails (1.2.2)
+      phlex (>= 1.10, < 2)
+      railties (>= 6.1, < 9)
+    pp (0.6.1)
       prettyprint
     prettyprint (0.2.0)
+    prop_initializer (0.2.0)
+      zeitwerk (>= 2.6.18)
+    propshaft (1.1.0)
+      actionpack (>= 7.0.0)
+      activesupport (>= 7.0.0)
+      rack
+      railties (>= 7.0.0)
     prosopite (1.4.2)
+    protobug (0.1.0)
+    protobug_googleapis_field_behavior_protos (0.1.0)
+      protobug (= 0.1.0)
+      protobug_well_known_protos (= 0.1.0)
+    protobug_sigstore_protos (0.1.0)
+      protobug (= 0.1.0)
+      protobug_googleapis_field_behavior_protos (= 0.1.0)
+      protobug_well_known_protos (= 0.1.0)
+    protobug_well_known_protos (0.1.0)
+      protobug (= 0.1.0)
     pry (0.14.1)
       coderay (~> 1.1)
       method_source (~> 1.0)
     pry-byebug (3.10.1)
       byebug (~> 11.0)
       pry (>= 0.13, < 0.15)
-    psych (5.1.2)
+    psych (5.2.0)
       stringio
-    public_suffix (6.0.0)
-    puma (6.4.2)
+    public_suffix (6.0.1)
+    puma (6.4.3)
       nio4r (~> 2.0)
-    pundit (2.3.2)
+    pundit (2.4.0)
       activesupport (>= 3.0.0)
     pwned (2.3.0)
     raabro (1.4.0)
-    racc (1.8.0)
-    rack (3.1.6)
+    racc (1.8.1)
+    rack (3.1.8)
     rack-attack (6.7.0)
       rack (>= 1.0, < 4)
     rack-oauth2 (2.2.1)
@@ -523,29 +607,28 @@ GEM
     rack-protection (4.0.0)
       base64 (>= 0.1.0)
       rack (>= 3.0.0, < 4)
+    rack-sanitizer (2.0.3)
+      rack (>= 1.0, < 4.0)
     rack-session (2.0.0)
       rack (>= 3.0.0)
     rack-test (2.1.0)
       rack (>= 1.3)
-    rack-utf8_sanitizer (1.9.1)
-      rack (>= 1.0, < 4.0)
-    rackup (2.1.0)
+    rackup (2.2.1)
       rack (>= 3)
-      webrick (~> 1.8)
-    rails (7.1.3.4)
-      actioncable (= 7.1.3.4)
-      actionmailbox (= 7.1.3.4)
-      actionmailer (= 7.1.3.4)
-      actionpack (= 7.1.3.4)
-      actiontext (= 7.1.3.4)
-      actionview (= 7.1.3.4)
-      activejob (= 7.1.3.4)
-      activemodel (= 7.1.3.4)
-      activerecord (= 7.1.3.4)
-      activestorage (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
+    rails (7.2.1.1)
+      actioncable (= 7.2.1.1)
+      actionmailbox (= 7.2.1.1)
+      actionmailer (= 7.2.1.1)
+      actionpack (= 7.2.1.1)
+      actiontext (= 7.2.1.1)
+      actionview (= 7.2.1.1)
+      activejob (= 7.2.1.1)
+      activemodel (= 7.2.1.1)
+      activerecord (= 7.2.1.1)
+      activestorage (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
       bundler (>= 1.15.0)
-      railties (= 7.1.3.4)
+      railties (= 7.2.1.1)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
@@ -562,23 +645,27 @@ GEM
     rails-html-sanitizer (1.6.0)
       loofah (~> 2.21)
       nokogiri (~> 1.14)
-    rails-i18n (7.0.9)
+    rails-i18n (7.0.10)
       i18n (>= 0.7, < 2)
       railties (>= 6.0.0, < 8)
-    rails_semantic_logger (4.16.0)
+    rails_semantic_logger (4.17.0)
       rack
       railties (>= 5.1)
-      semantic_logger (~> 4.13)
-    railties (7.1.3.4)
-      actionpack (= 7.1.3.4)
-      activesupport (= 7.1.3.4)
-      irb
+      semantic_logger (~> 4.16)
+    railties (7.2.1.1)
+      actionpack (= 7.2.1.1)
+      activesupport (= 7.2.1.1)
+      irb (~> 1.13)
       rackup (>= 1.0.0)
       rake (>= 12.2)
       thor (~> 1.0, >= 1.2.2)
       zeitwerk (~> 2.6)
     rainbow (3.1.1)
     rake (13.2.1)
+    ransack (4.2.1)
+      activerecord (>= 6.1.5)
+      activesupport (>= 6.1.5)
+      i18n
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
@@ -590,87 +677,98 @@ GEM
       psych (>= 4.0.0)
     redcarpet (3.6.0)
     regexp_parser (2.9.2)
-    reline (0.5.9)
+    reline (0.5.11)
       io-console (~> 0.5)
-    rexml (3.3.1)
-      strscan
+    rexml (3.3.9)
     roadie (5.2.1)
       css_parser (~> 1.4)
       nokogiri (~> 1.15)
-    roadie-rails (3.2.0)
-      railties (>= 5.1, < 8.0)
+    roadie-rails (3.3.0)
+      railties (>= 5.1, < 8.1)
       roadie (~> 5.0)
     rotp (6.3.0)
-    rouge (4.3.0)
+    rouge (4.4.0)
     rqrcode (2.2.0)
       chunky_png (~> 1.0)
       rqrcode_core (~> 1.0)
     rqrcode_core (1.2.0)
-    rubocop (1.64.1)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.0)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.1)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.13.0)
+    rspec-support (3.13.1)
+    rubocop (1.66.1)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
-      regexp_parser (>= 1.8, < 3.0)
-      rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.31.1, < 2.0)
+      regexp_parser (>= 2.4, < 3.0)
+      rubocop-ast (>= 1.32.2, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.31.3)
+    rubocop-ast (1.32.3)
       parser (>= 3.3.1.0)
     rubocop-capybara (2.21.0)
       rubocop (~> 1.41)
     rubocop-factory_bot (2.26.1)
       rubocop (~> 1.61)
-    rubocop-minitest (0.35.0)
+    rubocop-minitest (0.36.0)
       rubocop (>= 1.61, < 2.0)
       rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-performance (1.21.1)
+    rubocop-performance (1.22.1)
       rubocop (>= 1.48.1, < 2.0)
       rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rails (2.25.1)
+    rubocop-rails (2.26.2)
       activesupport (>= 4.2.0)
       rack (>= 1.1)
-      rubocop (>= 1.33.0, < 2.0)
+      rubocop (>= 1.52.0, < 2.0)
       rubocop-ast (>= 1.31.1, < 2.0)
     ruby-graphviz (1.2.5)
       rexml
     ruby-magic (0.6.0)
       mini_portile2 (~> 2.8)
     ruby-progressbar (1.13.0)
-    ruby-statistics (3.0.2)
+    ruby-statistics (4.0.1)
     ruby2_keywords (0.0.5)
     rubyzip (2.3.2)
     safety_net_attestation (0.4.0)
       jwt (~> 2.0)
-    sass-embedded (1.72.0)
-      google-protobuf (>= 3.25, < 5.0)
-      rake (>= 13.0.0)
-    sassc-embedded (1.70.1)
-      sass-embedded (~> 1.70)
     sawyer (0.9.2)
       addressable (>= 2.3.5)
       faraday (>= 0.17.3, < 3)
-    searchkick (5.3.1)
+    searchkick (5.4.0)
       activemodel (>= 6.1)
       hashie
-    selenium-webdriver (4.22.0)
+    securerandom (0.3.2)
+    selenium-webdriver (4.26.0)
       base64 (~> 0.2)
       logger (~> 1.4)
       rexml (~> 3.2, >= 3.2.5)
       rubyzip (>= 1.2.2, < 3.0)
       websocket (~> 1.0)
     semantic (1.6.1)
-    semantic_logger (4.15.0)
+    semantic_logger (4.16.0)
       concurrent-ruby (~> 1.0)
     shoryuken (6.2.1)
       aws-sdk-core (>= 2)
       concurrent-ruby
       thor
     shoulda-context (3.0.0.rc1)
-    shoulda-matchers (6.2.0)
+    shoulda-matchers (6.4.0)
       activesupport (>= 5.2.0)
+    sigstore (0.1.1)
+      net-http
+      protobug_sigstore_protos (~> 0.1.0)
+      uri
     simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
@@ -684,32 +782,30 @@ GEM
     snaky_hash (2.0.1)
       hashie
       version_gem (~> 1.1, >= 1.1.1)
-    sprockets (4.2.1)
-      concurrent-ruby (~> 1.0)
-      rack (>= 2.2.4, < 4)
-    sprockets-rails (3.5.1)
-      actionpack (>= 6.1)
-      activesupport (>= 6.1)
-      sprockets (>= 3.0.0)
-    statsd-instrument (3.8.0)
-    stimulus-rails (1.3.3)
+    statsd-instrument (3.9.7)
+    stimulus-rails (1.3.4)
       railties (>= 6.0.0)
-    stringio (3.1.1)
-    strong_migrations (2.0.0)
+    stringio (3.1.2)
+    strong_migrations (2.1.0)
       activerecord (>= 6.1)
-    strscan (3.1.0)
     swd (2.0.3)
       activesupport (>= 3)
       attr_required (>= 0.0.5)
       faraday (~> 2.0)
       faraday-follow_redirects
-    tailwindcss-rails (2.6.1)
+    tailwindcss-rails (3.0.0)
       railties (>= 7.0.0)
     terser (1.2.3)
       execjs (>= 0.3.0, < 3)
-    thor (1.3.1)
     tilt (2.3.0)
-    timeout (0.4.1)
+         tailwindcss-ruby
+    tailwindcss-ruby (3.4.14)
+    tailwindcss-ruby (3.4.14-aarch64-linux)
+    tailwindcss-ruby (3.4.14-arm64-darwin)
+    tailwindcss-ruby (3.4.14-x86_64-darwin)
+    tailwindcss-ruby (3.4.14-x86_64-linux)
+    thor (1.3.2)
+    timeout (0.4.2)
     timescaledb (0.3.0)
       activerecord
       activesupport
@@ -719,27 +815,27 @@ GEM
       bindata (~> 2.4)
       openssl (> 2.0)
       openssl-signature_algorithm (~> 1.0)
-    turbo-rails (1.5.0)
+    turbo-rails (2.0.11)
       actionpack (>= 6.0.0)
-      activejob (>= 6.0.0)
       railties (>= 6.0.0)
-    turbo_power (0.5.0)
-      turbo-rails (~> 1.3)
+    turbo_power (0.6.2)
+      turbo-rails (>= 1.3.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (2.5.0)
+    unicode-display_width (2.6.0)
     unpwn (1.0.0)
       bloomer (~> 1.0)
       pwned (~> 2.0)
-    uri (0.13.0)
+    uri (1.0.2)
     user_agent_parser (2.18.0)
+    useragent (0.16.10)
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
       public_suffix
     validates_formatting_of (0.9.0)
       activemodel
     version_gem (1.1.1)
-    view_component (3.12.1)
+    view_component (3.14.0)
       activesupport (>= 5.2.0, < 8.0)
       concurrent-ruby (~> 1.0)
       method_source (~> 1.0)
@@ -756,12 +852,11 @@ GEM
       activesupport
       faraday (~> 2.0)
       faraday-follow_redirects
-    webmock (3.23.1)
+    webmock (3.24.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    webrick (1.8.1)
-    websocket (1.2.10)
+    websocket (1.2.11)
     websocket-driver (0.7.6)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
@@ -769,92 +864,106 @@ GEM
       rexml
     xpath (3.2.0)
       nokogiri (~> 1.8)
-    yard (0.9.36)
-    zeitwerk (2.6.16)
+    yard (0.9.37)
+    zeitwerk (2.7.1)
+    zlib (3.1.1)
 
 PLATFORMS
+  aarch64-linux
+  arm64-darwin
+  arm64-linux
   ruby
+  x86_64-darwin
+  x86_64-linux
+  x86_64-linux-musl
 
 DEPENDENCIES
   aggregate_assertions (~> 0.2.0)
   amazing_print (~> 1.6)
-  autoprefixer-rails (~> 10.4)
-  avo (~> 2.51)
-  aws-sdk-s3 (~> 1.156)
-  aws-sdk-sqs (~> 1.80)
+  avo (~> 3.13)
+  avo-advanced (~> 3.14)!
+  avo_upgrade (~> 0.1.1)
+  aws-sdk-s3 (~> 1.171)
+  aws-sdk-sqs (~> 1.88)
   bcrypt (~> 3.1)
   better_html (~> 2.1)
   bootsnap (~> 1.18)
-  brakeman (~> 6.1)
-  browser (~> 6.0)
+  brakeman (~> 6.2)
+  browser (~> 6.1)
   capybara (~> 3.40)
-  chartkick (~> 5.0)
-  clearance (~> 2.7)
+  chartkick (~> 5.1)
+  clearance (~> 2.9)
   compact_index (~> 0.15.0)
   csv (~> 3.3)
   dalli (~> 3.2)
-  dartsass-sprockets (~> 3.1)
-  datadog (~> 2.1)
-  datadog-ci (~> 1.1)
-  derailed_benchmarks (~> 2.1)
-  discard (~> 1.3)
-  dogstatsd-ruby (~> 5.5)
+  datadog (~> 2.7)
+  datadog-ci (~> 1.8)
+  derailed_benchmarks (~> 2.2)
+  discard (~> 1.4)
+  dogstatsd-ruby (~> 5.6)
   dotenv-rails (~> 3.1)
   factory_bot_rails (~> 6.4)
-  faraday (~> 2.9)
+  faraday (~> 2.12)
+  faraday-multipart (~> 1.0)
+  faraday-restrict-ip-addresses (~> 0.3.0)
   faraday-retry (~> 2.2)
   faraday_middleware-aws-sigv4 (~> 1.0)
-  good_job (~> 3.29)
-  google-protobuf (~> 4.27)
+  gem_server_conformance (~> 0.1.4)
+  good_job (~> 3.99)
+  google-protobuf (~> 4.28)
   gravtastic (~> 3.2)
-  groupdate (~> 6.2)
+  groupdate (~> 6.5)
   honeybadger (~> 5.5.1)
   http_accept_language (~> 2.1)
   importmap-rails (~> 2.0)
   kaminari (~> 1.2)
-  launchdarkly-server-sdk (~> 8.6)
+  launchdarkly-server-sdk (~> 8.8)
   launchy (~> 3.0)
   letter_opener (~> 1.10)
   letter_opener_web (~> 3.0)
   listen (~> 3.9)
+  local_time (~> 3.0)
   lookbook (~> 2.3)
   mail (~> 2.8)
-  maintenance_tasks (~> 2.7)
-  memory_profiler (~> 1.0)
-  minitest (~> 5.24)
+  maintenance_tasks (~> 2.8)
+  memory_profiler (~> 1.1)
+  minitest (~> 5.25)
   minitest-gcstats (~> 1.3)
   minitest-reporters (~> 1.7)
-  minitest-retry (~> 0.2.2)
-  mocha (~> 2.4)
+  minitest-retry (~> 0.2.3)
+  mocha (~> 2.5)
   observer (~> 0.1.2)
-  octokit (~> 9.1)
+  octokit (~> 9.2)
   omniauth (~> 2.1)
   omniauth-github (~> 2.0)
   omniauth-rails_csrf_protection (~> 1.0)
   openid_connect (~> 2.3)
-  opensearch-ruby (~> 3.3)
+  opensearch-ruby (~> 3.4)
+  pagy (~> 8.4)
   pg (~> 1.5)
   pg_query (~> 5.1)
-  pghero (~> 3.5)
+  pghero (~> 3.6)
   phlex-rails (~> 1.2)
-  pp (= 0.5.0)
+  pp (= 0.6.1)
+  prop_initializer (~> 0.2)
+  propshaft (~> 1.1.0)
   prosopite (~> 1.4)
   pry-byebug (~> 3.10)
   puma (~> 6.4)
-  pundit (~> 2.3)
+  pundit (~> 2.4)
   rack (~> 3.1)
   rack-attack (~> 6.6)
+  rack-sanitizer (~> 2.0)
   rack-test (~> 2.1)
-  rack-utf8_sanitizer (~> 1.8)
-  rackup (~> 2.1)
-  rails (~> 7.1.0, >= 7.1.3.2)
+  rackup (~> 2.2)
+  rails (~> 7.2.1)
   rails-controller-testing (~> 1.0)
   rails-erd (~> 1.7)
   rails-i18n (~> 7.0)
-  rails_semantic_logger (~> 4.16)
+  rails_semantic_logger (~> 4.17)
   rbtrace (~> 0.5.1)
   rdoc (~> 6.7)
-  roadie-rails (~> 3.2)
+  roadie-rails (~> 3.3)
   rotp (~> 6.2)
   rqrcode (~> 2.1)
   rubocop (~> 1.64)
@@ -864,42 +973,41 @@ DEPENDENCIES
   rubocop-performance (~> 1.21)
   rubocop-rails (~> 2.25)
   ruby-magic (~> 0.6)
-  searchkick (~> 5.3)
-  selenium-webdriver (~> 4.22)
+  searchkick (~> 5.4)
+  selenium-webdriver (~> 4.26)
   shoryuken (~> 6.2)
   shoulda-context (~> 3.0.0.rc1)
-  shoulda-matchers (~> 6.2)
+  shoulda-matchers (~> 6.4)
+  sigstore (~> 0.1.1)
   simplecov (~> 0.22)
   simplecov-cobertura (~> 2.1)
-  sprockets-rails (~> 3.5)
-  statsd-instrument (~> 3.8)
+  statsd-instrument (~> 3.9)
   stimulus-rails (~> 1.3)
-  strong_migrations (~> 2.0)
-  tailwindcss-rails (~> 2.6)
-  terser (~> 1.2)
-  timescaledb (~> 0.3.0)
+  strong_migrations (~> 2.1)
+  tailwindcss-rails (~> 3.0)
+  timescaledb (~> 0.3)
   toxiproxy (~> 2.0)
   unpwn (~> 1.0)
   user_agent_parser (~> 2.18)
   validates_formatting_of (~> 0.9)
-  view_component (~> 3.12)
+  view_component (~> 3.14.0)
   webauthn (~> 3.1)
-  webmock (~> 3.23)
+  webmock (~> 3.24)
   xml-simple (~> 1.1)
 
 CHECKSUMS
-  actioncable (7.1.3.4) sha256=787ba8651caaa93d5c161f0d1110105300974be65e89483071146fc42d4bd310
-  actionmailbox (7.1.3.4) sha256=a3fd3019a44597e49ae18b4ed5c68e0f21c1d1b389bbcc10be357e205a83cad0
-  actionmailer (7.1.3.4) sha256=1f196096740587b08ef935db8a672971f448cadb8299e3d9a7bc24088a2a0351
-  actionpack (7.1.3.4) sha256=dcafc71bec6a975c3984a1ed8e698e2f9afeeb441c838766c16c29633705edd2
-  actiontext (7.1.3.4) sha256=84964dae95a3c99819d42641084f21e28de502fcefa6efb9df3805d6c439b784
-  actionview (7.1.3.4) sha256=41fcf5242dec11e100a0ba3d3717612c6534e8571c8a290a5b2a950aa58b615b
+  actioncable (7.2.1.1) sha256=56a57b5a3615cabe754d6cf6ad4ab7a2aa10209638a94b56598311c411869980
+  actionmailbox (7.2.1.1) sha256=839f3b406f049a9dafd8e00695282025e2e1d9d7caafc852fd6156609d262346
+  actionmailer (7.2.1.1) sha256=95aeb7eb76dc0a90917c7a3a7ad3e01464a43bf81d6c51022045ae4c7fdc627b
+  actionpack (7.2.1.1) sha256=a7c1654012de62713252459eb15f3918f7aa119d906a15f74e76a0ed4e8e5bc7
+  actiontext (7.2.1.1) sha256=66675be781ea2a75c1958698c4083742608696e1116a9935602a6caba90305d5
+  actionview (7.2.1.1) sha256=a0136e499a54eb394d97a9fc6960a2b2920ddd55911f94b09cbe7b9295cd90c9
   active_link_to (1.0.5) sha256=4830847b3d14589df1e9fc62038ceec015257fce975ec1c2a77836c461b139ba
-  activejob (7.1.3.4) sha256=3f8aeef0fdfb2dd65f9a663828dbcc8ca187e70ef0c5a773c5fe4dd67e040f62
-  activemodel (7.1.3.4) sha256=f4c838ea76dfca8967e433ac89603342ae20b65dd61366e62f07120a08e1ad72
-  activerecord (7.1.3.4) sha256=784eeca4d6f23391d445552d6675a47c594555361c3b042108d29f0c7b9230f2
-  activestorage (7.1.3.4) sha256=f2020ea0a77e105e480a9a15251c91d615eecb4b28a1a80968d6fb6a5dcb0a2e
-  activesupport (7.1.3.4) sha256=455bbc43d82e5ba20daa25f0888b80c9f7e2d80ca0cc96cea3e6acfec3e40309
+  activejob (7.2.1.1) sha256=27cd7e7c52a1355d90761212b32614249a0ea0164bccec1fb5a15ef26e47da28
+  activemodel (7.2.1.1) sha256=315d5d2e3d3a5f850a9bea0a69d175bdbf3c5a06a98014006dde73dc83dc4603
+  activerecord (7.2.1.1) sha256=c124a4e4ddfa93e7f198bfdb464dcb8cc5908c89e9c22ec4248ec52ce719aa6b
+  activestorage (7.2.1.1) sha256=f699a54809413424c7aafcb7a0fa4a2ea56366e0e92603bc80d51168d5ac6bbb
+  activesupport (7.2.1.1) sha256=bd4c1b0e5f758c8ccd16250f43b32925e33521e3c0d77c1574588f0d02f83bb2
   addressable (2.8.7) sha256=462986537cf3735ab5f3c0f557f14155d778f4b43ea4f485a9deb9c8f7c58232
   aes_key_wrap (1.1.0) sha256=b935f4756b37375895db45669e79dfcdc0f7901e12d4e08974d5540c8e0776a5
   aggregate_assertions (0.2.0) sha256=9bc51a48323a8e7b82f47cc38d48132817247345e5a8713686c9d65b25daca9e
@@ -909,280 +1017,319 @@ CHECKSUMS
   argon2 (2.3.0) sha256=980ef65172bf512ad37b6cbb0d61eef40b6dccab6a7db4e70557527e1dce9557
   ast (2.4.2) sha256=1e280232e6a33754cde542bc5ef85520b74db2aac73ec14acef453784447cc12
   attr_required (1.0.2) sha256=f0ebfc56b35e874f4d0ae799066dbc1f81efefe2364ca3803dc9ea6a4de6cb99
-  autoprefixer-rails (10.4.16.0) sha256=40c4b14d6f26f66026cd0d4631baf18d6c56aab425b36059c8abbda17f19a706
-  avo (2.51.0) sha256=0d5785cda01b5b0d2575e7419cda4dc7a5d7805068f160d48ecc7458ee74ec03
+  avo (3.14.0) sha256=ae8744b3bde7c9b3d41869e58214abf288d7ef6f230420746f012df083f1c0be
+  avo-advanced (3.14.0) sha256=9b4a450819e7ea4aa2b25ff07d4e6f0bd36bcb6c99e86469a2fd1be733b9fe17
+  avo-dashboards (3.14.0) sha256=5b2c30fee710fdfec6d47d940d5018cb1afcd2020720e5ef436001dc2ee6387b
+  avo-dynamic_filters (3.14.0) sha256=05fd9e5846ad247310fbffed61b40be310d9334646e8d59afe6c724faff5b28e
+  avo-menu (3.14.0) sha256=f07243d2a52921d28718d7d9bdddb11eaebdc0dd5b07deed7a7fb767550be554
+  avo-pro (3.14.0) sha256=0a20743f5c5e685a9088c9b753bc8419a68aac57f7fa2966485e9ceb61a82c5f
+  avo_upgrade (0.1.1) sha256=8d841083b9956392f5c8fe195f25bec0d139e3646d276f8a59e66b7d2e9ebf30
   awrence (1.2.1) sha256=dd1d214c12a91f449d1ef81d7ee3babc2816944e450752e7522c65521872483e
   aws-eventstream (1.3.0) sha256=f1434cc03ab2248756eb02cfa45e900e59a061d7fbdc4a9fd82a5dd23d796d3f
-  aws-partitions (1.950.0) sha256=b980ec8f8b014be08fe0f65182dee16afc06d04a2175177c17fa45eee44147ec
-  aws-sdk-core (3.201.0) sha256=18fda4d14362eea4cb0bff54bc68222bd46b5e705ec84468954aaf7cf9a8360c
-  aws-sdk-kms (1.88.0) sha256=13588d90df1eece81f6d79bd304b3857dc3168e7ea75c933b3b835cfe8a0e309
-  aws-sdk-s3 (1.156.0) sha256=9302da1d1a70363308854d5065035f6c72cf8b8af895d8789487cd5c6b076a46
-  aws-sdk-sqs (1.80.0) sha256=ae0bdced7aa958ddd99d28f709abe244839d58fbf1f2a628bcd9a5629a7444c2
-  aws-sigv4 (1.8.0) sha256=84dd99768b91b93b63d1d8e53ee837cfd06ab402812772a7899a78f9f9117cbc
+  aws-partitions (1.1008.0) sha256=6fb5e6b843ea1169480c804fc861a5de7407762097de75cf4734fbcd35466227
+  aws-sdk-core (3.213.0) sha256=6ca685be1d72d61776fdaaddf3c293e45a472ff0dd0b624880e7813d0c82db19
+  aws-sdk-kms (1.95.0) sha256=2ae508c642ddc59baa1296229108e9601a2fa00e57cf7a2153c9488f0587fd5e
+  aws-sdk-s3 (1.171.0) sha256=94a2210c20f6102d8867937b021ef40683aa351e28912ac9cc6ef20509f85f4f
+  aws-sdk-sqs (1.88.0) sha256=3e4e022b9af1796eb87bb368a8bb2001ebcad3b5025d76aa9ba731acea01a2eb
+  aws-sigv4 (1.10.1) sha256=8a140753f34de18125686b11e7adaed4ca3db06dfb50a478993bd437f7a203bb
   base64 (0.2.0) sha256=0f25e9b21a02a0cc0cea8ef92b2041035d39350946e8789c562b2d1a3da01507
   bcrypt (3.1.20) sha256=8410f8c7b3ed54a3c00cd2456bf13917d695117f033218e2483b2e40b0784099
-  benchmark-ips (2.12.0) sha256=09dd4d5be05db42470e7e7b01be7310564073a054e35d9d9ec7840c523f3dbcb
+  benchmark-ips (2.14.0) sha256=b72bc8a65d525d5906f8cd94270dccf73452ee3257a32b89fbd6684d3e8a9b1d
   better_html (2.1.1) sha256=046c3551d1488a3f2939a7cac6fabf2bde08c32e135c91fcd683380118e5af55
   bigdecimal (3.1.8) sha256=a89467ed5a44f8ae01824af49cbc575871fa078332e8f77ea425725c1ffe27be
   bindata (2.5.0) sha256=29dccb8ba1cc9de148f24bb88930840c62db56715f0f80eccadd624d9f3d2623
   bitarray (1.2.0) sha256=7f9f31fadbd87bf51544cf13058e81cd6ec408ff40f127902cef3d6767b23f11
   bloomer (1.0.0) sha256=57a0d3a78628db9a92c6723f06c67697e420abcdb05aa757c6dfae607251d272
-  bootsnap (1.18.3) sha256=d7b70de761e2fb1d63d21dd941b393c881c5cab5575211369cede788dfc034eb
-  brakeman (6.1.2) sha256=7716769c18f2c4a52d7a74d2cb5a614be0c46d8aad3fbe7ca089dbb7c98bd4d3
-  browser (6.0.0) sha256=0399f0f12c925e529aa995b096a3824384e00ea2c7241fbb4b707d2a25e87920
+  bootsnap (1.18.4) sha256=ac4c42af397f7ee15521820198daeff545e4c360d2772c601fbdc2c07d92af55
+  brakeman (6.2.2) sha256=d502d653699f4d451b21225ff4d19a9ec9345d23eaab5576e246185ffd7bf618
+  browser (6.1.0) sha256=b9104e9d094800ec8243ad787f2289ea25b23921eb88c315cea53c89305424c7
   builder (3.3.0) sha256=497918d2f9dca528fdca4b88d84e4ef4387256d984b8154e9d5d3fe5a9c8835f
   byebug (11.1.3) sha256=2485944d2bb21283c593d562f9ae1019bf80002143cc3a255aaffd4e9cf4a35b
   capybara (3.40.0) sha256=42dba720578ea1ca65fd7a41d163dd368502c191804558f6e0f71b391054aeef
   cbor (0.5.9.8) sha256=9ee097fc58d9bc5e406d112cd2d4e112c7354ec16f8b6ff34e4732c1e44b4eb7
-  chartkick (5.0.7) sha256=fe52cfd34a51ff0c42dabe26c59a827ffc5c74de56816eddcb74b7c639938893
+  chartkick (5.1.2) sha256=1bb981ebb567c6bc6d1f555fba3dc5b4a7d1e7d170ea7d6980b4badf0032305a
   childprocess (5.0.0) sha256=0746b7ab1d6c68156e64a3767631d7124121516192c0492929a7f0af7310d835
   choice (0.2.0) sha256=a19617f7dfd4921b38a85d0616446620de685a113ec6d1ecc85bdb67bf38c974
   chunky_png (1.4.0) sha256=89d5b31b55c0cf4da3cf89a2b4ebc3178d8abe8cbaf116a1dba95668502fdcfe
-  clearance (2.7.2) sha256=68bb326c1045cf71e608b1a3a90b8144f06018458384769456ed335c6c254822
+  clearance (2.9.2) sha256=d4981644d7b78ec26b95ed72b9c65a22b4ce2efe7ffb81f9dd4c4b43cf03d159
   coderay (1.1.3) sha256=dc530018a4684512f8f38143cd2a096c9f02a1fc2459edcfe534787a7fc77d4b
   compact_index (0.15.0) sha256=5c6c404afca8928a7d9f4dde9524f6e1610db17e675330803055db282da84a8b
-  concurrent-ruby (1.3.3) sha256=4f9cd28965c4dcf83ffd3ea7304f9323277be8525819cb18a3b61edcb56a7c6a
+  concurrent-ruby (1.3.4) sha256=d4aa926339b0a86b5b5054a0a8c580163e6f5dcbdfd0f4bb916b1a2570731c32
   connection_pool (2.4.1) sha256=0f40cf997091f1f04ff66da67eabd61a9fe0d4928b9a3645228532512fab62f4
   cose (1.3.0) sha256=63247c66a5bc76e53926756574fe3724cc0a88707e358c90532ae2a320e98601
   crack (1.0.0) sha256=c83aefdb428cdc7b66c7f287e488c796f055c0839e6e545fec2c7047743c4a49
   crass (1.0.6) sha256=dc516022a56e7b3b156099abc81b6d2b08ea1ed12676ac7a5657617f012bd45d
-  css_parser (1.17.1) sha256=eb730f2d26591a843e52bd3d0efd76abdfeec8bad728e0b2ac821fc10bb018e6
+  css_parser (1.19.1) sha256=1940dce01e3b9be18d6880e6d65162d984cc04ff28998cf4759beb999275209e
   csv (3.3.0) sha256=0bbd1defdc31134abefed027a639b3723c2753862150f4c3ee61cab71b20d67d
   dalli (3.2.8) sha256=2e63595084d91fae2655514a02c5d4fc0f16c0799893794abe23bf628bebaaa5
-  dartsass-sprockets (3.1.0) sha256=c238ec9f7f496489ac5a7813cd1f83d1e077a1826921acefc7e290a521b7a20a
-  datadog (2.1.0) sha256=6a9be58bb3dc01e1890d1b3452cef262de925bda9ad0bfdb8bb854f5f9384e0b
-  datadog-ci (1.1.0) sha256=15153b9f15deb5e55e81c91aaff6911c8dc7f4e2f139f80e803d079890739fbd
-  date (3.3.4) sha256=971f2cb66b945bcbea4ddd9c7908c9400b31a71bc316833cb42fa584b59d3291
-  dead_end (4.0.0) sha256=695c8438993bb4c5415b1618a1b6e0afcae849ef2812fb8cb3846723904307eb
-  debase-ruby_core_source (3.3.1) sha256=ed904cae290edf0cf274ad707f8981bf1cefad8081e78d4bb71be2a483bc2c08
-  derailed_benchmarks (2.1.2) sha256=eaadc6206ceeb5538ff8f5e04a0023d54ebdd95d04f33e8960fb95a5f189a14f
-  discard (1.3.0) sha256=55218997ca4dc11f0594f1bb2d1196c4a959ceb562f1ab6490130233598dda67
-  docile (1.4.0) sha256=5f1734bde23721245c20c3d723e76c104208e1aa01277a69901ce770f0ebb8d3
-  dogstatsd-ruby (5.6.1) sha256=615dd1328c57ab66fb48cbf83b38ce2060d8353707be0bc3deb0ae960a659982
+  datadog (2.7.0) sha256=cea0c125acff6630966a2ad0bc01863ba1e1ff2886b4d38dc29f254f89ad02a2
+  datadog-ci (1.8.1) sha256=c461acd83d36b5894716ea7b1c207fd4b7fa103994c0773e3936a68da4dfa594
+  datadog-ruby_core_source (3.3.6) sha256=007c72450d3f5838c6d0ae4a6a77e5008bb29dd97d10ea3bf367f978d7c02f36
+  date (3.4.0) sha256=2e7fadaded625c9b3e35e254e42068d4bd8b8646ceab0744cbcbcfdafaa0a711
+  derailed_benchmarks (2.2.1) sha256=654280664fded41c9cd8fc27fc0fcfaf096023afab90eb4ac1185ba70c5d4439
+  diff-lcs (1.5.1) sha256=273223dfb40685548436d32b4733aa67351769c7dea621da7d9dd4813e63ddfe
+  discard (1.4.0) sha256=6efcd2a53ddf96781f81b825d398f1c88ab88c0faa84e131bea6e16ef95d65d0
+  docile (1.4.1) sha256=96159be799bfa73cdb721b840e9802126e4e03dfc26863db73647204c727f21e
+  dogstatsd-ruby (5.6.3) sha256=9702f3ddd4dbdbf0073edc4c70ed81dd00aa53677705eaebadcde6717c003b1c
   domain_name (0.6.20240107) sha256=5f693b2215708476517479bf2b3802e49068ad82167bcd2286f899536a17d933
-  dotenv (3.1.2) sha256=08036c2aa1246590034a83df2adc85b72cb4944692c49da24d8e911f97924478
-  dotenv-rails (3.1.2) sha256=66d2ad1a5aca1de742dd8ec2ceed2148675c73617a3b8d7703ef86ed47ca5d6a
+  dotenv (3.1.4) sha256=6dc502e718ea0d3542673345da05c7a69039840898e251757adb3405d2b35629
+  dotenv-rails (3.1.4) sha256=a7d75f6ab3cc7f1b28e7deb0462efb155878e4e87ce3cc6e42ce35bea61c6fe4
   drb (2.2.1) sha256=e9d472bf785f558b96b25358bae115646da0dbfd45107ad858b0bc0d935cb340
-  dry-initializer (3.1.1) sha256=4d267dea367ccabe498b259c62b909b99d577d6db547d9510561999403546dec
   email_validator (2.2.4) sha256=5ab238095bec7aef9389f230e9e0c64c5081cdf91f19d6c5cecee0a93af20604
   erubi (1.13.0) sha256=fca61b47daefd865d0fb50d168634f27ad40181867445badf6427c459c33cd62
   et-orbi (1.2.11) sha256=d26e868cc21db88280a9ec1a50aa3da5d267eb9b2037ba7b831d6c2731f5df64
-  execjs (2.9.1) sha256=e8fd066f6df60c8e8fbebc32c6fb356b5212c77374e8416a9019ca4bb154dcfb
-  factory_bot (6.4.5) sha256=d71dd29bc95f0ec2bf27e3dd9b1b4d557bd534caca744663cb7db4bacf3198be
-  factory_bot_rails (6.4.3) sha256=ea73ceac1c0ff3dc11fff390bf2ea8a2604066525ed8ecd3b3bc2c267226dcc8
-  faraday (2.9.2) sha256=6595edbe3b4663223e52a315f6bf2bca97ea1527bab7e02a926bf8afcf7423a4
+  factory_bot (6.5.0) sha256=6374b3a3593b8077ee9856d553d2e84d75b47b912cc24eafea4062f9363d2261
+  factory_bot_rails (6.4.4) sha256=139e17caa2c50f098fddf5e5e1f29e8067352024e91ca1186d018b36589e5c88
+  faraday (2.12.1) sha256=23f2128bf5d40533806b3a3f0444cca218d76d0af25320db8e782bf42ae0aa6f
   faraday-follow_redirects (0.3.0) sha256=d92d975635e2c7fe525dd494fcd4b9bb7f0a4a0ec0d5f4c15c729530fdb807f9
-  faraday-net_http (3.1.0) sha256=1627be414960d0131691190ff524506ba6607402a50fb6eccda9e64ca60f859f
+  faraday-multipart (1.0.4) sha256=9012021ab57790f7d712f590b48d5f948b19b43cfa11ca83e6459f06090b0725
+  faraday-net_http (3.4.0) sha256=a1f1e4cd6a2cf21599c8221595e27582d9936819977bbd4089a601f24c64e54a
+  faraday-restrict-ip-addresses (0.3.0) sha256=2db7f6da6f59fa73a9d4ffe96b2b46a4b2b2c4d177e44a1962c1921d32ec7279
   faraday-retry (2.2.1) sha256=4146fed14549c0580bf14591fca419a40717de0dd24f267a8ec2d9a728677608
   faraday_middleware-aws-sigv4 (1.0.1) sha256=a001ea4f687ca1c60bad8f2a627196905ce3dbf285e461dc153240e92eaabe8f
   ffi (1.17.0) sha256=51630e43425078311c056ca75f961bb3bda1641ab36e44ad4c455e0b0e4a231c
+  ffi (1.17.0-aarch64-linux-gnu) sha256=228c8fb79e6b018a31c75414115a75ca65f74e8138b2c9c97d22041e4e12f2c1
+  ffi (1.17.0-arm64-darwin) sha256=609c874e76614542c6d485b0576e42a7a38ffcdf086612f9a300c4ec3fcd0d12
+  ffi (1.17.0-x86_64-darwin) sha256=fdcd48c69db3303ef95aec5c64d6275fcf9878a02c0bec0afddc506ceca0f56b
+  ffi (1.17.0-x86_64-linux-gnu) sha256=1015e59d5919dd6bbcb0704325b0bd639be664a79b1e2189943ceb18faa34198
+  ffi (1.17.0-x86_64-linux-musl) sha256=6573299eedf8dd16668f8a435b72c4236b61bca0279bb73c811e3cbdb395e877
   ffi-compiler (1.3.2) sha256=a94f3d81d12caf5c5d4ecf13980a70d0aeaa72268f3b9cc13358bcc6509184a0
-  fugit (1.11.0) sha256=addc9cd3031611921d1dbac094de3a645bc8858828639fd035c9cedd3b460bb9
-  get_process_mem (0.2.7) sha256=4afd3c3641dd6a817c09806c7d6d509d8a9984512ac38dea8b917426bbf77eba
+  fugit (1.11.1) sha256=e89485e7be22226d8e9c6da411664d0660284b4b1c08cacb540f505907869868
+  gem_server_conformance (0.1.4) sha256=ee404d5405eabcb6f7ab440d2193177375481a77bfa0ec3106165dd6c8e733bb
+  get_process_mem (1.0.0) sha256=d54024f3bcbf776a4d6e0155ec2b21bc3ba44e2fd158c4c00c80aa8a36e0b4aa
   globalid (1.2.1) sha256=70bf76711871f843dbba72beb8613229a49429d1866828476f9c9d6ccc327ce9
-  good_job (3.29.5) sha256=3d71236c7e89b9678ba0cf16d6a93b9ee2ff12795959a0c10f77fd52f6479a13
-  google-protobuf (4.27.2) sha256=9f69eb20acde6e3cf3cd197c09f38911cd7eed5fdf1bf4d4bce4c55e9dc9966f
+  good_job (3.99.1) sha256=7d3869d8a8ee8ef7048fee5d746f41c21987b7822c20038a2f773036bef0830a
+  google-protobuf (4.28.3) sha256=c0ed86d6595257123ea9806dceed6ae158b6f8afde550cda2f565c5fa1df29b5
+  google-protobuf (4.28.3-aarch64-linux) sha256=7715ac58bad92f3297d02ed302879f03b6994fedcc63d20ec9bfd16b793c95ee
+  google-protobuf (4.28.3-arm64-darwin) sha256=cde7fa6b63349c79b1e9d815e6b4e3090bd98b7ac460bb282de3af03c4b9c0d5
+  google-protobuf (4.28.3-x86_64-darwin) sha256=f2c3aa765d43bd6aa62f5cb48f7c59e6b49a38dc65332b61625f26f7cb4c37f9
+  google-protobuf (4.28.3-x86_64-linux) sha256=2e4a2558b863024b296ac1dbceebb707c95f057a0ae1b5023a16440f209ba05a
   gravtastic (3.2.6) sha256=ef98abcecf7c402b61cff1ae7c50a2c6d97dd22bac21ea9b421ce05bc03d734f
-  groupdate (6.4.0) sha256=65940645bf2a48f9b2d10ab7a1d19bdc78f3c89559d8fce39cea3448a15aec54
-  hashdiff (1.1.0) sha256=b5465f0e7375f1ee883f53a766ece4dbc764b7674a7c5ffd76e79b2f5f6fc9c9
+  groupdate (6.5.1) sha256=a0a78d051a510d61864fe987f00089d8f03739741eadc41e6ad4ea6f786da110
+  hashdiff (1.1.1) sha256=c7966316726e0ceefe9f5c6aef107ebc3ccfef8b6db55fe3934f046b2cf0936a
   hashie (5.0.0) sha256=9d6c4e51f2a36d4616cbc8a322d619a162d8f42815a792596039fc95595603da
   heapy (0.2.0) sha256=74141e845d61ffc7c1e8bf8b127c8cf94544ec7a1181aec613288682543585ea
   honeybadger (5.5.1) sha256=22350ccfc9f3bac4bf7c5c733d5263d21dc57adeba16f14054428d9cc63fb56d
   htmlbeautifier (1.4.3) sha256=b43d08f7e2aa6ae1b5a6f0607b4ed8954c8d4a8e85fd2336f975dda1e4db385b
   htmlentities (4.3.4) sha256=125a73c6c9f2d1b62100b7c3c401e3624441b663762afa7fe428476435a673da
   http (5.2.0) sha256=b99ed3c65376e0fd8107647fbaf5a8ab4f66c347d1271fb74cea757e209c6115
-  http-cookie (1.0.6) sha256=7713d3196f21ff5ab0944011d7d4e619b62ec082374a52de2193ccfe78924044
+  http-cookie (1.0.7) sha256=cb7a399f3344f720b8a0f3b0765f29b62608ebb9c3ce4abf4d6eeff2caf42253
   http-form_data (2.3.0) sha256=cc4eeb1361d9876821e31d7b1cf0b68f1cf874b201d27903480479d86448a5f3
   http_accept_language (2.1.1) sha256=0043f0d55a148cf45b604dbdd197cb36437133e990016c68c892d49dbea31634
-  httparty (0.22.0) sha256=78652a5c9471cf0093d3b2083c2295c9c8f12b44c65112f1846af2b71430fa6c
-  i18n (1.14.5) sha256=26dcbc05e364b57e27ab430148b3377bc413987d34cc042336271d8f42e9d1b9
-  importmap-rails (2.0.1) sha256=e739a6e70c09f797688c6983fa79567ec1edc9becc30d55b3f7cc897b1825586
-  inline_svg (1.9.0) sha256=f44c5e3d2e401fd619ad3047b7c8cee384517d855edb1d1fb1a248d3cae535d6
+  i18n (1.14.6) sha256=dc229a74f5d181f09942dd60ab5d6e667f7392c4ee826f35096db36d1fe3614c
+  importmap-rails (2.0.3) sha256=c56764941f9b637791fb87123b38f206f27cc55ef03cb19894f1994184e98cc8
+  inline_svg (1.10.0) sha256=5b652934236fd9f8adc61f3fd6e208b7ca3282698b19f28659971da84bf9a10f
   io-console (0.7.2) sha256=f0dccff252f877a4f60d04a4dc6b442b185ebffb4b320ab69212a92b48a7a221
-  irb (1.13.2) sha256=e72928d8047a515cd868967ecafbe5388097402449fb8ef658c33db6ccde8117
+  irb (1.14.1) sha256=5975003b58d36efaf492380baa982ceedf5aed36967a4d5b40996bc5c66e80f8
   jmespath (1.6.2) sha256=238d774a58723d6c090494c8879b5e9918c19485f7e840f2c1c7532cf84ebcb1
   job-iteration (1.5.1) sha256=1428ad5b308adbaae8776c16b7792a846eb1ad7f4ab3c6e0f9668dd2ab1179e5
-  json (2.7.2) sha256=1898b5cbc81cd36c0fd4d0b7ad2682c39fb07c5ff682fc6265f678f550d4982c
-  json-jwt (1.16.6) sha256=ab451f9cd8743cecc4137f4170806046c1d8a6d4ee6e8570e0b5c958409b266c
+  json (2.8.2) sha256=dd4fa6c9c81daecf72b86ea36e56ed8955fdbb4d4dc379c93d313a59344486cf
+  json-jwt (1.16.7) sha256=ccabff4c6d1a14276b23178e8bebe513ef236399b72a0b886d7ed94800d172a5
   jwt (2.7.1) sha256=07357cd2f180739b2f8184eda969e252d850ac996ed0a23f616e8ff0a90ae19b
   kaminari (1.2.2) sha256=c4076ff9adccc6109408333f87b5c4abbda5e39dc464bd4c66d06d9f73442a3e
   kaminari-actionview (1.2.2) sha256=1330f6fc8b59a4a4ef6a549ff8a224797289ebf7a3a503e8c1652535287cc909
   kaminari-activerecord (1.2.2) sha256=0dd3a67bab356a356f36b3b7236bcb81cef313095365befe8e98057dd2472430
   kaminari-core (1.2.2) sha256=3bd26fec7370645af40ca73b9426a448d09b8a8ba7afa9ba3c3e0d39cdbb83ff
   language_server-protocol (3.17.0.3) sha256=3d5c58c02f44a20d972957a9febe386d7e7468ab3900ce6bd2b563dd910c6b3f
-  launchdarkly-server-sdk (8.6.0) sha256=c18c62d08f90b795105e98f07a24997a5628126623fadbd3b80c0d23b9409b75
+  launchdarkly-server-sdk (8.8.2) sha256=7a65646751b7e37389d8b0a2717eef1584b0d5829ba2c3efbc09d0e80047ac49
   launchy (3.0.1) sha256=b7fa60bda0197cf57614e271a250a8ca1f6a34ab889a3c73f67ec5d57c8a7f2c
   ld-eventsource (2.2.2) sha256=5ea087a6f06bbd8e325d2c1aaead50f37f13d025b952985739e9380a78a96beb
   letter_opener (1.10.0) sha256=2ff33f2e3b5c3c26d1959be54b395c086ca6d44826e8bf41a14ff96fdf1bdbb2
   letter_opener_web (3.0.0) sha256=3f391efe0e8b9b24becfab5537dfb17a5cf5eb532038f947daab58cb4b749860
-  libdatadog (9.0.0.1.0) sha256=2a24dd3ee462e59de04f098687ed3d98823042aebfdd3f1b75fd92374b926f07
-  libddwaf (1.14.0.0.0) sha256=b91ea9675f7d79d1cd10dd6513e3706760ac442cb8902164fbcef79b7082a8fd
+  libdatadog (14.1.0.1.0) sha256=6b5c7d03a6f67e148425d98cc5f43a6b1a85da32862e7689cb08db94cabc151e
+  libdatadog (14.1.0.1.0-aarch64-linux) sha256=cdde91ca08c8cface9420f00a217fd0140337ec24c962342dffc9a1b3fdf5691
+  libdatadog (14.1.0.1.0-x86_64-linux) sha256=136a79e3abc24b07376a1e2a8be9ddc5212b002bcad546af866385b4d986b28e
+  libddwaf (1.15.0.0.0) sha256=5a0b6bb1bf9208cc3c8df4393e0f19ae1faf9846e8e8dbc2e10ecd5cb3c756f0
+  libddwaf (1.15.0.0.0-aarch64-linux) sha256=1630f38b57bc1a20bc1102bfbfc328fd7c522cf5828aebb02dbb45460cb834e7
+  libddwaf (1.15.0.0.0-arm64-darwin) sha256=714d497c080a385ad1a735b9163d58ea67a861df8d61e8f5669dbfdf8df744ea
+  libddwaf (1.15.0.0.0-x86_64-darwin) sha256=76a9361fb90ecfefc7e95871612851ec56603c6cea88538d102b790101e86250
+  libddwaf (1.15.0.0.0-x86_64-linux) sha256=331c2e54679a6ecb4fa9d4940e29c6c732efb3f407cb83dfc0671daca99d568e
   listen (3.9.0) sha256=db9e4424e0e5834480385197c139cb6b0ae0ef28cc13310cfd1ca78377d59c67
   llhttp-ffi (0.5.0) sha256=496f40ad44bcbf99de02da1f26b1ad64e6593cd487b931508a86228e2a3af0fa
-  logger (1.6.0) sha256=0ab7c120262dd8de2a18cb8d377f1f318cbe98535160a508af9e7710ff43ef3e
-  loofah (2.22.0) sha256=10d76e070c86b12fec74b6a9515fd1940f4459198b991342d0a7897d86c372fe
-  lookbook (2.3.2) sha256=abcdefeb13d9150ab30ab8022a2f459db85cbd02e90a0e8e066b32f9048e160a
+  local_time (3.0.2) sha256=cb8abb2d56726ae285d00b0bd7f4c34bafc38c0c1cbc70ddc28f3a5661168d9d
+  logger (1.6.1) sha256=3ad9587ed3940bf7897ea64a673971415523f4f7d6b22c5e3af5219705669653
+  loofah (2.23.1) sha256=d0a07422cb3b69272e124afa914ef6d517e30d5496b7f1c1fc5b95481f13f75e
+  lookbook (2.3.4) sha256=16484c9eb514ac0c23c4b59cfd5a52697141d35056e3a9c2a22b314c1b887605
   mail (2.8.1) sha256=ec3b9fadcf2b3755c78785cb17bc9a0ca9ee9857108a64b6f5cfc9c0b5bfc9ad
-  maintenance_tasks (2.7.1) sha256=2f1f42239a11f5b30ef34e821f1beb42010d08e81634d8945884aba8bdb982db
+  maintenance_tasks (2.8.0) sha256=7ee8aa37ab39c6c3a5f4637878c1a343cc296596742248112458b922968d4a16
   marcel (1.0.4) sha256=0d5649feb64b8f19f3d3468b96c680bae9746335d02194270287868a661516a4
   matrix (0.4.2) sha256=71083ccbd67a14a43bfa78d3e4dc0f4b503b9cc18e5b4b1d686dc0f9ef7c4cc0
-  memory_profiler (1.0.2) sha256=0e7c5c2a1a7bea5b5a05b9df25b2d628afa0db37b9344ba42b42eb8a604762df
-  meta-tags (2.21.0) sha256=cfaa2ccd32b2700c3538c9eae647191295a06f47f0d8558e685a6a7158171cfb
+  memory_profiler (1.1.0) sha256=79a17df7980a140c83c469785905409d3027ca614c42c086089d128b805aa8f8
+  meta-tags (2.22.1) sha256=e5ae1febbd320d396c7226d7edb868e5d63466c14b9c8b06622a1a74e6dce354
   method_source (1.1.0) sha256=181301c9c45b731b4769bc81e8860e72f9161ad7d66dd99103c9ab84f560f5c5
   mini_histogram (0.3.1) sha256=6a114b504e4618b0e076cc672996036870f7cc6f16b8e5c25c0c637726d2dd94
   mini_mime (1.1.5) sha256=8681b7e2e4215f2a159f9400b5816d85e9d8c6c6b491e96a12797e798f8bccef
-  mini_portile2 (2.8.7) sha256=13eef5ab459bbfd33d61e539564ec25a9c2cf593b0a5ea6d4d7ef8c19b162ee0
-  minitest (5.24.1) sha256=31ec31ac9088d9e21fcc5a5487912234de83966f24368241b2bef03d7012464a
+  mini_portile2 (2.8.8) sha256=8e47136cdac04ce81750bb6c09733b37895bf06962554e4b4056d78168d70a75
+  minitest (5.25.1) sha256=3db6795a80634def1cf86fda79d2d83b59b25ce5e186fa675f73c565589d2ad8
   minitest-gcstats (1.3.1) sha256=cb25490f93aac02e3a5ff307e560d41afcdcafa7952c1c32efdeb9886b1f4711
   minitest-reporters (1.7.1) sha256=5060413a0c95b8c32fe73e0606f3631c173a884d7900e50013e15094eb50562c
-  minitest-retry (0.2.2) sha256=ea39f8abc3d67a8145ead04ff3828eb45169655c9e6078f182c0271516c03fb0
-  mocha (2.4.0) sha256=dae4d68652b7b70c711e57cfcc1778bed6d740933edb692ac83741346bc7f7af
-  msgpack (1.7.2) sha256=59ab62fd8a4d0dfbde45009f87eb6f158ab2628a7c48886b0256f175166baaa8
+  minitest-retry (0.2.3) sha256=7b7f4896efb9b931a1acb442a40e5273c441f44946cf4c6a8eb8895838e7bf29
+  mocha (2.5.0) sha256=7852595064e8ef4c6a3f6d8a5a5ab8c705168f913bb17929ab1c35f4dd4c7717
+  msgpack (1.7.5) sha256=ffb04979f51e6406823c03abe50e1da2c825c55a37dee138518cdd09d9d3aea8
   multi_json (1.15.0) sha256=1fd04138b6e4a90017e8d1b804c039031399866ff3fbabb7822aea367c78615d
   multi_xml (0.7.1) sha256=4fce100c68af588ff91b8ba90a0bb3f0466f06c909f21a32f4962059140ba61b
+  multipart-post (2.4.1) sha256=9872d03a8e552020ca096adadbf5e3cb1cd1cdd6acd3c161136b8a5737cdb4a8
   mutex_m (0.2.0) sha256=b6ef0c6c842ede846f2ec0ade9e266b1a9dac0bc151682b04835e8ebd54840d5
-  net-http (0.4.1) sha256=a96efc5ea18bcb9715e24dda4159d10f67ff0345c8a980d04630028055b2c282
-  net-imap (0.4.14) sha256=a2184b3f09a4f7ca27998d113fd6df8cd0dd56b91e5bf0d6387b8350bb438065
+  net-http (0.5.0) sha256=ed7f88205afe03bf53142a4b81ded91f2c01522dcf03089cb6ad4acb476ce1da
+  net-imap (0.5.1) sha256=c0ceb85d8459f7081d5ed1ac86159f8e80d25e704eb52dbf0d9f703b7bc838d7
   net-pop (0.1.2) sha256=848b4e982013c15b2f0382792268763b748cce91c9e91e36b0f27ed26420dff3
   net-protocol (0.2.2) sha256=aa73e0cba6a125369de9837b8d8ef82a61849360eba0521900e2c3713aa162a8
   net-smtp (0.5.0) sha256=5fc0415e6ea1cc0b3dfea7270438ec22b278ca8d524986a3ae4e5ae8d087b42a
-  nio4r (2.7.0) sha256=9586a685eca8246d6406e712a525e705d15bb88f709d78fc3f141e864df97276
-  nokogiri (1.16.6) sha256=935fe4dd67d4377f4a05002acb1ffbadbcae265ea8e7869fc40e3a8121f3e1ef
+  nio4r (2.7.3) sha256=54b94cdd4b8f9dc39aaad5f699e97afae13efb44f2b180a6e724df76105ff604
+  nokogiri (1.16.7) sha256=f819cbfdfb0a7b19c9c52c6f2ca63df0e58a6125f4f139707b586b9511d7fe95
+  nokogiri (1.16.7-aarch64-linux) sha256=78778d35f165b59513be31c0fe232c63a82cf97626ffba695b5f822e5da1d74b
+  nokogiri (1.16.7-arm64-darwin) sha256=276dcea1b988a5b22b5acc1ba901d24b8e908c40b71dccd5d54a2ae279480dad
+  nokogiri (1.16.7-x86_64-darwin) sha256=630732b80fc572690eab50c73a1f18988f3ac401ed0b67ca9956ba2b1e2c3faa
+  nokogiri (1.16.7-x86_64-linux) sha256=9e1e428641d5942af877c60b418c71163560e9feb4a5c4015f3230a8b86a40f6
   oauth2 (2.0.9) sha256=b21f9defcf52dc1610e0dfab4c868342173dcd707fd15c777d9f4f04e153f7fb
   observer (0.1.2) sha256=d8a3107131ba661138d748e7be3dbafc0d82e732fffba9fccb3d7829880950ac
-  octokit (9.1.0) sha256=7849a659d2722c629181f48d1d7e567c9539f1a85c9676144dbdbfc6ce288253
+  octokit (9.2.0) sha256=4fa47ff35ce654127edf2c836ab9269bcc8829f5542dc1e86871f697ce7f4316
   omniauth (2.1.2) sha256=def03277298b8f8a5d3ff16cdb2eb5edb9bffed60ee7dda24cc0c89b3ae6a0ce
   omniauth-github (2.0.1) sha256=8ff8e70ac6d6db9d52485eef52cfa894938c941496e66b52b5e2773ade3ccad4
   omniauth-oauth2 (1.8.0) sha256=b2f8e9559cc7e2d4efba57607691d6d2b634b879fc5b5b6ccfefa3da85089e78
   omniauth-rails_csrf_protection (1.0.2) sha256=1170fd672aff092b9b7ebebc1453559f073ed001e3ce62a1df616e32f8dc5fe0
-  openid_connect (2.3.0) sha256=0dbb9cefeb11e0a65e706349266355bbbb060382ae138fc9e199ab1aa622744c
-  opensearch-ruby (3.3.0) sha256=f490c0150bdb2a6444f1d4ec128e9947aadb1c74f0315a29c574c0d31acfeced
+  openid_connect (2.3.1) sha256=5d808380cff80d78e3d3d54cfaebe2d6461d835c674faa29e2314a402c1b2182
+  opensearch-ruby (3.4.0) sha256=0a8621686bed3c59b4c23e08cbaef873685a3fe4568e9d2703155ca92b8ca05d
   openssl (3.2.0) sha256=3c4bb8760977b4becd2819c6c2569bcf5c6f48b32b9f7a4ce1fd37f996378d14
   openssl-signature_algorithm (1.3.0) sha256=a3b40b5e8276162d4a6e50c7c97cdaf1446f9b2c3946a6fa2c14628e0c957e80
   optimist (3.1.0) sha256=81886f53ee8919f330aa30076d320d88eef9bc85aae2275376b4afb007c69260
-  pagy (8.4.0) sha256=21dd68453d24e752a1bc81aef5b6f1346ff95e1c2e5b53448355f7856f3ef901
-  parallel (1.25.1) sha256=12e089b9aa36ea2343f6e93f18cfcebd031798253db8260590d26a7f70b1ab90
-  parser (3.3.3.0) sha256=a2e23c90918d9b7e866b18dca2b6835f227769dd2fa8e59c5841f3389cf53eeb
-  pg (1.5.6) sha256=4bc3ad2438825eea68457373555e3fd4ea1a82027b8a6be98ef57c0d57292b1c
+  ostruct (0.6.0) sha256=3b1736c99f4d985de36bde1155be5e22aaf6e564b30ff9bd481e2ef7c2d9ba85
+  pagy (8.6.3) sha256=537b2ee3119f237dd6c4a0d0a35c67a77b9d91ebb9d4f85e31407c2686774fb2
+  parallel (1.26.3) sha256=d86babb7a2b814be9f4b81587bf0b6ce2da7d45969fab24d8ae4bf2bb4d4c7ef
+  parser (3.3.5.0) sha256=f30ebb71b7830c2e7cdc4b2b0e0ec2234900e3fca3fe2fba47f78be759181ab3
+  pg (1.5.9) sha256=761efbdf73b66516f0c26fcbe6515dc7500c3f0aa1a1b853feae245433c64fdc
   pg_query (5.1.0) sha256=b7f7f47c864f08ccbed46a8244906fb6ee77ee344fd27250717963928c93145d
-  pghero (3.5.0) sha256=7b459d383673e358017d0dd210c11b6a82bbfb340c73236ba0e50bb6c0351e6a
-  phlex (1.10.2) sha256=49dca7df081258f937be5e4ee0a81b11743f2b4fea25ac7537912b9c9344b1e6
-  phlex-rails (1.2.1) sha256=1d80709c02114cda869951d22bfca189b5f208d1eb89f2e6fafbe3c0240a822f
-  pp (0.5.0) sha256=f8f40bc2ba9e1ab351b9458151da3a89f46034f7f599a8e0a06abb9b9f4411dd
+  pghero (3.6.1) sha256=e6d4f6ec3979d4828dafcd1eaa4214e70279fe2502b9fe5bd632d8333aa79cd4
+  phlex (1.11.0) sha256=979548e79a205c981612f1ab613addc8fa128c8092694d02f41aad4cea905e73
+  phlex-rails (1.2.2) sha256=a20218449e71bc9fa5a71b672fbede8a654c6b32a58f1c4ea83ddc1682307a4c
+  pp (0.6.1) sha256=16d45bd9972616e81090ba08e119161131eb5b6348e85e43c4efffc8c5fe9fea
   prettyprint (0.2.0) sha256=2bc9e15581a94742064a3cc8b0fb9d45aae3d03a1baa6ef80922627a0766f193
+  prop_initializer (0.2.0) sha256=bd27704d0df8c59c3baf0df5cf448eba2b140fb9934fb31b2e379b5c842d8820
+  propshaft (1.1.0) sha256=d389361faf66aeb17e8d204828962c1e506edd14a1a17adb3fa475435c070f6b
   prosopite (1.4.2) sha256=b2e422e2d9dbf3ce20130ded3252fe14adb3833555eacd451f5015d8c9177e79
+  protobug (0.1.0) sha256=5bf1356cedf99dcf311890743b78f5e602f62ca703e574764337f1996b746bf2
+  protobug_googleapis_field_behavior_protos (0.1.0) sha256=db48ef6a5913b2355b4a6931ab400a9e3e995fb48499977a3ad0be6365f9e265
+  protobug_sigstore_protos (0.1.0) sha256=4ad1eebaf6454131b6f432dda50ad0e513773613474b92470847614a5acacce1
+  protobug_well_known_protos (0.1.0) sha256=356757f562453bb34a28f12e8e9fa357346cca35a6807a549837c3fe256bb5b3
   pry (0.14.1) sha256=99b6df0665875dd5a39d85e0150aa5a12e2bb4fef401b6c4f64d32ee502f8454
   pry-byebug (3.10.1) sha256=c8f975c32255bfdb29e151f5532130be64ff3d0042dc858d0907e849125581f8
-  psych (5.1.2) sha256=337322f58fc2bf24827d2b9bd5ab595f6a72971867d151bb39980060ea40a368
-  public_suffix (6.0.0) sha256=d2c8e12e076813f8fca0307205c088c6903adc70b92c65ab22479dfa9bc0a89e
-  puma (6.4.2) sha256=3eb41999d00733280be3faeb00d610331b6965a537a8cd3d905f316c38575b44
-  pundit (2.3.2) sha256=7ca09a5801ebaedad1966f7eb0b1c52ecb8c94b3b6ab70122cb22856ac187fa3
+  psych (5.2.0) sha256=6603fe756bcaf14daa25bc17625f36c90931dcf70452ac1e8da19760dc310573
+  public_suffix (6.0.1) sha256=61d44e1cab5cbbbe5b31068481cf16976dd0dc1b6b07bd95617ef8c5e3e00c6f
+  puma (6.4.3) sha256=24a4645c006811d83f2480057d1f54a96e7627b6b90e1c99b260b9dc630eb43e
+  pundit (2.4.0) sha256=43e6d27a9df082c04f0020999ce4dcf6742ecc5775d102ef2bfe9df041417572
   pwned (2.3.0) sha256=63f5a9576f109203684e9dd053f815649fd5bc0a0348b7190568272641b22353
   raabro (1.4.0) sha256=d4fa9ff5172391edb92b242eed8be802d1934b1464061ae5e70d80962c5da882
-  racc (1.8.0) sha256=09349a65c37c4fe710a435f25c9f1652e39f29ad6b1fa08d4a8d30c0553d3a08
-  rack (3.1.6) sha256=08cd573725c9c223bb0466d483153cae9bb3606d17760328c814902e6bf83c32
+  racc (1.8.1) sha256=4a7f6929691dbec8b5209a0b373bc2614882b55fc5d2e447a21aaa691303d62f
+  rack (3.1.8) sha256=d3fbcbca43dc2b43c9c6d7dfbac01667ae58643c42cea10013d0da970218a1b1
   rack-attack (6.7.0) sha256=3ca47e8f66cd33b2c96af53ea4754525cd928ed3fa8da10ee6dad0277791d77c
   rack-oauth2 (2.2.1) sha256=c73aa87c508043e2258f02b4fb110cacba9b37d2ccf884e22487d014a120d1a5
   rack-protection (4.0.0) sha256=d0db6185caa46a8c0d134c2c6b4803f4f392a67b2984da311409cb505f67bbf6
+  rack-sanitizer (2.0.3) sha256=3e492e1b56b0005fb1b56d77dff996821059aad4321634883ae3c42c865f9af0
   rack-session (2.0.0) sha256=db04b2063e180369192a9046b4559af311990af38c6a93d4c600cee4eb6d4e81
   rack-test (2.1.0) sha256=0c61fc61904049d691922ea4bb99e28004ed3f43aa5cfd495024cc345f125dfb
-  rack-utf8_sanitizer (1.9.1) sha256=6414b70172f5678e23044abf1d00f6a32e62a335507c9548bc5caf9e3bff6da0
-  rackup (2.1.0) sha256=6ecb884a581990332e45ee17bdfdc14ccbee46c2f710ae1566019907869a6c4d
-  rails (7.1.3.4) sha256=3a7fca9df74ee641dc1e89b8302ac6d03f22883de771e786a0e9f3094e5aa6ad
+  rackup (2.2.1) sha256=f737191fd5c5b348b7f0a4412a3b86383f88c43e13b8217b63d4c8d90b9e798d
+  rails (7.2.1.1) sha256=79dbdb6feebf78c1172b643a273a4b1c6c8a18e101a4bb1c838be611a3cdcae7
   rails-controller-testing (1.0.5) sha256=741448db59366073e86fc965ba403f881c636b79a2c39a48d0486f2607182e94
   rails-dom-testing (2.2.0) sha256=e515712e48df1f687a1d7c380fd7b07b8558faa26464474da64183a7426fa93b
   rails-erd (1.7.2) sha256=0b17d0fba25d319d8da8af7a3e5e2149d02d6187cc7351e8be43423f07c48bcd
   rails-html-sanitizer (1.6.0) sha256=86e9f19d2e6748890dcc2633c8945ca45baa08a1df9d8c215ce17b3b0afaa4de
-  rails-i18n (7.0.9) sha256=c184db80a7c7bf21c14e0e400fe9e27c4c20312f019aaff5b364a82858dc1369
-  rails_semantic_logger (4.16.0) sha256=766f6cd482f3c811083b24777ea8ac04bb7f44c4fdb189cf1af3ae2b9b844cf6
-  railties (7.1.3.4) sha256=6c6049f3a788669d94f95c7bf6378204ae94098567cc25237e3c73dac4a21afc
+  rails-i18n (7.0.10) sha256=efae16e0ac28c0f42e98555c8db1327d69ab02058c8b535e0933cb106dd931ca
+  rails_semantic_logger (4.17.0) sha256=cc10cca01491736596cd5ab40b52b3bbf98338d9d1f5a7916b2be10231615047
+  railties (7.2.1.1) sha256=16ac9ddd079b8e8c4c3386234512c301ab7a302bce3cbe0560ac44cec7d88453
   rainbow (3.1.1) sha256=039491aa3a89f42efa1d6dec2fc4e62ede96eb6acd95e52f1ad581182b79bc6a
   rake (13.2.1) sha256=46cb38dae65d7d74b6020a4ac9d48afed8eb8149c040eccf0523bec91907059d
+  ransack (4.2.1) sha256=e0f688c6ef35abe0bad3cf5afc1b050f36a819bdd56eb454c955c63cdd1bef40
   rb-fsevent (0.11.2) sha256=43900b972e7301d6570f64b850a5aa67833ee7d87b458ee92805d56b7318aefe
   rb-inotify (0.10.1) sha256=050062d4f31d307cca52c3f6a7f4b946df8de25fc4bd373e1a5142e41034a7ca
   rbtrace (0.5.1) sha256=e8cba64d462bfb8ba102d7be2ecaacc789247d52ac587d8003549d909cb9c5dc
   rdoc (6.7.0) sha256=b17d5f0f57b0853d7b880d4360a32c7caf8dbb81f8503a36426df809e617f379
   redcarpet (3.6.0) sha256=8ad1889c0355ff4c47174af14edd06d62f45a326da1da6e8a121d59bdcd2e9e9
   regexp_parser (2.9.2) sha256=5a27e767ad634f8a4b544520d5cd28a0db7aa1198a5d7c9d7e11d7b3d9066446
-  reline (0.5.9) sha256=5d2dd7ed0fd078e79a05e4eaa47dc91b8dacec7358e9e1dd6d9c4636cff7d378
-  rexml (3.3.1) sha256=34af9fb38eff6c451abd187c53fded98378aa91766d4c62fbbce10e40ed7c325
+  reline (0.5.11) sha256=868d5f4dbfd9caafa70182f7f6fa258b70baee4e565d7cd9e70b4d5b11a7cb65
+  rexml (3.3.9) sha256=d71875b85299f341edf47d44df0212e7658cbdf35aeb69cefdb63f57af3137c9
   roadie (5.2.1) sha256=e4a4f61ce792bd91b228b6844b4bad6b160cdc1b8df86c81a8b983082a5001d6
-  roadie-rails (3.2.0) sha256=90a534857fcfe9fdbe4f9ebfdbc47e5d33462c4f36f478fc80ba6a7b6257433f
+  roadie-rails (3.3.0) sha256=4080f67a635962fb3df77ed42b2992ff41ee6502b60b5f4609a9fb9eb06c0a5e
   rotp (6.3.0) sha256=75d40087e65ed0d8022c33055a6306c1c400d1c12261932533b5d6cbcd868854
-  rouge (4.3.0) sha256=9ee3d9ec53338e78c03fff0cbcd08881d80d69152349b046761e48ccf2de581c
+  rouge (4.4.0) sha256=7a6d6d951e3202e4ce3926838625fa6edeb35680e6d1e3817f53c14212220b64
   rqrcode (2.2.0) sha256=23eea88bb44c7ee6d6cab9354d08c287f7ebcdc6112e1fe7bcc2d010d1ffefc1
   rqrcode_core (1.2.0) sha256=cf4989dc82d24e2877984738c4ee569308625fed2a810960f1b02d68d0308d1a
-  rubocop (1.64.1) sha256=3145bf1863771e400a1c041060e751e5ff0edd9ceb99d01df36db1902f611f3b
-  rubocop-ast (1.31.3) sha256=1b07d618d8776993ec6053a706d1c09f0bf15139fd69415924656cbff07e7818
+  rspec (3.13.0) sha256=d490914ac1d5a5a64a0e1400c1d54ddd2a501324d703b8cfe83f458337bab993
+  rspec-core (3.13.0) sha256=557792b4e88da883d580342b263d9652b6a10a12d5bda9ef967b01a48f15454c
+  rspec-expectations (3.13.1) sha256=814cf8dadc797b00be55a84d7bc390c082735e5c914e62cbe8d0e19774b74200
+  rspec-mocks (3.13.1) sha256=087189899c337937bcf1d66a50dc3fc999ac88335bbeba4d385c2a38c87d7b38
+  rspec-support (3.13.1) sha256=48877d4f15b772b7538f3693c22225f2eda490ba65a0515c4e7cf6f2f17de70f
+  rubocop (1.66.1) sha256=0679c263b1164fd003b8590ae83b3e9e9bf72282d411755f227f1d6268ee5ee7
+  rubocop-ast (1.32.3) sha256=40201e861c73a3c2d59428c7627828ef81fb2f8a306bc4a1c1801452afe3fe0f
   rubocop-capybara (2.21.0) sha256=5d264efdd8b6c7081a3d4889decf1451a1cfaaec204d81534e236bc825b280ab
   rubocop-factory_bot (2.26.1) sha256=8de13cd4edcee5ca800f255188167ecef8dbfc3d1fae9f15734e9d2e755392aa
-  rubocop-minitest (0.35.0) sha256=8411f3a858a445f1930f41876eabf4a0511aa258b339ec19010fdca159272e00
-  rubocop-performance (1.21.1) sha256=5cf20002a544275ad6aa99abca4b945d2a2ed71be925c38fe83700360ed8734e
-  rubocop-rails (2.25.1) sha256=4988933ee02fdb213d22d0f61dc57d6c582317b43867d5106ea1c7a628aae6a5
+  rubocop-minitest (0.36.0) sha256=1d15850849c685ff4b6d64dd801ec2d13eb2fe56b6f7ce9aab93d1b0508e7b9f
+  rubocop-performance (1.22.1) sha256=9ed9737af1ee90655654b483e0eac4e64702139e85d33335bf744b57a309a679
+  rubocop-rails (2.26.2) sha256=f5561a09d6afd2f54316f3f0f6057338ca55b6c24a25ba6a938d3ed0fded84ad
   ruby-graphviz (1.2.5) sha256=1c2bb44e3f6da9e2b829f5e7fd8d75a521485fb6b4d1fc66ff0f93f906121504
   ruby-magic (0.6.0) sha256=7b2138877b7d23aff812c95564eba6473b74b815ef85beb0eb792e729a2b6101
   ruby-progressbar (1.13.0) sha256=80fc9c47a9b640d6834e0dc7b3c94c9df37f08cb072b7761e4a71e22cff29b33
-  ruby-statistics (3.0.2) sha256=fb53e7a9f9681dac144c02539d3535fb2e8fae626f78b907219b0586ff53ec20
+  ruby-statistics (4.0.1) sha256=aede68e6261b979431b31ba39aa661844c18f97a89966768cb60edf2a56b6782
   ruby2_keywords (0.0.5) sha256=ffd13740c573b7301cf7a2e61fc857b2a8e3d3aff32545d6f8300d8bae10e3ef
   rubyzip (2.3.2) sha256=3f57e3935dc2255c414484fbf8d673b4909d8a6a57007ed754dde39342d2373f
   safety_net_attestation (0.4.0) sha256=96be2d74e7ed26453a51894913449bea0e072f44490021545ac2d1c38b0718ce
-  sass-embedded (1.72.0) sha256=05d3e53092022a4b4eef5b76b9597c7f2af4e4efb06812e1a60e3601189a3d2e
-  sassc-embedded (1.70.1) sha256=a95172c9c6725dfc412c702a0e705fb8a5bcb3aac2a32586b18e5432987103d3
   sawyer (0.9.2) sha256=fa3a72d62a4525517b18857ddb78926aab3424de0129be6772a8e2ba240e7aca
-  searchkick (5.3.1) sha256=dc1181543f6a68354e380651f235fa7f3df6a09e4cd67fc284dc293fa9860f57
-  selenium-webdriver (4.22.0) sha256=644370abcdcf1f14b2581c125d39014a1933b20e355c74b0dc5d0ca877a45d66
+  searchkick (5.4.0) sha256=75d7256d3ec2af2dc11c2ba8160c86d80451f3f86447aae2ace1f79553de0bf3
+  securerandom (0.3.2) sha256=e8b2ffa651dfbbb26eb4bfb8ddcfff94221a93e3f118f39e0f7f94c14fea9dc0
+  selenium-webdriver (4.26.0) sha256=bb0426ffe50e5940a6a5ed2978b4dfb1cb29e0e1c4d0a420d6aabf0f6c8e0690
   semantic (1.6.1) sha256=3cdbb48f59198ebb782a3fdfb87b559e0822a311610db153bae22777a7d0c163
-  semantic_logger (4.15.0) sha256=ec4f56122b5d2e2117d148b86c69fb62c1194a2b01a271be04ba8678a85f81ff
+  semantic_logger (4.16.0) sha256=ffba0bd0e008ceaf6be26da588f610a61208b9a9f55676b32729e962904023d9
   shoryuken (6.2.1) sha256=95ddc0a717624a54e799d25a0a05100cb5a0c3728a96211935c214faaf16b3b6
   shoulda-context (3.0.0.rc1) sha256=6e0d9d52ab798c13bc2b490c8537d4bf30cfd318a1ea839c39a66d1d293c6a1a
-  shoulda-matchers (6.2.0) sha256=a702c059c5f3bbda2295827231a28654e33063d7c4d409662980ec630207d8dd
+  shoulda-matchers (6.4.0) sha256=9055bb7f4bb342125fb860809798855c630e05ef5e75837b3168b8e6ee1608b0
+  sigstore (0.1.1) sha256=0c2c3c5d175b204252eeb1507bfb79e330009188d160525d2871b5272f958897
   simplecov (0.22.0) sha256=fe2622c7834ff23b98066bb0a854284b2729a569ac659f82621fc22ef36213a5
   simplecov-cobertura (2.1.0) sha256=2c6532e34df2e38a379d72cef9a05c3b16c64ce90566beebc6887801c4ad3f02
   simplecov-html (0.12.3) sha256=4b1aad33259ffba8b29c6876c12db70e5750cb9df829486e4c6e5da4fa0aa07b
   simplecov_json_formatter (0.1.4) sha256=529418fbe8de1713ac2b2d612aa3daa56d316975d307244399fa4838c601b428
   smart_properties (1.17.0) sha256=f9323f8122e932341756ddec8e0ac9ec6e238408a7661508be99439ca6d6384b
   snaky_hash (2.0.1) sha256=1ac87ec157fcfe7a460e821e0cd48ae1e6f5e3e082ab520f03f31a9259dbdc31
-  sprockets (4.2.1) sha256=951b13dd2f2fcae840a7184722689a803e0ff9d2702d902bd844b196da773f97
-  sprockets-rails (3.5.1) sha256=c44626cb3887a1a8b572ca258685db33b4ebd041aa73428a716eac444ee5ef48
-  statsd-instrument (3.8.0) sha256=122e294845d9a05a74fa53a859010424b455b44f1605abac3108fbbabb2aa7cd
-  stimulus-rails (1.3.3) sha256=4d1f9ab1d64e605f4c9cdd4cc530a9538b510606d32d02249d106256845c562c
-  stringio (3.1.1) sha256=53456e14175c594e0e8eb2206a1be33f3974d4fe21c131e628908b05c8c2ae1e
-  strong_migrations (2.0.0) sha256=88750f294403e18ec674eda6901f2fc195f553ed6a7928c52e8a3f5b57ff501d
-  strscan (3.1.0) sha256=01b8a81d214fbf7b5308c6fb51b5972bbfc4a6aa1f166fd3618ba97e0fcd5555
+  statsd-instrument (3.9.7) sha256=98feeeb39f95f2805c2070b46ae3e72e30679758301ba2f78d075e5b49edf6a5
+  stimulus-rails (1.3.4) sha256=765676ffa1f33af64ce026d26b48e8ffb2e0b94e0f50e9119e11d6107d67cb06
+  stringio (3.1.2) sha256=204f1828f85cdb39d57cac4abc6dc44b04505a223f131587f2e20ae3729ba131
+  strong_migrations (2.1.0) sha256=d48015334c4f9276a2e82e0ed6a2f610424afdbccae64a761b8c900aa10092f9
   swd (2.0.3) sha256=4cdbe2a4246c19f093fce22e967ec3ebdd4657d37673672e621bf0c7eb770655
-  tailwindcss-rails (2.6.1) sha256=60e66e243761402f9ce834132f59dd6c08b6fea5987e321bd9886dd0b0ce04ac
-  terser (1.2.3) sha256=c03111b9b01a7e70cd456b5d9aedf0a56fb99314a19311c4278c01ccebe3da9c
-  thor (1.3.1) sha256=fa7e3471d4f6a27138e3d9c9b0d4daac9c3d7383927667ae83e9ab42ae7401ef
-  tilt (2.3.0) sha256=82dd903d61213c63679d28e404ee8e10d1b0fdf5270f1ad0898ec314cc3e745c
-  timeout (0.4.1) sha256=6f1f4edd4bca28cffa59501733a94215407c6960bd2107331f0280d4abdebb9a
+  tailwindcss-rails (3.0.0) sha256=ee9e5956411968fa445d2bb514c8fb70b239ca2e6f2d5bae06b161e2bee19446
+  tailwindcss-ruby (3.4.14) sha256=80e0eb4f369ca48c00b688f88730c5fefe2ea9821f16f03a86dd2a6bf56dda3a
+  tailwindcss-ruby (3.4.14-aarch64-linux) sha256=e4d15a6c8d06cf0c1f45e2582836c92be718e9bc9025067af282816b6336575f
+  tailwindcss-ruby (3.4.14-arm64-darwin) sha256=439ea278878d42b40f775db3783b8fd7d25fa969fd8c11f42436ba064752ae3a
+  tailwindcss-ruby (3.4.14-x86_64-darwin) sha256=add1f6c63cfb7851557323ef7bc7ed49d927ba610b4b363d1066389232ade3ef
+  tailwindcss-ruby (3.4.14-x86_64-linux) sha256=c23dec24cb855d748750e8f4bca1b048a1e617f381e81336c8ab65ede7e84d5c
+  thor (1.3.2) sha256=eef0293b9e24158ccad7ab383ae83534b7ad4ed99c09f96f1a6b036550abbeda
+  timeout (0.4.2) sha256=8aca2d5ff98eb2f7a501c03f8c3622065932cc58bc58f725cd50a09e63b4cc19
   timescaledb (0.3.0) sha256=9ce2b39417d30544054cb609fbd84e18e304c7b7952a793846b8f4489551a28f
   toxiproxy (2.0.2) sha256=2e3b53604fb921d40da3db8f78a52b3133fcae33e93d440725335b15974e440a
   tpm-key_attestation (0.12.0) sha256=e133d80cf24fef0e7a7dfad00fd6aeff01fc79875fbfc66cd8537bbd622b1e6d
-  turbo-rails (1.5.0) sha256=b426cc762fb0940277729b3f1751a9f0bd269f5613c1d62ac73e5f0be7c7a83e
-  turbo_power (0.5.0) sha256=869726c3a4308b038d6244f7a80eb1331bdd3171fa320dddcff71899fcae24fb
+  turbo-rails (2.0.11) sha256=fc47674736372780abd2a4dc0d84bef242f5ca156a457cd7fa6308291e397fcf
+  turbo_power (0.6.2) sha256=c9080d0d1bb79deed67bee2a7654dd38f9c903b57ad52b98d19d000958fde2cc
   tzinfo (2.0.6) sha256=8daf828cc77bcf7d63b0e3bdb6caa47e2272dcfaf4fbfe46f8c3a9df087a829b
-  unicode-display_width (2.5.0) sha256=7e7681dcade1add70cb9fda20dd77f300b8587c81ebbd165d14fd93144ff0ab4
+  unicode-display_width (2.6.0) sha256=12279874bba6d5e4d2728cef814b19197dbb10d7a7837a869bab65da943b7f5a
   unpwn (1.0.0) sha256=6239d17d46a882b3719b24fb79c78a34caff89d57ab0f5e546be5b5c882bc7d3
-  uri (0.13.0) sha256=26553c2a9399762e1e8bebd4444b4361c4b21298cf1c864b22eeabc9c4998f24
+  uri (1.0.2) sha256=b303504ceb7e5905771fa7fa14b649652fa949df18b5880d69cfb12494791e27
   user_agent_parser (2.18.0) sha256=aa943b91da8906cace7d3fe16b450c9d77b68f571485c11e577af97aecb25584
+  useragent (0.16.10) sha256=1794380d9ea5c087d687bbfe14752f81839293f238c1132ef05c9344f09e65bb
   validate_url (1.0.15) sha256=72fe164c0713d63a9970bd6700bea948babbfbdcec392f2342b6704042f57451
   validates_formatting_of (0.9.0) sha256=139590a4b87596dbfb04d93e897bd2e6d30fb849d04fab0343e71ed2ca856e7e
   version_gem (1.1.1) sha256=3c2da6ded29045ddcc0387e152dc634e1f0c490b7128dce0697ccc1cf0915b6c
-  view_component (3.12.1) sha256=f2ce2ad2945389f4bbd4ff77465605e9019041e5c804d16d093791be2542b18b
+  view_component (3.14.0) sha256=96816de1c40d276d9fac49316ee4d196de90b1ce6eb39373b887c639749e630c
   webauthn (3.1.0) sha256=e545fcf17d8a6b821161a37c1c4bc8c3d2ead0ff6ff3b098f57f417e731790b7
   webfinger (2.1.3) sha256=567a52bde77fb38ca6b67e55db755f988766ec4651c1d24916a65aa70540695c
-  webmock (3.23.1) sha256=0fa738c0767d1c4ec8cc57f6b21998f0c238c8a5b32450df1c847f2767140d95
-  webrick (1.8.1) sha256=19411ec6912911fd3df13559110127ea2badd0c035f7762873f58afc803e158f
-  websocket (1.2.10) sha256=2cc1a4a79b6e63637b326b4273e46adcddf7871caa5dc5711f2ca4061a629fa8
+  webmock (3.24.0) sha256=be01357f6fc773606337ca79f3ba332b7d52cbe5c27587671abc0572dbec7122
+  websocket (1.2.11) sha256=b7e7a74e2410b5e85c25858b26b3322f29161e300935f70a0e0d3c35e0462737
   websocket-driver (0.7.6) sha256=f69400be7bc197879726ad8e6f5869a61823147372fd8928836a53c2c741d0db
   websocket-extensions (0.1.5) sha256=1c6ba63092cda343eb53fc657110c71c754c56484aad42578495227d717a8241
   xml-simple (1.1.9) sha256=d21131e519c86f1a5bc2b6d2d57d46e6998e47f18ed249b25cad86433dbd695d
   xpath (3.2.0) sha256=6dfda79d91bb3b949b947ecc5919f042ef2f399b904013eb3ef6d20dd3a4082e
-  yard (0.9.36) sha256=5505736c1b00c926f71053a606ab75f02070c5960d0778b901fe9d8b0a470be4
-  zeitwerk (2.6.16) sha256=17df48537f09a937804f79bd9a92817da3b199e268634972d0e98a21ca588e21
+  yard (0.9.37) sha256=a6e910399e78e613f80ba9add9ba7c394b1a935f083cccbef82903a3d2a26992
+  zeitwerk (2.7.1) sha256=0945986050e4907140895378e74df1fe882a2271ed087cc6c6d6b00d415a2756
+  zlib (3.1.1) sha256=f61bb03139bbe256c36ba99ef9fece1fb223e9034ed9e5fa3ddb1588d99abc71
 
 RUBY VERSION
-   ruby 3.3.3p89
+   ruby 3.3.5p100
 
 BUNDLED WITH
-   2.5.14
+   2.5.21
diff --git a/app/assets/config/manifest.js b/app/assets/config/manifest.js
deleted file mode 100644
index 2b38b4b8101..00000000000
--- a/app/assets/config/manifest.js
+++ /dev/null
@@ -1,6 +0,0 @@
-//= link application.css
-//= link_tree ../../../vendor/assets/images
-//= link_tree ../builds
-//= link_tree ../../javascript .js
-//= link_tree ../../javascript/src .js
-//= link_tree ../../../vendor/javascript .js
diff --git a/app/assets/images/icons.svg b/app/assets/images/icons.svg
new file mode 100644
index 00000000000..f261c13645c
--- /dev/null
+++ b/app/assets/images/icons.svg
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="utf-8"?>
+<svg xmlns="http://www.w3.org/2000/svg">
+  <defs>
+    <!-- Material icons, 300 weight, optical size 24px (with a few exceptions) -->
+    <symbol id="account-box" viewBox="0 -960 960 960"><path d="M190.26-224.1q56.97-54.49 130.5-87.01 73.54-32.53 159.17-32.53 85.63 0 159.24 32.53 73.6 32.52 130.57 87.01v-533.33q0-4.62-3.84-8.47-3.85-3.84-8.47-3.84H202.57q-4.62 0-8.47 3.84-3.84 3.85-3.84 8.47v533.33Zm290.69-205.03q54.02 0 91.54-37.51Q610-504.15 610-558.18q0-54.02-37.51-91.54-37.52-37.51-91.54-37.51-54.03 0-91.54 37.51-37.51 37.52-37.51 91.54 0 54.03 37.51 91.54 37.51 37.51 91.54 37.51ZM202.57-140q-25.79 0-44.18-18.39T140-202.57v-554.86q0-25.79 18.39-44.18T202.57-820h554.86q25.79 0 44.18 18.39T820-757.43v554.86q0 25.79-18.39 44.18T757.43-140H202.57Zm22.04-50.26h510.37q-59.85-53.46-123.89-78.29-64.04-24.84-131.22-24.84-66.41 0-130.91 24.84-64.5 24.83-124.35 78.29Zm256.47-289.12q-32.82 0-55.88-23.05-23.05-23.06-23.05-55.75t23.05-55.74q23.06-23.05 55.75-23.05t55.74 23.1q23.05 23.11 23.05 55.56 0 32.82-23.1 55.88-23.11 23.05-55.56 23.05ZM480-497.26Z"/></symbol>
+    <symbol id="arrow-circle-down" viewBox="0 -960 960 960"><path d="m454-447.84-49.31-49.31q-8.31-8.31-18.19-8.31t-18.19 8.31q-8.31 8.3-8.31 18.44 0 10.15 8.31 18.32l89.91 89.91q9.7 9.71 22.35 9.71 12.64 0 22.12-9.85l89.77-89.77q8.31-8.17 8.31-18.32 0-10.14-8.31-18.44-8.31-8.31-18.45-8.31-10.14 0-18.32 8.31l-49.31 49.31v-138.52q0-10.93-7.41-18.32-7.42-7.4-18.39-7.4-10.96 0-18.77 7.4-7.81 7.39-7.81 18.32v138.52ZM480.34-116q-75.11 0-141.48-28.42-66.37-28.42-116.18-78.21-49.81-49.79-78.25-116.09Q116-405.01 116-480.39q0-75.38 28.42-141.25t78.21-115.68q49.79-49.81 116.09-78.25Q405.01-844 480.39-844q75.38 0 141.25 28.42t115.68 78.21q49.81 49.79 78.25 115.85Q844-555.45 844-480.34q0 75.11-28.42 141.48-28.42 66.37-78.21 116.18-49.79 49.81-115.85 78.25Q555.45-116 480.34-116Zm-.34-52q130 0 221-91t91-221q0-130-91-221t-221-91q-130 0-221 91t-91 221q0 130 91 221t221 91Zm0-312Z"/></symbol>
+    <symbol id="arrow-circle-right" viewBox="0 -960 960 960"><path d="m512.23-450-53.31 53.31q-8.3 8.31-8.11 20.69.19 12.38 8.5 20.69t20.95 8.31q12.64 0 20.82-8.31l99.38-99.38q10.85-10.85 10.85-25.31 0-14.46-10.85-25.31l-99.77-99.77q-8.31-8.3-20.69-8.3t-20.69 8.3q-8.31 8.31-8.31 20.95 0 12.64 8.31 20.82L512.23-510H360q-12.75 0-21.37 8.63-8.63 8.63-8.63 21.38 0 12.76 8.63 21.37Q347.25-450 360-450h152.23Zm-32.16 350q-78.84 0-148.21-29.92t-120.68-81.21q-51.31-51.29-81.25-120.63Q100-401.1 100-479.93q0-78.84 29.92-148.21t81.21-120.68q51.29-51.31 120.63-81.25Q401.1-860 479.93-860q78.84 0 148.21 29.92t120.68 81.21q51.31 51.29 81.25 120.63Q860-558.9 860-480.07q0 78.84-29.92 148.21t-81.21 120.68q-51.29 51.31-120.63 81.25Q558.9-100 480.07-100Zm-.07-60q134 0 227-93t93-227q0-134-93-227t-227-93q-134 0-227 93t-93 227q0 134 93 227t227 93Zm0-320Z"/></symbol>
+    <symbol id="arrow-drop-down" viewBox="0 -960 960 960"><path d="M460.81-393.04 334.76-519.08q-2.6-2.61-4.1-5.83-1.5-3.21-1.5-6.89 0-7.35 4.97-12.78 4.97-5.42 13.1-5.42h265.54q8.13 0 13.1 5.48 4.97 5.47 4.97 12.77 0 1.83-5.61 12.67L499.19-393.04q-4.34 4.35-8.98 6.35-4.64 2-10.21 2-5.57 0-10.21-2-4.64-2-8.98-6.35Z"/></symbol>
+    <symbol id="arrow-forward-ios" viewBox="0 -960 960 960"><path d="M593.23-480 291.92-781.31q-11.92-11.92-11.61-28.38.31-16.46 12.23-28.39Q304.46-850 320.92-850t28.39 11.92l306.23 306.85q10.84 10.85 16.07 24.31 5.24 13.46 5.24 26.92t-5.24 26.92q-5.23 13.46-16.07 24.31L348.69-121.92q-11.92 11.92-28.07 11.61-16.16-.31-28.08-12.23-11.92-11.92-11.92-28.38t11.92-28.39L593.23-480Z"/></symbol>
+    <symbol id="arrow-forward" viewBox="0 -960 960 960"><path d="M665.08-450H180v-60h485.08L437.23-737.85 480-780l300 300-300 300-42.77-42.15L665.08-450Z"/></symbol>
+    <symbol id="check-circle" viewBox="0 -960 960 960"><path d="m423.23-394.15-92.92-92.93q-8.31-8.3-20.89-8.5-12.57-.19-21.27 8.5-8.69 8.7-8.69 21.08 0 12.38 8.69 21.08l109.77 109.77q10.85 10.84 25.31 10.84 14.46 0 25.31-10.84l222.54-222.54q8.3-8.31 8.5-20.89.19-12.57-8.5-21.27-8.7-8.69-21.08-8.69-12.38 0-21.08 8.69l-205.69 205.7ZM480.07-100q-78.84 0-148.21-29.92t-120.68-81.21q-51.31-51.29-81.25-120.63Q100-401.1 100-479.93q0-78.84 29.92-148.21t81.21-120.68q51.29-51.31 120.63-81.25Q401.1-860 479.93-860q78.84 0 148.21 29.92t120.68 81.21q51.31 51.29 81.25 120.63Q860-558.9 860-480.07q0 78.84-29.92 148.21t-81.21 120.68q-51.29 51.31-120.63 81.25Q558.9-100 480.07-100Zm-.07-60q134 0 227-93t93-227q0-134-93-227t-227-93q-134 0-227 93t-93 227q0 134 93 227t227 93Zm0-320Z"/></symbol>
+    <symbol id="chevron-right" viewBox="0 -960 960 960"><path d="M517.85-480 354.92-642.92q-8.3-8.31-8.5-20.89-.19-12.57 8.5-21.27 8.7-8.69 21.08-8.69 12.38 0 21.08 8.69l179.77 179.77q5.61 5.62 7.92 11.85 2.31 6.23 2.31 13.46t-2.31 13.46q-2.31 6.23-7.92 11.85L397.08-274.92q-8.31 8.3-20.89 8.5-12.57.19-21.27-8.5-8.69-8.7-8.69-21.08 0-12.38 8.69-21.08L517.85-480Z"/></symbol>
+    <symbol id="close" viewBox="0 -960 960 960"><path d="M480-437.85 277.08-234.92q-8.31 8.3-20.89 8.5-12.57.19-21.27-8.5-8.69-8.7-8.69-21.08 0-12.38 8.69-21.08L437.85-480 234.92-682.92q-8.3-8.31-8.5-20.89-.19-12.57 8.5-21.27 8.7-8.69 21.08-8.69 12.38 0 21.08 8.69L480-522.15l202.92-202.93q8.31-8.3 20.89-8.5 12.57-.19 21.27 8.5 8.69 8.7 8.69 21.08 0 12.38-8.69 21.08L522.15-480l202.93 202.92q8.3 8.31 8.5 20.89.19 12.57-8.5 21.27-8.7 8.69-21.08 8.69-12.38 0-21.08-8.69L480-437.85Z"/></symbol>
+    <symbol id="content-copy" viewBox="0 -960 960 960"><path d="M362.31-260Q332-260 311-281q-21-21-21-51.31v-455.38Q290-818 311-839q21-21 51.31-21h335.38Q728-860 749-839q21 21 21 51.31v455.38Q770-302 749-281q-21 21-51.31 21H362.31Zm0-60h335.38q4.62 0 8.46-3.85 3.85-3.84 3.85-8.46v-455.38q0-4.62-3.85-8.46-3.84-3.85-8.46-3.85H362.31q-4.62 0-8.46 3.85-3.85 3.84-3.85 8.46v455.38q0 4.62 3.85 8.46 3.84 3.85 8.46 3.85Zm-140 200Q192-120 171-141q-21-21-21-51.31v-485.38q0-12.77 8.62-21.39 8.61-8.61 21.38-8.61t21.39 8.61q8.61 8.62 8.61 21.39v485.38q0 4.62 3.85 8.46 3.84 3.85 8.46 3.85h365.38q12.77 0 21.39 8.61 8.61 8.62 8.61 21.39 0 12.77-8.61 21.38-8.62 8.62-21.39 8.62H222.31ZM350-320v-480 480Z"/></symbol>
+    <symbol id="error" viewBox="0 -960 960 960"><path d="M480-290.77q13.73 0 23.02-9.29t9.29-23.02q0-13.73-9.29-23.02-9.29-9.28-23.02-9.28t-23.02 9.28q-9.29 9.29-9.29 23.02t9.29 23.02q9.29 9.29 23.02 9.29Zm.01-146.15q12.76 0 21.37-8.63 8.62-8.62 8.62-21.37v-180q0-12.75-8.63-21.38-8.63-8.62-21.38-8.62-12.76 0-21.37 8.62-8.62 8.63-8.62 21.38v180q0 12.75 8.63 21.37 8.63 8.63 21.38 8.63Zm.06 336.92q-78.84 0-148.21-29.92t-120.68-81.21q-51.31-51.29-81.25-120.63Q100-401.1 100-479.93q0-78.84 29.92-148.21t81.21-120.68q51.29-51.31 120.63-81.25Q401.1-860 479.93-860q78.84 0 148.21 29.92t120.68 81.21q51.31 51.29 81.25 120.63Q860-558.9 860-480.07q0 78.84-29.92 148.21t-81.21 120.68q-51.29 51.31-120.63 81.25Q558.9-100 480.07-100Zm-.07-60q134 0 227-93t93-227q0-134-93-227t-227-93q-134 0-227 93t-93 227q0 134 93 227t227 93Zm0-320Z"/></symbol>
+    <symbol id="history" viewBox="0 -960 960 960"><path d="M479.23-140q-120.61 0-212.61-73.62-92-73.61-117.93-188.38-3.23-11.92 3.89-21.92 7.11-10 20.15-11.62 12.27-1.61 22 4.85t13.58 19Q231.15-319 306.73-259.5t172.5 59.5q117 0 198.5-81.5t81.5-198.5q0-117-81.5-198.5T479.23-760q-65.54 0-122.84 29.12-57.31 29.11-98.7 80.11h74.62q12.75 0 21.37 8.63 8.63 8.63 8.63 21.38 0 12.76-8.63 21.37-8.62 8.62-21.37 8.62H195.39q-15.37 0-25.76-10.4-10.4-10.39-10.4-25.76v-136.92q0-12.75 8.63-21.37 8.63-8.63 21.39-8.63 12.75 0 21.37 8.63 8.61 8.62 8.61 21.37v64.77q48.69-57.46 116.62-89.19Q403.77-820 479.23-820q70.8 0 132.63 26.77t107.83 72.77q46 46 72.77 107.82 26.77 61.83 26.77 132.62t-26.77 132.63q-26.77 61.85-72.77 107.85-46 46-107.83 72.77Q550.03-140 479.23-140Zm31.15-352.15 110 110q8.31 8.3 8.5 20.88.2 12.58-8.5 21.27-8.69 8.69-21.07 8.69-12.39 0-21.08-8.69l-117-117q-5.61-5.62-8.23-12.24-2.61-6.62-2.61-13.68V-650q0-12.75 8.62-21.38 8.63-8.62 21.39-8.62 12.75 0 21.37 8.62 8.61 8.63 8.61 21.38v157.85Z"/></symbol>
+    <symbol id="house-siding" viewBox="0 -960 960 960"><path d="M273.85-260v90q0 12.75-8.63 21.37-8.63 8.63-21.39 8.63-12.75 0-21.37-8.63-8.61-8.62-8.61-21.37v-374.08L120-473.46q-10.54 7.31-22.31 6.19-11.77-1.12-19.46-11.65-7.69-10.54-6.27-22.31 1.43-11.77 11.96-19.46L436-787.23q9.85-7.23 21.08-10.65 11.24-3.43 22.92-3.43 11.68 0 22.92 3.43 11.23 3.42 21.08 10.65l352.46 266.54q9.92 7.69 11.65 19.46 1.73 11.77-5.96 22.31-7.69 10.53-19.46 11.65-11.77 1.12-22.31-6.19l-93.84-70.62V-170q0 12.75-8.63 21.37-8.63 8.63-21.39 8.63-12.75 0-21.37-8.63-8.61-8.62-8.61-21.37v-90H273.85Zm0-215.38h412.69v-95.39H273.85v95.39Zm0 155.38h412.69v-95.39H273.85V-320Zm54.61-310.77h303.08L480-744.39 328.46-630.77Z"/></symbol>
+    <symbol id="keyboard-arrow-down" viewBox="0 -960 960 960"><path d="M480-372.92q-7.23 0-13.46-2.31t-11.85-7.92L274.92-562.92q-8.3-8.31-8.5-20.89-.19-12.57 8.5-21.27 8.7-8.69 21.08-8.69 12.38 0 21.08 8.69L480-442.15l162.92-162.93q8.31-8.3 20.89-8.5 12.57-.19 21.27 8.5 8.69 8.7 8.69 21.08 0 12.38-8.69 21.08L505.31-383.15q-5.62 5.61-11.85 7.92-6.23 2.31-13.46 2.31Z"/></symbol>
+    <symbol id="language" viewBox="0 -960 960 960"><path d="M480-100q-78.15 0-147.5-29.96t-120.96-81.58q-51.62-51.61-81.58-120.96T100-480q0-78.77 29.96-147.81t81.58-120.65q51.61-51.62 120.96-81.58T480-860q78.77 0 147.81 29.96t120.65 81.58q51.62 51.61 81.58 120.65T860-480q0 78.15-29.96 147.5t-81.58 120.96q-51.61 51.62-120.65 81.58T480-100Zm0-60.85q30.62-40.61 51.54-81.92 20.92-41.31 34.08-90.31H394.38q13.93 50.54 34.47 91.85 20.53 41.31 51.15 80.38Zm-77.46-11q-23-33-41.31-75.03-18.31-42.04-28.46-86.2H197.08q31.69 62.31 85 104.7 53.31 42.38 120.46 56.53Zm154.92 0q67.15-14.15 120.46-56.53 53.31-42.39 85-104.7H627.23q-12.08 44.54-30.39 86.58-18.3 42.04-39.38 74.65ZM171.92-393.08h148.7q-3.77-22.3-5.47-43.73-1.69-21.42-1.69-43.19 0-21.77 1.69-43.19 1.7-21.43 5.47-43.73h-148.7q-5.77 20.38-8.84 42.38-3.08 22-3.08 44.54t3.08 44.54q3.07 22 8.84 42.38Zm208.69 0h198.78q3.76-22.3 5.46-43.34 1.69-21.04 1.69-43.58t-1.69-43.58q-1.7-21.04-5.46-43.34H380.61q-3.76 22.3-5.46 43.34-1.69 21.04-1.69 43.58t1.69 43.58q1.7 21.04 5.46 43.34Zm258.77 0h148.7q5.77-20.38 8.84-42.38 3.08-22 3.08-44.54t-3.08-44.54q-3.07-22-8.84-42.38h-148.7q3.77 22.3 5.47 43.73 1.69 21.42 1.69 43.19 0 21.77-1.69 43.19-1.7 21.43-5.47 43.73Zm-12.15-233.84h135.69Q730.85-690 678.5-731.62q-52.35-41.61-121.04-56.92 23 34.92 40.92 76.39 17.93 41.46 28.85 85.23Zm-232.85 0h171.24q-13.93-50.16-35.04-92.43-21.12-42.27-50.58-79.8-29.46 37.53-50.58 79.8-21.11 42.27-35.04 92.43Zm-197.3 0h135.69q10.92-43.77 28.85-85.23 17.92-41.47 40.92-76.39-69.08 15.31-121.23 57.12-52.16 41.8-84.23 104.5Z"/></symbol>
+    <symbol id="link" viewBox="0 -960 960 960"><path d="M432.31-298.46H281.54q-75.34 0-128.44-53.1Q100-404.65 100-479.98q0-75.33 53.1-128.44 53.1-53.12 128.44-53.12h150.77v60H281.54q-50.39 0-85.96 35.58Q160-530.38 160-480q0 50.38 35.58 85.96 35.57 35.58 85.96 35.58h150.77v60ZM330-450v-60h300v60H330Zm197.69 151.54v-60h150.77q50.39 0 85.96-35.58Q800-429.62 800-480q0-50.38-35.58-85.96-35.57-35.58-85.96-35.58H527.69v-60h150.77q75.34 0 128.44 53.1Q860-555.35 860-480.02q0 75.33-53.1 128.44-53.1 53.12-128.44 53.12H527.69Z"/></symbol>
+    <symbol id="logout" viewBox="0 -960 960 960"><path d="M224.62-160q-27.62 0-46.12-18.5Q160-197 160-224.62v-510.76q0-27.62 18.5-46.12Q197-800 224.62-800h236.15q8.54 0 14.27 5.73t5.73 14.27q0 8.54-5.73 14.27T460.77-760H224.62q-9.24 0-16.93 7.69-7.69 7.69-7.69 16.93v510.76q0 9.24 7.69 16.93 7.69 7.69 16.93 7.69h236.15q8.54 0 14.27 5.73t5.73 14.27q0 8.54-5.73 14.27T460.77-160H224.62Zm497.76-300H387.69q-8.54 0-14.27-5.73T367.69-480q0-8.54 5.73-14.27t14.27-5.73h334.69l-78.84-78.85q-5.62-5.61-6-13.53-.39-7.93 6-14.54 6.38-6.62 14.15-6.73 7.77-.12 14.39 6.5l104.54 104.53q9.69 9.7 9.69 22.62 0 12.92-9.69 22.62L672.08-352.85q-5.85 5.85-13.89 6.12-8.04.27-14.65-6.35-6.39-6.61-6.27-14.27.11-7.65 6.5-14.03L722.38-460Z"/></symbol>
+    <symbol id="mail" viewBox="0 -960 960 960"><path d="M172.31-180Q142-180 121-201q-21-21-21-51.31v-455.38Q100-738 121-759q21-21 51.31-21h615.38Q818-780 839-759q21 21 21 51.31v455.38Q860-222 839-201q-21 21-51.31 21H172.31ZM800-662.31 499.46-469.92q-4.61 2.61-9.54 4.11-4.92 1.5-9.92 1.5t-9.92-1.5q-4.93-1.5-9.54-4.11L160-662.31v410q0 5.39 3.46 8.85t8.85 3.46h615.38q5.39 0 8.85-3.46t3.46-8.85v-410ZM480-520l313.85-200h-627.7L480-520ZM160-662.31v9.23-45.73 1.19V-720v22.38-1.27V-653.08v-9.23V-240v-422.31Z"/></symbol>
+    <symbol id="menu" viewBox="0 -960 960 960"><path d="M170-254.62q-12.75 0-21.37-8.63-8.63-8.62-8.63-21.38 0-12.75 8.63-21.37 8.62-8.61 21.37-8.61h620q12.75 0 21.37 8.62 8.63 8.63 8.63 21.39 0 12.75-8.63 21.37-8.62 8.61-21.37 8.61H170ZM170-450q-12.75 0-21.37-8.63-8.63-8.63-8.63-21.38 0-12.76 8.63-21.37Q157.25-510 170-510h620q12.75 0 21.37 8.63 8.63 8.63 8.63 21.38 0 12.76-8.63 21.37Q802.75-450 790-450H170Zm0-195.39q-12.75 0-21.37-8.62-8.63-8.63-8.63-21.39 0-12.75 8.63-21.37 8.62-8.61 21.37-8.61h620q12.75 0 21.37 8.63 8.63 8.62 8.63 21.38 0 12.75-8.63 21.37-8.62 8.61-21.37 8.61H170Z"/></symbol>
+    <symbol id="notifications" viewBox="0 -960 960 960"><path d="M210-204.62q-12.75 0-21.37-8.62-8.63-8.63-8.63-21.39 0-12.75 8.63-21.37 8.62-8.61 21.37-8.61h42.31v-298.47q0-80.69 49.81-142.69 49.8-62 127.88-79.31V-810q0-20.83 14.57-35.42Q459.14-860 479.95-860q20.82 0 35.43 14.58Q530-830.83 530-810v24.92q78.08 17.31 127.88 79.31 49.81 62 49.81 142.69v298.47H750q12.75 0 21.37 8.62 8.63 8.63 8.63 21.39 0 12.75-8.63 21.37-8.62 8.61-21.37 8.61H210Zm270-293.07Zm-.07 405.38q-29.85 0-51.04-21.24-21.2-21.24-21.2-51.07h144.62q0 29.93-21.26 51.12-21.26 21.19-51.12 21.19Zm-167.62-172.3h335.38v-298.47q0-69.46-49.11-118.57-49.12-49.12-118.58-49.12-69.46 0-118.58 49.12-49.11 49.11-49.11 118.57v298.47Z"/></symbol>
+    <symbol id="rss-feed" viewBox="0 -960 960 960"><path d="M204.62-140q-26.66 0-45.64-18.98T140-204.62q0-26.65 18.98-45.63 18.98-18.98 45.64-18.98 26.65 0 45.63 18.98 18.98 18.98 18.98 45.63 0 26.66-18.98 45.64T204.62-140Zm530.83 0q-19.53 0-32.42-14.66-12.9-14.66-15.11-34.73-8.69-99.3-50-186.11-41.3-86.81-108.46-153.96-67.15-67.16-153.96-108.46-86.81-41.31-186.11-50-20.07-2.23-34.73-15.21Q140-716.1 140-735.38q0-19.56 13.96-31.98 13.96-12.41 32.81-10.79 119.15 8.69 222.81 57.5 103.65 48.8 182.96 128.11 79.31 79.31 128.11 182.96 48.81 103.66 57.5 222.81 1.62 18.85-10.78 32.81Q754.98-140 735.45-140Zm-230.83 0q-18.85 0-32.04-13.66-13.19-13.65-16.66-32.49-7.46-53.24-30.53-98.39Q402.31-329.69 366-366q-36.31-36.31-81.46-59.39-45.15-23.07-98.39-30.53-18.84-3.47-32.49-16.66Q140-485.77 140-504.55q0-19.53 13.96-32.1 13.96-12.58 32.81-9.73 71.08 8.07 132.85 38.46 61.76 30.38 109.84 78.46 48.08 48.08 78.46 109.84 30.39 61.77 38.46 132.85 2.85 18.85-9.79 32.81Q523.95-140 504.62-140Z"/></symbol>
+    <symbol id="search" viewBox="0 -960 960 960"><path d="M379.69-339.85q-102.01 0-172.77-70.74t-70.76-171.85q0-101.1 70.74-171.84 70.74-70.74 171.99-70.74 101.25 0 171.97 70.74 70.73 70.74 70.73 171.85 0 42.3-14.39 81.84-14.38 39.54-40.53 70.69l239.07 238q7.23 6.94 7.43 17.89.19 10.96-7.43 18.45-7.61 7.48-18.38 7.48-10.76 0-18.08-7.61L530.87-394.1q-29.9 25.86-69.4 40.06-39.51 14.19-81.78 14.19Zm-.41-50.25q80.41 0 136.23-55.96 55.82-55.97 55.82-136.38t-55.82-136.37q-55.82-55.96-136.23-55.96-80.75 0-136.81 55.96t-56.06 136.37q0 80.41 56.06 136.38 56.06 55.96 136.81 55.96Z"/></symbol>
+    <symbol id="settings" viewBox="0 -960 960 960"><path d="M435.69-100q-20.46 0-35.34-13.58-14.89-13.57-18.12-33.42l-9.77-74.85q-16.07-5.38-32.96-15.07-16.88-9.7-30.19-20.77L240-228.23q-18.85 8.31-37.88 1.61-19.04-6.69-29.58-24.3l-45.08-78.16q-10.54-17.61-6.07-37.27 4.46-19.65 20.46-32.42l59.92-45q-1.38-8.92-1.96-17.92-.58-9-.58-17.93 0-8.53.58-17.34t1.96-19.27l-59.92-45q-16-12.77-20.27-32.62-4.27-19.84 6.27-37.46l44.69-77q10.54-17.23 29.58-24.11 19.03-6.89 37.88 1.42l68.92 29.08q14.47-11.46 30.89-20.96t32.27-15.27L382.23-813q3.23-19.85 18.12-33.42Q415.23-860 435.69-860h88.62q20.46 0 35.34 13.58 14.89 13.57 18.12 33.42l9.77 75.23q18 6.54 32.57 15.27 14.58 8.73 29.43 20.58L720.39-731q18.84-8.31 37.88-1.42 19.04 6.88 29.57 24.11l44.7 77.39q10.54 17.61 6.07 37.27-4.46 19.65-20.46 32.42l-61.46 46.15q2.15 9.69 2.35 18.12.19 8.42.19 16.96 0 8.15-.39 16.58-.38 8.42-2.76 19.27l60.3 45.38q16 12.77 20.66 32.42 4.65 19.66-5.89 37.27l-45.31 77.77q-10.53 17.62-29.76 24.31-19.23 6.69-38.08-1.62l-68.46-29.46q-14.85 11.85-30.31 20.96-15.46 9.12-31.69 14.89L577.77-147q-3.23 19.85-18.12 33.42Q544.77-100 524.31-100h-88.62Zm4.31-60h78.62L533-267.15q30.62-8 55.96-22.73 25.35-14.74 48.89-37.89L737.23-286l39.39-68-86.77-65.38q5-15.54 6.8-30.47 1.81-14.92 1.81-30.15 0-15.62-1.81-30.15-1.8-14.54-6.8-29.7L777.38-606 738-674l-100.54 42.38q-20.08-21.46-48.11-37.92-28.04-16.46-56.73-23.31L520-800h-79.38l-13.24 106.77q-30.61 7.23-56.53 22.15-25.93 14.93-49.47 38.46L222-674l-39.38 68L269-541.62q-5 14.24-7 29.62t-2 32.38q0 15.62 2 30.62 2 15 6.62 29.62l-86 65.38L222-286l99-42q22.77 23.38 48.69 38.31 25.93 14.92 57.31 22.92L440-160Zm40.46-200q49.92 0 84.96-35.04 35.04-35.04 35.04-84.96 0-49.92-35.04-84.96Q530.38-600 480.46-600q-50.54 0-85.27 35.04T360.46-480q0 49.92 34.73 84.96Q429.92-360 480.46-360ZM480-480Z"/></symbol>
+    <symbol id="space-dashboard" viewBox="0 -960 960 960"><path d="M212.31-140Q182-140 161-161q-21-21-21-51.31v-535.38Q140-778 161-799q21-21 51.31-21h535.38Q778-820 799-799q21 21 21 51.31v535.38Q820-182 799-161q-21 21-51.31 21H212.31Zm0-60H450v-560H212.31q-4.62 0-8.46 3.85-3.85 3.84-3.85 8.46v535.38q0 4.62 3.85 8.46 3.84 3.85 8.46 3.85ZM510-200h237.69q4.62 0 8.46-3.85 3.85-3.84 3.85-8.46V-480H510v280Zm0-340h250v-207.69q0-4.62-3.85-8.46-3.84-3.85-8.46-3.85H510v220Z"/></symbol>
+    <symbol id="tune" viewBox="0 -960 960 960"><path d="M479.99-130q-12.76 0-21.37-8.63Q450-147.25 450-160v-160q0-12.75 8.63-21.37 8.63-8.63 21.38-8.63 12.76 0 21.37 8.63Q510-332.75 510-320v50h290q12.75 0 21.37 8.63 8.63 8.63 8.63 21.38 0 12.76-8.63 21.37Q812.75-210 800-210H510v50q0 12.75-8.63 21.37-8.63 8.63-21.38 8.63ZM160-210q-12.75 0-21.37-8.63-8.63-8.63-8.63-21.38 0-12.76 8.63-21.37Q147.25-270 160-270h160q12.75 0 21.37 8.63 8.63 8.63 8.63 21.38 0 12.76-8.63 21.37Q332.75-210 320-210H160Zm159.99-160q-12.76 0-21.37-8.63Q290-387.25 290-400v-50H160q-12.75 0-21.37-8.63-8.63-8.63-8.63-21.38 0-12.76 8.63-21.37Q147.25-510 160-510h130v-50q0-12.75 8.63-21.37 8.63-8.63 21.38-8.63 12.76 0 21.37 8.63Q350-572.75 350-560v160q0 12.75-8.63 21.37-8.63 8.63-21.38 8.63ZM480-450q-12.75 0-21.37-8.63-8.63-8.63-8.63-21.38 0-12.76 8.63-21.37Q467.25-510 480-510h320q12.75 0 21.37 8.63 8.63 8.63 8.63 21.38 0 12.76-8.63 21.37Q812.75-450 800-450H480Zm159.99-160q-12.76 0-21.37-8.63Q610-627.25 610-640v-160q0-12.75 8.63-21.37 8.63-8.63 21.38-8.63 12.76 0 21.37 8.63Q670-812.75 670-800v50h130q12.75 0 21.37 8.63 8.63 8.63 8.63 21.38 0 12.76-8.63 21.37Q812.75-690 800-690H670v50q0 12.75-8.63 21.37-8.63 8.63-21.38 8.63ZM160-690q-12.75 0-21.37-8.63-8.63-8.63-8.63-21.38 0-12.76 8.63-21.37Q147.25-750 160-750h320q12.75 0 21.37 8.63 8.63 8.63 8.63 21.38 0 12.76-8.63 21.37Q492.75-690 480-690H160Z"/></symbol>
+    <symbol id="warning" viewBox="0 -960 960 960"><path d="M137.02-140q-10.17 0-18.27-4.97t-12.59-13.11q-4.68-8.08-5.15-17.5-.47-9.42 5.08-18.66l342.43-591.52q5.56-9.24 13.9-13.66 8.35-4.42 17.58-4.42 9.23 0 17.58 4.42 8.34 4.42 13.9 13.66l342.43 591.52q5.55 9.24 5.08 18.66-.47 9.42-5.15 17.5-4.49 8.14-12.59 13.11-8.1 4.97-18.27 4.97H137.02ZM178-200h604L480-720 178-200Zm302-47.69q13.73 0 23.02-9.29t9.29-23.02q0-13.73-9.29-23.02T480-312.31q-13.73 0-23.02 9.29T447.69-280q0 13.73 9.29 23.02t23.02 9.29Zm.01-104.62q12.76 0 21.37-8.62 8.62-8.63 8.62-21.38v-140q0-12.75-8.63-21.37-8.63-8.63-21.38-8.63-12.76 0-21.37 8.63-8.62 8.62-8.62 21.37v140q0 12.75 8.63 21.38 8.63 8.62 21.38 8.62ZM480-460Z"/></symbol>
+
+    <!-- Custom Icons -->
+    <symbol id="logo" viewBox="0 0 32 32"><path d="M10.4 10.5l-3.9 4L16 24l9.6-9.5-3.9-4H10.4ZM16 29 4.7 22.5V9.5L16 3 27.3 9.5v13L16 29ZM2 8V24l14 8 14-8V8L16 0 2 8Z"/></symbol>
+    <symbol id="gems" viewBox="0 0 24 24"><path d="m8.22 8.29-2.63 2.7L12 17.4l6.48-6.41-2.63-2.7H8.22ZM12 20.77 4.37 16.39V7.61L12 3.23l7.63 4.38v8.78L12 20.77ZM2.55 6.6V17.4L12 22.8l9.45-5.4V6.6L12 1.2 2.55 6.6Z"/></symbol>
+    <symbol id="organizations" viewBox="0 0 24 24"><path fill-rule="evenodd" clip-rule="evenodd" d="M10.59 13.45c-.39-.4-.59-.88-.59-1.44 0-.57.2-1.05.59-1.44s.87-.58 1.43-.58c.57 0 1.05.19 1.44.58.39.39.58.87.58 1.44 0 .56-.19 1.04-.58 1.44-.39.39-.87.59-1.44.59-.56 0-1.04-.2-1.43-.59Zm5.87.86c-.26-.26-.39-.58-.39-.95 0-.38.13-.7.39-.96.27-.26.58-.39.95-.39.39 0 .71.13.97.39.25.26.38.58.38.96 0 .37-.13.69-.38.95-.26.27-.58.4-.97.4-.37 0-.68-.13-.95-.4Zm-10.79 0c-.26-.26-.39-.58-.39-.95 0-.38.13-.7.39-.96.27-.26.59-.39.96-.39.38 0 .7.13.96.39s.39.58.39.96c0 .37-.13.69-.39.95-.26.27-.58.4-.96.4-.37 0-.69-.13-.96-.4ZM2.57 6.62V17.41l9.44 5.39 9.44-5.39V6.62l-9.44-5.4-9.44 5.4Zm1.35 10 .06.04c.1-.33.33-.61.7-.83.5-.3 1.15-.45 1.95-.45.14 0 .28.01.42.01.13.01.26.02.39.04-.16.23-.28.47-.36.73s-.12.53-.12.82v1.38l1.02.58V16.98c0-.73.37-1.32 1.12-1.77.74-.44 1.72-.67 2.92-.67 1.21 0 2.19.23 2.93.67.75.45 1.12 1.04 1.12 1.77v1.95l1.01-.58V16.98c0-.29-.04-.56-.11-.82-.07-.26-.18-.5-.33-.73.12-.02.25-.03.38-.04.13 0 .26-.01.39-.01.81 0 1.47.15 1.96.45.36.22.59.49.69.82l.04-.03V7.4L12.01 2.78 3.92 7.4v9.22Z"/></symbol>
+    <symbol id="ruby-central" viewBox="0 0 60 60"><path fill-rule="evenodd" clip-rule="evenodd" d="M9.362 11.513a9.603 9.603 0 0 1 9.604-9.604h21.131a9.605 9.605 0 0 1 9.605 9.604v21.131a9.606 9.606 0 0 1-9.605 9.605h-21.13a9.605 9.605 0 0 1-9.605-9.605v-21.13ZM44.33 21.886c0 8.063-6.537 14.6-14.6 14.6s-14.599-6.537-14.599-14.6 6.536-14.6 14.6-14.6 14.599 6.537 14.599 14.6ZM27.164 13.05c-.984 0-1.92.418-2.577 1.149L21.4 17.742a3.467 3.467 0 0 0-.1 4.518l5.916 7.196a3.467 3.467 0 0 0 5.354 0l5.916-7.196a3.467 3.467 0 0 0-.1-4.518l-3.187-3.544a3.467 3.467 0 0 0-2.577-1.15h-5.458ZM26.591 16a.77.77 0 0 1 .573-.254h5.458c.219 0 .426.093.573.254l3.186 3.545a.77.77 0 0 1 .022 1.004l-5.915 7.197a.77.77 0 0 1-1.19 0l-5.915-7.197a.77.77 0 0 1 .022-1.004L26.591 16Zm32.113 40.033c.05.049.108.074.178.074h.868a.24.24 0 0 0 .177-.074.238.238 0 0 0 .073-.177v-6.917a.24.24 0 0 0-.073-.18.243.243 0 0 0-.177-.072h-.868a.245.245 0 0 0-.178.073.246.246 0 0 0-.073.179v6.917c0 .07.025.13.073.177Zm-4.164.178c-.361 0-.689-.07-.982-.209a1.907 1.907 0 0 1-.7-.576 1.403 1.403 0 0 1-.25-.814 1.365 1.365 0 0 1 .584-1.16c.397-.293.92-.488 1.568-.585l1.432-.21v-.218c0-.293-.073-.52-.22-.68-.146-.16-.397-.24-.752-.24a1.112 1.112 0 0 0-.617.156.91.91 0 0 0-.345.398.266.266 0 0 1-.24.135h-.826c-.076 0-.135-.02-.177-.062a.256.256 0 0 1-.053-.168 1.062 1.062 0 0 1 .137-.407c.083-.16.216-.314.397-.46.18-.153.414-.282.7-.386.286-.105.63-.157 1.034-.157.44 0 .808.055 1.109.167a1.862 1.862 0 0 1 .73.428c.182.181.314.395.398.638.083.243.125.501.125.773v3.282a.24.24 0 0 1-.073.177.243.243 0 0 1-.177.074h-.847a.258.258 0 0 1-.189-.074.267.267 0 0 1-.062-.177v-.408a1.655 1.655 0 0 1-.366.376 2.124 2.124 0 0 1-.565.283 2.533 2.533 0 0 1-.773.104Zm.356-.993c.244 0 .463-.052.658-.156a1.08 1.08 0 0 0 .47-.48c.119-.224.178-.503.178-.837v-.22l-1.045.167c-.41.063-.717.164-.92.303-.2.14-.303.31-.303.513a.61.61 0 0 0 .137.397.95.95 0 0 0 .365.24c.146.048.3.073.46.073Zm-5.827.815a.243.243 0 0 0 .177.074h.909c.077 0 .14-.025.188-.074a.243.243 0 0 0 .074-.177v-2.873c0-.328.09-.586.272-.774.187-.188.449-.283.783-.283h.815c.077 0 .136-.023.178-.073a.243.243 0 0 0 .073-.178v-.752a.243.243 0 0 0-.073-.177.222.222 0 0 0-.178-.073h-.428c-.335 0-.63.06-.889.177a1.579 1.579 0 0 0-.617.513v-.43a.237.237 0 0 0-.083-.187.243.243 0 0 0-.177-.073h-.847a.25.25 0 0 0-.25.26v4.923c0 .07.023.13.073.177Zm-1.774.074c-.418 0-.77-.074-1.056-.22a1.4 1.4 0 0 1-.637-.648c-.14-.292-.21-.654-.21-1.086V51.78h-.825a.243.243 0 0 1-.178-.073.246.246 0 0 1-.073-.179v-.606c0-.07.025-.129.073-.177a.243.243 0 0 1 .178-.073h.825v-1.734c0-.071.021-.13.064-.18a.256.256 0 0 1 .187-.072h.846a.246.246 0 0 1 .251.252v1.734h1.307c.07 0 .13.024.178.073a.243.243 0 0 1 .073.177v.606c0 .07-.025.13-.073.179a.243.243 0 0 1-.178.073H46.74v2.268c0 .285.05.507.147.668.105.16.283.24.533.24h.722c.07 0 .127.025.177.074a.243.243 0 0 1 .073.177v.648a.24.24 0 0 1-.073.177.245.245 0 0 1-.177.074h-.847Zm-8.542-.074a.243.243 0 0 0 .177.074h.92a.24.24 0 0 0 .178-.074.238.238 0 0 0 .073-.177V52.98c0-.403.108-.72.324-.95.216-.23.505-.346.867-.346.377 0 .662.116.857.345.202.23.304.548.304.951v2.875c0 .07.024.13.072.177.05.049.108.074.179.074h.918c.071 0 .13-.025.179-.074a.243.243 0 0 0 .073-.177v-2.937c0-.488-.088-.906-.262-1.253a1.844 1.844 0 0 0-.72-.806 2.053 2.053 0 0 0-1.108-.292c-.418 0-.77.076-1.056.23a2.18 2.18 0 0 0-.69.554v-.429a.243.243 0 0 0-.072-.177.24.24 0 0 0-.178-.073h-.858a.238.238 0 0 0-.177.073.243.243 0 0 0-.073.177v4.933c0 .07.024.13.073.177Zm-3.443.178c-.774 0-1.387-.223-1.84-.67-.453-.445-.696-1.079-.73-1.9a2.545 2.545 0 0 1-.012-.263c0-.111.004-.198.011-.26.027-.523.147-.976.355-1.36.216-.382.513-.675.889-.877.376-.208.818-.313 1.327-.313.563 0 1.037.118 1.42.355.384.23.674.554.869.972.194.411.291.888.291 1.431v.22a.238.238 0 0 1-.073.178.253.253 0 0 1-.187.073h-3.47v.083c.007.244.052.47.136.68a1.233 1.233 0 0 0 .387.49c.174.126.38.19.616.19a1.3 1.3 0 0 0 .491-.084 1.293 1.293 0 0 0 .502-.397c.063-.085.111-.133.146-.147a.407.407 0 0 1 .177-.03h.9c.069 0 .125.02.167.061a.174.174 0 0 1 .063.157c-.007.111-.067.248-.179.408a1.938 1.938 0 0 1-.459.47 2.71 2.71 0 0 1-.763.386 3.322 3.322 0 0 1-1.034.147Zm-1.15-3.292h2.309v-.03c0-.273-.045-.51-.135-.712a1.12 1.12 0 0 0-.397-.48 1.082 1.082 0 0 0-.627-.178 1.08 1.08 0 0 0-.627.178 1.112 1.112 0 0 0-.397.48 1.838 1.838 0 0 0-.126.711v.031Zm-6.727 2.958c.453.223 1.003.334 1.65.334.475 0 .9-.062 1.275-.187a3.02 3.02 0 0 0 .962-.513c.265-.222.47-.48.617-.773a2.222 2.222 0 0 0 .23-.951.17.17 0 0 0-.063-.157.211.211 0 0 0-.157-.063h-.993a.313.313 0 0 0-.187.052c-.05.035-.085.102-.106.199-.11.453-.303.767-.574.94-.272.168-.61.251-1.013.251-.467 0-.84-.129-1.119-.386-.279-.265-.428-.697-.449-1.295a24.37 24.37 0 0 1 0-1.757c.021-.6.17-1.028.45-1.284.277-.266.651-.398 1.118-.398.403 0 .74.084 1.013.251.271.166.464.48.574.94a.354.354 0 0 0 .106.198.313.313 0 0 0 .187.054h.993a.211.211 0 0 0 .157-.064.171.171 0 0 0 .063-.156 2.218 2.218 0 0 0-.847-1.714 2.898 2.898 0 0 0-.962-.523 4.018 4.018 0 0 0-1.274-.188c-.64 0-1.188.115-1.641.345a2.408 2.408 0 0 0-1.034.972c-.237.425-.37.93-.397 1.515a37.886 37.886 0 0 0 0 1.86c.027.593.16 1.102.397 1.526.237.418.578.742 1.024.972Zm-7.801 2.216a.2.2 0 0 1-.147-.064.199.199 0 0 1-.063-.146V57.8a.474.474 0 0 1 .042-.083l.816-1.934-2.007-4.734a.482.482 0 0 1-.041-.147.25.25 0 0 1 .073-.156.196.196 0 0 1 .156-.073h.847c.083 0 .146.02.187.063a.424.424 0 0 1 .095.135l1.39 3.417 1.43-3.417a.314.314 0 0 1 .095-.135c.042-.042.104-.063.189-.063h.835a.2.2 0 0 1 .147.063.186.186 0 0 1 .073.145.468.468 0 0 1-.042.168l-2.957 6.845a.417.417 0 0 1-.105.135c-.041.043-.105.064-.188.064h-.825Zm-4.87-2.09c.272.138.61.208 1.013.208.37 0 .69-.058.962-.178.272-.125.498-.299.68-.522.18-.222.32-.484.417-.783a3.8 3.8 0 0 0 .168-1.003 6.92 6.92 0 0 0 .01-.335c0-.105-.004-.22-.01-.345a3.348 3.348 0 0 0-.158-.972 2.281 2.281 0 0 0-.428-.784 1.828 1.828 0 0 0-.679-.533 2.278 2.278 0 0 0-.962-.188 2.123 2.123 0 0 0-.96.199 1.983 1.983 0 0 0-.648.491v-2.32a.246.246 0 0 0-.074-.178.223.223 0 0 0-.177-.073h-.889a.243.243 0 0 0-.177.073.246.246 0 0 0-.074.179v6.917c0 .07.025.13.074.177a.243.243 0 0 0 .177.074h.826a.22.22 0 0 0 .177-.074.238.238 0 0 0 .073-.177v-.386c.175.216.394.393.66.532Zm1.327-1.098c-.167.126-.4.188-.7.188-.285 0-.519-.066-.7-.198a1.197 1.197 0 0 1-.387-.502 2.28 2.28 0 0 1-.135-.637 6.72 6.72 0 0 1 0-.805c.006-.21.055-.408.146-.595a1.2 1.2 0 0 1 .397-.482c.174-.125.4-.187.68-.187.298 0 .532.065.7.198a1 1 0 0 1 .354.502c.077.208.122.438.137.69.013.208.013.417 0 .627a2.39 2.39 0 0 1-.137.689 1.065 1.065 0 0 1-.355.512ZM8.603 56.21c-.425 0-.794-.094-1.108-.282a1.93 1.93 0 0 1-.71-.815 2.912 2.912 0 0 1-.25-1.254v-2.937c0-.07.023-.129.073-.177a.238.238 0 0 1 .177-.073h.92a.22.22 0 0 1 .177.073.243.243 0 0 1 .073.177v2.874c0 .864.38 1.296 1.139 1.296.362 0 .648-.116.857-.345.216-.23.324-.547.324-.951v-2.874c0-.07.024-.129.074-.177a.238.238 0 0 1 .177-.073h.92c.07 0 .129.023.177.073a.243.243 0 0 1 .074.177v4.933c0 .07-.025.13-.074.177a.243.243 0 0 1-.177.074h-.847a.258.258 0 0 1-.188-.074.267.267 0 0 1-.062-.177v-.428a2.031 2.031 0 0 1-.7.574c-.28.14-.627.209-1.046.209Zm-8.53-.178c.05.05.109.074.178.074h.951c.077 0 .136-.024.177-.074a.238.238 0 0 0 .074-.177v-2.509h1.453l1.348 2.478a.84.84 0 0 0 .147.187c.062.064.152.095.27.095h.952a.199.199 0 0 0 .145-.062.197.197 0 0 0 .074-.158.252.252 0 0 0-.031-.114l-1.526-2.665a2.12 2.12 0 0 0 1.014-.742c.257-.342.386-.77.386-1.285 0-.746-.243-1.315-.73-1.704-.489-.39-1.154-.585-1.997-.585H.251a.238.238 0 0 0-.177.073.253.253 0 0 0-.074.188v6.803c0 .07.025.13.074.177Zm2.853-3.866H1.453V49.95h1.473c.432 0 .75.102.952.303.209.196.313.467.313.816s-.104.62-.313.815c-.21.188-.526.282-.952.282Z"/></symbol>
+    <symbol id="dnsimple" viewBox="0 0 60 60"><path fill-rule="evenodd" clip-rule="evenodd" d="M6.175 24.787a3.92 3.92 0 0 0-.843.075v2.802c-.392-.151-.844-.226-1.446-.226-2.139 0-3.887 1.461-3.887 3.811 0 2.41 1.597 3.736 3.947 3.736 1.16 0 2.35-.316 3.088-.708v-9.415a4.242 4.242 0 0 0-.859-.075Zm-2.259 8.707c-1.296 0-2.184-.874-2.184-2.275 0-1.386.949-2.275 2.214-2.275.512 0 .979.061 1.386.317v4.007a3.742 3.742 0 0 1-1.416.226Zm8.421-6.086c-1.537 0-2.787.602-3.42 1.13v6.221c.286.06.573.075.844.075.286 0 .587-.015.858-.075v-5.393c.332-.196.919-.391 1.582-.391 1.1 0 1.732.497 1.732 1.807v3.977c.302.06.573.075.859.075.271 0 .573-.015.859-.075v-4.384c0-1.641-1.01-2.967-3.314-2.967ZM19.974 35c1.958 0 3.103-.904 3.103-2.395 0-1.416-1.129-1.943-2.681-2.184-1.22-.196-1.537-.422-1.537-.889 0-.452.392-.738 1.296-.738.859 0 1.597.256 2.094.542.346-.271.572-.693.648-1.22-.467-.332-1.386-.693-2.682-.693-1.808 0-2.998.904-2.998 2.229 0 1.507 1.206 1.974 2.471 2.17 1.28.195 1.687.467 1.687.949 0 .482-.361.858-1.371.858-1.13 0-1.762-.391-2.199-.708-.362.226-.648.633-.783 1.175.406.347 1.355.904 2.952.904Zm5.483-8.451a1.09 1.09 0 0 0 1.085-1.084 1.09 1.09 0 0 0-1.085-1.085c-.617 0-1.114.482-1.114 1.085 0 .602.497 1.084 1.114 1.084Zm0 8.285c.287 0 .573-.015.844-.075v-7.125a4.01 4.01 0 0 0-.844-.075c-.286 0-.572.015-.858.075v7.125c.286.06.587.075.858.075Zm10.892-7.426c-.964 0-1.838.376-2.426.828-.527-.512-1.31-.828-2.335-.828-1.491 0-2.786.633-3.359 1.13v6.221c.286.06.573.075.844.075.286 0 .587-.015.858-.075v-5.393a2.92 2.92 0 0 1 1.462-.391c1.16 0 1.596.738 1.596 1.762v4.022c.287.06.573.075.874.075.271 0 .573-.015.844-.075v-4.534c0-.226-.03-.452-.076-.663.347-.286.829-.587 1.522-.587 1.16 0 1.612.738 1.612 1.762v4.022c.271.06.557.075.858.075.272 0 .573-.015.844-.075v-4.534c0-1.552-1.055-2.817-3.118-2.817Zm8.134.015c-1.355 0-2.485.527-3.178 1.1v9.023c.301.06.572.075.858.075.287 0 .573-.015.844-.075v-2.772c.452.151.934.211 1.537.211 1.988 0 3.781-1.401 3.781-3.811 0-2.471-1.657-3.751-3.842-3.751Zm-.06 6.041c-.557 0-1.009-.091-1.416-.287v-3.841a2.842 2.842 0 0 1 1.401-.346c1.311 0 2.199.828 2.199 2.199 0 1.416-.888 2.275-2.184 2.275Zm6.312 1.37c.286 0 .587-.015.859-.075v-9.882a4.308 4.308 0 0 0-.874-.075c-.286 0-.573.015-.844.075v9.882c.301.06.588.075.859.075Zm9.264-4.187c0-1.913-1.356-3.224-3.269-3.224-2.033 0-3.585 1.597-3.585 3.811 0 2.335 1.537 3.751 3.676 3.751 1.431 0 2.365-.527 2.967-1.009a1.76 1.76 0 0 0-.738-1.16c-.467.331-1.069.738-2.109.738-1.19 0-1.913-.723-2.048-1.898h5.046c.045-.392.06-.633.06-1.009Zm-5.091-.121c.12-.979.768-1.717 1.822-1.717 1.16.015 1.597.874 1.597 1.717h-3.419Z"/></symbol>
+    <symbol id="datadog" viewBox="0 0 60 60"><path d="M58.339 56.312v2.096c-.384.101-.728.15-1.03.15-2.034 0-3.05-1.075-3.05-3.224 0-1.986 1.078-2.978 3.233-2.978.898 0 1.735.167 2.51.503v-1.505c-.775-.29-1.653-.438-2.636-.438-3.221 0-4.834 1.471-4.834 4.418 0 3.109 1.584 4.666 4.751 4.666 1.09 0 1.995-.159 2.718-.476V54.84h-2.686l-.561 1.473h1.585Zm-11.376 2.245c1.807 0 2.71-1.041 2.71-3.124 0-2.051-.903-3.078-2.71-3.078-1.854 0-2.78 1.027-2.78 3.078 0 2.083.926 3.124 2.78 3.124Zm-4.508-3.086c0-3.038 1.504-4.555 4.508-4.555 2.957 0 4.436 1.517 4.436 4.555 0 3.02-1.479 4.529-4.436 4.529-2.871 0-4.373-1.51-4.508-4.53Zm-7.56 3.024h1.978c1.86 0 2.793-1.094 2.793-3.282 0-1.864-.932-2.794-2.793-2.794h-1.978v6.076Zm2.229 1.44h-3.89V50.98h3.89c2.803 0 4.205 1.412 4.205 4.233 0 3.148-1.402 4.723-4.205 4.723Zm-12.777 0h-1.709l3.81-8.955h1.79l3.89 8.956H30.34l-1.13-2.443h-2.874l.57-1.44h1.865L27.3 52.69l-2.954 7.246Zm-7.665-8.955h6.81v1.44h-2.574v7.516h-1.661V52.42h-2.575v-1.44ZM9.84 59.936H8.133l3.81-8.956h1.787l3.892 8.956h-1.789l-1.13-2.443H11.83l.571-1.44h1.864l-1.47-3.363-2.954 7.246Zm-8.176-1.441H3.64c1.863 0 2.792-1.094 2.792-3.282 0-1.864-.93-2.794-2.792-2.794H1.665v6.076Zm2.227 1.44H.002V50.98h3.89c2.803 0 4.206 1.412 4.206 4.233 0 3.148-1.403 4.723-4.206 4.723ZM29.864 14.47c.32-.304-1.597-.704-3.085.31-1.097.75-1.132 2.354-.082 3.264.105.09.192.154.273.206a9.513 9.513 0 0 1 2.767-.816c.223-.248.482-.686.417-1.477-.087-1.075-.902-.905-.29-1.486Zm10.065 5.833c-.18-.1-1.03-.06-1.627.01-1.137.135-2.364.529-2.633.739-.49.378-.268 1.037.095 1.307 1.012.757 1.9 1.264 2.838 1.14.575-.075 1.082-.986 1.442-1.813.245-.569.245-1.183-.115-1.383Zm-3.882-6.725c-.066.15-.169.248-.015.734l.01.028.025.063.064.146c.278.569.584 1.105 1.095 1.38.133-.023.269-.038.41-.045.481-.021.784.055.976.159a2.14 2.14 0 0 0 .01-.442c-.038-.721.142-1.947-1.243-2.592-.523-.242-1.257-.168-1.5.136a.634.634 0 0 1 .115.025c.37.128.12.256.053.408Zm14.266 9.879-1.194.227L46.828.002 7.77 4.53l4.812 39.046 4.571-.664c-.364-.52-.932-1.152-1.904-1.959-1.346-1.118-.87-3.018-.076-4.218 1.05-2.027 6.464-4.603 6.158-7.843-.11-1.178-.297-2.712-1.391-3.763-.04.436.033.856.033.856s-.45-.572-.673-1.354c-.222-.3-.396-.395-.633-.795-.168.463-.146 1-.146 1s-.368-.868-.426-1.6c-.219.327-.274.95-.274.95s-.477-1.368-.368-2.105c-.218-.642-.863-1.914-.681-4.807 1.192.835 3.816.637 4.838-.87.34-.499.573-1.86-.168-4.546-.477-1.721-1.656-4.284-2.117-5.257l-.054.04c.242.783.742 2.425.933 3.222.58 2.415.736 3.256.464 4.37-.232.968-.788 1.601-2.196 2.309-1.409.71-3.279-1.018-3.397-1.114-1.368-1.09-2.426-2.869-2.544-3.733-.123-.946.544-1.514.882-2.287a8.6 8.6 0 0 0-1.02.383s.642-.664 1.432-1.238a8.26 8.26 0 0 0 .864-.641c-.5-.009-.904.005-.904.005s.832-.45 1.695-.777c-.63-.029-1.236-.005-1.236-.005s1.858-.832 3.328-1.442c1.009-.414 1.995-.291 2.55.51.727 1.05 1.49 1.62 3.11 1.973.995-.44 1.297-.667 2.545-1.007 1.1-1.21 1.963-1.366 1.963-1.366s-.427.393-.542 1.01c.623-.491 1.306-.902 1.306-.902s-.264.327-.51.846l.057.085c.728-.436 1.583-.78 1.583-.78s-.244.31-.531.709c.548-.005 1.66.023 2.092.072 2.55.056 3.078-2.722 4.056-3.07 1.225-.438 1.773-.702 3.86 1.348 1.79 1.76 3.19 4.91 2.495 5.615-.583.586-1.732-.228-3.005-1.816a6.865 6.865 0 0 1-1.42-3.097 3.043 3.043 0 0 0-.984-1.684s.453 1.012.453 1.904c0 .488.061 2.31.843 3.332-.078.15-.114.74-.2.853-.908-1.099-2.861-1.885-3.178-2.117 1.076.883 3.553 2.911 4.504 4.855.9 1.838.37 3.523.825 3.96.129.125 1.935 2.374 2.282 3.504.607 1.97.036 4.04-.757 5.324l-2.214.345c-.324-.09-.543-.135-.834-.303.161-.283.48-.99.483-1.136l-.125-.219c-.69.976-1.844 1.924-2.803 2.469-1.256.712-2.702.602-3.644.31-2.673-.824-5.202-2.63-5.81-3.105 0 0-.02.379.095.464.674.76 2.218 2.135 3.71 3.094l-3.181.35 1.504 11.712c-.666.096-.77.143-1.5.247-.644-2.274-1.875-3.758-3.22-4.622-1.186-.763-2.823-.935-4.39-.624l-.1.116c1.089-.113 2.374.044 3.695.88 1.297.82 2.341 2.938 2.726 4.212.493 1.63.832 3.372-.493 5.22-.942 1.313-3.695 2.038-5.918.468.594.955 1.396 1.737 2.477 1.884 1.605.218 3.129-.061 4.176-1.137.895-.92 1.37-2.845 1.245-4.872l1.417-.205.511 3.637 23.449-2.823-1.913-18.66ZM27.86 28.834l2.951-.406c.477.215.81.297 1.382.442.89.232 1.924.455 3.451-.314.356-.177 1.096-.854 1.395-1.24l12.087-2.193 1.233 14.924-20.708 3.732-1.79-14.945Zm17.149 4.953-3.96-2.611-3.301 5.517-3.842-1.123-3.382 5.161.174 1.625 18.388-3.388-1.07-11.489-3.007 6.308Z"/></symbol>
+    <symbol id="fastly" viewBox="0 0 60 60"><path d="M40.845 36.419h4.699v-2.393h-1.558V18.379h-3.141v18.04ZM.008 34.026h1.6v-7.55h-1.6v-2.078l1.6-.263v-2.103c0-2.546.554-3.653 3.797-3.653.698 0 1.533.103 2.264.24l-.434 2.561a6.106 6.106 0 0 0-1.047-.093c-1.141 0-1.43.11-1.43 1.234v1.822h2.375v2.342H4.758v7.55h1.584v2.393H.016v-2.402H.008Zm39.228-.757c-.494.102-.92.093-1.235.102-1.294.034-1.183-.391-1.183-1.617v-5.278h2.469v-2.342h-2.469V18.38h-3.15v14.029c0 2.759.681 4.01 3.644 4.01.698 0 1.668-.18 2.392-.34l-.468-2.81Zm19.563.775c.664 0 1.2.528 1.2 1.192 0 .663-.536 1.183-1.2 1.183a1.186 1.186 0 0 1-1.101-.728 1.186 1.186 0 0 1-.091-.456c0-.672.536-1.191 1.192-1.191Zm0 2.187a1 1 0 0 0 .996-1.004.99.99 0 0 0-.996-.987.983.983 0 0 0-.996.987c0 .553.451 1.004.996 1.004Zm.221-.417-.238-.348h-.17v.349h-.264v-1.167h.485c.29 0 .468.145.468.4 0 .188-.094.315-.247.366l.29.4h-.324Zm-.409-.587h.214c.118 0 .204-.05.204-.179 0-.119-.085-.17-.196-.17h-.222v.349Zm-28.868-8.76v-.417c-.953-.17-1.897-.179-2.409-.179-1.464 0-1.642.775-1.642 1.2 0 .597.204.92 1.787 1.27 2.324.518 4.648 1.063 4.648 3.94 0 2.733-1.405 4.138-4.358 4.138-1.975 0-3.899-.426-5.364-.8v-2.35h2.384v.418c1.03.195 2.103.178 2.665.178 1.566 0 1.813-.843 1.813-1.285 0-.622-.451-.92-1.916-1.218-2.758-.468-4.954-1.413-4.954-4.214 0-2.656 1.78-3.695 4.733-3.695 2.001 0 3.525.307 4.989.682v2.332h-2.376Zm-14.752 1.882-1.158 1.012a.616.616 0 0 0-.639 1.014.616.616 0 0 0 1.033-.299.617.617 0 0 0-.02-.34l1.022-1.14-.238-.248Z"/><path d="M20.068 23.47h-3.15v.886a6.38 6.38 0 0 0-2.12-.792v-1.073h.383v-.8h-3.167v.8h.384v1.081a6.48 6.48 0 0 0-5.261 6.368 6.469 6.469 0 0 0 1.899 4.588 6.48 6.48 0 0 0 4.587 1.9c1.209 0 2.35-.333 3.32-.912l.562.911h3.329v-3.15h-.766V23.47Zm-3.116 6.657a3.343 3.343 0 0 1-3.15 3.142v-.375h-.375v.375a3.332 3.332 0 0 1-3.124-3.15h.375v-.374h-.375a3.342 3.342 0 0 1 3.124-3.124v.374h.375v-.375a3.333 3.333 0 0 1 3.15 3.141h-.375v.375h.375v-.009Zm36.555-5.992h6.495v2.34h-1.549l-3.984 9.8c-1.141 2.749-3.013 5.345-5.874 5.345-.698 0-1.635-.076-2.282-.23l.281-2.86c.418.076.962.128 1.243.128 1.328 0 2.818-.818 3.286-2.248l-4.035-9.935h-1.55v-2.341h6.496v2.341h-1.549l2.29 5.627 2.29-5.627h-1.55v-2.341h-.008Z"/></symbol>
+    <symbol id="honeybadger" viewBox="0 0 60 60"><path fill-rule="evenodd" clip-rule="evenodd" d="m37.902 14.22 7.608 7.607-15.506 15.507-1.687-1.687-2.292 2.29 2.451 2.452a2.161 2.161 0 0 0 3.056 0l17.034-17.034a2.16 2.16 0 0 0 0-3.055l-9.3-9.298-1.364 3.218Zm-.284-4.866-1.364 3.218-2.87-2.87 2.291-2.29 1.943 1.942Zm-3.47-3.472-2.616-2.615a2.161 2.161 0 0 0-3.056 0L11.444 20.3a2.161 2.161 0 0 0 0 3.055l9.984 9.984 1.462-3.119-8.391-8.393L30.004 6.323l1.853 1.85 2.29-2.29ZM23.051 34.964l1.462-3.12 2.276 2.275-2.293 2.29-1.445-1.445Z"/><path d="M39.405 5.158c.232-.546-.459-1.013-.879-.592L19.967 23.125h7.56l-6.016 14.81c-.221.547.466 1.003.882.586L40.49 20.424h-7.561l6.476-15.266Z"/><path fill-rule="evenodd" clip-rule="evenodd" d="m5.662 57.367 1.744-11.959H5.465l-.715 4.864H2.989l.715-4.864H1.762L.004 57.367h1.941l.78-5.308h1.762l-.78 5.308h1.955Zm3.62-2.397c1.942 0 2.705-.82 3.107-3.75.375-2.783-.276-3.697-2.08-3.697-1.913 0-2.732.941-3.078 3.804-.36 2.81.374 3.643 2.052 3.643Zm.196-1.371c-.486 0-.611-.47-.348-2.285.25-1.882.486-2.432 1.04-2.432.486 0 .583.442.333 2.298-.249 1.84-.486 2.419-1.025 2.419Zm5.672-5.323c.43-.404 1.054-.753 1.608-.753 1.124 0 1.513.766 1.318 2.11l-.777 5.175h-1.803l.736-4.972c.068-.484-.028-.727-.388-.727-.278 0-.541.243-.707.404l-.778 5.295h-1.802l1.04-7.124h1.526l.027.592Zm22.967-.592-.21.525a1.545 1.545 0 0 0-1.33-.686c-1.318 0-2.122 1.05-2.455 3.83-.333 2.756.306 3.617 1.345 3.617.624 0 1.11-.296 1.47-.712l.014.55h1.665l1.053-7.124h-1.552Zm-1.056 5.39c-.151.19-.442.39-.692.39-.445 0-.583-.417-.347-2.15.25-1.841.513-2.272.956-2.272.265 0 .486.188.611.39l-.528 3.643Zm8.558-7.666-1.387 9.4h-1.65l-.015-.55c-.36.43-.86.712-1.47.712-1.04 0-1.692-.86-1.344-3.617.333-2.78 1.122-3.83 2.454-3.83.514 0 .915.215 1.206.552l.403-2.667h1.803Zm-3.967 5.906c-.249 1.733-.097 2.15.347 2.15.236 0 .541-.2.693-.39l.527-3.642c-.125-.202-.36-.39-.61-.39-.444 0-.707.43-.957 2.272Zm-15.81 6.05h21.502a2.584 2.584 0 0 0 2.559-2.223l1.054-7.457h-1.553l-.166.538c-.278-.39-.75-.699-1.262-.699-1.4 0-2.164.766-2.552 3.75-.374 2.715.236 3.548 1.332 3.548.554 0 1.067-.24 1.413-.644l-.055.51c-.149.639-.804 1.145-1.882 1.145H26.71c-.255.603-.503 1.09-.797 1.45l-.07.082Zm21.842-4.02c-.444 0-.61-.39-.374-2.084.236-1.774.513-2.218.97-2.218.25 0 .473.188.596.377l-.512 3.535c-.152.188-.445.39-.68.39Zm7.461.994c-.734.43-1.498.632-2.164.632-1.553 0-2.26-1.344-1.955-3.63.36-2.741 1.387-3.817 3.148-3.817 1.096 0 1.775.565 1.775 1.56 0 1.33-.749 2.782-3.189 3.226 0 .072.004.126.008.174.003.04.005.079.005.12.013.552.306.848.791.848.333 0 .72-.108 1.276-.363l.305 1.25Zm-1.18-5.484c-.428 0-.818.645-1.053 2.07a1.557 1.557 0 0 0 1.414-1.546c0-.323-.11-.524-.36-.524Zm3.46 5.954.734-4.879c.36-.322.763-.497 1.165-.497.112 0 .208 0 .32.013l.36-1.733a.932.932 0 0 0-.568-.189c-.528 0-.985.418-1.318 1.009l-.027-.848h-1.415l-1.055 7.124h1.804Zm-34.924-.47c-.736.43-1.498.632-2.164.632-1.553 0-2.26-1.344-1.954-3.63.36-2.741 1.385-3.817 3.146-3.817 1.097 0 1.776.565 1.776 1.56 0 1.33-.749 2.782-3.189 3.226 0 .072.004.126.007.174.003.04.006.079.006.12.015.552.305.848.791.848.333 0 .721-.108 1.275-.363l.306 1.25Zm-1.18-5.484c-.429 0-.817.645-1.052 2.07a1.557 1.557 0 0 0 1.413-1.546c0-.323-.11-.524-.36-.524Zm9.85 6.116c1.58 0 2.19-1.25 2.524-4.167.318-2.608-.195-3.28-1.29-3.28-.554 0-1.04.23-1.47.565l.36-2.482h-1.802l-1.346 9.202h1.637l.166-.537c.236.39.666.7 1.22.7Zm-.347-1.506a.675.675 0 0 1-.624-.39l.541-3.655c.208-.215.484-.377.749-.377.416 0 .499.416.319 1.828-.166 1.681-.444 2.594-.985 2.594Zm-5.516-.59 1.566-5.19h1.859L25.96 54.89c-.764 1.962-1.193 2.474-2.4 2.474H6.626l.225-1.532h16.414c.557 0 .864-.387.864-.89l-.624-7.258h1.956l-.153 5.19Z"/></symbol>
+    <symbol id="domainr" viewBox="0 0 60 60"><path d="M30.02 0a22.501 22.501 0 0 1 15.899 6.582A22.515 22.515 0 0 1 52.5 22.473c0 5.96-2.378 11.676-6.582 15.89a22.5 22.5 0 0 1-15.899 6.583H10.236a.733.733 0 0 1-.626-.35.887.887 0 0 1-.11-.354c0-.125.025-.25.086-.361l1.152-2.306a.959.959 0 0 1 .883-.537H30.02a18.57 18.57 0 0 0 18.57-18.565A18.57 18.57 0 0 0 30.02 3.91H14.048a.409.409 0 0 0-.184.046.466.466 0 0 0-.135.129.309.309 0 0 0-.049.179c-.012.064.012.126.037.184l1.066 2.12a.429.429 0 0 0 .184.199c.074.049.16.073.258.073H30.02a15.64 15.64 0 0 1 15.641 15.634A15.647 15.647 0 0 1 30.02 38.106H13.656a.733.733 0 0 1-.626-.35.887.887 0 0 1-.11-.352.75.75 0 0 1 .086-.363l4.572-9.145a.96.96 0 0 1 .87-.538H30.02a4.89 4.89 0 0 0 4.89-4.885 4.89 4.89 0 0 0-4.89-4.885h-9.132a.405.405 0 0 0-.184.047.466.466 0 0 0-.135.129.309.309 0 0 0-.049.179c-.012.062.012.125.037.182l1.066 2.121c.037.08.098.15.172.199a.525.525 0 0 0 .27.073h7.955c.527 0 1.017.206 1.385.573.368.367.576.864.576 1.382 0 .518-.208 1.015-.576 1.382a1.949 1.949 0 0 1-1.385.572h-10.1a.999.999 0 0 1-.515-.147 1.054 1.054 0 0 1-.356-.39l-4.584-9.145a.735.735 0 0 1-.074-.362c0-.126.037-.248.11-.356a.671.671 0 0 1 .258-.256.744.744 0 0 1 .368-.092H30.02a8.81 8.81 0 0 1 6.227 2.576 8.82 8.82 0 0 1 2.574 6.218 8.819 8.819 0 0 1-2.574 6.218 8.809 8.809 0 0 1-6.227 2.576h-9.426a.503.503 0 0 0-.442.274l-1.066 2.12a.462.462 0 0 0-.037.183.32.32 0 0 0 .061.178.29.29 0 0 0 .135.13c.05.03.11.046.172.046H30.02a11.75 11.75 0 0 0 8.299-3.435 11.743 11.743 0 0 0 3.432-8.29 11.743 11.743 0 0 0-3.432-8.291 11.75 11.75 0 0 0-8.299-3.434H13.08a.999.999 0 0 1-.515-.147 1.053 1.053 0 0 1-.356-.39L7.625 1.065A.735.735 0 0 1 7.55.703a.62.62 0 0 1 .11-.354.757.757 0 0 1 .258-.256.745.745 0 0 1 .368-.094H30.02ZM6.423 59.86h-2.17l.013-1.39h2.157c.638 0 1.153-.137 1.582-.412.429-.274.747-.668.968-1.18.208-.511.319-1.122.319-1.83v-.55c0-.55-.062-1.037-.184-1.46a3.019 3.019 0 0 0-.54-1.068 2.397 2.397 0 0 0-.882-.657 3.022 3.022 0 0 0-1.201-.223H4.217v-1.398h2.268c.674 0 1.299.114 1.85.343a4.016 4.016 0 0 1 1.447.97c.417.424.723.932.944 1.522.22.592.33 1.253.33 1.984v.538c0 .73-.11 1.391-.33 1.983a4.233 4.233 0 0 1-.944 1.521c-.404.42-.895.743-1.459.971-.564.225-1.2.336-1.9.336Zm-1.2-10.168V59.86H3.468V49.692h1.753Zm7.109 6.474v-.161c0-.544.073-1.05.233-1.515.159-.47.392-.878.686-1.222a3.16 3.16 0 0 1 1.103-.81 3.62 3.62 0 0 1 1.483-.293c.552 0 1.042.098 1.471.293.442.19.81.46 1.116.81.306.344.527.751.686 1.222.16.466.246.97.246 1.515v.16c0 .546-.086 1.051-.246 1.516-.159.465-.38.872-.686 1.222a3.27 3.27 0 0 1-1.103.81A3.58 3.58 0 0 1 15.85 60a3.74 3.74 0 0 1-1.496-.287 3.27 3.27 0 0 1-1.103-.81 3.783 3.783 0 0 1-.686-1.222 4.64 4.64 0 0 1-.233-1.515Zm1.68-.161v.16c0 .34.036.661.097.964.074.303.184.569.331.797.147.228.343.407.576.537.233.13.515.196.834.196.306 0 .576-.065.809-.196.233-.13.417-.31.576-.537.147-.228.257-.494.319-.797a4.07 4.07 0 0 0 .11-.963v-.161c0-.335-.037-.652-.11-.95a2.173 2.173 0 0 0-.331-.803 1.59 1.59 0 0 0-.576-.544 1.554 1.554 0 0 0-.81-.202c-.318 0-.6.067-.833.202-.22.13-.417.311-.564.544s-.257.501-.33.803a4.706 4.706 0 0 0-.099.95Zm8.433-2.165v6.02h-1.68v-7.556h1.581l.099 1.536Zm-.27 1.963-.576-.008c0-.52.061-1.002.196-1.445.135-.442.319-.826.576-1.152.245-.331.564-.584.932-.761.38-.182.809-.272 1.311-.272.343 0 .65.051.944.153.282.098.527.254.748.468.208.215.368.49.478.824.122.336.184.74.184 1.215v5.035h-1.692v-4.888c0-.368-.049-.656-.16-.866a.973.973 0 0 0-.465-.447 1.73 1.73 0 0 0-.723-.14c-.319 0-.589.061-.81.182-.22.12-.404.286-.539.496-.134.21-.245.451-.306.726a4.033 4.033 0 0 0-.098.88Zm4.682-.448-.784.176c0-.456.061-.888.184-1.292a3.4 3.4 0 0 1 .564-1.075c.257-.313.564-.557.931-.733a2.854 2.854 0 0 1 1.263-.266c.392 0 .735.054 1.03.16.318.103.576.266.784.49.22.222.38.513.49.872.11.354.172.782.172 1.285v4.888h-1.692v-4.896c0-.38-.06-.676-.171-.886a.836.836 0 0 0-.454-.433 1.884 1.884 0 0 0-.723-.126c-.257 0-.49.05-.686.147a1.383 1.383 0 0 0-.503.399 1.839 1.839 0 0 0-.306.578c-.062.22-.099.457-.099.712Zm10.628 2.99v-3.604c0-.27-.049-.502-.147-.698a1.066 1.066 0 0 0-.454-.454 1.526 1.526 0 0 0-.735-.16c-.282 0-.515.046-.711.14a1.206 1.206 0 0 0-.478.377.91.91 0 0 0-.16.537h-1.679c0-.298.074-.586.22-.866.148-.28.356-.528.626-.748.27-.218.6-.39.98-.516s.81-.188 1.288-.188c.564 0 1.079.095 1.508.286.44.19.796.48 1.041.866.258.381.38.862.38 1.438v3.36c0 .344.025.653.074.928.049.27.123.505.22.706v.111H37.73a2.797 2.797 0 0 1-.184-.691 4.8 4.8 0 0 1-.06-.824Zm.233-3.08.025 1.04h-1.214c-.306 0-.588.031-.821.091a1.69 1.69 0 0 0-.6.251c-.148.112-.27.248-.356.406-.074.158-.11.337-.11.537 0 .201.048.385.134.552.098.163.233.291.405.384.183.094.404.14.662.14a1.835 1.835 0 0 0 1.507-.734c.147-.208.233-.407.245-.593l.54.747a2.3 2.3 0 0 1-.282.615c-.135.219-.319.427-.54.628a2.616 2.616 0 0 1-1.801.67 2.92 2.92 0 0 1-1.324-.293 2.395 2.395 0 0 1-.907-.803 2.067 2.067 0 0 1-.331-1.152c0-.4.073-.754.233-1.062.147-.311.367-.572.661-.782a3.338 3.338 0 0 1 1.091-.474c.43-.112.92-.168 1.471-.168h1.312Zm5.014-2.96v7.555H41.04v-7.556h1.692ZM40.93 50.32c0-.256.085-.468.245-.635.184-.173.417-.259.723-.259.294 0 .527.086.699.259a.848.848 0 0 1 .257.635c0 .251-.086.46-.257.629-.172.168-.405.251-.699.251-.306 0-.54-.083-.723-.251a.883.883 0 0 1-.245-.629Zm5.307 3.596v5.943h-1.679v-7.556h1.594l.085 1.613Zm-.294 1.886-.54-.008c0-.534.074-1.026.221-1.473.148-.446.356-.831.613-1.152.27-.321.576-.568.944-.74a2.82 2.82 0 0 1 1.238-.265c.356 0 .687.051.98.153.295.098.553.258.76.482.222.224.38.514.491.874.11.353.172.788.172 1.305v4.881H49.13v-4.888c0-.363-.061-.65-.16-.86a.946.946 0 0 0-.453-.453 1.711 1.711 0 0 0-.735-.14 1.59 1.59 0 0 0-.772.182 1.74 1.74 0 0 0-.589.496c-.147.21-.27.451-.355.726a2.938 2.938 0 0 0-.123.88Zm8.287-2.06v6.117h-1.692v-7.556h1.606l.086 1.438Zm2.304-1.488-.012 1.564a4.306 4.306 0 0 0-.687-.055c-.282 0-.539.042-.76.125a1.418 1.418 0 0 0-.882.894 2.574 2.574 0 0 0-.147.72l-.38.028c0-.476.049-.915.135-1.32a3.48 3.48 0 0 1 .429-1.068c.183-.308.429-.548.71-.72.282-.173.613-.258.993-.258a2.13 2.13 0 0 1 .601.09Z"/></symbol>
+    <symbol id="mend-io" viewBox="0 0 60 60"><path d="M43.39 27.355c-2.24 5.173-7.39 8.79-13.39 8.79-.25 0-.49-.006-.73-.018-7.72-.38-13.87-6.763-13.87-14.58 0-1.31.18-2.576.5-3.78.33-.352.79-.57 1.31-.57.99 0 1.81.818 1.81 1.824v.587c0 .01-.01.02-.01.028v4.44a3.33 3.33 0 0 0 3.32 3.331 3.33 3.33 0 0 0 3.32-3.331v-3.582c0-.012-.01-.022-.01-.035v-1.438c0-1.006.81-1.825 1.81-1.825s1.81.82 1.81 1.825v5.055c0 1.837 1.49 3.331 3.31 3.331a3.33 3.33 0 0 0 3.32-3.331V19.02c0-1.006.81-1.825 1.81-1.825.99 0 1.8.82 1.8 1.825v5.055a3.33 3.33 0 0 0 3.32 3.331c.19 0 .38-.02.57-.052Z"/><path d="M44.59 21.55c0 1.322-.18 2.598-.5 3.818v.006c-.01.002-.01.005-.01.005v.002c-.33.32-.77.52-1.27.52-.99 0-1.8-.819-1.8-1.824v-5.055a3.331 3.331 0 0 0-3.32-3.332c-1.83 0-3.31 1.496-3.31 3.333v5.055c0 1.006-.81 1.825-1.81 1.825s-1.81-.82-1.81-1.825v-5.055c0-1.837-1.48-3.333-3.31-3.333a3.331 3.331 0 0 0-3.32 3.333v5.055c0 1.006-.81 1.825-1.8 1.825-1 0-1.81-.82-1.81-1.825v-5.055c0-1.836-1.49-3.33-3.31-3.332h-.01c-.2 0-.4.021-.6.057C18.85 10.573 24 6.956 30 6.956c.07 0 .15 0 .23.002 7.95.126 14.36 6.61 14.36 14.594M.11 52.772a.408.408 0 0 1-.11-.289v-7.528c0-.117.04-.214.11-.289a.4.4 0 0 1 .29-.111h1.75c.11 0 .21.038.28.111a.38.38 0 0 1 .12.289v.544c.24-.32.57-.584.98-.792.41-.209.87-.313 1.39-.313 1.17 0 1.98.459 2.43 1.378.26-.406.61-.737 1.07-.994.46-.256.95-.384 1.48-.384.87 0 1.58.296 2.13.89.55.592.83 1.476.83 2.651v4.548c0 .107-.04.2-.11.28a.382.382 0 0 1-.29.121H10.6a.421.421 0 0 1-.3-.112.376.376 0 0 1-.12-.289v-4.436c0-.534-.11-.918-.32-1.154-.22-.234-.52-.352-.89-.352-.35 0-.63.12-.85.36-.23.241-.34.623-.34 1.146v4.436c0 .107-.04.2-.11.28a.382.382 0 0 1-.29.121H5.52a.414.414 0 0 1-.29-.112.408.408 0 0 1-.11-.289v-4.436c0-.523-.11-.905-.34-1.146a1.15 1.15 0 0 0-.87-.36c-.36 0-.63.12-.86.36-.23.241-.35.617-.35 1.129v4.453c0 .107-.03.2-.11.28a.367.367 0 0 1-.29.121H.4a.382.382 0 0 1-.29-.112Zm15.07-.768c-.74-.694-1.13-1.703-1.16-3.028v-.56c.05-1.26.44-2.246 1.18-2.955.74-.71 1.74-1.066 2.99-1.066.91 0 1.67.185 2.3.553.62.368 1.09.873 1.41 1.513.31.641.47 1.378.47 2.211v.384c0 .107-.04.199-.11.28-.08.08-.17.12-.29.12h-5.13v.112c.02.502.15.908.37 1.217.23.31.55.464.98.464.27 0 .48-.056.66-.168.17-.112.32-.248.46-.408.1-.117.17-.19.23-.216.06-.026.15-.04.28-.04h1.99c.09 0 .18.029.25.088s.1.136.1.232c0 .278-.16.598-.47.961-.32.364-.77.678-1.37.945-.6.267-1.3.4-2.12.4-1.28 0-2.29-.347-3.02-1.041v.002Zm4.37-4.133v-.031c0-.523-.12-.938-.36-1.241-.24-.305-.57-.457-1-.457-.43 0-.75.152-.99.457-.24.303-.36.718-.36 1.241v.031h2.71Zm4.1 4.901a.408.408 0 0 1-.11-.289v-7.528c0-.117.04-.214.11-.289a.418.418 0 0 1 .29-.111h1.85c.11 0 .21.038.29.111a.38.38 0 0 1 .12.289v.608c.29-.352.66-.635 1.11-.849.46-.214.97-.32 1.55-.32.94 0 1.7.318 2.29.954.59.635.88 1.524.88 2.666v4.469c0 .107-.04.2-.11.28a.382.382 0 0 1-.29.121h-2.02c-.1 0-.2-.04-.28-.121a.383.383 0 0 1-.12-.28v-4.372c0-.503-.12-.89-.37-1.162-.24-.273-.59-.408-1.05-.408-.46 0-.8.135-1.06.408-.26.272-.38.659-.38 1.162v4.372c0 .107-.04.2-.12.28a.36.36 0 0 1-.28.121h-2.01a.414.414 0 0 1-.29-.112Zm10.53-.712c-.58-.657-.9-1.583-.95-2.78l-.02-.561.02-.577c.04-1.153.36-2.066.95-2.739.59-.672 1.41-1.009 2.44-1.009.97 0 1.76.316 2.36.945v-3.428a.382.382 0 0 1 .4-.4h1.95c.12 0 .21.038.29.112.07.075.11.171.11.288v10.572c0 .106-.04.199-.11.279a.382.382 0 0 1-.29.121h-1.81c-.11 0-.2-.04-.28-.121a.383.383 0 0 1-.12-.279v-.514c-.59.715-1.42 1.073-2.5 1.073s-1.86-.328-2.44-.985v.003Zm4.4-1.618c.23-.305.36-.696.4-1.177.01-.139.01-.342.01-.608 0-.267 0-.454-.01-.593-.03-.437-.16-.8-.4-1.089-.25-.288-.61-.433-1.08-.433-.5 0-.86.15-1.08.448-.22.3-.34.711-.37 1.234-.02.107-.02.272-.02.497 0 .224 0 .389.02.496.03.523.15.934.37 1.234.22.299.58.448 1.08.448.51 0 .84-.152 1.08-.457Zm9.06-7.2c-.08-.075-.11-.17-.11-.288v-1.442c0-.117.03-.214.11-.288a.382.382 0 0 1 .29-.112h1.92c.12 0 .21.038.29.112.07.074.11.171.11.288v1.442c0 .117-.04.213-.11.288a.397.397 0 0 1-.29.112h-1.92a.382.382 0 0 1-.29-.112Zm.02 9.53a.376.376 0 0 1-.12-.288v-7.529c0-.117.04-.213.12-.288a.374.374 0 0 1 .28-.112h1.89c.12 0 .22.038.29.112a.37.37 0 0 1 .11.288v7.529c0 .106-.03.199-.11.28a.37.37 0 0 1-.29.12h-1.89a.374.374 0 0 1-.28-.112Zm5.02-.672c-.72-.631-1.11-1.517-1.17-2.659-.01-.139-.02-.379-.02-.721 0-.341.01-.581.02-.72.06-1.131.46-2.015 1.2-2.651.74-.636 1.74-.954 3.03-.954 1.28 0 2.3.318 3.04.954.74.636 1.14 1.519 1.2 2.651.01.139.02.379.02.72 0 .342-.01.583-.02.721-.06 1.142-.45 2.028-1.17 2.659-.71.63-1.74.944-3.07.944-1.34 0-2.35-.314-3.06-.944Zm4.1-1.433c.22-.284.35-.719.38-1.305.01-.107.02-.32.02-.642 0-.321-.01-.533-.02-.641-.03-.577-.16-1.008-.39-1.297-.23-.289-.57-.433-1.03-.433-.89 0-1.36.577-1.41 1.73l-.02.641.02.642c.02.588.14 1.023.37 1.305.23.283.58.424 1.04.424.46 0 .81-.141 1.04-.424Zm-12.16 2.217a1.45 1.45 0 1 0 0-2.9 1.45 1.45 0 0 0 0 2.9Z"/></symbol>
+    <symbol id="github" viewBox="0 0 24 24"><path d="M12 2C17.525 2 22 6.58819 22 12.2529C21.9995 14.4012 21.3419 16.4952 20.1198 18.2402C18.8977 19.9852 17.1727 21.2933 15.1875 21.9804C14.6875 22.0829 14.5 21.7625 14.5 21.4934C14.5 21.1474 14.5125 20.0452 14.5125 18.6738C14.5125 17.7126 14.2 17.0974 13.8375 16.777C16.0625 16.5207 18.4 15.6492 18.4 11.7147C18.4 10.5868 18.0125 9.67689 17.375 8.95918C17.475 8.70286 17.825 7.65193 17.275 6.24215C17.275 6.24215 16.4375 5.9602 14.525 7.29308C13.725 7.06239 12.875 6.94704 12.025 6.94704C11.175 6.94704 10.325 7.06239 9.525 7.29308C7.6125 5.97301 6.775 6.24215 6.775 6.24215C6.225 7.65193 6.575 8.70286 6.675 8.95918C6.0375 9.67689 5.65 10.5997 5.65 11.7147C5.65 15.6364 7.975 16.5207 10.2 16.777C9.9125 17.0334 9.65 17.4819 9.5625 18.1484C8.9875 18.4175 7.55 18.8533 6.65 17.3025C6.4625 16.9949 5.9 16.2388 5.1125 16.2516C4.275 16.2644 4.775 16.7386 5.125 16.9308C5.55 17.1743 6.0375 18.0843 6.15 18.3791C6.35 18.9558 7 20.058 9.5125 19.5838C9.5125 20.4425 9.525 21.2499 9.525 21.4934C9.525 21.7625 9.3375 22.0701 8.8375 21.9804C6.8458 21.3007 5.11342 19.9952 3.88611 18.2492C2.65881 16.5031 1.9989 14.4052 2 12.2529C2 6.58819 6.475 2 12 2Z"/></symbol>
+    <symbol id="mastodon" viewBox="0 0 24 24"><path d="M23.193 7.879c0-5.207-3.411-6.732-3.411-6.732C18.062.357 15.109.025 12.04 0h-.076c-3.068.025-6.019.357-7.74 1.147 0 0-3.411 1.526-3.411 6.732 0 1.191-.023 2.617.015 4.129.123 5.092.933 10.111 5.641 11.356 2.171.575 4.034.695 5.534.613 2.722-.152 4.249-.972 4.249-.972l-.09-1.975s-1.945.614-4.129.539c-2.165-.075-4.448-.233-4.799-2.891a5.626 5.626 0 0 1-.048-.745s2.124.519 4.817.643c1.646.076 3.19-.096 4.759-.283 3.007-.359 5.625-2.211 5.954-3.905.52-2.668.477-6.509.477-6.509Zm-4.023 6.709h-2.498v-6.12c0-1.289-.542-1.944-1.628-1.944-1.2 0-1.802.777-1.802 2.312v3.35H10.76v-3.35c0-1.535-.601-2.312-1.803-2.312-1.086 0-1.628.655-1.628 1.944v6.12H4.832V8.284c0-1.289.327-2.313.987-3.07.68-.757 1.569-1.146 2.674-1.146 1.278 0 2.247.491 2.886 1.473L12 6.585l.623-1.044c.64-.982 1.609-1.473 2.887-1.473 1.104 0 1.994.389 2.674 1.146.658.757.986 1.781.986 3.07v6.304Z"/></symbol>
+    <symbol id="x-twitter" viewBox="0 0 24 24"><path d="M16.39 19.89h2.44L7.6 4.17H5.16M21 21H15.64l-4.91-6.99L4.59 21H3l7.03-7.99L3 3H8.36l4.65 6.62L18.83 3h1.59l-6.71 7.62"/></symbol>
+  </defs>
+</svg>
diff --git a/app/assets/stylesheets/application.css b/app/assets/stylesheets/application.css
index 60707cefb77..dceb43dbed2 100644
--- a/app/assets/stylesheets/application.css
+++ b/app/assets/stylesheets/application.css
@@ -1,8 +1,26 @@
-/*
- * This is a manifest file that'll automatically include all the stylesheets available in this directory
- * and any sub-directories. You're free to add application-wide styles to this file and they'll appear at
- * the top of the compiled file, but it's generally better to create a new file per style scope.
- *= require_self
- *= require github_buttons
- *= require_tree .
-*/
+@import url("base.css");
+@import url("layout.css");
+@import url("suggest-list.css");
+@import url("type.css");
+@import url("github_buttons.css");
+
+@import url("modules/badge.css");
+@import url("modules/button.css");
+@import url("modules/dependencies.css");
+@import url("modules/error.css");
+@import url("modules/footer.css");
+@import url("modules/form.css");
+@import url("modules/gem.css");
+@import url("modules/gems.css");
+@import url("modules/header.css");
+@import url("modules/home.css");
+@import url("modules/mfa.css");
+@import url("modules/nav/nav--paginated.css");
+@import url("modules/nav/nav--v.css");
+@import url("modules/news.css");
+@import url("modules/org.css");
+@import url("modules/owners.css");
+@import url("modules/search.css");
+@import url("modules/shared.css");
+@import url("modules/stats.css");
+@import url("modules/status-icon.css");
diff --git a/app/assets/stylesheets/application.tailwind.css b/app/assets/stylesheets/application.tailwind.css
index 3bbac920f0d..2e81a977bc0 100644
--- a/app/assets/stylesheets/application.tailwind.css
+++ b/app/assets/stylesheets/application.tailwind.css
@@ -1,3 +1,4 @@
-/* @tailwind base; */ /* base disabled because the resets break the current site */ 
+@config "../../../config/tailwind.config.js";
+@tailwind base;
 @tailwind components;
 @tailwind utilities;
diff --git a/app/assets/stylesheets/hammy.css b/app/assets/stylesheets/hammy.css
new file mode 100644
index 00000000000..d783d05bab0
--- /dev/null
+++ b/app/assets/stylesheets/hammy.css
@@ -0,0 +1,22 @@
+/*
+ * This is a manifest file that'll automatically include all the stylesheets available in this directory
+ * and any sub-directories. You're free to add application-wide styles to this file and they'll appear at
+ * the top of the compiled file, but it's generally better to create a new file per style scope.
+ *= require_self
+*/
+
+/* Default browser style adds a max width that is hard to override with tailwind directly */
+dialog:modal {
+  max-width: 100vw;
+}
+
+/* Hide scrollbar for Chrome, Safari and Opera */
+.no-scrollbar::-webkit-scrollbar {
+  display: none;
+}
+
+/* Hide scrollbar for IE, Edge and Firefox */
+.no-scrollbar {
+  -ms-overflow-style: none;  /* IE and Edge */
+  scrollbar-width: none;  /* Firefox */
+}
diff --git a/app/assets/stylesheets/modules/gem.css b/app/assets/stylesheets/modules/gem.css
index 22c4eba7734..71a6dd657e0 100644
--- a/app/assets/stylesheets/modules/gem.css
+++ b/app/assets/stylesheets/modules/gem.css
@@ -96,6 +96,14 @@
   font-size: 18px;
   color: #141c22; }
 
+.gem__rubygem-version-age {
+  margin-top: 10px;
+  margin-bottom: 30px;
+  display: block;
+  font-weight: 800;
+  font-size: 14px;
+  color: #141c22; }
+
 .gem__code-wrap {
   margin-top: 12px;
   position: relative;
@@ -179,35 +187,6 @@
 .gem__code__icon.static {
   position: static; }
 
-.gem__code__tooltip--copy,
-.gem__code__tooltip--copied {
-  display: none; }
-
-.clipboard-is-hover,
-.clipboard-is-active {
-  display: block;
-  position: absolute;
-  top: 45px;
-  right: 0;
-  width: auto;
-  padding-left: 10px;
-  padding-right: 10px;
-  z-index: 1;
-  border-radius: 6px;
-  background-color: #141c22;
-  text-transform: none;
-  line-height: 30px;
-  text-align: center;
-  color: #ffffff; }
-  .clipboard-is-hover:before,
-  .clipboard-is-active:before {
-    content: "";
-    position: absolute;
-    top: -15px;
-    right: 8px;
-    border: 8px solid transparent;
-    border-bottom: 8px solid #141c22; }
-
 .gem__link:before {
   margin-right: 16px; }
 
@@ -286,3 +265,23 @@
 .gem__dependencies:not(:first-of-type) {
   margin-top: 36px;
 }
+
+.gem__attestation {
+  display: flex;
+  flex-direction: row;
+  margin-top: 16px; }
+  .gem__attestation__built_on {
+    flex-grow: 1; }
+  .gem__attestation__grid {
+    display: grid;
+    grid-template-rows: repeat(3, 1rem);
+    grid-row-gap: 18px;
+    grid-column-gap: 16px; }
+    .gem__attestation__grid p {
+      height: 100%;
+      display: block; }
+    .gem__attestation__grid__left {
+      grid-template-columns: 24px max-content; }
+    .gem__attestation__grid__right {
+      grid-template-columns: max-content 1fr; }
+
diff --git a/app/assets/stylesheets/modules/shared.css b/app/assets/stylesheets/modules/shared.css
index 08ece7df3a0..499adb14719 100644
--- a/app/assets/stylesheets/modules/shared.css
+++ b/app/assets/stylesheets/modules/shared.css
@@ -183,6 +183,20 @@ span.github-btn {
   margin-top: 5px;
 }
 
+.recovery-code-list {
+  border: none;
+  padding: 10px 20px;
+  font-size: 1.2em;
+  font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace;
+  resize: none;
+  background: none;
+}
+
+.recovery-code-list:focus {
+  background: none;
+  outline: none;
+}
+
 .recovery-code-list__item {
   font-family: SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace;
 }
diff --git a/app/assets/stylesheets/tailwind.deprecated.css b/app/assets/stylesheets/tailwind.deprecated.css
new file mode 100644
index 00000000000..cbb0ee2e997
--- /dev/null
+++ b/app/assets/stylesheets/tailwind.deprecated.css
@@ -0,0 +1,6 @@
+/*
+ * This is the old tailwind build that used `tw-` prefixes.
+ * We no longer compute this build and the tailwind config for this is gone.
+ * It's only here until the prefixed `tw-` classes are replaced by the new design.
+ */
+.tw-mx-auto{margin-left:auto;margin-right:auto}.tw-my-4{margin-bottom:1rem;margin-top:1rem}.\!tw-mb-0{margin-bottom:0!important}.tw-mt-2{margin-top:.5rem}.tw-mt-4{margin-top:1rem}.tw-flex{display:flex}.tw-flex-col{flex-direction:column}.tw-items-baseline{align-items:baseline}.tw-gap-2{gap:.5rem}.tw-gap-4{gap:1rem}.tw-space-y-2>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(.5rem*var(--tw-space-y-reverse));margin-top:calc(.5rem*(1 - var(--tw-space-y-reverse)))}.tw-space-y-4>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-bottom:calc(1rem*var(--tw-space-y-reverse));margin-top:calc(1rem*(1 - var(--tw-space-y-reverse)))}.tw-divide-y>:not([hidden])~:not([hidden]){--tw-divide-y-reverse:0;border-bottom-width:calc(1px*var(--tw-divide-y-reverse));border-top-width:calc(1px*(1 - var(--tw-divide-y-reverse)))}.tw-break-all{word-break:break-all}.tw-border{border-width:1px}.tw-border-solid{border-style:solid}.tw-border-red-500{--tw-border-opacity:1;border-color:rgb(239 68 68/var(--tw-border-opacity))}.\!tw-bg-white{--tw-bg-opacity:1!important;background-color:rgb(255 255 255/var(--tw-bg-opacity))!important}.tw-p-5{padding:1.25rem}.\!tw-py-0{padding-bottom:0!important;padding-top:0!important}.\!tw-text-start{text-align:start!important}@media (min-width:640px){.sm\:tw-flex{display:flex}.sm\:tw-grid{display:grid}.sm\:tw-grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}.sm\:tw-flex-row{flex-direction:row}.sm\:tw-items-baseline{align-items:baseline}}
diff --git a/app/avo/actions/add_owner.rb b/app/avo/actions/add_owner.rb
index bd98d1b8993..5f853c89e25 100644
--- a/app/avo/actions/add_owner.rb
+++ b/app/avo/actions/add_owner.rb
@@ -1,10 +1,14 @@
-class AddOwner < BaseAction
+class Avo::Actions::AddOwner < Avo::Actions::ApplicationAction
   self.name = "Add owner"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") && view == :show
   }
 
-  field :owner, as: :select_record, searchable: true, name: "New owner", use_resource: UserResource
+  def fields
+    field :owner, as: :select_record, searchable: true, name: "New owner", use_resource: Avo::Resources::User
+
+    super
+  end
 
   self.message = lambda {
     "Are you sure you would like to add an owner to #{record.name}?"
@@ -12,7 +16,7 @@ class AddOwner < BaseAction
 
   self.confirm_button_label = "Add owner"
 
-  class ActionHandler < ActionHandler
+  class ActionHandler < Avo::Actions::ActionHandler
     set_callback :handle, :before do
       @owner = fields[:owner]
       error "Must specify a valid user to add as owner" if @owner.blank?
@@ -22,16 +26,16 @@ class ActionHandler < ActionHandler
       error "Cannot add #{@owner.name} as an owner since they are unconfirmed" if @owner.unconfirmed?
     end
 
-    def do_handle_model(rubygem)
+    def do_handle_record(rubygem)
       @rubygem = rubygem
       super
     end
 
-    set_callback :handle_model, :before do
+    set_callback :handle_record, :before do
       error "Cannot add #{@owner.name} as an owner since they are already an owner of #{@rubygem.name}" if @owner.rubygems.include?(@rubygem)
     end
 
-    def handle_model(rubygem)
+    def handle_record(rubygem)
       authorizer = User.security_user
       rubygem.ownerships.create!(user: @owner, authorizer: authorizer, confirmed_at: Time.current)
       succeed "Added #{@owner.name} to #{@rubygem.name}"
diff --git a/app/avo/actions/base_action.rb b/app/avo/actions/application_action.rb
similarity index 64%
rename from app/avo/actions/base_action.rb
rename to app/avo/actions/application_action.rb
index 4e985aef5b2..dc5998bd2ac 100644
--- a/app/avo/actions/base_action.rb
+++ b/app/avo/actions/application_action.rb
@@ -1,17 +1,12 @@
-class BaseAction < Avo::BaseAction
+class Avo::Actions::ApplicationAction < Avo::BaseAction
   include SemanticLogger::Loggable
 
-  field :comment, as: :textarea, required: true,
-    help: "A comment explaining why this action was taken.<br>Will be saved in the audit log.<br>Must be more than 10 characters."
-
-  def self.inherited(base)
-    super
-    base.items_holder = Avo::ItemsHolder.new
-    base.items_holder.instance_variable_get(:@items).replace items_holder.instance_variable_get(:@items).deep_dup
-    base.items_holder.invalid_fields.replace items_holder.invalid_fields.deep_dup
+  def fields
+    field :comment, as: :textarea, required: true,
+      help: "A comment explaining why this action was taken.<br>Will be saved in the audit log.<br>Must be more than 10 characters."
   end
 
-  class ActionHandler
+  class Avo::Actions::ActionHandler
     include Auditable
     include SemanticLogger::Loggable
 
@@ -20,7 +15,7 @@ class ActionHandler
       result_lambda.call
       target.errored?
     }
-    define_callbacks :handle_model, terminator: lambda { |target, result_lambda|
+    define_callbacks :handle_record, terminator: lambda { |target, result_lambda|
       result_lambda.call
       target.errored?
     }
@@ -35,18 +30,20 @@ def initialize( # rubocop:disable Metrics/ParameterLists
       arguments:,
       resource:,
       action:,
-      models: nil
+      query:,
+      records: nil
     )
-      @models = models
+      @records = records
       @fields = fields
       @current_user = current_user
       @arguments = arguments
       @resource = resource
+      @query = query
 
       @action = action
     end
 
-    attr_reader :models, :fields, :current_user, :arguments, :resource
+    attr_reader :records, :fields, :current_user, :arguments, :resource, :query
 
     delegate :error, :avo, :keep_modal_open, :redirect_to, :inform, :action_name, :succeed, :logger,
       to: :@action
@@ -60,7 +57,7 @@ def initialize( # rubocop:disable Metrics/ParameterLists
         block.call
       rescue StandardError => e
         Rails.error.report(e, handled: true)
-        error e.message.truncate(300)
+        error e.message
       end
     }
 
@@ -72,9 +69,17 @@ def do_handle
       keep_modal_open if errored?
     end
 
-    def do_handle_model(model)
-      run_callbacks :handle_model do
-        handle_model(model)
+    def handle_record(record)
+      raise NotImplementedError, "#{self.class}#handle_record is not implemented"
+    end
+
+    def handle_standalone
+      raise NotImplementedError, "#{self.class}#handle_standalone is not implemented"
+    end
+
+    def do_handle_record(record)
+      run_callbacks :handle_record do
+        handle_record(record)
       end
     end
 
@@ -89,7 +94,7 @@ def do_handle_standalone
         action: action_name,
         fields:,
         arguments:,
-        models:
+        models: records
       ) do
         run_callbacks :handle_standalone do
           handle_standalone
@@ -99,17 +104,17 @@ def do_handle_standalone
     end
 
     def handle
-      return do_handle_standalone if models.nil?
-      models.each do |model|
+      return do_handle_standalone if @action.class.standalone
+      records.each do |record|
         _, audit = in_audited_transaction(
-          auditable: model,
+          auditable: record,
           admin_github_user: current_user,
           action: action_name,
           fields:,
           arguments:,
-          models:
+          models: records
         ) do
-          do_handle_model(model)
+          do_handle_record(record)
         end
         redirect_to avo.resources_audit_path(audit)
       end
@@ -117,9 +122,9 @@ def handle
   end
 
   def handle(**args)
-    "#{self.class}::ActionHandler"
-      .constantize
+    action_handler = self.class.const_get(:ActionHandler)
       .new(**args, arguments:, action: self)
-      .do_handle
+
+    action_handler.do_handle
   end
 end
diff --git a/app/avo/actions/block_user.rb b/app/avo/actions/block_user.rb
index d73eb3fb7f8..2ec8e9ca525 100644
--- a/app/avo/actions/block_user.rb
+++ b/app/avo/actions/block_user.rb
@@ -1,4 +1,4 @@
-class BlockUser < BaseAction
+class Avo::Actions::BlockUser < Avo::Actions::ApplicationAction
   self.name = "Block User"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") && view == :show
@@ -10,8 +10,8 @@ class BlockUser < BaseAction
 
   self.confirm_button_label = "Block User"
 
-  class ActionHandler < ActionHandler
-    def handle_model(user)
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(user)
       user.block!
     end
   end
diff --git a/app/avo/actions/change_user_email.rb b/app/avo/actions/change_user_email.rb
index 949a0f82feb..5b84a4ddaf0 100644
--- a/app/avo/actions/change_user_email.rb
+++ b/app/avo/actions/change_user_email.rb
@@ -1,5 +1,8 @@
-class ChangeUserEmail < BaseAction
-  field :from_email, name: "Email", as: :text, required: true
+class Avo::Actions::ChangeUserEmail < Avo::Actions::ApplicationAction
+  def fields
+    field :from_email, name: "Email", as: :text, required: true
+    super
+  end
 
   self.name = "Change User Email"
   self.visible = lambda {
@@ -8,8 +11,8 @@ class ChangeUserEmail < BaseAction
 
   self.confirm_button_label = "Change User Email"
 
-  class ActionHandler < ActionHandler
-    def handle_model(user)
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(user)
       user.email = fields["from_email"]
       user.email_confirmed = false
       user.generate_confirmation_token
diff --git a/app/avo/actions/create_user.rb b/app/avo/actions/create_user.rb
index 8abd11d3969..80ec4ed66e5 100644
--- a/app/avo/actions/create_user.rb
+++ b/app/avo/actions/create_user.rb
@@ -1,6 +1,4 @@
-class CreateUser < BaseAction
-  field :email, name: "Email", as: :text, required: true
-
+class Avo::Actions::CreateUser < Avo::Actions::ApplicationAction
   self.name = "Create User"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") && view == :index && !Rails.env.production?
@@ -9,7 +7,12 @@ class CreateUser < BaseAction
 
   self.confirm_button_label = "Create User"
 
-  class ActionHandler < ActionHandler
+  def fields
+    field :email, name: "Email", as: :text, required: true
+    super
+  end
+
+  class ActionHandler < Avo::Actions::ActionHandler
     def handle_standalone
       user = User.new(
         email: fields["email"],
diff --git a/app/avo/actions/delete_webhook.rb b/app/avo/actions/delete_webhook.rb
index 4a696fbc5c8..da6959c8ed3 100644
--- a/app/avo/actions/delete_webhook.rb
+++ b/app/avo/actions/delete_webhook.rb
@@ -1,4 +1,4 @@
-class DeleteWebhook < BaseAction
+class Avo::Actions::DeleteWebhook < Avo::Actions::ApplicationAction
   self.name = "Delete Webhook"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") && view == :show
@@ -10,8 +10,8 @@ class DeleteWebhook < BaseAction
 
   self.confirm_button_label = "Delete Webhook"
 
-  class ActionHandler < ActionHandler
-    def handle_model(webhook)
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(webhook)
       webhook.destroy!
       WebHooksMailer.webhook_deleted(webhook.user_id, webhook.rubygem_id, webhook.url, webhook.failure_count).deliver_later
     end
diff --git a/app/avo/actions/onboard_organization.rb b/app/avo/actions/onboard_organization.rb
new file mode 100644
index 00000000000..96708a56a6a
--- /dev/null
+++ b/app/avo/actions/onboard_organization.rb
@@ -0,0 +1,16 @@
+class Avo::Actions::OnboardOrganization < Avo::Actions::ApplicationAction
+  self.name = "Onboard Organization"
+  self.visible = lambda {
+    current_user.team_member?("rubygems-org") && view == :show
+  }
+
+  self.message = lambda {
+    "Are you sure you would like to onboard this organization?"
+  }
+
+  self.confirm_button_label = "Onboard"
+
+  def handle(query:, **_)
+    query.each(&:onboard!)
+  end
+end
diff --git a/app/avo/actions/refresh_oidc_provider.rb b/app/avo/actions/refresh_oidc_provider.rb
index c53e53d766f..eac8c960589 100644
--- a/app/avo/actions/refresh_oidc_provider.rb
+++ b/app/avo/actions/refresh_oidc_provider.rb
@@ -1,4 +1,4 @@
-class RefreshOIDCProvider < BaseAction
+class Avo::Actions::RefreshOIDCProvider < Avo::Actions::ApplicationAction
   self.name = "Refresh OIDC Provider"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") && view == :show
@@ -10,8 +10,8 @@ class RefreshOIDCProvider < BaseAction
 
   self.confirm_button_label = "Refresh"
 
-  class ActionHandler < ActionHandler
-    def handle_model(provider)
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(provider)
       RefreshOIDCProviderJob.perform_now(provider:)
     end
   end
diff --git a/app/avo/actions/release_reserved_namespace.rb b/app/avo/actions/release_reserved_namespace.rb
index 1cbbe8b793c..8ae227a433f 100644
--- a/app/avo/actions/release_reserved_namespace.rb
+++ b/app/avo/actions/release_reserved_namespace.rb
@@ -1,4 +1,4 @@
-class ReleaseReservedNamespace < BaseAction
+class Avo::Actions::ReleaseReservedNamespace < Avo::Actions::ApplicationAction
   self.name = "Release reserved namespace"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") && view == :show
@@ -10,8 +10,8 @@ class ReleaseReservedNamespace < BaseAction
 
   self.confirm_button_label = "Release namespace"
 
-  class ActionHandler < ActionHandler
-    def handle_model(rubygem)
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(rubygem)
       rubygem.release_reserved_namespace!
     end
   end
diff --git a/app/avo/actions/reset_api_key.rb b/app/avo/actions/reset_api_key.rb
index 9f5240c4958..51b89340bb3 100644
--- a/app/avo/actions/reset_api_key.rb
+++ b/app/avo/actions/reset_api_key.rb
@@ -1,4 +1,4 @@
-class ResetApiKey < BaseAction
+class Avo::Actions::ResetApiKey < Avo::Actions::ApplicationAction
   self.name = "Reset Api Key"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") && view == :show
@@ -8,15 +8,18 @@ class ResetApiKey < BaseAction
   }
   self.confirm_button_label = "Reset Api Key"
 
-  field :template, as: :select,
-    options: {
-      "Public Gem": :public_gem_reset_api_key,
-      Honeycomb: :honeycomb_reset_api_key
-    },
-    help: "Select mailer template"
+  def fields
+    field :template, as: :select,
+      options: {
+        "Public Gem": :public_gem_reset_api_key,
+        Honeycomb: :honeycomb_reset_api_key
+      },
+      help: "Select mailer template"
+    super
+  end
 
-  class ActionHandler < ActionHandler
-    def handle_model(user)
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(user)
       user.reset_api_key!
 
       Mailer.reset_api_key(user, fields["template"]).deliver_later
diff --git a/app/avo/actions/reset_user_2fa.rb b/app/avo/actions/reset_user_2fa.rb
index 03e19a1d518..c775f717593 100644
--- a/app/avo/actions/reset_user_2fa.rb
+++ b/app/avo/actions/reset_user_2fa.rb
@@ -1,4 +1,4 @@
-class ResetUser2fa < BaseAction
+class Avo::Actions::ResetUser2fa < Avo::Actions::ApplicationAction
   self.name = "Reset User 2FA"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") && view == :show
@@ -10,8 +10,8 @@ class ResetUser2fa < BaseAction
 
   self.confirm_button_label = "Reset MFA"
 
-  class ActionHandler < ActionHandler
-    def handle_model(user)
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(user)
       user.disable_totp!
       user.password = SecureRandom.hex(20).encode("UTF-8")
       user.save!
diff --git a/app/avo/actions/restore_version.rb b/app/avo/actions/restore_version.rb
index 2a5bf7f250f..bfb80bdba34 100644
--- a/app/avo/actions/restore_version.rb
+++ b/app/avo/actions/restore_version.rb
@@ -1,17 +1,17 @@
-class RestoreVersion < BaseAction
+class Avo::Actions::RestoreVersion < Avo::Actions::ApplicationAction
   self.name = "Restore version"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") &&
       view == :show &&
-      resource.model.deletion.present?
+      resource.record.deletion.present?
   }
   self.message = lambda {
     "Are you sure you would like to restore #{record.slug} with "
   }
   self.confirm_button_label = "Restore version"
 
-  class ActionHandler < ActionHandler
-    def handle_model(version)
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(version)
       version.deletion&.restore!
     end
   end
diff --git a/app/avo/actions/unblock_user.rb b/app/avo/actions/unblock_user.rb
new file mode 100644
index 00000000000..d8e7305bb07
--- /dev/null
+++ b/app/avo/actions/unblock_user.rb
@@ -0,0 +1,18 @@
+class Avo::Actions::UnblockUser < Avo::Actions::ApplicationAction
+  self.name = "Unblock User"
+  self.visible = lambda {
+    current_user.team_member?("rubygems-org") && view == :show && record.blocked?
+  }
+
+  self.message = lambda {
+    "Are you sure you would like to unblock user #{record.handle} with #{record.blocked_email}?"
+  }
+
+  self.confirm_button_label = "Unblock User"
+
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(user)
+      user.unblock!
+    end
+  end
+end
diff --git a/app/avo/actions/upload_info_file.rb b/app/avo/actions/upload_info_file.rb
index 38740af0a4f..264dd083ac9 100644
--- a/app/avo/actions/upload_info_file.rb
+++ b/app/avo/actions/upload_info_file.rb
@@ -1,12 +1,12 @@
-class UploadInfoFile < BaseAction
+class Avo::Actions::UploadInfoFile < Avo::Actions::ApplicationAction
   self.name = "Upload Info File"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") && view == :show
   }
   self.confirm_button_label = "Upload"
 
-  class ActionHandler < ActionHandler
-    def handle_model(rubygem)
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(rubygem)
       UploadInfoFileJob.perform_later(rubygem_name: rubygem.name)
 
       succeed("Upload job scheduled")
diff --git a/app/avo/actions/upload_names_file.rb b/app/avo/actions/upload_names_file.rb
index 1ab53b4ce95..c9eac66a398 100644
--- a/app/avo/actions/upload_names_file.rb
+++ b/app/avo/actions/upload_names_file.rb
@@ -1,4 +1,4 @@
-class UploadNamesFile < BaseAction
+class Avo::Actions::UploadNamesFile < Avo::Actions::ApplicationAction
   self.name = "Upload Names File"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") && view == :index
@@ -6,7 +6,7 @@ class UploadNamesFile < BaseAction
   self.standalone = true
   self.confirm_button_label = "Upload"
 
-  class ActionHandler < ActionHandler
+  class ActionHandler < Avo::Actions::ActionHandler
     def handle_standalone
       UploadNamesFileJob.perform_later
 
diff --git a/app/avo/actions/upload_versions_file.rb b/app/avo/actions/upload_versions_file.rb
index ee5f700a02a..7a14e02a864 100644
--- a/app/avo/actions/upload_versions_file.rb
+++ b/app/avo/actions/upload_versions_file.rb
@@ -1,4 +1,4 @@
-class UploadVersionsFile < BaseAction
+class Avo::Actions::UploadVersionsFile < Avo::Actions::ApplicationAction
   self.name = "Upload Versions File"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") && view == :index
@@ -6,7 +6,7 @@ class UploadVersionsFile < BaseAction
   self.standalone = true
   self.confirm_button_label = "Upload"
 
-  class ActionHandler < ActionHandler
+  class ActionHandler < Avo::Actions::ActionHandler
     def handle_standalone
       UploadVersionsFileJob.perform_later
 
diff --git a/app/avo/actions/version_after_write.rb b/app/avo/actions/version_after_write.rb
index 94490970847..cfbe40a9933 100644
--- a/app/avo/actions/version_after_write.rb
+++ b/app/avo/actions/version_after_write.rb
@@ -1,9 +1,9 @@
-class VersionAfterWrite < BaseAction
+class Avo::Actions::VersionAfterWrite < Avo::Actions::ApplicationAction
   self.name = "Run version post-write job"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") &&
       view == :show &&
-      resource.model.deletion.blank?
+      resource.record.deletion.blank?
   }
 
   self.message = lambda {
@@ -12,8 +12,8 @@ class VersionAfterWrite < BaseAction
 
   self.confirm_button_label = "Run Job"
 
-  class ActionHandler < ActionHandler
-    def handle_model(version)
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(version)
       AfterVersionWriteJob.new(version: version).perform(version: version)
     end
   end
diff --git a/app/avo/actions/yank_rubygem.rb b/app/avo/actions/yank_rubygem.rb
index 21c9771ef37..ddc86f8a855 100644
--- a/app/avo/actions/yank_rubygem.rb
+++ b/app/avo/actions/yank_rubygem.rb
@@ -1,17 +1,18 @@
-class YankRubygem < BaseAction
+class Avo::Actions::YankRubygem < Avo::Actions::ApplicationAction
   OPTION_ALL = "All".freeze
 
-  field :version, as: :select,
-    options: lambda { |model:, resource:, view:, field:| # rubocop:disable Lint/UnusedBlockArgument
-      [OPTION_ALL] + model.versions.indexed.pluck(:number, :id)
-    },
-    help: "Select Version which needs to be yanked."
+  def fields
+    field :version, as: :select,
+      options: -> { [OPTION_ALL] + record.versions.indexed.pluck(:number, :id) },
+      help: "Select Version which needs to be yanked."
+    super
+  end
 
   self.name = "Yank Rubygem"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") &&
       view == :show &&
-      resource.model.versions.indexed.present?
+      resource.record.versions.indexed.present?
   }
 
   self.message = lambda {
@@ -20,8 +21,8 @@ class YankRubygem < BaseAction
 
   self.confirm_button_label = "Yank Rubygem"
 
-  class ActionHandler < ActionHandler
-    def handle_model(rubygem)
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(rubygem)
       version_id = fields["version"]
       version_id_to_yank = version_id if version_id != OPTION_ALL
 
diff --git a/app/avo/actions/yank_rubygems_for_user.rb b/app/avo/actions/yank_rubygems_for_user.rb
index d6f5e00e334..ba3edb0b157 100644
--- a/app/avo/actions/yank_rubygems_for_user.rb
+++ b/app/avo/actions/yank_rubygems_for_user.rb
@@ -1,9 +1,9 @@
-class YankRubygemsForUser < BaseAction
+class Avo::Actions::YankRubygemsForUser < Avo::Actions::ApplicationAction
   self.name = "Yank all Rubygems"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") &&
       view == :show &&
-      resource.model.rubygems.present?
+      resource.record.rubygems.present?
   }
 
   self.message = lambda {
@@ -12,8 +12,8 @@ class YankRubygemsForUser < BaseAction
 
   self.confirm_button_label = "Yank all Rubygems"
 
-  class ActionHandler < ActionHandler
-    def handle_model(user)
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(user)
       user.rubygems.find_each do |rubygem|
         rubygem.yank_versions!(force: true)
       end
diff --git a/app/avo/actions/yank_user.rb b/app/avo/actions/yank_user.rb
index 1f4f34acdf8..9a0612048cf 100644
--- a/app/avo/actions/yank_user.rb
+++ b/app/avo/actions/yank_user.rb
@@ -1,4 +1,4 @@
-class YankUser < BaseAction
+class Avo::Actions::YankUser < Avo::Actions::ApplicationAction
   self.name = "Yank User"
   self.visible = lambda {
     current_user.team_member?("rubygems-org") && view == :show
@@ -8,8 +8,8 @@ class YankUser < BaseAction
   }
   self.confirm_button_label = "Yank User"
 
-  class ActionHandler < ActionHandler
-    def handle_model(user)
+  class ActionHandler < Avo::Actions::ActionHandler
+    def handle_record(user)
       user.rubygems.find_each do |rubygem|
         rubygem.yank_versions!(force: true)
       end
diff --git a/app/avo/cards/dashboard_welcome_card.rb b/app/avo/cards/dashboard_welcome_card.rb
index 8cbadb73c47..e5d37e51490 100644
--- a/app/avo/cards/dashboard_welcome_card.rb
+++ b/app/avo/cards/dashboard_welcome_card.rb
@@ -1,4 +1,4 @@
-class DashboardWelcomeCard < Avo::Dashboards::PartialCard
+class Avo::Cards::DashboardWelcomeCard < Avo::Cards::PartialCard
   self.id = "dashboard_welcome_card"
   self.label = "Welcome to the RubyGems.org admin dashboard!"
   self.partial = "avo/cards/dashboard_welcome_card"
diff --git a/app/avo/cards/pushes_chart.rb b/app/avo/cards/pushes_chart.rb
index 5d45743df0b..523970c762f 100644
--- a/app/avo/cards/pushes_chart.rb
+++ b/app/avo/cards/pushes_chart.rb
@@ -1,4 +1,4 @@
-class PushesChart < Avo::Dashboards::ChartkickCard
+class Avo::Cards::PushesChart < Avo::Cards::ChartkickCard
   self.id = "pushes_chart"
   self.label = "Pushes by day"
   self.chart_type = :line_chart
diff --git a/app/avo/cards/rubygems_metric.rb b/app/avo/cards/rubygems_metric.rb
index 03f9dfc57a6..cd74a871bed 100644
--- a/app/avo/cards/rubygems_metric.rb
+++ b/app/avo/cards/rubygems_metric.rb
@@ -1,4 +1,4 @@
-class RubygemsMetric < Avo::Dashboards::MetricCard
+class Avo::Cards::RubygemsMetric < Avo::Cards::MetricCard
   self.id = "rubygems_metric"
   self.label = "RubyGems "
   self.cols = 2
diff --git a/app/avo/cards/users_metric.rb b/app/avo/cards/users_metric.rb
index 18033d49463..e9eb71941f2 100644
--- a/app/avo/cards/users_metric.rb
+++ b/app/avo/cards/users_metric.rb
@@ -1,4 +1,4 @@
-class UsersMetric < Avo::Dashboards::MetricCard
+class Avo::Cards::UsersMetric < Avo::Cards::MetricCard
   self.id = "users_metric"
   self.label = "Total users"
   self.cols = 2
diff --git a/app/avo/cards/versions_metric.rb b/app/avo/cards/versions_metric.rb
index fefa912a30f..0c245831f40 100644
--- a/app/avo/cards/versions_metric.rb
+++ b/app/avo/cards/versions_metric.rb
@@ -1,4 +1,4 @@
-class VersionsMetric < Avo::Dashboards::MetricCard
+class Avo::Cards::VersionsMetric < Avo::Cards::MetricCard
   self.id = "versions_metric"
   self.label = "Versions pushed"
 
diff --git a/app/avo/dashboards/dashy.rb b/app/avo/dashboards/dashy.rb
index 3a5ef54376c..18e8c43ebff 100644
--- a/app/avo/dashboards/dashy.rb
+++ b/app/avo/dashboards/dashy.rb
@@ -1,21 +1,22 @@
-class Dashy < Avo::Dashboards::BaseDashboard
+class Avo::Dashboards::Dashy < Avo::Dashboards::BaseDashboard
   self.id = "dashy"
-  self.name = "Dashy"
+  self.name = "Avo::Dashboards::Dashy"
   self.grid_cols = 6
   self.visible = lambda {
     current_user.team_member?("rubygems-org")
   }
 
-  # cards go here
-  card DashboardWelcomeCard
+  def cards
+    card Avo::Cards::DashboardWelcomeCard
 
-  divider label: "Metrics"
+    divider label: "Metrics"
 
-  card UsersMetric
-  card VersionsMetric
-  card RubygemsMetric
+    card Avo::Cards::UsersMetric
+    card Avo::Cards::VersionsMetric
+    card Avo::Cards::RubygemsMetric
 
-  divider label: "Charts"
+    divider label: "Charts"
 
-  card PushesChart
+    card Avo::Cards::PushesChart
+  end
 end
diff --git a/app/avo/fields/array_of_field.rb b/app/avo/fields/array_of_field.rb
index 7688f1662ed..d86dba064d2 100644
--- a/app/avo/fields/array_of_field.rb
+++ b/app/avo/fields/array_of_field.rb
@@ -1,9 +1,9 @@
-class ArrayOfField < Avo::Fields::BaseField
+class Avo::Fields::ArrayOfField < Avo::Fields::BaseField
   def initialize(name, field:, field_options: {}, **args, &block)
     super(name, **args, &nil)
 
     @make_field = lambda do |id:, index: nil, value: nil|
-      items_holder = Avo::ItemsHolder.new
+      items_holder = Avo::Resources::Items::Holder.new
       items_holder.field(id, name: index&.to_s || self.name, as: field, required: -> { false }, value:, **field_options, &block)
       items_holder.items.sole.hydrate(view:, resource:)
     end
diff --git a/app/avo/fields/audited_changes_field.rb b/app/avo/fields/audited_changes_field.rb
index 4d4398abcb3..3f4e8b522bb 100644
--- a/app/avo/fields/audited_changes_field.rb
+++ b/app/avo/fields/audited_changes_field.rb
@@ -1,2 +1,2 @@
-class AuditedChangesField < Avo::Fields::BaseField
+class Avo::Fields::AuditedChangesField < Avo::Fields::BaseField
 end
diff --git a/app/avo/fields/event_additional_field.rb b/app/avo/fields/event_additional_field.rb
index 3e42dc93235..faf2f30f69f 100644
--- a/app/avo/fields/event_additional_field.rb
+++ b/app/avo/fields/event_additional_field.rb
@@ -1,13 +1,13 @@
-class EventAdditionalField < Avo::Fields::BaseField
+class Avo::Fields::EventAdditionalField < Avo::Fields::BaseField
   def nested_field
-    return unless @model
-    additional_type = @model.additional_type
+    return unless record
+    additional_type = record.additional_type
     if additional_type.nil?
       return JsonViewerField.new(id, **@args)
-          .hydrate(model:, resource:, action:, view:, panel_name:, user:)
+          .hydrate(record:, resource:, action:, view:, panel_name:, user:)
     end
 
-    NestedField.new(id, **@args) do
+    Avo::Fields::NestedField.new(id, **@args) do
       additional_type.attribute_types.each do |attribute_name, type|
         case type
         when Types::GlobalId
@@ -20,7 +20,7 @@ def nested_field
           field attribute_name.to_sym, as: :json_viewer, hide_on: :index
         end
       end
-    end.hydrate(model:, resource:, action:, view:, panel_name:, user:)
+    end.hydrate(record:, resource:, action:, view:, panel_name:, user:)
   end
 
   methods = %i[fill_field value update_using to_permitted_param component_for_view visible get_fields]
diff --git a/app/avo/fields/global_id_field.rb b/app/avo/fields/global_id_field.rb
index 0f72f5637af..59cce30fcbc 100644
--- a/app/avo/fields/global_id_field.rb
+++ b/app/avo/fields/global_id_field.rb
@@ -1,4 +1,4 @@
-class GlobalIdField < Avo::Fields::BelongsToField
+class Avo::Fields::GlobalIdField < Avo::Fields::BelongsToField
   include SemanticLogger::Loggable
 
   delegate(*%i[values_for_type custom?], to: :@nil)
diff --git a/app/avo/fields/json_viewer_field.rb b/app/avo/fields/json_viewer_field.rb
index df4d52e45d3..aedb7030e5f 100644
--- a/app/avo/fields/json_viewer_field.rb
+++ b/app/avo/fields/json_viewer_field.rb
@@ -1,4 +1,4 @@
-class JsonViewerField < Avo::Fields::CodeField
+class Avo::Fields::JsonViewerField < Avo::Fields::CodeField
   def initialize(name, **args, &)
     super(name, **args, language: :javascript, line_wrapping: true, &)
   end
diff --git a/app/avo/fields/nested_field.rb b/app/avo/fields/nested_field.rb
index 769216a026a..c0078d70892 100644
--- a/app/avo/fields/nested_field.rb
+++ b/app/avo/fields/nested_field.rb
@@ -1,8 +1,8 @@
-class NestedField < Avo::Fields::BaseField
-  include Avo::Concerns::HasFields
+class Avo::Fields::NestedField < Avo::Fields::BaseField
+  include Avo::Concerns::HasItems
 
   def initialize(name, stacked: true, **args, &block)
-    @items_holder = Avo::ItemsHolder.new
+    @items_holder = Avo::Resources::Items::Holder.new
     hide_on :index
     super(name, stacked:, **args, &nil)
     instance_exec(&block) if block
diff --git a/app/avo/fields/select_record_field.rb b/app/avo/fields/select_record_field.rb
index 83da8985919..e4d07e2373e 100644
--- a/app/avo/fields/select_record_field.rb
+++ b/app/avo/fields/select_record_field.rb
@@ -1,4 +1,4 @@
-class SelectRecordField < Avo::Fields::BelongsToField
+class Avo::Fields::SelectRecordField < Avo::Fields::BelongsToField
   def foreign_key
     id
   end
@@ -7,4 +7,8 @@ def resolve_attribute(value)
     return if value.blank?
     target_resource.find_record value
   end
+
+  def form_field_label
+    is_searchable? ? id : super
+  end
 end
diff --git a/app/avo/filters/email_filter.rb b/app/avo/filters/email_filter.rb
index 2a3375c86c5..2cbc9e19912 100644
--- a/app/avo/filters/email_filter.rb
+++ b/app/avo/filters/email_filter.rb
@@ -1,4 +1,4 @@
-class EmailFilter < Avo::Filters::TextFilter
+class Avo::Filters::EmailFilter < Avo::Filters::TextFilter
   self.name = "Email filter"
   self.button_label = "Filter by email"
 
diff --git a/app/avo/filters/scope_boolean_filter.rb b/app/avo/filters/scope_boolean_filter.rb
index 6addbbcb400..67543347576 100644
--- a/app/avo/filters/scope_boolean_filter.rb
+++ b/app/avo/filters/scope_boolean_filter.rb
@@ -1,4 +1,4 @@
-class ScopeBooleanFilter < Avo::Filters::BooleanFilter
+class Avo::Filters::ScopeBooleanFilter < Avo::Filters::BooleanFilter
   def name
     arguments.fetch(:name) { self.class.to_s.demodulize.underscore.sub(/_filter$/, "").titleize }
   end
diff --git a/app/avo/resources/admin_github_user.rb b/app/avo/resources/admin_github_user.rb
new file mode 100644
index 00000000000..1f90f36b113
--- /dev/null
+++ b/app/avo/resources/admin_github_user.rb
@@ -0,0 +1,34 @@
+class Avo::Resources::AdminGitHubUser < Avo::BaseResource
+  self.title = :login
+  self.includes = []
+  self.model_class = ::Admin::GitHubUser
+  self.search = {
+    query: lambda {
+             query.where("login LIKE ?", "%#{params[:q]}%")
+           }
+  }
+
+  self.description = "GitHub users that have authenticated via the admin OAuth flow."
+
+  def fields
+    field :id, as: :id
+
+    field :is_admin, as: :boolean, readonly: true
+    field :login, as: :text, readonly: true,
+      as_html: true,
+      format_using: -> { link_to value, "https://github.com/#{value}" }
+    field :avatar_url, as: :external_image, name: "Avatar", readonly: true
+    field :github_id, as: :text, readonly: true
+    field :oauth_token, as: :text, visible: -> { false }
+
+    field :details, as: :heading
+
+    field :teams, as: :tags, readonly: true, format_using: -> { value.pluck(:slug) }
+
+    field :info_data,
+      as: :code, readonly: true, language: :javascript,
+      format_using: -> { JSON.pretty_generate value }
+
+    field :audits, as: :has_many
+  end
+end
diff --git a/app/avo/resources/admin_github_user_resource.rb b/app/avo/resources/admin_github_user_resource.rb
deleted file mode 100644
index 65a1e6c79e3..00000000000
--- a/app/avo/resources/admin_github_user_resource.rb
+++ /dev/null
@@ -1,31 +0,0 @@
-class AdminGitHubUserResource < Avo::BaseResource
-  self.title = :login
-  self.includes = []
-  self.model_class = ::Admin::GitHubUser
-  self.authorization_policy = ::Admin::GitHubUserPolicy
-  self.search_query = lambda {
-    scope.where("login LIKE ?", "%#{params[:q]}%")
-  }
-
-  self.description = "GitHub users that have authenticated via the admin OAuth flow."
-
-  field :id, as: :id
-
-  field :is_admin, as: :boolean, readonly: true
-  field :login, as: :text, readonly: true,
-    as_html: true,
-    format_using: -> { link_to value, "https://github.com/#{value}" }
-  field :avatar_url, as: :external_image, name: "Avatar", readonly: true
-  field :github_id, as: :text, readonly: true
-  field :oauth_token, as: :text, visible: ->(resource:) { false } # rubocop:disable Lint/UnusedBlockArgument
-
-  heading "Details"
-
-  field :teams, as: :tags, readonly: true, format_using: -> { value.pluck(:slug) }
-
-  field :info_data,
-    as: :code, readonly: true, language: :javascript,
-    format_using: -> { JSON.pretty_generate value }
-
-  field :audits, as: :has_many
-end
diff --git a/app/avo/resources/api_key.rb b/app/avo/resources/api_key.rb
new file mode 100644
index 00000000000..c3c2251565e
--- /dev/null
+++ b/app/avo/resources/api_key.rb
@@ -0,0 +1,46 @@
+class Avo::Resources::ApiKey < Avo::BaseResource
+  self.title = :name
+  self.includes = []
+
+  class ExpiredFilter < Avo::Filters::ScopeBooleanFilter; end
+
+  def filters
+    filter ExpiredFilter, arguments: { default: { expired: false, unexpired: true } }
+  end
+
+  def fields
+    main_panel do
+      field :id, as: :id, hide_on: :index
+
+      field :name, as: :text, link_to_resource: true
+      field :hashed_key, as: :text, visible: -> { false }
+      field :user, as: :belongs_to, visible: -> { false }
+      field :owner, as: :belongs_to,
+        polymorphic_as: :owner,
+        types: [::User, ::OIDC::TrustedPublisher::GitHubAction]
+      field :last_accessed_at, as: :date_time
+      field :soft_deleted_at, as: :date_time
+      field :soft_deleted_rubygem_name, as: :text
+      field :expires_at, as: :date_time
+
+      field :enabled_scopes, as: :tags
+
+      sidebar do
+        field :permissions, as: :heading
+
+        field :index_rubygems, as: :boolean
+        field :push_rubygem, as: :boolean
+        field :yank_rubygem, as: :boolean
+        field :add_owner, as: :boolean
+        field :remove_owner, as: :boolean
+        field :access_webhooks, as: :boolean
+        field :show_dashboard, as: :boolean
+        field :mfa, as: :boolean
+      end
+    end
+
+    field :api_key_rubygem_scope, as: :has_one
+    field :ownership, as: :has_one
+    field :oidc_id_token, as: :has_one
+  end
+end
diff --git a/app/avo/resources/api_key_resource.rb b/app/avo/resources/api_key_resource.rb
deleted file mode 100644
index dfcec27ceb2..00000000000
--- a/app/avo/resources/api_key_resource.rb
+++ /dev/null
@@ -1,39 +0,0 @@
-class ApiKeyResource < Avo::BaseResource
-  self.title = :name
-  self.includes = []
-
-  class ExpiredFilter < ScopeBooleanFilter; end
-  filter ExpiredFilter, arguments: { default: { expired: false, unexpired: true } }
-
-  field :id, as: :id, hide_on: :index
-
-  field :name, as: :text, link_to_resource: true
-  field :hashed_key, as: :text, visible: ->(_) { false }
-  field :user, as: :belongs_to, visible: ->(_) { false }
-  field :owner, as: :belongs_to,
-    polymorphic_as: :owner,
-    types: ["User", "OIDC::TrustedPublisher::GitHubAction"]
-  field :last_accessed_at, as: :date_time
-  field :soft_deleted_at, as: :date_time
-  field :soft_deleted_rubygem_name, as: :text
-  field :expires_at, as: :date_time
-
-  field :scopes, as: :tags
-
-  sidebar do
-    heading "Permissions"
-
-    field :index_rubygems, as: :boolean
-    field :push_rubygem, as: :boolean
-    field :yank_rubygem, as: :boolean
-    field :add_owner, as: :boolean
-    field :remove_owner, as: :boolean
-    field :access_webhooks, as: :boolean
-    field :show_dashboard, as: :boolean
-    field :mfa, as: :boolean
-  end
-
-  field :api_key_rubygem_scope, as: :has_one
-  field :ownership, as: :has_one
-  field :oidc_id_token, as: :has_one
-end
diff --git a/app/avo/resources/api_key_rubygem_scope.rb b/app/avo/resources/api_key_rubygem_scope.rb
new file mode 100644
index 00000000000..e8105285828
--- /dev/null
+++ b/app/avo/resources/api_key_rubygem_scope.rb
@@ -0,0 +1,11 @@
+class Avo::Resources::ApiKeyRubygemScope < Avo::BaseResource
+  self.title = :cache_key
+  self.includes = []
+
+  def fields
+    field :id, as: :id
+
+    field :api_key, as: :belongs_to
+    field :ownership, as: :belongs_to
+  end
+end
diff --git a/app/avo/resources/api_key_rubygem_scope_resource.rb b/app/avo/resources/api_key_rubygem_scope_resource.rb
deleted file mode 100644
index 9560edba16c..00000000000
--- a/app/avo/resources/api_key_rubygem_scope_resource.rb
+++ /dev/null
@@ -1,9 +0,0 @@
-class ApiKeyRubygemScopeResource < Avo::BaseResource
-  self.title = :cache_key
-  self.includes = []
-
-  field :id, as: :id
-
-  field :api_key, as: :belongs_to
-  field :ownership, as: :belongs_to
-end
diff --git a/app/avo/resources/attestation.rb b/app/avo/resources/attestation.rb
new file mode 100644
index 00000000000..132f3b9d2ac
--- /dev/null
+++ b/app/avo/resources/attestation.rb
@@ -0,0 +1,20 @@
+class Avo::Resources::Attestation < Avo::BaseResource
+  self.title = :id
+  self.includes = [:version]
+
+  def fields
+    field :id, as: :id
+
+    field :version, as: :belongs_to
+    field :media_type, as: :text
+    field :body, as: :json_viewer
+
+    field :leaf_certificate, as: :code, only_on: :show do
+      record.sigstore_bundle.leaf_certificate.to_text
+    end
+
+    field :display_data, as: :json_viewer, only_on: :show do
+      record.display_data
+    end
+  end
+end
diff --git a/app/avo/resources/audit.rb b/app/avo/resources/audit.rb
new file mode 100644
index 00000000000..4395346edd1
--- /dev/null
+++ b/app/avo/resources/audit.rb
@@ -0,0 +1,47 @@
+class Avo::Resources::Audit < Avo::BaseResource
+  self.includes = %i[
+    admin_github_user
+    auditable
+  ]
+
+  def fields
+    main_panel do
+      field :action, as: :text
+
+      if defined?(Avo::Pro)
+        sidebar do
+          panel_sidebar_contents
+        end
+      else
+        panel_sidebar_contents
+      end
+
+      field :audited_changes, as: :audited_changes, except_on: :index
+    end
+  end
+
+  def panel_sidebar_contents
+    field :admin_github_user, as: :belongs_to
+    field :created_at, as: :date_time
+    field :comment, as: :text
+
+    field :auditable, as: :belongs_to,
+      polymorphic_as: :auditable,
+      types: [::User, ::WebHook],
+      name: "Edited Record"
+
+    field :action_details, as: :heading
+
+    field :audited_changes_arguments, as: :json_viewer, only_on: :show do |_model|
+      record.audited_changes["arguments"]
+    end
+    field :audited_changes_fields, as: :json_viewer, only_on: :show do |_model|
+      record.audited_changes["fields"]
+    end
+    field :audited_changes_models, as: :text, as_html: true, only_on: :show do
+      record.audited_changes["models"]
+    end
+
+    field :id, as: :id
+  end
+end
diff --git a/app/avo/resources/audit_resource.rb b/app/avo/resources/audit_resource.rb
deleted file mode 100644
index 548729de209..00000000000
--- a/app/avo/resources/audit_resource.rb
+++ /dev/null
@@ -1,36 +0,0 @@
-class AuditResource < Avo::BaseResource
-  self.title = :id
-  self.includes = %i[
-    admin_github_user
-    auditable
-  ]
-
-  field :action, as: :text
-
-  sidebar do
-    field :admin_github_user, as: :belongs_to
-    field :created_at, as: :date_time
-    field :comment, as: :text
-
-    field :auditable, as: :belongs_to,
-      polymorphic_as: :auditable,
-      types: %w[User WebHook],
-      name: "Edited Record"
-
-    heading "Action Details"
-
-    field :audited_changes_arguments, as: :json_viewer, only_on: :show do |model|
-      model.audited_changes["arguments"]
-    end
-    field :audited_changes_fields, as: :json_viewer, only_on: :show do |model|
-      model.audited_changes["fields"]
-    end
-    field :audited_changes_models, as: :text, as_html: true, only_on: :show do
-      model.audited_changes["models"]
-    end
-
-    field :id, as: :id
-  end
-
-  field :audited_changes, as: :audited_changes, except_on: :index
-end
diff --git a/app/avo/resources/concerns/avo_auditable_resource.rb b/app/avo/resources/concerns/avo_auditable_resource.rb
index 5eb219fb67b..df3630780a4 100644
--- a/app/avo/resources/concerns/avo_auditable_resource.rb
+++ b/app/avo/resources/concerns/avo_auditable_resource.rb
@@ -1,20 +1,24 @@
-module Concerns::AvoAuditableResource
+module Avo::Resources::Concerns::AvoAuditableResource
   extend ActiveSupport::Concern
 
-  class_methods do
-    def inherited(base)
-      super
-      base.items_holder = Avo::ItemsHolder.new
-      base.items_holder.instance_variable_get(:@items).replace items_holder.instance_variable_get(:@items).deep_dup
-      base.items_holder.invalid_fields.replace items_holder.invalid_fields.deep_dup
-    end
+  def fetch_fields
+    super
+    return unless view.form?
+
+    field :comment, as: :textarea, required: true,
+          help: "A comment explaining why this action was taken.<br>Will be saved in the audit log.<br>Must be more than 10 characters."
   end
 
-  included do
-    panel "Auditable" do
-      field :comment, as: :textarea, required: true,
-        help: "A comment explaining why this action was taken.<br>Will be saved in the audit log.<br>Must be more than 10 characters.",
-        only_on: %i[new edit]
+  # Would be nice if there was a way to force a field to show up as visible
+  module HasItemsIncludeComment
+    def visible_items
+      items = super
+
+      if view.form?
+        comment = self.items.find { |item| item.respond_to?(:id) && item.id == :comment }
+        items << comment if comment
+      end
+      items
     end
   end
 end
diff --git a/app/avo/resources/deletion.rb b/app/avo/resources/deletion.rb
new file mode 100644
index 00000000000..d406c74d99a
--- /dev/null
+++ b/app/avo/resources/deletion.rb
@@ -0,0 +1,14 @@
+class Avo::Resources::Deletion < Avo::BaseResource
+  self.includes = [:version]
+
+  def fields
+    field :id, as: :id
+
+    field :created_at, as: :date_time, sortable: true, title: "Deleted At"
+    field :rubygem, as: :text
+    field :number, as: :text
+    field :platform, as: :text
+    field :user, as: :belongs_to
+    field :version, as: :belongs_to
+  end
+end
diff --git a/app/avo/resources/deletion_resource.rb b/app/avo/resources/deletion_resource.rb
deleted file mode 100644
index fdf0cca5387..00000000000
--- a/app/avo/resources/deletion_resource.rb
+++ /dev/null
@@ -1,17 +0,0 @@
-class DeletionResource < Avo::BaseResource
-  self.title = :id
-  self.includes = [:version]
-  # self.search_query = -> do
-  #   scope.ransack(id_eq: params[:q], m: "or").result(distinct: false)
-  # end
-
-  field :id, as: :id
-  # Fields generated from the model
-  field :created_at, as: :date_time, sortable: true, title: "Deleted At"
-  field :rubygem, as: :text
-  field :number, as: :text
-  field :platform, as: :text
-  field :user, as: :belongs_to
-  field :version, as: :belongs_to
-  # add fields here
-end
diff --git a/app/avo/resources/dependency.rb b/app/avo/resources/dependency.rb
new file mode 100644
index 00000000000..b5e364ba7a2
--- /dev/null
+++ b/app/avo/resources/dependency.rb
@@ -0,0 +1,17 @@
+class Avo::Resources::Dependency < Avo::BaseResource
+  self.includes = []
+
+  def fields
+    field :id, as: :id, link_to_resource: true
+
+    field :version, as: :belongs_to
+    field :rubygem, as: :belongs_to
+    field :requirements, as: :text
+    field :unresolved_name, as: :text
+
+    field :scope, as: :badge,
+      options: {
+        warning: "development"
+      }
+  end
+end
diff --git a/app/avo/resources/dependency_resource.rb b/app/avo/resources/dependency_resource.rb
deleted file mode 100644
index a3751556d8f..00000000000
--- a/app/avo/resources/dependency_resource.rb
+++ /dev/null
@@ -1,19 +0,0 @@
-class DependencyResource < Avo::BaseResource
-  self.title = :id
-  self.includes = []
-  # self.search_query = -> do
-  #   scope.ransack(id_eq: params[:q], m: "or").result(distinct: false)
-  # end
-
-  field :id, as: :id, link_to_resource: true
-
-  field :version, as: :belongs_to
-  field :rubygem, as: :belongs_to
-  field :requirements, as: :text
-  field :unresolved_name, as: :text
-
-  field :scope, as: :badge,
-    options: {
-      warning: "development"
-    }
-end
diff --git a/app/avo/resources/events_rubygem_event.rb b/app/avo/resources/events_rubygem_event.rb
new file mode 100644
index 00000000000..74ab7bc5c19
--- /dev/null
+++ b/app/avo/resources/events_rubygem_event.rb
@@ -0,0 +1,30 @@
+class Avo::Resources::EventsRubygemEvent < Avo::BaseResource
+  self.title = :cache_key
+  self.includes = %i[rubygem ip_address geoip_info]
+  self.model_class = "Events::RubygemEvent"
+
+  def fields
+    field :id, as: :id, hide_on: :index
+    field :created_at, as: :date_time
+
+    field :trace_id, as: :text, format_using: proc {
+      if value.present?
+        link_to(
+          view == :index ? "🔗" : value,
+          "https://app.datadoghq.com/logs?query=#{{
+            :@traceid => value,
+          from_ts: (record.created_at - 12.hours).to_i * 1000,
+          to_ts: (record.created_at + 12.hours).to_i * 1000
+          }.to_query}",
+          { target: :_blank, rel: :noopener }
+        )
+      end
+    }
+
+    field :tag, as: :text
+    field :rubygem, as: :belongs_to
+    field :ip_address, as: :belongs_to
+    field :geoip_info, as: :belongs_to
+    field :additional, as: :event_additional, show_on: :index
+  end
+end
diff --git a/app/avo/resources/events_rubygem_event_resource.rb b/app/avo/resources/events_rubygem_event_resource.rb
deleted file mode 100644
index 00e1c212574..00000000000
--- a/app/avo/resources/events_rubygem_event_resource.rb
+++ /dev/null
@@ -1,28 +0,0 @@
-class EventsRubygemEventResource < Avo::BaseResource
-  self.title = :cache_key
-  self.includes = %i[rubygem ip_address geoip_info]
-  self.model_class = ::Events::RubygemEvent
-
-  field :id, as: :id, hide_on: :index
-  field :created_at, as: :date_time
-
-  field :trace_id, as: :text, format_using: proc {
-    if value.present?
-      link_to(
-        view == :index ? "🔗" : value,
-        "https://app.datadoghq.com/logs?query=#{{
-          :@traceid => value,
-          from_ts: (model.created_at - 12.hours).to_i * 1000,
-          to_ts: (model.created_at + 12.hours).to_i * 1000
-        }.to_query}",
-        { target: :_blank, rel: :noopener }
-      )
-    end
-  }
-
-  field :tag, as: :text
-  field :rubygem, as: :belongs_to
-  field :ip_address, as: :belongs_to
-  field :geoip_info, as: :belongs_to
-  field :additional, as: :event_additional, show_on: :index
-end
diff --git a/app/avo/resources/events_user_event.rb b/app/avo/resources/events_user_event.rb
new file mode 100644
index 00000000000..225c6fc723e
--- /dev/null
+++ b/app/avo/resources/events_user_event.rb
@@ -0,0 +1,30 @@
+class Avo::Resources::EventsUserEvent < Avo::BaseResource
+  self.title = :cache_key
+  self.includes = %i[user ip_address geoip_info]
+  self.model_class = "Events::UserEvent"
+
+  def fields
+    field :id, as: :id, hide_on: :index
+
+    field :created_at, as: :date_time
+    field :trace_id, as: :text, format_using: proc {
+      if value.present?
+        link_to(
+          view == :index ? "🔗" : value,
+          "https://app.datadoghq.com/logs?query=#{{
+            :@traceid => value,
+          from_ts: (record.created_at - 12.hours).to_i * 1000,
+          to_ts: (record.created_at + 12.hours).to_i * 1000
+          }.to_query}",
+          { target: :_blank, rel: :noopener }
+        )
+      end
+    }
+
+    field :tag, as: :text
+    field :user, as: :belongs_to
+    field :ip_address, as: :belongs_to
+    field :geoip_info, as: :belongs_to
+    field :additional, as: :event_additional, show_on: :index
+  end
+end
diff --git a/app/avo/resources/events_user_event_resource.rb b/app/avo/resources/events_user_event_resource.rb
deleted file mode 100644
index f1293d3fb1f..00000000000
--- a/app/avo/resources/events_user_event_resource.rb
+++ /dev/null
@@ -1,28 +0,0 @@
-class EventsUserEventResource < Avo::BaseResource
-  self.title = :cache_key
-  self.includes = %i[user ip_address geoip_info]
-  self.model_class = ::Events::UserEvent
-
-  field :id, as: :id, hide_on: :index
-
-  field :created_at, as: :date_time
-  field :trace_id, as: :text, format_using: proc {
-    if value.present?
-      link_to(
-        view == :index ? "🔗" : value,
-        "https://app.datadoghq.com/logs?query=#{{
-          :@traceid => value,
-          from_ts: (model.created_at - 12.hours).to_i * 1000,
-          to_ts: (model.created_at + 12.hours).to_i * 1000
-        }.to_query}",
-        { target: :_blank, rel: :noopener }
-      )
-    end
-  }
-
-  field :tag, as: :text
-  field :user, as: :belongs_to
-  field :ip_address, as: :belongs_to
-  field :geoip_info, as: :belongs_to
-  field :additional, as: :event_additional, show_on: :index
-end
diff --git a/app/avo/resources/gem_download.rb b/app/avo/resources/gem_download.rb
new file mode 100644
index 00000000000..fd33f5963b5
--- /dev/null
+++ b/app/avo/resources/gem_download.rb
@@ -0,0 +1,33 @@
+class Avo::Resources::GemDownload < Avo::BaseResource
+  self.title = :inspect
+  self.includes = %i[rubygem version]
+
+  self.index_query = lambda {
+    query.order(count: :desc)
+  }
+
+  class SpecificityFilter < Avo::Filters::ScopeBooleanFilter; end
+
+  def filters
+    filter SpecificityFilter, arguments: { default: { for_versions: true, for_rubygems: true, total: true } }
+  end
+
+  def fields
+    field :title, as: :text, link_to_resource: true do |_model, _resource, _view|
+      if record.version
+        "#{record.version.full_name} (#{record.count.to_fs(:delimited)})"
+      elsif record.rubygem
+        "#{record.rubygem} (#{record.count.to_fs(:delimited)})"
+      else
+        "All Gems (#{record.count.to_fs(:delimited)})"
+      end
+    end
+
+    field :rubygem, as: :belongs_to
+    field :version, as: :belongs_to
+    field :count, as: :number, sortable: true, html: { index: { wrapper: { classes: "text-right" } } },
+                  format_using: -> { value.to_fs(:delimited) }, default: 0
+
+    field :id, as: :id, hide_on: :index
+  end
+end
diff --git a/app/avo/resources/gem_download_resource.rb b/app/avo/resources/gem_download_resource.rb
deleted file mode 100644
index 4cc08993f07..00000000000
--- a/app/avo/resources/gem_download_resource.rb
+++ /dev/null
@@ -1,27 +0,0 @@
-class GemDownloadResource < Avo::BaseResource
-  self.title = :inspect
-  self.includes = %i[rubygem version]
-
-  self.resolve_query_scope = lambda { |model_class:|
-    model_class.order(count: :desc)
-  }
-
-  class SpecificityFilter < ScopeBooleanFilter; end
-  filter SpecificityFilter, arguments: { default: { for_versions: true, for_rubygems: true, total: true } }
-
-  field :title, as: :text, link_to_resource: true do |model, _resource, _view|
-    if model.version
-      "#{model.version.full_name} (#{model.count.to_fs(:delimited)})"
-    elsif model.rubygem
-      "#{model.rubygem} (#{model.count.to_fs(:delimited)})"
-    else
-      "All Gems (#{model.count.to_fs(:delimited)})"
-    end
-  end
-
-  field :rubygem, as: :belongs_to
-  field :version, as: :belongs_to
-  field :count, as: :number, sortable: true, index_text_align: :right, format_using: -> { value.to_fs(:delimited) }, default: 0
-
-  field :id, as: :id, hide_on: :index
-end
diff --git a/app/avo/resources/gem_name_reservation.rb b/app/avo/resources/gem_name_reservation.rb
new file mode 100644
index 00000000000..8676f15210e
--- /dev/null
+++ b/app/avo/resources/gem_name_reservation.rb
@@ -0,0 +1,14 @@
+class Avo::Resources::GemNameReservation < Avo::BaseResource
+  self.title = :name
+  self.includes = []
+  self.search = {
+    query: lambda {
+             query.where("name LIKE ?", "%#{params[:q]}%")
+           }
+  }
+
+  def fields
+    field :id, as: :id
+    field :name, as: :text
+  end
+end
diff --git a/app/avo/resources/gem_name_reservation_resource.rb b/app/avo/resources/gem_name_reservation_resource.rb
deleted file mode 100644
index 0b44fa49e59..00000000000
--- a/app/avo/resources/gem_name_reservation_resource.rb
+++ /dev/null
@@ -1,10 +0,0 @@
-class GemNameReservationResource < Avo::BaseResource
-  self.title = :name
-  self.includes = []
-  self.search_query = lambda {
-    scope.where("name LIKE ?", "%#{params[:q]}%")
-  }
-
-  field :id, as: :id
-  field :name, as: :text
-end
diff --git a/app/avo/resources/gem_typo_exception.rb b/app/avo/resources/gem_typo_exception.rb
new file mode 100644
index 00000000000..ae5579df463
--- /dev/null
+++ b/app/avo/resources/gem_typo_exception.rb
@@ -0,0 +1,19 @@
+class Avo::Resources::GemTypoException < Avo::BaseResource
+  self.title = :name
+  self.includes = []
+  self.search = {
+    query: lambda {
+             query.where("name ILIKE ?", "%#{params[:q]}%")
+           }
+  }
+
+  def fields
+    field :id, as: :id, hide_on: :index
+
+    field :name, as: :text, link_to_resource: true
+    field :info, as: :textarea
+
+    field :created_at, as: :date_time, sortable: true, readonly: true, only_on: %i[index show]
+    field :updated_at, as: :date_time, sortable: true, readonly: true, only_on: %i[index show]
+  end
+end
diff --git a/app/avo/resources/gem_typo_exception_resource.rb b/app/avo/resources/gem_typo_exception_resource.rb
deleted file mode 100644
index 8512e03d2f3..00000000000
--- a/app/avo/resources/gem_typo_exception_resource.rb
+++ /dev/null
@@ -1,15 +0,0 @@
-class GemTypoExceptionResource < Avo::BaseResource
-  self.title = :name
-  self.includes = []
-  self.search_query = lambda {
-    scope.where("name ILIKE ?", "%#{params[:q]}%")
-  }
-
-  field :id, as: :id, hide_on: :index
-  # Fields generated from the model
-  field :name, as: :text, link_to_resource: true
-  field :info, as: :textarea
-  # add fields here
-  field :created_at, as: :date_time, sortable: true, readonly: true, only_on: %i[index show]
-  field :updated_at, as: :date_time, sortable: true, readonly: true, only_on: %i[index show]
-end
diff --git a/app/avo/resources/geoip_info.rb b/app/avo/resources/geoip_info.rb
new file mode 100644
index 00000000000..ea4e35f35eb
--- /dev/null
+++ b/app/avo/resources/geoip_info.rb
@@ -0,0 +1,14 @@
+class Avo::Resources::GeoipInfo < Avo::BaseResource
+  self.includes = []
+
+  def fields
+    field :continent_code, as: :text
+    field :country_code, as: :text
+    field :country_code3, as: :text
+    field :country_name, as: :text
+    field :region, as: :text
+    field :city, as: :text
+
+    field :ip_addresses, as: :has_many
+  end
+end
diff --git a/app/avo/resources/geoip_info_resource.rb b/app/avo/resources/geoip_info_resource.rb
deleted file mode 100644
index b049c7b965c..00000000000
--- a/app/avo/resources/geoip_info_resource.rb
+++ /dev/null
@@ -1,13 +0,0 @@
-class GeoipInfoResource < Avo::BaseResource
-  self.title = :id
-  self.includes = []
-
-  field :continent_code, as: :text
-  field :country_code, as: :text
-  field :country_code3, as: :text
-  field :country_name, as: :text
-  field :region, as: :text
-  field :city, as: :text
-
-  field :ip_addresses, as: :has_many
-end
diff --git a/app/avo/resources/ip_address.rb b/app/avo/resources/ip_address.rb
new file mode 100644
index 00000000000..a0e757efaf8
--- /dev/null
+++ b/app/avo/resources/ip_address.rb
@@ -0,0 +1,24 @@
+class Avo::Resources::IpAddress < Avo::BaseResource
+  self.title = :ip_address
+  self.includes = []
+
+  self.search = {
+    hide_on_global: true,
+      query: lambda {
+               query.where("ip_address <<= inet ?", params[:q])
+             }
+  }
+
+  def fields
+    field :id, as: :id
+
+    field :ip_address, as: :text
+    field :hashed_ip_address, as: :textarea
+    field :geoip_info, as: :json_viewer
+
+    tabs style: :pills do
+      field :user_events, as: :has_many
+      field :rubygem_events, as: :has_many
+    end
+  end
+end
diff --git a/app/avo/resources/ip_address_resource.rb b/app/avo/resources/ip_address_resource.rb
deleted file mode 100644
index a6c99cc7271..00000000000
--- a/app/avo/resources/ip_address_resource.rb
+++ /dev/null
@@ -1,20 +0,0 @@
-class IpAddressResource < Avo::BaseResource
-  self.title = :ip_address
-  self.includes = []
-
-  self.hide_from_global_search = true
-  self.search_query = lambda {
-    scope.where("ip_address <<= inet ?", params[:q])
-  }
-
-  field :id, as: :id
-
-  field :ip_address, as: :text
-  field :hashed_ip_address, as: :textarea
-  field :geoip_info, as: :json_viewer
-
-  tabs style: :pills do
-    field :user_events, as: :has_many
-    field :rubygem_events, as: :has_many
-  end
-end
diff --git a/app/avo/resources/link_verification.rb b/app/avo/resources/link_verification.rb
new file mode 100644
index 00000000000..60048673afe
--- /dev/null
+++ b/app/avo/resources/link_verification.rb
@@ -0,0 +1,16 @@
+class Avo::Resources::LinkVerification < Avo::BaseResource
+  self.includes = []
+
+  def fields
+    field :id, as: :id
+
+    field :linkable, as: :belongs_to,
+      polymorphic_as: :linkable,
+      types: [::Rubygem]
+    field :uri, as: :text
+    field :verified?, as: :boolean
+    field :last_verified_at, as: :date_time
+    field :last_failure_at, as: :date_time
+    field :failures_since_last_verification, as: :number
+  end
+end
diff --git a/app/avo/resources/link_verification_resource.rb b/app/avo/resources/link_verification_resource.rb
deleted file mode 100644
index ee60c06d904..00000000000
--- a/app/avo/resources/link_verification_resource.rb
+++ /dev/null
@@ -1,19 +0,0 @@
-class LinkVerificationResource < Avo::BaseResource
-  self.title = :id
-  self.includes = []
-  # self.search_query = -> do
-  #   scope.ransack(id_eq: params[:q], m: "or").result(distinct: false)
-  # end
-
-  field :id, as: :id
-  # Fields generated from the model
-  field :linkable, as: :belongs_to,
-    polymorphic_as: :linkable,
-    types: %w[Rubygem]
-  field :uri, as: :text
-  field :verified?, as: :boolean
-  field :last_verified_at, as: :date_time
-  field :last_failure_at, as: :date_time
-  field :failures_since_last_verification, as: :number
-  # add fields here
-end
diff --git a/app/avo/resources/linkset.rb b/app/avo/resources/linkset.rb
new file mode 100644
index 00000000000..aa642178821
--- /dev/null
+++ b/app/avo/resources/linkset.rb
@@ -0,0 +1,13 @@
+class Avo::Resources::Linkset < Avo::BaseResource
+  self.includes = [:rubygem]
+  self.visible_on_sidebar = false
+
+  def fields
+    field :id, as: :id, link_to_resource: true
+    field :rubygem, as: :belongs_to
+
+    Linkset::LINKS.each do |link|
+      field link, as: :text, format_using: -> { link_to value, value if value.present? }
+    end
+  end
+end
diff --git a/app/avo/resources/linkset_resource.rb b/app/avo/resources/linkset_resource.rb
deleted file mode 100644
index ac5966a45bf..00000000000
--- a/app/avo/resources/linkset_resource.rb
+++ /dev/null
@@ -1,12 +0,0 @@
-class LinksetResource < Avo::BaseResource
-  self.title = :id
-  self.includes = [:rubygem]
-  self.visible_on_sidebar = false
-
-  field :id, as: :id, link_to_resource: true
-  field :rubygem, as: :belongs_to
-
-  Linkset::LINKS.each do |link|
-    field link, as: :text, format_using: -> { link_to value, value if value.present? }
-  end
-end
diff --git a/app/avo/resources/log_ticket.rb b/app/avo/resources/log_ticket.rb
new file mode 100644
index 00000000000..1a16fbb13a1
--- /dev/null
+++ b/app/avo/resources/log_ticket.rb
@@ -0,0 +1,21 @@
+class Avo::Resources::LogTicket < Avo::BaseResource
+  self.includes = []
+
+  class BackendFilter < Avo::Filters::ScopeBooleanFilter; end
+  class StatusFilter < Avo::Filters::ScopeBooleanFilter; end
+
+  def filters
+    filter BackendFilter, arguments: { default: LogTicket.backends.transform_values { true } }
+    filter StatusFilter, arguments: { default: LogTicket.statuses.transform_values { true } }
+  end
+
+  def fields
+    field :id, as: :id, link_to_resource: true
+
+    field :key, as: :text
+    field :directory, as: :text
+    field :backend, as: :select, enum: LogTicket.backends
+    field :status, as: :select, enum: LogTicket.statuses
+    field :processed_count, as: :number, sortable: true
+  end
+end
diff --git a/app/avo/resources/log_ticket_resource.rb b/app/avo/resources/log_ticket_resource.rb
deleted file mode 100644
index 1a6c88419e2..00000000000
--- a/app/avo/resources/log_ticket_resource.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-class LogTicketResource < Avo::BaseResource
-  self.title = :id
-  self.includes = []
-
-  class BackendFilter < ScopeBooleanFilter; end
-  filter BackendFilter, arguments: { default: LogTicket.backends.transform_values { true } }
-
-  class StatusFilter < ScopeBooleanFilter; end
-  filter StatusFilter, arguments: { default: LogTicket.statuses.transform_values { true } }
-
-  field :id, as: :id, link_to_resource: true
-
-  field :key, as: :text
-  field :directory, as: :text
-  field :backend, as: :select, enum: LogTicket.backends
-  field :status, as: :select, enum: LogTicket.statuses
-  field :processed_count, as: :number, sortable: true
-end
diff --git a/app/avo/resources/maintenance_tasks_run.rb b/app/avo/resources/maintenance_tasks_run.rb
new file mode 100644
index 00000000000..d1d7fb36f0a
--- /dev/null
+++ b/app/avo/resources/maintenance_tasks_run.rb
@@ -0,0 +1,29 @@
+class Avo::Resources::MaintenanceTasksRun < Avo::BaseResource
+  self.includes = []
+  self.model_class = ::MaintenanceTasks::Run
+
+  class StatusFilter < Avo::Filters::ScopeBooleanFilter; end
+
+  def filters
+    filter StatusFilter, arguments: { default: MaintenanceTasks::Run.statuses.transform_values { true } }
+  end
+
+  def fields
+    field :id, as: :id
+
+    field :task_name, as: :text
+    field :started_at, as: :date_time, sortable: true
+    field :ended_at, as: :date_time, sortable: true
+    field :time_running, as: :number, sortable: true
+    field :tick_count, as: :number
+    field :tick_total, as: :number
+    field :job_id, as: :text
+    field :cursor, as: :number
+    field :status, as: :select, enum: MaintenanceTasks::Run.statuses
+    field :error_class, as: :text
+    field :error_message, as: :text
+    field :backtrace, as: :textarea
+    field :arguments, as: :textarea
+    field :lock_version, as: :number
+  end
+end
diff --git a/app/avo/resources/maintenance_tasks_run_resource.rb b/app/avo/resources/maintenance_tasks_run_resource.rb
deleted file mode 100644
index 0f553fdb3a5..00000000000
--- a/app/avo/resources/maintenance_tasks_run_resource.rb
+++ /dev/null
@@ -1,29 +0,0 @@
-class MaintenanceTasksRunResource < Avo::BaseResource
-  self.title = :id
-  self.includes = []
-  self.model_class = ::MaintenanceTasks::Run
-  # self.search_query = -> do
-  #   scope.ransack(id_eq: params[:q], m: "or").result(distinct: false)
-  # end
-
-  class StatusFilter < ScopeBooleanFilter; end
-  filter StatusFilter, arguments: { default: MaintenanceTasks::Run.statuses.transform_values { true } }
-
-  field :id, as: :id
-  # Fields generated from the model
-  field :task_name, as: :text
-  field :started_at, as: :date_time, sortable: true
-  field :ended_at, as: :date_time, sortable: true
-  field :time_running, as: :number, sortable: true
-  field :tick_count, as: :number
-  field :tick_total, as: :number
-  field :job_id, as: :text
-  field :cursor, as: :number
-  field :status, as: :select, enum: MaintenanceTasks::Run.statuses
-  field :error_class, as: :text
-  field :error_message, as: :text
-  field :backtrace, as: :textarea
-  field :arguments, as: :textarea
-  field :lock_version, as: :number
-  # add fields here
-end
diff --git a/app/avo/resources/membership.rb b/app/avo/resources/membership.rb
new file mode 100644
index 00000000000..006dbd889bf
--- /dev/null
+++ b/app/avo/resources/membership.rb
@@ -0,0 +1,15 @@
+class Avo::Resources::Membership < Avo::BaseResource
+  self.includes = []
+
+  class ConfirmedFilter < Avo::Filters::ScopeBooleanFilter; end
+
+  def filters
+    filter ConfirmedFilter, arguments: { default: { confirmed: true, unconfirmed: false } }
+  end
+
+  def fields
+    field :id, as: :id
+    field :user, as: :belongs_to
+    field :organization, as: :belongs_to
+  end
+end
diff --git a/app/avo/resources/oidc_api_key_role.rb b/app/avo/resources/oidc_api_key_role.rb
new file mode 100644
index 00000000000..8dc81b51b6a
--- /dev/null
+++ b/app/avo/resources/oidc_api_key_role.rb
@@ -0,0 +1,34 @@
+class Avo::Resources::OIDCApiKeyRole < Avo::BaseResource
+  self.title = :token
+  self.includes = []
+  self.model_class = ::OIDC::ApiKeyRole
+
+  def fields
+    field :token, as: :text, link_to_resource: true, readonly: true
+    field :id, as: :id, link_to_resource: true, hide_on: :index
+    # Fields generated from the model
+    field :name, as: :text
+    field :provider, as: :belongs_to
+    field :user, as: :belongs_to, searchable: true
+    field :api_key_permissions, as: :nested do
+      field :valid_for, as: :text, format_using: -> { value&.iso8601 }
+      field :scopes, as: :tags, suggestions: ApiKey::API_SCOPES.map { { label: _1, value: _1 } }, enforce_suggestions: true
+      field :gems, as: :tags, suggestions: -> { Rubygem.limit(10).pluck(:name).map { { value: _1, label: _1 } } }
+    end
+    field :access_policy, as: :nested do
+      field :statements, as: :array_of, field: :nested do
+        field :effect, as: :select, options: { "Allow" => "allow" }, default: "Allow"
+        field :principal, as: :nested, field_options: { stacked: false } do
+          field :oidc, as: :text
+        end
+        field :conditions, as: :array_of, field: :nested, field_options: { stacked: false } do
+          field :operator, as: :select, options: OIDC::AccessPolicy::Statement::Condition::OPERATORS.index_by(&:titleize)
+          field :claim, as: :text
+          field :value, as: :text
+        end
+      end
+    end
+
+    field :id_tokens, as: :has_many
+  end
+end
diff --git a/app/avo/resources/oidc_api_key_role_resource.rb b/app/avo/resources/oidc_api_key_role_resource.rb
deleted file mode 100644
index 3f59087e912..00000000000
--- a/app/avo/resources/oidc_api_key_role_resource.rb
+++ /dev/null
@@ -1,36 +0,0 @@
-class OIDCApiKeyRoleResource < Avo::BaseResource
-  self.title = :token
-  self.includes = []
-  self.model_class = ::OIDC::ApiKeyRole
-  # self.search_query = -> do
-  #   scope.ransack(id_eq: params[:q], m: "or").result(distinct: false)
-  # end
-
-  field :token, as: :text, link_to_resource: true, readonly: true
-  field :id, as: :id, link_to_resource: true, hide_on: :index
-  # Fields generated from the model
-  field :name, as: :text
-  field :provider, as: :belongs_to
-  field :user, as: :belongs_to, searchable: true
-  field :api_key_permissions, as: :nested do
-    field :valid_for, as: :text, format_using: -> { value&.iso8601 }
-    field :scopes, as: :tags, suggestions: ApiKey::API_SCOPES.map { { label: _1, value: _1 } }, enforce_suggestions: true
-    field :gems, as: :tags, suggestions: -> { Rubygem.limit(10).pluck(:name).map { { value: _1, label: _1 } } }
-  end
-  field :access_policy, as: :nested do
-    field :statements, as: :array_of, field: :nested do
-      field :effect, as: :select, options: { "Allow" => "allow" }, default: "Allow"
-      field :principal, as: :nested, field_options: { stacked: false } do
-        field :oidc, as: :text
-      end
-      field :conditions, as: :array_of, field: :nested, field_options: { stacked: false } do
-        field :operator, as: :select, options: OIDC::AccessPolicy::Statement::Condition::OPERATORS.index_by(&:titleize)
-        field :claim, as: :text
-        field :value, as: :text
-      end
-    end
-  end
-
-  field :id_tokens, as: :has_many
-  # add fields here
-end
diff --git a/app/avo/resources/oidc_id_token.rb b/app/avo/resources/oidc_id_token.rb
new file mode 100644
index 00000000000..fc0c4a36462
--- /dev/null
+++ b/app/avo/resources/oidc_id_token.rb
@@ -0,0 +1,20 @@
+class Avo::Resources::OIDCIdToken < Avo::BaseResource
+  self.includes = []
+  self.model_class = ::OIDC::IdToken
+
+  def fields
+    field :id, as: :id
+    # Fields generated from the model
+    field :api_key_role, as: :belongs_to
+    field :provider, as: :has_one
+    field :api_key, as: :has_one
+
+    field :jwt, as: :heading
+    field :claims, as: :key_value, stacked: true do
+      record.jwt.fetch("claims")
+    end
+    field :header, as: :key_value, stacked: true do
+      record.jwt.fetch("header")
+    end
+  end
+end
diff --git a/app/avo/resources/oidc_id_token_resource.rb b/app/avo/resources/oidc_id_token_resource.rb
deleted file mode 100644
index bda90ed7025..00000000000
--- a/app/avo/resources/oidc_id_token_resource.rb
+++ /dev/null
@@ -1,23 +0,0 @@
-class OIDCIdTokenResource < Avo::BaseResource
-  self.title = :id
-  self.includes = []
-  self.model_class = ::OIDC::IdToken
-  # self.search_query = -> do
-  #   scope.ransack(id_eq: params[:q], m: "or").result(distinct: false)
-  # end
-
-  field :id, as: :id
-  # Fields generated from the model
-  field :api_key_role, as: :belongs_to
-  field :provider, as: :has_one
-  field :api_key, as: :has_one
-
-  heading "JWT"
-  field :claims, as: :key_value, stacked: true do
-    model.jwt.fetch("claims")
-  end
-  field :header, as: :key_value, stacked: true do
-    model.jwt.fetch("header")
-  end
-  # add fields here
-end
diff --git a/app/avo/resources/oidc_pending_trusted_publisher.rb b/app/avo/resources/oidc_pending_trusted_publisher.rb
new file mode 100644
index 00000000000..0e83788d396
--- /dev/null
+++ b/app/avo/resources/oidc_pending_trusted_publisher.rb
@@ -0,0 +1,19 @@
+class Avo::Resources::OIDCPendingTrustedPublisher < Avo::BaseResource
+  self.includes = []
+  self.model_class = ::OIDC::PendingTrustedPublisher
+
+  class ExpiredFilter < Avo::Filters::ScopeBooleanFilter; end
+
+  def filters
+    filter ExpiredFilter, arguments: { default: { expired: false, unexpired: true } }
+  end
+
+  def fields
+    field :id, as: :id
+
+    field :rubygem_name, as: :text
+    field :user, as: :belongs_to
+    field :trusted_publisher, as: :belongs_to, polymorphic_as: :trusted_publisher
+    field :expires_at, as: :date_time
+  end
+end
diff --git a/app/avo/resources/oidc_pending_trusted_publisher_resource.rb b/app/avo/resources/oidc_pending_trusted_publisher_resource.rb
deleted file mode 100644
index f546d3a8df1..00000000000
--- a/app/avo/resources/oidc_pending_trusted_publisher_resource.rb
+++ /dev/null
@@ -1,16 +0,0 @@
-class OIDCPendingTrustedPublisherResource < Avo::BaseResource
-  self.title = :id
-  self.includes = []
-  self.model_class = ::OIDC::PendingTrustedPublisher
-
-  class ExpiredFilter < ScopeBooleanFilter; end
-  filter ExpiredFilter, arguments: { default: { expired: false, unexpired: true } }
-
-  field :id, as: :id
-  # Fields generated from the model
-  field :rubygem_name, as: :text
-  field :user, as: :belongs_to
-  field :trusted_publisher, as: :belongs_to, polymorphic_as: :trusted_publisher
-  field :expires_at, as: :date_time
-  # add fields here
-end
diff --git a/app/avo/resources/oidc_provider.rb b/app/avo/resources/oidc_provider.rb
new file mode 100644
index 00000000000..12a06658e1e
--- /dev/null
+++ b/app/avo/resources/oidc_provider.rb
@@ -0,0 +1,24 @@
+class Avo::Resources::OIDCProvider < Avo::BaseResource
+  self.title = :issuer
+  self.includes = []
+  self.model_class = ::OIDC::Provider
+
+  def actions
+    action Avo::Actions::RefreshOIDCProvider
+  end
+
+  def fields
+    field :issuer, as: :text, link_to_resource: true
+    field :configuration, as: :nested do
+      visible_on = %i[edit new]
+      OIDC::Provider::Configuration.then { _1.required_attributes + _1.optional_attributes }.each do |k|
+        field k, as: (k.to_s.end_with?("s_supported") ? :tags : :text),
+            visible: -> { resource && (visible_on.include?(resource.view) || resource.record.configuration&.send(k).present?) }
+      end
+    end
+    field :jwks, as: :array_of, field: :json_viewer, hide_on: :index
+    field :api_key_roles, as: :has_many
+
+    field :id, as: :id
+  end
+end
diff --git a/app/avo/resources/oidc_provider_resource.rb b/app/avo/resources/oidc_provider_resource.rb
deleted file mode 100644
index 8a2fa0fe6d4..00000000000
--- a/app/avo/resources/oidc_provider_resource.rb
+++ /dev/null
@@ -1,20 +0,0 @@
-class OIDCProviderResource < Avo::BaseResource
-  self.title = :issuer
-  self.includes = []
-  self.model_class = ::OIDC::Provider
-
-  action RefreshOIDCProvider
-
-  # Fields generated from the model
-  field :issuer, as: :text, link_to_resource: true
-  field :configuration, as: :nested do
-    visible_on = %i[edit new]
-    OIDC::Provider::Configuration.then { (_1.required_attributes + _1.optional_attributes) - fields.map(&:id) }.each do |k|
-      field k, as: (k.to_s.end_with?("s_supported") ? :tags : :text), visible: ->(_) { visible_on.include?(view) || value.send(k).present? }
-    end
-  end
-  field :jwks, as: :array_of, field: :json_viewer, hide_on: :index
-  field :api_key_roles, as: :has_many
-  # add fields here
-  field :id, as: :id
-end
diff --git a/app/avo/resources/oidc_rubygem_trusted_publisher.rb b/app/avo/resources/oidc_rubygem_trusted_publisher.rb
new file mode 100644
index 00000000000..95e165d6d88
--- /dev/null
+++ b/app/avo/resources/oidc_rubygem_trusted_publisher.rb
@@ -0,0 +1,11 @@
+class Avo::Resources::OIDCRubygemTrustedPublisher < Avo::BaseResource
+  self.includes = [:trusted_publisher]
+  self.model_class = ::OIDC::RubygemTrustedPublisher
+
+  def fields
+    field :id, as: :id
+
+    field :rubygem, as: :belongs_to
+    field :trusted_publisher, as: :belongs_to, polymorphic_as: :trusted_publisher
+  end
+end
diff --git a/app/avo/resources/oidc_rubygem_trusted_publisher_resource.rb b/app/avo/resources/oidc_rubygem_trusted_publisher_resource.rb
deleted file mode 100644
index 96c63c43096..00000000000
--- a/app/avo/resources/oidc_rubygem_trusted_publisher_resource.rb
+++ /dev/null
@@ -1,11 +0,0 @@
-class OIDCRubygemTrustedPublisherResource < Avo::BaseResource
-  self.title = :id
-  self.includes = [:trusted_publisher]
-  self.model_class = ::OIDC::RubygemTrustedPublisher
-
-  field :id, as: :id
-  # Fields generated from the model
-  field :rubygem, as: :belongs_to
-  field :trusted_publisher, as: :belongs_to, polymorphic_as: :trusted_publisher
-  # add fields here
-end
diff --git a/app/avo/resources/oidc_trusted_publisher_github_action.rb b/app/avo/resources/oidc_trusted_publisher_github_action.rb
new file mode 100644
index 00000000000..0a850ed2e21
--- /dev/null
+++ b/app/avo/resources/oidc_trusted_publisher_github_action.rb
@@ -0,0 +1,20 @@
+class Avo::Resources::OIDCTrustedPublisherGitHubAction < Avo::BaseResource
+  self.title = :name
+  self.includes = []
+  self.model_class = ::OIDC::TrustedPublisher::GitHubAction
+
+  def fields
+    field :id, as: :id
+
+    field :repository_owner, as: :text
+    field :repository_name, as: :text
+    field :repository_owner_id, as: :text
+    field :workflow_filename, as: :text
+    field :environment, as: :text
+
+    field :rubygem_trusted_publishers, as: :has_many
+    field :pending_trusted_publishers, as: :has_many
+    field :rubygems, as: :has_many, through: :rubygem_trusted_publishers
+    field :api_keys, as: :has_many, inverse_of: :owner
+  end
+end
diff --git a/app/avo/resources/oidc_trusted_publisher_github_action_resource.rb b/app/avo/resources/oidc_trusted_publisher_github_action_resource.rb
deleted file mode 100644
index 0ea00fd83e4..00000000000
--- a/app/avo/resources/oidc_trusted_publisher_github_action_resource.rb
+++ /dev/null
@@ -1,19 +0,0 @@
-class OIDCTrustedPublisherGitHubActionResource < Avo::BaseResource
-  self.title = :name
-  self.includes = []
-  self.model_class = ::OIDC::TrustedPublisher::GitHubAction
-
-  field :id, as: :id
-  # Fields generated from the model
-  field :repository_owner, as: :text
-  field :repository_name, as: :text
-  field :repository_owner_id, as: :text
-  field :workflow_filename, as: :text
-  field :environment, as: :text
-  # add fields here
-  #
-  field :rubygem_trusted_publishers, as: :has_many
-  field :pending_trusted_publishers, as: :has_many
-  field :rubygems, as: :has_many, through: :rubygem_trusted_publishers
-  field :api_keys, as: :has_many, inverse_of: :owner
-end
diff --git a/app/avo/resources/organization.rb b/app/avo/resources/organization.rb
new file mode 100644
index 00000000000..b70f952cf09
--- /dev/null
+++ b/app/avo/resources/organization.rb
@@ -0,0 +1,35 @@
+class Avo::Resources::Organization < Avo::BaseResource
+  self.title = :name
+  self.includes = []
+  self.search = {
+    query: lambda {
+             query.where("name LIKE ? OR handle LIKE ?", "%#{params[:q]}%", "%#{params[:q]}%")
+           }
+  }
+
+  self.find_record_method = lambda {
+    query.find_by_handle!(id)
+  }
+
+  class DeletedFilter < Avo::Filters::ScopeBooleanFilter; end
+
+  def filters
+    filter DeletedFilter, arguments: { default: { not_deleted: true, deleted: false } }
+  end
+
+  def fields
+    field :id, as: :id
+    # Fields generated from the model
+    field :handle, as: :text
+    field :name, as: :text
+    field :deleted_at, as: :date_time
+    # add fields here
+    tabs style: :pills do
+      field :memberships, as: :has_many
+      field :unconfirmed_memberships, as: :has_many
+      field :users, as: :has_many
+      field :rubygems, as: :has_many
+      field :organization_onboarding, as: :belongs_to
+    end
+  end
+end
diff --git a/app/avo/resources/organization_onboarding.rb b/app/avo/resources/organization_onboarding.rb
new file mode 100644
index 00000000000..ed6dcb4313f
--- /dev/null
+++ b/app/avo/resources/organization_onboarding.rb
@@ -0,0 +1,27 @@
+class Avo::Resources::OrganizationOnboarding < Avo::BaseResource
+  self.title = :organization_name
+  self.includes = [:invites]
+
+  def actions
+    action Avo::Actions::OnboardOrganization
+  end
+
+  def fields
+    field :id, as: :id
+    field :status, as: :select, enum: OrganizationOnboarding.statuses
+    field :organization_name, as: :text
+    field :organization_handle, as: :text
+    field :created_by, as: :belongs_to
+    field :error, as: :text
+
+    field :onboarded_at, as: :date_time
+    field :created_at, as: :date_time
+    field :updated_at, as: :date_time
+
+    tabs style: :pills do
+      field :users, as: :has_many, through: :invites
+      field :invites, as: :has_many, use_resource: Avo::Resources::OrganizationOnboardingInvite
+      field :organization, as: :has_one
+    end
+  end
+end
diff --git a/app/avo/resources/organization_onboarding_invite.rb b/app/avo/resources/organization_onboarding_invite.rb
new file mode 100644
index 00000000000..001269d7c79
--- /dev/null
+++ b/app/avo/resources/organization_onboarding_invite.rb
@@ -0,0 +1,11 @@
+class Avo::Resources::OrganizationOnboardingInvite < Avo::BaseResource
+  self.title = :id
+  self.includes = [:organization_onboarding]
+
+  def fields
+    field :id, as: :id
+    field :organization_onboarding, as: :belongs_to
+    field :user, as: :belongs_to
+    field :role, as: :select, enum: OrganizationOnboardingInvite.roles
+  end
+end
diff --git a/app/avo/resources/ownership.rb b/app/avo/resources/ownership.rb
new file mode 100644
index 00000000000..079445d9d63
--- /dev/null
+++ b/app/avo/resources/ownership.rb
@@ -0,0 +1,36 @@
+class Avo::Resources::Ownership < Avo::BaseResource
+  self.title = :cache_key
+  self.includes = []
+
+  class ConfirmedFilter < Avo::Filters::ScopeBooleanFilter; end
+
+  def filters
+    filter ConfirmedFilter, arguments: { default: { confirmed: true, unconfirmed: true } }
+  end
+
+  def fields
+    field :id, as: :id, link_to_resource: true
+
+    field :user, as: :belongs_to
+    field :rubygem, as: :belongs_to
+
+    field :role, as: :select, enum: Ownership.roles
+
+    field :token, as: :heading
+
+    field :token, as: :text, visible: -> { false }
+    field :token_expires_at, as: :date_time
+    field :api_key_rubygem_scopes, as: :has_many
+
+    field :notifications, as: :heading
+
+    field :push_notifier, as: :boolean
+    field :owner_notifier, as: :boolean
+    field :ownership_request_notifier, as: :boolean
+
+    field :authorization, as: :heading
+
+    field :authorizer, as: :belongs_to
+    field :confirmed_at, as: :date_time
+  end
+end
diff --git a/app/avo/resources/ownership_resource.rb b/app/avo/resources/ownership_resource.rb
deleted file mode 100644
index cd51054bbd0..00000000000
--- a/app/avo/resources/ownership_resource.rb
+++ /dev/null
@@ -1,29 +0,0 @@
-class OwnershipResource < Avo::BaseResource
-  self.title = :cache_key
-  self.includes = []
-
-  class ConfirmedFilter < ScopeBooleanFilter; end
-  filter ConfirmedFilter, arguments: { default: { confirmed: true, unconfirmed: true } }
-
-  field :id, as: :id, link_to_resource: true
-
-  field :user, as: :belongs_to
-  field :rubygem, as: :belongs_to
-
-  heading "Token"
-
-  field :token, as: :text, visible: ->(_) { false }
-  field :token_expires_at, as: :date_time
-  field :api_key_rubygem_scopes, as: :has_many
-
-  heading "Notifications"
-
-  field :push_notifier, as: :boolean
-  field :owner_notifier, as: :boolean
-  field :ownership_request_notifier, as: :boolean
-
-  heading "Authorization"
-
-  field :authorizer, as: :belongs_to
-  field :confirmed_at, as: :date_time
-end
diff --git a/app/avo/resources/rubygem.rb b/app/avo/resources/rubygem.rb
new file mode 100644
index 00000000000..4f3c81c1698
--- /dev/null
+++ b/app/avo/resources/rubygem.rb
@@ -0,0 +1,56 @@
+class Avo::Resources::Rubygem < Avo::BaseResource
+  self.title = :name
+  self.includes = []
+  self.search = {
+    query: lambda {
+             query.where("name LIKE ?", "%#{params[:q]}%")
+           }
+  }
+
+  def actions
+    action Avo::Actions::ReleaseReservedNamespace
+    action Avo::Actions::AddOwner
+    action Avo::Actions::YankRubygem
+    action Avo::Actions::UploadInfoFile
+    action Avo::Actions::UploadNamesFile
+    action Avo::Actions::UploadVersionsFile
+  end
+
+  class IndexedFilter < Avo::Filters::ScopeBooleanFilter; end
+
+  def filters
+    filter IndexedFilter, arguments: { default: { with_versions: true, without_versions: true } }
+  end
+
+  def fields
+    field :name, as: :text, link_to_resource: true
+    field :indexed, as: :boolean
+    field :slug, as: :text, hide_on: :index
+    field :id, as: :id, hide_on: :index
+    field :protected_days, as: :number, hide_on: :index
+
+    tabs style: :pills do
+      field :versions, as: :has_many
+      field :latest_version, as: :has_one
+
+      field :ownerships, as: :has_many
+      field :ownerships_including_unconfirmed, as: :has_many
+      field :ownership_calls, as: :has_many
+      field :ownership_requests, as: :has_many
+      field :organization, as: :belongs_to
+
+      field :subscriptions, as: :has_many
+      field :subscribers, as: :has_many, through: :subscriptions
+
+      field :web_hooks, as: :has_many
+      field :linkset, as: :has_one
+      field :gem_download, as: :has_one
+
+      field :link_verifications, as: :has_many
+      field :oidc_rubygem_trusted_publishers, as: :has_many
+
+      field :audits, as: :has_many
+      field :events, as: :has_many
+    end
+  end
+end
diff --git a/app/avo/resources/rubygem_resource.rb b/app/avo/resources/rubygem_resource.rb
deleted file mode 100644
index 09636f782de..00000000000
--- a/app/avo/resources/rubygem_resource.rb
+++ /dev/null
@@ -1,47 +0,0 @@
-class RubygemResource < Avo::BaseResource
-  self.title = :name
-  self.includes = []
-  self.search_query = lambda {
-    scope.where("name LIKE ?", "%#{params[:q]}%")
-  }
-
-  action ReleaseReservedNamespace
-  action AddOwner
-  action YankRubygem
-  action UploadInfoFile
-  action UploadNamesFile
-  action UploadVersionsFile
-
-  class IndexedFilter < ScopeBooleanFilter; end
-  filter IndexedFilter, arguments: { default: { with_versions: true, without_versions: true } }
-
-  # Fields generated from the model
-  field :name, as: :text, link_to_resource: true
-  field :indexed, as: :boolean
-  field :slug, as: :text, hide_on: :index
-  field :id, as: :id, hide_on: :index
-  field :protected_days, as: :number, hide_on: :index
-
-  tabs style: :pills do
-    field :versions, as: :has_many
-    field :latest_version, as: :has_one
-
-    field :ownerships, as: :has_many
-    field :ownerships_including_unconfirmed, as: :has_many
-    field :ownership_calls, as: :has_many
-    field :ownership_requests, as: :has_many
-
-    field :subscriptions, as: :has_many
-    field :subscribers, as: :has_many, through: :subscriptions
-
-    field :web_hooks, as: :has_many
-    field :linkset, as: :has_one
-    field :gem_download, as: :has_one
-
-    field :link_verifications, as: :has_many
-    field :oidc_rubygem_trusted_publishers, as: :has_many
-
-    field :events, as: :has_many
-    field :audits, as: :has_many
-  end
-end
diff --git a/app/avo/resources/sendgrid_event.rb b/app/avo/resources/sendgrid_event.rb
new file mode 100644
index 00000000000..c9d57d8a636
--- /dev/null
+++ b/app/avo/resources/sendgrid_event.rb
@@ -0,0 +1,27 @@
+class Avo::Resources::SendgridEvent < Avo::BaseResource
+  self.title = :sendgrid_id
+  self.includes = []
+  # self.search_query = -> do
+  #   query.ransack(id_eq: params[:q], m: "or").result(distinct: false)
+  # end
+
+  class StatusFilter < Avo::Filters::ScopeBooleanFilter; end
+  class EventTypeFilter < Avo::Filters::ScopeBooleanFilter; end
+
+  def filters
+    filter StatusFilter, arguments: { default: SendgridEvent.statuses.transform_values { true } }
+    filter EventTypeFilter, arguments: { default: SendgridEvent.event_types.transform_values { true } }
+    filter Avo::Filters::EmailFilter
+  end
+
+  def fields
+    field :id, as: :id, hide_on: :index
+
+    field :sendgrid_id, as: :text, link_to_resource: true
+    field :email, as: :text
+    field :event_type, as: :text
+    field :occurred_at, as: :date_time, sortable: true
+    field :payload, as: :json_viewer
+    field :status, as: :select, enum: SendgridEvent.statuses
+  end
+end
diff --git a/app/avo/resources/sendgrid_event_resource.rb b/app/avo/resources/sendgrid_event_resource.rb
deleted file mode 100644
index 9328ed102db..00000000000
--- a/app/avo/resources/sendgrid_event_resource.rb
+++ /dev/null
@@ -1,25 +0,0 @@
-class SendgridEventResource < Avo::BaseResource
-  self.title = :sendgrid_id
-  self.includes = []
-  # self.search_query = -> do
-  #   scope.ransack(id_eq: params[:q], m: "or").result(distinct: false)
-  # end
-
-  class StatusFilter < ScopeBooleanFilter; end
-  filter StatusFilter, arguments: { default: SendgridEvent.statuses.transform_values { true } }
-
-  class EventTypeFilter < ScopeBooleanFilter; end
-  filter EventTypeFilter, arguments: { default: SendgridEvent.event_types.transform_values { true } }
-
-  filter EmailFilter
-
-  field :id, as: :id, hide_on: :index
-  # Fields generated from the model
-  field :sendgrid_id, as: :text, link_to_resource: true
-  field :email, as: :text
-  field :event_type, as: :text
-  field :occurred_at, as: :date_time, sortable: true
-  field :payload, as: :json_viewer
-  field :status, as: :select, enum: SendgridEvent.statuses
-  # add fields here
-end
diff --git a/app/avo/resources/user.rb b/app/avo/resources/user.rb
new file mode 100644
index 00000000000..2e594b52c06
--- /dev/null
+++ b/app/avo/resources/user.rb
@@ -0,0 +1,77 @@
+class Avo::Resources::User < Avo::BaseResource
+  self.title = :name
+  self.includes = []
+  self.search = {
+    query: lambda {
+             query.where("email LIKE ? OR handle LIKE ?", "%#{params[:q]}%", "%#{params[:q]}%")
+           }
+  }
+
+  def actions
+    action Avo::Actions::BlockUser
+    action Avo::Actions::CreateUser
+    action Avo::Actions::ChangeUserEmail
+    action Avo::Actions::ResetApiKey
+    action Avo::Actions::ResetUser2fa
+    action Avo::Actions::YankRubygemsForUser
+    action Avo::Actions::YankUser
+  end
+
+  def fields # rubocop:disable Metrics
+    field :id, as: :id
+
+    field :email, as: :text
+    field :gravatar,
+      as: :gravatar,
+      rounded: true,
+      size: 48 do |_, _, _|
+        record.email
+      end
+
+    field :email_confirmed, as: :boolean
+
+    field :email_reset, as: :boolean
+    field :handle, as: :text
+    field :public_email, as: :boolean
+    field :twitter_username, as: :text, as_html: true, format_using: -> { link_to value, "https://twitter.com/#{value}", target: :_blank, rel: :noopener if value.present? }
+    field :unconfirmed_email, as: :text
+
+    field :mail_fails, as: :number
+    field :blocked_email, as: :text
+
+    tabs style: :pills do
+      tab "Auth" do
+        field :encrypted_password, as: :password, visible: -> { false }
+        field :totp_seed, as: :text, visible: -> { false }
+        field :mfa_seed, as: :text, visible: -> { false } # legacy field
+        field :mfa_level, as: :select, enum: ::User.mfa_levels
+        field :mfa_recovery_codes, as: :text, visible: -> { false }
+        field :mfa_hashed_recovery_codes, as: :text, visible: -> { false }
+        field :webauthn_id, as: :text
+        field :remember_token_expires_at, as: :date_time
+        field :api_key, as: :text, visible: -> { false }
+        field :confirmation_token, as: :text, visible: -> { false }
+        field :remember_token, as: :text, visible: -> { false }
+        field :salt, as: :text, visible: -> { false }
+        field :token, as: :text, visible: -> { false }
+        field :token_expires_at, as: :date_time
+      end
+      field :ownerships, as: :has_many
+      field :rubygems, as: :has_many, through: :ownerships
+      field :subscriptions, as: :has_many
+      field :subscribed_gems, as: :has_many, through: :subscriptions
+      field :deletions, as: :has_many
+      field :web_hooks, as: :has_many
+      field :unconfirmed_ownerships, as: :has_many
+      field :api_keys, as: :has_many, name: "API Keys"
+      field :ownership_calls, as: :has_many
+      field :ownership_requests, as: :has_many
+      field :pushed_versions, as: :has_many
+      field :oidc_api_key_roles, as: :has_many
+      field :webauthn_credentials, as: :has_many
+      field :webauthn_verification, as: :has_one
+
+      field :audits, as: :has_many
+    end
+  end
+end
diff --git a/app/avo/resources/user_resource.rb b/app/avo/resources/user_resource.rb
deleted file mode 100644
index f8e28066d22..00000000000
--- a/app/avo/resources/user_resource.rb
+++ /dev/null
@@ -1,78 +0,0 @@
-class UserResource < Avo::BaseResource
-  self.title = :name
-  self.includes = []
-  self.search_query = lambda {
-    scope.where("email LIKE ? OR handle LIKE ?", "%#{params[:q]}%", "%#{params[:q]}%")
-  }
-  self.unscoped_queries_on_index = true
-
-  class DeletedFilter < ScopeBooleanFilter; end
-  filter DeletedFilter, arguments: { default: { not_deleted: true, deleted: false } }
-
-  action BlockUser
-  action CreateUser
-  action ChangeUserEmail
-  action ResetApiKey
-  action ResetUser2fa
-  action YankRubygemsForUser
-  action YankUser
-
-  field :id, as: :id
-  # Fields generated from the model
-  field :email, as: :text
-  field :gravatar,
-    as: :gravatar,
-    rounded: true,
-    size: 48 do |_, _, _|
-      model.email
-    end
-
-  field :email_confirmed, as: :boolean
-
-  field :email_reset, as: :boolean
-  field :handle, as: :text
-  field :public_email, as: :boolean
-  field :twitter_username, as: :text, as_html: true, format_using: -> { link_to value, "https://twitter.com/#{value}", target: :_blank, rel: :noopener if value.present? }
-  field :unconfirmed_email, as: :text
-
-  field :mail_fails, as: :number
-  field :blocked_email, as: :text
-
-  field :deleted_at, as: :date_time
-
-  tabs style: :pills do
-    tab "Auth" do
-      field :encrypted_password, as: :password, visible: ->(_) { false }
-      field :totp_seed, as: :text, visible: ->(_) { false }
-      field :mfa_seed, as: :text, visible: ->(_) { false } # legacy field
-      field :mfa_level, as: :select, enum: ::User.mfa_levels
-      field :mfa_recovery_codes, as: :text, visible: ->(_) { false }
-      field :mfa_hashed_recovery_codes, as: :text, visible: ->(_) { false }
-      field :webauthn_id, as: :text
-      field :remember_token_expires_at, as: :date_time
-      field :api_key, as: :text, visible: ->(_) { false }
-      field :confirmation_token, as: :text, visible: ->(_) { false }
-      field :remember_token, as: :text, visible: ->(_) { false }
-      field :salt, as: :text, visible: ->(_) { false }
-      field :token, as: :text, visible: ->(_) { false }
-      field :token_expires_at, as: :date_time
-    end
-    field :ownerships, as: :has_many
-    field :rubygems, as: :has_many, through: :ownerships
-    field :subscriptions, as: :has_many
-    field :subscribed_gems, as: :has_many, through: :subscriptions
-    field :deletions, as: :has_many
-    field :web_hooks, as: :has_many
-    field :unconfirmed_ownerships, as: :has_many
-    field :api_keys, as: :has_many, name: "API Keys"
-    field :ownership_calls, as: :has_many
-    field :ownership_requests, as: :has_many
-    field :pushed_versions, as: :has_many
-    field :oidc_api_key_roles, as: :has_many
-    field :webauthn_credentials, as: :has_many
-    field :webauthn_verification, as: :has_one
-
-    field :audits, as: :has_many
-    field :events, as: :has_many
-  end
-end
diff --git a/app/avo/resources/version.rb b/app/avo/resources/version.rb
new file mode 100644
index 00000000000..4e3e14de176
--- /dev/null
+++ b/app/avo/resources/version.rb
@@ -0,0 +1,79 @@
+class Avo::Resources::Version < Avo::BaseResource
+  self.title = :full_name
+  self.includes = [:rubygem]
+  self.search = {
+    query: lambda {
+             query.where("full_name LIKE ?", "#{params[:q]}%")
+           }
+  }
+
+  def actions
+    action Avo::Actions::RestoreVersion
+    action Avo::Actions::VersionAfterWrite
+  end
+
+  class IndexedFilter < Avo::Filters::ScopeBooleanFilter; end
+
+  def filters
+    filter IndexedFilter, arguments: { default: { indexed: true, yanked: true } }
+  end
+
+  def fields # rubocop:disable Metrics
+    field :full_name, as: :text, link_to_resource: true
+    field :id, as: :id, hide_on: :index, as_html: true do |_id, *_args|
+      link_to record.id, main_app.rubygem_version_url(record.rubygem.slug, record.slug)
+    end
+
+    field :rubygem, as: :belongs_to
+    field :slug, as: :text, hide_on: :index
+    field :number, as: :text
+    field :platform, as: :text
+
+    field :canonical_number, as: :text
+
+    field :indexed, as: :boolean
+    field :prerelease, as: :boolean
+    field :position, as: :number
+    field :latest, as: :boolean
+
+    field :yanked_at, as: :date_time, sortable: true
+
+    field :pusher, as: :belongs_to, class: "User"
+    field :pusher_api_key, as: :belongs_to, class: "ApiKey"
+
+    tabs do
+      tab "Metadata", description: "Metadata that comes from the gemspec" do
+        panel do
+          field :summary, as: :textarea
+          field :description, as: :textarea
+          field :authors, as: :textarea
+          field :licenses, as: :textarea
+          field :cert_chain, as: :textarea
+          field :built_at, as: :date_time, sortable: true
+          field :metadata, as: :key_value, stacked: true
+        end
+      end
+
+      tab "Runtime information" do
+        panel do
+          field :size, as: :number, sortable: true
+          field :requirements, as: :textarea
+          field :required_ruby_version, as: :text
+          field :sha256, as: :text
+          field :required_rubygems_version, as: :text
+        end
+      end
+
+      tab "API" do
+        panel do
+          field :info_checksum, as: :text
+          field :yanked_info_checksum, as: :text
+        end
+      end
+
+      field :dependencies, as: :has_many
+      field :gem_download, as: :has_one, name: "Downloads"
+      field :deletion, as: :has_one
+    end
+  end
+end
diff --git a/app/avo/resources/version_resource.rb b/app/avo/resources/version_resource.rb
deleted file mode 100644
index 62d853fb69c..00000000000
--- a/app/avo/resources/version_resource.rb
+++ /dev/null
@@ -1,70 +0,0 @@
-class VersionResource < Avo::BaseResource
-  self.title = :full_name
-  self.includes = [:rubygem]
-  self.search_query = lambda {
-    scope.where("full_name LIKE ?", "#{params[:q]}%")
-  }
-
-  action RestoreVersion
-  action VersionAfterWrite
-
-  class IndexedFilter < ScopeBooleanFilter; end
-  filter IndexedFilter, arguments: { default: { indexed: true, yanked: true } }
-
-  field :full_name, as: :text, link_to_resource: true
-  field :id, as: :id, hide_on: :index, as_html: true do |_id, *_args|
-    link_to model.id, main_app.rubygem_version_url(model.rubygem.slug, model.slug)
-  end
-
-  field :rubygem, as: :belongs_to
-  field :slug, as: :text, hide_on: :index
-  field :number, as: :text
-  field :platform, as: :text
-
-  field :canonical_number, as: :text
-
-  field :indexed, as: :boolean
-  field :prerelease, as: :boolean
-  field :position, as: :number
-  field :latest, as: :boolean
-
-  field :yanked_at, as: :date_time, sortable: true
-
-  field :pusher, as: :belongs_to, class: "User"
-  field :pusher_api_key, as: :belongs_to, class: "ApiKey"
-
-  tabs do
-    tab "Metadata", description: "Metadata that comes from the gemspec" do
-      panel do
-        field :summary, as: :textarea
-        field :description, as: :textarea
-        field :authors, as: :textarea
-        field :licenses, as: :textarea
-        field :cert_chain, as: :textarea
-        field :built_at, as: :date_time, sortable: true
-        field :metadata, as: :key_value, stacked: true
-      end
-    end
-
-    tab "Runtime information" do
-      panel do
-        field :size, as: :number, sortable: true
-        field :requirements, as: :textarea
-        field :required_ruby_version, as: :text
-        field :sha256, as: :text
-        field :required_rubygems_version, as: :text
-      end
-    end
-
-    tab "API" do
-      panel do
-        field :info_checksum, as: :text
-        field :yanked_info_checksum, as: :text
-      end
-    end
-
-    field :dependencies, as: :has_many
-    field :gem_download, as: :has_one, name: "Downloads"
-    field :deletion, as: :has_one
-  end
-end
diff --git a/app/avo/resources/web_hook.rb b/app/avo/resources/web_hook.rb
new file mode 100644
index 00000000000..786fdd4fac7
--- /dev/null
+++ b/app/avo/resources/web_hook.rb
@@ -0,0 +1,42 @@
+class Avo::Resources::WebHook < Avo::BaseResource
+  self.includes = %i[user rubygem]
+
+  def actions
+    action Avo::Actions::DeleteWebhook
+  end
+
+  class EnabledFilter < Avo::Filters::ScopeBooleanFilter; end
+  class GlobalFilter < Avo::Filters::ScopeBooleanFilter; end
+
+  def filters
+    filter EnabledFilter, arguments: { default: { enabled: true, disabled: false } }
+    filter GlobalFilter, arguments: { default: { global: true, specific: true } }
+  end
+
+  def fields
+    field :id, as: :id, link_to_resource: true
+
+    field :url, as: :text
+    field :enabled?, as: :boolean
+    field :failure_count, as: :number, sortable: true, html: { index: { wrapper: { classes: "text-right" } } }
+    field :user, as: :belongs_to
+    field :rubygem, as: :belongs_to
+    field :global?, as: :boolean
+
+    field :hook_relay_stream, as: :text do
+      stream_name = "webhook_id-#{record.id}"
+      link_to stream_name, "https://app.hookrelay.dev/hooks/#{ENV['HOOK_RELAY_HOOK_ID']}?started_at=P1W&stream=#{stream_name}"
+    end
+
+    field :disabled_reason, as: :text
+    field :disabled_at, as: :date_time, sortable: true
+    field :last_success, as: :date_time, sortable: true
+    field :last_failure, as: :date_time, sortable: true
+    field :successes_since_last_failure, as: :number, sortable: true
+    field :failures_since_last_success, as: :number, sortable: true
+
+    tabs style: :pills do
+      field :audits, as: :has_many
+    end
+  end
+end
diff --git a/app/avo/resources/web_hook_resource.rb b/app/avo/resources/web_hook_resource.rb
deleted file mode 100644
index ee2c22d59f9..00000000000
--- a/app/avo/resources/web_hook_resource.rb
+++ /dev/null
@@ -1,35 +0,0 @@
-class WebHookResource < Avo::BaseResource
-  self.title = :id
-  self.includes = %i[user rubygem]
-
-  action DeleteWebhook
-  class EnabledFilter < ScopeBooleanFilter; end
-  filter EnabledFilter, arguments: { default: { enabled: true, disabled: false } }
-  class GlobalFilter < ScopeBooleanFilter; end
-  filter GlobalFilter, arguments: { default: { global: true, specific: true } }
-
-  field :id, as: :id, link_to_resource: true
-
-  field :url, as: :text
-  field :enabled?, as: :boolean
-  field :failure_count, as: :number, sortable: true, index_text_align: :right
-  field :user, as: :belongs_to
-  field :rubygem, as: :belongs_to
-  field :global?, as: :boolean
-
-  field :hook_relay_stream, as: :text do
-    stream_name = "webhook_id-#{model.id}"
-    link_to stream_name, "https://app.hookrelay.dev/hooks/#{ENV['HOOK_RELAY_STREAM_ID']}?started_at=P1W&stream=#{stream_name}"
-  end
-
-  field :disabled_reason, as: :text
-  field :disabled_at, as: :date_time, sortable: true
-  field :last_success, as: :date_time, sortable: true
-  field :last_failure, as: :date_time, sortable: true
-  field :successes_since_last_failure, as: :number, sortable: true
-  field :failures_since_last_success, as: :number, sortable: true
-
-  tabs style: :pills do
-    field :audits, as: :has_many
-  end
-end
diff --git a/app/avo/resources/webauthn_credential.rb b/app/avo/resources/webauthn_credential.rb
new file mode 100644
index 00000000000..efbde57c3c8
--- /dev/null
+++ b/app/avo/resources/webauthn_credential.rb
@@ -0,0 +1,13 @@
+class Avo::Resources::WebauthnCredential < Avo::BaseResource
+  self.includes = []
+
+  def fields
+    field :id, as: :id
+
+    field :external_id, as: :text
+    field :public_key, as: :text
+    field :nickname, as: :text
+    field :sign_count, as: :number
+    field :user, as: :belongs_to
+  end
+end
diff --git a/app/avo/resources/webauthn_credential_resource.rb b/app/avo/resources/webauthn_credential_resource.rb
deleted file mode 100644
index b6711b63eab..00000000000
--- a/app/avo/resources/webauthn_credential_resource.rb
+++ /dev/null
@@ -1,13 +0,0 @@
-class WebauthnCredentialResource < Avo::BaseResource
-  self.title = :id
-  self.includes = []
-
-  field :id, as: :id
-  # Fields generated from the model
-  field :external_id, as: :text
-  field :public_key, as: :text
-  field :nickname, as: :text
-  field :sign_count, as: :number
-  field :user, as: :belongs_to
-  # add fields here
-end
diff --git a/app/avo/resources/webauthn_verification.rb b/app/avo/resources/webauthn_verification.rb
new file mode 100644
index 00000000000..4d02a0409aa
--- /dev/null
+++ b/app/avo/resources/webauthn_verification.rb
@@ -0,0 +1,13 @@
+class Avo::Resources::WebauthnVerification < Avo::BaseResource
+  self.includes = []
+
+  def fields
+    field :id, as: :id
+
+    field :path_token, as: :text
+    field :path_token_expires_at, as: :date_time
+    field :otp, as: :text
+    field :otp_expires_at, as: :date_time
+    field :user, as: :belongs_to
+  end
+end
diff --git a/app/avo/resources/webauthn_verification_resource.rb b/app/avo/resources/webauthn_verification_resource.rb
deleted file mode 100644
index 5834540ac89..00000000000
--- a/app/avo/resources/webauthn_verification_resource.rb
+++ /dev/null
@@ -1,13 +0,0 @@
-class WebauthnVerificationResource < Avo::BaseResource
-  self.title = :id
-  self.includes = []
-
-  field :id, as: :id
-  # Fields generated from the model
-  field :path_token, as: :text
-  field :path_token_expires_at, as: :date_time
-  field :otp, as: :text
-  field :otp_expires_at, as: :date_time
-  field :user, as: :belongs_to
-  # add fields here
-end
diff --git a/app/components/avo/audited_changes_record_diff/show_component.html.erb b/app/components/avo/audited_changes_record_diff/show_component.html.erb
index 82c6d99e068..15bc48d4e8c 100644
--- a/app/components/avo/audited_changes_record_diff/show_component.html.erb
+++ b/app/components/avo/audited_changes_record_diff/show_component.html.erb
@@ -1,4 +1,4 @@
-<%= render Avo::PanelComponent.new(title: title_link, classes: %w[w-full]) do |c| %>
+<%= render Avo::PanelComponent.new(title: title_link, classes: "w-full") do |c| %>
   <% c.with_body do %>
     <% next unless authorized? %>
 
diff --git a/app/components/avo/audited_changes_record_diff/show_component.rb b/app/components/avo/audited_changes_record_diff/show_component.rb
index e898fe4593f..d17539f237d 100644
--- a/app/components/avo/audited_changes_record_diff/show_component.rb
+++ b/app/components/avo/audited_changes_record_diff/show_component.rb
@@ -10,16 +10,23 @@ def initialize(gid:, changes:, unchanged:, view:, user:)
     @view = view
 
     global_id = GlobalID.parse(gid)
-    model = begin
+    resource_class = Avo.resource_manager.get_resource_by_model_class(global_id.model_class)
+    unless resource_class
+      logger.info "No avo resource class for #{global_id} found"
+      return
+    end
+
+    record = begin
       global_id.find
     rescue ActiveRecord::RecordNotFound
       global_id.model_class.new(id: global_id.model_id)
     end
-    return unless (@resource = Avo::App.get_resource_by_model_name(global_id.model_class))
-    @resource.hydrate(model:, user:, view:)
+    @resource = resource_class.new(record:, view:, user:).detect_fields
 
-    @old_resource = resource.dup.hydrate(model: resource.model_class.new(**unchanged, **changes.transform_values(&:first)), view:)
-    @new_resource = resource.dup.hydrate(model: resource.model_class.new(**unchanged, **changes.transform_values(&:last)), view:)
+    @old_resource = resource_class
+      .new(record: resource.model_class.new(**unchanged, **changes.transform_values(&:first)), view:, user:).detect_fields
+    @new_resource = resource_class
+      .new(record: resource.model_class.new(**unchanged, **changes.transform_values(&:last)), view:, user:).detect_fields
   end
 
   def render?
@@ -29,7 +36,7 @@ def render?
   attr_reader :gid, :changes, :unchanged, :user, :resource, :old_resource, :new_resource, :view
 
   def sorted_fields
-    @resource.fields
+    @resource.only_fields
       .reject { _1.is_a?(Avo::Fields::HasBaseField) }
       .sort_by.with_index { |f, i| [changes.key?(f.id.to_s) ? -1 : 1, i] }
   end
@@ -59,16 +66,16 @@ def each_field # rubocop:disable Metrics/CyclomaticComplexity,Metrics/PerceivedC
   end
 
   def component_for_field(field, resource)
-    field = field.hydrate(model: resource.model, view:)
+    field = field.hydrate(resource:, record: resource.record, view:, user:)
     field.component_for_view(view).new(field:, resource:)
   end
 
   def authorized?
-    Pundit.policy!(user, [:admin, resource.model]).avo_show?
+    Pundit.policy!(user, [:admin, resource.record]).avo_show?
   end
 
   def title_link
-    link_to(resource.model_title, resource.record_path)
+    link_to(resource.record_title, resource.record_path)
   end
 
   def change_type_icon(type)
diff --git a/app/components/avo/fields/audited_changes_field/show_component.html.erb b/app/components/avo/fields/audited_changes_field/show_component.html.erb
index 9b4ee42a56e..20941303dd5 100644
--- a/app/components/avo/fields/audited_changes_field/show_component.html.erb
+++ b/app/components/avo/fields/audited_changes_field/show_component.html.erb
@@ -1,5 +1,6 @@
 <%= field_wrapper **field_wrapper_args, full_width: true do %>
   <% records&.each do |gid, changes, unchanged| %>
+    <h3><%= gid %></h3>
     <%= render Avo::AuditedChangesRecordDiff::ShowComponent.new(
       gid:,
       changes:,
diff --git a/app/controllers/adoptions_controller.rb b/app/controllers/adoptions_controller.rb
index 77f4d09aebf..8ee0d1cbdf1 100644
--- a/app/controllers/adoptions_controller.rb
+++ b/app/controllers/adoptions_controller.rb
@@ -2,7 +2,7 @@ class AdoptionsController < ApplicationController
   include SessionVerifiable
 
   before_action :find_rubygem
-  before_action :redirect_to_verify, if: -> { @rubygem.owned_by?(current_user) && !verified_session_active? }
+  before_action :redirect_to_verify, if: -> { policy(@rubygem).manage_adoption? && !verified_session_active? }
 
   def index
     @ownership_call     = @rubygem.ownership_call
diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
index 46b886f3ae9..3eefc10e801 100644
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -2,7 +2,9 @@ class Api::BaseController < ApplicationController
   skip_before_action :verify_authenticity_token
   after_action :skip_session
 
-  rescue_from(Pundit::NotAuthorizedError) { |_| render_api_key_forbidden }
+  rescue_from(Pundit::NotAuthorizedError) do |e|
+    render_forbidden(e.policy.error)
+  end
 
   private
 
@@ -17,13 +19,13 @@ def gem_name
   def find_rubygem_by_name
     @rubygem = Rubygem.find_by name: gem_name
     return if @rubygem
-    render plain: "This gem could not be found", status: :not_found
+    render plain: t(:api_gem_not_found), status: :not_found
   end
 
   def verify_api_key_gem_scope
     return unless @api_key.rubygem && @api_key.rubygem != @rubygem
 
-    render plain: "This API key cannot perform the specified action on this gem.", status: :forbidden
+    render_forbidden t(:api_key_insufficient_scope)
   end
 
   def verify_with_otp
@@ -33,58 +35,16 @@ def verify_with_otp
     render plain: prompt_text, status: :unauthorized
   end
 
-  def verify_mfa_requirement
-    if @rubygem && !@rubygem.mfa_requirement_satisfied_for?(@api_key.user)
-      render plain: "Gem requires MFA enabled; You do not have MFA enabled yet.", status: :forbidden
-    elsif @api_key.mfa_required_not_yet_enabled?
-      render_mfa_setup_required_error
-    elsif @api_key.mfa_required_weak_level_enabled?
-      render_mfa_strong_level_required_error
+  def response_with_mfa_warning(message)
+    if @api_key&.mfa_recommended_not_yet_enabled?
+      +message << "\n\n" << t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
+    elsif @api_key&.mfa_recommended_weak_level_enabled?
+      +message << "\n\n" << t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
+    else
+      message
     end
   end
 
-  def response_with_mfa_warning(response)
-    message = response
-    if @api_key.mfa_recommended_not_yet_enabled?
-      message += <<~WARN.chomp
-
-
-        [WARNING] For protection of your account and gems, we encourage you to set up multi-factor authentication \
-        at https://rubygems.org/totp/new. Your account will be required to have MFA enabled in the future.
-      WARN
-    elsif @api_key.mfa_recommended_weak_level_enabled?
-      message += <<~WARN.chomp
-
-
-        [WARNING] For protection of your account and gems, we encourage you to change your multi-factor authentication \
-        level to 'UI and gem signin' or 'UI and API' at https://rubygems.org/settings/edit. \
-        Your account will be required to have MFA enabled on one of these levels in the future.
-      WARN
-    end
-
-    message
-  end
-
-  def render_mfa_setup_required_error
-    error = <<~ERROR.chomp
-      [ERROR] For protection of your account and your gems, you are required to set up multi-factor authentication \
-      at https://rubygems.org/totp/new.
-
-      Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
-    ERROR
-    render_forbidden(error)
-  end
-
-  def render_mfa_strong_level_required_error
-    error = <<~ERROR.chomp
-      [ERROR] For protection of your account and your gems, you are required to change your MFA level to 'UI and gem signin' or 'UI and API' \
-      at https://rubygems.org/settings/edit.
-
-      Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
-    ERROR
-    render_forbidden(error)
-  end
-
   def authenticate_with_api_key
     params_key = request.headers["Authorization"] || ""
     hashed_key = Digest::SHA256.hexdigest(params_key)
@@ -92,7 +52,7 @@ def authenticate_with_api_key
     return render_unauthorized unless @api_key
     set_tags "gemcutter.api_key.owner" => @api_key.owner.to_gid, "gemcutter.user.api_key_id" => @api_key.id
     Current.user = @api_key.user
-    render_soft_deleted_api_key if @api_key.soft_deleted?
+    render_forbidden(t(:api_key_soft_deleted)) if @api_key.soft_deleted?
   end
 
   def pundit_user
@@ -104,19 +64,21 @@ def policy_scope(scope)
   end
 
   def authorize(record, query = nil)
+    return if record.nil? # not found is handled by the action
     super(Array.wrap(record).prepend(:api), query)
   end
 
   def verify_user_api_key
-    render_api_key_forbidden if @api_key.user.blank?
+    render_forbidden(t(:api_key_forbidden)) if @api_key.user.blank?
   end
 
   def render_unauthorized
     render plain: t(:please_sign_up), status: :unauthorized
   end
 
-  def render_api_key_forbidden(error = nil)
-    error = error&.message || t(:api_key_forbidden)
+  def render_forbidden(error = nil)
+    error = error.message if error.respond_to?(:message)
+    error ||= t(:api_key_forbidden)
     respond_to do |format|
       format.any(:all) { render plain: error, status: :forbidden }
       format.json { render json: { error: }, status: :forbidden }
@@ -124,10 +86,6 @@ def render_api_key_forbidden(error = nil)
     end
   end
 
-  def render_soft_deleted_api_key
-    render plain: "An invalid API key cannot be used. Please delete it and create a new one.", status: :forbidden
-  end
-
   def skip_session
     request.session_options[:skip] = true
   end
diff --git a/app/controllers/api/compact_index_controller.rb b/app/controllers/api/compact_index_controller.rb
index 386e3cad3c1..bdae9f274cd 100644
--- a/app/controllers/api/compact_index_controller.rb
+++ b/app/controllers/api/compact_index_controller.rb
@@ -33,6 +33,7 @@ def render_range(response_body)
     headers["Digest"] = "sha-256=#{digest}"
     headers["Repr-Digest"] = "sha-256=:#{digest}:"
     headers["Accept-Ranges"] = "bytes"
+    headers["Content-Type"] = "text/plain; charset=utf-8"
 
     ranges = Rack::Utils.byte_ranges(request.env, response_body.bytesize)
     if ranges
diff --git a/app/controllers/api/v1/api_keys_controller.rb b/app/controllers/api/v1/api_keys_controller.rb
index a4c7d53b30d..a89511f998f 100644
--- a/app/controllers/api/v1/api_keys_controller.rb
+++ b/app/controllers/api/v1/api_keys_controller.rb
@@ -49,10 +49,13 @@ def update
 
   def check_mfa(user)
     if user&.mfa_gem_signin_authorized?(otp)
-      return render_mfa_setup_required_error if user.mfa_required_not_yet_enabled?
-      return render_mfa_strong_level_required_error if user.mfa_required_weak_level_enabled?
-
-      yield
+      if user.mfa_required_not_yet_enabled?
+        render_forbidden t("multifactor_auths.api.mfa_required_not_yet_enabled").chomp
+      elsif user.mfa_required_weak_level_enabled?
+        render_forbidden t("multifactor_auths.api.mfa_required_weak_level_enabled").chomp
+      else
+        yield
+      end
     elsif user&.mfa_enabled?
       prompt_text = otp.present? ? t(:otp_incorrect) : t(:otp_missing)
       render plain: prompt_text, status: :unauthorized
diff --git a/app/controllers/api/v1/attestations_controller.rb b/app/controllers/api/v1/attestations_controller.rb
new file mode 100644
index 00000000000..87b5f4a97a6
--- /dev/null
+++ b/app/controllers/api/v1/attestations_controller.rb
@@ -0,0 +1,16 @@
+class Api::V1::AttestationsController < Api::BaseController
+  before_action :find_version
+
+  def show
+    respond_to do |format|
+      format.json { render json: @version.attestations.pluck(:body) }
+    end
+  end
+
+  private
+
+  def find_version
+    @version = Version.find_by(full_name: params[:id].delete_suffix(".json")) ||
+      render(plain: t(:this_rubygem_could_not_be_found), status: :not_found)
+  end
+end
diff --git a/app/controllers/api/v1/deletions_controller.rb b/app/controllers/api/v1/deletions_controller.rb
index 3dea90ad1ed..bb06d5acae3 100644
--- a/app/controllers/api/v1/deletions_controller.rb
+++ b/app/controllers/api/v1/deletions_controller.rb
@@ -5,10 +5,9 @@ class Api::V1::DeletionsController < Api::BaseController
   before_action :verify_api_key_gem_scope
   before_action :validate_gem_and_version
   before_action :verify_with_otp
-  before_action :render_api_key_forbidden, if: :api_key_unauthorized?
-  before_action :verify_mfa_requirement
 
   def create
+    authorize @rubygem, :yank? # TODO: change to @version
     @deletion = @api_key.user.deletions.build(version: @version)
     if @deletion.save
       StatsD.increment "yank.success"
@@ -34,8 +33,7 @@ def validate_gem_and_version
       render plain: response_with_mfa_warning(t(:this_rubygem_could_not_be_found)),
              status: :not_found
     elsif !@rubygem.owned_by?(@api_key.user)
-      render plain: response_with_mfa_warning("You do not have permission to delete this gem."),
-             status: :forbidden
+      render_forbidden response_with_mfa_warning("You do not have permission to delete this gem.")
     else
       begin
         version = params.permit(:version).require(:version)
@@ -47,8 +45,4 @@ def validate_gem_and_version
       end
     end
   end
-
-  def api_key_unauthorized?
-    !@api_key.can_yank_rubygem?
-  end
 end
diff --git a/app/controllers/api/v1/oidc/rubygem_trusted_publishers_controller.rb b/app/controllers/api/v1/oidc/rubygem_trusted_publishers_controller.rb
index f1bb0a6b9df..e600e3c4ab9 100644
--- a/app/controllers/api/v1/oidc/rubygem_trusted_publishers_controller.rb
+++ b/app/controllers/api/v1/oidc/rubygem_trusted_publishers_controller.rb
@@ -5,7 +5,6 @@ class Api::V1::OIDC::RubygemTrustedPublishersController < Api::BaseController
   before_action :find_rubygem
 
   before_action :verify_with_otp
-  before_action :verify_mfa_requirement
 
   before_action :find_rubygem_trusted_publisher, except: %i[index create]
   before_action :set_trusted_publisher_type, only: %i[create]
@@ -19,7 +18,7 @@ def show
   end
 
   def create
-    trusted_publisher = authorize @rubygem.oidc_rubygem_trusted_publishers.build(create_params)
+    trusted_publisher = @rubygem.oidc_rubygem_trusted_publishers.build(create_params)
 
     if trusted_publisher.save
       render json: trusted_publisher, status: :created
@@ -36,11 +35,11 @@ def destroy
 
   def find_rubygem
     super
-    authorize @rubygem, :show_trusted_publishers?
+    authorize @rubygem, :configure_trusted_publishers?
   end
 
   def find_rubygem_trusted_publisher
-    @rubygem_trusted_publisher = authorize @rubygem.oidc_rubygem_trusted_publishers.find(params.permit(:id).require(:id))
+    @rubygem_trusted_publisher = @rubygem.oidc_rubygem_trusted_publishers.find(params.permit(:id).require(:id))
   end
 
   def set_trusted_publisher_type
diff --git a/app/controllers/api/v1/oidc/trusted_publisher_controller.rb b/app/controllers/api/v1/oidc/trusted_publisher_controller.rb
index febafa6ce39..3da6fe8d22e 100644
--- a/app/controllers/api/v1/oidc/trusted_publisher_controller.rb
+++ b/app/controllers/api/v1/oidc/trusted_publisher_controller.rb
@@ -2,6 +2,7 @@ class Api::V1::OIDC::TrustedPublisherController < Api::BaseController
   include ApiKeyable
 
   before_action :decode_jwt
+  before_action :validate_jwt_format
   before_action :find_provider
   before_action :verify_signature
   before_action :find_trusted_publisher
@@ -9,6 +10,9 @@ class Api::V1::OIDC::TrustedPublisherController < Api::BaseController
 
   class UnsupportedIssuer < StandardError; end
   class UnverifiedJWT < StandardError; end
+  class InvalidJWT < StandardError; end
+
+  rescue_from InvalidJWT, with: :render_bad_request
 
   rescue_from(
     UnsupportedIssuer, UnverifiedJWT,
@@ -40,9 +44,18 @@ def exchange_token
 
   def decode_jwt
     @jwt = JSON::JWT.decode_compact_serialized(params.permit(:jwt).require(:jwt), :skip_verification)
-  rescue JSON::JWT::InvalidFormat, JSON::ParserError, ArgumentError
+  rescue JSON::JWT::InvalidFormat, JSON::ParserError, ArgumentError => e
     # invalid base64 raises ArgumentError
-    render_bad_request
+    render_bad_request(e)
+  end
+
+  def validate_jwt_format
+    %w[nbf iat exp].each do |claim|
+      raise InvalidJWT, "Missing/invalid #{claim}" unless @jwt[claim].is_a?(Integer)
+    end
+    %w[iss jti].each do |claim|
+      raise InvalidJWT, "Missing/invalid #{claim}" unless @jwt[claim].is_a?(String)
+    end
   end
 
   def find_provider
@@ -65,8 +78,4 @@ def find_trusted_publisher
   def validate_claims
     @trusted_publisher.to_access_policy(@jwt).verify_access!(@jwt)
   end
-
-  def render_bad_request
-    render json: { error: "Bad Request" }, status: :bad_request
-  end
 end
diff --git a/app/controllers/api/v1/owners_controller.rb b/app/controllers/api/v1/owners_controller.rb
index d9f00ea7a64..ec4e6ed3f1c 100644
--- a/app/controllers/api/v1/owners_controller.rb
+++ b/app/controllers/api/v1/owners_controller.rb
@@ -1,11 +1,9 @@
 class Api::V1::OwnersController < Api::BaseController
   before_action :authenticate_with_api_key, except: %i[show gems]
-  before_action :verify_user_api_key, except: %i[show gems]
-  before_action :find_rubygem, except: :gems
-  before_action :verify_api_key_gem_scope, except: %i[show gems]
-  before_action :verify_gem_ownership, except: %i[show gems]
-  before_action :verify_mfa_requirement, except: %i[show gems]
   before_action :verify_with_otp, except: %i[show gems]
+  before_action :find_rubygem, except: :gems
+
+  rescue_from ActiveRecord::RecordNotFound, with: :render_not_found
 
   def show
     respond_to do |format|
@@ -15,65 +13,74 @@ def show
   end
 
   def create
-    return render_api_key_forbidden unless @api_key.can_add_owner?
+    authorize @rubygem, :add_owner?
+    owner = User.find_by_name!(email_param)
+    ownership = @rubygem.ownerships.new(user: owner, authorizer: @api_key.user, **ownership_params)
+
+    if ownership.save
+      OwnersMailer.ownership_confirmation(ownership).deliver_later
+      render plain: response_with_mfa_warning("#{owner.display_handle} was added as an unconfirmed owner. " \
+                                              "Ownership access will be enabled after the user clicks on the " \
+                                              "confirmation mail sent to their email.")
+    else
+      render plain: response_with_mfa_warning(ownership.errors.full_messages.to_sentence), status: :unprocessable_entity
+    end
+  end
 
+  def update
     owner = User.find_by_name(email_param)
-    if owner
-      ownership = @rubygem.ownerships.new(user: owner, authorizer: @api_key.user)
-      if ownership.save
-        OwnersMailer.ownership_confirmation(ownership).deliver_later
-        render plain: response_with_mfa_warning("#{owner.display_handle} was added as an unconfirmed owner. " \
-                                                "Ownership access will be enabled after the user clicks on the " \
-                                                "confirmation mail sent to their email.")
-      else
-        render plain: response_with_mfa_warning(ownership.errors.full_messages.to_sentence), status: :unprocessable_entity
-      end
+    ownership = @rubygem.ownerships.find_by(user: owner) if owner
+    if ownership
+      authorize(ownership)
     else
-      render plain: response_with_mfa_warning("Owner could not be found."), status: :not_found
+      authorize(@rubygem, :update_owner?) # don't leak presence of an email unless authorized
+      return render_not_found
+    end
+
+    if ownership.update(ownership_params)
+      render plain: response_with_mfa_warning("Owner updated successfully.")
+    else
+      render plain: response_with_mfa_warning(ownership.errors.full_messages.to_sentence), status: :unprocessable_entity
     end
   end
 
   def destroy
-    return render_api_key_forbidden unless @api_key.can_remove_owner?
+    authorize @rubygem, :remove_owner?
+    owner = User.find_by_name!(email_param)
+    ownership = @rubygem.ownerships_including_unconfirmed.find_by!(user: owner)
 
-    owner = @rubygem.owners_including_unconfirmed.find_by_name(email_param)
-    if owner
-      ownership = @rubygem.ownerships_including_unconfirmed.find_by(user_id: owner.id)
-      if ownership.safe_destroy
-        OwnersMailer.owner_removed(ownership.user_id, @api_key.user.id, ownership.rubygem_id).deliver_later
-        render plain: response_with_mfa_warning("Owner removed successfully.")
-      else
-        render plain: response_with_mfa_warning("Unable to remove owner."), status: :forbidden
-      end
+    if ownership.safe_destroy
+      OwnersMailer.owner_removed(ownership.user_id, @api_key.user.id, ownership.rubygem_id).deliver_later
+      render plain: response_with_mfa_warning("Owner removed successfully.")
     else
-      render plain: response_with_mfa_warning("Owner could not be found."), status: :not_found
+      render plain: response_with_mfa_warning("Unable to remove owner."), status: :forbidden
     end
   end
 
   def gems
-    user = User.find_by_slug(params[:handle])
-    if user
-      rubygems = user.rubygems.with_versions.preload(
-        :linkset, :gem_download,
-        most_recent_version: { dependencies: :rubygem, gem_download: nil }
-      ).strict_loading
-      respond_to do |format|
-        format.json { render json: rubygems }
-        format.yaml { render yaml: rubygems }
-      end
-    else
-      render plain: "Owner could not be found.", status: :not_found
+    owner = User.find_by_slug!(params[:handle])
+    rubygems = owner.rubygems.with_versions.preload(
+      :linkset, :gem_download,
+      most_recent_version: { dependencies: :rubygem, gem_download: nil }
+    ).strict_loading
+
+    respond_to do |format|
+      format.json { render json: rubygems }
+      format.yaml { render yaml: rubygems }
     end
   end
 
   protected
 
-  def verify_gem_ownership
-    return if @api_key.user.rubygems.find_by_name(params[:rubygem_id])
-    render plain: response_with_mfa_warning("You do not have permission to manage this gem."), status: :unauthorized
+  def render_not_found
+    render plain: response_with_mfa_warning("Owner could not be found."), status: :not_found
   end
 
   def email_param
     params.permit(:email).require(:email)
   end
+
+  def ownership_params
+    params.permit(:role)
+  end
 end
diff --git a/app/controllers/api/v1/rubygems_controller.rb b/app/controllers/api/v1/rubygems_controller.rb
index 4d6793e1922..2d759f98de7 100644
--- a/app/controllers/api/v1/rubygems_controller.rb
+++ b/app/controllers/api/v1/rubygems_controller.rb
@@ -4,12 +4,10 @@ class Api::V1::RubygemsController < Api::BaseController
   before_action :find_rubygem, only: %i[show reverse_dependencies]
   before_action :cors_preflight_check, only: :show
   before_action :verify_with_otp, only: %i[create]
-  before_action :verify_mfa_requirement, only: %i[create]
   after_action  :cors_set_access_control_headers, only: :show
 
   def index
-    return render_forbidden unless @api_key.can_index_rubygems?
-
+    authorize Rubygem, :index?
     @rubygems = @api_key.user.rubygems.with_versions
       .preload(:linkset, :gem_download, most_recent_version: { dependencies: :rubygem, gem_download: nil })
     respond_to do |format|
@@ -33,11 +31,26 @@ def show
   end
 
   def create
-    return render_api_key_forbidden unless @api_key.can_push_rubygem?
+    authorize Rubygem, :create?
+    return render_forbidden(t(:api_key_insufficient_scope)) unless @api_key.can_push_rubygem?
+
+    gem_body = attestations = nil
+    if %w[multipart/form-data multipart/mixed].include?(request.media_type)
+      gem_body = params.permit(:gem).require(:gem)
+      return render_bad_request("gem is not a file upload") unless gem_body.is_a?(ActionDispatch::Http::UploadedFile)
+      return render_bad_request("missing attestations") unless (attestations = params[:attestations]).is_a?(String)
+      attestations = ActiveSupport::JSON.decode(attestations)
+      return render_bad_request("attestations must be an array, is #{attestations.class}") unless attestations.is_a?(Array)
+      attestations = attestations&.as_json
+    else
+      gem_body = request.body
+    end
 
-    gemcutter = Pusher.new(@api_key, request.body, request:)
+    gemcutter = Pusher.new(@api_key, gem_body, request:, attestations:)
     gemcutter.process
     render plain: response_with_mfa_warning(gemcutter.message), status: gemcutter.code
+  rescue Pundit::NotAuthorizedError
+    raise # allow rescue_from in base_controller to handle this
   rescue StandardError => e
     Rails.error.report(e, handled: true)
     render plain: "Server error. Please try again.", status: :internal_server_error
diff --git a/app/controllers/api/v1/timeframe_versions_controller.rb b/app/controllers/api/v1/timeframe_versions_controller.rb
index 0259eb85712..31007ea9a31 100644
--- a/app/controllers/api/v1/timeframe_versions_controller.rb
+++ b/app/controllers/api/v1/timeframe_versions_controller.rb
@@ -31,7 +31,7 @@ def from_time
 
   def to_time
     @to_time ||= params[:to].blank? ? Time.zone.now : Time.iso8601(params[:to])
-  rescue ArgumentError
+  rescue ArgumentError, TypeError
     raise InvalidTimeframeParameterError, 'the "to" parameter must be iso8601 formatted'
   end
 
diff --git a/app/controllers/api/v1/web_hooks_controller.rb b/app/controllers/api/v1/web_hooks_controller.rb
index 301d73a20b5..77a66eb1fd6 100644
--- a/app/controllers/api/v1/web_hooks_controller.rb
+++ b/app/controllers/api/v1/web_hooks_controller.rb
@@ -1,10 +1,10 @@
 class Api::V1::WebHooksController < Api::BaseController
   before_action :authenticate_with_api_key
   before_action :verify_user_api_key
-  before_action :render_api_key_forbidden, if: :api_key_unauthorized?
   before_action :find_rubygem_by_name, :set_url, except: :index
 
   def index
+    authorize WebHook
     respond_to do |format|
       format.json { render json: @api_key.user.all_hooks }
       format.yaml { render yaml: @api_key.user.all_hooks }
@@ -12,7 +12,7 @@ def index
   end
 
   def create
-    webhook = @api_key.user.web_hooks.build(url: @url, rubygem: @rubygem)
+    webhook = authorize @api_key.user.web_hooks.build(url: @url, rubygem: @rubygem)
     if webhook.save
       render(plain: webhook.success_message, status: :created)
     else
@@ -21,7 +21,7 @@ def create
   end
 
   def remove
-    webhook = @api_key.user.web_hooks.find_by_rubygem_id_and_url(@rubygem&.id, @url)
+    webhook = authorize @api_key.user.web_hooks.find_by_rubygem_id_and_url(@rubygem&.id, @url)
     if webhook&.destroy
       render(plain: webhook.removed_message)
     else
@@ -33,11 +33,15 @@ def fire
     webhook = @api_key.user.web_hooks.new(url: @url)
     @rubygem ||= Rubygem.find_by_name("gemcutter")
 
-    if webhook.fire(request.protocol.delete("://"), request.host_with_port,
-                    @rubygem.most_recent_version, delayed: false)
-      render plain: webhook.deployed_message(@rubygem)
+    authorize webhook
+
+    response = webhook.fire(request.protocol.delete("://"), request.host_with_port,
+                            @rubygem.most_recent_version, delayed: false)
+
+    if response.fetch("status") == "success"
+      render plain: webhook.deployed_message(@rubygem) + hook_relay_message(response)
     else
-      render_bad_request webhook.failed_message(@rubygem)
+      render_bad_request webhook.failed_message(@rubygem) + hook_relay_message(response)
     end
   end
 
@@ -54,7 +58,20 @@ def set_url
     @url = params[:url]
   end
 
-  def api_key_unauthorized?
-    !@api_key.can_access_webhooks?
+  def hook_relay_message(response)
+    status = response.fetch("status")
+    msg = +""
+    msg << "\nFailed with status #{status.inspect}: #{response['failure_reason']}" if status != "success"
+    if response.key?("responses") && response["responses"].any?
+      r = response.dig("responses", -1)
+      msg << "\nError: #{r['error']}" if r["error"]
+      msg << "\n\nResponse: #{r['code']}"
+      r.fetch("headers", []).each do |k, v|
+        msg << "\n#{k}: #{v}"
+      end
+      msg << "\n\n#{r['body']}"
+    end
+
+    msg
   end
 end
diff --git a/app/controllers/api_keys_controller.rb b/app/controllers/api_keys_controller.rb
index 3be2f3403fa..65663f0cff9 100644
--- a/app/controllers/api_keys_controller.rb
+++ b/app/controllers/api_keys_controller.rb
@@ -1,5 +1,6 @@
 class ApiKeysController < ApplicationController
   before_action :disable_cache, only: :index
+  before_action :set_page, only: :index
 
   include ApiKeyable
 
@@ -8,7 +9,7 @@ class ApiKeysController < ApplicationController
 
   def index
     @api_key  = session.delete(:api_key)
-    @api_keys = current_user.api_keys.unexpired.not_oidc.preload(ownership: :rubygem)
+    @api_keys = current_user.api_keys.unexpired.not_oidc.preload(ownership: :rubygem).page(@page)
     redirect_to new_profile_api_key_path if @api_keys.empty?
   end
 
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e9fe1221041..65a6f65e107 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -9,7 +9,9 @@ class ApplicationController < ActionController::Base
   rescue_from ActiveRecord::RecordNotFound, with: :render_not_found
   rescue_from ActionController::InvalidAuthenticityToken, with: :render_forbidden
   rescue_from ActionController::UnpermittedParameters, with: :render_bad_request
-  rescue_from(Pundit::NotAuthorizedError) { |_| render_forbidden } # don't pass pundit error message
+  rescue_from(Pundit::NotAuthorizedError) do |e|
+    render_forbidden(e.policy.error)
+  end
 
   before_action :set_locale
   before_action :reject_null_char_param
@@ -60,6 +62,16 @@ def self.http_basic_authenticate_with(**options)
     super
   end
 
+  def breadcrumbs
+    @breadcrumbs ||= []
+  end
+  helper_method :breadcrumbs
+
+  def add_breadcrumb(name, link = nil)
+    breadcrumbs << [name, link]
+  end
+  helper_method :add_breadcrumb
+
   protected
 
   def http_basic_authentication_options_valid?(**options)
@@ -105,10 +117,6 @@ def find_rubygem
     end
   end
 
-  def owner?
-    @rubygem.owned_by?(current_user)
-  end
-
   def find_versioned_links
     @versioned_links = @rubygem.links(@latest_version)
   end
@@ -138,7 +146,8 @@ def render_not_found
     end
   end
 
-  def render_forbidden(error = "forbidden")
+  def render_forbidden(error = nil)
+    error ||= t(:forbidden)
     render plain: error, status: :forbidden
   end
 
diff --git a/app/controllers/avo/attestations_controller.rb b/app/controllers/avo/attestations_controller.rb
new file mode 100644
index 00000000000..053dc201472
--- /dev/null
+++ b/app/controllers/avo/attestations_controller.rb
@@ -0,0 +1,4 @@
+# This controller has been generated to enable Rails' resource routes.
+# More information on https://docs.avohq.io/2.0/controllers.html
+class Avo::AttestationsController < Avo::ResourcesController
+end
diff --git a/app/controllers/avo/memberships_controller.rb b/app/controllers/avo/memberships_controller.rb
new file mode 100644
index 00000000000..679726950fa
--- /dev/null
+++ b/app/controllers/avo/memberships_controller.rb
@@ -0,0 +1,4 @@
+# This controller has been generated to enable Rails' resource routes.
+# More information on https://docs.avohq.io/2.0/controllers.html
+class Avo::MembershipsController < Avo::ResourcesController
+end
diff --git a/app/controllers/avo/organization_onboarding_invites_controller.rb b/app/controllers/avo/organization_onboarding_invites_controller.rb
new file mode 100644
index 00000000000..fc4bf11c51b
--- /dev/null
+++ b/app/controllers/avo/organization_onboarding_invites_controller.rb
@@ -0,0 +1,4 @@
+# This controller has been generated to enable Rails' resource routes.
+# More information on https://docs.avohq.io/2.0/controllers.html
+class Avo::OrganizationOnboardingInvitesController < Avo::ResourcesController
+end
diff --git a/app/controllers/avo/organization_onboardings_controller.rb b/app/controllers/avo/organization_onboardings_controller.rb
new file mode 100644
index 00000000000..d9575f8fbbb
--- /dev/null
+++ b/app/controllers/avo/organization_onboardings_controller.rb
@@ -0,0 +1,4 @@
+# This controller has been generated to enable Rails' resource routes.
+# More information on https://docs.avohq.io/2.0/controllers.html
+class Avo::OrganizationOnboardingsController < Avo::ResourcesController
+end
diff --git a/app/controllers/avo/organizations_controller.rb b/app/controllers/avo/organizations_controller.rb
new file mode 100644
index 00000000000..351db7d415e
--- /dev/null
+++ b/app/controllers/avo/organizations_controller.rb
@@ -0,0 +1,4 @@
+# This controller has been generated to enable Rails' resource routes.
+# More information on https://docs.avohq.io/2.0/controllers.html
+class Avo::OrganizationsController < Avo::ResourcesController
+end
diff --git a/app/controllers/concerns/avo_auditable.rb b/app/controllers/concerns/avo_auditable.rb
index bf7643f1005..2fdabd8772a 100644
--- a/app/controllers/concerns/avo_auditable.rb
+++ b/app/controllers/concerns/avo_auditable.rb
@@ -12,17 +12,17 @@ def perform_action_and_record_errors(&blk)
       action = params.fetch(:action)
       fields = action == "destroy" ? {} : cast_nullable(model_params)
 
-      @model.errors.add :comment, "must supply a sufficiently detailed comment" if fields[:comment]&.then { _1.length < 10 }
-      raise ActiveRecord::RecordInvalid, @model if @model.errors.present?
-      action_name = "Manual #{action} of #{@model.class}"
+      @record.errors.add :comment, "must supply a sufficiently detailed comment" if fields[:comment]&.then { _1.length < 10 }
+      raise ActiveRecord::RecordInvalid, @record if @record.errors.present?
+      action_name = "Manual #{action} of #{@record.class}"
 
       value, @audit = in_audited_transaction(
-        auditable: @model,
+        auditable: @record,
         admin_github_user: _current_user,
         action: action_name,
         fields: fields.reverse_merge(comment: action_name),
         arguments: {},
-        models: [@model],
+        models: [@record],
         &blk
       )
       value
diff --git a/app/controllers/concerns/require_mfa.rb b/app/controllers/concerns/require_mfa.rb
index 8dc1c3195e2..872ed47833d 100644
--- a/app/controllers/concerns/require_mfa.rb
+++ b/app/controllers/concerns/require_mfa.rb
@@ -54,12 +54,12 @@ def incorrect_otp
   end
 
   def webauthn_failure
-    invalidate_mfa_session(@webauthn_error)
+    mfa_failure(@webauthn_error)
   end
 
   def invalidate_mfa_session(message)
     delete_mfa_session
-    mfa_failure(message)
+    login_failure(message)
   end
 
   def delete_mfa_session
diff --git a/app/controllers/dashboards_controller.rb b/app/controllers/dashboards_controller.rb
index 79e8b999ce6..4cf72c275cd 100644
--- a/app/controllers/dashboards_controller.rb
+++ b/app/controllers/dashboards_controller.rb
@@ -4,12 +4,16 @@ class DashboardsController < ApplicationController
   before_action :redirect_to_new_mfa, if: :mfa_required_not_yet_enabled?
   before_action :redirect_to_settings_strong_mfa_required, if: :mfa_required_weak_level_enabled?
 
+  layout "subject"
+
   def show
+    add_breadcrumb t("breadcrumbs.dashboard")
+
     respond_to do |format|
       format.html do
-        @my_gems         = current_user.rubygems.with_versions.by_name.preload(:most_recent_version)
-        @latest_updates  = Version.subscribed_to_by(current_user).published.limit(Gemcutter::DEFAULT_PAGINATION)
-        @subscribed_gems = current_user.subscribed_gems.with_versions
+        find_my_gems
+        find_subscribed_gems
+        find_latest_updates
       end
       format.atom do
         @versions = Version.subscribed_to_by(api_or_logged_in_user).published.limit(Gemcutter::DEFAULT_PAGINATION)
@@ -32,4 +36,33 @@ def authenticate_with_api_key
   def api_or_logged_in_user
     current_user || @api_key.user
   end
+
+  def find_my_gems
+    @my_gems_count = current_user.rubygems.with_versions.count
+    @my_gems = current_user
+      .rubygems
+      .with_versions
+      .by_downloads
+      .preload(:most_recent_version, :gem_download)
+      .load_async
+  end
+
+  def find_subscribed_gems
+    @subscribed_gems_count = current_user.subscribed_gems.with_versions.count
+    @subscribed_gems = current_user
+      .subscribed_gems
+      .with_versions
+      .limit(5)
+      .preload(:most_recent_version)
+      .load_async
+  end
+
+  def find_latest_updates
+    @latest_updates = Version
+      .subscribed_to_by(current_user)
+      .published
+      .limit(Gemcutter::DEFAULT_PAGINATION)
+      .preload(:rubygem, :pusher, pusher_api_key: :owner)
+      .load_async
+  end
 end
diff --git a/app/controllers/multifactor_auths_controller.rb b/app/controllers/multifactor_auths_controller.rb
index efd8cebb682..ccc4fe14113 100644
--- a/app/controllers/multifactor_auths_controller.rb
+++ b/app/controllers/multifactor_auths_controller.rb
@@ -84,12 +84,13 @@ def mfa_failure(message)
     delete_mfa_session
     redirect_to edit_settings_path, flash: { error: message }
   end
+  alias login_failure mfa_failure
 
   def otp_verification_url
-    otp_update_multifactor_auth_url(token: current_user.confirmation_token, level: level_param)
+    otp_update_multifactor_auth_url(level: level_param)
   end
 
   def webauthn_verification_url
-    webauthn_update_multifactor_auth_url(token: current_user.confirmation_token, level: level_param)
+    webauthn_update_multifactor_auth_url(level: level_param)
   end
 end
diff --git a/app/controllers/oidc/rubygem_trusted_publishers_controller.rb b/app/controllers/oidc/rubygem_trusted_publishers_controller.rb
index 2f6b30b2f31..14ba48a3faf 100644
--- a/app/controllers/oidc/rubygem_trusted_publishers_controller.rb
+++ b/app/controllers/oidc/rubygem_trusted_publishers_controller.rb
@@ -53,7 +53,7 @@ def create_params_key = :oidc_rubygem_trusted_publisher
 
   def find_rubygem
     super
-    authorize @rubygem, :show_trusted_publishers?
+    authorize @rubygem, :configure_trusted_publishers?
   end
 
   def find_rubygem_trusted_publisher
diff --git a/app/controllers/organizations/onboarding/base_controller.rb b/app/controllers/organizations/onboarding/base_controller.rb
new file mode 100644
index 00000000000..67eae35ded2
--- /dev/null
+++ b/app/controllers/organizations/onboarding/base_controller.rb
@@ -0,0 +1,28 @@
+class Organizations::Onboarding::BaseController < ApplicationController
+  before_action :redirect_to_signin, unless: :signed_in?
+  before_action :redirect_to_new_mfa, if: :mfa_required_not_yet_enabled?
+  before_action :find_or_initialize_onboarding
+  before_action :set_breadcrumbs
+
+  def find_or_initialize_onboarding
+    @organization_onboarding = OrganizationOnboarding.find_or_initialize_by(created_by: Current.user, status: :pending)
+  end
+
+  def set_breadcrumbs
+    add_breadcrumb t("breadcrumbs.dashboard"), dashboard_path
+    add_breadcrumb "Create Org"
+  end
+
+  def available_rubygems
+    @available_rubygems ||= @organization_onboarding.available_rubygems.to_a.tap do |gems|
+      namesake_rubygem = @organization_onboarding.namesake_rubygem
+      gems.unshift gems.delete(namesake_rubygem) if namesake_rubygem
+    end
+  end
+  helper_method :available_rubygems
+
+  def approved_invites
+    @approved_invites ||= @organization_onboarding.approved_invites
+  end
+  helper_method :approved_invites
+end
diff --git a/app/controllers/organizations/onboarding/confirm_controller.rb b/app/controllers/organizations/onboarding/confirm_controller.rb
new file mode 100644
index 00000000000..bba2ae80f4f
--- /dev/null
+++ b/app/controllers/organizations/onboarding/confirm_controller.rb
@@ -0,0 +1,16 @@
+class Organizations::Onboarding::ConfirmController < Organizations::Onboarding::BaseController
+  layout "onboarding"
+
+  def edit
+  end
+
+  def update
+    @organization_onboarding.onboard!
+
+    flash[:notice] = I18n.t("organization_onboardings.confirm.success")
+    redirect_to organization_path(@organization_onboarding.organization)
+  rescue ActiveRecord::ActiveRecordError
+    flash.now[:error] = "Onboarding error: #{@organization_onboarding.error}"
+    render :edit, status: :unprocessable_entity
+  end
+end
diff --git a/app/controllers/organizations/onboarding/gems_controller.rb b/app/controllers/organizations/onboarding/gems_controller.rb
new file mode 100644
index 00000000000..c80825ee2f8
--- /dev/null
+++ b/app/controllers/organizations/onboarding/gems_controller.rb
@@ -0,0 +1,20 @@
+class Organizations::Onboarding::GemsController < Organizations::Onboarding::BaseController
+  layout "onboarding"
+
+  def edit
+  end
+
+  def update
+    if @organization_onboarding.update(onboarding_gems_params)
+      redirect_to organization_onboarding_users_path
+    else
+      render :edit, status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def onboarding_gems_params
+    params.permit(organization_onboarding: { rubygems: [] }).fetch(:organization_onboarding, {})
+  end
+end
diff --git a/app/controllers/organizations/onboarding/name_controller.rb b/app/controllers/organizations/onboarding/name_controller.rb
new file mode 100644
index 00000000000..e61ccf376fe
--- /dev/null
+++ b/app/controllers/organizations/onboarding/name_controller.rb
@@ -0,0 +1,20 @@
+class Organizations::Onboarding::NameController < Organizations::Onboarding::BaseController
+  layout "onboarding"
+
+  def new
+  end
+
+  def create
+    if @organization_onboarding.update(onboarding_name_params)
+      redirect_to organization_onboarding_gems_path
+    else
+      render :new, status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def onboarding_name_params
+    params.require(:organization_onboarding).permit(:organization_name, :organization_handle)
+  end
+end
diff --git a/app/controllers/organizations/onboarding/users_controller.rb b/app/controllers/organizations/onboarding/users_controller.rb
new file mode 100644
index 00000000000..94dc7d3d571
--- /dev/null
+++ b/app/controllers/organizations/onboarding/users_controller.rb
@@ -0,0 +1,27 @@
+class Organizations::Onboarding::UsersController < Organizations::Onboarding::BaseController
+  layout "onboarding"
+
+  def edit
+  end
+
+  def update
+    if @organization_onboarding.update(onboarding_user_params)
+      redirect_to organization_onboarding_confirm_path
+    else
+      render :edit, status: :unprocessable_entity
+    end
+  end
+
+  private
+
+  def role_options
+    @role_options ||= OrganizationOnboardingInvite.roles.map do |k, _|
+      [Membership.human_attribute_name("role.#{k}"), k]
+    end
+  end
+  helper_method :role_options
+
+  def onboarding_user_params
+    params.require(:organization_onboarding).permit(invites_attributes: %i[id role])
+  end
+end
diff --git a/app/controllers/organizations/onboarding_controller.rb b/app/controllers/organizations/onboarding_controller.rb
new file mode 100644
index 00000000000..fe66a4ab034
--- /dev/null
+++ b/app/controllers/organizations/onboarding_controller.rb
@@ -0,0 +1,10 @@
+class Organizations::OnboardingController < ApplicationController
+  before_action :redirect_to_signin, unless: :signed_in?
+  before_action :redirect_to_new_mfa, if: :mfa_required_not_yet_enabled?
+
+  def destroy
+    OrganizationOnboarding.destroy_by(created_by: Current.user, status: %i[pending failed])
+
+    redirect_to dashboard_path
+  end
+end
diff --git a/app/controllers/organizations_controller.rb b/app/controllers/organizations_controller.rb
new file mode 100644
index 00000000000..8ea9cb0e87b
--- /dev/null
+++ b/app/controllers/organizations_controller.rb
@@ -0,0 +1,10 @@
+class OrganizationsController < ApplicationController
+  def show
+    render plain: flash[:notice] # HACK: for tests until this view is ready
+  end
+
+  private
+
+  def organization_params
+  end
+end
diff --git a/app/controllers/owners_controller.rb b/app/controllers/owners_controller.rb
index 82735cee4ac..1c393af0dfa 100644
--- a/app/controllers/owners_controller.rb
+++ b/app/controllers/owners_controller.rb
@@ -2,8 +2,13 @@ class OwnersController < ApplicationController
   include SessionVerifiable
 
   before_action :find_rubygem, except: :confirm
-  verify_session_before only: %i[index create destroy]
-  before_action :verify_mfa_requirement, only: %i[create destroy]
+  verify_session_before only: %i[index edit update create destroy]
+  before_action :verify_mfa_requirement, only: %i[create edit update destroy]
+  before_action :find_ownership, only: %i[edit update destroy]
+
+  rescue_from(Pundit::NotAuthorizedError) do |e|
+    redirect_to rubygem_path(@rubygem.slug), alert: e.policy.error
+  end
 
   def confirm
     ownership = Ownership.find_by!(token: token_params)
@@ -32,9 +37,14 @@ def index
     @ownerships = @rubygem.ownerships_including_unconfirmed.includes(:user, :authorizer)
   end
 
+  def edit
+  end
+
   def create
+    authorize @rubygem, :add_owner?
     owner = User.find_by_name(handle_params)
-    ownership = authorize @rubygem.ownerships.new(user: owner, authorizer: current_user)
+
+    ownership = @rubygem.ownerships.new(user: owner, authorizer: current_user, role: params[:role])
     if ownership.save
       OwnersMailer.ownership_confirmation(ownership).deliver_later
       redirect_to rubygem_owners_path(@rubygem.slug), notice: t(".success_notice", handle: owner.name)
@@ -43,8 +53,19 @@ def create
     end
   end
 
+  # This action is used to update a user's owenrship role. This endpoint currently asssumes
+  # the role is the only thing that can be updated. If more fields are added to the ownership
+  # this action will need to be tweaked a bit
+  def update
+    if @ownership.update(update_params)
+      OwnersMailer.with(ownership: @ownership, authorizer: current_user).owner_updated.deliver_later
+      redirect_to rubygem_owners_path(@ownership.rubygem.slug), notice: t(".success_notice", handle: @ownership.user.name)
+    else
+      index_with_error @ownership.errors.full_messages.to_sentence, :unprocessable_entity
+    end
+  end
+
   def destroy
-    @ownership = authorize @rubygem.ownerships_including_unconfirmed.find_by_owner_handle!(handle_params)
     if @ownership.safe_destroy
       OwnersMailer.owner_removed(@ownership.user_id, current_user.id, @ownership.rubygem_id).deliver_later
       redirect_to rubygem_owners_path(@ownership.rubygem.slug), notice: t(".removed_notice", owner_name: @ownership.owner_name)
@@ -59,6 +80,15 @@ def verify_session_redirect_path
     rubygem_owners_url(params[:rubygem_id])
   end
 
+  def find_ownership
+    @ownership = @rubygem.ownerships_including_unconfirmed.find_by_owner_handle(handle_params)
+    return authorize(@ownership) if @ownership
+
+    predicate = params[:action] == "destroy" ? :remove_owner? : :update_owner?
+    authorize(@rubygem, predicate)
+    render_not_found
+  end
+
   def token_params
     params.permit(:token).require(:token)
   end
@@ -67,6 +97,10 @@ def handle_params
     params.permit(:handle).require(:handle)
   end
 
+  def update_params
+    params.permit(:role)
+  end
+
   def notify_owner_added(ownership)
     ownership.rubygem.ownership_notifiable_owners.each do |notified_user|
       OwnersMailer.owner_added(
diff --git a/app/controllers/ownership_calls_controller.rb b/app/controllers/ownership_calls_controller.rb
index 6a33c8b52c4..67fd36844cf 100644
--- a/app/controllers/ownership_calls_controller.rb
+++ b/app/controllers/ownership_calls_controller.rb
@@ -1,8 +1,11 @@
 class OwnershipCallsController < ApplicationController
+  include SessionVerifiable
+
   before_action :find_rubygem, except: :index
   before_action :redirect_to_signin, unless: :signed_in?, except: :index
   before_action :redirect_to_new_mfa, if: :mfa_required_not_yet_enabled?, except: :index
   before_action :redirect_to_settings_strong_mfa_required, if: :mfa_required_weak_level_enabled?, except: :index
+  before_action :redirect_to_verify, only: %i[create close], unless: :verified_session_active?
   before_action :find_ownership_call, only: :close
 
   rescue_from ActiveRecord::RecordInvalid, with: :redirect_try_again
diff --git a/app/controllers/ownership_requests_controller.rb b/app/controllers/ownership_requests_controller.rb
index b1152961557..48d8f887e05 100644
--- a/app/controllers/ownership_requests_controller.rb
+++ b/app/controllers/ownership_requests_controller.rb
@@ -1,8 +1,11 @@
 class OwnershipRequestsController < ApplicationController
+  include SessionVerifiable
+
   before_action :find_rubygem
   before_action :redirect_to_signin, unless: :signed_in?
   before_action :redirect_to_new_mfa, if: :mfa_required_not_yet_enabled?
   before_action :redirect_to_settings_strong_mfa_required, if: :mfa_required_weak_level_enabled?
+  before_action :redirect_to_verify, only: %i[update close_all], if: -> { policy(@rubygem).manage_adoption? && !verified_session_active? }
 
   rescue_from ActiveRecord::RecordInvalid, with: :redirect_try_again
   rescue_from ActiveRecord::RecordNotSaved, with: :redirect_try_again
@@ -31,7 +34,7 @@ def update
   end
 
   def close_all
-    authorize(@rubygem, :close_ownership_requests?).ownership_requests.each(&:close!)
+    authorize(@rubygem, :manage_adoption?).ownership_requests.each(&:close!)
     redirect_to rubygem_adoptions_path(@rubygem.slug), notice: t("ownership_requests.close.success_notice", gem: @rubygem.name)
   end
 
diff --git a/app/controllers/pages_controller.rb b/app/controllers/pages_controller.rb
index 767ce234925..c47d16291c4 100644
--- a/app/controllers/pages_controller.rb
+++ b/app/controllers/pages_controller.rb
@@ -1,7 +1,10 @@
 class PagesController < ApplicationController
   before_action :find_page
 
+  layout "hammy"
+
   def show
+    add_breadcrumb t("pages.#{@page}.title")
     render @page
   end
 
diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
index b979302e3d3..9a20498dcfd 100644
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -2,7 +2,6 @@ class PasswordsController < ApplicationController
   include MfaExpiryMethods
   include RequireMfa
   include WebauthnVerifiable
-  include SessionVerifiable
 
   before_action :ensure_email_present, only: %i[create]
 
@@ -11,16 +10,15 @@ class PasswordsController < ApplicationController
   before_action :require_mfa, only: %i[edit]
   before_action :validate_otp, only: %i[otp_edit]
   before_action :validate_webauthn, only: %i[webauthn_edit]
+  before_action :password_reset_session_verified, only: %i[edit otp_edit webauthn_edit]
   after_action :delete_mfa_expiry_session, only: %i[otp_edit webauthn_edit]
 
-  verify_session_before only: %i[update]
+  before_action :validate_password_reset_session, only: :update
 
   def new
   end
 
   def edit
-    # When user doesn't have mfa, a valid token is a full "magic link" sign in.
-    verified_sign_in
     render :edit
   end
 
@@ -36,11 +34,11 @@ def create
   end
 
   def update
-    if current_user.update_password reset_params[:password]
-      current_user.reset_api_key! if reset_params[:reset_api_key] == "true" # singular
-      current_user.api_keys.expire_all! if reset_params[:reset_api_keys] == "true" # plural
-      redirect_to dashboard_path
-      session[:password_reset_token] = nil
+    if @user.update_password reset_params[:password]
+      @user.reset_api_key! if reset_params[:reset_api_key] == "true" # singular
+      @user.api_keys.expire_all! if reset_params[:reset_api_keys] == "true" # plural
+      delete_password_reset_session
+      redirect_to signed_in? ? dashboard_path : sign_in_path
     else
       flash.now[:alert] = t(".failure")
       render :edit
@@ -48,28 +46,15 @@ def update
   end
 
   def otp_edit
-    verified_sign_in
     render :edit
   end
 
   def webauthn_edit
-    verified_sign_in
     render :edit
   end
 
   private
 
-  def verified_sign_in
-    sign_in @user
-    session_verified
-    @user.update!(confirmation_token: nil)
-    StatsD.increment "login.success"
-  end
-
-  def reset_params
-    params.fetch(:password_reset, {}).permit(:password, :reset_api_key, :reset_api_keys)
-  end
-
   def ensure_email_present
     @email = params.dig(:password, :email)
     return if @email.present?
@@ -79,22 +64,47 @@ def ensure_email_present
   end
 
   def validate_confirmation_token
-    @user = User.find_by(confirmation_token: params[:token].to_s)
-    redirect_to root_path, alert: t("passwords.edit.token_failure") unless @user&.valid_confirmation_token?
+    confirmation_token = params.permit(:token).fetch(:token, "").to_s
+    @user = User.find_by(confirmation_token:)
+    return login_failure(t("passwords.edit.token_failure")) unless @user&.valid_confirmation_token?
+    sign_out if signed_in? && @user != current_user
   end
 
-  def login_failure(message)
-    flash.now.alert = message
-    render template: "multifactor_auths/prompt", status: :unauthorized
+  # The order of these methods intends to leave the session fully reset if we
+  # fail to invalidate the token for some reason, since this would indicate
+  # something is wrong with the user, necessitating help from an admin.
+  def password_reset_session_verified
+    reset_session
+    @user.update!(confirmation_token: nil)
+    session[:password_reset_verified_user] = @user.id
+    session[:password_reset_verified] = Gemcutter::PASSWORD_VERIFICATION_EXPIRY.from_now
+  end
+
+  def validate_password_reset_session
+    return login_failure(t("passwords.edit.token_failure")) if session[:password_reset_verified].nil?
+    return login_failure(t("verification_expired")) if session[:password_reset_verified] < Time.current
+    @user = User.find_by(id: session[:password_reset_verified_user])
+    login_failure(t("verification_expired")) unless @user
+  end
+
+  def delete_password_reset_session
+    delete_mfa_session
+    session.delete(:password_reset_verified_user)
+    session.delete(:password_reset_verified)
+  end
+
+  def reset_params
+    params.permit(password_reset: %i[password reset_api_key reset_api_keys]).require(:password_reset)
   end
 
   def mfa_failure(message)
-    login_failure(message)
+    flash.now.alert = message
+    render template: "multifactor_auths/prompt", status: :unauthorized
   end
 
-  def redirect_to_verify
-    session[:redirect_uri] = verify_session_redirect_path
-    redirect_to verify_session_path, alert: t("verification_expired")
+  def login_failure(alert)
+    reset_session
+    redirect_to sign_in_path, alert:
   end
 
   def otp_verification_url
diff --git a/app/controllers/rubygems_controller.rb b/app/controllers/rubygems_controller.rb
index 2d0b9eb8709..e5a9ef07d30 100644
--- a/app/controllers/rubygems_controller.rb
+++ b/app/controllers/rubygems_controller.rb
@@ -1,9 +1,9 @@
 class RubygemsController < ApplicationController
   include LatestVersion
-  before_action :set_reserved_gem, only: %i[show security_events], if: :reserved?
-  before_action :find_rubygem, only: %i[show security_events], unless: :reserved?
-  before_action :latest_version, only: %i[show], unless: :reserved?
-  before_action :find_versioned_links, only: %i[show], unless: :reserved?
+  before_action :show_reserved_gem, only: %i[show security_events]
+  before_action :find_rubygem, only: %i[show security_events]
+  before_action :latest_version, only: %i[show]
+  before_action :find_versioned_links, only: %i[show]
   before_action :set_page, only: :index
   before_action :redirect_to_signin, unless: :signed_in?, only: %i[security_events]
 
@@ -21,16 +21,12 @@ def index
   end
 
   def show
-    if @reserved_gem
-      render "reserved"
+    @versions = @rubygem.public_versions.limit(5)
+    @adoption = @rubygem.ownership_call
+    if @versions.to_a.any?
+      render "show"
     else
-      @versions = @rubygem.public_versions.limit(5)
-      @adoption = @rubygem.ownership_call
-      if @versions.to_a.any?
-        render "show"
-      else
-        render "show_yanked"
-      end
+      render "show_yanked"
     end
   end
 
@@ -42,12 +38,10 @@ def security_events
 
   private
 
-  def reserved?
-    GemNameReservation.reserved?(params[:id])
-  end
-
-  def set_reserved_gem
+  def show_reserved_gem
+    return unless GemNameReservation.reserved?(params[:id])
     @reserved_gem = params[:id].downcase
+    render "reserved"
   end
 
   def gem_params
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index b424fc0c13f..85a26427723 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -73,6 +73,12 @@ def webauthn_authenticate
     end
   end
 
+  def development_log_in_as
+    user = User.find(params[:user_id])
+    sign_in(user)
+    redirect_back_or_to dashboard_path
+  end
+
   private
 
   def mark_verified
@@ -109,6 +115,10 @@ def login_failure(message)
     render "sessions/new", status: :unauthorized
   end
 
+  def webauthn_failure
+    invalidate_mfa_session(@webauthn_error)
+  end
+
   def mfa_failure(message)
     login_failure(message)
   end
diff --git a/app/controllers/subscriptions_controller.rb b/app/controllers/subscriptions_controller.rb
index 67ba4419d61..3eeeb53a15c 100644
--- a/app/controllers/subscriptions_controller.rb
+++ b/app/controllers/subscriptions_controller.rb
@@ -1,5 +1,23 @@
 class SubscriptionsController < ApplicationController
-  before_action :find_rubygem
+  before_action :redirect_to_signin, only: :index, unless: :signed_in?
+  before_action :redirect_to_new_mfa, only: :index, if: :mfa_required_not_yet_enabled?
+  before_action :redirect_to_settings_strong_mfa_required, only: :index, if: :mfa_required_weak_level_enabled?
+
+  before_action :find_rubygem, only: %i[create destroy]
+
+  layout "subject"
+
+  def index
+    add_breadcrumb t("breadcrumbs.dashboard"), dashboard_path
+    add_breadcrumb t("breadcrumbs.subscriptions")
+
+    @subscribed_gems = current_user
+      .subscribed_gems
+      .with_versions
+      .by_name
+      .preload(:most_recent_version)
+      .load_async
+  end
 
   def create
     subscription = @rubygem.subscriptions.build(user: current_user)
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 62447d8a786..0e650d61de3 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -75,7 +75,7 @@ def flash_message(name, msg)
     msg
   end
 
-  def search_field(home: false)
+  def rubygem_search_field(**kwargs)
     data = {
       autocomplete_target: "query",
       action: %w[
@@ -89,17 +89,21 @@ def search_field(home: false)
         blur->autocomplete#hide
       ].join(" ")
     }
-    data[:nav_target] = "search" unless home
+    aria = { autocomplete: "list" }
+
+    data.merge!(kwargs.delete(:data) || {})
+    aria.merge!(kwargs.delete(:aria) || {})
 
     search_field_tag(
       :query,
       params[:query],
       placeholder: t("layouts.application.header.search_gem_html"),
       autofocus: current_page?(root_url),
-      class: home ? "home__search" : "header__search",
+      class: kwargs[:class],
       autocomplete: "off",
-      aria: { autocomplete: "list" },
-      data: data
+      aria:,
+      data:,
+      **kwargs
     )
   end
 end
diff --git a/app/helpers/attestations_helper.rb b/app/helpers/attestations_helper.rb
new file mode 100644
index 00000000000..9dc4009853f
--- /dev/null
+++ b/app/helpers/attestations_helper.rb
@@ -0,0 +1,2 @@
+module AttestationsHelper
+end
diff --git a/app/helpers/icon_helper.rb b/app/helpers/icon_helper.rb
new file mode 100644
index 00000000000..88a2a9f4847
--- /dev/null
+++ b/app/helpers/icon_helper.rb
@@ -0,0 +1,14 @@
+module IconHelper
+  # size is in tailwind units (6 = 24px)
+  def icon_tag(name, size: 6, **options)
+    options[:class] = "h-#{size} w-#{size} flex-shrink-0 stroke-current stroke-0 fill-current #{options[:class]}"
+    options[:height] = size * 4
+    options[:width] = size * 4
+    options[:aria] ||= { hidden: true }
+    options[:role] ||= "graphics-symbol"
+
+    tag.svg(**options) do
+      concat tag.use(href: "#{image_path('icons.svg')}##{name}")
+    end
+  end
+end
diff --git a/app/helpers/pages_helper.rb b/app/helpers/pages_helper.rb
deleted file mode 100644
index 5c303f9476c..00000000000
--- a/app/helpers/pages_helper.rb
+++ /dev/null
@@ -1,15 +0,0 @@
-module PagesHelper
-  def version_number
-    version&.number || "0.0.0"
-  end
-
-  def version
-    Rubygem.current_rubygems_release
-  end
-
-  def subtitle
-    subtitle = "v#{version_number}"
-    subtitle += " - #{nice_date_for(version.authored_at)}" if version
-    subtitle
-  end
-end
diff --git a/app/helpers/prose_helper.rb b/app/helpers/prose_helper.rb
new file mode 100644
index 00000000000..32598181f28
--- /dev/null
+++ b/app/helpers/prose_helper.rb
@@ -0,0 +1,8 @@
+module ProseHelper
+  def prose(**options, &)
+    base = "prose prose-neutral dark:prose-invert prose-lg md:prose-xl max-w-prose mx-auto"
+    styles = "prose-headings:font-semibold"
+    options[:class] = "#{options[:class]} #{base} #{styles}"
+    tag.div(**options, &)
+  end
+end
diff --git a/app/helpers/rubygems_helper.rb b/app/helpers/rubygems_helper.rb
index 7898a9e9475..a6f2db4279c 100644
--- a/app/helpers/rubygems_helper.rb
+++ b/app/helpers/rubygems_helper.rb
@@ -188,4 +188,34 @@ def github_params(rubygem)
       size: "large"
     }
   end
+
+  def copy_field_tag(name, value)
+    field = text_field_tag(
+      name,
+      value,
+      id: name,
+      class: "gem__code",
+      readonly: "readonly",
+      data: { clipboard_target: "source" }
+    )
+
+    button = tag.span(
+      "=",
+      class: "gem__code__icon",
+      title: t("copy_to_clipboard"),
+      data: {
+        action: "click->clipboard#copy",
+        clipboard_target: "button"
+      }
+    )
+
+    tag.div(
+      field + button,
+      class: "gem__code-wrap",
+      data: {
+        controller: "clipboard",
+        clipboard_success_content_value: "✔"
+      }
+    )
+  end
 end
diff --git a/app/helpers/versions_helper.rb b/app/helpers/versions_helper.rb
index 4545f432500..e1047d859f4 100644
--- a/app/helpers/versions_helper.rb
+++ b/app/helpers/versions_helper.rb
@@ -1,8 +1,8 @@
 module VersionsHelper
-  def version_date_tag(version)
+  def version_date_tag(version, prefix: nil)
     data = {}
     klass = ["gem__version__date"]
-    date = version_authored_date(version)
+    date = version_authored_date(version, prefix:)
     if version.rely_on_built_at?
       klass << "tooltip__text"
       data.merge!(tooltip: t("versions.index.imported_gem_version_notice", import_date: nice_date_for(Version::RUBYGEMS_IMPORT_DATE)))
@@ -14,7 +14,39 @@ def version_date_tag(version)
     end
   end
 
-  def version_authored_date(version)
-    "- #{nice_date_for(version.authored_at)}"
+  def version_authored_date(version, prefix: nil)
+    "#{prefix}#{nice_date_for(version.authored_at)}"
+  end
+
+  def version_number(version)
+    tag.code(
+      version.number,
+      class: "px-2 text-c3 bg-green-200 dark:bg-green-800 rounded-sm text-neutral-900 dark:text-white"
+    )
+  end
+
+  def version_date_component(version, **options)
+    options[:class] = "flex text-b3 text-neutral-600 dark:text-neutral-400 #{options[:class]}"
+    options[:data] ||= {}
+
+    if version.rely_on_built_at?
+      options[:data].merge!(tooltip: t("versions.index.imported_gem_version_notice", import_date: nice_date_for(Version::RUBYGEMS_IMPORT_DATE)))
+    end
+
+    tag.div(**options) do
+      concat version_authored_date(version)
+      concat content_tag(:sup, "*") if version.rely_on_built_at?
+    end
+  end
+
+  def download_count_component(rubygem, **options)
+    downloads = number_with_delimiter(rubygem.downloads)
+    options[:class] = "flex text-neutral-600 dark:text-neutral-400 text-nowrap text-b3 space-x-1 items-center #{options[:class]}"
+    options[:title] = "#{t('total_downloads')}: #{downloads}"
+
+    tag.span(**options) do
+      concat icon_tag("arrow-circle-down", size: 5)
+      concat tag.span(downloads)
+    end
   end
 end
diff --git a/app/javascript/application.js b/app/javascript/application.js
index 25a991a9917..50eaafaba76 100644
--- a/app/javascript/application.js
+++ b/app/javascript/application.js
@@ -1,13 +1,17 @@
 // Configure your import map in config/importmap.rb. Read more: https://github.com/rails/importmap-rails
+import "@hotwired/turbo-rails"
+Turbo.session.drive = false
+
 import Rails from "@rails/ujs";
 Rails.start();
+
+import LocalTime from "local-time"
+LocalTime.start()
+
 import "controllers"
 
-import "src/clipboard_buttons";
-import "src/multifactor_auths";
 import "src/oidc_api_key_role_form";
 import "src/pages";
-import "src/search";
 import "src/transitive_dependencies";
 import "src/webauthn";
 import "github-buttons";
diff --git a/app/javascript/controllers/application.js b/app/javascript/controllers/application.js
index 1213e85c7ac..724e451cf20 100644
--- a/app/javascript/controllers/application.js
+++ b/app/javascript/controllers/application.js
@@ -1,7 +1,13 @@
 import { Application } from "@hotwired/stimulus"
+import Clipboard from '@stimulus-components/clipboard'
+import CheckboxSelectAll from '@stimulus-components/checkbox-select-all'
 
 const application = Application.start()
 
+// Add vendored controllers
+application.register('clipboard', Clipboard)
+application.register('checkbox-select-all', CheckboxSelectAll)
+
 // Configure Stimulus development experience
 application.debug = false
 window.Stimulus   = application
diff --git a/app/javascript/controllers/autocomplete_controller.js b/app/javascript/controllers/autocomplete_controller.js
index a840f4eb1d1..f1825ce6466 100644
--- a/app/javascript/controllers/autocomplete_controller.js
+++ b/app/javascript/controllers/autocomplete_controller.js
@@ -11,9 +11,10 @@ export default class extends Controller {
     this.suggestLength = 0;
   }
 
-  disconnect() { clear() }
+  disconnect() { this.clear() }
 
   clear() {
+    this.suggestionsTarget.classList.add('hidden');
     this.suggestionsTarget.innerHTML = ""
     this.suggestionsTarget.removeAttribute('tabindex');
     this.suggestionsTarget.removeAttribute('aria-activedescendant');
@@ -25,12 +26,14 @@ export default class extends Controller {
   }
 
   next() {
+    if (this.suggestLength === 0) return;
     this.indexNumber++;
     if (this.indexNumber >= this.suggestLength) this.indexNumber = 0;
     this.focusItem(this.itemTargets[this.indexNumber]);
   }
 
   prev() {
+    if (this.suggestLength === 0) return;
     this.indexNumber--;
     if (this.indexNumber < 0) this.indexNumber = this.suggestLength - 1;
     this.focusItem(this.itemTargets[this.indexNumber]);
@@ -78,6 +81,7 @@ export default class extends Controller {
     items.forEach((item, idx) => this.appendItem(item, idx));
     this.suggestionsTarget.setAttribute('tabindex', 0);
     this.suggestionsTarget.setAttribute('role', 'listbox');
+    this.suggestionsTarget.classList.remove('hidden');
 
     this.suggestLength = items.length;
     this.indexNumber = -1;
@@ -92,8 +96,9 @@ export default class extends Controller {
   }
 
   focusItem(el, change = true) {
-    this.itemTargets.forEach(el => el.classList.remove(this.selectedClass))
-    el.classList.add(this.selectedClass);
+    if (!el) { return; }
+    this.itemTargets.forEach(el => el.classList.remove(...this.selectedClasses))
+    el.classList.add(...this.selectedClasses);
     this.suggestionsTarget.setAttribute('aria-activedescendant', el.id);
     if (change) {
       this.queryTarget.value = el.textContent;
diff --git a/app/javascript/controllers/counter_controller.js b/app/javascript/controllers/counter_controller.js
new file mode 100644
index 00000000000..c3fe216484b
--- /dev/null
+++ b/app/javascript/controllers/counter_controller.js
@@ -0,0 +1,24 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ["counter", "checked"]
+
+  connect() {
+    this.update()
+  }
+
+  checkedTargetConnected(el) {
+    el.addEventListener("change", this.update.bind(this))
+    el.addEventListener("input", this.update.bind(this)) // input emitted by checkbox-select-all controller
+  }
+
+  checkedTargetdisconnected(el) {
+    el.removeEventListener("change", this.update.bind(this))
+    el.removeEventListener("input", this.update.bind(this))
+  }
+
+  update() {
+    const count = this.checkedTargets.filter(el => el.checked).length
+    this.counterTarget.textContent = count
+  }
+}
diff --git a/app/javascript/controllers/dialog_controller.js b/app/javascript/controllers/dialog_controller.js
new file mode 100644
index 00000000000..b3f3c6f479d
--- /dev/null
+++ b/app/javascript/controllers/dialog_controller.js
@@ -0,0 +1,28 @@
+import Dialog from '@stimulus-components/dialog'
+
+export default class extends Dialog {
+  static targets = ["dialog", "button"]
+
+  connect() {
+    super.connect()
+    this.setAriaExpanded('false')
+  }
+
+  open(e) {
+    super.open()
+    e.preventDefault()
+    this.setAriaExpanded('true')
+  }
+
+  close(e) {
+    super.close()
+    e.preventDefault()
+    this.setAriaExpanded('false')
+  }
+
+  setAriaExpanded(expanded) {
+    if (this.hasButtonTarget) {
+      this.buttonTarget.setAttribute('aria-expanded', expanded)
+    }
+  }
+}
diff --git a/app/javascript/controllers/dump_controller.js b/app/javascript/controllers/dump_controller.js
new file mode 100644
index 00000000000..7c42fc55582
--- /dev/null
+++ b/app/javascript/controllers/dump_controller.js
@@ -0,0 +1,62 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ["list", "template"]
+
+  connect() {
+    this.getDumpData();
+  }
+
+  getDumpData() {
+    fetch('https://s3-us-west-2.amazonaws.com/rubygems-dumps/?prefix=production/public_postgresql')
+      .then(response => response.text())
+      .then(data => {
+        const parser = new DOMParser();
+        const xml = parser.parseFromString(data, "application/xml");
+        const files = this.parseS3Listing(xml);
+        this.render(files);
+      })
+      .catch(error => {
+        console.error(error);
+      });
+  }
+
+  parseS3Listing(xml) {
+    const contents = Array.from(xml.getElementsByTagName('Contents'));
+    return contents.map(item => {
+      return {
+        Key: item.getElementsByTagName('Key')[0].textContent,
+        LastModified: item.getElementsByTagName('LastModified')[0].textContent,
+        Size: item.getElementsByTagName('Size')[0].textContent,
+        StorageClass: item.getElementsByTagName('StorageClass')[0].textContent
+      };
+    });
+  }
+
+  render(files) {
+    files
+      .filter(item => 'STANDARD' === item.StorageClass)
+      .sort((a, b) => Date.parse(b.LastModified) - Date.parse(a.LastModified))
+      .forEach(item => {
+        let text = `${item.LastModified.replace('.000Z', '')} (${this.bytesToSize(item.Size)})`;
+        let uri = `https://s3-us-west-2.amazonaws.com/rubygems-dumps/${item.Key}`;
+        this.appendItem(text, uri);
+      });
+  }
+
+  appendItem(text, uri) {
+    const clone = this.templateTarget.content.cloneNode(true);
+    const a = clone.querySelector('a > span')
+    a.textContent = text;
+    a.href = uri;
+    this.element.appendChild(clone)
+  }
+
+  bytesToSize(bytes) {
+    if (bytes === 0) { return '0 Bytes' }
+    const k = 1024;
+    const sizes = ['Bytes', 'KB', 'MB', 'GB', 'TB', 'PB', 'EB', 'ZB', 'YB'];
+    const i = Math.floor(Math.log(bytes) / Math.log(k));
+    return (bytes / Math.pow(k, i)).toPrecision(3) + " " + sizes[i];
+  }
+}
diff --git a/app/javascript/controllers/onboarding_name_controller.js b/app/javascript/controllers/onboarding_name_controller.js
new file mode 100644
index 00000000000..ee6f6466b71
--- /dev/null
+++ b/app/javascript/controllers/onboarding_name_controller.js
@@ -0,0 +1,74 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = [
+    "radio",
+    "gemname",
+    "username",
+    "reveal",
+    "displayname",
+    "submit",
+  ]
+
+  connect() {
+    this.submitTarget.disabled = true
+    this.radioTargets.forEach((radio) => {
+      if (radio.checked) {
+        this[radio.value+"name"]()
+      }
+    })
+  }
+
+  gemnameField() {
+    return this.gemnameTarget.querySelector("select")
+  }
+
+  usernameField() {
+    return this.usernameTarget.querySelector("input")
+  }
+
+  gemname() {
+    this.usernameTarget.classList.add("hidden")
+
+    this.gemnameField().disabled = false
+    this.gemnameTarget.classList.remove("hidden")
+    this.revealTarget.classList.remove("hidden")
+
+    const inputElement = this.gemnameField()
+    inputElement.focus()
+    this.updateDisplaynameWith(inputElement.value)
+    if (inputElement.value === "") {
+      this.submitTarget.disabled = true
+    }
+    this.validate()
+  }
+
+  username() {
+    this.gemnameTarget.classList.add("hidden")
+    this.gemnameField().disabled = true
+
+    this.usernameTarget.classList.remove("hidden")
+    this.revealTarget.classList.remove("hidden")
+
+    this.updateDisplaynameWith(this.usernameField().value)
+    this.validate()
+  }
+
+  validate() {
+    if (this.element.checkValidity()) {
+      this.submitTarget.disabled = false
+    } else {
+      this.submitTarget.disabled = true
+    }
+  }
+
+  updateDisplayname(e) {
+    this.updateDisplaynameWith(e.currentTarget.value)
+    this.validate()
+  }
+
+  updateDisplaynameWith(value) {
+    // Replace dashes and underscores with spaces. Capitalize the first letter of each word.
+    this.displaynameTarget.value = value.replace(/[-_]/g, " ").replace(/\b\w/g, (char) => char.toUpperCase())
+  }
+}
diff --git a/app/javascript/controllers/radio_reveal_controller.js b/app/javascript/controllers/radio_reveal_controller.js
new file mode 100644
index 00000000000..88b984f40d1
--- /dev/null
+++ b/app/javascript/controllers/radio_reveal_controller.js
@@ -0,0 +1,25 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = [
+    "radio",
+    "item",
+  ]
+
+  connect() {
+    this.update()
+  }
+
+  update() {
+    this.itemTargets.forEach(item => {
+      item.classList.add("hidden")
+    })
+
+    this.radioTargets.forEach(radio => {
+      if (radio.checked) {
+        const item = this.itemTargets.find(item => item.dataset.name == radio.value)
+        item.classList.remove("hidden")
+      }
+    })
+  }
+}
diff --git a/app/javascript/controllers/recovery_controller.js b/app/javascript/controllers/recovery_controller.js
new file mode 100644
index 00000000000..832bd691bf1
--- /dev/null
+++ b/app/javascript/controllers/recovery_controller.js
@@ -0,0 +1,39 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static values = {
+    confirm: { type: String, default: "Leave without copying recovery codes?" }
+  }
+
+  connect() {
+    this.copied = false;
+    window.addEventListener("beforeunload", this.popUp);
+  }
+
+  popUp(e) {
+    e.preventDefault();
+    e.returnValue = "";
+  }
+
+  copy() {
+    if (!this.copied) {
+      this.copied = true;
+      window.removeEventListener("beforeunload", this.popUp);
+    }
+  }
+
+  submit(e) {
+    e.preventDefault();
+
+    if (!this.element.checkValidity()) {
+      this.element.reportValidity();
+      return;
+    }
+
+    if (this.copied || confirm(this.confirmValue)) {
+      window.removeEventListener("beforeunload", this.popUp);
+      // Don't include the form data in the URL.
+      window.location.href = this.element.action;
+    }
+  }
+}
diff --git a/app/javascript/controllers/reveal_controller.js b/app/javascript/controllers/reveal_controller.js
new file mode 100644
index 00000000000..42abc59f821
--- /dev/null
+++ b/app/javascript/controllers/reveal_controller.js
@@ -0,0 +1,46 @@
+import Reveal from '@stimulus-components/reveal'
+
+export default class extends Reveal {
+  static targets = ["item", "toggle", "button"]
+  static classes = ["hidden", "toggle"]
+
+  connect() {
+    super.connect()
+    if (this.hasButtonTarget) {
+      this.buttonTarget.ariaExpanded = false
+    }
+  }
+
+  toggle() {
+    super.toggle()
+    if (this.hasButtonTarget) {
+      this.setAriaExpanded(this.buttonTarget.ariaExpanded === "true" ? "false" : "true")
+    }
+    if (this.hasToggleTarget && this.hasToggleClass) {
+      this.toggleClasses.forEach((className) => {
+        this.toggleTarget.classList.toggle(className)
+      })
+    }
+  }
+
+  show() {
+    super.show()
+    if (this.hasToggleTarget && this.hasToggleClass) {
+      this.toggleTarget.classList.add(...this.toggleClasses)
+    }
+  }
+
+  hide() {
+    super.hide()
+    this.setAriaExpanded('false')
+    if (this.hasToggleTarget && this.hasToggleClass) {
+      this.toggleTarget.classList.add(...this.toggleClasses)
+    }
+  }
+
+  setAriaExpanded(expanded) {
+    if (this.hasButtonTarget) {
+      this.buttonTarget.setAttribute('aria-expanded', expanded)
+    }
+  }
+}
diff --git a/app/javascript/controllers/reveal_search_controller.js b/app/javascript/controllers/reveal_search_controller.js
new file mode 100644
index 00000000000..fb3a3ea3356
--- /dev/null
+++ b/app/javascript/controllers/reveal_search_controller.js
@@ -0,0 +1,19 @@
+import Reveal from 'controllers/reveal_controller'
+
+export default class extends Reveal {
+  static targets = ["item", "toggle", "button", "input"]
+
+  // There's nothing here because this is just a copy of the reveal controller
+  // with a different name. This saves us from a name conflict in the header.
+  toggle() {
+    super.toggle()
+    if (!this.itemTarget.classList.contains("hidden")) {
+      this.inputTarget.focus()  // Auto focus the input when revealed
+    }
+  }
+
+  open() {
+    super.open()
+    this.inputTarget.focus()
+  }
+}
diff --git a/app/javascript/controllers/scroll_controller.js b/app/javascript/controllers/scroll_controller.js
new file mode 100644
index 00000000000..f3b76f9ee91
--- /dev/null
+++ b/app/javascript/controllers/scroll_controller.js
@@ -0,0 +1,19 @@
+/* A controller that, when loaded, causes the page to refresh periodically */
+
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = ["scroll", "scrollLeft"]
+
+  scrollLeftTargetConnected() {
+    this.element.scrollLeft = this.scrollLeftTarget.offsetLeft + this.scrollLeftTarget.offsetWidth / 2 - this.element.offsetWidth / 2
+  }
+
+  scrollTargetConnected() {
+    this.scrollTarget.scrollIntoView({ behavior: "smooth" })
+  }
+
+  scroll(e) {
+    e.currentTarget.scrollIntoView({ behavior: "smooth" })
+  }
+}
diff --git a/app/javascript/controllers/search_controller.js b/app/javascript/controllers/search_controller.js
new file mode 100644
index 00000000000..c8a9a2bbcff
--- /dev/null
+++ b/app/javascript/controllers/search_controller.js
@@ -0,0 +1,15 @@
+import { Controller } from "@hotwired/stimulus"
+
+export default class extends Controller {
+  static targets = [ "query", "attribute" ]
+
+  input(e) {
+    this.queryTarget.value = this.attributeTargets.map(field =>
+      field.value.length > 0 && field.checkValidity() ? `${field.name}: ${field.value}` : ''
+    ).join(' ')
+  }
+
+  submit() {
+    this.queryTarget.form.submit()
+  }
+}
diff --git a/app/javascript/controllers/stats_controller.js b/app/javascript/controllers/stats_controller.js
new file mode 100644
index 00000000000..0f17d3f2d66
--- /dev/null
+++ b/app/javascript/controllers/stats_controller.js
@@ -0,0 +1,10 @@
+import { Controller } from "@hotwired/stimulus"
+import $ from 'jquery'
+
+export default class extends Controller {
+  static values = { width: String }
+
+  connect() {
+    $(this.element).animate({ width: this.widthValue + '%' }, 700).removeClass('t-item--hidden').css("display", "block");
+  }
+}
diff --git a/app/javascript/src/clipboard_buttons.js b/app/javascript/src/clipboard_buttons.js
deleted file mode 100644
index 23dcd50b1fe..00000000000
--- a/app/javascript/src/clipboard_buttons.js
+++ /dev/null
@@ -1,38 +0,0 @@
-import $ from "jquery";
-import ClipboardJS from "clipboard";
-
-$(function() {
-  var clipboard = new ClipboardJS('.gem__code__icon');
-  var copyTooltip = $('.gem__code__tooltip--copy');
-  var copiedTooltip = $('.gem__code__tooltip--copied');
-  var copyButtons = $('.gem__code__icon');
-
-  function hideCopyShowCopiedTooltips(e) {
-    copyTooltip.removeClass("clipboard-is-hover");
-    copiedTooltip.insertAfter(e.trigger);
-    copiedTooltip.addClass("clipboard-is-active");
-  };
-
-  clipboard.on('success', function(e) {
-    hideCopyShowCopiedTooltips(e);
-    e.clearSelection();
-  });
-
-  clipboard.on('error', function(e) {
-    hideCopyShowCopiedTooltips(e);
-    copiedTooltip.text("Ctrl-C to Copy");
-  });
-
-  copyButtons.hover(function() {
-    copyTooltip.insertAfter(this);
-    copyTooltip.addClass("clipboard-is-hover");
-  });
-
-  copyButtons.mouseout(function() {
-    copyTooltip.removeClass("clipboard-is-hover");
-  });
-
-  copyButtons.mouseout(function() {
-    copiedTooltip.removeClass("clipboard-is-active");
-  });
-});
diff --git a/app/javascript/src/multifactor_auths.js b/app/javascript/src/multifactor_auths.js
deleted file mode 100644
index 365d2db89e4..00000000000
--- a/app/javascript/src/multifactor_auths.js
+++ /dev/null
@@ -1,43 +0,0 @@
-import $ from "jquery";
-import ClipboardJS from "clipboard";
-
-function popUp (e) {
-  e.preventDefault();
-  e.returnValue = "";
-};
-
-function confirmNoRecoveryCopy (e, from) {
-  if (from == null){
-    e.preventDefault();
-    if (confirm("Leave without copying recovery codes?")) {
-      window.removeEventListener("beforeunload", popUp);
-      $(this).trigger('click', ["non-null"]);
-    }
-  }
-}
-
-if($("#recovery-code-list").length){
-  new ClipboardJS(".recovery__copy__icon");
-
-  $(".recovery__copy__icon").on("click", function(e){
-    $(this).text("[ copied ]");
-
-    if( !$(this).is(".clicked") ) {
-      e.preventDefault();
-      $(this).addClass("clicked");
-      window.removeEventListener("beforeunload", popUp);
-      $(".form__submit").unbind("click", confirmNoRecoveryCopy);
-    }
-  });
-
-  window.addEventListener("beforeunload", popUp);
-  $(".form__submit").on("click", confirmNoRecoveryCopy);
-
-  $(".form__checkbox__input").change(function() {
-    if(this.checked) {
-      $(".form__submit").prop('disabled', false);
-    } else {
-      $(".form__submit").prop('disabled', true);
-    }
-  });
-}
diff --git a/app/javascript/src/pages.js b/app/javascript/src/pages.js
index f7fe0aa7289..301e599cbba 100644
--- a/app/javascript/src/pages.js
+++ b/app/javascript/src/pages.js
@@ -1,73 +1,5 @@
 import $ from "jquery";
 
-//data page
-$(function() {
-  var getDumpData = function(target, type) {
-    return $.get('https://s3-us-west-2.amazonaws.com/rubygems-dumps/?prefix=production/public_' + type).done(function(data) {
-      var files, xml;
-      xml = $(data);
-      files = parseS3Listing(xml);
-      files = sortByLastModified(files);
-      $(target).html(renderDumpList(files));
-    }).fail(function(error) {
-      console.error(error);
-    });
-  };
-
-  var parseS3Listing = function(xml) {
-    var files;
-    files = $.map(xml.find('Contents'), function(item) {
-      item = $(item);
-      return {
-        Key: item.find('Key').text(),
-        LastModified: item.find('LastModified').text(),
-        Size: item.find('Size').text(),
-        StorageClass: item.find('StorageClass').text()
-      };
-    });
-    return files;
-  };
-
-  var sortByLastModified = function(files) {
-    return files.sort(function(a, b) {return Date.parse(b.LastModified) - Date.parse(a.LastModified)});
-  };
-
-  var bytesToSize = function(bytes) {
-    var i, k, sizes;
-    if (bytes === 0) {
-      return '0 Byte';
-    }
-    k = 1024;
-    sizes = ['Bytes', 'KB', 'MB', 'GB', 'TB', 'PB', 'EB', 'ZB', 'YB'];
-    i = Math.floor(Math.log(bytes) / Math.log(k));
-    return (bytes / Math.pow(k, i)).toPrecision(3) + " " + sizes[i];
-  };
-
-  var renderDumpList = function(files) {
-    var content;
-    content = [];
-    $.each(files, function(idx, item) {
-      if ('STANDARD' === item.StorageClass) {
-        return content.push("<li><a href='https://s3-us-west-2.amazonaws.com/rubygems-dumps/" + item.Key + "'>" + (item.LastModified.replace('.000Z', '')) + " (" + (bytesToSize(item.Size)) + ")</a></li>");
-      }
-    });
-    return content.join("\n");
-  };
-
-  if($("#data-dump").length) {
-    getDumpData('ul.rubygems-dump-listing-postgresql', 'postgresql');
-    getDumpData('ul.rubygems-dump-listing-redis', 'redis');
-  }
-
-});
-
-//stats page
-$(function() {
-  $('.stats__graph__gem__meter').each(function() {
-    $(this).animate({ width: $(this).data("bar-width") + '%' }, 700).removeClass('t-item--hidden').css("display", "block");
-  });
-});
-
 //gem page
 $(function() {
   $('.gem__users__mfa-text.mfa-warn').on('click', function() {
diff --git a/app/javascript/src/search.js b/app/javascript/src/search.js
deleted file mode 100644
index d9ddae734bf..00000000000
--- a/app/javascript/src/search.js
+++ /dev/null
@@ -1,28 +0,0 @@
-import $ from "jquery";
-
-if($("#advanced-search").length){
-  var $main        = $('#query');
-  var $name        = $('input#name');
-  var $summary     = $('input#summary');
-  var $description = $('input#description');
-  var $downloads   = $('input#downloads');
-  var $updated     = $('input#updated');
-
-  $name.add($summary)
-    .add($description)
-    .add($downloads)
-    .add($updated)
-    .on('input', function(e) {
-      var name        = $name.val().length > 0 ? 'name: ' + $name.val() : '';
-      var summary     = $summary.val().length > 0 ? 'summary: ' + $summary.val() : '';
-      var description = $description.val().length > 0 ? 'description: ' + $description.val() : '';
-      var downloads   = $downloads.val().length > 0 ? 'downloads: ' + $downloads.val() : '';
-      var updated     = $updated.val().length > 0 ? 'updated: ' + $updated.val() : '';
-
-      $main.val($.trim(name + ' ' + summary + ' ' + description + ' ' + downloads + ' ' + updated));
-  }).on('keypress', function(e) {
-    if (e.key === 'Enter') {
-      $("input#advanced_search_submit").click();
-    }
-  });
-}
diff --git a/app/jobs/notify_web_hook_job.rb b/app/jobs/notify_web_hook_job.rb
index 30543a30147..1f1de9abac0 100644
--- a/app/jobs/notify_web_hook_job.rb
+++ b/app/jobs/notify_web_hook_job.rb
@@ -13,6 +13,15 @@ class NotifyWebHookJob < ApplicationJob
   before_perform { @host_with_port = @kwargs.fetch(:host_with_port) }
   before_perform { @version = @kwargs.fetch(:version) }
   before_perform { @rubygem = @version.rubygem }
+  before_perform { @poll_delivery = @kwargs.fetch(:poll_delivery, false) }
+  before_perform do
+    @http = Faraday.new("https://api.hookrelay.dev", request: { timeout: TIMEOUT_SEC }) do |f|
+      f.request :json
+      f.response :logger, logger, headers: false, errors: true
+      f.response :json
+      f.response :raise_error
+    end
+  end
 
   attr_reader :webhook, :protocol, :host_with_port, :version, :rubygem
 
@@ -21,7 +30,6 @@ class NotifyWebHookJob < ApplicationJob
 
   # has to come after the retry on
   discard_on(Faraday::UnprocessableEntityError) do |j, e|
-    raise unless j.use_hook_relay?
     logger.info({ webhook_id: j.webhook.id, url: j.webhook.url, response: JSON.parse(e.response_body) })
     j.webhook.increment! :failure_count
   end
@@ -31,11 +39,7 @@ def perform(*)
     set_tag "gemcutter.notifier.url", url
     set_tag "gemcutter.notifier.webhook_id", webhook.id
 
-    if use_hook_relay?
-      post_hook_relay
-    else
-      post_directly
-    end
+    post_hook_relay
   end
   statsd_count_success :perform, "Webhook.perform"
 
@@ -48,44 +52,53 @@ def authorization
   end
 
   def hook_relay_url
-    "https://api.hookrelay.dev/hooks/#{ENV['HOOK_RELAY_ACCOUNT_ID']}/#{ENV['HOOK_RELAY_HOOK_ID']}/webhook_id-#{webhook.id}"
-  end
-
-  def use_hook_relay?
-    # can't use hook relay for `perform_now` (aka an unenqueued job)
-    # because then we won't actually hit the webhook URL synchronously
-    enqueued_at.present? && ENV["HOOK_RELAY_ACCOUNT_ID"].present? && ENV["HOOK_RELAY_HOOK_ID"].present?
+    "https://api.hookrelay.dev/hooks/#{account_id}/#{hook_id}/webhook_id-#{webhook.id || 'fire'}"
   end
 
   def post_hook_relay
     response = post(hook_relay_url)
-    delivery_id = JSON.parse(response.body).fetch("id")
+    delivery_id = response.body.fetch("id")
     Rails.logger.info do
       { webhook_id: webhook.id, url: webhook.url, delivery_id:, full_name: version.full_name, message: "Sent webhook to HookRelay" }
     end
+    return poll_delivery(delivery_id) if @poll_delivery
     true
   end
 
-  def post_directly
-    post(webhook.url)
-    true
-  rescue *ERRORS
-    webhook.increment! :failure_count
-    false
-  end
-
   def post(url)
-    Faraday.new(nil, request: { timeout: TIMEOUT_SEC }) do |f|
-      f.request :json
-      f.response :logger, logger, headers: false, errors: true
-      f.response :raise_error
-    end.post(
+    @http.post(
       url, payload,
       {
         "Authorization"   => authorization,
         "HR_TARGET_URL"   => webhook.url,
-        "HR_MAX_ATTEMPTS" => "3"
+        "HR_MAX_ATTEMPTS" => @poll_delivery ? "1" : "3"
       }
     )
   end
+
+  def poll_delivery(delivery_id)
+    deadline = (Rails.env.test? ? 0.01 : 10).seconds.from_now
+    response = nil
+    until Time.zone.now > deadline
+      sleep 0.5
+      response = @http.get("https://app.hookrelay.dev/api/v1/accounts/#{account_id}/hooks/#{hook_id}/deliveries/#{delivery_id}", nil, {
+                             "Authorization" => "Bearer #{ENV['HOOK_RELAY_API_KEY']}"
+                           })
+      status = response.body.fetch("status")
+
+      break if status == "success"
+    end
+
+    response.body || raise("Failed to get delivery status after 10 seconds")
+  end
+
+  private
+
+  def account_id
+    ENV["HOOK_RELAY_ACCOUNT_ID"]
+  end
+
+  def hook_id
+    ENV["HOOK_RELAY_HOOK_ID"]
+  end
 end
diff --git a/app/jobs/refresh_oidc_provider_job.rb b/app/jobs/refresh_oidc_provider_job.rb
index 166a5319b8b..e7edcb433cd 100644
--- a/app/jobs/refresh_oidc_provider_job.rb
+++ b/app/jobs/refresh_oidc_provider_job.rb
@@ -4,6 +4,8 @@ class RefreshOIDCProviderJob < ApplicationJob
   ERRORS = (HTTP_ERRORS + [Faraday::Error, SocketError, SystemCallError, OpenSSL::SSL::SSLError]).freeze
   retry_on(*ERRORS)
 
+  class JWKSURIMismatchError < StandardError; end
+
   def perform(provider:)
     connection = Faraday.new(provider.issuer, request: { timeout: 2 }, headers: { "Accept" => "application/json" }) do |f|
       f.request :json
@@ -15,6 +17,9 @@ def perform(provider:)
 
     provider.configuration = resp.body
     provider.configuration.validate!
+    if provider.configuration.jwks_uri.blank? || URI.parse(provider.configuration.jwks_uri).host != URI.parse(provider.issuer).host
+      raise JWKSURIMismatchError, "Invalid JWKS URI in OpenID Connect configuration #{provider.configuration.jwks_uri.inspect}"
+    end
     provider.jwks = connection.get(provider.configuration.jwks_uri).body
 
     provider.save!
diff --git a/app/jobs/rstuf/check_job.rb b/app/jobs/rstuf/check_job.rb
index c66da399fe2..82e2bc1b7c8 100644
--- a/app/jobs/rstuf/check_job.rb
+++ b/app/jobs/rstuf/check_job.rb
@@ -14,7 +14,7 @@ def perform(task_id)
       raise FailureException, "RSTUF job failed, please check payload and retry"
     when "ERRORED", "REVOKED", "REJECTED"
       raise ErrorException, "RSTUF internal problem, please check RSTUF health"
-    when "PENDING", "RUNNING", "RECEIVED", "STARTED"
+    when "PENDING", "PRE_RUN", "RUNNING", "RECEIVED", "STARTED"
       raise RetryException
     else
       Rails.logger.info "RSTUF job returned unexpected state #{status}"
diff --git a/app/jobs/verify_link_job.rb b/app/jobs/verify_link_job.rb
index 50667b6b0b5..8a18a838cf1 100644
--- a/app/jobs/verify_link_job.rb
+++ b/app/jobs/verify_link_job.rb
@@ -9,10 +9,6 @@ class NotHTTPSError < StandardError; end
   class LinkNotPresentError < StandardError; end
   class HTTPResponseError < StandardError; end
 
-  rescue_from NotHTTPSError do |_error|
-    record_failure
-  end
-
   rescue_from LinkNotPresentError, HTTPResponseError, *ERRORS do |error|
     logger.info "Linkback verification failed with error: #{error.message}", error: error, uri: link_verification.uri,
       linkable: link_verification.linkable.to_gid
@@ -23,6 +19,10 @@ class HTTPResponseError < StandardError; end
     end
   end
 
+  rescue_from NotHTTPSError, Faraday::RestrictIPAddresses::AddressNotAllowed do |_error|
+    record_failure
+  end
+
   TIMEOUT_SEC = 5
 
   def perform(link_verification:)
@@ -68,6 +68,9 @@ def verify_link!(uri, linkable)
 
   def get(url)
     Faraday.new(nil, request: { timeout: TIMEOUT_SEC }) do |f|
+      # prevent SSRF attacks
+      f.request :restrict_ip_addresses, deny_rfc6890: true
+
       f.response :logger, logger, headers: false, errors: true
       f.response :raise_error
     end.get(
diff --git a/app/mailers/mailer.rb b/app/mailers/mailer.rb
index d9ee97a0db8..98bda5678fe 100644
--- a/app/mailers/mailer.rb
+++ b/app/mailers/mailer.rb
@@ -30,6 +30,17 @@ def email_confirmation(user)
     end
   end
 
+  def admin_manual(user, subject, body)
+    @user = user
+    @body = body
+    @sub_title = subject
+    mail to: @user.email,
+         subject: subject do |format|
+           format.html
+           format.text
+         end
+  end
+
   def deletion_complete(email)
     mail to: email,
          subject: I18n.t("mailer.deletion_complete.subject")
diff --git a/app/mailers/owners_mailer.rb b/app/mailers/owners_mailer.rb
index 7b6bef127c1..2130ee0abcb 100644
--- a/app/mailers/owners_mailer.rb
+++ b/app/mailers/owners_mailer.rb
@@ -13,6 +13,17 @@ def ownership_confirmation(ownership)
       end
   end
 
+  def owner_updated
+    @ownership = params[:ownership]
+    @user = @ownership.user
+    @rubygem = @ownership.rubygem
+
+    mail(
+      to: @user.email,
+      subject: t("mailer.owner_updated.subject", gem: @rubygem.name, host: Gemcutter::HOST_DISPLAY)
+    )
+  end
+
   def owner_removed(user_id, remover_id, gem_id)
     @user = User.find(user_id)
     @remover = User.find(remover_id)
diff --git a/app/models/api_key.rb b/app/models/api_key.rb
index d0a4c113ad0..924bf5fc3f2 100644
--- a/app/models/api_key.rb
+++ b/app/models/api_key.rb
@@ -1,9 +1,9 @@
 class ApiKey < ApplicationRecord
   class ScopeError < RuntimeError; end
 
-  API_SCOPES = %i[show_dashboard index_rubygems push_rubygem yank_rubygem add_owner remove_owner access_webhooks
+  API_SCOPES = %i[show_dashboard index_rubygems push_rubygem yank_rubygem add_owner update_owner remove_owner access_webhooks
                   configure_trusted_publishers].freeze
-  APPLICABLE_GEM_API_SCOPES = %i[push_rubygem yank_rubygem add_owner remove_owner configure_trusted_publishers].freeze
+  APPLICABLE_GEM_API_SCOPES = %i[push_rubygem yank_rubygem add_owner update_owner remove_owner configure_trusted_publishers].freeze
   EXCLUSIVE_SCOPES = %i[show_dashboard].freeze
 
   self.ignored_columns += API_SCOPES
@@ -20,10 +20,10 @@ class ScopeError < RuntimeError; end
   after_create :record_create_event
   after_update :record_expire_event, if: :saved_change_to_expires_at?
 
-  validates :name, :hashed_key, presence: true
   validate :exclusive_show_dashboard_scope, if: :can_show_dashboard?
   validate :scope_presence
-  validates :name, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }
+  validates :name, presence: true, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }
+  validates :hashed_key, presence: true, uniqueness: true
   validates :expires_at, inclusion: { in: -> { 1.minute.from_now.. } }, allow_nil: true, on: :create
   validate :rubygem_scope_definition, if: :ownership
   validate :known_scopes
@@ -40,7 +40,7 @@ class ScopeError < RuntimeError; end
 
   def self.expire_all!
     transaction do
-      find_each.all?(&:expire!)
+      unexpired.find_each.all?(&:expire!)
     end
   end
 
@@ -70,6 +70,10 @@ def user?
     owner_type == "User"
   end
 
+  def trusted_publisher?
+    owner_type.deconstantize == "OIDC::TrustedPublisher"
+  end
+
   delegate :mfa_required_not_yet_enabled?, :mfa_required_weak_level_enabled?,
     :mfa_recommended_not_yet_enabled?, :mfa_recommended_weak_level_enabled?,
     to: :user, allow_nil: true
diff --git a/app/models/attestation.rb b/app/models/attestation.rb
new file mode 100644
index 00000000000..e85eac9e770
--- /dev/null
+++ b/app/models/attestation.rb
@@ -0,0 +1,50 @@
+class Attestation < ApplicationRecord
+  belongs_to :version
+
+  validates :body, :media_type, presence: true
+  attribute :body, :jsonb
+
+  def sigstore_bundle
+    Sigstore::SBundle.new(
+      Sigstore::Bundle::V1::Bundle.decode_json_hash(body, registry: Sigstore::REGISTRY)
+    )
+  end
+
+  def display_data # rubocop:disable Metrics/MethodLength
+    bundle = sigstore_bundle
+    leaf_certificate = bundle.leaf_certificate
+
+    issuer = leaf_certificate.extension(Sigstore::Internal::X509::Extension::FulcioIssuer).issuer
+    log_index = bundle.verification_material.tlog_entries.first.log_index
+
+    extensions = leaf_certificate.openssl.extensions.to_h do |ext|
+      [ext.oid, if (ext.oid =~ /\A1\.3\.6\.1\.4\.1\.57264\.1\.(\d+)\z/) && ::Regexp.last_match(1).to_i >= 8
+                  OpenSSL::ASN1.decode(ext.value_der).value
+                else
+                  ext.value
+                end]
+    end
+
+    repo = extensions["1.3.6.1.4.1.57264.1.5"]
+    commit = extensions["1.3.6.1.4.1.57264.1.3"]
+    ref  =  extensions["1.3.6.1.4.1.57264.1.14"]
+    san  =  extensions["subjectAltName"]
+    build_file_url = extensions["1.3.6.1.4.1.57264.1.21"]
+
+    case issuer
+    when "https://token.actions.githubusercontent.com"
+      san =~ %r{\AURI:https://github\.com/#{Regexp.escape(repo)}/(.+)@#{Regexp.escape(ref)}\z}
+      build_file_string = ::Regexp.last_match(1)
+      {
+        ci_platform: "GitHub Actions",
+        source_commit_string: "github.com/#{repo}@#{commit[0, 7]}",
+        source_commit_url: "https://github.com/#{repo}/tree/#{commit}",
+        build_file_string:, build_file_url:
+      }
+    else
+      raise "Unhandled issuer: #{issuer.inspect}"
+    end.merge(
+      log_index:
+    )
+  end
+end
diff --git a/app/models/concerns/rubygem_searchable.rb b/app/models/concerns/rubygem_searchable.rb
index d0d5c4737c4..27eee6ad34f 100644
--- a/app/models/concerns/rubygem_searchable.rb
+++ b/app/models/concerns/rubygem_searchable.rb
@@ -24,7 +24,7 @@ module RubygemSearchable
           description: { type: "text", analyzer: "english", fields: { raw: { analyzer: "simple", type: "text" } } },
           suggest: { type: "completion", contexts: { name: "yanked", type: "category" } },
           yanked: { type: "boolean" },
-          downloads: { type: "integer" },
+          downloads: { type: "long" },
           updated: { type: "date" }
         }
       }
@@ -88,12 +88,16 @@ def suggest_json
       {
         suggest: {
           input: name,
-          weight: downloads,
+          weight: suggest_weight_scale(downloads),
           contexts: {
             yanked: versions.none?(&:indexed?)
           }
         }
       }
     end
+
+    def suggest_weight_scale(downloads)
+      Math.log10(downloads + 1).to_i
+    end
   end
 end
diff --git a/app/models/concerns/user_multifactor_methods.rb b/app/models/concerns/user_multifactor_methods.rb
index 2d181787f3e..07a687e532e 100644
--- a/app/models/concerns/user_multifactor_methods.rb
+++ b/app/models/concerns/user_multifactor_methods.rb
@@ -7,7 +7,7 @@ module UserMultifactorMethods
 
     attr_accessor :new_mfa_recovery_codes
 
-    enum mfa_level: { disabled: 0, ui_only: 1, ui_and_api: 2, ui_and_gem_signin: 3 }, _prefix: :mfa
+    enum :mfa_level, { disabled: 0, ui_only: 1, ui_and_api: 2, ui_and_gem_signin: 3 }, prefix: :mfa
 
     validate :mfa_level_for_enabled_devices
   end
diff --git a/app/models/events/organization_event.rb b/app/models/events/organization_event.rb
new file mode 100644
index 00000000000..8171c3738aa
--- /dev/null
+++ b/app/models/events/organization_event.rb
@@ -0,0 +1,10 @@
+class Events::OrganizationEvent < ApplicationRecord
+  belongs_to :organization
+
+  include Events::Tags
+
+  CREATED = define_event "organization:created" do
+    attribute :name, :string
+    attribute :actor_gid, :global_id
+  end
+end
diff --git a/app/models/events/rubygem_event.rb b/app/models/events/rubygem_event.rb
index 11c7dea8b13..6f4895dd442 100644
--- a/app/models/events/rubygem_event.rb
+++ b/app/models/events/rubygem_event.rb
@@ -59,6 +59,17 @@ class Events::RubygemEvent < ApplicationRecord
     attribute :owner_gid, :global_id
   end
 
+  OWNER_ROLE_UPDATED = define_event "rubygem:owner:role_updated" do
+    attribute :owner, :string
+    attribute :updated_by, :string
+
+    attribute :actor_gid, :global_id
+    attribute :owner_gid, :global_id
+
+    attribute :previous_role, :string
+    attribute :current_role, :string
+  end
+
   OWNER_REMOVED = define_event "rubygem:owner:removed" do
     attribute :owner, :string
     attribute :removed_by, :string
diff --git a/app/models/gem_name_reservation.rb b/app/models/gem_name_reservation.rb
index 4e3e69eb566..cb4e685a20a 100644
--- a/app/models/gem_name_reservation.rb
+++ b/app/models/gem_name_reservation.rb
@@ -1,5 +1,5 @@
 class GemNameReservation < ApplicationRecord
-  validates :name, uniqueness: { case_sensitive: false }, presence: true
+  validates :name, uniqueness: { case_sensitive: false }, presence: true, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }
   validate :downcase_name_check
 
   def self.reserved?(name)
diff --git a/app/models/gem_typo_exception.rb b/app/models/gem_typo_exception.rb
index 98db3b92cde..668c5e3830b 100644
--- a/app/models/gem_typo_exception.rb
+++ b/app/models/gem_typo_exception.rb
@@ -1,5 +1,5 @@
 class GemTypoException < ApplicationRecord
-  validates :name, presence: true, uniqueness: { case_sensitive: false }
+  validates :name, presence: true, uniqueness: { case_sensitive: false }, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }
   validate :rubygems_name
 
   private
diff --git a/app/models/linkset.rb b/app/models/linkset.rb
index dc0be7a6d3d..ccea8016728 100644
--- a/app/models/linkset.rb
+++ b/app/models/linkset.rb
@@ -11,6 +11,8 @@ class Linkset < ApplicationRecord
       allow_nil: true,
       allow_blank: true,
       message: "does not appear to be a valid URL"
+
+    validates url, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }
   end
 
   def empty?
diff --git a/app/models/log_ticket.rb b/app/models/log_ticket.rb
index 2d6c8c7c85e..51b3ac47ba9 100644
--- a/app/models/log_ticket.rb
+++ b/app/models/log_ticket.rb
@@ -1,6 +1,6 @@
 class LogTicket < ApplicationRecord
-  enum backend: { s3: 0, local: 1 }
-  enum status: %i[pending processing failed processed].index_with(&:to_s)
+  enum :backend, { s3: 0, local: 1 }
+  enum :status, %i[pending processing failed processed].index_with(&:to_s)
 
   def self.pop(key: nil, directory: nil)
     scope = pending.limit(1).lock(true).order("id ASC")
diff --git a/app/models/membership.rb b/app/models/membership.rb
new file mode 100644
index 00000000000..f570f99bbbf
--- /dev/null
+++ b/app/models/membership.rb
@@ -0,0 +1,15 @@
+class Membership < ApplicationRecord
+  belongs_to :user
+  belongs_to :organization
+
+  scope :unconfirmed, -> { where(confirmed_at: nil) }
+  scope :confirmed, -> { where.not(confirmed_at: nil) }
+
+  enum :role, { owner: Access::OWNER, admin: Access::ADMIN, maintainer: Access::MAINTAINER }, validate: true, default: :maintainer
+
+  scope :with_minimum_role, ->(role) { where(role: Access.flag_for_role(role)...) }
+
+  def confirmed?
+    !confirmed_at.nil?
+  end
+end
diff --git a/app/models/oidc/api_key_role.rb b/app/models/oidc/api_key_role.rb
index 1f7edf17a85..9111cc723e6 100644
--- a/app/models/oidc/api_key_role.rb
+++ b/app/models/oidc/api_key_role.rb
@@ -22,7 +22,7 @@ class OIDC::ApiKeyRole < ApplicationRecord
   scope :deleted, -> { where.not(deleted_at: nil) }
   scope :active, -> { where(deleted_at: nil) }
 
-  validates :name, presence: true, length: { maximum: 255 }, uniqueness: { scope: :user_id }
+  validates :name, presence: true, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }, uniqueness: { scope: :user_id }
 
   attribute :api_key_permissions, Types::JsonDeserializable.new(OIDC::ApiKeyPermissions)
   validates :api_key_permissions, presence: true, nested: true
diff --git a/app/models/oidc/trusted_publisher/github_action.rb b/app/models/oidc/trusted_publisher/github_action.rb
index dd68c8132ec..dfff396e0d8 100644
--- a/app/models/oidc/trusted_publisher/github_action.rb
+++ b/app/models/oidc/trusted_publisher/github_action.rb
@@ -8,11 +8,9 @@ class OIDC::TrustedPublisher::GitHubAction < ApplicationRecord
 
   before_validation :find_github_repository_owner_id
 
-  validates :repository_owner, presence: true
-  validates :repository_name, presence: true
-  validates :workflow_filename, presence: true
-  validates :environment, presence: true, allow_nil: true
-  validates :repository_owner_id, presence: true
+  validates :repository_owner, :repository_name, :workflow_filename, :repository_owner_id,
+    presence: true, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }
+  validates :environment, presence: true, allow_nil: true, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }
 
   validate :unique_publisher
   validate :workflow_filename_format
@@ -121,6 +119,24 @@ def to_access_policy(jwt)
     )
   end
 
+  class SigstorePolicy
+    def initialize(trusted_publisher)
+      @trusted_publisher = trusted_publisher
+    end
+
+    def verify(cert)
+      ref = cert.openssl.find_extension("1.3.6.1.4.1.57264.1.14")&.value_der&.then { OpenSSL::ASN1.decode(_1).value }
+      Sigstore::Policy::Identity.new(
+        identity: "https://github.com/#{@trusted_publisher.repository}/#{@trusted_publisher.workflow_slug}@#{ref}",
+        issuer: OIDC::Provider::GITHUB_ACTIONS_ISSUER
+      ).verify(cert)
+    end
+  end
+
+  def to_sigstore_identity_policy
+    SigstorePolicy.new(self)
+  end
+
   def name
     name = "#{self.class.publisher_name} #{repository_owner}/#{repository_name} @ #{workflow_slug}"
     name << " (#{environment})" if environment?
diff --git a/app/models/organization.rb b/app/models/organization.rb
new file mode 100644
index 00000000000..1e6560d26a9
--- /dev/null
+++ b/app/models/organization.rb
@@ -0,0 +1,23 @@
+class Organization < ApplicationRecord
+  include Events::Recordable
+
+  validates :handle, presence: true,
+    uniqueness: { case_sensitive: false },
+    length: { within: 2..40 },
+    format: { with: Patterns::HANDLE_PATTERN }
+  validates :name, presence: true, length: { within: 2..255 }
+
+  has_many :memberships, -> { where.not(confirmed_at: nil) }, dependent: :destroy, inverse_of: :organization
+  has_many :unconfirmed_memberships, -> { where(confirmed_at: nil) }, class_name: "Membership", dependent: :destroy, inverse_of: :organization
+  has_many :users, through: :memberships
+  has_many :rubygems, dependent: :nullify
+  has_one :organization_onboarding, foreign_key: :onboarded_organization_id, inverse_of: :organization, dependent: :destroy
+
+  default_scope { not_deleted }
+  scope :not_deleted, -> { where(deleted_at: nil) }
+  scope :deleted, -> { unscoped.where.not(deleted_at: nil) }
+
+  after_create do
+    record_event!(Events::OrganizationEvent::CREATED, actor_gid: memberships.first&.to_gid)
+  end
+end
diff --git a/app/models/organization_onboarding.rb b/app/models/organization_onboarding.rb
new file mode 100644
index 00000000000..d97aaacc95b
--- /dev/null
+++ b/app/models/organization_onboarding.rb
@@ -0,0 +1,163 @@
+class OrganizationOnboarding < ApplicationRecord
+  enum :name_type, { gem: "gem", user: "user" }, prefix: true, default: "gem"
+  enum :status, { pending: "pending", completed: "completed", failed: "failed" }, default: "pending"
+
+  has_many :invites, -> { preload(:user) }, class_name: "OrganizationOnboardingInvite", inverse_of: :organization_onboarding, dependent: :destroy
+  has_many :users, through: :invites
+  belongs_to :organization, optional: true, foreign_key: :onboarded_organization_id, inverse_of: :organization_onboarding
+  belongs_to :created_by, class_name: "User", inverse_of: :organization_onboardings
+
+  accepts_nested_attributes_for :invites
+
+  validate :created_by_gem_ownerships
+
+  validates :organization_name, :organization_handle, :name_type, presence: true
+
+  with_options if: :completed? do
+    validates :onboarded_at, presence: true
+  end
+
+  with_options if: :failed? do
+    validates :error, presence: true
+  end
+
+  with_options if: :name_type_user? do
+    before_validation :set_user_handle
+  end
+
+  with_options if: :name_type_gem? do
+    validate :organization_handle_matches_rubygem_name
+    after_validation :add_namesake_rubygem
+  end
+
+  before_validation :remove_invalid_invites
+  before_save :sync_invites, if: :rubygems_changed?
+
+  def onboard!
+    raise StandardError, "onboard has already been completed" if completed?
+
+    transaction do
+      onboarded_organization = create_organization!
+      onboard_rubygems!(onboarded_organization)
+
+      update!(
+        onboarded_at: Time.zone.now,
+        status: :completed,
+        onboarded_organization_id: onboarded_organization.id
+      )
+    end
+
+    remove_ownerships
+  rescue ActiveRecord::ActiveRecordError => e
+    self.status = :failed
+    self.error = e.message
+    save(validate: false)
+
+    raise e
+  end
+
+  def available_rubygems
+    return Rubygem.none if created_by.blank?
+    created_by.rubygems.where(organization_id: nil).order(:name)
+  end
+
+  def selected_rubygems
+    Rubygem.where(id: rubygems).all
+  end
+
+  def namesake_rubygem
+    return unless name_type_gem?
+    created_by&.rubygems&.find_by(name: organization_handle)
+  end
+
+  def approved_invites
+    invites.select { |invite| invite.user.present? && invite.role.present? }
+  end
+
+  def rubygems=(value)
+    super(Rubygem.where(id: value.compact_blank, organization_id: nil).pluck(:id))
+  end
+
+  private
+
+  def users_for_selected_gems
+    return User.none if available_rubygems.blank? || created_by.blank?
+    User
+      .joins(:ownerships)
+      .where(ownerships: { rubygem_id: available_rubygems.pluck(:id) })
+      .where.not(ownerships: { user_id: created_by })
+      .order(Arel.sql("COUNT (ownerships.id) DESC"))
+      .group(users: [:id])
+  end
+
+  def sync_invites
+    existing_invites = invites.index_by(&:user_id)
+    self.invites = users_for_selected_gems.map { existing_invites[_1.id] || OrganizationOnboardingInvite.new(user: _1) }
+  end
+
+  def remove_invalid_invites
+    self.invites = invites.select(&:valid?)
+  end
+
+  def create_organization!
+    memberships = invites.filter_map(&:to_membership)
+    memberships << build_owner
+
+    Organization.create!(
+      name: organization_name,
+      handle: organization_handle,
+      memberships: memberships
+    )
+  end
+
+  def onboard_rubygems!(onboarded_organization)
+    onboarding_gems = Rubygem.where(id: rubygems).all
+    onboarding_gems.each do |rubygem|
+      rubygem.update!(organization_id: onboarded_organization.id)
+    end
+  end
+
+  def build_owner
+    Membership.build(
+      user: created_by,
+      role: :owner,
+      confirmed_at: Time.zone.now
+    )
+  end
+
+  def set_user_handle
+    return if created_by.blank? || !name_type_user?
+    self.organization_handle = created_by.handle
+  end
+
+  def remove_ownerships
+    onboarded_users = invites.reject { _1.role.nil? || _1.outside_contributor? }.map(&:user)
+    onboarded_users << created_by
+
+    Ownership.includes(:rubygem, :user, :api_key_rubygem_scopes).where(user: onboarded_users, rubygem: selected_rubygems).destroy_all
+  end
+
+  def add_namesake_rubygem
+    namesake = namesake_rubygem
+    return unless namesake && rubygems.exclude?(namesake.id)
+    rubygems.unshift(namesake.id)
+  end
+
+  def organization_handle_matches_rubygem_name
+    return if organization_handle.blank?
+    return if namesake_rubygem.present?
+    return if selected_rubygems.any? { _1.name == organization_handle }
+
+    errors.add(:organization_handle, "must match a rubygem you own")
+  end
+
+  def created_by_gem_ownerships
+    return if created_by.blank? || rubygems.blank?
+
+    ownerships = Ownership.where(user: created_by, rubygem: rubygems).index_by(&:rubygem_id)
+
+    selected_rubygems.reject { ownerships[_1.id].present? && ownerships[_1.id].owner? }.each do |rubygem|
+      errors.add(:created_by, "must be an owner of the #{rubygem.name} gem")
+    end
+  end
+end
diff --git a/app/models/organization_onboarding_invite.rb b/app/models/organization_onboarding_invite.rb
new file mode 100644
index 00000000000..8de20669b50
--- /dev/null
+++ b/app/models/organization_onboarding_invite.rb
@@ -0,0 +1,16 @@
+class OrganizationOnboardingInvite < ApplicationRecord
+  belongs_to :organization_onboarding, inverse_of: :invites
+  belongs_to :user
+
+  validates :user_id, uniqueness: { scope: :organization_onboarding_id }
+
+  enum :role, { owner: "owner", admin: "admin", maintainer: "maintainer", outside_contributor: "outside_contributor" },
+    validate: { allow_nil: true }
+
+  def to_membership
+    Membership.new(
+      user: user,
+      role: role
+    )
+  end
+end
diff --git a/app/models/ownership.rb b/app/models/ownership.rb
index fd6e4b94d1a..bbe1f3776c8 100644
--- a/app/models/ownership.rb
+++ b/app/models/ownership.rb
@@ -13,11 +13,17 @@ class Ownership < ApplicationRecord
 
   after_create :record_create_event
   after_update :record_confirmation_event, if: :saved_change_to_confirmed_at?
+  after_update :record_role_updated_event, if: :saved_change_to_role?
+  after_update :notify_user_role_of_role_change, if: :saved_change_to_role?
   after_destroy :record_destroy_event
 
   scope :confirmed, -> { where.not(confirmed_at: nil) }
   scope :unconfirmed, -> { where(confirmed_at: nil) }
 
+  enum :role, { owner: Access::OWNER, maintainer: Access::MAINTAINER }, validate: true, default: :owner
+
+  scope :user_with_minimum_role, ->(user, role) { where(user: user, role: Access.with_minimum_role(role)) }
+
   def self.by_indexed_gem_name
     select("ownerships.*, rubygems.name")
       .left_joins(rubygem: :versions)
@@ -26,8 +32,8 @@ def self.by_indexed_gem_name
       .order("rubygems.name ASC")
   end
 
-  def self.find_by_owner_handle!(handle)
-    joins(:user).find_by(users: { handle: handle }) || joins(:user).find_by!(users: { id: handle })
+  def self.find_by_owner_handle(handle)
+    joins(:user).find_by(users: { handle: handle }) || joins(:user).find_by(users: { id: handle })
   end
 
   def self.create_confirmed(rubygem, user, approver)
@@ -107,6 +113,16 @@ def record_confirmation_event
       actor_gid: Current.user&.to_gid)
   end
 
+  def record_role_updated_event
+    rubygem.record_event!(Events::RubygemEvent::OWNER_ROLE_UPDATED,
+      owner: user.display_handle,
+      updated_by: Current.user&.display_handle,
+      owner_gid: user.to_gid,
+      actor_gid: Current.user&.to_gid,
+      previous_role: role_previously_was,
+      current_role: role)
+  end
+
   def record_destroy_event
     rubygem.record_event!(Events::RubygemEvent::OWNER_REMOVED,
       owner: user.display_handle,
@@ -114,4 +130,8 @@ def record_destroy_event
       owner_gid: user.to_gid,
       actor_gid: Current.user&.to_gid)
   end
+
+  def notify_user_role_of_role_change
+    OwnersMailer.with(ownership: self).owner_updated.deliver_later
+  end
 end
diff --git a/app/models/ownership_call.rb b/app/models/ownership_call.rb
index 2973c67994e..01b836dbf77 100644
--- a/app/models/ownership_call.rb
+++ b/app/models/ownership_call.rb
@@ -10,7 +10,7 @@ class OwnershipCall < ApplicationRecord
   delegate :name, to: :rubygem, prefix: true
   delegate :display_handle, to: :user, prefix: true
 
-  enum status: { opened: true, closed: false }
+  enum :status, { opened: true, closed: false }
 
   def close!
     ownership_requests.each(&:close!)
diff --git a/app/models/ownership_request.rb b/app/models/ownership_request.rb
index 545ce581a30..3aafdd45514 100644
--- a/app/models/ownership_request.rb
+++ b/app/models/ownership_request.rb
@@ -4,14 +4,15 @@ class OwnershipRequest < ApplicationRecord
   belongs_to :ownership_call, optional: true
   belongs_to :approver, class_name: "User", optional: true
 
-  validates :rubygem_id, :user_id, :status, :note, presence: true
+  validates :status, :note, presence: true
   validates :note, length: { maximum: Gemcutter::MAX_TEXT_FIELD_LENGTH }
   validates :user_id, uniqueness: { scope: :rubygem_id, conditions: -> { opened } }
+  validate :not_already_owner, on: :create
 
   delegate :name, to: :user, prefix: true
   delegate :name, to: :rubygem, prefix: true
 
-  enum status: { opened: 0, approved: 1, closed: 2 }
+  enum :status, { opened: 0, approved: 1, closed: 2 }
 
   def approve!(approver)
     return unless Pundit.policy!(approver, self).approve?
@@ -32,4 +33,11 @@ def close!(closer = nil)
     return if closer && closer == user # Don't notify the requester if they closed their own request
     OwnersMailer.ownership_request_closed(id).deliver_later
   end
+
+  private
+
+  def not_already_owner
+    return unless rubygem.owned_by?(user)
+    errors.add(:user_id, I18n.t("activerecord.errors.models.ownership_request.attributes.user_id.existing"))
+  end
 end
diff --git a/app/models/pusher.rb b/app/models/pusher.rb
index 6b256ce230a..0f0dab75908 100644
--- a/app/models/pusher.rb
+++ b/app/models/pusher.rb
@@ -4,21 +4,30 @@ class Pusher
   include TraceTagger
   include SemanticLogger::Loggable
 
-  attr_reader :api_key, :owner, :spec, :spec_contents, :message, :code, :rubygem, :body, :version, :version_id, :size
+  attr_reader :api_key, :spec, :spec_contents, :message, :code, :rubygem, :body, :version, :version_id, :size, :attestations
 
-  def initialize(api_key, body, request: nil)
+  delegate :owner, to: :api_key
+
+  def initialize(api_key, body, request: nil, attestations: nil)
     @api_key = api_key
-    @owner = api_key.owner
     @scoped_rubygem = api_key.rubygem
 
     @body = StringIO.new(body.read)
+    @attestations = attestations
+
     @size = @body.size
     @request = request
   end
 
   def process
     trace("gemcutter.pusher.process", tags: { "gemcutter.api_key.owner" => owner.to_gid }) do
-      pull_spec && find && authorize && verify_gem_scope && verify_mfa_requirement && validate && save
+      pull_spec &&
+        find &&
+        authorize &&
+        verify_gem_scope &&
+        verify_mfa_requirement &&
+        validate &&
+        save
     end
   end
 
@@ -48,13 +57,18 @@ def validate
       return notify("There was a problem saving your gem: the uploaded spec has malformed platform attributes", 409)
     end
 
+    return unless verify_sigstore
+
     true
   end
 
   def save
     # Restructured so that if we fail to write the gem (ie, s3 is down)
     # can clean things up well.
-    return notify("There was a problem saving your gem: #{rubygem.all_errors(version)}", 403) unless update
+    unless update
+      return false if message
+      return notify("There was a problem saving your gem: #{rubygem.all_errors(version)}", 403)
+    end
     trace("gemcutter.pusher.write_gem") do
       write_gem @body, @spec_contents
     end
@@ -73,7 +87,9 @@ def save
   end
 
   def pull_spec
-    package = Gem::Package.new(body, gem_security_policy)
+    # ensure the body can't be treated as a file path
+    package_source = Gem::Package::IOSource.new(body)
+    package = Gem::Package.new(package_source, gem_security_policy)
     @spec = package.spec
     @files = package.files
     validate_spec && serialize_spec
@@ -84,13 +100,19 @@ def pull_spec
       Ensure you are using a recent version of RubyGems to build the gem by running
       `gem update --system` and then try pushing again.
     MSG
-  rescue StandardError => e
+  rescue Gem::Exception, Psych::DisallowedClass, ArgumentError => e
     notify <<~MSG, 422
       RubyGems.org cannot process this gem.
       Please try rebuilding it and installing it locally to make sure it's valid.
       Error:
       #{e.message}
     MSG
+  rescue StandardError
+    # Ensure arbitrary exceptions are not leaked to the client
+    notify <<~MSG, 422
+      RubyGems.org cannot process this gem.
+      Please try rebuilding it and installing it locally to make sure it's valid.
+    MSG
   end
 
   def find # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
@@ -143,12 +165,47 @@ def find # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
 
   # Overridden so we don't get megabytes of the raw data printing out
   def inspect
-    attrs = %i[@rubygem @owner @message @code].map do |attr|
-      "#{attr}=#{instance_variable_get(attr).inspect}"
+    attrs = { :@rubygem => @rubygem, :@owner => owner, :@message => @message, :@code => @code }.map do |attr, value|
+      "#{attr}=#{value.inspect}"
     end
     "<Pusher #{attrs.join(' ')}>"
   end
 
+  def verify_sigstore
+    return true if attestations.blank?
+    return notify("Pushing with an attestation requires trusted publishing", 400) unless api_key.trusted_publisher?
+
+    policy = api_key.owner.to_sigstore_identity_policy
+
+    artifact = Sigstore::Verification::V1::Artifact.new
+    artifact.artifact = body.string
+
+    attestations.each do |attestation|
+      bundle = Sigstore::Bundle::V1::Bundle.decode_json_hash(attestation, registry: Sigstore::REGISTRY)
+
+      verification_input = Sigstore::Verification::V1::Input.new
+      verification_input.artifact = artifact
+      verification_input.bundle = bundle
+      input = Sigstore::VerificationInput.new(verification_input)
+      sigstore_verification = sigstore_verifier.verify(input:, policy:, offline: true)
+      logger.info do
+        { message: "verifying sigstore bundles", sigstore_verification: sigstore_verification, policy: policy }
+      end
+
+      return notify("Attestation verification failed:\n#{sigstore_verification.reason}", 422) unless sigstore_verification.verified?
+      return notify("Must provide at least v0.3 bundles", 422) unless input.sbundle.bundle_type >= Sigstore::BundleType::BUNDLE_0_3
+
+      @version.attestations << Attestation.new(body: bundle, media_type: bundle.media_type)
+    end
+
+    true
+  rescue Sigstore::Error => e
+    notify <<~MSG, 422
+      Error verifying sigstore attestation:
+      #{e.message}
+    MSG
+  end
+
   private
 
   def after_write
@@ -172,18 +229,19 @@ def update
     rubygem.update_attributes_from_gem_specification!(version, spec)
 
     if rubygem.unowned?
-      case owner
-      when User
+      if api_key.user?
         rubygem.create_ownership(owner)
-      else
+      elsif api_key.trusted_publisher?
         pending_publisher = find_pending_trusted_publisher
-        return notify_unauthorized if pending_publisher.blank?
+        return notify("No pending publisher found", 404) if pending_publisher.blank?
 
         rubygem.transaction do
           logger.info { "Reifying pending publisher" }
           rubygem.create_ownership(pending_publisher.user)
           owner.rubygem_trusted_publishers.create!(rubygem: rubygem)
         end
+      else
+        return notify_unauthorized
       end
     end
 
@@ -303,7 +361,11 @@ def serialize_spec
   end
 
   def find_pending_trusted_publisher
-    return unless owner.class.module_parent_name == "OIDC::TrustedPublisher"
+    return unless api_key.trusted_publisher?
     owner.pending_trusted_publishers.unexpired.rubygem_name_is(rubygem.name).first
   end
+
+  def sigstore_verifier
+    @sigstore_verifier ||= Sigstore::Verifier.production
+  end
 end
diff --git a/app/models/rubygem.rb b/app/models/rubygem.rb
index 2bef507f40b..59529105575 100644
--- a/app/models/rubygem.rb
+++ b/app/models/rubygem.rb
@@ -1,7 +1,6 @@
 class Rubygem < ApplicationRecord
   include Patterns
   include RubygemSearchable
-  include Events::Recordable
 
   has_many :ownerships, -> { confirmed }, dependent: :destroy, inverse_of: :rubygem
   has_many :ownerships_including_unconfirmed, dependent: :destroy, class_name: "Ownership"
@@ -27,6 +26,12 @@ class Rubygem < ApplicationRecord
   has_many :reverse_development_dependencies, -> { merge(Dependency.development) }, through: :incoming_dependencies, source: :version_rubygem
   has_many :reverse_runtime_dependencies, -> { merge(Dependency.runtime) }, through: :incoming_dependencies, source: :version_rubygem
 
+  belongs_to :organization, optional: true
+
+  # needs to come last so its dependent: :destroy works, since yanking a version
+  # will create an event
+  include Events::Recordable
+
   has_one :most_recent_version,
     lambda {
       order(Arel.sql("case when #{quoted_table_name}.latest AND #{quoted_table_name}.platform = 'ruby' then 2 else 1 end desc"))
@@ -173,7 +178,7 @@ def hosted?
   end
 
   def unowned?
-    ownerships.blank?
+    ownerships.none? && !owned_by_organization?
   end
 
   def indexed_versions?
@@ -182,7 +187,14 @@ def indexed_versions?
 
   def owned_by?(user)
     return false unless user
-    ownerships.exists?(user_id: user.id)
+    ownerships.exists?(user_id: user.id) || (owned_by_organization? && user_authorized_for_organization?(user))
+  end
+
+  def owned_by_with_role?(user, minimum_required_role)
+    return false if user.blank?
+    ownerships.user_with_minimum_role(user, minimum_required_role).exists?
+  rescue KeyError
+    false
   end
 
   def unconfirmed_ownerships
@@ -420,4 +432,12 @@ def bulk_reorder_versions
     sanitized_query = ActiveRecord::Base.send(:sanitize_sql_array, update_query)
     ActiveRecord::Base.connection.execute(sanitized_query)
   end
+
+  def owned_by_organization?
+    organization.present?
+  end
+
+  def user_authorized_for_organization?(user)
+    organization.memberships.exists?(user: user)
+  end
 end
diff --git a/app/models/rubygem_contents/entry.rb b/app/models/rubygem_contents/entry.rb
index e6a218f27a3..396d205030a 100644
--- a/app/models/rubygem_contents/entry.rb
+++ b/app/models/rubygem_contents/entry.rb
@@ -3,7 +3,7 @@
 class RubygemContents::Entry
   class InvalidMetadata < RuntimeError; end
 
-  SIZE_LIMIT = 500.megabyte
+  SIZE_LIMIT = 500.megabytes
   MIME_TEXTUAL_SUBTYPES = %w[json ld+json x-csh x-sh x-httpd-php xhtml+xml xml].freeze
 
   class << self
diff --git a/app/models/user.rb b/app/models/user.rb
index b756fbbae04..8b25cd75531 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -64,25 +64,26 @@ class User < ApplicationRecord
   has_many :oidc_pending_trusted_publishers, class_name: "OIDC::PendingTrustedPublisher", inverse_of: :user, dependent: :destroy
   has_many :oidc_rubygem_trusted_publishers, through: :rubygems, class_name: "OIDC::RubygemTrustedPublisher"
 
+  has_many :memberships, dependent: :destroy
+  has_many :organizations, through: :memberships
+
+  has_many :organization_onboardings, foreign_key: :created_by_id, dependent: :nullify, inverse_of: :created_by
+
   validates :email, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }, format: { with: URI::MailTo::EMAIL_REGEXP }, presence: true,
-uniqueness: { case_sensitive: false }
+    uniqueness: { case_sensitive: false }
   validates :unconfirmed_email, length: { maximum: Gemcutter::MAX_FIELD_LENGTH }, format: { with: URI::MailTo::EMAIL_REGEXP }, allow_blank: true
 
   validates :handle, uniqueness: { case_sensitive: false }, allow_nil: true, if: :handle_changed?
-  validates :handle, format: {
-    with: /\A[A-Za-z][A-Za-z_\-0-9]*\z/,
-    message: "must start with a letter and can only contain letters, numbers, underscores, and dashes"
-  }, allow_nil: true
-  validates :handle, length: { within: 2..40 }, allow_nil: true
+  validates :handle, format: { with: Patterns::HANDLE_PATTERN }, length: { within: 2..40 }, allow_nil: true
+  validate :unique_with_org_handle
 
   validates :twitter_username, format: {
     with: /\A[a-zA-Z0-9_]*\z/,
     message: "can only contain letters, numbers, and underscores"
-  }, allow_nil: true
+  }, allow_nil: true, length: { within: 0..20 }
 
-  validates :twitter_username, length: { within: 0..20 }, allow_nil: true
   validates :password,
-    length: { within: 10..200 },
+    length: { minimum: 10 },
     unpwn: true,
     allow_blank: true, # avoid double errors with can't be blank
     unless: :skip_password_validation?
@@ -91,6 +92,7 @@ class User < ApplicationRecord
 
   validate :unconfirmed_email_uniqueness
   validate :toxic_email_domain, on: :create
+  validate :password_byte_length
 
   def self.authenticate(who, password)
     # Avoid exceptions when string is invalid in the given encoding, _or_ cannot be converted
@@ -117,6 +119,11 @@ def self.find_by_slug(slug)
     find_by(id: slug) || find_by(handle: slug)
   end
 
+  def self.find_by_name!(name)
+    raise ActiveRecord::RecordNotFound if name.blank?
+    find_by_email(name) || find_by!(handle: name)
+  end
+
   def self.find_by_name(name)
     return if name.blank?
     find_by_email(name) || find_by(handle: name)
@@ -141,8 +148,7 @@ def self.ownership_request_notifiable_owners
 
   def self.normalize_email(email)
     email.to_s.gsub(/\s+/, "")
-  rescue ArgumentError => e
-    Rails.error.report(e, handled: true)
+  rescue ArgumentError
     ""
   end
 
@@ -260,6 +266,19 @@ def block!
     end
   end
 
+  def unblock!
+    raise ArgumentError, "User is not blocked" unless blocked?
+
+    update!(
+      email: blocked_email,
+      blocked_email: nil
+    )
+  end
+
+  def blocked?
+    blocked_email.present?
+  end
+
   def owns_gem?(rubygem)
     rubygem.owned_by?(self)
   end
@@ -305,8 +324,13 @@ def toxic_email_domain
     errors.add(:email, I18n.t("activerecord.errors.messages.blocked", domain: domain)) if toxic
   end
 
+  def password_byte_length
+    return if skip_password_validation? || password.blank?
+    errors.add(:password, :bcrypt_length) if password.bytesize > 72
+  end
+
   def expire_all_api_keys
-    api_keys.unexpired.expire_all!
+    api_keys.expire_all!
   end
 
   def destroy_associations_for_discard
@@ -358,4 +382,8 @@ def record_email_verified_event
   def record_password_update_event
     record_event!(Events::UserEvent::PASSWORD_CHANGED)
   end
+
+  def unique_with_org_handle
+    errors.add(:handle, "has already been taken") if handle && Organization.where("lower(handle) = lower(?)", handle).any?
+  end
 end
diff --git a/app/models/user/with_private_fields.rb b/app/models/user/with_private_fields.rb
index 23a9a3a6952..164836e3dd9 100644
--- a/app/models/user/with_private_fields.rb
+++ b/app/models/user/with_private_fields.rb
@@ -10,12 +10,9 @@ def payload
 
   def mfa_warning
     if mfa_recommended_not_yet_enabled?
-      "[WARNING] For protection of your account and gems, we encourage you to set up multi-factor authentication " \
-        "at https://rubygems.org/totp/new. Your account will be required to have MFA enabled in the future."
+      I18n.t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
     elsif mfa_recommended_weak_level_enabled?
-      "[WARNING] For protection of your account and gems, we encourage you to change your multi-factor authentication " \
-        "level to 'UI and gem signin' or 'UI and API' at https://rubygems.org/settings/edit. " \
-        "Your account will be required to have MFA enabled on one of these levels in the future."
+      I18n.t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
     end
   end
 end
diff --git a/app/models/version.rb b/app/models/version.rb
index 2bf906ccf02..f3aa3e75413 100644
--- a/app/models/version.rb
+++ b/app/models/version.rb
@@ -13,6 +13,7 @@ class Version < ApplicationRecord # rubocop:disable Metrics/ClassLength
   belongs_to :pusher_api_key, class_name: "ApiKey", inverse_of: :pushed_versions, optional: true
   has_one :deletion, dependent: :delete, inverse_of: :version, required: false
   has_one :yanker, through: :deletion, source: :user, inverse_of: :yanked_versions, required: false
+  has_many :attestations, dependent: :destroy, inverse_of: :version
 
   before_validation :set_canonical_number, if: :number_changed?
   before_validation :full_nameify!
@@ -47,6 +48,11 @@ class Version < ApplicationRecord # rubocop:disable Metrics/ClassLength
     allow_blank: true
   validates :sha256, :spec_sha256, format: { with: Patterns::BASE64_SHA256_PATTERN }, allow_nil: true
 
+  validates :number, :platform, :gem_platform, :full_name, :gem_full_name, :canonical_number,
+    name_format: { requires_letter: false },
+    if: -> { validation_context == :create || number_changed? || platform_changed? },
+    presence: true
+
   validate :unique_canonical_number, on: :create
   validate :platform_and_number_are_unique, on: :create
   validate :gem_platform_and_number_are_unique, on: :create
diff --git a/app/models/web_hook.rb b/app/models/web_hook.rb
index 21723d0d17d..4dca75e5368 100644
--- a/app/models/web_hook.rb
+++ b/app/models/web_hook.rb
@@ -21,12 +21,12 @@ class WebHook < ApplicationRecord
   scope :disabled, -> { where.not(disabled_at: nil) }
 
   def fire(protocol, host_with_port, version, delayed: true)
-    job = NotifyWebHookJob.new(webhook: self, protocol:, host_with_port:, version:)
+    job = NotifyWebHookJob.new(webhook: self, protocol:, host_with_port:, version:, poll_delivery: !delayed)
 
     if delayed
       job.enqueue
     else
-      job.perform_now
+      job.send(:_perform_job)
     end
   end
 
diff --git a/app/models/webauthn_credential.rb b/app/models/webauthn_credential.rb
index 0d948384839..99ca6b3ce34 100644
--- a/app/models/webauthn_credential.rb
+++ b/app/models/webauthn_credential.rb
@@ -1,9 +1,9 @@
 class WebauthnCredential < ApplicationRecord
   belongs_to :user
 
-  validates :external_id, uniqueness: true, presence: true
-  validates :public_key, presence: true
-  validates :nickname, presence: true, uniqueness: { scope: :user_id }
+  validates :external_id, uniqueness: true, presence: true, length: { maximum: 512 }
+  validates :public_key, presence: true, length: { maximum: 512 }
+  validates :nickname, presence: true, uniqueness: { scope: :user_id }, length: { maximum: 64 }
   validates :sign_count, presence: true, numericality: { greater_than_or_equal_to: 0 }
 
   after_create :send_creation_email
diff --git a/app/models/webauthn_verification.rb b/app/models/webauthn_verification.rb
index 052d8b97925..95b19ae1485 100644
--- a/app/models/webauthn_verification.rb
+++ b/app/models/webauthn_verification.rb
@@ -2,7 +2,7 @@ class WebauthnVerification < ApplicationRecord
   belongs_to :user
 
   validates :user_id, uniqueness: true
-  validates :path_token, presence: true, uniqueness: true
+  validates :path_token, presence: true, uniqueness: true, length: { maximum: 128 }
   validates :path_token_expires_at, presence: true
 
   def expire_path_token
diff --git a/app/policies/admin/github_user_policy.rb b/app/policies/admin/admin/github_user_policy.rb
similarity index 85%
rename from app/policies/admin/github_user_policy.rb
rename to app/policies/admin/admin/github_user_policy.rb
index 91eaabfb6c1..7f2dd7b7b4d 100644
--- a/app/policies/admin/github_user_policy.rb
+++ b/app/policies/admin/admin/github_user_policy.rb
@@ -1,4 +1,4 @@
-class Admin::GitHubUserPolicy < Admin::ApplicationPolicy
+class Admin::Admin::GitHubUserPolicy < Admin::ApplicationPolicy
   class Scope < Admin::ApplicationPolicy::Scope
     # NOTE: Be explicit about which records you allow access to!
     def resolve
diff --git a/app/policies/admin/attestation_policy.rb b/app/policies/admin/attestation_policy.rb
new file mode 100644
index 00000000000..cbbb176ad10
--- /dev/null
+++ b/app/policies/admin/attestation_policy.rb
@@ -0,0 +1,15 @@
+class Admin::AttestationPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
+    def resolve
+      scope.all
+    end
+  end
+
+  def avo_index?
+    true
+  end
+
+  def avo_show?
+    true
+  end
+end
diff --git a/app/policies/admin/events/organization_event_policy.rb b/app/policies/admin/events/organization_event_policy.rb
new file mode 100644
index 00000000000..558bdd4694a
--- /dev/null
+++ b/app/policies/admin/events/organization_event_policy.rb
@@ -0,0 +1,13 @@
+class Admin::Events::OrganizationEventPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
+    def resolve
+      scope.all
+    end
+  end
+
+  has_association :organization
+  has_association :ip_address
+
+  def avo_index? = rubygems_org_admin?
+  def avo_show? = rubygems_org_admin?
+end
diff --git a/app/policies/admin/ip_address_policy.rb b/app/policies/admin/ip_address_policy.rb
index e05baef361d..2f3fca42a56 100644
--- a/app/policies/admin/ip_address_policy.rb
+++ b/app/policies/admin/ip_address_policy.rb
@@ -7,6 +7,7 @@ def resolve
 
   has_association :user_events
   has_association :rubygem_events
+  has_association :organization_events
 
   def avo_index? = rubygems_org_admin?
   def avo_show? = rubygems_org_admin?
diff --git a/app/policies/admin/membership_policy.rb b/app/policies/admin/membership_policy.rb
new file mode 100644
index 00000000000..eb22ee86781
--- /dev/null
+++ b/app/policies/admin/membership_policy.rb
@@ -0,0 +1,11 @@
+class Admin::MembershipPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
+    def resolve
+      scope.all
+    end
+  end
+
+  def avo_show?
+    rubygems_org_admin?
+  end
+end
diff --git a/app/policies/admin/oidc/api_key_role_policy.rb b/app/policies/admin/oidc/api_key_role_policy.rb
index 51f0c3ae0c5..0c3914089b8 100644
--- a/app/policies/admin/oidc/api_key_role_policy.rb
+++ b/app/policies/admin/oidc/api_key_role_policy.rb
@@ -10,7 +10,5 @@ def resolve
 
   def avo_index? = rubygems_org_admin?
   def avo_show? = rubygems_org_admin?
-  def avo_create? = rubygems_org_admin?
-  def avo_update? = rubygems_org_admin?
   def act_on? = rubygems_org_admin?
 end
diff --git a/app/policies/admin/organization_onboarding_invite_policy.rb b/app/policies/admin/organization_onboarding_invite_policy.rb
new file mode 100644
index 00000000000..dcfa8c722b5
--- /dev/null
+++ b/app/policies/admin/organization_onboarding_invite_policy.rb
@@ -0,0 +1,19 @@
+class Admin::OrganizationOnboardingInvitePolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
+    def resolve
+      scope.all
+    end
+  end
+
+  def avo_index?
+    rubygems_org_admin?
+  end
+
+  def avo_show?
+    rubygems_org_admin?
+  end
+
+  def act_on?
+    rubygems_org_admin?
+  end
+end
diff --git a/app/policies/admin/organization_onboarding_policy.rb b/app/policies/admin/organization_onboarding_policy.rb
new file mode 100644
index 00000000000..7a962588828
--- /dev/null
+++ b/app/policies/admin/organization_onboarding_policy.rb
@@ -0,0 +1,21 @@
+class Admin::OrganizationOnboardingPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
+    def resolve
+      scope.all
+    end
+  end
+
+  has_association :organization_onboarding_invites
+
+  def avo_index?
+    rubygems_org_admin?
+  end
+
+  def avo_show?
+    rubygems_org_admin?
+  end
+
+  def act_on?
+    rubygems_org_admin?
+  end
+end
diff --git a/app/policies/admin/organization_policy.rb b/app/policies/admin/organization_policy.rb
new file mode 100644
index 00000000000..12291ad110a
--- /dev/null
+++ b/app/policies/admin/organization_policy.rb
@@ -0,0 +1,22 @@
+class Admin::OrganizationPolicy < Admin::ApplicationPolicy
+  class Scope < Admin::ApplicationPolicy::Scope
+    def resolve
+      scope.all
+    end
+  end
+
+  has_association :memberships
+  has_association :users
+
+  def avo_index?
+    rubygems_org_admin?
+  end
+
+  def avo_show?
+    rubygems_org_admin?
+  end
+
+  def act_on?
+    rubygems_org_admin?
+  end
+end
diff --git a/app/policies/admin/user_policy.rb b/app/policies/admin/user_policy.rb
index 91a1738210f..117f703d5d8 100644
--- a/app/policies/admin/user_policy.rb
+++ b/app/policies/admin/user_policy.rb
@@ -6,22 +6,24 @@ def resolve
     end
   end
 
-  has_association :ownerships
-  has_association :rubygems
-  has_association :subscriptions
-  has_association :subscribed_gems
-  has_association :deletions
-  has_association :web_hooks
-  has_association :unconfirmed_ownerships
   has_association :api_keys
+  has_association :audits
+  has_association :deletions
+  has_association :events
+  has_association :memberships
+  has_association :oidc_api_key_roles
+  has_association :organizations
   has_association :ownership_calls
   has_association :ownership_requests
+  has_association :ownerships
   has_association :pushed_versions
-  has_association :audits
-  has_association :oidc_api_key_roles
+  has_association :rubygems
+  has_association :subscribed_gems
+  has_association :subscriptions
+  has_association :unconfirmed_ownerships
+  has_association :web_hooks
   has_association :webauthn_credentials
   has_association :webauthn_verification
-  has_association :events
 
   def avo_index?
     rubygems_org_admin?
diff --git a/app/policies/api/application_policy.rb b/app/policies/api/application_policy.rb
index 29821e94bed..3d7d9b7f873 100644
--- a/app/policies/api/application_policy.rb
+++ b/app/policies/api/application_policy.rb
@@ -16,12 +16,13 @@ def resolve
     attr_reader :api_key, :scope
   end
 
-  attr_reader :api_key, :record
+  attr_reader :user, :record, :error, :api_key
 
   def initialize(api_key, record)
-    @api_key = api_key
     @user = api_key.user
     @record = record
+    @error = nil
+    @api_key = api_key
   end
 
   def index? = false
@@ -34,7 +35,49 @@ def destroy? = false
 
   private
 
-  def policy!(user, record) = Pundit.policy!(user, record)
-  def user_policy! = policy!(api_key.user, record)
-  def api_key_scope?(...) = api_key.scope?(...)
+  delegate :t, to: I18n
+
+  def deny(error)
+    @error = error
+    false
+  end
+
+  def api_policy!(record)
+    Pundit.policy!(api_key, [:api, record])
+  end
+
+  def user_policy!(record)
+    Pundit.policy!(api_key.user, record)
+  end
+
+  def api_authorized?(record, action)
+    policy = api_policy!(record)
+    policy.send(action) || deny(policy.error)
+  end
+
+  def user_authorized?(record, action)
+    policy = user_policy!(record)
+    policy.send(action) || deny(policy.error)
+  end
+
+  def api_key_scope?(scope, rubygem = nil)
+    api_key.scope?(scope, rubygem) || deny(t(:api_key_insufficient_scope))
+  end
+
+  def mfa_requirement_satisfied?(rubygem = nil)
+    if rubygem && !rubygem.mfa_requirement_satisfied_for?(user)
+      deny t("multifactor_auths.api.mfa_required")
+    elsif user&.mfa_required_not_yet_enabled?
+      deny t("multifactor_auths.api.mfa_required_not_yet_enabled").chomp
+    elsif user&.mfa_required_weak_level_enabled?
+      deny t("multifactor_auths.api.mfa_required_weak_level_enabled").chomp
+    else
+      true
+    end
+  end
+
+  def user_api_key?
+    return true if user
+    deny t(:api_key_forbidden)
+  end
 end
diff --git a/app/policies/api/nil_class_policy.rb b/app/policies/api/nil_class_policy.rb
new file mode 100644
index 00000000000..820bb9d6e89
--- /dev/null
+++ b/app/policies/api/nil_class_policy.rb
@@ -0,0 +1,11 @@
+class Api::NilClassPolicy < ApplicationPolicy
+  class Scope < ApplicationPolicy::Scope
+    def resolve
+      raise Pundit::NotDefinedError, "Cannot scope NilClass"
+    end
+  end
+
+  def destroy?
+    false
+  end
+end
diff --git a/app/policies/api/oidc/rubygem_trusted_publisher_policy.rb b/app/policies/api/oidc/rubygem_trusted_publisher_policy.rb
deleted file mode 100644
index 9723db57fee..00000000000
--- a/app/policies/api/oidc/rubygem_trusted_publisher_policy.rb
+++ /dev/null
@@ -1,24 +0,0 @@
-class Api::OIDC::RubygemTrustedPublisherPolicy < Api::ApplicationPolicy
-  class Scope < Api::ApplicationPolicy::Scope
-  end
-
-  delegate :rubygem, to: :record
-
-  def show?
-    can_configure_trusted_publishers? && user_policy!.show?
-  end
-
-  def create?
-    can_configure_trusted_publishers? && user_policy!.create?
-  end
-
-  def destroy?
-    can_configure_trusted_publishers? && user_policy!.destroy?
-  end
-
-  private
-
-  def can_configure_trusted_publishers?
-    api_key_scope?(:configure_trusted_publishers, rubygem)
-  end
-end
diff --git a/app/policies/api/ownership_policy.rb b/app/policies/api/ownership_policy.rb
new file mode 100644
index 00000000000..464b2376bf0
--- /dev/null
+++ b/app/policies/api/ownership_policy.rb
@@ -0,0 +1,11 @@
+class Api::OwnershipPolicy < Api::ApplicationPolicy
+  class Scope < Api::ApplicationPolicy::Scope
+  end
+
+  delegate :rubygem, to: :record
+
+  def update?
+    api_authorized?(rubygem, :update_owner?) &&
+      user_authorized?(record, :update?)
+  end
+end
diff --git a/app/policies/api/rubygem_policy.rb b/app/policies/api/rubygem_policy.rb
index 9c52e5273b6..690ede046c3 100644
--- a/app/policies/api/rubygem_policy.rb
+++ b/app/policies/api/rubygem_policy.rb
@@ -4,7 +4,46 @@ class Scope < Api::ApplicationPolicy::Scope
 
   alias rubygem record
 
-  def show_trusted_publishers?
-    api_key_scope?(:configure_trusted_publishers, rubygem) && user_policy!.show_trusted_publishers?
+  def index?
+    api_key_scope?(:index_rubygems)
+  end
+
+  def create?
+    mfa_requirement_satisfied? &&
+      api_key_scope?(:push_rubygem)
+  end
+
+  def yank?
+    user_api_key? &&
+      mfa_requirement_satisfied?(rubygem) &&
+      api_key_scope?(:yank_rubygem, rubygem)
+  end
+
+  def add_owner?
+    user_api_key? &&
+      mfa_requirement_satisfied?(rubygem) &&
+      api_key_scope?(:add_owner, rubygem) &&
+      user_authorized?(rubygem, :add_owner?)
+  end
+
+  def update_owner?
+    user_api_key? &&
+      mfa_requirement_satisfied?(rubygem) &&
+      api_key_scope?(:update_owner, rubygem) &&
+      user_authorized?(rubygem, :update_owner?)
+  end
+
+  def remove_owner?
+    user_api_key? &&
+      mfa_requirement_satisfied?(rubygem) &&
+      api_key_scope?(:remove_owner, rubygem) &&
+      user_authorized?(rubygem, :remove_owner?)
+  end
+
+  def configure_trusted_publishers?
+    user_api_key? &&
+      mfa_requirement_satisfied?(rubygem) &&
+      api_key_scope?(:configure_trusted_publishers, rubygem) &&
+      user_authorized?(rubygem, :configure_trusted_publishers?)
   end
 end
diff --git a/app/policies/api/web_hook_policy.rb b/app/policies/api/web_hook_policy.rb
new file mode 100644
index 00000000000..51f8ea73473
--- /dev/null
+++ b/app/policies/api/web_hook_policy.rb
@@ -0,0 +1,28 @@
+class Api::WebHookPolicy < Api::ApplicationPolicy
+  class Scope < Api::ApplicationPolicy::Scope
+  end
+
+  delegate :rubygem, to: :record
+
+  def index?
+    can_access_webhooks?
+  end
+
+  def create?
+    can_access_webhooks?(rubygem)
+  end
+
+  def fire?
+    can_access_webhooks?(rubygem)
+  end
+
+  def remove?
+    can_access_webhooks?(rubygem)
+  end
+
+  private
+
+  def can_access_webhooks?(rubygem = nil)
+    api_key_scope?(:access_webhooks, rubygem)
+  end
+end
diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
index 3f25a3cede5..45051f2f443 100644
--- a/app/policies/application_policy.rb
+++ b/app/policies/application_policy.rb
@@ -18,11 +18,12 @@ def resolve
     attr_reader :user, :scope
   end
 
-  attr_reader :user, :record
+  attr_reader :user, :record, :error
 
   def initialize(user, record)
     @user = user
     @record = record
+    @error = nil
   end
 
   def index?
@@ -59,7 +60,44 @@ def search?
 
   private
 
+  delegate :t, to: I18n
+
+  def deny(error = t(:forbidden))
+    @error = error
+    false
+  end
+
+  def allow
+    @error = nil
+    true
+  end
+
   def current_user?(record_user)
     user && user == record_user
   end
+
+  def rubygem_owned_by?(user)
+    rubygem.owned_by?(user) ||
+      organization_member_with_role?(user, :maintainer) ||
+      deny(t(:forbidden))
+  end
+
+  def rubygem_owned_by_with_role?(user, minimum_required_role:, minimum_required_org_role: :owner)
+    organization_member_with_role?(user, minimum_required_org_role) ||
+      rubygem.owned_by_with_role?(user, minimum_required_role) ||
+      deny(t(:forbidden))
+  end
+
+  def organization_member_with_role?(user, minimum_role)
+    return false unless respond_to?(:organization) && organization.present?
+    organization.memberships.where(user: user).with_minimum_role(minimum_role).exists?
+  end
+
+  def policy!(user, record) = Pundit.policy!(user, record)
+  def user_policy!(record) = policy!(user, record)
+
+  def user_authorized?(record, action)
+    policy = user_policy!(record)
+    policy.send(action) || deny(policy.error)
+  end
 end
diff --git a/app/policies/membership_policy.rb b/app/policies/membership_policy.rb
new file mode 100644
index 00000000000..2d77fcf4631
--- /dev/null
+++ b/app/policies/membership_policy.rb
@@ -0,0 +1,23 @@
+class MembershipPolicy < ApplicationPolicy
+  class Scope < ApplicationPolicy::Scope
+  end
+
+  alias membership record
+  delegate :organization, to: :membership
+
+  def create?
+    minimum_required_role = membership.owner? ? :owner : :admin
+    organization_member_with_role?(user, minimum_required_role) || deny(t(:forbidden))
+  end
+
+  def update?
+    minimum_required_role = :owner if membership.role_was.to_s == "owner" || membership.owner?
+    minimum_required_role ||= :admin
+    organization_member_with_role?(user, minimum_required_role) || deny(t(:forbidden))
+  end
+
+  def destroy?
+    minimum_required_role = membership.owner? ? :owner : :admin
+    organization_member_with_role?(user, minimum_required_role) || deny(t(:forbidden))
+  end
+end
diff --git a/app/policies/oidc/rubygem_trusted_publisher_policy.rb b/app/policies/oidc/rubygem_trusted_publisher_policy.rb
index 8d1400908af..cbd7896e834 100644
--- a/app/policies/oidc/rubygem_trusted_publisher_policy.rb
+++ b/app/policies/oidc/rubygem_trusted_publisher_policy.rb
@@ -5,14 +5,14 @@ class Scope < ApplicationPolicy::Scope
   delegate :rubygem, to: :record
 
   def show?
-    rubygem.owned_by?(user)
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner, minimum_required_org_role: :admin)
   end
 
   def create?
-    rubygem.owned_by?(user)
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner, minimum_required_org_role: :admin)
   end
 
   def destroy?
-    rubygem.owned_by?(user)
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner, minimum_required_org_role: :admin)
   end
 end
diff --git a/app/policies/organization_onboarding_policy.rb b/app/policies/organization_onboarding_policy.rb
new file mode 100644
index 00000000000..7ef1e546c8e
--- /dev/null
+++ b/app/policies/organization_onboarding_policy.rb
@@ -0,0 +1,4 @@
+class OrganizationOnboardingPolicy < ApplicationPolicy
+  class Scope < ApplicationPolicy::Scope
+  end
+end
diff --git a/app/policies/organization_policy.rb b/app/policies/organization_policy.rb
new file mode 100644
index 00000000000..2dc35c3e1c6
--- /dev/null
+++ b/app/policies/organization_policy.rb
@@ -0,0 +1,38 @@
+class OrganizationPolicy < ApplicationPolicy
+  class Scope < ApplicationPolicy::Scope
+  end
+
+  alias organization record
+
+  def show?
+    true
+  end
+
+  def update?
+    organization_member_with_role?(user, :owner) || deny(t(:forbidden))
+  end
+
+  def create?
+    true
+  end
+
+  def add_gem?
+    organization_member_with_role?(user, :admin) || deny(t(:forbidden))
+  end
+
+  def remove_gem?
+    organization_member_with_role?(user, :owner) || deny(t(:forbidden))
+  end
+
+  def manage_memberships?
+    organization_member_with_role?(user, :admin) || deny(t(:forbidden))
+  end
+
+  def list_memberships?
+    organization_member_with_role?(user, :maintainer) || deny(t(:forbidden))
+  end
+
+  def destroy?
+    false # For now organizations cannot be deleted
+  end
+end
diff --git a/app/policies/ownership_call_policy.rb b/app/policies/ownership_call_policy.rb
index b5f74a089b2..dafeff928cc 100644
--- a/app/policies/ownership_call_policy.rb
+++ b/app/policies/ownership_call_policy.rb
@@ -5,10 +5,10 @@ class Scope < ApplicationPolicy::Scope
   delegate :rubygem, to: :record
 
   def create?
-    rubygem.owned_by?(user) && current_user?(record.user)
+    user_authorized?(rubygem, :manage_adoption?)
   end
 
   def close?
-    rubygem.owned_by?(user)
+    user_authorized?(rubygem, :manage_adoption?)
   end
 end
diff --git a/app/policies/ownership_policy.rb b/app/policies/ownership_policy.rb
index a0ba9d4fac6..ad31e15c265 100644
--- a/app/policies/ownership_policy.rb
+++ b/app/policies/ownership_policy.rb
@@ -5,10 +5,16 @@ class Scope < ApplicationPolicy::Scope
   delegate :rubygem, to: :record
 
   def create?
-    rubygem.owned_by?(user) && current_user?(record.authorizer)
+    policy!(user, rubygem).add_owner?
   end
 
+  def update?
+    return deny(t("owners.update.update_current_user_role")) if current_user?(record.user)
+    policy!(user, rubygem).update_owner?
+  end
+  alias edit? update?
+
   def destroy?
-    rubygem.owned_by?(user)
+    policy!(user, rubygem).remove_owner?
   end
 end
diff --git a/app/policies/ownership_request_policy.rb b/app/policies/ownership_request_policy.rb
index 88b16d29323..c1db2e38200 100644
--- a/app/policies/ownership_request_policy.rb
+++ b/app/policies/ownership_request_policy.rb
@@ -5,14 +5,14 @@ class Scope < ApplicationPolicy::Scope
   delegate :rubygem, to: :record
 
   def create?
-    current_user?(record.user) && Pundit.policy!(user, rubygem).request_ownership?
+    current_user?(record.user) && user_authorized?(rubygem, :request_ownership?)
   end
 
   def approve?
-    rubygem.owned_by?(user)
+    rubygem_owned_by?(user)
   end
 
   def close?
-    current_user?(record.user) || rubygem.owned_by?(user)
+    current_user?(record.user) || rubygem_owned_by?(user)
   end
 end
diff --git a/app/policies/rubygem_policy.rb b/app/policies/rubygem_policy.rb
index ef7dde21fd7..41d761d014c 100644
--- a/app/policies/rubygem_policy.rb
+++ b/app/policies/rubygem_policy.rb
@@ -5,6 +5,9 @@ class Scope < ApplicationPolicy::Scope
   ABANDONED_RELEASE_AGE = 1.year
   ABANDONED_DOWNLOADS_MAX = 10_000
 
+  alias rubygem record
+  delegate :organization, to: :rubygem
+
   def show?
     true
   end
@@ -21,31 +24,50 @@ def destroy?
     false
   end
 
-  def show_adoption?
-    record.owned_by?(user) || request_ownership?
+  def configure_oidc?
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner, minimum_required_org_role: :admin)
   end
 
-  def show_events?
-    record.owned_by?(user)
+  def configure_trusted_publishers?
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner, minimum_required_org_role: :admin)
+  end
+
+  def manage_adoption?
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner)
   end
 
   def request_ownership?
-    return false if record.owned_by?(user)
-    return true if record.ownership_calls.any?
-    return false if record.downloads >= ABANDONED_DOWNLOADS_MAX
-    return false unless record.latest_version&.created_at&.before?(ABANDONED_RELEASE_AGE.ago)
-    true
+    return allow if rubygem.ownership_calls.any?
+    return false if rubygem.downloads >= ABANDONED_DOWNLOADS_MAX
+    return false if rubygem.latest_version.nil? || rubygem.latest_version.created_at.after?(ABANDONED_RELEASE_AGE.ago)
+    allow
   end
 
-  def close_ownership_requests?
-    record.owned_by?(user)
+  def show_adoption?
+    manage_adoption? || request_ownership?
+  end
+
+  def show_events?
+    rubygem_owned_by?(user)
   end
 
-  def show_trusted_publishers?
-    record.owned_by?(user)
+  def close_ownership_requests?
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner)
   end
 
   def show_unconfirmed_ownerships?
-    record.owned_by?(user)
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner, minimum_required_org_role: :admin)
+  end
+
+  def add_owner?
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner)
+  end
+
+  def update_owner?
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner)
+  end
+
+  def remove_owner?
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner)
   end
 end
diff --git a/app/views/adoptions/index.html.erb b/app/views/adoptions/index.html.erb
index 48afcc14296..7d6ae93012f 100644
--- a/app/views/adoptions/index.html.erb
+++ b/app/views/adoptions/index.html.erb
@@ -3,7 +3,7 @@
 <% content_for :title do %>
   <h1 class="t-display page__heading page__heading--small">
     <%= t('.title') %>
-    <% if @rubygem.owned_by?(current_user) %>
+    <% if policy(@rubygem).manage_adoption? %>
       <i class="page__subheading page__subheading--block"><%= t(".subtitle_owner_html", gem: @rubygem.name) %></i>
     <% else %>
       <i class="page__subheading page__subheading--block"><%= t(".subtitle_user_html", gem: @rubygem.name) %></i>
@@ -24,12 +24,12 @@
       <strong><%= t("ownership_calls.created_by") %>:</strong>
       <%= link_to @ownership_call.user_display_handle, profile_path(@ownership_call.user), class: "t-text t-link" %>
     </p>
-    <% if @ownership_call.rubygem.owned_by?(current_user) %>
+    <% if policy(@ownership_call).close? %>
       <%= button_to t("ownership_calls.close"), close_rubygem_ownership_calls_path(@ownership_call.rubygem.slug), method: :patch, class: "form__submit form__submit--medium" %>
     <% end %>
   </div>
 
-<% elsif @rubygem.owned_by?(current_user) %>
+<% elsif policy(@rubygem).manage_adoption? %>
   <%= render partial: "ownership_calls/form", locals: { gem: @rubygem.name } %>
 <% else %>
   <div class="t-list__item">
diff --git a/app/views/api_keys/index.html.erb b/app/views/api_keys/index.html.erb
index c4ace3d48fe..c1816ee1a9c 100644
--- a/app/views/api_keys/index.html.erb
+++ b/app/views/api_keys/index.html.erb
@@ -9,6 +9,12 @@
   </div>
 <% end %>
 
+<header class="gems__header">
+  <p class="gems__meter">
+    <%= page_entries_info @api_keys, entry_name: 'API keys' %>
+  </p>
+</header>
+
 <div class="t-body">
   <table class="owners__table">
     <tr class="owners__row owners__header">
@@ -85,6 +91,7 @@
         </td>
       </tr>
     <% end %>
+
     <tr class="owners__row">
       <td class="owners__cell">
       </td>
@@ -114,6 +121,8 @@
     </tr>
   </table>
 
+  <%= paginate @api_keys %>
+
   <p><%= button_to t(".new_key"), new_profile_api_key_path, method: "get", class: "form__submit" %></p>
   <% if current_user.oidc_api_key_roles.any? %>
     <h2 class="t-display"><%= link_to t("oidc.api_key_roles.index.api_key_roles"), profile_oidc_api_key_roles_path, class: "t-link t-underline" %> →</h2>
diff --git a/app/views/avo/login.html.erb b/app/views/avo/login.html.erb
index 3c119593efb..d3f04dca01f 100644
--- a/app/views/avo/login.html.erb
+++ b/app/views/avo/login.html.erb
@@ -13,7 +13,7 @@
       </div>
       <div class="content">
         <p>To reach the admin panel, please log in via GitHub.</p>
-        <%= form_tag ActionDispatch::Http::URL.path_for(path: '/oauth/github', params: { origin: request.fullpath }) do %>
+        <%= form_tag ActionDispatch::Http::URL.path_for(path: '/oauth/github', params: { origin: request.fullpath }, data: { turbo: false }) do %>
           <button id="github-login" type="submit" autofocus>
             <svg viewBox="0 0 16 16" height="48" width="48" focusable="false" role="img" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
               <path d="M8 0C3.58 0 0 3.58 0 8c0 3.54 2.29 6.53 5.47 7.59.4.07.55-.17.55-.38 0-.19-.01-.82-.01-1.49-2.01.37-2.53-.49-2.69-.94-.09-.23-.48-.94-.82-1.13-.28-.15-.68-.52-.01-.53.63-.01 1.08.58 1.23.82.72 1.21 1.87.87 2.33.66.07-.52.28-.87.51-1.07-1.78-.2-3.64-.89-3.64-3.95 0-.87.31-1.59.82-2.15-.08-.2-.36-1.02.08-2.12 0 0 .67-.21 2.2.82.64-.18 1.32-.27 2-.27.68 0 1.36.09 2 .27 1.53-1.04 2.2-.82 2.2-.82.44 1.1.16 1.92.08 2.12.51.56.82 1.27.82 2.15 0 3.07-1.87 3.75-3.65 3.95.29.25.54.73.54 1.48 0 1.07-.01 1.93-.01 2.2 0 .21.15.46.55.38A8.012 8.012 0 0 0 16 8c0-4.42-3.58-8-8-8z"></path>
@@ -22,7 +22,7 @@
           </button>
         <% end %>
 
-        <% if Gemcutter::ENABLE_DEVELOPMENT_ADMIN_LOG_IN %>
+        <% if Gemcutter::ENABLE_DEVELOPMENT_LOG_IN %>
           <p>Since this is development mode, you can choose any admin from the list below to log in as that admin.</p>
           <% if Admin::GitHubUser.any? %>
             <ul class="admin-list">
diff --git a/app/views/components/alert_component.rb b/app/views/components/alert_component.rb
new file mode 100644
index 00000000000..6c5952c423b
--- /dev/null
+++ b/app/views/components/alert_component.rb
@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+class AlertComponent < ApplicationComponent
+  attr_reader :style, :closeable
+
+  def initialize(style: :notice, closeable: false)
+    super()
+    @style = style.to_sym
+    @style = :notice if @style == :notice_html
+    @style = :neutral unless STYLES.key?(@style)
+    @closeable = closeable
+  end
+
+  def view_template(&)
+    color, icon_color, icon = STYLES.fetch(style)
+    data = { controller: "reveal", reveal_target: "item" } if closeable
+    p(data:, class: "flex flex-row items-center p-4 mb-10 rounded border text-b2 #{color} justify-between") do
+      span(class: "flex flex-row items-center") do
+        unsafe_raw helpers.icon_tag(icon, size: 8, class: "#{icon_color} mr-3 h-8 w-8")
+        span(class: "align-middle", &)
+      end
+      if closeable
+        button(data: { action: "click->reveal#hide" }, title: t("hide"), class: "h-8 w-8 ml-6 items-center justify-center outline-none") do
+          unsafe_raw helpers.icon_tag("close", class: "w-6 h-6", aria: { label: t("hide") })
+        end
+      end
+    end
+  end
+
+  COLORS = {
+    orange:  "border-orange-500 bg-orange-200 text-neutral-800 " \
+             "dark:bg-orange-900 dark:text-white",
+    yellow:  "border-yellow-500 bg-yellow-200 text-neutral-800 " \
+             "dark:bg-yellow-900 dark:text-white",
+    blue:    "border-blue-500 bg-blue-200 text-neutral-800 " \
+             "dark:bg-blue-900 dark:text-white",
+    green:   "border-green-500 bg-green-200 text-neutral-800 " \
+             "dark:bg-green-900 dark:text-white",
+    red:     "border-red-500 bg-red-200 text-neutral-800 " \
+             "dark:bg-red-900 dark:text-white",
+    neutral: "border-neutral-500 bg-neutral-200 text-neutral-800 " \
+             "dark:bg-neutral-900 dark:text-white"
+  }.freeze
+
+  ICON_COLORS = {
+    orange:  "fill-orange-500",
+    yellow:  "fill-yellow-600",
+    blue:    "fill-blue-500",
+    green:   "fill-green-500",
+    red:     "fill-red-400",
+    neutral: "fill-neutral-800 dark:fill-neutral-500"
+  }.freeze
+
+  STYLES = {
+    error:   [COLORS[:red],     ICON_COLORS[:red],     "error"],
+    alert:   [COLORS[:yellow],  ICON_COLORS[:yellow],  "warning"],
+    notice:  [COLORS[:blue],    ICON_COLORS[:blue],    "arrow-circle-right"],
+    success: [COLORS[:green],   ICON_COLORS[:green],   "check-circle"],
+    primary: [COLORS[:orange],  ICON_COLORS[:orange],  "arrow-circle-right"],
+    neutral: [COLORS[:neutral], ICON_COLORS[:neutral], "arrow-circle-right"]
+  }.freeze
+end
diff --git a/app/views/components/application_component.rb b/app/views/components/application_component.rb
index 75773f70368..8e8d1aa0d40 100644
--- a/app/views/components/application_component.rb
+++ b/app/views/components/application_component.rb
@@ -2,6 +2,7 @@
 
 class ApplicationComponent < Phlex::HTML
   include Phlex::Rails::Helpers::Routes
+  extend PropInitializer::Properties
 
   class TranslationHelper
     include ActionView::Helpers::TranslationHelper
diff --git a/app/views/components/button_component.rb b/app/views/components/button_component.rb
new file mode 100644
index 00000000000..ff8e572a621
--- /dev/null
+++ b/app/views/components/button_component.rb
@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+class ButtonComponent < ApplicationComponent
+  include Phlex::Rails::Helpers::LinkTo
+  include Phlex::Rails::Helpers::ButtonTo
+
+  attr_reader :args, :type, :options, :color, :size, :style
+
+  def initialize(*args, type: :button, size: :large, color: :primary, style: :fill, **options) # rubocop:disable Metrics/ParameterLists
+    super()
+    @args = args
+    @type = type
+    @size = size
+    @color = color
+    @style = style
+    @options = options
+    @options[:name] ||= nil
+  end
+
+  def view_template(&block)
+    css = "text-nowrap no-underline " \
+          "rounded inline-flex border-box " \
+          "justify-content-center items-center hover:shadow-md " \
+          "#{DISABLED} disabled:cursor-default disabled:hover:shadow-none " \
+          "transition duration-200 ease-in-out focus:outline-none " \
+          "#{button_color(color, style)} #{button_size(size)} #{options.delete(:class)}"
+
+    if type == :link
+      link_to(*args, class: css, **options, &block)
+    elsif (args.size == 1 && block_given?) || args.size == 2
+      button_to(*args, class: css, method: :get, **options, &block)
+    else
+      block ||= proc { args.first }
+      button(class: css, type:, **options, &block)
+    end
+  end
+
+  private
+
+  def button_color(color, style)
+    color = color.to_sym
+    color = :orange if color == :primary
+    color = :hammy if color == :secondary
+    STYLES[style][color]
+  end
+
+  def button_size(size)
+    case size
+    when :small # 36px height
+      "px-4 py-3 h-9 min-h-9 text-b3"
+    else # :large, 44px height
+      "px-4 py-3 h-12 min-h-12 text-b2"
+    end
+  end
+
+  DISABLED = "disabled:bg-neutral-200 disabled:border-neutral-200 disabled:text-neutral-600 " \
+             "dark:disabled:bg-neutral-800 dark:disabled:border-neutral-800 dark:disabled:text-neutral-600"
+
+  FILL_BUTTON_COLOR = {
+    red:     "text-white bg-red-500 hover:bg-red-600 active:bg-red-600 " \
+             "dark:bg-red-500 dark:hover:bg-red-600 dark:active:bg-red-600",
+    orange:  "text-white bg-orange-500 hover:bg-orange-600 active:bg-orange-600 " \
+             "dark:bg-orange-500 dark:hover:bg-orange-700 dark:active:bg-orange-700",
+    hammy:   "text-orange-900 bg-orange-200 hover:bg-orange-300 active:bg-orange-300 " \
+             "dark:text-white dark:bg-orange-800 dark:hover:bg-orange-900 dark:active:bg-orange-900",
+    yellow:  "text-neutral-800 bg-yellow-500 hover:bg-yellow-600 active:bg-yellow-600 " \
+             "dark:text-white dark:bg-yellow-500 dark:hover:bg-yellow-600 dark:active:bg-yellow-600",
+    green:   "text-white bg-green-500 hover:bg-green-600 active:bg-green-600 " \
+             "dark:bg-green-500 dark:hover:bg-green-700 dark:active:bg-green-700",
+    blue:    "text-white bg-blue-500 hover:bg-blue-600 active:bg-blue-600 " \
+             "dark:bg-blue-500 dark:hover:bg-blue-700 dark:active:bg-blue-700",
+    neutral: "text-white bg-neutral-700 hover:bg-neutral-600 active:bg-neutral-600 " \
+             "dark:bg-neutral-700 dark:hover:bg-neutral-800 dark:active:bg-neutral-800"
+  }.freeze
+
+  PLAIN_BUTTON_COLOR = {
+    red:     "text-red-500 hover:bg-red-500/5 active:bg-red-500/10 " \
+             "dark:hover:bg-red-500/15 dark:active:bg-red-500/25 ",
+    orange:  "text-orange-500 hover:bg-orange-500/5 active:bg-orange-500/10 " \
+             "dark:hover:bg-orange-500/15 dark:active:bg-orange-500/25 ",
+    hammy:   "text-orange-800 hover:bg-orange-200/15 active:bg-orange-200/25 " \
+             "dark:text-orange-200 dark:hover:bg-orange-200/15 dark:active:bg-orange-200/25 ",
+    yellow:  "text-yellow-500 hover:bg-yellow-500/5 active:bg-yellow-500/10 " \
+             "dark:hover:bg-yellow-500/15 dark:active:bg-yellow-500/25 ",
+    green:   "text-green-500 hover:bg-green-500/5 active:bg-green-500/10 " \
+             "dark:hover:bg-green-500/15 dark:active:bg-green-500/25 ",
+    blue:    "text-blue-500 hover:bg-blue-500/5 active:bg-blue-500/10 " \
+             "dark:hover:bg-blue-500/15 dark:active:bg-blue-500/25 ",
+    neutral: "text-neutral-700 hover:bg-neutral-700/5 active:bg-neutral-700/10 " \
+             "dark:text-white dark:hover:bg-white/15 dark:active:bg-white/25"
+  }.freeze
+
+  OUTLINE_BUTTON_COLOR = {
+    red:     "#{PLAIN_BUTTON_COLOR[:red]} border-2 border-red-500",
+    orange:  "#{PLAIN_BUTTON_COLOR[:orange]} border-2 border-orange-500",
+    hammy:   "#{PLAIN_BUTTON_COLOR[:hammy]} border-2 border-orange-800 dark:border-orange-200",
+    yellow:  "#{PLAIN_BUTTON_COLOR[:yellow]} border-2 border-yellow-500",
+    green:   "#{PLAIN_BUTTON_COLOR[:green]} border-2 border-green-500",
+    blue:    "#{PLAIN_BUTTON_COLOR[:blue]} border-2 border-blue-500",
+    neutral: "#{PLAIN_BUTTON_COLOR[:neutral]} border-2 border-neutral-700 dark:border-white"
+  }.freeze
+
+  STYLES = {
+    fill: FILL_BUTTON_COLOR,
+    outline: OUTLINE_BUTTON_COLOR,
+    plain: PLAIN_BUTTON_COLOR
+  }.freeze
+end
diff --git a/app/views/components/card/timeline_component.rb b/app/views/components/card/timeline_component.rb
new file mode 100644
index 00000000000..7f7ec86885e
--- /dev/null
+++ b/app/views/components/card/timeline_component.rb
@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+class Card::TimelineComponent < ApplicationComponent
+  include Phlex::Rails::Helpers::LinkTo
+  include Phlex::Rails::Helpers::TimeAgoInWords
+
+  def view_template(&)
+    div(class: "flex grow ml-2 md:-ml-2 border-l-2 border-neutral-300") do
+      div(class: "flex flex-col grow -mt-2", &)
+    end
+  end
+
+  def timeline_item(datetime, user_link = nil, &)
+    # this block is shifted left to align the dots with the line
+    div(class: "flex items-start -ml-2 mb-4") do
+      # Dot
+      div(class: "relative z-10 top-0.5 left-[1px] w-3 h-3 bg-orange-600 rounded-full flex-shrink-0 mt-1")
+
+      # Content
+      div(class: "flex-1 flex-col ml-5 md:ml-7 pb-4 border-b border-neutral-300 dark:border-neutral-700") do
+        div(class: "flex items-center justify-between") do
+          span(class: "text-b3 text-neutral-600") { t("time_ago", duration: time_ago_in_words(datetime)) }
+          span(class: "text-b3 text-neutral-800") { user_link } if user_link
+        end
+
+        div(class: "flex flex-wrap w-full items-center justify-between", &)
+      end
+    end
+  end
+end
diff --git a/app/views/components/card_component.rb b/app/views/components/card_component.rb
new file mode 100644
index 00000000000..fec79c3f747
--- /dev/null
+++ b/app/views/components/card_component.rb
@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+class CardComponent < ApplicationComponent
+  include Phlex::Rails::Helpers::LinkTo
+
+  def view_template(&)
+    color = "bg-white dark:bg-black border border-neutral-200 dark:border-neutral-800 text-neutral-900 dark:text-white "
+    box = "w-full px-4 py-6 md:p-10 mb-10 rounded-md shadow overflow-hidden"
+    article(**classes(color, box), &)
+  end
+
+  def head(title = nil, icon: nil, count: nil, url: nil, **options, &block)
+    block ||= proc do
+      title(title, icon:, count:)
+      a(href: url, class: "text-sm text-orange-500 hover:underline") { t("view_all") } if url
+    end
+    options[:class] = "#{options[:class]} flex justify-between items-center -mx-10 px-10 pb-8"
+    div(**options, &block)
+  end
+
+  def title(title, icon: nil, count: nil)
+    h3(class: "flex items-center text-lg space-x-2") do
+      render_icon(icon, class: "fill-orange") if icon
+      span(class: "font-semibold") { title }
+      # when count is 0, don't show the count because it's more confusing than helpful
+      span(class: "font-light text-neutral-600") { count } unless count.to_i.zero?
+    end
+  end
+
+  def with_list(items, &)
+    list do
+      items.each do |item|
+        list_item do
+          yield(item)
+        end
+      end
+    end
+  end
+
+  def list(**options, &)
+    options[:class] = "#{options[:class]} -mx-4"
+    ul(**options, &)
+  end
+
+  def divided_list(**options, &)
+    options[:class] = "#{options[:class]} -mx-4 divide-y divide-neutral-200 dark:divide-neutral-800"
+    ul(**options, &)
+  end
+
+  def list_item(**options, &)
+    options[:class] = "#{options[:class]} #{LIST_ITEM_CLASSES}"
+    li(**options, &)
+  end
+
+  def list_item_to(url = nil, **options, &)
+    options[:class] = "#{options[:class]} #{LIST_ITEM_CLASSES}"
+    li do
+      link_to(url, **options) do
+        span(class: "flex-1", &)
+        render_icon("arrow-forward-ios", class: "w-8 h-8 ml-2 -mr-2 text-neutral-800 dark:text-white fill-current")
+      end
+    end
+  end
+
+  # removes padding inside the "content" area of the card so scroll bar and overflaw appear correctly
+  # adds a border to the top of the scrollable area to explain the content being hidden on scroll
+  def scrollable(**options, &)
+    options[:class] = "#{options[:class]} lg:max-h-96 lg:overflow-y-auto"
+    options[:class] << " -mx-4 -mb-6 md:-mx-10 md:-mb-10"
+    options[:class] << " border-t border-neutral-200 dark:border-neutral-800"
+    div(**options) do
+      div(class: "px-4 pt-6 md:px-10 md:pt-10", &)
+    end
+  end
+
+  private
+
+  LIST_ITEM_CLASSES = "flex w-full px-4 py-3 " \
+                      "items-center md:rounded " \
+                      "hover:bg-neutral-100 dark:hover:bg-neutral-800"
+
+  def render_icon(name, size: 8, **)
+    unsafe_raw helpers.icon_tag(name, size: size, **)
+  end
+end
diff --git a/app/views/components/events/table_component.rb b/app/views/components/events/table_component.rb
index e6955d33857..ea1fef7b768 100644
--- a/app/views/components/events/table_component.rb
+++ b/app/views/components/events/table_component.rb
@@ -12,9 +12,7 @@ class Events::TableComponent < ApplicationComponent
   register_value_helper :page_entries_info
   register_value_helper :paginate
 
-  extend Dry::Initializer
-
-  option :security_events
+  prop :security_events, reader: :public
 
   def view_template
     header(class: "gems__header push--s") do
diff --git a/app/views/components/events/table_details_component.rb b/app/views/components/events/table_details_component.rb
index c97cf39ae79..49e07e748ce 100644
--- a/app/views/components/events/table_details_component.rb
+++ b/app/views/components/events/table_details_component.rb
@@ -1,7 +1,7 @@
 class Events::TableDetailsComponent < ApplicationComponent
-  extend Dry::Initializer
+  extend PropInitializer::Properties
 
-  option :event
+  prop :event, reader: :public
   delegate :additional, :rubygem, to: :event
 
   def view_template
diff --git a/app/views/components/oidc/api_key_role/table_component.rb b/app/views/components/oidc/api_key_role/table_component.rb
index dce49298fb9..e00a87474eb 100644
--- a/app/views/components/oidc/api_key_role/table_component.rb
+++ b/app/views/components/oidc/api_key_role/table_component.rb
@@ -2,9 +2,8 @@
 
 class OIDC::ApiKeyRole::TableComponent < ApplicationComponent
   include Phlex::Rails::Helpers::LinkTo
-  extend Dry::Initializer
 
-  option :api_key_roles
+  prop :api_key_roles, reader: :public
 
   def view_template
     table(class: "t-body") do
diff --git a/app/views/components/oidc/id_token/key_value_pairs_component.rb b/app/views/components/oidc/id_token/key_value_pairs_component.rb
index ed71fe2d19f..8052eb446ad 100644
--- a/app/views/components/oidc/id_token/key_value_pairs_component.rb
+++ b/app/views/components/oidc/id_token/key_value_pairs_component.rb
@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
 class OIDC::IdToken::KeyValuePairsComponent < ApplicationComponent
-  extend Dry::Initializer
-  option :pairs
+  prop :pairs, reader: :public
 
   def view_template
     dl(class: "t-body provider_attributes full-width overflow-wrap") do
diff --git a/app/views/components/oidc/id_token/table_component.rb b/app/views/components/oidc/id_token/table_component.rb
index da8b45b90a0..8c8541afdf8 100644
--- a/app/views/components/oidc/id_token/table_component.rb
+++ b/app/views/components/oidc/id_token/table_component.rb
@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
 class OIDC::IdToken::TableComponent < ApplicationComponent
-  extend Dry::Initializer
-  option :id_tokens
+  prop :id_tokens, reader: :public
 
   include Phlex::Rails::Helpers::TimeTag
   include Phlex::Rails::Helpers::LinkToUnlessCurrent
diff --git a/app/views/components/oidc/trusted_publisher/github_action/form_component.rb b/app/views/components/oidc/trusted_publisher/github_action/form_component.rb
index 677f57c0a45..de52e3282be 100644
--- a/app/views/components/oidc/trusted_publisher/github_action/form_component.rb
+++ b/app/views/components/oidc/trusted_publisher/github_action/form_component.rb
@@ -1,9 +1,7 @@
 # frozen_string_literal: true
 
 class OIDC::TrustedPublisher::GitHubAction::FormComponent < ApplicationComponent
-  extend Dry::Initializer
-
-  option :github_action_form
+  prop :github_action_form, reader: :public
 
   def view_template
     github_action_form.fields_for :trusted_publisher do |trusted_publisher_form|
diff --git a/app/views/components/oidc/trusted_publisher/github_action/table_component.rb b/app/views/components/oidc/trusted_publisher/github_action/table_component.rb
index 9174f2d1602..ecb8e83242b 100644
--- a/app/views/components/oidc/trusted_publisher/github_action/table_component.rb
+++ b/app/views/components/oidc/trusted_publisher/github_action/table_component.rb
@@ -1,7 +1,5 @@
 class OIDC::TrustedPublisher::GitHubAction::TableComponent < ApplicationComponent
-  extend Dry::Initializer
-
-  option :github_action
+  prop :github_action, reader: :public
 
   def view_template
     dl(class: "tw-flex tw-flex-col sm:tw-grid sm:tw-grid-cols-2 tw-items-baseline tw-gap-4 full-width overflow-wrap") do
diff --git a/app/views/components/onboarding/steps_component.rb b/app/views/components/onboarding/steps_component.rb
new file mode 100644
index 00000000000..5744ca2dd4d
--- /dev/null
+++ b/app/views/components/onboarding/steps_component.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+class Onboarding::StepsComponent < ApplicationComponent
+  include Phlex::DeferredRender
+
+  include Phlex::Rails::Helpers::LinkTo
+
+  def initialize(current_step)
+    @current_step = current_step
+    @steps = []
+    super()
+  end
+
+  def view_template(&)
+    nav(class: "mb-10 flex items-start text-start text-neutral-800 dark:text-white") do
+      @steps.each_with_index do |step, idx|
+        step_item(idx + 1, *step)
+        connector(idx + 1) unless idx == @steps.size - 1
+      end
+    end
+  end
+
+  def step(name, link)
+    @steps << [name, link]
+  end
+
+  private
+
+  STEP = "w-8 h-8 flex items-center justify-center rounded font-bold"
+  ACTIVE_STEP = "#{STEP} bg-orange hover:bg-orange-600 text-white".freeze
+  PENDING_STEP = "#{STEP} bg-neutral-300 dark:bg-neutral-700 text-neutral-700 dark:text-white".freeze
+
+  def step_item(step, name, link)
+    a(href: link, class: "relative z-10 w-20 flex flex-col items-center space-y-2 text-center text-b3") do
+      span(class: @current_step >= step ? ACTIVE_STEP : PENDING_STEP, aria_current: "step") { step }
+      p(class: "") { name }
+    end
+  end
+
+  def connector(step)
+    color = @current_step > step ? "border-orange-500" : "border-neutral-300 dark:border-neutral-700"
+    span(class: "flex-grow mt-4 -mx-6 border-t-2 #{color}")
+  end
+end
diff --git a/app/views/components/subject/nav_component.rb b/app/views/components/subject/nav_component.rb
new file mode 100644
index 00000000000..2730dc08372
--- /dev/null
+++ b/app/views/components/subject/nav_component.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+class Subject::NavComponent < ApplicationComponent
+  include Phlex::Rails::Helpers::LinkTo
+
+  attr_reader :current
+
+  def initialize(current: :dashboard)
+    @current = current
+    super()
+  end
+
+  def view_template(&)
+    div(class: "relative -mx-8 lg:mx-0") do
+      nav(data: { controller: "scroll" }, class: NAV, &)
+      div class: "#{GRADIENT} w-12 right-0 bg-gradient-to-l" # Gradient fade right
+      div class: "#{GRADIENT} w-8 left-0 bg-gradient-to-r" # Gradient fade left
+    end
+  end
+
+  NAV = "relative flex overflow-x-auto no-scrollbar whitespace-nowrap py-4 space-x-2 pl-8 pr-12 " \
+        "lg:flex-col lg:px-0 lg:space-x-0 lg:space-y-2"
+  GRADIENT = "lg:hidden absolute top-0 h-full pointer-events-none from-white dark:from-black"
+  LINK = "flex items-center space-x-2 h-12 lg:h-14 px-3 py-1 lg:px-6 lg:py-2 rounded"
+  ACTIVE_LINK = "#{LINK} bg-orange-100 dark:bg-orange-900 text-neutral-900 dark:text-white".freeze
+  INACTIVE_LINK = "#{LINK} bg-neutral-050 text-neutral-600 hover:bg-neutral-200 " \
+                  "dark:bg-neutral-950 dark:text-neutral-400 dark:hover:bg-neutral-800".freeze
+
+  def link(text, url, icon:, name: nil, **options)
+    is_current = name == current
+    data = { scroll_target: "scrollLeft" } if is_current
+    options[:class] = "#{options[:class]} #{is_current ? ACTIVE_LINK : INACTIVE_LINK}"
+    link_to(url, data:, **options) do
+      unsafe_raw helpers.icon_tag(icon, size: 7, class: is_current && "text-orange-500")
+      span { text }
+    end
+  end
+end
diff --git a/app/views/components/version/provenance_component.rb b/app/views/components/version/provenance_component.rb
new file mode 100644
index 00000000000..fb454d5acc1
--- /dev/null
+++ b/app/views/components/version/provenance_component.rb
@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+class Version::ProvenanceComponent < ApplicationComponent
+  include Phlex::Rails::Helpers::LinkTo
+
+  prop :attestation
+
+  def view_template
+    display_data = @attestation.display_data
+
+    div(class: "gem__attestation") do
+      div(class: "gem__attestation__built_on") do
+        div(class: "gem__attestation__grid gem__attestation__grid__left") do
+          p
+          p { plain "Built and signed on" }
+          p { "✅" }
+          p { display_data[:ci_platform] }
+          p
+          p { link_to "Build summary", display_data[:build_summary_url], target: "_blank", rel: "noopener" }
+        end
+      end
+      div(class: "gem__attestation__grid gem__attestation__grid__right") do
+        p { plain "Source Commit" }
+        p { link_to display_data[:source_commit_string], display_data[:source_commit_url] }
+        p { plain "Build File" }
+        p { link_to display_data[:build_file_string], display_data[:build_file_url] }
+        p { plain "Public Ledger" }
+        p { link_to "Transparency log entry", "https://search.sigstore.dev/?logIndex=#{display_data[:log_index]}" }
+      end
+    end
+  end
+end
diff --git a/app/views/dashboards/_promo.html.erb b/app/views/dashboards/_promo.html.erb
new file mode 100644
index 00000000000..bc7e62dbff4
--- /dev/null
+++ b/app/views/dashboards/_promo.html.erb
@@ -0,0 +1,43 @@
+<% return unless current_user.memberships.any? %>
+<div class="flex flex-col px-4 py-6 md:p-10 mb-10 border border-orange rounded-lg bg-orange-050 dark:bg-orange-950">
+  <h2 class="flex text-h3 mb-10">
+    <%= icon_tag "organizations", size: 8, class: "mr-2 inline-block" %>
+    Introducing Organizations!
+  </h2>
+  <div class="flex flex-col md:flex-row-reverse">
+    <div class="flex mx-auto mb-10 md:mb-0 md:ml-10 w-64">
+      <div role="graphics-symbol" title="A diagram showing the layers of roles in an organization">
+        <div class="border-orange-600 border-2 border-dashed text-b3 text-orange-800 dark:text-white pl-8 rounded-md justify-end content-end shadow-lg">
+          <p class="-ml-8 px-2 pt-1 h-8">Organization</p>
+          <div class="bg-orange-400 dark:bg-orange-600 relative -bottom-0.5 -right-0.5 pl-8 rounded-md border border-orange-600">
+            <p class="-ml-8 px-2 pt-1 h-8">Owner</p>
+            <div class="bg-orange-300 dark:bg-orange-700 pl-8 rounded-md border-t border-l border-orange-600">
+              <p class="-ml-8 px-2 pt-1 h-8">Admin</p>
+              <div class="bg-orange-200 dark:bg-orange-800 pl-8 rounded-md box-border border-t border-l border-orange-600">
+                <p class="-ml-8 px-2 pt-1 h-8">Maintainer</p>
+                <div class="bg-orange-100 dark:bg-orange-950 w-32 h-32 rounded-md box-border border-t border-l border-orange-600">
+                  <p class="px-2 pt-1">Outside contributor</p>
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <div class="flex flex-col w-full md:w-2/3 items-start">
+      <p class="text-b1 text-neutral-800 dark:text-white mt-2 mb-10">
+        RubyGems is making ownership and permissions easier with organizations. Name your org then add your gems. It’s that easy!
+      </p>
+
+      <div>
+        <%= render ButtonComponent.new(organization_onboarding_name_path, type: :link, style: :outline, color: :primary) do %>
+          <span class="px-10 flex items-center">
+            Begin
+            <%= icon_tag "arrow-forward", size: 6, class: "ml-2 inline-block" %>
+          </span>
+        <% end %>
+      </div>
+    </div>
+  </div>
+</div>
diff --git a/app/views/dashboards/_subject.html.erb b/app/views/dashboards/_subject.html.erb
new file mode 100644
index 00000000000..64981449be9
--- /dev/null
+++ b/app/views/dashboards/_subject.html.erb
@@ -0,0 +1,42 @@
+<%
+  user ||= @user || current_user
+  current ||= :dashboard
+%>
+
+<div class="flex flex-wrap lg:flex-col items-start mb-6 lg:mb-10">
+  <%= avatar 328, "user_gravatar", theme: :dark, class: "h-24 w-24 lg:h-40 lg:w-40 rounded-lg object-cover mr-4" %>
+
+  <div class="lg:w-full lg:mt-2">
+    <h2 class="font-bold text-h4"><%= user.display_handle %></h2>
+    <% if user.full_name.present? %>
+      <p class="text-neutral-500 text-b3"><%= user.full_name %></p>
+    <% end %>
+  </div>
+</div>
+
+<% if user.public_email? || user == current_user %>
+  <div class="flex items-center mb-4 text-b3 lg:text-b2">
+    <%= icon_tag("mail", color: :primary, class: "h-6 w-6 text-orange mr-3") %>
+    <p class="text-neutral-800 dark:text-white"><%=
+      mail_to(user.email, encode: "hex")
+    %></p>
+  </div>
+<% end %>
+
+<% if user.twitter_username.present? %>
+  <div class="flex items-center mb-4 text-b3 lg:text-b2">
+    <%= icon_tag("x-twitter", color: :primary, class: "w-6 text-orange mr-3") %>
+    <p class="text-neutral-800 dark:text-white"><%=
+      link_to(
+        twitter_username(user),
+        twitter_url(user)
+      )
+    %></p>
+  </div>
+<% end %>
+
+<%= render Subject::NavComponent.new(current:) do |nav| %>
+  <%= nav.link t("layouts.application.header.dashboard"), dashboard_path, name: :dashboard, icon: "space-dashboard" %>
+  <%= nav.link t("dashboards.show.my_subscriptions"), subscriptions_path, name: :subscriptions, icon: "notifications" %>
+  <%= nav.link t("layouts.application.header.settings"), edit_settings_path, name: :settings, icon: "settings" %>
+<% end %>
diff --git a/app/views/dashboards/show.html.erb b/app/views/dashboards/show.html.erb
index 49b2b76c30a..5cfb8105f25 100644
--- a/app/views/dashboards/show.html.erb
+++ b/app/views/dashboards/show.html.erb
@@ -1,67 +1,113 @@
 <% @title = t('.title') %>
 
-<div class="l-overflow">
-  <div class="subscribed l-colspan--l colspan--l--has-border">
-    <h3 class="gems__gem__name">
-      <%= t '.latest' %>:
-    </h3>
-    <%= link_to dashboard_path(:api_key => current_user.api_key, :format => :atom), :id => 'feed', :title => t('.latest_title'), :class => 'gem__link t-list__item', 'data-icon' => '#' do %>
-      <span class="t-hidden">RSS</span>
-    <% end %>
-    </a>
-    <div class="push--bottom">
-      <% if @latest_updates.empty? %>
-        <div class="t-body push--s">
-          <i class="t-text"><%= t('.no_subscriptions_html', :gem_link => link_to(t('.gem_link_text'), rubygem_path("rake"))) %></i>
-        </div>
-      <% else %>
-        <ol>
-          <% @latest_updates.each do |version| %>
-            <li>
-              <a href="<%= rubygem_path(version.rubygem.slug) %>" class="dashboard__gem">
-                <div class="dashboard__gem__info">
-                  <strong class="dashboard__gem__name"><%= version.to_title %></strong>
-                  <i class="dashboard__gem__version"><%= t 'time_ago', :duration => time_ago_in_words(version.authored_at) %></i>
-                </div>
-                <p class="dashboard__gem__desc"><%= short_info(version) %></p>
-              </a>
-            </li>
-          <% end %>
-        </ol>
+<% content_for :subject do %>
+  <% render "dashboards/subject", user: current_user %>
+<% end %>
+
+<!-- Main Content -->
+<h1 class="text-h2 mb-10"><%= t(".title") %></h1>
+
+<%= render "dashboards/promo" %>
+
+<%= render CardComponent.new do |c| %>
+  <%= c.head(divide: true) do %>
+    <%= c.title t(".latest"), icon: :history %>
+    <div class="flex space-x-2 items-center">
+      <%= link_to dashboard_path(api_key: current_user.api_key, format: :atom), id: 'feed', title: t('.latest_title'), class: 'items-center' do %>
+        <%= icon_tag("rss-feed", size: 6, class: "w-6 h-6 fill-orange") %>
       <% end %>
     </div>
-  </div>
+  <% end %>
 
-  <div class="l-col--r--pad">
-    <div class="mine t-body">
-      <h1><%= t '.mine' %></h1>
-      <% if @my_gems.empty? %>
-        <div class="t-body push--bottom">
-          <p>
-            <%= t('.no_owned_html', :creating_link => link_to(t('.creating_link_text'), "https://guides.rubygems.org/make-your-own-gem/"),
-                                    :migrating_link => link_to(t('.migrating_link_text'), page_path("migrate"))) %>
-          </p>
-        </div>
-      <% else %>
-        <ul>
-          <% @my_gems.each do |rubygem| %>
-            <li>
-              <%= link_to rubygem.name, rubygem_path(rubygem.slug), :title => short_info(rubygem.most_recent_version), :class => 't-link' %>
-            </li>
+  <% if @latest_updates.empty? %>
+    <%= prose do %>
+      <i><%= t('.no_subscriptions_html', :gem_link => link_to(t('.gem_link_text'), rubygem_path("rake"))) %></i>
+    <% end %>
+  <% else %>
+    <%= c.scrollable do %>
+      <%= render Card::TimelineComponent.new do |t| %>
+        <% @latest_updates.each do |version| %>
+          <%
+            pusher_link = if version.pusher.present?
+              link_to_user(version.pusher)
+            elsif version.pusher_api_key&.owner.present?
+              link_to_pusher(version.pusher_api_key.owner)
+            end
+          %>
+          <%= t.timeline_item(version.authored_at, pusher_link) do %>
+              <div class="flex text-b1 text-neutral-800 dark:text-white"><%= link_to version.rubygem.name, rubygem_path(version.rubygem.slug) %></div>
+              <%= version_number(version) %>
           <% end %>
-        </ul>
+        <% end %>
       <% end %>
+    <% end %>
+  <% end %>
+<% end %>
 
-      <% if @subscribed_gems.present? %>
-        <h1><%= t '.my_subscriptions' %></h1>
-        <ul>
-          <% current_user.subscribed_gems.each do |gem| %>
-            <li>
-              <%= link_to gem, rubygem_path(gem.slug), :title => short_info(gem.most_recent_version), :class => 't-link' %>
-            </li>
-          <% end %>
-        </ul>
+<%= render CardComponent.new do |c| %>
+  <%= c.head do %>
+    <%= c.title t(".mine"), icon: "gems", count: @my_gems_count %>
+  <% end %>
+  <% if @my_gems.empty? %>
+    <%= prose do %>
+      <i><%= t('.no_owned_html', :creating_link => link_to(t('.creating_link_text'), "https://guides.rubygems.org/make-your-own-gem/")) %></i>
+    <% end %>
+  <% else %>
+    <%= c.divided_list do %>
+      <% @my_gems.each do |rubygem| %>
+        <%= c.list_item_to(
+          rubygem_path(rubygem.slug),
+          title: short_info(rubygem.most_recent_version),
+        ) do %>
+          <div class="flex flex-col w-full justify-between">
+            <div class="flex flex-row w-full items-center justify-between">
+              <h4 class="text-b1 flex"><%= rubygem.name %></h4>
+              <%= version_number(rubygem.most_recent_version) %>
+            </div>
+            <div class="flex flex-row w-full items-center justify-between">
+              <%= download_count_component(rubygem, class: "flex") %>
+              <div class="flex text-neutral-600"><%= version_date_component(rubygem.most_recent_version) %></div>
+            </div>
+          </div>
+        <% end %>
       <% end %>
-    </div>
-  </div>
-</div>
+    <% end %>
+  <% end %>
+<% end %>
+
+<% if @subscribed_gems.present? %>
+  <%= render CardComponent.new do |c| %>
+    <%= c.head do %>
+      <%= c.title t(".my_subscriptions"), icon: "notifications", count: @subscribed_gems_count %>
+      <%= link_to t("view_all"), subscriptions_path, class: "text-sm text-orange-500" %>
+    <% end %>
+    <%= c.list do %>
+      <% @subscribed_gems.each do |gem| %>
+        <%= c.list_item_to(rubygem_path(gem.slug), title: short_info(gem.most_recent_version)) do %>
+          <h3 class="text-b1"><%= gem.name %></h3>
+          <p class="text-b3 text-neutral-600"><%= short_info(gem.most_recent_version) %></p>
+        <% end %>
+      <% end %>
+    <% end %>
+  <% end %>
+<% end %>
+
+<% if current_user.memberships.any? %>
+  <!-- Organizations -->
+  <%= render CardComponent.new do |c| %>
+    <%= c.head do %>
+      <%= c.title t(".organizations"), icon: "organizations", count: current_user.memberships.count %>
+      <%= link_to t("view_all"), "#", class: "text-sm text-orange-500" %>
+    <% end %>
+    <%= c.divided_list do %>
+      <% current_user.memberships.preload(:organization).each do |membership| %>
+        <%= c.list_item_to("#") do %>
+          <div class="flex justify-between">
+            <p class="text-neutral-800 dark:text-white"><%= membership.organization.name %></p>
+            <p class="text-neutral-500 capitalize"><%= membership.role %></p>
+          </div>
+        <% end %>
+      <% end %>
+    <% end %>
+  <% end %>
+<% end %>
diff --git a/app/views/layouts/_breadcrumbs.html.erb b/app/views/layouts/_breadcrumbs.html.erb
new file mode 100644
index 00000000000..d59f3a3e87f
--- /dev/null
+++ b/app/views/layouts/_breadcrumbs.html.erb
@@ -0,0 +1,20 @@
+<div class="hidden lg:block w-full px-8 py-1 lg:pb-8 bg-neutral-050 dark:bg-neutral-950 text-neutral-800 dark:text-white">
+  <div class="max-w-screen-xl mx-auto flex items-center">
+    <nav class="flex justify-start items-center text-b2" aria-label="Breadcrumb">
+      <!-- Home breadcrumb -->
+      <%= link_to root_path, class: "inline-block p-1 -ml-1 hover:text-neutral-600 dark:hover:text-neutral-400", title: t("breadcrumbs.home"), aria: { label: t("breadcrumbs.home") } do %>
+        <%= icon_tag "house-siding", size: 6 %>
+      <% end %>
+
+      <% breadcrumbs.each do |name, link| %>
+        <%= icon_tag "chevron-right", size: 6, class: "text-neutral-600 dark:text-neutral-700 fill-neutral-600 dark:fill-neutral-700", aria: { hidden: "true" } %>
+        <% if link %>
+          <%= link_to name, link, class: "inline-block p-1 hover:text-neutral-600 dark:hover:text-neutral-400" %>
+        <% else %>
+          <!-- Current page -->
+          <span class="inline-block p-1 text-black dark:text-white font-semibold" aria-current="page"><%= name %></span>
+        <% end %>
+      <% end %>
+    </nav>
+  </div>
+</div>
diff --git a/app/views/layouts/_search.html.erb b/app/views/layouts/_search.html.erb
index d7f395b2818..b5bf61009f5 100644
--- a/app/views/layouts/_search.html.erb
+++ b/app/views/layouts/_search.html.erb
@@ -1,7 +1,10 @@
 <% home = current_page?(root_path) || current_page?(advanced_search_path) %>
 <div class="<%= home ? "home__search-wrap" : "header__search-wrap" %>" role="search">
   <%= form_tag search_path, method: :get, data: { controller: "autocomplete", autocomplete_selected_class: "selected", } do %>
-    <%= search_field(home: home) %>
+    <%= rubygem_search_field(
+      class: (home ? "home__search" : "header__search"),
+      data: (home ? nil : { nav_target: "search" }),
+    ) %>
 
     <ul class="suggest-list" role="listbox" data-autocomplete-target="suggestions"></ul>
 
diff --git a/app/views/layouts/_session.html.erb b/app/views/layouts/_session.html.erb
new file mode 100644
index 00000000000..677752bc08b
--- /dev/null
+++ b/app/views/layouts/_session.html.erb
@@ -0,0 +1,53 @@
+<div class="ml-3 flex text-neutral-900 dark:text-white hover:text-black dark:hover:text-neutral-400 items-center" data-controller="dialog">
+  <% if signed_in? %>
+    <%# This class is used in the tests :( I need it to be the same class until the old design is gone. %>
+    <%= link_to(dashboard_path, data: { action: "dialog#open", dialog_target: "button" }, class: "header__popup-link") do %>
+      <%= avatar 64, "user_gravatar", theme: :dark, class: "h-9 w-9 rounded" %>
+    <% end %>
+  <% else %>
+    <div class="hidden md:flex text-nowrap">
+      <%= render ButtonComponent.new t('sign_in'), sign_in_path, type: :link, color: :secondary, size: :small %>
+      <% if Clearance.configuration.allow_sign_up? %>
+        <%= render ButtonComponent.new t('sign_up'), sign_up_path, type: :link, color: :primary, size: :small, class: "ml-3" %>
+      <% end %>
+    </div>
+
+    <% sign_in_sign_up_path = Clearance.configuration.allow_sign_up? ? sign_up_path : sign_in_path %>
+    <%= link_to sign_in_sign_up_path, class: "-mr-1 p-1 md:hidden text-neutral-800 dark:text-white hover:text-neutral-600 dark:hover:text-neutral-400 " do %>
+      <%= icon_tag "account-box", size: 7 %>
+    <% end %>
+  <% end %>
+
+  <dialog
+    data-dialog-target="dialog" data-action="click->dialog#backdropClose"
+    class="fixed m-0 inset-0 py-16 px-8 z-50 w-full h-full max-w-screen max-h-screen bg-white bg-opacity-20 p-0 ems-start justify-center sm:justify-right"
+  >
+    <div class="max-w-screen-xl mx-auto flex items-center relative">
+      <!-- Dialog content -->
+      <div
+        class="w-full sm:absolute sm:top-0 sm:right-0 sm:max-w-sm bg-white dark:bg-black rounded-lg shadow-xl shadow-black/10 max-h-[90vh] overflow-y-auto dark:border dark:border-neutral-800
+        flex flex-col px-4 py-4 text-b2 text-left text-neutral-900 dark:text-white"
+      >
+        <!-- Dialog header -->
+        <div class="flex justify-between items-center">
+          <h2 class="flex h-7 lg:h-8 lg:mb-0 items-center space-x-1 text-orange text-b1">
+            <%= icon_tag "logo", size: 8, class: "w-6 h-6" %>
+            <span class="text-h5 text-orange">RubyGems</span>
+          <h2>
+
+          <button data-action="dialog#close" class="h-8 w-8 items-center justify-center outline-none">
+            <%= icon_tag "close", class: "w-6 h-6", aria: { label: "Close profile modal" } %>
+          </button>
+        </div>
+
+        <!-- Authenticated user content -->
+        <nav class="flex flex-col py-6 text-left text-b2 text-neutral-900 dark:text-white border-b border-neutral-400 dark:border-neutral-800">
+          <%= link_to t('layouts.application.header.profile'), dashboard_path, class: "px-6 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+          <%= link_to t('layouts.application.header.edit_profile'), edit_profile_path, class: "px-6 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+          <%= link_to t('layouts.application.header.settings'), edit_settings_path, class: "px-6 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+        </nav>
+        <%= link_to t('sign_out'), sign_out_path, method: :delete, class: "w-full my-8 px-4 py-2 text-b2 rounded border border-black dark:border-white bg-white dark:bg-black hover:bg-neutral-100 dark:hover:bg-neutral-800 text-black dark:text-white text-center" %>
+      </div>
+    </div>
+  </dialog>
+</div>
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 4c75e93fe66..0c4f46be8b1 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -13,9 +13,7 @@
     <link rel="fluid-icon" href="/fluid-icon.png"/>
     <link rel="search" type="application/opensearchdescription+xml" title="<%=t :title %>" href="/opensearch.xml">
     <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
-
-    <%= stylesheet_link_tag("application") %>
-    <%= stylesheet_link_tag("tailwind", "data-turbo-track": "reload") %>
+    <%= stylesheet_link_tag("application", "preload_links_header" => true) %>
     <link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
     <link href='https://fonts.googleapis.com/css?family=Roboto:100&amp;subset=greek,latin,cyrillic,latin-ext' rel='stylesheet' type='text/css'>
     <%= render "layouts/feeds" %>
@@ -75,12 +73,12 @@
                 <%= link_to t('.header.settings'), edit_settings_path, class: "header__nav-link" %>
                 <%= link_to t('.header.dashboard'), dashboard_path, class: "header__nav-link" %>
                 <%= link_to t('.header.edit_profile'), edit_profile_path, class: "header__nav-link" %>
-                <%= link_to t('.header.sign_out'), sign_out_path, method: :delete, class: "header__nav-link" %>
+                <%= link_to t('sign_out'), sign_out_path, method: :delete, class: "header__nav-link" %>
               </div>
             <% else %>
-              <%= link_to t('.header.sign_in'), sign_in_path, class: "header__nav-link #{'is-active' if request.path_info == '/sign_in'}" %>
+              <%= link_to t('sign_in'), sign_in_path, class: "header__nav-link #{'is-active' if request.path_info == '/sign_in'}" %>
               <% if Clearance.configuration.allow_sign_up? %>
-                <%= link_to t('.header.sign_up'), sign_up_path, class: "header__nav-link #{'is-active' if request.path_info == '/sign_up'}" %>
+                <%= link_to t('sign_up'), sign_up_path, class: "header__nav-link #{'is-active' if request.path_info == '/sign_up'}" %>
               <% end %>
             <% end %>
           </nav>
diff --git a/app/views/layouts/hammy.html.erb b/app/views/layouts/hammy.html.erb
new file mode 100644
index 00000000000..8c8ed47549a
--- /dev/null
+++ b/app/views/layouts/hammy.html.erb
@@ -0,0 +1,251 @@
+<!DOCTYPE html>
+<html lang="<%= I18n.locale %>">
+<head>
+  <title><%= page_title %></title>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0">
+  <meta name="google-site-verification" content="AuesbWQ9MCDMmC1lbDlw25RJzyqWOcDYpuaCjgPxEZY" />
+  <link rel="apple-touch-icon" href="/apple-touch-icons/apple-touch-icon.png" />
+  <% ["57x57", "72x72", "76x76", "114x114","120x120", "144x144", "152x152", "180x180"].each do |size| %>
+    <link rel="apple-touch-icon" sizes="<%= size %>" href="/apple-touch-icons/apple-touch-icon-<%= size %>.png" />
+  <% end %>
+  <link rel="mask-icon" href="/rubygems_logo.svg" color="#e9573f">
+  <link rel="fluid-icon" href="/fluid-icon.png"/>
+  <link rel="search" type="application/opensearchdescription+xml" title="<%=t :title %>" href="/opensearch.xml">
+  <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
+
+  <%= stylesheet_link_tag("hammy") %>
+  <%= stylesheet_link_tag("tailwind", "data-turbo-track": "reload") %>
+  <link href="https://fonts.gstatic.com" rel="preconnect" crossorigin>
+  <link href="https://fonts.googleapis.com/css2?family=Titillium+Web:ital,wght@0,200;0,300;0,400;0,600;0,700;0,900;1,200;1,300;1,400;1,600;1,700&display=swap" rel="stylesheet" type="text/css">
+  <%= render "layouts/feeds" %>
+  <%= csrf_meta_tag %>
+  <%= yield :head %>
+  <%= javascript_importmap_tags %>
+</head>
+<body data-turbo="true" class="bg-neutral-050 dark:bg-neutral-950">
+  <div class="min-h-screen flex flex-col">
+    <!-- Header -->
+    <header class="bg-white dark:bg-black">
+      <!-- Header Nav -->
+      <div class="py-4 px-8 border-b border-neutral-400 dark:border-neutral-800">
+        <div class="flex flex-wrap justify-between max-w-screen-xl mx-auto" data-controller="reveal-search" data-reveal-search-toggle-class="bg-neutral-200 dark:bg-neutral-800 text-neutral-800 dark:text-neutral-200 border">
+          <!-- Menu button, Logo, desktop nav, mobile nav dialog -->
+          <div class="flex flex-row items-center xl:mr-auto" data-controller="dialog">
+            <!-- Mobile Menu Button -->
+            <button data-action="dialog#open" data-dialog-target="button" aria-label="Open menu" class="px-2 py-1 w-10 h-9 mr-3 items-center rounded text-white bg-orange hover:bg-orange-600 dark:bg-orange-600 dark:hover:bg-orange-700 lg:hidden focus:outline-none">
+              <%= icon_tag "menu" %>
+            </button>
+
+            <!-- Logo -->
+            <%= link_to(root_path, title: "RubyGems", class: "flex h-8 items-center text-orange text-b1") do %>
+              <%= icon_tag "logo", size: 8, class: "w-7 h-7 lg:w-8 lg:h-8", aria: { label: "RubyGems Home" } %>
+              <span class="hidden sm:flex ml-1 text-h5 text-orange">RubyGems</span>
+            <% end %>
+
+            <!-- Desktop Navigation Links -->
+            <nav class="hidden lg:flex flex-row ml-7 items-center justify-end text-b2 text-neutral-800 dark:text-white leading-7">
+              <%= link_to t("layouts.application.footer.blog"), "https://blog.rubygems.org", class: "lowercase hover:text-neutral-600 dark:hover:text-neutral-400" %>
+              <%= link_to t("layouts.application.footer.statistics"), stats_path, class: "ml-7 lowercase hover:text-neutral-600 dark:hover:text-neutral-400" %>
+              <%= link_to t("layouts.application.footer.docs"), "https://guides.rubygems.org/command-reference/#gem-install", class: "ml-7 lowercase hover:text-neutral-600 dark:hover:text-neutral-400" %>
+              <!-- About links -->
+              <div class="flex relative ml-7" data-controller="dropdown">
+                <button data-action="dropdown#toggle click@window->dropdown#hide" class="flex items-center text-neutral-900 dark:text-white hover:text-neutral-600 dark:hover:text-neutral-400 focus:outline-none lowercase">
+                  <span><%= t("layouts.application.footer.about") %></span>
+                  <%= icon_tag "arrow-drop-down" %>
+                </button>
+
+                <!-- About Dropdown Menu -->
+                <div data-dropdown-target="menu" class="z-50 hidden absolute -left-4 top-8 bg-white dark:bg-black border border-neutral-200 dark:border-neutral-800 rounded shadow-lg text-b2 text-neutral-700 dark:text-neutral-300 divide-y divide-neutral-200 dark:divide-neutral-800">
+                  <%= link_to t('title'), page_path("about"), data: { reveal_target: "item" }, class: "block px-4 py-2 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+                  <%= link_to t('layouts.application.footer.status'), "https://status.rubygems.org", data: { reveal_target: "item" }, class: "block px-4 py-2 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+                  <%= link_to t('layouts.application.footer.data'), page_path("data"), data: { reveal_target: "item" }, class: "block px-4 py-2 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+                  <%= link_to t('layouts.application.footer.security'), page_path("security"), data: { reveal_target: "item" }, class: "block px-4 py-2 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+                  <%= mail_to "support@rubygems.org", t('layouts.application.footer.help'), data: { reveal_target: "item" }, class: "block px-4 py-2 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+                </div>
+              </div>
+              <!-- Language Selector -->
+              <div class="flex relative ml-5" data-controller="dropdown">
+                <button data-action="dropdown#toggle click@window->dropdown#hide" class="flex items-center text-neutral-900 dark:text-white hover:text-neutral-600 dark:hover:text-neutral-400 focus:outline-none">
+                  <%= icon_tag "language", size: 5 %>
+                  <span class="ml-1 text-b3 uppercase"><%= I18n.locale %></span>
+                  <%= icon_tag "arrow-drop-down" %>
+                </button>
+
+                <!-- Language Dropdown Menu -->
+                <div data-dropdown-target="menu" class="z-50 hidden absolute flex-row -left-4 top-8 bg-white dark:bg-black border border-neutral-200 dark:border-neutral-800 rounded shadow-lg text-b2 text-neutral-700 dark:text-neutral-300 divide-y divide-neutral-200 dark:divide-neutral-800">
+                  <% I18n.available_locales.each do |language| %>
+                    <%= link_to I18n.t(:locale_name, locale: language), url_for(locale: language, only_path: true), class: "block px-4 py-2 hover:bg-neutral-100 dark:hover:bg-neutral-800 text-nowrap" %>
+                  <% end %>
+                </div>
+              </div>
+            </nav>
+
+            <!-- Mobile Left Navigation Menu -->
+            <dialog
+              data-dialog-target="dialog" data-action="click->dialog#backdropClose"
+              role="dialog" aria-modal="true"
+              class="fixed left-0 top-0 h-full w-screen max-h-full max-w-screen bg-white bg-opacity-20 z-50 overflow-hidden">
+              <div class="h-full w-72 bg-white dark:bg-black overflow-y-auto border-r border-neutral-400 dark:border-neutral-800 shadow-[5px_0px_9px_3px_rgba(0,0,0,0.10)]">
+                <!-- Mobile nav header -->
+                <div class="flex flex-row items-center px-8 py-4 border-b border-neutral-400 dark:border-neutral-800">
+                  <!-- Close Menu Button -->
+                  <button data-action="dialog#close" aria-label="Close menu" class="px-2 py-1 w-10 h-9 mr-3 rounded text-white bg-orange dark:bg-orange-600 hover:bg-orange-700 dark:hover:bg-orange-700 focus:outline-none items-center">
+                    <%= icon_tag "close" %>
+                  </button>
+                  <!-- Logo -->
+                  <%= link_to(root_path, title: "RubyGems", class: "flex h-8 items-center text-orange text-b1") do %>
+                    <%= icon_tag "logo", size: 8, class: "w-7 h-7 lg:w-8 lg:h-8", aria: { label: "RubyGems Home" } %>
+                    <span class="ml-1 text-h5 lg:text-h4 text-orange">RubyGems</span>
+                  <% end %>
+                </div>
+
+                <!-- Mobile nav links -->
+                <nav class="flex flex-col py-6 text-left text-b2 text-neutral-900 dark:text-white">
+                  <%= link_to t("layouts.application.footer.blog"), "https://blog.rubygems.org", class: "px-8 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+                  <%= link_to t("layouts.application.footer.statistics"), stats_path, class: "px-8 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+                  <%= link_to t("layouts.application.footer.docs"), "https://guides.rubygems.org/command-reference/#gem-install", class: "px-8 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+
+                  <!-- About links expand -->
+                  <div data-controller="reveal" data-reveal-toggle-class="rotate-180" class="flex flex-col">
+                    <button class="flex items-center px-8 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800 focus:outline-none justify-between" data-action="reveal#toggle" data-reveal-target="button">
+                      <span><%= t("layouts.application.footer.about") %></span>
+                      <%= icon_tag "keyboard-arrow-down", class:"transition-transform transform", data: { reveal_target: "toggle" } %>
+                    </button>
+
+                    <%= link_to t('title'), page_path("about"), data: { reveal_target: "item" }, class: "hidden px-16 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+                    <%= link_to t('layouts.application.footer.status'), "https://status.rubygems.org", data: { reveal_target: "item" }, class: "hidden px-16 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+                    <%= link_to t('layouts.application.footer.data'), page_path("data"), data: { reveal_target: "item" }, class: "hidden px-16 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+                    <%= link_to t('layouts.application.footer.security'), page_path("security"), data: { reveal_target: "item" }, class: "hidden px-16 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+                    <%= mail_to "support@rubygems.org", t('layouts.application.footer.help'), data: { reveal_target: "item" }, class: "mb-4 hidden px-16 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800" %>
+                  </div>
+
+                  <!-- Mobile Language Selector -->
+                  <div class="flex flex-col" data-controller="reveal" data-reveal-toggle-class="rotate-180">
+                    <button class="flex items-center px-8 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800 focus:outline-none justify-between" data-action="reveal#toggle" data-reveal-target="button">
+                      <span class="flex items-center">
+                        <%= icon_tag "language" %>
+                        <span class="mx-2 text-b2 uppercase"><%= I18n.locale %></span>
+                      </span>
+                      <%= icon_tag "keyboard-arrow-down", class:"transition-transform transform", data: { reveal_target: "toggle" } %>
+                    </button>
+
+                    <% I18n.available_locales.each do |language| %>
+                      <%= link_to I18n.t(:locale_name, locale: language), url_for(locale: language, only_path: true), data: { reveal_target: "item" }, class: "hidden px-16 py-3 hover:bg-neutral-100 dark:hover:bg-neutral-800 text-nowrap" %>
+                    <% end %>
+                  </div>
+                </nav>
+              </div>
+            </dialog>
+          </div>
+
+          <!-- Search button and Profile -->
+          <div class="ml-auto flex flex-row items-center xl:ml-0 xl:order-3">
+            <!-- Search button -->
+            <button type="button" data-action="reveal-search#toggle" data-reveal-search-target="toggle" aria-label="Open search" class="flex xl:hidden h-9 w-9 box-border text-neutral-800 dark:text-white hover:text-neutral-600 dark:hover:text-neutral-400 items-center justify-center rounded border-neutral-300 dark:border-neutral-700">
+              <%= icon_tag "search", class: "h-6 w-6" %>
+            </button>
+
+            <!-- Profile -->
+            <%= render "layouts/session" %>
+          </div>
+
+          <!-- Search Bar -->
+          <div data-reveal-search-target="item" class="hidden pt-4 w-full items-center xl:flex xl:pt-0 xl:w-72 xl:order-2" role="search">
+            <%= form_tag(search_path, method: :get, data: { controller: "autocomplete", autocomplete_selected_class: "bg-neutral-100 dark:bg-neutral-800", reveal_target: "item" }, class: "relative w-full items-center", role: "search") do %>
+              <%= rubygem_search_field(data: { reveal_search_target: "input" }, class: "w-full md h-9 pr-12 bg-neutral-200 dark:bg-neutral-800 text-neutral-800 dark:text-neutral-200 rounded border-neutral-300 dark:border-neutral-700 box-border outline-none focus:ring-0 focus:border-neutral-500") %>
+
+              <ul role="listbox" data-autocomplete-target="suggestions" class="hidden absolute z-40 start-0 mt-2 w-full bg-white dark:bg-black text-b2 text-neutral-800 dark:text-neutral-200 border border-neutral-200 dark:border-neutral-800 rounded shadow-md divide-y divide-neutral-200 dark:divide-neutral-800"></ul>
+
+              <template id="suggestion" data-autocomplete-target="template">
+                <li class="block px-4 py-2 hover:bg-neutral-100 dark:hover:bg-neutral-800" role="option" tabindex="-1" data-autocomplete-target="item" data-action="click->autocomplete#choose mouseover->autocomplete#highlight"></li>
+              </template>
+
+              <%= label_tag :query, id: "querylabel" do %>
+                <span class="hidden"><%= t('layouts.application.header.search_gem_html') %></span>
+              <% end %>
+
+              <button type="submit" id="search_submit" aria-labelledby="querylabel" class="absolute end-[1px] top-[1px] p-[5px] text-neutral-900 dark:text-white focus:outline-none border-l border-neutral-300 dark:border-neutral-700 hover:text-neutral-600 dark:hover:text-neutral-400 rounded-r">
+                <%= icon_tag "search", class: "h-6 w-6" %>
+              </button>
+            <% end %>
+          </div>
+        </div>
+      </div>
+
+      <!-- Breadcrumbs -->
+      <%= render "layouts/breadcrumbs" %>
+    </header>
+
+    <!-- Content -->
+    <% if content_for?(:main) %>
+      <%= yield :main %>
+    <% else %>
+      <main class="flex-1 w-full px-8 flex-col bg-neutral-050 dark:bg-neutral-950 text-neutral-950 dark:text-neutral-050 text-b2 items-center inline-flex">
+        <div class="max-w-screen-xl w-full mx-auto pt-8 pb-10 mb-12 md:mb-16 lg:mb-28">
+          <!-- New design notice -->
+          <%= render AlertComponent.new(style: :neutral, closeable: true) do %>
+            Design Under Construction.
+            <a href="https://blog.rubygems.org/2024/10/15/our-new-design.html" class="text-blue-500 dark:text-blue-400 text-nowrap">Learn more</a>
+          <% end %>
+
+          <% flash.each do |name, msg| %>
+            <%= render AlertComponent.new(style: name, closeable: true) do %>
+              <%= flash_message(name, msg) %>
+            <% end %>
+          <% end %>
+
+          <%= yield %>
+        </div>
+      </main>
+    <% end %>
+
+    <!-- Footer -->
+    <footer>
+      <div class="w-full px-8 py-8 bg-orange-100 dark:bg-orange-950 text-neutral-800 dark:text-neutral-200">
+        <!-- Footer Nav -->
+        <div class="max-w-screen-xl mx-auto flex flex-col md:flex-row justify-between">
+          <nav class="mb-4 md:mb-0 justify-start">
+            <ul class="flex flex-col md:flex-row md:space-x-8 text-b1 md:text-b2">
+              <li><%= link_to t("layouts.application.footer.about"), page_path("about"), class: "hover:text-neutral-600" %></li>
+              <li><%= link_to t("layouts.application.footer.docs"), "https://guides.rubygems.org/command-reference/#gem-install", class: "hover:text-neutral-600" %></li>
+              <li><%= link_to t("layouts.application.footer.status"), "https://status.rubygems.org", class: "hover:text-neutral-600" %></li>
+              <li><%= link_to t("layouts.application.footer.security"), page_path("security"), class: "hover:text-neutral-600" %></li>
+              <li><%= mail_to "support@rubygems.org", t('layouts.application.footer.help'), class: "hover:text-neutral-600" %></li>
+            </ul>
+          </nav>
+          <div class="flex space-x-4">
+            <a href="https://github.com/rubygems/rubygems.org">
+              <%= icon_tag "github" %>
+            </a>
+            <a href="https://ruby.social/users/rubygems">
+              <%= icon_tag "mastodon" %>
+            </a>
+          </div>
+        </div>
+      </div>
+
+      <div class="w-full px-6 bg-orange-200 dark:bg-orange-900 text-neutral-900 dark:text-neutral-100">
+        <!-- Supported By -->
+        <div class="flex flex-col lg:flex-row max-w-screen-xl mx-auto py-6 items-center justify-between">
+          <!-- RubyGems.org is supported by -->
+          <p class="mb-6 lg:mb-0 lg:mr-14 lg:w-52 text-b2 leading-6 text-balance">
+            <%= t("layouts.application.footer.supported_by_html") %>
+          </p>
+
+          <!-- Supporter Icons -->
+          <div class="w-full lg:grow mx-auto grid grid-cols-3 gap-6 justify-items-center md:flex md:items-center md:justify-between">
+            <a href="https://rubycentral.org/" class="p-1"><%= icon_tag "ruby-central", size: 15 %></a>
+            <a href="https://dnsimple.link/resolving-rubygems" class="p-1"><%= icon_tag "dnsimple", size: 15 %></a>
+            <a href="https://www.datadoghq.com/" class="p-1"><%= icon_tag "datadog", size: 15 %></a>
+            <a href="https://www.fastly.com/" class="p-1"><%= icon_tag "fastly", size: 15 %></a>
+            <a href="https://www.honeybadger.io/" class="p-1"><%= icon_tag "honeybadger", size: 15 %></a>
+            <a href="https://domainr.com/" class="p-1"><%= icon_tag "domainr", size: 15 %></a>
+            <a href="https://mend.io/" class="col-start-2 p-1"><%= icon_tag "mend-io", size: 15 %></a>
+          </div>
+        </div>
+      </div>
+    </footer>
+  </div>
+</body>
+</html>
diff --git a/app/views/layouts/onboarding.html.erb b/app/views/layouts/onboarding.html.erb
new file mode 100644
index 00000000000..42f82fef964
--- /dev/null
+++ b/app/views/layouts/onboarding.html.erb
@@ -0,0 +1,31 @@
+<% content_for :main do %>
+  <div class="w-full px-8 pt-10 lg:pt-0 flex-col bg-white dark:bg-black lg:bg-neutral-050 lg:dark:bg-neutral-950 text-neutral-950 dark:text-neutral-050 text-b2 items-center">
+    <div class="max-w-screen-xl w-full mx-auto">
+      <% flash.each do |name, msg| %>
+        <%= render AlertComponent.new(style: name, closeable: true) do %>
+          <%= flash_message(name, msg) %>
+        <% end %>
+      <% end %>
+    </div>
+  </div>
+
+  <%# At desktop width, these outer 2 divs make the full content background with 2 columns of content %>
+  <div class="flex-1 lg:w-full lg:px-8 bg-white dark:bg-black lg:bg-neutral-050 lg:dark:bg-neutral-950 text-neutral-950 dark:text-white text-b2 items-center">
+    <h1 class="lg:max-w-screen-xl lg:w-full lg:mx-auto px-8 lg:px-0 text-b1 lg:text-h1 font-semibold lg:font-normal lg:mb-10">Create an Organization</h1>
+    <div class="lg:max-w-screen-xl lg:w-full lg:mx-auto lg:flex lg:flex-row">
+
+      <%# mobile: main makes a full width section with a max width inner container %>
+      <main class="flex-1 w-full px-8 pt-10 mb-20 lg:p-0">
+        <div class="flex flex-col max-w-screen-xl w-full mx-auto lg:w-auto lg:mx-auto lg:p-10 lg:border lg:border-neutral-500 lg:rounded lg:bg-white lg:dark:bg-black">
+          <%= yield %>
+        </div>
+      </main>
+
+      <%# At mobile width, the aside is hidden %>
+      <aside class="hidden lg:flex flex-col w-96 px-8 lg:px-0 pb-6 lg:w-72 lg:ml-20 lg:mr-16 lg:mb-32 border-b border-neutral-400 dark:border-neutral-800 lg:border-none">
+        <%= yield :aside %>
+      </aside>
+    </div>
+  </div>
+<% end %>
+<%= render template: "layouts/hammy" %>
diff --git a/app/views/layouts/subject.html.erb b/app/views/layouts/subject.html.erb
new file mode 100644
index 00000000000..64f01248ec2
--- /dev/null
+++ b/app/views/layouts/subject.html.erb
@@ -0,0 +1,42 @@
+<%#
+  This is a subject focused layout, like a profile or organization where
+  the user or organization stays on the left side while the main content changes.
+  On mobile, the subject connects to the header in color and spacing, making
+  it clear that the subject content is part of the page context.
+%>
+<% content_for :main do %>
+  <div class="w-full px-8 pt-10 lg:pt-0 flex-col bg-white dark:bg-black lg:bg-neutral-050 lg:dark:bg-neutral-950 text-neutral-950 dark:text-neutral-050 text-b2 items-center">
+    <div class="max-w-screen-xl w-full mx-auto">
+      <!-- New design notice -->
+      <%= render AlertComponent.new(style: :neutral, closeable: true) do %>
+        Design Under Construction.
+        <a href="https://blog.rubygems.org/2024/10/15/our-new-design.html" class="text-blue-500 dark:text-blue-400 text-nowrap">Learn more</a>
+      <% end %>
+
+      <% flash.each do |name, msg| %>
+        <%= render AlertComponent.new(style: name, closeable: true) do %>
+          <%= flash_message(name, msg) %>
+        <% end %>
+      <% end %>
+    </div>
+  </div>
+
+  <%# At desktop width, these outer 2 divs make the full content background with 2 columns of content %>
+  <div class="flex-1 lg:w-full lg:px-8 bg-white dark:bg-black lg:bg-neutral-050 lg:dark:bg-neutral-950 text-neutral-950 dark:text-neutral-050 text-b2 items-center">
+    <div class="lg:max-w-screen-xl lg:w-full lg:mx-auto lg:flex lg:flex-row">
+      <%# At mobile width, the inner aside and main make two stacked full width sections %>
+      <aside class="w-full px-8 lg:px-0 pb-6 lg:w-72 lg:mx-0 lg:mb-32 bg-white dark:bg-black lg:bg-neutral-050 lg:dark:bg-neutral-950 border-b border-neutral-400 dark:border-neutral-800 lg:border-none">
+        <div class="flex flex-col max-w-screen-xl mx-auto w-full">
+          <%= yield :subject %>
+        </div>
+      </aside>
+
+      <main class="flex-1 w-full px-8 pt-10 lg:p-0 lg:ml-20 bg-neutral-050 dark:bg-neutral-950">
+        <div class="flex flex-col max-w-screen-xl w-full mx-auto">
+          <%= yield %>
+        </div>
+      </main>
+    </div>
+  </div>
+<% end %>
+<%= render template: "layouts/hammy" %>
diff --git a/app/views/mailer/admin_manual.html.erb b/app/views/mailer/admin_manual.html.erb
new file mode 100644
index 00000000000..e53371b916d
--- /dev/null
+++ b/app/views/mailer/admin_manual.html.erb
@@ -0,0 +1,20 @@
+<% @title = t(".title") %>
+
+<!-- Body -->
+<table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="#ffffff">
+  <tr>
+    <td class="content-spacing" style="font-size:0pt; line-height:0pt; text-align:left" width="20"></td>
+    <td>
+      <table width="100%" border="0" cellspacing="0" cellpadding="0" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%"><tr><td height="40" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%">&nbsp;</td></tr></table>
+
+      <div class="h3-1-center" style="color:#1e1e1e; font-family:Georgia, serif; min-width:auto !important; font-size:20px; line-height:26px; text-align:center">
+        <%= simple_format @body %><br />
+      </div>
+
+      <table width="100%" border="0" cellspacing="0" cellpadding="0" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%"><tr><td height="35" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%">&nbsp;</td></tr></table>
+
+    </td>
+    <td class="content-spacing" style="font-size:0pt; line-height:0pt; text-align:left" width="20"></td>
+  </tr>
+</table>
+<!-- END Body -->
diff --git a/app/views/mailer/admin_manual.text.erb b/app/views/mailer/admin_manual.text.erb
new file mode 100644
index 00000000000..9e66ef58e6d
--- /dev/null
+++ b/app/views/mailer/admin_manual.text.erb
@@ -0,0 +1,3 @@
+Hi <%= @user.handle %>
+
+<%= strip_tags @body %>
diff --git a/app/views/multifactor_auths/recovery.html.erb b/app/views/multifactor_auths/recovery.html.erb
index f1e46bec240..9a5fa4cbe06 100644
--- a/app/views/multifactor_auths/recovery.html.erb
+++ b/app/views/multifactor_auths/recovery.html.erb
@@ -1,18 +1,25 @@
 <% @title = t(".title") %>
 
-<div class="t-body">
+<%= tag.div(
+  class: "t-body",
+  data: {
+    controller: "clipboard",
+    clipboard_success_content_value: t('copied')
+  }
+) do %>
   <p><%= t ".note_html" %></p>
 
-  <ul id="recovery-code-list">
-    <% @mfa_recovery_codes.each do |code| %>
-      <li class="recovery-code-list__item"><%= code %></li>
-    <% end %>
-  </ul>
+  <%# This tag contains the recovery codes and should not be a part of the form %>
+  <%= text_area_tag "source", "#{@mfa_recovery_codes.join("\n")}\n", class: "recovery-code-list", rows: @mfa_recovery_codes.size + 1, cols: @mfa_recovery_codes.first.length + 1, readonly: true, data: { clipboard_target: "source" } %>
 
-  <p><%= link_to t(".copy"), "#/", class: "t-link--bold recovery__copy__icon", data: { "clipboard-target": "#recovery-code-list" } %></p>
-  <div class = "form__checkbox__item">
-    <%= check_box_tag "checked", "ack", false, class: "form__checkbox__input" %>
-    <%= label_tag "checked", t(".saved"), class: "form__checkbox__label" %>
-  </div>
-  <%= button_to t(".continue"), @continue_path, method: "get", class: "form__submit form__submit--no-hover", disabled: true %>
-</div>
+  <%= form_tag(@continue_path, method: "get", class: "form", data: { controller: "recovery", recovery_confirm_value: t(".confirm_dialog"), action: "recovery#submit" }) do %>
+    <p><%= link_to t("copy_to_clipboard"), "#/", class: "t-link--bold recovery__copy__icon", data: { action: "clipboard#copy recovery#copy", clipboard_target: "button" } %></p>
+
+    <div class = "form__checkbox__item">
+      <%= check_box_tag "checked", "ack", false, required: true, class: "form__checkbox__input" %>
+      <%= label_tag "checked", t(".saved"), class: "form__checkbox__label" %>
+    </div>
+
+    <%= button_tag t(".continue"), class: "form__submit form__submit--no-hover" %>
+  <% end %>
+<% end %>
diff --git a/app/views/oidc/api_key_roles/github_actions_workflow_view.rb b/app/views/oidc/api_key_roles/github_actions_workflow_view.rb
index a7032b28e00..c250501599c 100644
--- a/app/views/oidc/api_key_roles/github_actions_workflow_view.rb
+++ b/app/views/oidc/api_key_roles/github_actions_workflow_view.rb
@@ -15,7 +15,7 @@ def view_template
 
     return if not_configured
 
-    div(class: "t-body") do
+    div(class: "t-body", data: { controller: "clipboard", clipboard_success_content_value: "✔" }) do
       p do
         t(".configured_for_html", link_html:
           single_gem_role? ? helpers.link_to(gem_name, rubygem_path(gem_name)) : t(".a_gem"))
@@ -30,12 +30,14 @@ def view_template
 
       header(class: "gem__code__header") do
         h3(class: "t-list__heading l-mb-0") { code { ".github/workflows/push_gem.yml" } }
-        button(class: "gem__code__icon", data: { "clipboard-target": "#workflow_yaml" }) { "=" }
-        span(class: "gem__code__tooltip--copy") { t("copy_to_clipboard") }
-        span(class: "gem__code__tooltip--copied") { t("copied") }
+        button(
+          class: "gem__code__icon",
+          title: t("copy_to_clipboard"),
+          data: { action: "click->clipboard#copy", clipboard_target: "button" }
+        ) { "=" }
       end
       pre(class: "gem__code multiline") do
-        code(class: "multiline", id: "workflow_yaml") do
+        code(class: "multiline", id: "workflow_yaml", data: { clipboard_target: "source" }) do
           plain workflow_yaml
         end
       end
diff --git a/app/views/oidc/id_tokens/show_view.rb b/app/views/oidc/id_tokens/show_view.rb
index 995222b359d..a151197509c 100644
--- a/app/views/oidc/id_tokens/show_view.rb
+++ b/app/views/oidc/id_tokens/show_view.rb
@@ -1,11 +1,10 @@
 # frozen_string_literal: true
 
 class OIDC::IdTokens::ShowView < ApplicationView
-  extend Dry::Initializer
   include Phlex::Rails::Helpers::TimeTag
   include Phlex::Rails::Helpers::LinkTo
 
-  option :id_token
+  prop :id_token, reader: :public
 
   def view_template # rubocop:disable Metrics/AbcSize
     self.title = t(".title")
diff --git a/app/views/oidc/pending_trusted_publishers/index_view.rb b/app/views/oidc/pending_trusted_publishers/index_view.rb
index 60343a55cd9..903f15db369 100644
--- a/app/views/oidc/pending_trusted_publishers/index_view.rb
+++ b/app/views/oidc/pending_trusted_publishers/index_view.rb
@@ -5,9 +5,8 @@ class OIDC::PendingTrustedPublishers::IndexView < ApplicationView
   include Phlex::Rails::Helpers::ContentFor
   include Phlex::Rails::Helpers::DistanceOfTimeInWordsToNow
   include Phlex::Rails::Helpers::LinkTo
-  extend Dry::Initializer
 
-  option :trusted_publishers
+  prop :trusted_publishers, reader: :public
 
   def view_template
     title_content
diff --git a/app/views/oidc/pending_trusted_publishers/new_view.rb b/app/views/oidc/pending_trusted_publishers/new_view.rb
index e9485d61e4a..76b2b259b02 100644
--- a/app/views/oidc/pending_trusted_publishers/new_view.rb
+++ b/app/views/oidc/pending_trusted_publishers/new_view.rb
@@ -6,9 +6,7 @@ class OIDC::PendingTrustedPublishers::NewView < ApplicationView
   include Phlex::Rails::Helpers::OptionsForSelect
   include Phlex::Rails::Helpers::FormWith
 
-  extend Dry::Initializer
-
-  option :pending_trusted_publisher
+  prop :pending_trusted_publisher, reader: :public
 
   def view_template
     self.title = t(".title")
diff --git a/app/views/oidc/rubygem_trusted_publishers/index_view.rb b/app/views/oidc/rubygem_trusted_publishers/index_view.rb
index 3619836663f..42816591196 100644
--- a/app/views/oidc/rubygem_trusted_publishers/index_view.rb
+++ b/app/views/oidc/rubygem_trusted_publishers/index_view.rb
@@ -5,10 +5,9 @@ class OIDC::RubygemTrustedPublishers::IndexView < ApplicationView
   include Phlex::Rails::Helpers::LinkTo
   include Phlex::Rails::Helpers::ContentFor
   include OIDC::RubygemTrustedPublishers::Concerns::Title
-  extend Dry::Initializer
 
-  option :rubygem
-  option :trusted_publishers
+  prop :rubygem, reader: :public
+  prop :trusted_publishers, reader: :public
 
   def view_template
     title_content
diff --git a/app/views/oidc/rubygem_trusted_publishers/new_view.rb b/app/views/oidc/rubygem_trusted_publishers/new_view.rb
index f4280aa771a..0c976a06ae9 100644
--- a/app/views/oidc/rubygem_trusted_publishers/new_view.rb
+++ b/app/views/oidc/rubygem_trusted_publishers/new_view.rb
@@ -8,9 +8,7 @@ class OIDC::RubygemTrustedPublishers::NewView < ApplicationView
   include Phlex::Rails::Helpers::SelectTag
   include OIDC::RubygemTrustedPublishers::Concerns::Title
 
-  extend Dry::Initializer
-
-  option :rubygem_trusted_publisher
+  prop :rubygem_trusted_publisher, reader: :public
 
   def view_template
     title_content
diff --git a/app/views/organizations/onboarding/_progress.html.erb b/app/views/organizations/onboarding/_progress.html.erb
new file mode 100644
index 00000000000..0b6455ea67f
--- /dev/null
+++ b/app/views/organizations/onboarding/_progress.html.erb
@@ -0,0 +1,6 @@
+<%= render Onboarding::StepsComponent.new(current_step) do |s| %>
+  <%= s.step "Name", organization_onboarding_name_path %>
+  <%= s.step "Gems", organization_onboarding_gems_path %>
+  <%= s.step "Members", organization_onboarding_users_path %>
+  <%= s.step "Finalize", organization_onboarding_confirm_path %>
+<% end %>
diff --git a/app/views/organizations/onboarding/_summary.html.erb b/app/views/organizations/onboarding/_summary.html.erb
new file mode 100644
index 00000000000..30f5a3b2c7d
--- /dev/null
+++ b/app/views/organizations/onboarding/_summary.html.erb
@@ -0,0 +1,71 @@
+<% current_step ||= 1 %>
+
+<!-- Summary Header -->
+<div class="flex justify-between items-center mb-6">
+  <h2 class="text-h4">Summary</h2>
+</div>
+
+<%# Name Section %>
+<div class="mb-6">
+  <div class="flex justify-between items-center">
+    <h3 class="text-b1 text-neutral-900 dark:text-white">Name</h3>
+    <% if current_step > 1 %>
+      <%= link_to "edit", organization_onboarding_name_path, class: "text-orange-500" %>
+    <% end %>
+  </div>
+  <div class="mt-4">
+    <p class="flex justify-between">
+      <span class="font-semibold">Org handle</span>
+      <span class="text-neutral-700 dark:text-neutral-300 ml-2"><%= @organization_onboarding.organization_handle %></span>
+    </p>
+    <p class="flex justify-between mt-2">
+      <span class="font-semibold">Org name</span>
+      <span class="text-neutral-700 dark:text-neutral-300 ml-2"><%= @organization_onboarding.organization_name %></span>
+    </p>
+  </div>
+</div>
+<hr class="border-neutral-400 my-6">
+
+<%# Gems Section %>
+<div class="mb-6">
+  <div class="flex justify-between items-center">
+    <h3 class="text-b1 text-neutral-900 dark:text-white">
+      Gems
+      <span class="text-neutral-600 font-light ml-1"><%= @organization_onboarding.selected_rubygems.size %></span>
+    </h3>
+    <% if current_step > 2 %>
+      <%= link_to "edit", organization_onboarding_gems_path, class: "text-orange-500" %>
+    <% end %>
+  </div>
+  <ul class="mt-4">
+    <% @organization_onboarding.selected_rubygems.each do |gem| %>
+      <li class="mt-2 text-neutral-800 dark:text-neutral-200"><%= gem.name %></li>
+    <% end %>
+  </ul>
+</div>
+<hr class="border-neutral-400 my-6">
+
+<%# People Section %>
+<div class="mb-6">
+  <div class="flex justify-between items-center">
+    <h3 class="text-b1 text-neutral-900 dark:text-white">
+      People
+      <span class="text-neutral-600 font-light ml-1"><%= approved_invites.size %></span>
+    </h3>
+    <% if current_step > 3 %>
+      <%= link_to "edit", organization_onboarding_users_path, class: "text-orange-500" %>
+    <% end %>
+  </div>
+  <ul class="mt-2 items-center space-y-4">
+    <% approved_invites.each do |invite| %>
+      <% user = invite.user %>
+      <li class="flex flex-row w-full justify-between">
+        <span class="flex flex-row items-center">
+          <%= avatar 48, "gravatar-#{user.id}", user, theme: :dark, class: "h-6 w-6 rounded mr-2 inline-block" %>
+          <span class="text-neutral-800 dark:text-white"><%= user.handle %></span>
+        </span>
+        <span class="text-neutral-500"><%= invite.role %></span>
+      </li>
+    <% end %>
+  </ul>
+</div>
diff --git a/app/views/organizations/onboarding/confirm/edit.html.erb b/app/views/organizations/onboarding/confirm/edit.html.erb
new file mode 100644
index 00000000000..ad5c9540f08
--- /dev/null
+++ b/app/views/organizations/onboarding/confirm/edit.html.erb
@@ -0,0 +1,17 @@
+<%= render "organizations/onboarding/progress", current_step: 4 %>
+
+<h2 class="text-h4 mb-10">Finalize</h2>
+
+<p class="mb-10">Review the summary and confirm everything looks good.</p>
+<p>Your Org handle is permanent, and will require support to update beyond this point. Everything else can be updated any time.</p>
+
+<div class="mt-10">
+  <%= render "organizations/onboarding/summary", current_step: 4 %>
+</div>
+
+<%= form_with(model: @organization_onboarding, url: organization_onboarding_confirm_path, method: :patch) do |form| %>
+  <div class="flex border-t border-neutral-400 lg:-mx-10 lg:px-10 pt-10 mt-10 justify-between">
+    <%= render ButtonComponent.new("Back", organization_onboarding_users_path, type: :link, color: :neutral, style: :outline) %>
+    <%= render ButtonComponent.new("Create Org", type: :submit, style: :fill) %>
+  </div>
+<% end %>
diff --git a/app/views/organizations/onboarding/gems/edit.html.erb b/app/views/organizations/onboarding/gems/edit.html.erb
new file mode 100644
index 00000000000..0e93f074b28
--- /dev/null
+++ b/app/views/organizations/onboarding/gems/edit.html.erb
@@ -0,0 +1,56 @@
+<% content_for :aside do %>
+  <%= render "organizations/onboarding/summary", current_step: 2 %>
+<% end %>
+
+<%= render "organizations/onboarding/progress", current_step: 2 %>
+
+<h2 class="text-h4 mb-10">Add gems to your Org</h2>
+
+<%= form_with(model: @organization_onboarding, url: organization_onboarding_gems_path, method: :patch, data: { controller: "onboarding-gems counter" }) do |form| %>
+  <div class="border border-neutral-700 dark:border-neutral-300 rounded-lg" data-controller="checkbox-select-all">
+    <div class="flex flex-row p-4 w-full border-b border-neutral-700 dark:border-neutral-300 justify-between items-center">
+      <h3 class="text-b2 font-semibold">Gems<span data-counter-target="counter" class="ml-2 font-light text-neutral-600"><%= @organization_onboarding.rubygems.size %></span></h3>
+      <label class="flex items-center">
+        <span class="mr-3">Select all</span>
+        <input
+          type="checkbox"
+          data-checkbox-select-all-target="checkboxAll"
+          class="h-5 w-5 fill-white text-orange-500 bg-white dark:bg-black border-neutral-500 rounded focus:ring-2 focus:ring-orange-500 rounded disabled:text-neutral-700 dark:disabled:text-neutral-700"
+        />
+      </label>
+    </div>
+    <ul class="divide-y divide-neutral-300 dark:divide-neutral-700">
+      <% available_rubygems.each do |gem| %>
+        <% required = @organization_onboarding.namesake_rubygem == gem %>
+
+        <li class="flex items-center">
+          <label class="flex w-full px-4 py-2 items-center justify-between space-x-2">
+            <span class="flex">
+              <span class="text-neutral-800 dark:text-white"><%= gem.name %></span>
+              <% if required %>
+                <span class="flex flex-row text-xs text-neutral-900 bg-orange-100 dark:text-white dark:bg-orange-900 px-2 py-0.5 rounded ml-2">Required</span>
+              <% end %>
+            </span>
+            <%
+              data = { counter_target: "checked" }
+              data[:checkbox_select_all_target] = "checkbox" unless required
+            %>
+            <%= check_box_tag(
+              "organization_onboarding[rubygems][]",
+              gem.id,
+              @organization_onboarding.rubygems.include?(gem.id),
+              class: "h-5 w-5 fill-white text-orange-500 bg-white dark:bg-black border-neutral-500 rounded focus:ring-2 focus:ring-orange-500 rounded disabled:text-neutral-700 dark:disabled:text-neutral-700",
+              disabled: required,
+              data: data,
+            ) %>
+          </label>
+        </li>
+      <% end %>
+    </ul>
+  </div>
+
+  <div class="flex border-t border-neutral-400 lg:-mx-10 lg:px-10 pt-10 mt-10 justify-between">
+    <%= render ButtonComponent.new("Back", organization_onboarding_name_path, type: :link, color: :neutral, style: :outline) %>
+    <%= render ButtonComponent.new("Continue", type: :submit, style: :outline) %>
+  </div>
+<% end %>
diff --git a/app/views/organizations/onboarding/name/new.html.erb b/app/views/organizations/onboarding/name/new.html.erb
new file mode 100644
index 00000000000..54c05540067
--- /dev/null
+++ b/app/views/organizations/onboarding/name/new.html.erb
@@ -0,0 +1,96 @@
+<% content_for :aside do %>
+  <%= render "organizations/onboarding/summary", current_step: 1 %>
+<% end %>
+
+<%= render "organizations/onboarding/progress", current_step: 1 %>
+
+<h2 class="text-h4 mb-10">Name your Organization</h2>
+
+<p class="mb-10">
+  Choose a name for your Organization.
+  <br>
+  This name will be used as the URL for your Organization's page and will eventually become its namespace.
+</p>
+
+<%= form_with(model: @organization_onboarding, url: organization_onboarding_name_path, method: :post, data: { controller: "onboarding-name" }) do |form| %>
+  <h3 class="text-b2 font-semibold mb-2">Name your org using:</h3>
+
+  <div class="flex w-full space-x-4 mb-10" data-controller="scroll">
+    <label class="flex-1 border-2 rounded-lg p-4 text-center dark:border-neutral-700 has-[:checked]:border-orange-500">
+      <%= form.radio_button(:name_type, "gem", class: "hidden peer", data: { onboarding_name_target: "radio", action: "onboarding-name#gemname scroll#scroll" }, required: true, checked: true) %>
+      <div class="text-neutral-800 dark:text-neutral-400 peer-checked:text-orange-500">
+        <%= icon_tag "gems", size: 10, class: "mx-auto mb-2" %>
+      </div>
+      <span class="dark:text-neutral-400 peer-checked:font-semibold dark:peer-checked:text-white">a gem you own</span>
+    </label>
+    <%# Username option is disabled at first %>
+    <div class="hidden">
+      <label class="flex-1 border-2 rounded-lg p-4 text-center dark:border-neutral-700 has-[:checked]:border-orange-500">
+        <%= form.radio_button(:name_type, "user", class: "hidden peer", data: { onboarding_name_target: "radio", action: "onboarding-name#username scroll#scroll" }, required: true, disabled: true) %>
+        <div class="text-neutral-800 dark:text-neutral-400 peer-checked:text-orange-500">
+          <%= icon_tag "account-box", size: 10, class: "mx-auto mb-2" %>
+        </div>
+        <span class="dark:text-neutral-400 peer-checked:font-semibold dark:peer-checked:text-white">your username</span>
+      </label>
+    </div>
+  </div>
+
+  <div class="hidden mb-10" data-onboarding-name-target="gemname">
+    <p class="mb-2">
+      Select one of your gems to use as your Organization handle.
+      <br>
+      Changing this later will require help from RubyGems.org support.
+    </p>
+    <label class="flex flex-col xl:flex-row items-center rounded-lg border border-neutral-400 dark:border-neutral-600 overflow-hidden">
+      <span class="flex h-11 pl-4 pr-1 text-neutral-700 w-full xl:w-auto items-center bg-neutral-100 dark:text-neutral-300 dark:bg-neutral-900 border-b xl:border-b-0 xl:border-r border-neutral-400 dark:border-neutral-600">
+        rubygems.org/organizations/
+      </span>
+      <%= form.select(
+        :organization_handle,
+        available_rubygems.map(&:name),
+        { prompt: "select..." },
+        {
+          required: true,
+          class: "flex-1 w-full h-11 text-b2 px-4 xl:px-2 bg-white border-none dark:bg-neutral-950 rounded-b-lg xl:rounded-bl-none xl:rounded-r-lg outline-none appearance-none focus:ring-inset focus:ring-1 focus:ring-orange-500",
+          data: { action: "onboarding-name#updateDisplayname" }
+        }
+      ) %>
+    </label>
+  </div>
+
+  <div class="hidden mb-10" data-onboarding-name-target="username">
+    <p class="mb-10">
+      Your username will be used for your Organization handle.
+      <br>
+      Changing this later may require help from RubyGems.org support.
+    </p>
+    <label class="flex flex-col lg:flex-row overflow-hidden items-center">
+      <span class="flex h-11 px-4 text-neutral-700 box-border w-full lg:w-auto rounded-t-lg lg:rounded-l-lg border lg:border-r-0 border-neutral-400 dark:border-neutral-600 items-center bg-neutral-100 dark:text-neutral-300 dark:bg-neutral-900">rubygems.org/organizations/</span>
+      <%= text_field_tag(
+        :disabled_username,
+        current_user.name,
+        disabled: true,
+        class: "flex-1 w-full h-11 text-b2 px-4 lg:px-2 bg-white dark:bg-neutral-950 rounded-b-lg lg:rounded-r-lg outline-none appearance-none placeholder:italic placeholder:text-neutral-400 focus:ring-inset focus:ring-1 focus:ring-orange-500",
+      ) %>
+    </label>
+  </div>
+
+  <div class="hidden" data-onboarding-name-target="reveal">
+    <%= form.label :organization_name, "Display Name", class: "block text-b2 font-semibold mb-2" %>
+    <p class="mb-2">We suggest a name based on your selection. You can update this at any time.<p>
+    <%= form.text_field(
+      :organization_name,
+      placeholder: "Select a gem name first",
+      class: "w-full text-b2 rounded-lg dark:bg-neutral-950 focus:ring-inset focus:ring-1 focus:ring-orange-500",
+      required: true,
+      autocomplete: "organization",
+      data: { onboarding_name_target: "displayname", action: "onboarding-name#validate" },
+    ) %>
+  </div>
+
+
+  <div class="flex border-t border-neutral-400 lg:-mx-10 lg:px-10 pt-10 mt-10 justify-between">
+    <%= render ButtonComponent.new("Cancel", organization_onboarding_path, type: :link, color: :neutral, style: :outline, method: :delete) %>
+    <%= render ButtonComponent.new("Continue", type: :submit, style: :outline, data: { onboarding_name_target: "submit" }) %>
+  </div>
+<% end %>
diff --git a/app/views/organizations/onboarding/users/edit.html.erb b/app/views/organizations/onboarding/users/edit.html.erb
new file mode 100644
index 00000000000..0f1be2b5b93
--- /dev/null
+++ b/app/views/organizations/onboarding/users/edit.html.erb
@@ -0,0 +1,96 @@
+<% content_for :aside do %>
+  <%= render "organizations/onboarding/summary", current_step: 3 %>
+<% end %>
+
+<%= render "organizations/onboarding/progress", current_step: 3 %>
+
+<h2 class="text-h4 mb-10">Manage Members</h2>
+
+<p class="mb-10">
+  Below we have listed all the owners of the gems you selected.
+  If you do nothing, these existing owners will remain owners of their gems.
+  You can invite them to join the organization now or you can add members later.
+</p>
+
+<div data-controller="reveal" data-reveal-toggle-class="rotate-180" class="mb-10">
+  <p class="text-b2 font-neutral-600">
+    <%= render ButtonComponent.new(type: :button, color: :neutral, style: :plain, data: { action: "reveal#toggle" }) do %>
+      <%= icon_tag "keyboard-arrow-down", class:"transition-transform transform mr-1", data: { reveal_target: "toggle" } %>
+      <%= "Permission Details" %>
+    <% end %>
+  </p>
+
+  <div class="border border-orange-500 rounded-lg overflow-hidden mt-2" data-reveal-target="item">
+    <div class="bg-orange-100 text-orange-800 font-semibold text-center py-2">
+      Outside Contributor
+    </div>
+    <div class="px-4 py-3 text-b3 text-neutral-800 dark:text-white">
+      <p><b>Outside Contributors</b> are non-members that maintain ownership of their gems in this org.</p>
+      <p class="text-b4 text-neutral-500 mt-1 italic">
+        * If you make no changes, gem ownership will remain unaltered for everyone else.
+      </p>
+    </div>
+
+    <div class="bg-orange-200 text-orange-800 font-semibold text-center py-2">
+      Maintainer
+    </div>
+    <div class="px-4 py-3 text-b3 text-neutral-800 dark:text-white">
+      <p><b>Maintainers</b> can publish and manage any gem owned by the organization</p>
+    </div>
+
+    <div class="bg-orange-300 text-orange-800 font-semibold text-center py-2">
+      Admin
+    </div>
+    <div class="px-4 py-3 text-b3 text-neutral-800 dark:text-white">
+      <p><b>Admins</b> can publish and manage any gem owned by the organization and:</p>
+      <p>Manage organization teams, outside contributors and individual gems.</p>
+      <p class="text-b4 text-neutral-500 mt-1 italic">
+        * An admin cannot remove a gem from the organization or manage organization settings.
+      </p>
+    </div>
+
+    <div class="bg-orange-400 text-orange-800 font-semibold text-center py-2">
+      Owner
+    </div>
+    <div class="px-4 py-3 text-b3 text-neutral-800 dark:text-white">
+      <b>Owners</b> can add other owners to the organization and remove gems from the organization.
+    </div>
+  </div>
+</div>
+
+<%= form_with(model: @organization_onboarding, url: organization_onboarding_users_path, method: :patch) do |form| %>
+  <ul>
+    <li class="flex w-full py-3 pl-[11px] pr-10 justify-between box-border border border-neutral-400 rounded-lg">
+      <span class="flex flex-row items-center">
+        <%= avatar 48, "gravatar-#{@organization_onboarding.created_by.id}", theme: :dark, class: "h-6 w-6 rounded mr-2" %>
+        <span><%= @organization_onboarding.created_by.handle %></span>
+      </span>
+      <span>Owner</span>
+    </li>
+    <%= form.fields_for :invites do |invite_fields| %>
+      <% user = invite_fields.object.user %>
+      <li class="flex w-full py-3 pl-3 justify-between items-center" data-user-handle="<%= user.handle %>">
+        <%= invite_fields.label :role, class: "flex flex-row items-center h-11" do %>
+          <%= avatar 48, "gravatar-#{user.id}", user, theme: :dark, class: "h-6 w-6 rounded mr-2" %>
+          <span class="text-b2"><%= user.handle %></span>
+        <% end %>
+        <%= invite_fields.select(
+          :role,
+          role_options,
+          { include_blank: "select role" },
+          style: "text-align-last: right;",
+          class: "text-b2 rounded-lg appearance-none outline-none bg-white dark:bg-black border-none h-11 text-right focus:ring-2 focus:ring-inset focus:ring-orange"
+        ) %>
+        <%= invite_fields.hidden_field :id %>
+      </li>
+    <% end %>
+  </ul>
+
+  <div class="flex border-t border-neutral-400 lg:-mx-10 lg:px-10 pt-10 mt-10 justify-between">
+    <%= render ButtonComponent.new("Back", organization_onboarding_gems_path, type: :link, color: :neutral, style: :outline) %>
+    <span class="space-x-2">
+      <%= render ButtonComponent.new("Skip for now", organization_onboarding_confirm_path, type: :link, color: :neutral, style: :plain) %>
+      <%= render ButtonComponent.new("Continue", type: :submit, style: :outline) %>
+    </span>
+  </div>
+<% end %>
diff --git a/app/views/owners/_owners_table.html.erb b/app/views/owners/_owners_table.html.erb
index ec78a4160d5..4ad86899233 100644
--- a/app/views/owners/_owners_table.html.erb
+++ b/app/views/owners/_owners_table.html.erb
@@ -13,6 +13,9 @@
     <th class="owners__cell">
       <%= t("owners.index.added_by") %>
     </th>
+    <th class="owners__cell">
+      <%= t("owners.index.role") %>
+    </th>
     <th class="owners__cell">
       <%= t("owners.index.confirmed_at") %>
     </th>
@@ -40,6 +43,9 @@
       <td class="owners__cell" data-title="Added By">
         <%= ownership.authorizer_name %>
       </td>
+      <td class="owners__cell" data-title="Role">
+        <%= Ownership.human_attribute_name("role.#{ownership.role}") %>
+      </td>
       <td class="owners__cell" data-title="Confirmed At">
         <%= ownership.confirmed_at.strftime("%Y-%m-%d %H:%M %Z") if ownership.confirmed? %>
       </td>
@@ -49,6 +55,12 @@
           method: "delete",
           data: { confirm: t("owners.index.confirm_remove") },
           class: "form__submit form__submit--small" %>
+        <br/>
+        <%= button_to "Edit",
+          edit_rubygem_owner_path(@rubygem.name, ownership.user.display_id),
+          disabled: ownership.user == current_user,
+          method: "get",
+          class: "form__submit form__submit--small" %>
       </td>
     </tr>
   <% end %>
diff --git a/app/views/owners/edit.html.erb b/app/views/owners/edit.html.erb
new file mode 100644
index 00000000000..e1e7bfcd9d4
--- /dev/null
+++ b/app/views/owners/edit.html.erb
@@ -0,0 +1,21 @@
+<% @title = t('.title') %>
+<% @roles = Ownership.roles.map { |k,_| [Ownership.human_attribute_name("role.#{k}"), k] } %>
+
+<%= form_tag rubygem_owner_path(rubygem_id: @rubygem.slug, owner_id: @ownership.user.display_id), method: :patch do |form| %>
+  <%= error_messages_for(@ownership) %>
+
+  <div class="text_field">
+    <%= label_tag :display_id, "User", class: 'form__label' %>
+    <%= text_field_tag :display_id, @ownership.user.display_id, disabled: true, :class => 'form__input' %>
+  </div>
+
+  <div class="text_field">
+    <%= label_tag :role, t(".role"), class: 'form__label' %>
+    <br/>
+    <%= select_tag :role, options_for_select(@roles, @ownership.role), class: "form__input form__select"  %>
+  </div>
+
+  <div class="submit_field">
+    <%= submit_tag 'Update', :data => {:disable_with => t('form_disable_with')}, :class => 'form__submit' %>
+  </div>
+<% end %>
diff --git a/app/views/owners/index.html.erb b/app/views/owners/index.html.erb
index 75bc1084b47..957f5a24daa 100644
--- a/app/views/owners/index.html.erb
+++ b/app/views/owners/index.html.erb
@@ -1,5 +1,6 @@
 <% @title = @rubygem.name %>
 <% @subtitle = t(".info", gem: @rubygem.name) %>
+<% @roles = Ownership.roles.map { |k,_| [Ownership.human_attribute_name("role.#{k}"), k] } %>
 
 <div class="t-body">
   <%= render "owners_table" %>
@@ -14,6 +15,11 @@
       <%= label_tag :handle, t(".email_field"), class: "form__label" %>
       <%= text_field_tag :handle, nil, class: "form__input", required: true %>
     </div>
+    <div class="text_field">
+      <%= label_tag :role, t(".role_field"), class: "form__label" %>
+      <br/>
+      <%= select_tag :role, options_for_select(@roles), class: "form__input form__select" %>
+    </div>
     <div class="submit_field">
       <%= submit_tag t(".submit_button"), data: {disable_with: t("form_disable_with")}, class: "form__submit" %>
     </div>
diff --git a/app/views/owners_mailer/owner_updated.html.erb b/app/views/owners_mailer/owner_updated.html.erb
new file mode 100644
index 00000000000..9c7a8a1e286
--- /dev/null
+++ b/app/views/owners_mailer/owner_updated.html.erb
@@ -0,0 +1,40 @@
+<% @title = t("mailer.owner_updated.title") %>
+<% @sub_title = t("mailer.owner_updated.subtitle", user_handle: @user.handle) %>
+
+<!-- Body -->   
+<table width="100%" border="0" cellspacing="0" cellpadding="0" bgcolor="#ffffff">
+  <tr>
+    <td class="content-spacing" style="font-size:0pt; line-height:0pt; text-align:left" width="20"></td>
+    <td>
+      <div class="h3-1-center" style="color:#1e1e1e; font-family:Georgia, serif; min-width:auto !important; font-size:20px; line-height:26px;">
+        <br>
+        <p>
+          <%= t("mailer.owner_updated.body_html", gem: @rubygem.name, host: Gemcutter::HOST_DISPLAY, role: Ownership.human_attribute_name("role.#{@ownership.role}")) %>
+        </p>
+        <table width="100%" border="0" cellspacing="0" cellpadding="0" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%"><tr><td height="35" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%">&nbsp;</td></tr></table>
+
+        <p>If this change is expected, you do not need to take further action.</p>
+        <p>
+          <strong>Only if this change is unexpected</strong>
+          please take immediate steps to secure your account and gems:
+        </p>
+
+        <%= render "mailer/compromised_instructions" do %>
+          <li>Look out for unexpected changes to your gems on RubyGems.org</li>
+        <% end %>
+
+        <p>
+          <em>
+            To stop receiving these messages, update your <%= link_to("email notification settings", notifier_url) %>.
+          </em>
+        </p>
+      </div>
+
+      <table width="100%" border="0" cellspacing="0" cellpadding="0" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%"><tr><td height="30" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%">&nbsp;</td></tr></table>
+
+      <table width="100%" border="0" cellspacing="0" cellpadding="0" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%"><tr><td height="35" class="spacer" style="font-size:0pt; line-height:0pt; text-align:center; width:100%; min-width:100%">&nbsp;</td></tr></table>
+
+    </td>
+    <td class="content-spacing" style="font-size:0pt; line-height:0pt; text-align:left" width="20"></td>
+  </tr>
+</table>
diff --git a/app/views/owners_mailer/owner_updated.text.erb b/app/views/owners_mailer/owner_updated.text.erb
new file mode 100644
index 00000000000..b68561ccfd8
--- /dev/null
+++ b/app/views/owners_mailer/owner_updated.text.erb
@@ -0,0 +1,5 @@
+<%= t("mailer.owner_updated.subtitle", user_handle: @user.handle) %>
+
+<%= t("mailer.owner_updated.body_text", gem: @rubygem.name, host: Gemcutter::HOST_DISPLAY, role: Ownership.human_attribute_name("role.#{@ownership.role}")) %>
+
+<%= rubygem_owners_url(@rubygem.slug) %>
diff --git a/app/views/ownership_calls/_close.html.erb b/app/views/ownership_calls/_close.html.erb
index af7ddc1001f..1d9b5e119a4 100644
--- a/app/views/ownership_calls/_close.html.erb
+++ b/app/views/ownership_calls/_close.html.erb
@@ -1,3 +1,3 @@
-<% if ownership_call.rubygem.owned_by?(current_user) %>
+<% if policy(ownership_call).close? %>
   <div><%= button_to t("ownership_calls.close"), close_rubygem_ownership_calls_path(ownership_call.rubygem.slug), method: :patch, class: "form__submit form__submit--medium" %></div>
 <% end %>
diff --git a/app/views/ownership_requests/_list.html.erb b/app/views/ownership_requests/_list.html.erb
index a0cdd088204..4481cf4ec4a 100644
--- a/app/views/ownership_requests/_list.html.erb
+++ b/app/views/ownership_requests/_list.html.erb
@@ -4,7 +4,7 @@
   </h2>
 </div>
 
-<% if @rubygem.owned_by?(current_user) %>
+<% if policy(@rubygem).manage_adoption? %>
   <div class="t-list__items">
     <%= render(partial: "ownership_requests/owner", layout: "ownership_requests/ownership_request", collection: @ownership_requests, as: :ownership_request, locals: { show_user: true, show_gem: false }) || t("ownership_requests.no_ownership_requests", gem: @rubygem.name) %>
   </div>
diff --git a/app/views/pages/about.html.erb b/app/views/pages/about.html.erb
index 115142f8cad..e654a2f3e20 100644
--- a/app/views/pages/about.html.erb
+++ b/app/views/pages/about.html.erb
@@ -1,11 +1,11 @@
 <% @title = t('.title') %>
 
-<div class="l-colspan t-body">
+<%= prose do %>
   <p><%= t '.purpose.header', :site => t('title') %></p>
-  <ol class="t-numbered-items">
-    <li class="t-numbered-item"><%= t '.purpose.better_api' %></li>
-    <li class="t-numbered-item"><%= t '.purpose.transparent_pages' %></li>
-    <li class="t-numbered-item"><%= t '.purpose.enable_community' %></li>
+  <ol class="list-decimal">
+    <li><%= t '.purpose.better_api' %></li>
+    <li><%= t '.purpose.transparent_pages' %></li>
+    <li><%= t '.purpose.enable_community' %></li>
   </ol>
   <p>
     <%= t('.founding_html', :founder => link_to('Nick Quaranto', 'https://twitter.com/qrush'),
@@ -28,16 +28,9 @@
                              ) %>
   </p>
 
-  <div class="hide-assets">
-    <h2 class="about__assets__heading"><%= t('.logo_header') %></h2>
-    <p><%= t('.logo_details') %></p>
-    <div class="about__assets-wrap">
-      <div class="about__assets">
-        <svg class="about__asset" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 200" enable-background="new 0 0 200 200"><g fill="#ffffff"><path d="M68.8 69.9l-.1-.1-22.2 22.2 53.9 53.8 22.2-22.1 31.7-31.7-22.2-22.2v-.1h-63.4zM100.2 10.6l-78.5 45v90l78.5 45 78.5-45v-90l-78.5-45zm63.5 126.4l-63.5 36.6-63.5-36.6v-73l63.5-36.6 63.5 36.6v73z"/></g></svg>
-        <svg class="about__asset" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 200" enable-background="new 0 0 200 200"><g fill="#141c22"><path d="M68.8 69.9l-.1-.1-22.2 22.2 53.9 53.8 22.2-22.1 31.7-31.7-22.2-22.2v-.1h-63.4zM100.2 10.6l-78.5 45v90l78.5 45 78.5-45v-90l-78.5-45zm63.5 126.4l-63.5 36.6-63.5-36.6v-73l63.5-36.6 63.5 36.6v73z"/></g></svg>
-        <svg class="about__asset" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 200 200" enable-background="new 0 0 200 200"><g fill="#e9573f"><path d="M68.8 69.9l-.1-.1-22.2 22.2 53.9 53.8 22.2-22.1 31.7-31.7-22.2-22.2v-.1h-63.4zM100.2 10.6l-78.5 45v90l78.5 45 78.5-45v-90l-78.5-45zm63.5 126.4l-63.5 36.6-63.5-36.6v-73l63.5-36.6 63.5 36.6v73z"/></g></svg>
-      </div>
-      <a href="/logos.zip" download="RubyGems Assets.zip" class="about__assets__download" data-icon=">"><%= t('rubygems.aside.links.download') %></a>
-    </div>
+  <h2 class="about__assets__heading"><%= t('.logo_header') %></h2>
+  <p><%= t('.logo_details') %></p>
+  <div class="about__assets-wrap">
+    <%= render ButtonComponent.new t('rubygems.aside.links.download'), "/logos.zip", type: :link %>
   </div>
-</div>
+<% end %>
diff --git a/app/views/pages/data.html.erb b/app/views/pages/data.html.erb
index b3d820b82ba..c447164d503 100644
--- a/app/views/pages/data.html.erb
+++ b/app/views/pages/data.html.erb
@@ -1,10 +1,19 @@
 <% @title = t('.title') %>
 
-<div class="t-body" id="data-dump">
-  <p>We provide weekly dumps of the RubyGems.org PostgreSQL data. This dump is sanitized, removing all user information.</p>
-  <p>The <a href="https://github.com/rubygems/rubygems.org/tree/master/script/load-pg-dump">load-pg-dump</a> script is
-     available as an example of how to to download and load the most recent weekly dump.</p>
-  <ul class="rubygems-dump-listing-postgresql"></ul>
-  <p>We also provide weekly dumps of the historial RubyGems.org Redis data. (We do not use redis anymore but these are here for historical purposes.)</p>
-  <ul class="rubygems-dump-listing-redis"></ul>
+<div class="flex flex-col space-y-10 max-w-3xl mx-auto" id="data-dump">
+  <%= render CardComponent.new do |c| %>
+    <%= c.head("PostgreSQL Data", icon: :history) %>
+    <%= prose do |user| %>
+      <p>We provide weekly dumps of the RubyGems.org PostgreSQL data. This dump is sanitized, removing all user information.</p>
+      <p>The <a href="https://github.com/rubygems/rubygems.org/tree/master/script/load-pg-dump" class="text-orange">load-pg-dump</a> script is
+        available as an example of how to to download and load the most recent weekly dump.</p>
+    <% end %>
+    <%= c.list(data: { controller: "dump" }) do %>
+      <template data-dump-target="template">
+        <%= c.list_item_to "#" do %>
+          <span></span>
+        <% end %>
+      </template>
+    <% end %>
+  <% end %>
 </div>
diff --git a/app/views/pages/download.html.erb b/app/views/pages/download.html.erb
index 0cecaa6c9db..e1412a7237c 100644
--- a/app/views/pages/download.html.erb
+++ b/app/views/pages/download.html.erb
@@ -1,30 +1,34 @@
 <% @title = t('.title') %>
-<% @subtitle = subtitle %>
 
-<div class="l-colspan t-body">
+<%= prose do %>
+  <h2><%= @title %></h2>
+  <% if (rubygems_version = Rubygem.current_rubygems_release) %>
+    <h4><%= "v#{rubygems_version.number} - #{nice_date_for(rubygems_version.authored_at)}" %></h4>
+  <% end %>
   <p>
-    RubyGems is a package management framework for Ruby. Download the latest version here:
-  </p>
-  <div id="formats" class="download__formats">
-    <%= link_to "tgz", "https://rubygems.org/rubygems/rubygems-#{version_number}.tgz", class: "download__format" %>
-    <%= link_to "zip", "https://rubygems.org/rubygems/rubygems-#{version_number}.zip", class: "download__format" %>
-    <%= link_to "gem", "https://rubygems.org/gems/rubygems-update-#{version_number}.gem", class: "download__format" %>
-    <%= link_to "git", "https://github.com/rubygems/rubygems", class: "download__format" %>
-  </div>
-  <p>
-  Or, to upgrade to the latest RubyGems:
+    RubyGems is a package management framework for Ruby.
+    <br>
+    Upgrade to the latest RubyGems at the command line:
   </p>
   <pre><code>$ gem update --system</code></pre>
   <p>
-    You might be running into some bug that prevents you from upgrading rubygems the standard way. In that case, you can try upgrading manually:
+    If you run into problems that prevent you from upgrading rubygems the standard way, you can try upgrading manually:
   </p>
   <ol class="manual">
-    <li><%=link_to "Download from above", "#formats" %></li>
-    <li>Unpack into a directory and <code>cd</code> there</li>
-    <li>Install with: <code>ruby setup.rb</code></li>
+    <li>Download the latest version</li>
+    <li>Unpack and <code>cd</code> into the unpacked directory</li>
+    <li>Install with:
+    <pre><code>ruby setup.rb</code></pre>
+    </li>
+    <li>
+      For more details and other options, run: <code>ruby setup.rb --help</code>
+    </li>
   </ol>
-  <p>
-  For more details and other options, see:
-  </p>
-  <pre><code>ruby setup.rb --help</code></pre>
-</div>
+  <h4>Download the latest version</h4>
+  <div id="formats" class="flex flex-row space-x-6">
+    <%= render ButtonComponent.new "tgz", "https://rubygems.org/rubygems/rubygems-#{rubygems_version}.tgz", type: :link %>
+    <%= render ButtonComponent.new "zip", "https://rubygems.org/rubygems/rubygems-#{rubygems_version}.zip", type: :link %>
+    <%= render ButtonComponent.new "gem", "https://rubygems.org/gems/rubygems-update-#{rubygems_version}.gem", type: :link %>
+    <%= render ButtonComponent.new "git", "https://github.com/rubygems/rubygems", type: :link %>
+  </div>
+<% end %>
diff --git a/app/views/pages/faq.html.erb b/app/views/pages/faq.html.erb
deleted file mode 100644
index ab8e903c4df..00000000000
--- a/app/views/pages/faq.html.erb
+++ /dev/null
@@ -1,7 +0,0 @@
-<% @title = t('.title') %>
-
-<div class="t-body">
-  <p>
-    <%= link_to "This page has been moved onto #{t(:title)}’s new support site.", "https://help.rubygems.org/kb/gemcutter/faq" %>
-  </p>
-</div>
diff --git a/app/views/pages/migrate.html.erb b/app/views/pages/migrate.html.erb
deleted file mode 100644
index aac2e406081..00000000000
--- a/app/views/pages/migrate.html.erb
+++ /dev/null
@@ -1,8 +0,0 @@
-<% @title = t('.title') %>
-
-<div class="l-colspan t-body">
-  <p>
-    <code>gem migrate</code> has been deprecated, all of the RubyForge accounts and ownerships have been transferred over to Gemcutter.
-  </p>
-  <p>If you’re having problems with your gems and pushing, <%= mail_to "support@rubygems.org", "please open a support request" %>.</p>
-</div>
diff --git a/app/views/pages/security.html.erb b/app/views/pages/security.html.erb
index e7731de0096..2955948a383 100644
--- a/app/views/pages/security.html.erb
+++ b/app/views/pages/security.html.erb
@@ -1,6 +1,6 @@
 <% @title = t('.title') %>
 
-<div class="l-colspan t-body">
+<%= prose do %>
   <p>
     Found a security issue with RubyGems or RubyGems.org?
     Please follow these steps to report it.
@@ -131,4 +131,4 @@
       security@rubygems.org</a> or <a href="https://github.com/rubygems/rubygems.org/issues">
       open an issue on GitHub</a>. Thanks!
   </p>
-</div>
+<% end %>
diff --git a/app/views/pages/sponsors.html.erb b/app/views/pages/sponsors.html.erb
index 7d93b9c5096..05b78bf813e 100644
--- a/app/views/pages/sponsors.html.erb
+++ b/app/views/pages/sponsors.html.erb
@@ -1,6 +1,6 @@
 <% @title = t('.title') %>
 
-<div class="l-colspan t-body">
+<%= prose do %>
   <p>
     RubyGems.org is made possible by support from the Ruby community. These companies provide the servers and developers that create the public infrastructure of the Ruby programming language.
   </p>
@@ -8,10 +8,11 @@
   <h2><a href="https://rubycentral.org">Ruby Central</a></h2>
   <p>
     Ruby Central, Inc. is a nonprofit 501(c)3 organization dedicated to the support and advocacy of the worldwide Ruby community. They organize the annual RubyConf and RailsConf as opportunities for Rubyists to collaborate and network. As part of those conferences, Ruby Central also operates the Opportunity Scholarship program to consistently bring new people into the tech community and to provide them with a comfortable, welcoming environment to explore our community and its events.
-    <br><br>
+  </p>
+  <p>
     They also fund and operate the Ruby Central Community Grant, underwriting events or open source projects that benefit the Ruby community, and they fund the ongoing server costs associated with running RubyGems.org.
 
-    You can support Ruby Central by attending or [sponsoring](sponsors@rubycentral.org) a conference, or by [joining as a supporting member](https://rubycentral.org/#/portal/signup).
+    You can support Ruby Central by attending or <a href="mailto:sponsors@rubycentral.org">contacting Ruby Central</a> about sponsoring a conference, or by <a href="https://rubycentral.org/#/portal/signup">joining as a supporting member</a>.
   </p>
 
   <h2><a href="https://fastly.com">Fastly</a></h2>
@@ -21,16 +22,12 @@
     Fastly provides the RubyGems.org content delivery network, allowing Ruby developers all over the world to download gems from nearby servers around the world.
   </p>
 
-  <hr>
-
   <h3><a href="https://1password.com">1Password</a></h3>
   <p>A password manager, digital vault, form filler and secure digital wallet. 1Password remembers all your passwords for you to help keep account information safe.</p>
 
-  <hr>
-
   <h3><a href="https://avohq.io">Avo</a></h3>
   <p>
     Avo is a custom Content Management System for Ruby on Rails that saves developers and teams months of development time. It's built on modern technologies and provides all the necessary hooks to ensure developers ship the best experiences to their customers.<br><br>
     Avo enables the RubyGems.org team to quickly build internal tools with limited resources.
   </p>
-</div>
+<% end %>
diff --git a/app/views/passwords/edit.html.erb b/app/views/passwords/edit.html.erb
index 18a49cb6f8a..e5e5bd17d08 100644
--- a/app/views/passwords/edit.html.erb
+++ b/app/views/passwords/edit.html.erb
@@ -1,7 +1,7 @@
 <% @title = t('.title') %>
 
 <%= form_for(:password_reset, url: password_path, html: { method: :put }) do |form| %>
-  <%= error_messages_for current_user %>
+  <%= error_messages_for @user %>
   <div class="password_field">
     <%= form.label :password, "Password", :class => 'form__label' %>
     <%= form.password_field :password, autocomplete: 'new-password', class: 'form__input' %>
diff --git a/app/views/profiles/security_events_view.rb b/app/views/profiles/security_events_view.rb
index 31e4f133609..46cbd8a78e7 100644
--- a/app/views/profiles/security_events_view.rb
+++ b/app/views/profiles/security_events_view.rb
@@ -6,9 +6,8 @@ class Profiles::SecurityEventsView < ApplicationView
   include Phlex::Rails::Helpers::DistanceOfTimeInWordsToNow
   include Phlex::Rails::Helpers::TimeTag
   include Phlex::Rails::Helpers::LinkTo
-  extend Dry::Initializer
 
-  option :security_events
+  prop :security_events, reader: :public
 
   def view_template
     title_content
diff --git a/app/views/profiles/show.html.erb b/app/views/profiles/show.html.erb
index d53b7f5ca94..a109e68018b 100644
--- a/app/views/profiles/show.html.erb
+++ b/app/views/profiles/show.html.erb
@@ -107,7 +107,7 @@
       </h2>
 
       <h4 id="downloads" class="gem__downloads__heading t-text--s">
-        <%= t('stats.index.total_downloads') %>
+        <%= t('total_downloads') %>
       </h4>
 
       <h2 id="downloads_count" class="gem__downloads">
diff --git a/app/views/rubygems/_aside.html.erb b/app/views/rubygems/_aside.html.erb
index f12a8e7b4e9..f7735be703b 100644
--- a/app/views/rubygems/_aside.html.erb
+++ b/app/views/rubygems/_aside.html.erb
@@ -7,7 +7,7 @@
   <% end %>
   <div class="gem__downloads-wrap" data-href="<%= api_v1_download_path(@latest_version.full_name, :format => 'json') %>">
     <h2 class="gem__downloads__heading t-text--s">
-      <%= t('stats.index.total_downloads') %>
+      <%= t('total_downloads') %>
       <span class="gem__downloads"><%= number_with_delimiter(@rubygem.downloads) %></span>
     </h2>
     <h2 class="gem__downloads__heading t-text--s">
@@ -15,6 +15,14 @@
       <span class="gem__downloads"><%= number_with_delimiter(@latest_version.downloads_count) %></span>
     </h2>
   </div>
+
+  <h2 class="gem__ruby-version__heading t-list__heading">
+    <%= t('.gem_version_age') %>:
+    <span class="gem__rubygem-version-age">
+      <p><%= local_time_ago(@latest_version.authored_at) %></p>
+    </span>
+  </h2>
+
   <h2 class="gem__ruby-version__heading t-list__heading">
     <%= pluralized_licenses_header @latest_version %>:
     <span class="gem__ruby-version">
@@ -66,11 +74,11 @@
     <%= atom_link(@rubygem) %>
     <%= report_abuse_link(@rubygem) %>
     <%= reverse_dependencies_link(@rubygem) %>
-    <%= ownership_link(@rubygem) if @rubygem.owned_by?(current_user) %>
-    <%= rubygem_trusted_publishers_link(@rubygem) if @rubygem.owned_by?(current_user) %>
-    <%= oidc_api_key_role_links(@rubygem) if @rubygem.owned_by?(current_user) %>
+    <%= ownership_link(@rubygem) if policy(@rubygem).show_unconfirmed_ownerships? %>
+    <%= rubygem_trusted_publishers_link(@rubygem) if policy(@rubygem).configure_trusted_publishers? %>
+    <%= oidc_api_key_role_links(@rubygem) if policy(@rubygem).configure_oidc? %>
     <%= resend_owner_confirmation_link(@rubygem) if @rubygem.unconfirmed_ownership?(current_user) %>
     <%= rubygem_adoptions_link(@rubygem) if policy(@rubygem).show_adoption? %>
-    <%= rubygem_security_events_link(@rubygem) if @rubygem.owned_by?(current_user) %>
+    <%= rubygem_security_events_link(@rubygem) if policy(@rubygem).show_events? %>
   </div>
 </div>
diff --git a/app/views/rubygems/_gem_members.html.erb b/app/views/rubygems/_gem_members.html.erb
index fc15a017930..d8457c7eec1 100644
--- a/app/views/rubygems/_gem_members.html.erb
+++ b/app/views/rubygems/_gem_members.html.erb
@@ -57,12 +57,7 @@
 
   <% if latest_version.sha256.present? %>
     <h3 class="t-list__heading"><%= t '.sha_256_checksum' %>:</h3>
-    <div class="gem__code-wrap">
-      <input type="text" class="gem__code" id="gem_sha_256_checksum" value="<%= latest_version.sha256_hex %>" readonly="readonly">
-      <span class="gem__code__icon" id="js-gem__code--gemfile" data-clipboard-target="#gem_sha_256_checksum">=</span>
-      <span class="gem__code__tooltip--copy"><%= t('copy_to_clipboard') %></span>
-      <span class="gem__code__tooltip--copied"><%= t('copied') %></span>
-    </div>
+    <%= copy_field_tag("gem_sha_256_checksum", latest_version.sha256_hex) %>
   <% end %>
 
   <% if latest_version.cert_chain.present? %>
@@ -75,4 +70,11 @@
       <% end %>
     </div>
   <% end %>
+
+  <% if latest_version.attestations.present? %>
+    <h3 class="t-list__heading"><%= t '.provenance_header' %>:</h3>
+    <% latest_version.attestations.each do |attestation| %>
+      <%= render Version::ProvenanceComponent.new(attestation:) %>
+    <%end%>
+  <% end %>
 </div>
diff --git a/app/views/rubygems/security_events_view.rb b/app/views/rubygems/security_events_view.rb
index 79c2e01bd71..613c4c28b86 100644
--- a/app/views/rubygems/security_events_view.rb
+++ b/app/views/rubygems/security_events_view.rb
@@ -4,10 +4,9 @@ class Rubygems::SecurityEventsView < ApplicationView
   include Phlex::Rails::Helpers::ButtonTo
   include Phlex::Rails::Helpers::ContentFor
   include Phlex::Rails::Helpers::LinkTo
-  extend Dry::Initializer
 
-  option :rubygem
-  option :security_events
+  prop :rubygem, reader: :public
+  prop :security_events, reader: :public
 
   def view_template
     title_content
diff --git a/app/views/rubygems/show.html.erb b/app/views/rubygems/show.html.erb
index 617e95ac320..a1703a598b0 100644
--- a/app/views/rubygems/show.html.erb
+++ b/app/views/rubygems/show.html.erb
@@ -31,19 +31,11 @@
       <div class="gem__install">
         <h2 class="gem__ruby-version__heading t-list__heading">
           <%= t '.bundler_header' %>:
-          <div class="gem__code-wrap">
-            <input type="text" class="gem__code" id="gemfile_text" value="<%= @latest_version.to_bundler(locked_version: @on_version_page) %>" readonly="readonly">
-            <span class="gem__code__icon" id="js-gem__code--gemfile" data-clipboard-target="#gemfile_text">=</span>
-            <span class="gem__code__tooltip--copy"><%= t('copy_to_clipboard') %></span>
-            <span class="gem__code__tooltip--copied"><%= t('copied') %></span>
-          </div>
+          <%= copy_field_tag("gemfile_text", @latest_version.to_bundler(locked_version: @on_version_page)) %>
         </h2>
         <h2 class="gem__ruby-version__heading t-list__heading">
           <%= t '.install' %>:
-          <div class="gem__code-wrap">
-            <input type="text" class="gem__code" id="install_text" value="<%= @latest_version.to_install %>" readonly="readonly">
-            <span class="gem__code__icon" id="js-gem__code--install" data-clipboard-target="#install_text">=</span>
-          </div>
+          <%= copy_field_tag("install_text", @latest_version.to_install) %>
         </h2>
       </div>
     <% else %>
diff --git a/app/views/searches/advanced.html.erb b/app/views/searches/advanced.html.erb
index 68f7c62a262..0a5ccd43042 100644
--- a/app/views/searches/advanced.html.erb
+++ b/app/views/searches/advanced.html.erb
@@ -1,8 +1,16 @@
 <% @title = t("advanced_search") %>
 
-<div class="home__search-wrap" role="search">
+<div class="home__search-wrap" role="search" data-controller="search">
   <%= form_tag search_url, id: "advanced-search", method: :get do %>
-    <%= search_field_tag :query, params[:query], placeholder: t("layouts.application.header.search_gem_html"), autofocus: current_page?(root_url), id: "query", class: "home__search" %>
+    <%= search_field_tag(
+      :query,
+      params[:query],
+      placeholder: t("layouts.application.header.search_gem_html"),
+      autofocus: current_page?(root_url),
+      id: "query",
+      class: "home__search",
+      data: { search_target: "query" }
+    ) %>
     <%= label_tag :query do %>
       <span class="t-hidden"><%= t("layouts.application.header.search_gem_html") %></span>
     <% end %>
@@ -11,18 +19,18 @@
 
   <dl class="search-fields">
     <dt><%= label_tag :name, t(".name"), class: "form__label" %></dt>
-    <dd><%= text_field_tag :name, "", placeholder: "active OR action", class: "form__input"%></dd>
+    <dd><%= text_field_tag :name, "", placeholder: "active OR action", class: "form__input", data: { search_target: "attribute", action: "input->search#input keydown.enter->search#submit" } %></dd>
 
     <dt><%= label_tag :summary, t(".summary"), class: "form__label" %></dt>
-    <dd><%= text_field_tag :summary, "", placeholder: "ORM, NoSQL", class: "form__input"%></dd>
+    <dd><%= text_field_tag :summary, "", placeholder: "ORM, NoSQL", class: "form__input", data: { search_target: "attribute", action: "input->search#input keydown.enter->search#submit" } %></dd>
 
     <dt><%= label_tag :description, t(".description"), class: "form__label" %></dt>
-    <dd><%= text_field_tag :description, "", placeholder: "associations AND validations", class: "form__input"%></dd>
+    <dd><%= text_field_tag :description, "", placeholder: "associations AND validations", class: "form__input", data: { search_target: "attribute", action: "input->search#input keydown.enter->search#submit" } %></dd>
 
     <dt><%= label_tag :downloads, t(".downloads"), class: "form__label" %></dt>
-    <dd><%= text_field_tag :downloads, "", placeholder: ">20000", class: "form__input"%></dd>
+    <dd><%= text_field_tag :downloads, "", placeholder: ">20000", class: "form__input", pattern: "\\s*(<=?|>=?)?[\\d]+\\s*", data: { search_target: "attribute", action: "input->search#input keydown.enter->search#submit" } %></dd>
 
     <dt><%= label_tag :updated, t(".updated"), class: "form__label" %></dt>
-    <dd><%= text_field_tag :updated, "", placeholder: ">#{1.week.ago.strftime('%F')}", class: "form__input"%></dd>
+    <dd><%= text_field_tag :updated, "", placeholder: ">#{1.week.ago.strftime('%F')}", class: "form__input", pattern: "\\s*(<=?|>=?)?[\\d-]+\\s*", data: { search_target: "attribute", action: "input->search#input keydown.enter->search#submit" } %></dd>
   </dl>
 </div>
diff --git a/app/views/searches/show.html.erb b/app/views/searches/show.html.erb
index faabe5a83e5..2075bfb7830 100644
--- a/app/views/searches/show.html.erb
+++ b/app/views/searches/show.html.erb
@@ -7,7 +7,7 @@
 <% end %>
 <%= link_to t("advanced_search"), advanced_search_path, class: "t-link--gray t-link--has-arrow" %>
 <% if @yanked_filter %>
-  <% @subtitle = t('.subtitle', :query => content_tag(:em, h(params[:query]))) %>
+  <% @subtitle = t('.subtitle_html', :query => params[:query]) %>
 
   <% if @yanked_gem.present? %>
     <%= link_to rubygem_path(@yanked_gem.slug), :class => 'gems__gem' do %>
@@ -22,7 +22,7 @@
   <% end %>
 <% else %>
   <% if @gems %>
-    <% @subtitle = t('.subtitle', :query => content_tag(:em, h(params[:query]))) %>
+    <% @subtitle = t('.subtitle_html', :query => params[:query]) %>
 
     <header class="gems__header push--s">
       <p class="gems__meter"><%= page_entries_info(@gems, :entry_name => 'gem') %></p>
diff --git a/app/views/sessions/new.html.erb b/app/views/sessions/new.html.erb
index 099daa2ab84..281ef945a2b 100644
--- a/app/views/sessions/new.html.erb
+++ b/app/views/sessions/new.html.erb
@@ -1,5 +1,19 @@
 <% @title = t('sign_in') %>
 
+<% if Gemcutter::ENABLE_DEVELOPMENT_LOG_IN %>
+<div class="t-body">
+  <h2 class="page__subheading--block">Development Login</h2>
+  <ul>
+    <% User.all.order(id: :asc).each do |user| %>
+    <li>
+      <%= link_to "login as #{user.handle}", controller: :sessions, action: "development_log_in_as", user_id: user.id %>
+    </li>
+    <% end %>
+  </ul>
+  <hr/>
+</div>
+<% end %>
+
 <div class="t-body">
   <p>
     <%= link_to t('.forgot_password'), new_password_path, class: 't-list__item' %>
diff --git a/app/views/stats/index.html.erb b/app/views/stats/index.html.erb
index 69555fc487f..f9098e70fff 100644
--- a/app/views/stats/index.html.erb
+++ b/app/views/stats/index.html.erb
@@ -10,7 +10,7 @@
     <span class="stat__count"><%= number_with_delimiter @number_of_users %></span>
   </h2>
   <h2 class="stat" data-icon="⌄">
-    <%= t('stats.index.total_downloads') %>
+    <%= t('total_downloads') %>
     <span class="stat__count"><%= number_with_delimiter @number_of_downloads %></span>
   </h2>
 </div>
@@ -27,7 +27,7 @@
   <div class="stats__graph__gem">
     <h3 class="stats__graph__gem__name"><%= link_to gem.name, rubygem_path(gem.slug) %></h3>
     <div class="stats__graph__gem__meter-wrap">
-      <div class="stats__graph__gem__meter t-item--hidden" data-bar-width="<%= stats_graph_meter(gem, @most_downloaded_count) %>">
+      <div class="stats__graph__gem__meter t-item--hidden" data-controller="stats" data-stats-width-value="<%= stats_graph_meter(gem, @most_downloaded_count) %>">
         <span class="stats__graph__gem__count"><%= number_to_delimited gem.downloads %></span>
       </div>
     </div>
diff --git a/app/views/subscriptions/index.html.erb b/app/views/subscriptions/index.html.erb
new file mode 100644
index 00000000000..77ddebf2171
--- /dev/null
+++ b/app/views/subscriptions/index.html.erb
@@ -0,0 +1,38 @@
+<% @title = t("dashboards.show.my_subscriptions") %>
+
+<% content_for :subject do %>
+  <% render "dashboards/subject", user: current_user, current: :subscriptions %>
+<% end %>
+
+<h1 class="text-h2 mb-10 space-x-2">
+  <span><%= t("dashboards.show.my_subscriptions") %></span>
+  <% unless @subscribed_gems.size.zero? %>
+    <span class="font-light text-neutral-600"><%= @subscribed_gems.size %></span>
+  <% end %>
+</h1>
+
+<%= render CardComponent.new do |c| %>
+  <% if @subscribed_gems.empty? %>
+    <%= prose do %>
+      <i><%= t("dashboards.show.no_subscriptions_html", :gem_link => link_to(t('dashboards.show.gem_link_text'), rubygem_path("rake"))) %></i>
+    <% end %>
+  <% else %>
+    <%= c.with_list(@subscribed_gems) do |gem| %>
+      <div class="flex flex-row w-full items-center justify-between">
+        <%= link_to rubygem_path(gem.slug) do %>
+          <h3 class="text-b1"><%= gem.name %></h3>
+          <p class="text-b3"><%= short_info(gem.most_recent_version) %></p>
+        <% end %>
+        <%= button_to(
+          rubygem_subscription_path(gem.slug),
+          method: :delete,
+          title: t("rubygems.aside.links.unsubscribe"),
+          class: "h-8 w-8 ml-6 items-center justify-center outline-none -mr-2",
+          aria: { label: t("rubygems.aside.links.unsubscribe") }
+        ) do %>
+          <%= icon_tag "close", class: "w-6 h-6" %>
+        <% end %>
+      </div>
+    <% end %>
+  <% end %>
+<% end %>
diff --git a/bin/brakeman b/bin/brakeman
index b4fe8de2663..ace1c9ba08a 100755
--- a/bin/brakeman
+++ b/bin/brakeman
@@ -1,27 +1,7 @@
 #!/usr/bin/env ruby
-# frozen_string_literal: true
-
-#
-# This file was generated by Bundler.
-#
-# The application 'brakeman' is installed as part of a gem, and
-# this file is here to facilitate running it.
-#
-
-ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__)
-
-bundle_binstub = File.expand_path("bundle", __dir__)
-
-if File.file?(bundle_binstub)
-  if File.read(bundle_binstub, 300).include?("This file was generated by Bundler")
-    load(bundle_binstub)
-  else
-    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
-Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
-  end
-end
-
 require "rubygems"
 require "bundler/setup"
 
+ARGV.unshift("--ensure-latest")
+
 load Gem.bin_path("brakeman", "brakeman")
diff --git a/bin/rubocop b/bin/rubocop
index 369a05bedb5..40330c0ff1c 100755
--- a/bin/rubocop
+++ b/bin/rubocop
@@ -1,27 +1,8 @@
 #!/usr/bin/env ruby
-# frozen_string_literal: true
-
-#
-# This file was generated by Bundler.
-#
-# The application 'rubocop' is installed as part of a gem, and
-# this file is here to facilitate running it.
-#
-
-ENV["BUNDLE_GEMFILE"] ||= File.expand_path("../Gemfile", __dir__)
-
-bundle_binstub = File.expand_path("bundle", __dir__)
-
-if File.file?(bundle_binstub)
-  if File.read(bundle_binstub, 300).include?("This file was generated by Bundler")
-    load(bundle_binstub)
-  else
-    abort("Your `bin/bundle` was not generated by Bundler, so this binstub cannot run.
-Replace `bin/bundle` by running `bundle binstubs bundler --force`, then run this command again.")
-  end
-end
-
 require "rubygems"
 require "bundler/setup"
 
+# explicit rubocop config increases performance slightly while avoiding config confusion.
+ARGV.unshift("--config", File.expand_path("../.rubocop.yml", __dir__))
+
 load Gem.bin_path("rubocop", "rubocop")
diff --git a/bin/setup b/bin/setup
index e2675753e1d..51afbda953b 100755
--- a/bin/setup
+++ b/bin/setup
@@ -1,8 +1,8 @@
 #!/usr/bin/env ruby
 require "fileutils"
 
-# path to your application root.
 APP_ROOT = File.expand_path("..", __dir__)
+APP_NAME = "gemcutter"
 
 def system!(*args)
   system(*args, exception: true)
@@ -36,4 +36,8 @@ FileUtils.chdir APP_ROOT do
 
   puts "\n== Restarting application server =="
   system! "bin/rails restart"
+
+  # puts "\n== Configuring puma-dev =="
+  # system "ln -nfs #{APP_ROOT} ~/.puma-dev/#{APP_NAME}"
+  # system "curl -Is https://#{APP_NAME}.test/up | head -n 1"
 end
diff --git a/config/application.rb b/config/application.rb
index 7de954883d6..1328ecd5bd4 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -12,13 +12,18 @@
 # require "action_text/engine"
 require "action_view/railtie"
 # require "action_cable/engine"
-require "sprockets/railtie"
 require "rails/test_unit/railtie"
 
 # Require the gems listed in Gemfile, including any gems
 # you've limited to :test, :development, or :production.
 Bundler.require(*Rails.groups)
 
+# allow dotenv to specify RAILS_GROUPS
+if defined?(Dotenv::Rails)
+  Dotenv::Rails.load
+  Bundler.require(*Rails.groups)
+end
+
 module Gemcutter
   class Application < Rails::Application
     # Initialize configuration defaults for originally generated Rails version.
@@ -44,7 +49,7 @@ class Application < Rails::Application
     config.i18n.available_locales = [:en, :nl, "zh-CN", "zh-TW", "pt-BR", :fr, :es, :de, :ja]
     config.i18n.fallbacks = [:en]
 
-    config.middleware.insert 0, Rack::UTF8Sanitizer
+    config.middleware.insert 0, Rack::Sanitizer
     config.middleware.use Rack::Attack
     config.middleware.use Rack::Deflater
 
@@ -69,6 +74,10 @@ class Application < Rails::Application
     config.active_support.cache_format_version = 7.1
 
     config.action_dispatch.rescue_responses["Rack::Multipart::EmptyContentError"] = :bad_request
+
+    config.action_dispatch.default_headers.merge!(
+      "Cross-Origin-Opener-Policy" => "same-origin"
+    )
   end
 
   def self.config
@@ -101,9 +110,9 @@ def self.config
   GEM_REQUEST_LIMIT = 400
   VERSIONS_PER_PAGE = 100
   SEPARATE_ADMIN_HOST = config["separate_admin_host"]
-  ENABLE_DEVELOPMENT_ADMIN_LOG_IN = Rails.env.local?
+  ENABLE_DEVELOPMENT_LOG_IN = Rails.env.local?
   MAIL_SENDER = "RubyGems.org <no-reply@mailer.rubygems.org>".freeze
   PAGES = %w[
-    about data download faq migrate security sponsors
+    about data download security sponsors
   ].freeze
 end
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
new file mode 100644
index 00000000000..2a902bfc302
--- /dev/null
+++ b/config/brakeman.ignore
@@ -0,0 +1,52 @@
+{
+  "ignored_warnings": [
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "85e397bacae5462238e8ce59c0fcd1045a414e603588ae313c5156c09a623fed",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/controllers/owners_controller.rb",
+      "line": 101,
+      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
+      "code": "params.permit(:role)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "OwnersController",
+        "method": "update_params"
+      },
+      "user_input": ":role",
+      "confidence": "Medium",
+      "cwe_id": [
+        915
+      ],
+      "note": ""
+    },
+    {
+      "warning_type": "Mass Assignment",
+      "warning_code": 105,
+      "fingerprint": "b57c75e671196846b60667930fc3c1a4d02122b7ec3ae5ae0cf8cecc6c1d0b63",
+      "check_name": "PermitAttributes",
+      "message": "Potentially dangerous key allowed for mass assignment",
+      "file": "app/controllers/api/v1/owners_controller.rb",
+      "line": 84,
+      "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
+      "code": "params.permit(:role)",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Api::V1::OwnersController",
+        "method": "ownership_params"
+      },
+      "user_input": ":role",
+      "confidence": "Medium",
+      "cwe_id": [
+        915
+      ],
+      "note": ""
+    }
+  ],
+  "updated": "2024-09-21 16:16:50 -0700",
+  "brakeman_version": "6.2.1"
+}
diff --git a/config/brakeman.yml b/config/brakeman.yml
index d9492b31e1d..26a7bbdc235 100644
--- a/config/brakeman.yml
+++ b/config/brakeman.yml
@@ -7,5 +7,5 @@
 :output_files:
 - reports/brakeman/brakeman.json
 - reports/brakeman/brakeman.html
-:rails5: true
+:rails7: true
 :github_repo: rubygems/rubygems.org
diff --git a/config/deploy/production/secrets.ejson b/config/deploy/production/secrets.ejson
index 23e4cd93c0b..8826939da3e 100644
--- a/config/deploy/production/secrets.ejson
+++ b/config/deploy/production/secrets.ejson
@@ -22,7 +22,7 @@
         "client_id": "EJ[1:YVJ0VwGrcSYWmu7lQOJPUdkXYI5VBgGXLla1+Fo1eA8=:jnplUfdfAMq/te3PyIN3SejasXCukW/g:0LsAhlffVl+6W4k5sRLWpew4D8ohT5ym3Ou+O1CsZgd/fvu16YWRpgvX345ewip0]",
         "github_key": "EJ[1:dz+xczzzSxiEdCK5nfz6u2RkBOEeeOTlMD2eWIHTAg8=:3ZtgHbbvis6EJ5UymIZBWPwc+Zvf722/:gcsPiEVuVZIitCZ3t2216Jn5re2vBTyN7FElhowCKpQUglwU]",
         "github_secret": "EJ[1:dz+xczzzSxiEdCK5nfz6u2RkBOEeeOTlMD2eWIHTAg8=:3bGij9eYVzE6mJ4XmIT/QBBRmnCi9nMs:8jcKV1Hl8TYTMQaQ8SV+agQ6c9UA9lb1DHKy2J/W//gdlJ2r/r4qlKeI/zoWMX2e461aB1Dx7XQ=]",
-        "avo_license_key": "EJ[1:6oWEkRT4PhQJLxAVEt3F66gOvAd2bB/J7cF+DpFv4Gk=:atX3EOd7BdoSBqJFPaqASO6/u6R2MLlR:G4TyGlkc1EZWpUJ0mQTS9Bw1O5V9Hww3DZtV+MQuDg9pzw8n7frV+GQek4wDqI29QLk0Kg==]",
+        "avo_license_key": "EJ[1:vHG/UgXm5H2xr/ExsZdTi7Lep9NzpQkKXFUlNb9FOVU=:dRDXtqaYSBhiY5cuHJutRa8R2ZUUE8h3:+xyDjGvAJmtwxHdMcGQ21GDRnVagGG009JSw]",
         "datadog_csp_api_key": "EJ[1:MJLOVnheQZD8mqT8Q5xlN8u6Qd9eH4sbO1kcsg/TTR4=:0eAj1g7msiS86qexeMNsWU+1vy3pXSKK:4YT1qDTiBirwkNsbNdhN90lPlF51qiMNChue7uMpEYuAiKTI3TnwOWJd7sk0PmARVsIn]",
         "hook_relay_account_id": "EJ[1:Px+UVqbFzeNGqkAlgQ9Vz00tXWKza1XmLLHD/iQT5wM=:JsT1PTsSpMaxE0FV7ODyJ5E1FQAzv9v/:tMUgIFIUJH+WhT+kHS5pne5Uw9qvdLqLd2aAfJ9EehzIYpH6Bl6EQg==]",
         "hook_relay_hook_id": "EJ[1:Px+UVqbFzeNGqkAlgQ9Vz00tXWKza1XmLLHD/iQT5wM=:Vt1tMd8/9ZhSHL80yrWIWUy2wMOh8Iqt:MUwOcVrjWl7i8RRNg68Sb/Fa+RYsLL54yc+adRK84i5jWWa9fmSgRg==]",
diff --git a/config/deploy/staging/secrets.ejson b/config/deploy/staging/secrets.ejson
index ed0a20bd927..4efe779d58d 100644
--- a/config/deploy/staging/secrets.ejson
+++ b/config/deploy/staging/secrets.ejson
@@ -22,7 +22,7 @@
         "client_id": "EJ[1:G3QtTGP/Pf0HRv8+b6zf3xI3TmNiOPmidA24ZSgQgjU=:AZtoluRkpeCK96i3FxPgamAkAlwRuTKq:NrpTfXVR1rAA0UyJzYVmCvJvQ5lr/VLyAoHDz0IY0cmC0aJLO8HWKsAYWq3T4w2D]",
         "github_key": "EJ[1:w54WPX1mXZxgJoUu4zPMVMd5zCWl0rbbfuyqcvJOP1o=:XX+D9g9OUcALhAK1aRB5uK4hmUOhmq+a:kEEf22rN2vnyXE2I5me5Fc+2rCu070VA8IpcsbeJ8Xh/3261]",
         "github_secret": "EJ[1:w54WPX1mXZxgJoUu4zPMVMd5zCWl0rbbfuyqcvJOP1o=:0aEWndKlt5UpeGXSNfX8jWtc5UqnKk1g:MmBDQQEzb9tUaxVIL7bUUBbg2/UvhyvbnHcvlfqWztdSVHAFuvGe+tVtHjEdCdMzrJzG5d6UVBo=]",
-        "avo_license_key": "EJ[1:TD6sa+BG2xSLyZddF8CUdq8egeXQfz1oeMaSD/DV/z8=:iXP5X+kGqtPPjluF93iyxTRiwA4sq5ch:My9uCrd+KqROpd1l3x8HgQYvi/gRs+FBQ41IdmqouwbVJBRipuHotXYGHBcqOtvFwpk1/w==]",
+        "avo_license_key": "EJ[1:xcimfAiJn0jrCDMpC+0kpX0WGUO3QxTcjfZSV8/zMBg=:Kkeih5DzMjlewV8GjD+iBOhQHinGXswy:hDpP9A4MhyRLAAoAmekw9soIdVHWso4TClPK]",
         "datadog_csp_api_key": "EJ[1:M1xidXJHz2i/vKthLOnwYbEnkFjYneq+d6Ryj6TXdFQ=:fxMZfI3MptOYF/hXcrnrWK/SDTU1SzZC:Gn807pB1wSTTNIyTJ5cpGCvN5+vplIZUxi/a8/s+UFDJE52zeM5KyhvmK6f0J8mDa2vh]",
         "hook_relay_account_id": "EJ[1:JT93bSSDxXR0tIyvuhE4hVVEav3DdVDYtCuhLTlwwUw=:OUkdjS28VFFsXWnK0c2zBubgen83JLIZ:r9s3A3e3UuNrYRelD3HzIKsNvEGlGhvKmZayZt7wZGHrxB+yTb8gQQ==]",
         "hook_relay_hook_id": "EJ[1:JT93bSSDxXR0tIyvuhE4hVVEav3DdVDYtCuhLTlwwUw=:n1YqUGXM5FdcwoAJjIXXgHxWqiF/voeL:sj7Gbn405v2hw4CKkU6N7Fhgb3J/5RnrAZpp+Xcn61ZTNJq0qFXBiA==]",
diff --git a/config/deploy/web.yaml.erb b/config/deploy/web.yaml.erb
index ba6c2c32020..c9e4f42feef 100644
--- a/config/deploy/web.yaml.erb
+++ b/config/deploy/web.yaml.erb
@@ -61,6 +61,8 @@ spec:
             value: "<%= environment %>"
           - name: ENV
             value: "<%= environment %>"
+          - name: RAILS_GROUPS
+            value: "avo"
           - name: WEB_CONCURRENCY
             value: "<%= environment == 'production' ? 8 : 2 %>"
           - name: RAILS_MAX_THREADS
@@ -219,6 +221,10 @@ spec:
           preStop:
             exec:
               command: ["sleep", "25"]
+        volumeMounts:
+        - name: sigstore-signing-token
+          mountPath: /var/run/secrets/sigstore
+          readOnly: true
       - name: nginx
         image: nginx:1.25.2
         imagePullPolicy: IfNotPresent
@@ -298,3 +304,10 @@ spec:
           secret:
             secretName: nginx-basic-auth
         <% end %>
+        - name: sigstore-signing-token
+          projected:
+            sources:
+            - serviceAccountToken:
+                path: sigstore-signing-token
+                expirationSeconds: 600
+                audience: sigstore
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 63cbd9de3ce..2384e1ee68d 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -1,4 +1,3 @@
-require_relative "../../lib/gemcutter/middleware/hostess"
 require "active_support/core_ext/integer/time"
 
 Rails.application.configure do
@@ -15,7 +14,7 @@
   # Show full error reports.
   config.consider_all_requests_local = true
 
-  # Enable server timing
+  # Enable server timing.
   config.server_timing = true
 
   # Enable/disable caching. By default caching is disabled.
@@ -26,9 +25,7 @@
 
     config.cache_store = :mem_cache_store,
                          { compress: true, compression_min_size: 524_288 }
-    config.public_file_server.headers = {
-      "Cache-Control" => "public, max-age=#{2.days.to_i}"
-    }
+    config.public_file_server.headers = { "Cache-Control" => "public, max-age=#{2.days.to_i}" }
   else
     config.action_controller.perform_caching = false
 
@@ -40,6 +37,8 @@
 
   config.action_mailer.raise_delivery_errors = true
 
+  # Disable caching for Action Mailer templates even if Action Controller
+  # caching is enabled.
   config.action_mailer.perform_caching = false
 
   config.action_mailer.default_url_options = { host: Gemcutter::HOST,
@@ -75,13 +74,18 @@
   # Raises error for missing translations.
   # config.i18n.raise_on_missing_translations = true
 
+  require_relative "../../lib/gemcutter/middleware/hostess"
   config.middleware.use Gemcutter::Middleware::Hostess
+
   # Annotate rendered view with file names.
-  # config.action_view.annotate_rendered_view_with_filenames = true
+  config.action_view.annotate_rendered_view_with_filenames = true
 
-  # Raise error when a before_action's only/except options reference missing actions
+  # Raise error when a before_action's only/except options reference missing actions.
   config.action_controller.raise_on_missing_callback_actions = true
 
+  # Apply autocorrection by RuboCop to files generated by `bin/rails generate`.
+  config.generators.apply_rubocop_autocorrect_after_generate!
+
   # Use an evented file watcher to asynchronously detect changes in source code,
   # routes, locales, etc. This feature depends on the listen gem.
   config.file_watcher = ActiveSupport::EventedFileUpdateChecker
@@ -119,8 +123,6 @@
       'Cache-Control' => 'max-age=315360000, public',
       'Expires' => 'Thu, 31 Dec 2037 23:55:55 GMT'
     }
-    config.assets.js_compressor = :terser
-    config.assets.css_compressor = :sass
     config.assets.compile = false
     config.assets.digest = true
     config.assets.debug = false
@@ -129,4 +131,6 @@
     config.active_record.verbose_query_logs = false
     config.action_view.cache_template_loading = true
   end
+
+  config.hosts << "rubygems.test"
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 8d5862924f6..8d95758ee47 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -1,5 +1,3 @@
-require Rails.root.join("config", "secret") if Rails.root.join("config", "secret.rb").file?
-require_relative "../../lib/gemcutter/middleware/redirector"
 require "active_support/core_ext/integer/time"
 
 Rails.application.configure do
@@ -22,21 +20,14 @@
   # key such as config/credentials/production.key. This key is used to decrypt credentials (and other encrypted files).
   # config.require_master_key = true
 
-  # Disable serving static files from the `/public` folder by default since
-  # Apache or NGINX already handles this.
+  # Disable serving static files from `public/`, relying on NGINX/Apache to do so instead.
   config.public_file_server.enabled = ENV["RAILS_SERVE_STATIC_FILES"].present?
   config.public_file_server.headers = {
     'Cache-Control' => 'max-age=315360000, public',
     'Expires' => 'Thu, 31 Dec 2037 23:55:55 GMT'
   }
 
-  # Compress JavaScript using a preprocessor
-  config.assets.js_compressor = :terser
-
-  # Compress CSS using a preprocessor.
-  config.assets.css_compressor = :sass
-
-  # Do not fallback to assets pipeline if a precompiled asset is missed.
+  # Do not fall back to assets pipeline if a precompiled asset is missed.
   config.assets.compile = false
 
   # Enable serving of images, stylesheets, and JavaScripts from an asset server.
@@ -62,7 +53,6 @@
   # Include generic and useful information about system operation, but avoid logging too much
   # information to avoid inadvertent exposure of personally identifiable information (PII).
   $stdout.sync = true
-  config.log_level = :info
   config.rails_semantic_logger.format = :json
   config.rails_semantic_logger.semantic = true
   config.rails_semantic_logger.add_file_appender = false
@@ -71,13 +61,20 @@
   # Prepend all log lines with the following tags.
   # config.log_tags = [ :request_id ]
 
+  # "info" includes generic and useful information about system operation, but avoids logging too much
+  # information to avoid inadvertent exposure of personally identifiable information (PII). If you
+  # want to log everything, set the level to "debug".
+  config.log_level = ENV.fetch("RAILS_LOG_LEVEL", "info")
+
   # Use a different cache store in production.
   # config.cache_store = :mem_cache_store
 
   # Use a real queuing backend for Active Job (and separate queues per environment).
-  # config.active_job.queue_adapter     = :resque
+  # config.active_job.queue_adapter = :resque
   # config.active_job.queue_name_prefix = "gemcutter_production"
 
+  # Disable caching for Action Mailer templates even if Action Controller
+  # caching is enabled.
   config.action_mailer.perform_caching = false
 
   # Ignore bad email addresses and do not raise email delivery errors.
@@ -122,5 +119,6 @@
     value_max_bytes: 2_097_152 # 2MB
   }
 
+  require_relative "../../lib/gemcutter/middleware/redirector"
   config.middleware.use Gemcutter::Middleware::Redirector
 end
diff --git a/config/environments/staging.rb b/config/environments/staging.rb
index f2a52cdfe87..ae4726d99a0 100644
--- a/config/environments/staging.rb
+++ b/config/environments/staging.rb
@@ -30,10 +30,6 @@
     'Expires' => 'Thu, 31 Dec 2037 23:55:55 GMT'
   }
 
-  # Compress JavaScripts and CSS.
-  config.assets.js_compressor = :terser
-  config.assets.css_compressor = :sass
-
   # Do not fallback to assets pipeline if a precompiled asset is missed.
   config.assets.compile = false
 
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 73358c44122..a65ac8280f1 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -1,4 +1,3 @@
-require_relative "../../lib/gemcutter/middleware/redirector"
 require "active_support/core_ext/integer/time"
 
 # The test environment is used exclusively to run your application's
@@ -35,12 +34,17 @@
   # Disable request forgery protection in test environment.
   config.action_controller.allow_forgery_protection = false
 
+  # Disable caching for Action Mailer templates even if Action Controller
+  # caching is enabled.
   config.action_mailer.perform_caching = false
 
   # Tell Action Mailer not to deliver emails to the real world.
   # The :test delivery method accumulates sent emails in the
   # ActionMailer::Base.deliveries array.
   config.action_mailer.delivery_method = :test
+
+  # Unlike controllers, the mailer instance doesn't have any context about the
+  # incoming request so you'll need to provide the :host parameter yourself.
   config.action_mailer.default_url_options = { host: Gemcutter::HOST,
                                                port: "31337",
                                                protocol: Gemcutter::PROTOCOL }
@@ -48,7 +52,7 @@
   # Print deprecation notices to the stderr.
   config.active_support.deprecation = :stderr
 
-  require 'clearance_backdoor'
+  require_relative "../../lib/clearance_backdoor"
   config.middleware.use ClearanceBackdoor
 
   # Raise exceptions for disallowed deprecations.
@@ -65,7 +69,7 @@
   # Annotate rendered view with file names.
   # config.action_view.annotate_rendered_view_with_filenames = true
 
-  # Raise error when a before_action's only/except options reference missing actions
+  # Raise error when a before_action's only/except options reference missing actions.
   config.action_controller.raise_on_missing_callback_actions = true
 
   BCrypt::Engine.cost = BCrypt::Engine::MIN_COST
diff --git a/config/importmap.rb b/config/importmap.rb
index c4acae20adf..6061894a513 100644
--- a/config/importmap.rb
+++ b/config/importmap.rb
@@ -1,16 +1,23 @@
 # Pin npm packages by running ./bin/importmap
 
 pin "jquery" # @3.7.1
-pin "@rails/ujs", to: "@rails--ujs.js" # @7.1.3
+pin "@rails/ujs", to: "@rails--ujs.js" # @7.1.3-4
 pin "application"
 pin_all_from "app/javascript/src", under: "src"
 
-pin "clipboard" # @2.0.11
-# stimulus.min.js is a compiled asset from stimulus-rails gem
-pin "@hotwired/stimulus", to: "stimulus.min.js"
+# If the version of turbo-rails changes, check that the CSP hash of the ProgressBar stylesheet didn't change.
+# Look for an error in the browser console indicating that a stylesheet was skipped.
+# 'turbo.min.js' is embedded in the turbo-rails gem.
+pin "@hotwired/turbo-rails", to: "turbo.min.js"
+
+pin "@hotwired/stimulus", to: "@hotwired--stimulus.js" # @3.2.2
 # stimulus-loading.js is a compiled asset only available from stimulus-rails gem
 pin "@hotwired/stimulus-loading", to: "stimulus-loading.js"
 pin_all_from "app/javascript/controllers", under: "controllers"
+pin "@stimulus-components/clipboard", to: "@stimulus-components--clipboard.js" # @5.0.0
+pin "@stimulus-components/dialog", to: "@stimulus-components--dialog.js" # @1.0.1
+pin "@stimulus-components/reveal", to: "@stimulus-components--reveal.js" # @5.0.0
+pin "@stimulus-components/checkbox-select-all", to: "@stimulus-components--checkbox-select-all.js" # @6.0.0
 
 # vendored and adapted from https://github.com/mdo/github-buttons/blob/master/src/js.js
 pin "github-buttons"
@@ -20,3 +27,4 @@
 # Avo custom JS entrypoint
 pin "avo.custom", preload: false
 pin "stimulus-rails-nested-form", preload: false # @4.1.0
+pin "local-time" # @3.0.2
diff --git a/config/initializers/assets.rb b/config/initializers/assets.rb
index 4658f8394f0..487324424ff 100644
--- a/config/initializers/assets.rb
+++ b/config/initializers/assets.rb
@@ -5,8 +5,3 @@
 
 # Add additional assets to the asset load path.
 # Rails.application.config.assets.paths << Emoji.images_path
-
-# Precompile additional assets.
-# application.js, application.css, and all non-JS/CSS in the app/assets
-# folder are already added.
-Rails.application.config.assets.precompile += %w[*.png *.jpg *.jpeg *.gif *.svg]
diff --git a/config/initializers/avo.rb b/config/initializers/avo.rb
index 17c1acae253..a7c018b0454 100644
--- a/config/initializers/avo.rb
+++ b/config/initializers/avo.rb
@@ -1,13 +1,12 @@
 # For more information regarding these settings check out our docs https://docs.avohq.io
-Avo.configure do |config|
+Avo.configure do |config| # rubocop:disable Metrics/BlockLength
   ## == Routing ==
   config.root_path = '/admin'
 
   # Where should the user be redirected when visting the `/avo` url
-  config.home_path = "/admin/dashboards/dashy"
+  config.home_path = "/admin/dashboards/dashy" if defined?(Avo::Pro)
 
   ## == Licensing ==
-  config.license = 'pro' # change this to 'pro' when you add the license key
   config.license_key = ENV['AVO_LICENSE_KEY']
 
   ## == Set the context ==
@@ -18,6 +17,13 @@
   ## == Authentication ==
   config.current_user_method = :admin_user
   config.authenticate_with do
+    if !Rails.env.local? && !(Avo.license.valid? && Avo.license.advanced?)
+      raise "Avo::Pro is missing in #{Rails.env}." \
+            "\nRails.groups=#{Rails.groups.inspect}" \
+            "\nAvo.license=#{Avo.license.inspect}" \
+            "\nAvo.configuration.license=#{Avo.configuration.license.inspect}"
+    end
+
     redirect_to '/' unless _current_user&.valid?
     Current.user = begin
       User.security_user
@@ -98,33 +104,36 @@
   # end
 
   ## == Menus ==
-  config.main_menu = lambda {
-    section "Dashboards", icon: "dashboards" do
-      all_dashboards
-    end
+  if defined?(Avo::Pro)
+    config.main_menu = lambda {
+      section "Dashboards", icon: "dashboards" do
+        all_dashboards
+      end
 
-    section "Resources", icon: "resources" do
-      Avo::App.resources_for_navigation.group_by { |r| r.model_class.module_parent_name }.sort_by { |k, _| k.to_s }.each do |namespace, reses|
-        if namespace.present?
-          group namespace.titleize, icon: "folder" do
+      section "Resources", icon: "resources" do
+        Avo.resource_manager.resources_for_navigation(current_user).group_by { |r| r.model_class.module_parent_name }
+          .sort_by { |k, _| k.to_s }.each do |namespace, reses|
+          if namespace.present?
+            group namespace.titleize, icon: "folder" do
+              reses.each do |res|
+                resource res.route_key
+              end
+            end
+          else
             reses.each do |res|
               resource res.route_key
             end
           end
-        else
-          reses.each do |res|
-            resource res.route_key
-          end
         end
       end
-    end
 
-    unless all_tools.empty?
-      section "Tools", icon: "tools" do
-        all_tools
+      unless all_tools.empty?
+        section "Tools", icon: "tools" do
+          all_tools
+        end
       end
-    end
-  }
+    }
+  end
 
   config.profile_menu = lambda {
     link_to "Admin Profile",
@@ -136,11 +145,8 @@
 Rails.configuration.to_prepare do
   Avo::ApplicationController.include GitHubOAuthable
   Avo::BaseController.prepend AvoAuditable
-  Avo::BaseResource.include Concerns::AvoAuditableResource
-
-  Avo::ApplicationController.content_security_policy do |policy|
-    policy.style_src :self, "https://fonts.googleapis.com", :unsafe_inline
-  end
+  Avo::BaseResource.prepend Avo::Resources::Concerns::AvoAuditableResource
+  Avo::Concerns::HasItems.prepend Avo::Resources::Concerns::AvoAuditableResource::HasItemsIncludeComment
 
   # Fix for https://github.com/rails/rails/issues/49783
   Avo::Views::ResourceEditComponent.class_eval do
diff --git a/config/initializers/better_html.rb b/config/initializers/better_html.rb
index 07b30994ef3..3eb5dc80cfe 100644
--- a/config/initializers/better_html.rb
+++ b/config/initializers/better_html.rb
@@ -1,5 +1,5 @@
 BetterHtml.configure do |config|
   config.template_exclusion_filter = proc { |filename|
-    filename.include?("avo")
+    filename.include?("avo") || filename.include?("/railties-")
   }
 end
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index f332248831b..df1cf833606 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -1,49 +1,51 @@
 # Be sure to restart your server when you modify this file.
 
-# Define an application-wide content security policy
-# For further information see the following documentation
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# Define an application-wide content security policy.
+# See the Securing Rails Applications Guide for more information:
+# https://guides.rubyonrails.org/security.html#content-security-policy-header
 
-Rails.application.config.content_security_policy do |policy|
-  policy.default_src :self
-  policy.font_src    :self, "https://fonts.gstatic.com"
-  policy.img_src     :self, "https://secure.gaug.es", "https://gravatar.com", "https://www.gravatar.com", "https://secure.gravatar.com",
-    "https://*.fastly-insights.com", "https://avatars.githubusercontent.com"
-  policy.object_src  :none
-  # NOTE: This scirpt_src is overridden for all requests in ApplicationController
-  # This is the baseline in case the override is ever skipped
-  policy.script_src :self, "https://secure.gaug.es", "https://www.fastly-insights.com"
-  policy.style_src :self, "https://fonts.googleapis.com"
-  policy.connect_src :self, "https://s3-us-west-2.amazonaws.com/rubygems-dumps/", "https://*.fastly-insights.com", "https://fastly-insights.com",
-    "https://api.github.com", "http://localhost:*"
-  policy.form_action :self, "https://github.com/login/oauth/authorize"
-  policy.frame_ancestors :self
-  policy.base_uri :self
+Rails.application.configure do
+  config.content_security_policy do |policy|
+    policy.default_src :self
+    policy.font_src    :self, "https://fonts.gstatic.com"
+    policy.img_src     :self, "data:", "https://secure.gaug.es", "https://gravatar.com", "https://www.gravatar.com", "https://secure.gravatar.com",
+      "https://*.fastly-insights.com", "https://avatars.githubusercontent.com"
+    policy.object_src  :none
+    # NOTE: This scirpt_src is overridden for all requests in ApplicationController
+    # This is the baseline in case the override is ever skipped
+    policy.script_src :self, "https://secure.gaug.es", "https://www.fastly-insights.com"
+    policy.style_src :self, :unsafe_inline, "https://fonts.googleapis.com"
+    policy.connect_src :self, "https://s3-us-west-2.amazonaws.com/rubygems-dumps/", "https://*.fastly-insights.com", "https://fastly-insights.com",
+      "https://api.github.com", "http://localhost:*"
+    policy.form_action :self, "https://github.com/login/oauth/authorize"
+    policy.frame_ancestors :self
+    policy.base_uri :self
 
-  # Specify URI for violation reports
-  policy.report_uri lambda {
-    dd_api_key = ENV['DATADOG_CSP_API_KEY'].presence
-    url = ActionDispatch::Http::URL.url_for(
-      protocol: 'https',
-      host: 'csp-report.browser-intake-datadoghq.com',
-      path: '/api/v2/logs',
-      params: {
-        "dd-api-key": dd_api_key,
-        "dd-evp-origin": 'content-security-policy',
-        ddsource: 'csp-report',
-        ddtags: {
-          service: "rubygems.org",
-          version: AppRevision.version,
-          env: Rails.env,
-          trace_id: Datadog::Tracing.correlation&.trace_id,
-          "gemcutter.user.id": (current_user.id if respond_to?(:signed_in?) && signed_in?)
-        }.compact.map { |k, v| "#{k}:#{v}" }.join(',')
-      }
-    )
-    # ensure we compute the URL on development/test,
-    # but onlu return it if the API key is configures
-    url if dd_api_key
-  }
+    # Specify URI for violation reports
+    policy.report_uri lambda {
+      dd_api_key = ENV['DATADOG_CSP_API_KEY'].presence
+      url = ActionDispatch::Http::URL.url_for(
+        protocol: 'https',
+        host: 'csp-report.browser-intake-datadoghq.com',
+        path: '/api/v2/logs',
+        params: {
+          "dd-api-key": dd_api_key,
+          "dd-evp-origin": 'content-security-policy',
+          ddsource: 'csp-report',
+          ddtags: {
+            service: "rubygems.org",
+            version: AppRevision.version,
+            env: Rails.env,
+            trace_id: Datadog::Tracing.correlation&.trace_id,
+            "gemcutter.user.id": (current_user.id if respond_to?(:signed_in?) && signed_in?)
+          }.compact.map { |k, v| "#{k}:#{v}" }.join(',')
+        }
+      )
+      # ensure we compute the URL on development/test,
+      # but onlu return it if the API key is configures
+      url if dd_api_key
+    }
+  end
 end
 
 # Generate session nonces for permitted importmap, inline scripts, and inline styles.
@@ -53,8 +55,4 @@
   request.session.send(:load_for_write!) # force session to be created
   request.session.id.to_s.presence || SecureRandom.base64(16)
 }
-Rails.application.config.content_security_policy_nonce_directives = %w[script-src style-src]
-
-# Report CSP violations to a specified URI. See:
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
-# config.content_security_policy_report_only = truepoint
+Rails.application.config.content_security_policy_nonce_directives = %w[script-src]
diff --git a/config/initializers/datadog.rb b/config/initializers/datadog.rb
index 5a508fe401d..9681e9c18aa 100644
--- a/config/initializers/datadog.rb
+++ b/config/initializers/datadog.rb
@@ -1,5 +1,7 @@
 require "app_revision"
 
+return if Rails.env.local? # Don't enable Datadog in local Development & Test environments
+
 Datadog.configure do |c|
   # unified service tagging
 
@@ -9,7 +11,7 @@
 
   # Enabling datadog functionality
 
-  enabled = !Rails.env.local? && ENV["DD_AGENT_HOST"].present? && !defined?(Rails::Console)
+  enabled = ENV["DD_AGENT_HOST"].present? && !defined?(Rails::Console)
   c.runtime_metrics.enabled = enabled
   c.profiling.enabled = enabled
   c.tracing.enabled = enabled
@@ -43,10 +45,12 @@
   c.tracing.instrument :opensearch, service_name: c.service
   c.tracing.instrument :pg
   c.tracing.instrument :rails, request_queuing: true
-  c.tracing.instrument :shoryuken
+  c.tracing.instrument :shoryuken if defined?(Shoryuken)
 end
 
 Datadog::Tracing.before_flush(
   # Remove spans for the /internal/ping endpoint
   Datadog::Tracing::Pipeline::SpanFilter.new { |span| span.resource == "Internal::PingController#index" }
 )
+
+require "datadog/auto_instrument"
diff --git a/config/initializers/filter_parameter_logging.rb b/config/initializers/filter_parameter_logging.rb
index d997f9aa485..89c5d312f58 100644
--- a/config/initializers/filter_parameter_logging.rb
+++ b/config/initializers/filter_parameter_logging.rb
@@ -3,7 +3,7 @@
 # Configure parameters to be partially matched (e.g. passw matches password) and filtered from the log file.
 # Use this to limit dissemination of sensitive information.
 # See the ActiveSupport::ParameterFilter documentation for supported notations and behaviors.
-Rails.application.config.filter_parameters += %I[
-  password passw secret token _key crypt salt certificate otp ssn api_key recovery_codes seed
-  jwt
+Rails.application.config.filter_parameters += %i[
+  passw email secret token _key crypt salt certificate otp ssn
+  api_key recovery_codes seed jwt password
 ]
diff --git a/config/initializers/honeybadger.rb b/config/initializers/honeybadger.rb
index fa6efe727ab..cf96d851c43 100644
--- a/config/initializers/honeybadger.rb
+++ b/config/initializers/honeybadger.rb
@@ -1,7 +1,13 @@
-Honeybadger.configure do |config|
-  config.report_data = false if Rails.env.development?
-  config.before_notify do |notice|
-    notice.halt! if ActionDispatch::ExceptionWrapper.rescue_responses.key?(notice.error_class)
+return if Rails.env.local? # Don't enable Honeybadger in local Development & Test environments
+
+Rails.logger.silence(:error) do
+  require "honeybadger"
+
+  Honeybadger.configure do |config|
+    config.before_notify do |notice|
+      notice.halt! if ActionDispatch::ExceptionWrapper.rescue_responses.key?(notice.error_class)
+    end
+
+    config.logger = SemanticLogger[Honeybadger]
   end
-  config.logger = SemanticLogger[Honeybadger]
 end
diff --git a/config/initializers/new_framework_defaults_7_2.rb b/config/initializers/new_framework_defaults_7_2.rb
new file mode 100644
index 00000000000..b549c4a258a
--- /dev/null
+++ b/config/initializers/new_framework_defaults_7_2.rb
@@ -0,0 +1,70 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file eases your Rails 7.2 framework defaults upgrade.
+#
+# Uncomment each configuration one by one to switch to the new default.
+# Once your application is ready to run with all new defaults, you can remove
+# this file and set the `config.load_defaults` to `7.2`.
+#
+# Read the Guide for Upgrading Ruby on Rails for more info on each option.
+# https://guides.rubyonrails.org/upgrading_ruby_on_rails.html
+
+###
+# Controls whether Active Job's `#perform_later` and similar methods automatically defer
+# the job queuing to after the current Active Record transaction is committed.
+#
+# Example:
+#   Topic.transaction do
+#     topic = Topic.create(...)
+#     NewTopicNotificationJob.perform_later(topic)
+#   end
+#
+# In this example, if the configuration is set to `:never`, the job will
+# be enqueued immediately, even though the `Topic` hasn't been committed yet.
+# Because of this, if the job is picked up almost immediately, or if the
+# transaction doesn't succeed for some reason, the job will fail to find this
+# topic in the database.
+#
+# If `enqueue_after_transaction_commit` is set to `:default`, the queue adapter
+# will define the behaviour.
+#
+# Note: Active Job backends can disable this feature. This is generally done by
+# backends that use the same database as Active Record as a queue, hence they
+# don't need this feature.
+#++
+# Rails.application.config.active_job.enqueue_after_transaction_commit = :default
+
+###
+# Adds image/webp to the list of content types Active Storage considers as an image
+# Prevents automatic conversion to a fallback PNG, and assumes clients support WebP, as they support gif, jpeg, and png.
+# This is possible due to broad browser support for WebP, but older browsers and email clients may still not support
+# WebP. Requires imagemagick/libvips built with WebP support.
+#++
+# Rails.application.config.active_storage.web_image_content_types = %w[image/png image/jpeg image/gif image/webp]
+
+###
+# Enable validation of migration timestamps. When set, an ActiveRecord::InvalidMigrationTimestampError
+# will be raised if the timestamp prefix for a migration is more than a day ahead of the timestamp
+# associated with the current time. This is done to prevent forward-dating of migration files, which can
+# impact migration generation and other migration commands.
+#
+# Applications with existing timestamped migrations that do not adhere to the
+# expected format can disable validation by setting this config to `false`.
+#++
+# Rails.application.config.active_record.validate_migration_timestamps = true
+
+###
+# Controls whether the PostgresqlAdapter should decode dates automatically with manual queries.
+#
+# Example:
+#   ActiveRecord::ConnectionAdapters::PostgreSQLAdapter.select_value("select '2024-01-01'::date") #=> Date
+#
+# This query used to return a `String`.
+#++
+# Rails.application.config.active_record.postgresql_adapter_decode_dates = true
+
+###
+# Enables YJIT as of Ruby 3.3, to bring sizeable performance improvements. If you are
+# deploying to a memory constrained environment you may want to set this to `false`.
+#++
+# Rails.application.config.yjit = true
diff --git a/config/initializers/omniauth.rb b/config/initializers/omniauth.rb
index a41c0d6777e..0bacd8f5845 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/omniauth.rb
@@ -11,3 +11,20 @@
 
 OmniAuth::AuthenticityTokenProtection.default_options(key: "csrf.token", authenticity_param: "_csrf")
 OmniAuth.config.logger = SemanticLogger[OmniAuth]
+
+class FailureEndpoint < OmniAuth::FailureEndpoint
+  # ensures that same-site: strict cookies are available for csrf validation
+  def call
+    if env["omniauth.error.type"] == :csrf_detected && env["HTTP_SEC_FETCH_SITE"] == "cross-site"
+      request = Rack::Request.new(env)
+      # avoid overwriting the (real) session cookie
+      request.session.options[:skip] = true
+      # redirect to the same path, but with a meta refresh to avoid the browser treating the request as cross-site
+      [303, {}, ["<!DOCTYPE html><html><head><meta http-equiv='refresh' content='0; #{request.fullpath}' /></head></html>"]]
+    else
+      super
+    end
+  end
+end
+
+OmniAuth.config.on_failure = FailureEndpoint
diff --git a/config/initializers/prosopite.rb b/config/initializers/prosopite.rb
index 95e7e0208d6..19c65ff5a37 100644
--- a/config/initializers/prosopite.rb
+++ b/config/initializers/prosopite.rb
@@ -11,8 +11,9 @@
       "app/mailers/",
 
       # avo auditing potentially loads things multiple times, but it will be bounded by the size of the audit
-      "app/avo/actions/base_action.rb",
+      "app/avo/actions/application_action.rb",
       "app/components/avo/fields/audited_changes_field/show_component.html.erb",
+      "app/components/avo/views/resource_index_component.html.erb",
 
       # calls count for each owner, AR doesn't yet allow preloading aggregates
       "app/views/ownership_requests/_ownership_request.html.erb"
diff --git a/config/initializers/requires.rb b/config/initializers/requires.rb
index 966db0b8de5..8a6f441cff6 100644
--- a/config/initializers/requires.rb
+++ b/config/initializers/requires.rb
@@ -5,3 +5,4 @@
 require 'rack/rewindable_input'
 require 'elastic_searcher'
 require 'github_secret_scanning'
+require 'access'
diff --git a/config/initializers/semantic_logger.rb b/config/initializers/semantic_logger.rb
index 44ddc2ab5c4..52e3cf17a36 100644
--- a/config/initializers/semantic_logger.rb
+++ b/config/initializers/semantic_logger.rb
@@ -29,7 +29,7 @@ def append_info_to_payload(payload)
       url: request.url
     }
 
-    method_and_path = [request.method, request.path].select(&:present?)
+    method_and_path = [request.method, request.path].compact_blank
     method_and_path_string = method_and_path.empty? ? ' ' : " #{method_and_path.join(' ')} "
 
     payload[:message] ||= "[#{response.status}]#{method_and_path_string}(#{payload.fetch(:controller)}##{payload.fetch(:action)})"
diff --git a/config/initializers/sendgrid.rb b/config/initializers/sendgrid.rb
index 810b664e5a3..51a64f8dce7 100644
--- a/config/initializers/sendgrid.rb
+++ b/config/initializers/sendgrid.rb
@@ -6,7 +6,7 @@
     password:             ENV['SENDGRID_PASSWORD'],
     domain:               'mailer.rubygems.org',
     authentication:       :plain,
-    enable_starttls_auto: true
+    enable_starttls:      true
   }
   ActionMailer::Base.delivery_method = :smtp
 end
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 28c03b11a72..445a076ac0d 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -5,7 +5,7 @@
 
 # Be sure to restart your server when you modify this file.
 
-Rails.application.config.session_store :cookie_store, key: '_rubygems_session'
+Rails.application.config.session_store :cookie_store, key: '_rubygems_session', same_site: :strict
 
 # Use the database for sessions instead of the cookie-based default,
 # which shouldn't be used to store highly confidential information
diff --git a/config/initializers/sigstore.rb b/config/initializers/sigstore.rb
new file mode 100644
index 00000000000..6328db2eb58
--- /dev/null
+++ b/config/initializers/sigstore.rb
@@ -0,0 +1,12 @@
+require "sigstore/verifier"
+require "sigstore/rekor/client"
+require "sigstore/models"
+require "sigstore/policy"
+require "sigstore/signer"
+
+module Sigstore::Loggable::ClassMethods
+  undef_method :logger
+  def logger
+    @semantic_logger ||= SemanticLogger[self] # rubocop:disable Naming/MemoizedInstanceVariableName
+  end
+end
diff --git a/config/initializers/statsd.rb b/config/initializers/statsd.rb
index 2e91b49bc84..a3721b165bb 100644
--- a/config/initializers/statsd.rb
+++ b/config/initializers/statsd.rb
@@ -57,8 +57,10 @@
 
 ActiveSupport::Notifications.subscribe("perform_job.good_job") do |event|
   execution = event.payload[:execution]
+  # TODO: remove || execution after GoodJob 4 upgrade
+  job = event.payload[:job] || execution
 
-  result = if event.payload[:retried] || execution.retried_good_job_id.present?
+  result = if event.payload[:retried] || job.retried_good_job_id.present?
              :retried
            elsif event.payload[:unhandled_error]
              :unhandled_error
@@ -72,7 +74,7 @@
     job_class: execution.serialized_params['job_class'],
     exception: event.payload.dig(:exception, 0),
     queue: execution.queue_name,
-    priority: execution.priority,
+    priority: job.priority,
     result:
   }
 
diff --git a/config/initializers/strong_migrations.rb b/config/initializers/strong_migrations.rb
index 17f3f042095..1d977dad858 100644
--- a/config/initializers/strong_migrations.rb
+++ b/config/initializers/strong_migrations.rb
@@ -12,7 +12,7 @@
 
 # Set the version of the production database
 # so the right checks are run in development
-StrongMigrations.target_version = "11.3"
+StrongMigrations.target_version = "13"
 
 # Add custom checks
 # StrongMigrations.add_check do |method, args|
diff --git a/config/initializers/zeitwerk.rb b/config/initializers/zeitwerk.rb
index 896e8817c1b..11a2829e0d1 100644
--- a/config/initializers/zeitwerk.rb
+++ b/config/initializers/zeitwerk.rb
@@ -9,6 +9,12 @@
 
 Rails.autoloaders.main.ignore(Rails.root.join("lib/puma/plugin"))
 
+unless defined?(Avo::Pro)
+  Rails.autoloaders.main.ignore(Rails.root.join("app/avo/cards"))
+  Rails.autoloaders.main.ignore(Rails.root.join("app/avo/dashboards"))
+  Rails.autoloaders.main.ignore(Rails.root.join("lib/admin/authorization_client.rb"))
+end
+
 Rails.autoloaders.once.inflector.inflect(
   "http" => "HTTP",
   "oidc" => "OIDC",
diff --git a/config/locales/de.yml b/config/locales/de.yml
index d490bee4403..66e603971e6 100644
--- a/config/locales/de.yml
+++ b/config/locales/de.yml
@@ -4,6 +4,7 @@ de:
   copied: Kopiert!
   copy_to_clipboard: In die Zwischenablage kopieren
   edit: Bearbeiten
+  hide: Verbergen
   verification_expired:
   feed_latest: RubyGems.org | Neueste Gems
   feed_subscribed: RubyGems.org | Abonnierte Gems
@@ -26,7 +27,11 @@ de:
   locale_name: Deutsch
   none: None
   not_found: Nicht gefunden
+  forbidden:
+  api_gem_not_found:
   api_key_forbidden:
+  api_key_soft_deleted:
+  api_key_insufficient_scope:
   please_sign_up: Zugriff verweigert. Bitte melden Sie sich unter https://rubygems.org
     mit einem Konto an
   please_sign_in: Bitte melden Sie sich an, um fortzufahren.
@@ -35,6 +40,7 @@ de:
   otp_missing: Sie haben die Mehrfaktor-Authentifizierung aktiviert, aber keinen OTP-Code
     angegeben. Bitte füllen Sie diesen aus und versuchen Sie es erneut.
   sign_in: Anmelden
+  sign_out: Abmelden
   sign_up: Registrieren
   dependency_list: Alle transitiven Abhängigkeiten anzeigen
   multifactor_authentication: Mehrfaktorauthentifizierung
@@ -42,8 +48,10 @@ de:
   this_rubygem_could_not_be_found: Dieses Ruby Gem konnte nicht gefunden werden.
   time_ago: seit %{duration}
   title: RubyGems.org
-  update: Aktualisieren
+  total_downloads: Downloads insgesamt
   try_again: Etwas ist schiefgelaufen. Bitte versuchen Sie es erneut.
+  update: Aktualisieren
+  view_all: Alle anzeigen
   advanced_search: Erweiterte Suche
   authenticate: Authentifizieren
   helpers:
@@ -69,6 +77,14 @@ de:
         full_name: Vollständiger Name
         handle: Benutzername
         password: Passwort
+      ownership/role:
+        owner:
+        maintainer:
+      membership/role:
+        owner:
+        admin:
+        maintainer:
+        outside_contributor:
       api_key:
         oidc_api_key_role: OIDC-API-Schlüsselrolle
       oidc/id_token:
@@ -91,11 +107,26 @@ de:
           attributes:
             expires_at:
               inclusion:
+        organization:
+          attributes:
+            handle:
+              invalid:
         ownership:
           attributes:
             user_id:
               already_confirmed: ist bereits Eigentümer dieses Gems
               already_invited: wurde bereits zu diesem Gem eingeladen
+        ownership_request:
+          attributes:
+            user_id:
+              taken:
+              existing:
+        user:
+          attributes:
+            handle:
+              invalid:
+            password:
+              bcrypt_length:
         version:
           attributes:
             gem_full_name:
@@ -169,6 +200,7 @@ de:
         können. Neuer API-Schlüssel:'
       mfa: MFA
       expiration:
+      update_owner:
     new:
       new_api_key: Neuer API-Schlüssel
     reset:
@@ -193,9 +225,10 @@ de:
       mine: Meine Gems
       my_subscriptions: Abonnements
       no_owned_html: Du hast noch keine Gems gepusht. Schau doch vielleicht die Dokumentation
-        auf %{creating_link} an und %{migrating_link} ein Gem from RubyForge.
+        auf %{creating_link}.
       no_subscriptions_html: Du hast noch keine Gems abonniert. Besuche %{gem_link}
         um das Gem zu abonnieren!
+      organizations:
       title: Dashboard
   dependencies:
     show:
@@ -226,6 +259,7 @@ de:
         blog: Blog
         contribute: Beitragen
         data: Daten
+        docs: Dokumentation
         designed_by: Design von
         discussion_forum: Diskussion
         gems_served_by: Gems angeboten von
@@ -240,6 +274,9 @@ de:
         statistics: Statistiken
         status: Status
         supported_by: Unterstützt von
+        supported_by_html: |
+          <a href="https://rubygems.org" class="font-semibold">RubyGems.org</a>
+          wird unterstützt von
         tested_by:
         tracking_by: Getrackt von
         uptime: Betriebszeit
@@ -247,14 +284,18 @@ de:
         secured_by:
         looking_for_maintainers:
       header:
+        profile: Profil
         dashboard: Dashboard
-        settings:
-        edit_profile:
+        settings: Einstellungen
+        edit_profile: Profil bearbeiten
         search_gem_html: Suche Gems&hellip;
-        sign_in: Anmelden
-        sign_out: Abmelden
-        sign_up: Registrieren
       mfa_banner_html:
+  breadcrumbs:
+    home: Startseite
+    dashboard: Dashboard
+    settings: Einstellungen
+    org_name: 'Organisation: %{name}'
+    subscriptions: Abonnements
   mailer:
     confirm_your_email: Bitte bestätigen Sie Ihre E-Mail-Adresse mit dem Link, der
       an Ihre E-Mail gesendet wurde.
@@ -352,6 +393,12 @@ de:
       subtitle: Hallo %{user_handle}!
       body_html: <b>Du</b> wurdest als Besitzer für das <strong><a href="https://rubygems.org/gems/%{gem}">%{gem}</a></strong>-Gem
         auf %{host} von <b>%{remover}</b> entfernt.
+    owner_updated:
+      subject:
+      title:
+      subtitle:
+      body_html:
+      body_text:
     ownerhip_request_closed:
       title: ANFRAGE ZUR BESITZERRECHTIGUNG
       subtitle: Hallo %{handle}!
@@ -410,6 +457,8 @@ de:
         gepusht wurde.
     gem_trusted_publisher_added:
       title: VERTRAUENSWÜRDIGER PUBLISHER HINZUGEFÜGT
+    admin_manual:
+      title:
   news:
     show:
       title: Neue Veröffentlichungen — Alle Gems
@@ -421,45 +470,41 @@ de:
     about:
       contributors_amount: "%{count} Rubyists"
       downloads_amount: Millionen von Gem-Downloads
-      checkout_code: bitte prüfe den Code
-      mit_licensed: MIT-lizenziert
+      checkout_code: sieh dir einfach den Code an
+      mit_licensed: MIT Lizenz
       logo_header: Auf der Suche nach unserem Logo?
-      logo_details: Wähle einfach den Download-Button, um drei .PNGs und eine .SVG
-        des RubyGems-Logos für dich zu erhalten.
+      logo_details: Klick einfach auf den Download-Button, um drei PNGs und eine SVG
+        des RubyGems-Logos zu erhalten.
       founding_html: Das Projekt wurde im April 2009 von %{founder} gestartet und
-        hat seitdem über %{contributors} und %{downloads}. Ab dem Release von RubyGems
-        1.3.6 wurde die Website von Gemcutter zu %{title} umbenannt, um eine zentrale
-        Rolle in der Ruby-Community zu verfestigen.
-      support_html: Obwohl RubyGems.org nicht von einem bestimmten Unternehmen ausgeführt
+        ist seitdem dank %{contributors} und %{downloads} gewachsen. Mit dem Release
+        von RubyGems 1.3.6 wurde die Website von Gemcutter zu %{title} umbenannt,
+        um ihre zentrale Rolle in der Ruby-Community zu verdeutlichen.
+      support_html: Obwohl RubyGems.org nicht von einem zentralen Unternehmen geführt
         wird, haben viele Unternehmen uns bereits unterstützt. Das aktuelle Design,
-        die Illustrationen und die Front-End-Entwicklung für dieser Webseite wurden
-        von %{dockyard} erstellt. %{github} hat auch von unschätzbarem Wert uns geholfen
-        den Code mit anderen Entwicklern zuteilen, um an dem Code leichter zusammenarbeiten.
-        Die Website wurde mit %{heroku} gestartet, dessen großen Dienst uns geholfen,
-        RubyGems als eine praktikable Lösung zu erweisen, wo die ganze Gemeinschaft
-        darauf verlassen kann. Our infrastructure is currently hosted on %{aws}.
+        die Illustrationen und die Frontend-Entwicklung wurden von %{dockyard} erstellt.
+        %{github} war auch von unschätzbarem Wert und hat uns sehr geholfen, zusammenzuarbeiten
+        und Code zu teilen. Die Website wurde mit %{heroku} gestartet, großartiger
+        Service dazu beitrug, RubyGems als eine praktikable Lösung zu beweisen, auf
+        die sich die gesamte Community verlassen kann. Unsere Infrastruktur wird derzeit
+        auf %{aws} gehostet.
       technical_html: 'Einige Einblicke in die technischen Aspekte dieser Webseite:
-        Es ist 100% in Ruby geschrieben. Die Hauptseite ist verwendet die %{rails}-Software.
-        Die Gems werden in %{s3}, served by %{fastly}, gehostet und die Zeit zwischen
-        der Veröffentlichung eines neuen Gems und nachdem er bereit zur Installation
-        freigegeben ist, ist minimal. Für mehr Informationen siehe %{source_code}
-        (%{license}) auf GitHub.'
+        Sie ist zu 100% in Ruby geschrieben. Die Hauptseite ist eine %{rails} App.
+        Die Gems werden auf %{s3} gehostet und über %{fastly} ausgeliefert, und die
+        Zeit nach der Veröffentlichung eines neuen Gems, bis es zur Installation bereit
+        seht, beträgt meistens nur einige wenige Sekunden. Für mehr Informationen
+        %{source_code}, der mit der %{license} auf GitHub bereitseht.'
       title: Über uns
       purpose:
-        better_api: Bereitstellen eines besseren APIs für den Umgang mit Gems
-        enable_community: Der Gemeinschaft ermöglichen, die Webseite zu verbessern
+        better_api: Eine bessere API bereitzustellen, um mit Gems zu arbeiten
+        enable_community: Es der Community zu ermöglichen, diese Webseite zu verbessern
           und zu erweitern
-        header: 'Willkommen in %{site}, die Community für Ruby Gem-Hostingservice.
-          Die Gründe sind vielfältig:'
-        transparent_pages: Erstellen transparenter und zugänglicher Projektseiten
+        header: 'Willkommen bei RubyGems.org, dem Gem-Hosting-Srrvice der Ruby-Community.
+          Dieses Projekt hat drei Ziele:'
+        transparent_pages: Mehr transparente und barrierefreie Projektseiten zu erstellen
     data:
       title: RubyGems.org Data Dumps
     download:
       title: Download RubyGems
-    faq:
-      title: FAQ
-    migrate:
-      title: Migrate gems
     security:
       title: Security
     sponsors:
@@ -511,12 +556,17 @@ de:
       die Sicherheit deines Kontos, indem du <a href=\"/settings/edit#security-device\">ein
       neues Gerät einrichtest</a>. <a href=\"https://blog.rubygems.org/2023/08/03/level-up-using-security-devices.html\">Erfahre
       mehr</a>!"
+    api:
+      mfa_required:
+      mfa_required_not_yet_enabled:
+      mfa_required_weak_level_enabled:
+      mfa_recommended_not_yet_enabled:
+      mfa_recommended_weak_level_enabled:
     recovery:
-      copied: "[ kopiert ]"
       continue: Weiter
       title: Wiederherstellungscodes
-      copy: "[ kopieren ]"
       saved: Ich bestätige, dass ich meine Wiederherstellungscodes gespeichert habe.
+      confirm_dialog:
       note_html: Bitte <strong class='recovery__bold'>kopieren und speichern</strong>
         Sie diese Wiederherstellungscodes. Sie können diese Codes verwenden, um sich
         anzumelden und Ihre MFA zurückzusetzen, wenn Sie Ihr Authentifizierungsgerät
@@ -593,7 +643,13 @@ de:
     failed_verification:
       title:
       close_browser:
+  organization_onboardings:
+    confirm:
+      success:
   owners:
+    edit:
+      role:
+      title:
     confirm:
       confirmed_email:
       token_expired:
@@ -605,6 +661,8 @@ de:
       confirmed_at:
       added_by:
       action:
+      role:
+      role_field:
       email_field:
       submit_button:
       info:
@@ -615,6 +673,9 @@ de:
       resent_notice:
     create:
       success_notice:
+    update:
+      update_current_user_role:
+      success_notice:
     destroy:
       removed_notice:
       failed_notice:
@@ -698,6 +759,7 @@ de:
   rubygems:
     aside:
       downloads_for_this_version: Für diese Version
+      gem_version_age: Version veröffentlicht
       required_ruby_version: Erforderliche Ruby-Version
       required_rubygems_version:
       requires_mfa:
@@ -743,6 +805,7 @@ de:
       sha_256_checksum: SHA 256-Prüfsumme
       signature_period:
       expired:
+      provenance_header:
     version_navigation:
       previous_version:
       next_version:
@@ -784,7 +847,7 @@ de:
       updated:
       yanked:
     show:
-      subtitle: für %{query}
+      subtitle_html: für <em>%{query}</em>
       month_update:
       week_update:
       filter:
@@ -804,7 +867,6 @@ de:
     index:
       title:
       all_time_most_downloaded: Am meisten Heruntergeladen in der gesamten Zeit
-      total_downloads: Downloads insgesamt
       total_gems: Gems insgesamt
       total_users: Benutzer insgesamt
   users:
@@ -870,8 +932,6 @@ de:
       continue:
       title:
       notice_html:
-      copied:
-      copy:
       saved:
     webauthn_credential:
       confirm_delete:
diff --git a/config/locales/en.yml b/config/locales/en.yml
index f78235ae00f..d88cefe17e9 100644
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -4,6 +4,7 @@ en:
   copied: Copied!
   copy_to_clipboard: Copy to clipboard
   edit: Edit
+  hide: Hide
   verification_expired: The verification has expired. Please verify again.
   feed_latest: RubyGems.org | Latest Gems
   feed_subscribed: RubyGems.org | Subscribed Gems
@@ -26,12 +27,17 @@ en:
   locale_name: English
   none: None
   not_found: Not Found
+  forbidden: Forbidden
+  api_gem_not_found: This gem could not be found
   api_key_forbidden: The API key doesn't have access
+  api_key_soft_deleted: An invalid API key cannot be used. Please delete it and create a new one.
+  api_key_insufficient_scope: This API key cannot perform the specified action on this gem.
   please_sign_up: Access Denied. Please sign up for an account at https://rubygems.org
   please_sign_in: Please sign in to continue.
   otp_incorrect: Your OTP code is incorrect. Please check it and retry.
   otp_missing: You have enabled multifactor authentication but no OTP code provided. Please fill it and retry.
   sign_in: Sign in
+  sign_out: Sign out
   sign_up: Sign up
   dependency_list: Show all transitive dependencies
   multifactor_authentication: Multi-factor authentication
@@ -39,8 +45,10 @@ en:
   this_rubygem_could_not_be_found: This rubygem could not be found.
   time_ago: "%{duration} ago"
   title: RubyGems.org
-  update: Update
+  total_downloads: Total downloads
   try_again: Something went wrong. Please try again.
+  update: Update
+  view_all: View all
   advanced_search: Advanced Search
   authenticate: Authenticate
   helpers:
@@ -66,6 +74,14 @@ en:
         full_name: Full name
         handle: Username
         password: Password
+      ownership/role:
+        owner: Owner
+        maintainer: Maintainer
+      membership/role:
+        owner: Owner
+        admin: Admin
+        maintainer: Maintainer
+        outside_contributor: Outside Contributor
       api_key:
         oidc_api_key_role: OIDC API Key Role
       oidc/id_token:
@@ -86,11 +102,26 @@ en:
           attributes:
             expires_at:
               inclusion: "must be in the future"
+        organization:
+          attributes:
+            handle:
+              invalid: "must start with a letter and can only contain letters, numbers, underscores, and dashes"
         ownership:
           attributes:
             user_id:
               already_confirmed: "is already an owner of this gem"
               already_invited: "is already invited to this gem"
+        ownership_request:
+          attributes:
+            user_id:
+              taken: "has already requested ownership"
+              existing: "is already an owner"
+        user:
+          attributes:
+            handle:
+              invalid: "must start with a letter and can only contain letters, numbers, underscores, and dashes"
+            password:
+              bcrypt_length: is too long (maximum is 72 bytes)
         version:
           attributes:
             gem_full_name:
@@ -161,6 +192,7 @@ en:
       save_key: "Note that we won't be able to show the key to you again. New API key:"
       mfa: MFA
       expiration: Expiration
+      update_owner: Update Owner
     new:
       new_api_key: New API key
     reset:
@@ -182,8 +214,9 @@ en:
       migrating_link_text: migrating
       mine: My Gems
       my_subscriptions: Subscriptions
-      no_owned_html: You haven't pushed any gems yet. Perhaps check out the guides on %{creating_link} a gem or %{migrating_link} a gem from RubyForge.
+      no_owned_html: You haven't pushed any gems yet. Perhaps check out the guide on %{creating_link} a gem.
       no_subscriptions_html: You're not subscribed to any gems yet. Visit a %{gem_link} to subscribe to one!
+      organizations: Organizations
       title: Dashboard
   dependencies:
     show:
@@ -212,6 +245,7 @@ en:
         blog: Blog
         contribute: Contribute
         data: Data
+        docs: Docs
         designed_by: Designed by
         discussion_forum: Discuss
         gems_served_by: Gems served by
@@ -226,6 +260,9 @@ en:
         statistics: Stats
         status: Status
         supported_by: Supported by
+        supported_by_html: |
+          <a href="https://rubygems.org" class="font-semibold">RubyGems.org</a>
+          is supported by
         tested_by: Tested by
         tracking_by: Tracking by
         uptime: Uptime
@@ -233,14 +270,18 @@ en:
         secured_by: Secured by
         looking_for_maintainers: maintainers wanted
       header:
+        profile: Profile
         dashboard: Dashboard
         settings: Settings
         edit_profile: Edit profile
         search_gem_html: Search Gems&hellip;
-        sign_in: Sign in
-        sign_out: Sign out
-        sign_up: Sign up
       mfa_banner_html: 🎉 We now support security devices! Improve your account security by <a href="/settings/edit#security-device">setting up</a> a new device. [Learn more](link to blog post)!
+  breadcrumbs:
+    home: Home
+    dashboard: Dashboard
+    settings: Settings
+    org_name: "Org: %{name}"
+    subscriptions: Subscriptions
   mailer:
     confirm_your_email: Please confirm your email address with the link sent to your email.
     confirmation_subject: Please confirm your email address with %{host}
@@ -318,6 +359,12 @@ en:
       title: OWNER REMOVED
       subtitle: Hi %{user_handle}!
       body_html: <b>You</b> were removed as an owner for <strong><a href="https://rubygems.org/gems/%{gem}">%{gem}</a></strong> gem on %{host} by <b>%{remover}</b>.
+    owner_updated:
+      subject: Your role was updated for %{gem} gem
+      title: OWNER ROLE UPDATED
+      subtitle: Hi %{user_handle}!
+      body_html: Your role was updated to %{role} for <strong><a href="https://rubygems.org/gems/%{gem}">%{gem}</a></strong> gem.
+      body_text: Your role was updated to %{role} for %{gem} gem.
     ownerhip_request_closed:
       title: OWNERSHIP REQUEST
       subtitle: Hi %{handle}!
@@ -360,6 +407,8 @@ en:
       gem_html: This webhook was previously called when <strong><a href="https://rubygems.org/gems/%{gem}">%{gem}</a></strong> was pushed.
     gem_trusted_publisher_added:
       title: TRUSTED PUBLISHER ADDED
+    admin_manual:
+      title: MESSAGE FROM RUBYGEMS.ORG ADMINS
   news:
     show:
       title: New Releases — All Gems
@@ -388,10 +437,6 @@ en:
       title: RubyGems.org Data Dumps
     download:
       title: Download RubyGems
-    faq:
-      title: FAQ
-    migrate:
-      title: Migrate gems
     security:
       title: Security
     sponsors:
@@ -427,12 +472,27 @@ en:
     strong_mfa_level_required_html: For protection of your account and your gems, you are required to change your MFA level to "UI and gem signin" or "UI and API". Please read our <a href="https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html">blog post</a> for more details.
     strong_mfa_level_recommended: For protection of your account and your gems, we encourage you to change your MFA level to "UI and gem signin" or "UI and API". Your account will be required to have MFA enabled on one of these levels in the future.
     setup_webauthn_html: 🎉 We now support security devices! Improve your account security by <a href="/settings/edit#security-device">setting up</a> a new device. <a href="https://blog.rubygems.org/2023/08/03/level-up-using-security-devices.html">Learn more</a>!
+    api:
+      mfa_required: Gem requires MFA enabled; You do not have MFA enabled yet.
+      mfa_required_not_yet_enabled: |
+        [ERROR] For protection of your account and your gems, you are required to set up multi-factor authentication at https://rubygems.org/totp/new.
+
+        Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
+      mfa_required_weak_level_enabled: |
+        [ERROR] For protection of your account and your gems, you are required to change your MFA level to 'UI and gem signin' or 'UI and API' at https://rubygems.org/settings/edit.
+
+        Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
+      mfa_recommended_not_yet_enabled: |
+        [WARNING] For protection of your account and gems, we encourage you to set up multi-factor authentication at https://rubygems.org/totp/new.
+        Your account will be required to have MFA enabled in the future.
+      mfa_recommended_weak_level_enabled: |
+        [WARNING] For protection of your account and gems, we encourage you to change your multi-factor authentication level to 'UI and gem signin' or 'UI and API' at https://rubygems.org/settings/edit.
+        Your account will be required to have MFA enabled on one of these levels in the future.
     recovery:
-      copied: "[ copied ]"
       continue: Continue
       title: Recovery codes
-      copy: "[ copy ]"
       saved: I acknowledge that I have saved my recovery codes.
+      confirm_dialog: Leave without copying recovery codes?
       note_html: "Please <strong class='recovery__bold'>copy and save</strong> these recovery codes. You can use these codes to login and reset your MFA if your lose your authentication device. Each code can be used once."
       already_generated: You should have already saved your recovery codes.
     update:
@@ -496,7 +556,13 @@ en:
     failed_verification:
       title: Error - Verification Failed
       close_browser: Please close this browser and try again.
+  organization_onboardings:
+    confirm:
+      success: Organization onboarded successfully!
   owners:
+    edit:
+      role: Role
+      title: Edit Owner
     confirm:
       confirmed_email: You were added as an owner to %{gem} gem
       token_expired: The confirmation token has expired. Please try resending the token from the gem page.
@@ -508,6 +574,8 @@ en:
       confirmed_at: CONFIRMED AT
       added_by: ADDED BY
       action: ACTION
+      role: ROLE
+      role_field: Role
       email_field: Email / Handle
       submit_button: Add Owner
       info: add or remove owners
@@ -518,6 +586,9 @@ en:
       resent_notice: A confirmation mail has been re-sent to your email
     create:
       success_notice: "%{handle} was added as an unconfirmed owner. Ownership access will be enabled after the user clicks on the confirmation mail sent to their email."
+    update:
+      update_current_user_role: Can't update your own Role
+      success_notice: "%{handle} was succesfully updated."
     destroy:
       removed_notice: "%{owner_name} was removed from the owners successfully"
       failed_notice: Can't remove the only owner of the gem
@@ -601,6 +672,7 @@ en:
   rubygems:
     aside:
       downloads_for_this_version: For this version
+      gem_version_age: Version Released
       required_ruby_version: Required Ruby Version
       required_rubygems_version: Required Rubygems Version
       requires_mfa: New versions require MFA
@@ -646,6 +718,7 @@ en:
       sha_256_checksum: SHA 256 checksum
       signature_period: Signature validity period
       expired: expired
+      provenance_header: Provenance
     version_navigation:
       previous_version: ← Previous version
       next_version: Next version →
@@ -687,7 +760,7 @@ en:
       updated: Updated
       yanked: Yanked
     show:
-      subtitle: for %{query}
+      subtitle_html: for <em>%{query}</em>
       month_update: Updated last month (%{count})
       week_update: Updated last week (%{count})
       filter: "Filter:"
@@ -707,7 +780,6 @@ en:
     index:
       title: Stats
       all_time_most_downloaded: All Time Most Downloaded
-      total_downloads: Total downloads
       total_gems: Total gems
       total_users: Total users
   users:
@@ -773,8 +845,6 @@ en:
       continue: Continue
       title: You have successfully added a security device
       notice_html: 'Please <strong class="recovery__bold">copy and paste</strong> these recovery codes. You can use these codes to login if you lose your security device. Each code can be used once.'
-      copied: "[ copied ]"
-      copy: "[ copy ]"
       saved: I acknowledge that I have saved my recovery codes.
     webauthn_credential:
       confirm_delete: "Credential deleted"
diff --git a/config/locales/es.yml b/config/locales/es.yml
index 17af540ada5..ee7e6a0d528 100644
--- a/config/locales/es.yml
+++ b/config/locales/es.yml
@@ -4,6 +4,7 @@ es:
   copied: "¡Copiado!"
   copy_to_clipboard: Copiar al portapapeles
   edit: Editar
+  hide: Ocultar
   verification_expired:
   feed_latest: RubyGems.org | Gemas más recientes
   feed_subscribed: RubyGems.org | Suscripciones a gemas
@@ -26,13 +27,18 @@ es:
   locale_name: Español
   none: Ninguno
   not_found: No encontrado
+  forbidden:
+  api_gem_not_found:
   api_key_forbidden: La clave API no tiene acceso
+  api_key_soft_deleted:
+  api_key_insufficient_scope:
   please_sign_up: Acceso denegado. Por favor regístrate en https://rubygems.org
   please_sign_in: Por favor, ingresa en tu cuenta para continuar.
   otp_incorrect: Tu código OTP es incorrecto. Por favor verifícalo y prueba nuevamente.
   otp_missing: Activaste autenticación con múltiples factores, pero no suministraste
     un código OTP. Por favor ingrésalo y prueba nuevamente.
   sign_in: Ingresa
+  sign_out: Salir
   sign_up: Regístrate
   dependency_list: Mostrar toda la cadena de dependencias
   multifactor_authentication: Autenticación de múltiples factores
@@ -40,8 +46,10 @@ es:
   this_rubygem_could_not_be_found: Esta gema no pudo encontrarse.
   time_ago: hace %{duration}
   title: RubyGems.org
-  update: Actualizar
+  total_downloads: Total de descargas
   try_again: Algo salió mal. Por favor inténtalo nuevamente.
+  update: Actualizar
+  view_all: Ver todo
   advanced_search: Búsqueda avanzada
   authenticate: Autenticar
   helpers:
@@ -67,6 +75,14 @@ es:
         full_name: Nombre completo
         handle: Usuario
         password: Contraseña
+      ownership/role:
+        owner:
+        maintainer:
+      membership/role:
+        owner:
+        admin:
+        maintainer:
+        outside_contributor:
       api_key:
         oidc_api_key_role:
       oidc/id_token:
@@ -89,11 +105,26 @@ es:
           attributes:
             expires_at:
               inclusion:
+        organization:
+          attributes:
+            handle:
+              invalid:
         ownership:
           attributes:
             user_id:
               already_confirmed: ya es propietario de esta gema
               already_invited: ya ha sido invitado a esta gema
+        ownership_request:
+          attributes:
+            user_id:
+              taken:
+              existing:
+        user:
+          attributes:
+            handle:
+              invalid:
+            password:
+              bcrypt_length:
         version:
           attributes:
             gem_full_name:
@@ -167,6 +198,7 @@ es:
         clave de API:'
       mfa: AMF
       expiration:
+      update_owner:
     new:
       new_api_key: Nueva clave de API
     reset:
@@ -191,10 +223,11 @@ es:
       migrating_link_text: migrar
       mine: Mis Gemas
       my_subscriptions: Suscripciones
-      no_owned_html: Todavía no publicaste ninguna gema. Prueba a ver las guías sobre
-        cómo %{creating_link} o %{migrating_link} una gema en rubygems.org.
+      no_owned_html: Todavía no publicaste ninguna gema. Prueba a ver la guía sobre
+        cómo %{creating_link}.
       no_subscriptions_html: Aún no te suscribiste a ninguna gema. ¡Visita la %{gem_link}
         para suscribirte!
+      organizations:
       title: Dashboard
   dependencies:
     show:
@@ -225,6 +258,7 @@ es:
         blog: Blog
         contribute: Contribuye
         data: Datos
+        docs: Documentación
         designed_by: Diseñado por
         discussion_forum: Foro de Discusión
         gems_served_by: Distribuida por
@@ -239,6 +273,9 @@ es:
         statistics: Estadísticas
         status: Estado
         supported_by: Con el apoyo de
+        supported_by_html: |
+          <a href="https://rubygems.org" class="font-semibold">RubyGems.org</a>
+          es respaldado por
         tested_by: Probado por
         tracking_by: Seguimiento con
         uptime: Uptime
@@ -246,14 +283,18 @@ es:
         secured_by: Protegido por
         looking_for_maintainers: Se buscan mantenedores/as
       header:
+        profile: Perfil
         dashboard: Dashboard
         settings: Configuración
-        edit_profile: Editar perfil
+        edit_profile: Editar
         search_gem_html: Buscar gemas&hellip;
-        sign_in: Acceso
-        sign_out: Salir
-        sign_up: Registro
       mfa_banner_html:
+  breadcrumbs:
+    home: Inicio
+    dashboard: Dashboard
+    settings: Configuración
+    org_name: 'Org: %{name}'
+    subscriptions: Suscripciones
   mailer:
     confirm_your_email: Por favor confirma tu dirección de correo con el enlace enviado.
     confirmation_subject: Por favor confirma tu dirección de correo con %{host}
@@ -351,6 +392,12 @@ es:
       subtitle: "¡Hola %{handle}!"
       body_html: Has sido eliminado como propietario/a de la gema <strong><a href="https://rubygems.org/gems/%{gem}">%{gem}</a></strong>
         en %{host} por <b>%{remover}</b>.
+    owner_updated:
+      subject:
+      title:
+      subtitle:
+      body_html:
+      body_text:
     ownerhip_request_closed:
       title: CANDIDATURA A PROPIETARIO
       subtitle: "¡Hola %{handle}!"
@@ -401,6 +448,8 @@ es:
       gem_html: Este webhook se ejecutaba antes cuando se subía <strong><a href="https://rubygems.org/gems/%{gem}">%{gem}</a></strong>.
     gem_trusted_publisher_added:
       title:
+    admin_manual:
+      title:
   news:
     show:
       title: Nuevos lanzamientos — Todas las Gemas
@@ -444,10 +493,6 @@ es:
       title: Volcado de datos de RubyGems.org
     download:
       title: Descargar RubyGems
-    faq:
-      title: Preguntas Frecuentes
-    migrate:
-      title: Migrar Gemas
     security:
       title: Seguridad
     sponsors:
@@ -496,12 +541,17 @@ es:
     setup_webauthn_html: "\U0001F389 ¡Ahora soportamos dispositivos de seguridad!
       Aumenta la seguridad de tu cuenta <a href=\"/settings/edit#security-device\">configurando</a>
       un nuevo dispositivo."
+    api:
+      mfa_required:
+      mfa_required_not_yet_enabled:
+      mfa_required_weak_level_enabled:
+      mfa_recommended_not_yet_enabled:
+      mfa_recommended_weak_level_enabled:
     recovery:
-      copied: "[ copiado ]"
       continue: Continuar
       title: Códigos de recuperación
-      copy: "[ copiar ]"
       saved: Declaro haber guardado mis códigos de recuperación.
+      confirm_dialog:
       note_html: Por favor <strong class='recovery__bold'>copia y guarda</strong>
         estos códigos de recuperación. Puedes usar estos códigos para acceder y restablecer
         tu autenticación de múltiples factores si pierdes tu dispositivo. Cada código
@@ -578,7 +628,13 @@ es:
     failed_verification:
       title: Error - Falló la verification
       close_browser: Por favor cierra este navegador e inténtalo de nuevo.
+  organization_onboardings:
+    confirm:
+      success:
   owners:
+    edit:
+      role:
+      title:
     confirm:
       confirmed_email: Has sido añadido/a como propietario de la gema %{gem}
       token_expired: El token de confirmación ha expirado. Por favor intenta reenviar
@@ -591,6 +647,8 @@ es:
       confirmed_at: CONFIRMADO
       added_by: AÑADIDO POR
       action: ACCIÓN
+      role:
+      role_field:
       email_field: Correo / Usuario
       submit_button: Añadir a propietarios
       info: añadir o eliminar propietarios
@@ -603,6 +661,9 @@ es:
       success_notice: Se ha añadido a %{handle} como propietario sin confirmar. Su
         acceso como propietario se activará cuando haga click en el mensaje de confirmación
         que se le ha enviado a su correo
+    update:
+      update_current_user_role:
+      success_notice:
     destroy:
       removed_notice: "%{owner_name} eliminado con éxito de la lista de propietarios"
       failed_notice: No se puede eliminar al único propietario de una gema
@@ -670,7 +731,8 @@ es:
         %{unconfirmed_email}
       enter_password: Por favor introduce tu contraseña
       optional_full_name: Opcional. Será mostrado en tu perfil público
-      optional_twitter_username: Usuario de X opcional. Será mostrado en tu perfil público
+      optional_twitter_username: Usuario de X opcional. Será mostrado en tu perfil
+        público
       twitter_username: Usuario
       title: Editar perfil
       delete:
@@ -708,6 +770,7 @@ es:
   rubygems:
     aside:
       downloads_for_this_version: Para esta versión
+      gem_version_age: Versión publicada
       required_ruby_version: Versión de Ruby requerida
       required_rubygems_version: Versión de Rubygems requerida
       requires_mfa: Nuevas versiones requieren AMF
@@ -756,6 +819,7 @@ es:
       sha_256_checksum: SHA 256 checksum
       signature_period: Periodo de validez de la firma
       expired: Expirado
+      provenance_header:
     version_navigation:
       previous_version: "← Versión anterior"
       next_version: Siguiente versión →
@@ -809,7 +873,7 @@ es:
       updated: Actualizada
       yanked: Borrada
     show:
-      subtitle: para %{query}
+      subtitle_html: para <em>%{query}</em>
       month_update: Actualizadas en el último mes (%{count})
       week_update: Actualizadas en la última semana (%{count})
       filter: 'Filtro:'
@@ -830,7 +894,6 @@ es:
     index:
       title: Estadísticas
       all_time_most_downloaded: Más descargadas
-      total_downloads: Total de descargas
       total_gems: Gemas totales
       total_users: Usuarios totales
   users:
@@ -912,8 +975,6 @@ es:
         estos códigos de recuperación. Puedes utilizar estos códigos para acceder
         si pierdes tu dispositivo de seguridad. Cada código solo se puede usar una
         vez.
-      copied: "[ copiado ]"
-      copy: "[ copiar ]"
       saved: Declaro haber guardado mis códigos de recuperación.
     webauthn_credential:
       confirm_delete: Credencial borrada
diff --git a/config/locales/fr.yml b/config/locales/fr.yml
index a309c89e946..612d974d890 100644
--- a/config/locales/fr.yml
+++ b/config/locales/fr.yml
@@ -4,6 +4,7 @@ fr:
   copied: Copié!
   copy_to_clipboard: Copier
   edit: Modification
+  hide: Cacher
   verification_expired:
   feed_latest: RubyGems.org | Derniers Gems
   feed_subscribed: RubyGems.org | Gems abonnés
@@ -27,12 +28,17 @@ fr:
   locale_name: Français
   none:
   not_found: Introuvable
+  forbidden:
+  api_gem_not_found:
   api_key_forbidden:
+  api_key_soft_deleted:
+  api_key_insufficient_scope:
   please_sign_up: Accès refusé. Inscrivez-vous sur https://rubygems.org
   please_sign_in:
   otp_incorrect:
   otp_missing:
   sign_in: Connexion
+  sign_out: Déconnexion
   sign_up: Inscription
   dependency_list:
   multifactor_authentication: Authentification Multifacteur
@@ -40,8 +46,10 @@ fr:
   this_rubygem_could_not_be_found: Rubygem introuvable.
   time_ago: il y a %{duration}
   title: RubyGems.org
-  update: Mise à jour
+  total_downloads: Total de téléchargements
   try_again: Une erreur est survenue. Veuillez réessayer.
+  update: Mise à jour
+  view_all: Voir tout
   advanced_search: Recherche avancée
   authenticate:
   helpers:
@@ -67,6 +75,14 @@ fr:
         full_name: Nom complet
         handle: Pseudonyme
         password: Mot de passe
+      ownership/role:
+        owner:
+        maintainer:
+      membership/role:
+        owner:
+        admin:
+        maintainer:
+        outside_contributor:
       api_key:
         oidc_api_key_role:
       oidc/id_token:
@@ -87,11 +103,26 @@ fr:
           attributes:
             expires_at:
               inclusion:
+        organization:
+          attributes:
+            handle:
+              invalid:
         ownership:
           attributes:
             user_id:
               already_confirmed:
               already_invited:
+        ownership_request:
+          attributes:
+            user_id:
+              taken:
+              existing:
+        user:
+          attributes:
+            handle:
+              invalid:
+            password:
+              bcrypt_length:
         version:
           attributes:
             gem_full_name:
@@ -162,6 +193,7 @@ fr:
       save_key:
       mfa:
       expiration:
+      update_owner:
     new:
       new_api_key:
     reset:
@@ -183,10 +215,11 @@ fr:
       migrating_link_text: migration
       mine: Mes Gems
       my_subscriptions: Abonnements
-      no_owned_html: Vous n'avez pas encore publié de gem. Vous pouvez vérifier les
-        guides de %{creating_link} ou de %{migrating_link} de gems depuis RubyForge.
+      no_owned_html: Vous n'avez pas encore publié de gem. Vous pouvez vérifier le
+        guide de %{creating_link}.
       no_subscriptions_html: Vous n'avez pas encore d'abonnements. Visitez %{gem_link}
         pour vous y abonner !
+      organizations:
       title: Dashboard
   dependencies:
     show:
@@ -217,6 +250,7 @@ fr:
         blog: Blog
         contribute: Contribuer
         data: Données
+        docs: Documentation
         designed_by: Design par
         discussion_forum: Discussions
         gems_served_by: Gems mis à disposition par
@@ -231,6 +265,9 @@ fr:
         statistics: Stats
         status: Statut
         supported_by: Soutenu par
+        supported_by_html: |
+          <a href="https://rubygems.org" class="font-semibold">RubyGems.org</a>
+          <br class="hidden lg:block"> est soutenu par
         tested_by: Testé par
         tracking_by: Tracking par
         uptime: Uptime
@@ -238,14 +275,18 @@ fr:
         secured_by:
         looking_for_maintainers:
       header:
+        profile: Profil
         dashboard: Dashboard
-        settings:
-        edit_profile:
+        settings: Paramètres
+        edit_profile: Modifier le profil
         search_gem_html: Recherche de Gems&hellip;
-        sign_in: Connexion
-        sign_out: Déconnexion
-        sign_up: Inscription
       mfa_banner_html:
+  breadcrumbs:
+    home: Accueil
+    dashboard: Dashboard
+    settings: Paramètres
+    org_name: 'Org: %{name}'
+    subscriptions: Abonnements
   mailer:
     confirm_your_email: Veuillez confirmer votre adresse email avec le lien qui vous
       a été envoyé par email.
@@ -330,6 +371,12 @@ fr:
       title:
       subtitle:
       body_html:
+    owner_updated:
+      subject:
+      title:
+      subtitle:
+      body_html:
+      body_text:
     ownerhip_request_closed:
       title:
       subtitle:
@@ -366,6 +413,8 @@ fr:
       gem_html:
     gem_trusted_publisher_added:
       title:
+    admin_manual:
+      title:
   news:
     show:
       title: Nouvelles Versions - Toutes les Gems
@@ -409,10 +458,6 @@ fr:
       title:
     download:
       title:
-    faq:
-      title:
-    migrate:
-      title:
     security:
       title:
     sponsors:
@@ -447,12 +492,17 @@ fr:
     strong_mfa_level_required_html:
     strong_mfa_level_recommended:
     setup_webauthn_html:
+    api:
+      mfa_required:
+      mfa_required_not_yet_enabled:
+      mfa_required_weak_level_enabled:
+      mfa_recommended_not_yet_enabled:
+      mfa_recommended_weak_level_enabled:
     recovery:
-      copied:
       continue: Continuer
       title: Codes de récupération
-      copy:
       saved:
+      confirm_dialog:
       note_html:
       already_generated:
     update:
@@ -517,7 +567,13 @@ fr:
     failed_verification:
       title:
       close_browser:
+  organization_onboardings:
+    confirm:
+      success:
   owners:
+    edit:
+      role:
+      title:
     confirm:
       confirmed_email:
       token_expired:
@@ -529,6 +585,8 @@ fr:
       confirmed_at:
       added_by:
       action:
+      role:
+      role_field:
       email_field:
       submit_button:
       info:
@@ -539,6 +597,9 @@ fr:
       resent_notice:
     create:
       success_notice:
+    update:
+      update_current_user_role:
+      success_notice:
     destroy:
       removed_notice:
       failed_notice:
@@ -635,6 +696,7 @@ fr:
   rubygems:
     aside:
       downloads_for_this_version: Pour cette version
+      gem_version_age: Version publiée
       required_ruby_version: Version de Ruby requise
       required_rubygems_version:
       requires_mfa:
@@ -680,6 +742,7 @@ fr:
       sha_256_checksum: Total de contrôle SHA 256
       signature_period:
       expired:
+      provenance_header:
     version_navigation:
       previous_version: "← Version précédente"
       next_version: Version suivante →
@@ -734,7 +797,7 @@ fr:
       updated: Mis à jour
       yanked:
     show:
-      subtitle: pour %{query}
+      subtitle_html: pour <em>%{query}</em>
       month_update:
       week_update:
       filter:
@@ -754,7 +817,6 @@ fr:
     index:
       title:
       all_time_most_downloaded: Gems les plus téléchargés
-      total_downloads: Total de téléchargements
       total_gems: Total de gems
       total_users: Total d'utilisateurs
   users:
@@ -820,8 +882,6 @@ fr:
       continue:
       title:
       notice_html:
-      copied:
-      copy:
       saved:
     webauthn_credential:
       confirm_delete:
diff --git a/config/locales/ja.yml b/config/locales/ja.yml
index 63d23c96f36..017c949cf28 100644
--- a/config/locales/ja.yml
+++ b/config/locales/ja.yml
@@ -4,6 +4,7 @@ ja:
   copied: コピー完了!
   copy_to_clipboard: クリップボードにコピー
   edit: 編集
+  hide: 非表示
   verification_expired: 検証が期限切れです。もう一度検証してください。
   feed_latest: RubyGems.org | 最新のgemの一覧
   feed_subscribed: RubyGems.org | 購読したgemの一覧
@@ -20,12 +21,17 @@ ja:
   locale_name: 日本語
   none: なし
   not_found: 見つかりませんでした
+  forbidden:
+  api_gem_not_found:
   api_key_forbidden: APIキーにアクセス権がありません
+  api_key_soft_deleted:
+  api_key_insufficient_scope:
   please_sign_up: アクセスが拒否されました。https://rubygems.org でアカウント登録を行ってください。
   please_sign_in: サインインしてお進みください。
   otp_incorrect: OTPのコードが正しくありません。ご確認の上再試行してください。
   otp_missing: 多要素認証が有効化済みですがOTPのコードが与えられませんでした。入力の上再試行してください。
   sign_in: サインイン
+  sign_out: サインアウト
   sign_up: 新規登録
   dependency_list: 全ての推移的な依存関係を表示
   multifactor_authentication: 多要素認証
@@ -33,8 +39,10 @@ ja:
   this_rubygem_could_not_be_found: お探しのrubygemは見つかりませんでした。
   time_ago: "%{duration}前"
   title: RubyGems.org
-  update: 更新
+  total_downloads: 累計ダウンロード数
   try_again: エラーが発生しました。再試行してください。
+  update: 更新
+  view_all: 全て表示
   advanced_search: 高度な検索
   authenticate: 認証
   helpers:
@@ -60,6 +68,14 @@ ja:
         full_name: フルネーム
         handle: ユーザー名
         password: パスワード
+      ownership/role:
+        owner:
+        maintainer:
+      membership/role:
+        owner:
+        admin:
+        maintainer:
+        outside_contributor:
       api_key:
         oidc_api_key_role: OIDC APIキーのロール
       oidc/id_token:
@@ -80,11 +96,26 @@ ja:
           attributes:
             expires_at:
               inclusion: 未来でなければなりません
+        organization:
+          attributes:
+            handle:
+              invalid:
         ownership:
           attributes:
             user_id:
               already_confirmed: は既にこのgemの所有者です
               already_invited: は既にこのgemに招待されています
+        ownership_request:
+          attributes:
+            user_id:
+              taken:
+              existing:
+        user:
+          attributes:
+            handle:
+              invalid:
+            password:
+              bcrypt_length:
         version:
           attributes:
             gem_full_name:
@@ -155,6 +186,7 @@ ja:
       save_key: キーを二度と表示できなくなるためご注意ください。新しいAPIキー：
       mfa: MFA
       expiration: 期限
+      update_owner:
     new:
       new_api_key: 新しいAPIキー
     reset:
@@ -176,8 +208,9 @@ ja:
       migrating_link_text: 移行
       mine: 自分のgem
       my_subscriptions: 購読
-      no_owned_html: まだgemを公開していません。よろしければgemの%{creating_link}またはRubyForgeからの%{migrating_link}ガイドをご覧ください。
+      no_owned_html: まだgemを公開していません。よろしければgemの%{creating_link}ガイドをご覧ください。
       no_subscriptions_html: まだgemを購読していません。%{gem_link}から何か購読してみてください。
+      organizations:
       title: ダッシュボード
   dependencies:
     show:
@@ -206,6 +239,7 @@ ja:
         blog: ブログ
         contribute: 貢献
         data: データ
+        docs: ドキュメント
         designed_by: 設計
         discussion_forum: 議論
         gems_served_by: gemの提供
@@ -220,6 +254,9 @@ ja:
         statistics: 統計
         status: 状態
         supported_by: 協賛
+        supported_by_html: |
+          <a href="https://rubygems.org" class="font-semibold">RubyGems.org</a>
+          は以下から支援を受けています
         tested_by: テスト
         tracking_by: 追跡
         uptime: 稼働時間
@@ -227,15 +264,19 @@ ja:
         secured_by: セキュリティ
         looking_for_maintainers: メンテナの募集
       header:
+        profile: プロフィール
         dashboard: ダッシュボード
         settings: 設定
         edit_profile: プロフィールを編集
         search_gem_html: gemを検索...
-        sign_in: サインイン
-        sign_out: サインアウト
-        sign_up: 新規登録
       mfa_banner_html: "\U0001F389 セキュリティ機器に対応しました！新しい機器を<a href=\"/settings/edit#security-device\">設定</a>してアカウントのセキュリティを向上しましょう。[詳細はこちら](link
         to blog post)！"
+  breadcrumbs:
+    home: ホーム
+    dashboard: ダッシュボード
+    settings: 設定
+    org_name: 組織：%{name}
+    subscriptions: 購読
   mailer:
     confirm_your_email: Eメールに送信されたリンクからEメールアドレスを確認してください。
     confirmation_subject: "%{host}に登録されたメールアドレスを確認してください"
@@ -318,6 +359,12 @@ ja:
       subtitle: こんにちは、%{user_handle}！
       body_html: <b>あなた</b>は<b>%{remover}</b>によって%{host}上の<strong><a href="https://rubygems.org/gems/%{gem}">%{gem}</a></strong>
         gemの所有者から削除されました。
+    owner_updated:
+      subject:
+      title:
+      subtitle:
+      body_html:
+      body_text:
     ownerhip_request_closed:
       title: 所有権の申請
       subtitle: こんにちは、%{handle}！
@@ -360,6 +407,8 @@ ja:
       gem_html: このwebhookは以前<strong><a href="https://rubygems.org/gems/%{gem}">%{gem}</a></strong>がプッシュされたときに呼ばれました。
     gem_trusted_publisher_added:
       title: 信頼できる発行元が追加されました
+    admin_manual:
+      title:
   news:
     show:
       title: 新しいリリース - 全てのgem
@@ -389,10 +438,6 @@ ja:
       title: RubyGems.orgのデータのダンプ
     download:
       title: RubyGemsをダウンロード
-    faq:
-      title: FAQ
-    migrate:
-      title: gemを移行する
     security:
       title: セキュリティ
     sponsors:
@@ -428,12 +473,17 @@ ja:
     strong_mfa_level_recommended: アカウントとgemの保護のため、MFAの水準を「UIとgemのサインイン」または「UIとAPI」に変更することをお勧めします。将来のアカウントはこれらの水準のどちらか1つにMFAが有効になっていることが必須になります。
     setup_webauthn_html: "\U0001F389 セキュリティ機器に対応しました！新しい機器を<a href=\"/settings/edit#security-device\">設定</a>してアカウントのセキュリティを向上しましょう。<a
       href=\"https://blog.rubygems.org/2023/08/03/level-up-using-security-devices.html\">詳細はこちら</a>！"
+    api:
+      mfa_required:
+      mfa_required_not_yet_enabled:
+      mfa_required_weak_level_enabled:
+      mfa_recommended_not_yet_enabled:
+      mfa_recommended_weak_level_enabled:
     recovery:
-      copied: "[ コピーしました ]"
       continue: 続ける
       title: 復旧コード
-      copy: "[ コピーする ]"
       saved: 復旧コードを保存したことを確認しました。
+      confirm_dialog:
       note_html: これらの復旧コードを<strong class='recovery__bold'>コピー及び保存</strong>してください。認証機器を紛失した場合にこれらのコードを使ってログインしMFAをリセットできます。各コードは1回使えます。
       already_generated: 既に復旧コードを保存したはずです。
     update:
@@ -497,7 +547,13 @@ ja:
     failed_verification:
       title: エラー - 検証が失敗しました
       close_browser: このブラウザを閉じて再試行してください。
+  organization_onboardings:
+    confirm:
+      success:
   owners:
+    edit:
+      role:
+      title:
     confirm:
       confirmed_email: "%{gem} gemの所有者として追加されました"
       token_expired: 確認トークンが期限切れです。gemのページからトークンを再送してみてください。
@@ -509,6 +565,8 @@ ja:
       confirmed_at: 確定日時
       added_by: 追加者
       action: 操作
+      role:
+      role_field:
       email_field: Eメール / ハンドル名
       submit_button: 所有者を追加
       info: 所有者を追加または削除する
@@ -519,6 +577,9 @@ ja:
       resent_notice: 確定メールがEメールに再送されました。
     create:
       success_notice: "%{handle}が未確定の所有者として追加されました。当該ユーザーがEメールに送られた確定メールでクリックした後に所有権アクセスが有効になります。"
+    update:
+      update_current_user_role:
+      success_notice:
     destroy:
       removed_notice: "%{owner_name}は所有者から正常に削除されました"
       failed_notice: gemの唯一の所有者は削除できません。
@@ -604,6 +665,7 @@ ja:
   rubygems:
     aside:
       downloads_for_this_version: このバージョンのみ
+      gem_version_age: このバージョンがリリースされたのは
       required_ruby_version: 必要なRubyのバージョン
       required_rubygems_version: 必要なRubyGemsのバージョン
       requires_mfa: 新しいバージョンはMFAを必要とします
@@ -650,6 +712,7 @@ ja:
       sha_256_checksum: SHA 256チェックサム
       signature_period: シグネチャの有効期限
       expired: 期限切れ
+      provenance_header:
     version_navigation:
       previous_version: "←前のバージョン"
       next_version: 次のバージョン→
@@ -695,7 +758,7 @@ ja:
       updated: 更新日
       yanked: ヤンク済み
     show:
-      subtitle: "%{query}の検索結果"
+      subtitle_html: "<em>%{query}</em>の検索結果"
       month_update: 先月更新（%{count}件）
       week_update: 先週更新（%{count}件）
       filter: 絞り込み：
@@ -715,7 +778,6 @@ ja:
     index:
       title: 統計
       all_time_most_downloaded: 累計最多ダウンロード数
-      total_downloads: 累計ダウンロード数
       total_gems: gem総数
       total_users: ユーザー総数
   users:
@@ -782,8 +844,6 @@ ja:
       continue: 続ける
       title: セキュリティ機器を正常に追加しました。
       notice_html: これらの復旧コードを<strong class="recovery__bold">コピー&amp;ペースト</strong>してください。セキュリティ機器を紛失した場合にこれらのコードを使ってログインできます。各コードは1度使えます。
-      copied: "[ コピーしました ]"
-      copy: "[ コピーする ]"
       saved: 復旧コードを保存したことを確認しました。
     webauthn_credential:
       confirm_delete: 認証情報が削除されました
diff --git a/config/locales/nl.yml b/config/locales/nl.yml
index 269bb17ba8a..e290c8869b8 100644
--- a/config/locales/nl.yml
+++ b/config/locales/nl.yml
@@ -1,9 +1,10 @@
 ---
 nl:
   credentials_required:
-  copied:
-  copy_to_clipboard:
+  copied: Gekopieerd
+  copy_to_clipboard: Kopieer naar klembord
   edit: Wijzig
+  hide: Verberg
   verification_expired:
   feed_latest: RubyGems.org | Nieuwste Gems
   feed_subscribed: RubyGems.org | Geabonneerde Gems
@@ -19,12 +20,17 @@ nl:
   locale_name: Nederlands
   none: Geen
   not_found: Niet gevonden
+  forbidden:
+  api_gem_not_found:
   api_key_forbidden:
+  api_key_soft_deleted:
+  api_key_insufficient_scope:
   please_sign_up: Toegang geweigerd. Schrijf je in voor een account op https://rubygems.org
   please_sign_in:
   otp_incorrect:
   otp_missing:
   sign_in: Inloggen
+  sign_out: Uitloggen
   sign_up: Registreren
   dependency_list:
   multifactor_authentication: Multifactor authenticatie
@@ -32,8 +38,10 @@ nl:
   this_rubygem_could_not_be_found: De gem kon niet gevonden worden.
   time_ago: "%{duration} geleden"
   title: RubyGems.org
-  update: Wijzig
+  total_downloads:
   try_again: Er is iets fout gegaan, probeer het opnieuw.
+  update: Wijzig
+  view_all: Bekijk alles
   advanced_search: Uitgebreid zoeken
   authenticate:
   helpers:
@@ -59,6 +67,14 @@ nl:
         full_name: Voor-en achternaam
         handle: Gebruikersnaam
         password: Wachtwoord
+      ownership/role:
+        owner:
+        maintainer:
+      membership/role:
+        owner:
+        admin:
+        maintainer:
+        outside_contributor:
       api_key:
         oidc_api_key_role:
       oidc/id_token:
@@ -79,11 +95,26 @@ nl:
           attributes:
             expires_at:
               inclusion:
+        organization:
+          attributes:
+            handle:
+              invalid:
         ownership:
           attributes:
             user_id:
               already_confirmed:
               already_invited:
+        ownership_request:
+          attributes:
+            user_id:
+              taken:
+              existing:
+        user:
+          attributes:
+            handle:
+              invalid:
+            password:
+              bcrypt_length:
         version:
           attributes:
             gem_full_name:
@@ -154,6 +185,7 @@ nl:
       save_key:
       mfa:
       expiration:
+      update_owner:
     new:
       new_api_key:
     reset:
@@ -176,10 +208,10 @@ nl:
       mine: Mijn Gems
       my_subscriptions: Mijn abonnementen
       no_owned_html: Je hebt nog geen gems gepubliceerd. Bekijk de instructies voor
-        het %{creating_link} van een gem of het  %{migrating_link} van een gem vanaf
-        RubyForge.
+        het %{creating_link} van een gem.
       no_subscriptions_html: Je bent nog niet geabonneerd op een of meerdere gems.
         Bezoek een %{gem_link} en abonneer je erop.
+      organizations:
       title: Dashboard
   dependencies:
     show:
@@ -209,6 +241,7 @@ nl:
         blog: Blog
         contribute: Bijdragen
         data: Data
+        docs: Documentatie
         designed_by: Ontwerp
         discussion_forum: Forum
         gems_served_by:
@@ -223,6 +256,9 @@ nl:
         statistics: Statistieken
         status: Status
         supported_by: Ondersteuning
+        supported_by_html: |
+          <a href="https://rubygems.org" class="font-semibold">RubyGems.org</a>
+          <br class="hidden lg:block"> wordt ondersteund door
         tested_by: Getest door
         tracking_by: Tracking
         uptime: Uptime
@@ -230,14 +266,18 @@ nl:
         secured_by:
         looking_for_maintainers:
       header:
+        profile: Profiel
         dashboard: Dashboard
-        settings:
-        edit_profile:
+        settings: Instellingen
+        edit_profile: Wijzig profiel
         search_gem_html: Gems Zoeken&hellip;
-        sign_in: Inloggen
-        sign_out: Uitloggen
-        sign_up: Registreren
       mfa_banner_html:
+  breadcrumbs:
+    home: Startpagina
+    dashboard: Dashboard
+    settings: Instellingen
+    org_name: 'Organisatie: %{name}'
+    subscriptions: Abonnementen
   mailer:
     confirm_your_email:
     confirmation_subject:
@@ -315,6 +355,12 @@ nl:
       title:
       subtitle:
       body_html:
+    owner_updated:
+      subject:
+      title:
+      subtitle:
+      body_html:
+      body_text:
     ownerhip_request_closed:
       title:
       subtitle:
@@ -351,6 +397,8 @@ nl:
       gem_html:
     gem_trusted_publisher_added:
       title:
+    admin_manual:
+      title:
   news:
     show:
       title:
@@ -395,10 +443,6 @@ nl:
       title:
     download:
       title:
-    faq:
-      title:
-    migrate:
-      title:
     security:
       title:
     sponsors:
@@ -432,12 +476,17 @@ nl:
     strong_mfa_level_required_html:
     strong_mfa_level_recommended:
     setup_webauthn_html:
+    api:
+      mfa_required:
+      mfa_required_not_yet_enabled:
+      mfa_required_weak_level_enabled:
+      mfa_recommended_not_yet_enabled:
+      mfa_recommended_weak_level_enabled:
     recovery:
-      copied:
       continue:
       title:
-      copy:
       saved:
+      confirm_dialog:
       note_html:
       already_generated:
     update:
@@ -498,7 +547,13 @@ nl:
     failed_verification:
       title:
       close_browser:
+  organization_onboardings:
+    confirm:
+      success:
   owners:
+    edit:
+      role:
+      title:
     confirm:
       confirmed_email:
       token_expired:
@@ -510,6 +565,8 @@ nl:
       confirmed_at:
       added_by:
       action:
+      role:
+      role_field:
       email_field:
       submit_button:
       info:
@@ -520,6 +577,9 @@ nl:
       resent_notice:
     create:
       success_notice:
+    update:
+      update_current_user_role:
+      success_notice:
     destroy:
       removed_notice:
       failed_notice:
@@ -603,6 +663,7 @@ nl:
   rubygems:
     aside:
       downloads_for_this_version: Voor deze versie
+      gem_version_age: Versie vrijgegeven
       required_ruby_version: Required Ruby Version
       required_rubygems_version: Required Rubygems Version
       requires_mfa:
@@ -648,6 +709,7 @@ nl:
       sha_256_checksum: SHA 256 checksum
       signature_period:
       expired:
+      provenance_header:
     version_navigation:
       previous_version:
       next_version:
@@ -689,7 +751,7 @@ nl:
       updated:
       yanked:
     show:
-      subtitle: voor %{query}
+      subtitle_html: voor <em>%{query}</em>
       month_update:
       week_update:
       filter:
@@ -709,7 +771,6 @@ nl:
     index:
       title:
       all_time_most_downloaded:
-      total_downloads:
       total_gems:
       total_users:
   users:
@@ -775,8 +836,6 @@ nl:
       continue:
       title:
       notice_html:
-      copied:
-      copy:
       saved:
     webauthn_credential:
       confirm_delete:
diff --git a/config/locales/pt-BR.yml b/config/locales/pt-BR.yml
index 57d2269b7f7..ce8a03c68ae 100644
--- a/config/locales/pt-BR.yml
+++ b/config/locales/pt-BR.yml
@@ -1,9 +1,10 @@
 ---
 pt-BR:
   credentials_required:
-  copied:
-  copy_to_clipboard:
+  copied: Copiado
+  copy_to_clipboard: Copiar
   edit: Editar
+  hide: Esconder
   verification_expired:
   feed_latest: RubyGems.org | Últimas Gems
   feed_subscribed: RubyGems.org | Gems do seu Feed
@@ -25,13 +26,18 @@ pt-BR:
   locale_name: Português do Brasil
   none: Nenhum
   not_found: Não encontrado
+  forbidden:
+  api_gem_not_found:
   api_key_forbidden:
+  api_key_soft_deleted:
+  api_key_insufficient_scope:
   please_sign_up: Acesso Negado. Por favor se registre em https://rubygems.org
   please_sign_in: Por favor, faça login em sua conta para continuar.
   otp_incorrect: Seu código OTP está incorreto. Por favor, verifique-o e tente novamente.
   otp_missing: Você habilitou a autenticação multifator mas nenhum código OTP foi
     fornecido. Por favor, preencha-o e tente novamente.
   sign_in: Fazer Login
+  sign_out: Sair
   sign_up: Cadastrar
   dependency_list: Mostrar todas as dependências
   multifactor_authentication: Autenticação Multifator
@@ -39,8 +45,10 @@ pt-BR:
   this_rubygem_could_not_be_found: Não foi possível localizar esta rubygem
   time_ago: "%{duration} atrás"
   title: RubyGems.org
-  update: Atualizar
+  total_downloads: Total de downloads
   try_again: Algo deu errado. Por favor, tente novamente.
+  update: Atualizar
+  view_all: Ver tudo
   advanced_search: Busca avançada
   authenticate:
   helpers:
@@ -66,6 +74,14 @@ pt-BR:
         full_name: Nome completo
         handle: Usuário
         password: Senha
+      ownership/role:
+        owner:
+        maintainer:
+      membership/role:
+        owner:
+        admin:
+        maintainer:
+        outside_contributor:
       api_key:
         oidc_api_key_role:
       oidc/id_token:
@@ -86,11 +102,26 @@ pt-BR:
           attributes:
             expires_at:
               inclusion:
+        organization:
+          attributes:
+            handle:
+              invalid:
         ownership:
           attributes:
             user_id:
               already_confirmed:
               already_invited:
+        ownership_request:
+          attributes:
+            user_id:
+              taken:
+              existing:
+        user:
+          attributes:
+            handle:
+              invalid:
+            password:
+              bcrypt_length:
         version:
           attributes:
             gem_full_name:
@@ -161,6 +192,7 @@ pt-BR:
       save_key:
       mfa:
       expiration:
+      update_owner:
     new:
       new_api_key:
     reset:
@@ -183,9 +215,10 @@ pt-BR:
       mine: Minhas Gems
       my_subscriptions: Observando
       no_owned_html: Você ainda não enviou nenhuma gem. Verifique os guias sobre %{creating_link}
-        uma gem ou %{migrating_link} uma gem do RubyForge.
+        uma gem.
       no_subscriptions_html: Você ainda não está observando nenhuma gem. Visite uma
         %{gem_link} para poder observá-la!
+      organizations:
       title: Painel de Controle
   dependencies:
     show:
@@ -209,11 +242,12 @@ pt-BR:
   layouts:
     application:
       footer:
-        about: Sobre o Rubygems
+        about: Sobre
         api: API
         blog: Blog
         contribute: Como Contribuir
         data: Dump de Dados
+        docs: Documentação
         designed_by: Design
         discussion_forum: Fóruns
         gems_served_by: Provisionamento
@@ -228,6 +262,9 @@ pt-BR:
         statistics: Estatísticas
         status: Status
         supported_by: Patrocínio
+        supported_by_html: |
+          <a href="https://rubygems.org" class="font-semibold">RubyGems.org</a>
+          <br class="hidden lg:block"> é apoiado por
         tested_by: Testado por
         tracking_by: Coleta de Dados
         uptime: Uptime
@@ -235,14 +272,18 @@ pt-BR:
         secured_by:
         looking_for_maintainers:
       header:
+        profile: Perfil
         dashboard: Painel de Controle
         settings: Configurações da Conta
         edit_profile: Editar Perfil
         search_gem_html: Buscar Gems&hellip;
-        sign_in: Fazer Login
-        sign_out: Sair
-        sign_up: Cadastrar
       mfa_banner_html:
+  breadcrumbs:
+    home: Início
+    dashboard: Painel de Controle
+    settings: Configurações da Conta
+    org_name: 'Org: %{name}'
+    subscriptions: Observando
   mailer:
     confirm_your_email: Por favor, confirme seu endereço de email através do link
       que enviamos para o seu endereço de email.
@@ -327,6 +368,12 @@ pt-BR:
       title:
       subtitle:
       body_html:
+    owner_updated:
+      subject:
+      title:
+      subtitle:
+      body_html:
+      body_text:
     ownerhip_request_closed:
       title:
       subtitle:
@@ -363,6 +410,8 @@ pt-BR:
       gem_html:
     gem_trusted_publisher_added:
       title:
+    admin_manual:
+      title:
   news:
     show:
       title: Novos Releases - Todas as Gems
@@ -406,10 +455,6 @@ pt-BR:
       title:
     download:
       title:
-    faq:
-      title:
-    migrate:
-      title:
     security:
       title:
     sponsors:
@@ -443,12 +488,17 @@ pt-BR:
     strong_mfa_level_required_html:
     strong_mfa_level_recommended:
     setup_webauthn_html:
+    api:
+      mfa_required:
+      mfa_required_not_yet_enabled:
+      mfa_required_weak_level_enabled:
+      mfa_recommended_not_yet_enabled:
+      mfa_recommended_weak_level_enabled:
     recovery:
-      copied:
       continue:
       title:
-      copy:
       saved:
+      confirm_dialog:
       note_html:
       already_generated:
     update:
@@ -509,7 +559,13 @@ pt-BR:
     failed_verification:
       title:
       close_browser:
+  organization_onboardings:
+    confirm:
+      success:
   owners:
+    edit:
+      role:
+      title:
     confirm:
       confirmed_email:
       token_expired:
@@ -521,6 +577,8 @@ pt-BR:
       confirmed_at:
       added_by:
       action:
+      role:
+      role_field:
       email_field:
       submit_button:
       info:
@@ -531,6 +589,9 @@ pt-BR:
       resent_notice:
     create:
       success_notice:
+    update:
+      update_current_user_role:
+      success_notice:
     destroy:
       removed_notice:
       failed_notice:
@@ -614,6 +675,7 @@ pt-BR:
   rubygems:
     aside:
       downloads_for_this_version: Desta versão
+      gem_version_age: Versão lançada
       required_ruby_version: Versão Requerida do Ruby
       required_rubygems_version: Versão Requerida do RubyGems
       requires_mfa:
@@ -661,6 +723,7 @@ pt-BR:
       sha_256_checksum: SHA 256 checksum
       signature_period:
       expired:
+      provenance_header:
     version_navigation:
       previous_version:
       next_version:
@@ -712,7 +775,7 @@ pt-BR:
       updated:
       yanked:
     show:
-      subtitle: para %{query}
+      subtitle_html: para <em>%{query}</em>
       month_update:
       week_update:
       filter:
@@ -732,7 +795,6 @@ pt-BR:
     index:
       title: Estatísticas
       all_time_most_downloaded: Mais baixadas de todos os tempos
-      total_downloads: Total de downloads
       total_gems: Total de gems
       total_users: Total de usuários
   users:
@@ -798,8 +860,6 @@ pt-BR:
       continue:
       title:
       notice_html:
-      copied:
-      copy:
       saved:
     webauthn_credential:
       confirm_delete:
diff --git a/config/locales/zh-CN.yml b/config/locales/zh-CN.yml
index e52330c68de..0e707dafd0c 100644
--- a/config/locales/zh-CN.yml
+++ b/config/locales/zh-CN.yml
@@ -4,6 +4,7 @@ zh-CN:
   copied: 已复制！
   copy_to_clipboard: 复制到剪贴板
   edit: 编辑
+  hide: 隐藏
   verification_expired:
   feed_latest: RubyGems.org | 最新的 Gem
   feed_subscribed: RubyGems.org | 订阅的 Gem
@@ -21,12 +22,17 @@ zh-CN:
   locale_name: 简体中文
   none: 无
   not_found: 未找到
+  forbidden:
+  api_gem_not_found:
   api_key_forbidden: API 密钥没有访问权限
+  api_key_soft_deleted:
+  api_key_insufficient_scope:
   please_sign_up: 拒绝访问。请在 https://rubygems.org 上注册一个账号。
   please_sign_in: 请先登录以继续
   otp_incorrect: 您的 OTP 码不正确。请检查后重试。
   otp_missing: 您已启用多因素验证，但是没有提供 OTP 码。请输入后重试。
   sign_in: 登录
+  sign_out: 退出
   sign_up: 注册
   dependency_list: 显示所有传递性依赖
   multifactor_authentication: 多因素验证
@@ -34,8 +40,10 @@ zh-CN:
   this_rubygem_could_not_be_found: 未找到这个 Gem
   time_ago: "%{duration} 前"
   title: RubyGems.org
-  update: 更新
+  total_downloads: 下载总量
   try_again: 出了点儿问题。请重试。
+  update: 更新
+  view_all: 查看全部
   advanced_search: 高级搜索
   authenticate: 身份认证
   helpers:
@@ -61,6 +69,14 @@ zh-CN:
         full_name: 全名
         handle: 用户名
         password: 密码
+      ownership/role:
+        owner:
+        maintainer:
+      membership/role:
+        owner:
+        admin:
+        maintainer:
+        outside_contributor:
       api_key:
         oidc_api_key_role:
       oidc/id_token:
@@ -81,11 +97,26 @@ zh-CN:
           attributes:
             expires_at:
               inclusion:
+        organization:
+          attributes:
+            handle:
+              invalid:
         ownership:
           attributes:
             user_id:
               already_confirmed:
               already_invited:
+        ownership_request:
+          attributes:
+            user_id:
+              taken:
+              existing:
+        user:
+          attributes:
+            handle:
+              invalid:
+            password:
+              bcrypt_length:
         version:
           attributes:
             gem_full_name:
@@ -156,6 +187,7 @@ zh-CN:
       save_key: 请注意在此之后我们不会再次向您显示该密钥。新的 API 密钥为：
       mfa: 多因素验证
       expiration:
+      update_owner:
     new:
       new_api_key: 生成新 API 密钥
     reset:
@@ -177,9 +209,9 @@ zh-CN:
       migrating_link_text: 迁移
       mine: 我的 Gem
       my_subscriptions: 订阅
-      no_owned_html: 您还没有发布过任何 Gem。可以看看 %{creating_link} 指南，或从 RubyForge %{migrating_link}
-        一个 Gem。
+      no_owned_html: 您还没有发布过任何 Gem。可以看看 %{creating_link} 指南。
       no_subscriptions_html: 您没有订阅任何 Gem，访问 %{gem_link} 订阅一个！
+      organizations:
       title: 仪表盘
   dependencies:
     show:
@@ -208,6 +240,7 @@ zh-CN:
         blog: 博客
         contribute: 贡献
         data: 数据
+        docs: 文档
         designed_by: 设计
         discussion_forum: 讨论
         gems_served_by: 服务
@@ -222,6 +255,9 @@ zh-CN:
         statistics: 统计
         status: 状态
         supported_by: 支持
+        supported_by_html: |
+          <a href="https://rubygems.org" class="font-semibold">RubyGems.org</a>
+          <br class="hidden lg:block"> 由以下支持
         tested_by: 测试
         tracking_by: 追踪
         uptime: 服务运行时间
@@ -229,14 +265,18 @@ zh-CN:
         secured_by: 安全保护
         looking_for_maintainers: 招募维护者
       header:
+        profile: 个人信息
         dashboard: 仪表盘
         settings: 设置
         edit_profile: 编辑个人信息
         search_gem_html: 搜索 Gem &hellip;&hellip;
-        sign_in: 登录
-        sign_out: 退出
-        sign_up: 注册
       mfa_banner_html:
+  breadcrumbs:
+    home: 首页
+    dashboard: 仪表盘
+    settings: 设置
+    org_name: 组织：%{name}
+    subscriptions: 订阅
   mailer:
     confirm_your_email: 请在发送到您的邮件中点击链接，确认您的邮箱地址。
     confirmation_subject: 请确认您的邮箱地址
@@ -320,6 +360,12 @@ zh-CN:
       subtitle: 你好啊，%{user_handle}！
       body_html: <b>您</b>在 RubyGems.org 上对 Gem <strong><a href="https://rubygems.org/gems/%{gem}">%{gem}</a></strong>
         的业主身份已被 <b>%{remover}</b> 移除
+    owner_updated:
+      subject:
+      title:
+      subtitle:
+      body_html:
+      body_text:
     ownerhip_request_closed:
       title: 所有权申请
       subtitle: 你好啊，%{hand}！
@@ -365,6 +411,8 @@ zh-CN:
         被推送时被调用。
     gem_trusted_publisher_added:
       title:
+    admin_manual:
+      title:
   news:
     show:
       title: 新的发布 — 所有 Gem
@@ -397,10 +445,6 @@ zh-CN:
       title: RubyGems.org 数据转储
     download:
       title: 下载 RubyGems
-    faq:
-      title: 常问问题
-    migrate:
-      title: 迁移 Gem
     security:
       title: 安全
     sponsors:
@@ -436,12 +480,17 @@ zh-CN:
     strong_mfa_level_recommended: 为了保护您的帐户和您的 Gem，我们建议您将您的多因素验证级别更改为 "UI and gem signin"
       或 "UI and API"。在将来，您的帐户将被要求在其中某一个级别上启用多因素验证。
     setup_webauthn_html:
+    api:
+      mfa_required:
+      mfa_required_not_yet_enabled:
+      mfa_required_weak_level_enabled:
+      mfa_recommended_not_yet_enabled:
+      mfa_recommended_weak_level_enabled:
     recovery:
-      copied: "[ 已复制 ]"
       continue: 继续
       title: 恢复码
-      copy: "[ 复制 ]"
       saved: 我声明我已经保存了我的恢复码。
+      confirm_dialog:
       note_html: 请 <strong class='recovery__bold'>复制并保存</strong> 这些恢复码。如果您丢失了身份验证设备，您可以使用这些恢复码登录并重置您的多因素验证配置。每个恢复码只能使用一次。
       already_generated: 您应该已经保存了您的恢复码。
     update:
@@ -503,7 +552,13 @@ zh-CN:
     failed_verification:
       title: 错误 — 验证失败
       close_browser: 请关闭该浏览器并重试。
+  organization_onboardings:
+    confirm:
+      success:
   owners:
+    edit:
+      role:
+      title:
     confirm:
       confirmed_email: 您已被添加为 Gem %{gem} 的业主之一
       token_expired: 确认令牌已过期。请尝试从该 Gem 页面重新发送令牌。
@@ -515,6 +570,8 @@ zh-CN:
       confirmed_at: 批准于
       added_by: 添加
       action: 行为
+      role:
+      role_field:
       email_field: Email / Handle
       submit_button: 添加业主
       info: 添加或移除业主
@@ -525,6 +582,9 @@ zh-CN:
       resent_notice: 一封确认邮件已被重新发送到您的邮箱中
     create:
       success_notice: "%{handle} 已添加为还未经批准的业主。在用户点击发送到其邮箱的批准邮件后，所有权访问才将被启用。"
+    update:
+      update_current_user_role:
+      success_notice:
     destroy:
       removed_notice: "%{owner_name} 已成功从业主中移除"
       failed_notice: 不能删除该 Gem 的唯一业主
@@ -611,6 +671,7 @@ zh-CN:
   rubygems:
     aside:
       downloads_for_this_version: 这个版本
+      gem_version_age: 版本发布
       required_ruby_version: 需要的 Ruby 版本
       required_rubygems_version: 需要的 RubyGems 版本
       requires_mfa: 新的版本需要开启多因素验证
@@ -656,6 +717,7 @@ zh-CN:
       sha_256_checksum: SHA 256 校验和
       signature_period: 签名有效期
       expired: 过期
+      provenance_header:
     version_navigation:
       previous_version: "← 以前的版本"
       next_version: 接下来的版本 →
@@ -701,7 +763,7 @@ zh-CN:
       updated: 更新
       yanked: 撤回
     show:
-      subtitle: "%{query}"
+      subtitle_html: "<em>%{query}</em>"
       month_update: 上个月更新 (%{count})
       week_update: 上周更新 (%{count})
       filter: 过滤：
@@ -721,7 +783,6 @@ zh-CN:
     index:
       title: 统计数据
       all_time_most_downloaded: 至今最多下载
-      total_downloads: 下载总量
       total_gems: Gem 总数
       total_users: 用户总数
   users:
@@ -789,8 +850,6 @@ zh-CN:
       continue: 继续
       title: 您已成功添加一个安全设备
       notice_html: 请 <strong class="recovery__bold">复制并粘贴</strong>这些恢复码。如果您丢失了安全设备，您可以使用这些恢复码登录。每个恢复码码只能使用一次。
-      copied: "[ 已复制 ]"
-      copy: "[ 复制 ]"
       saved: 我确认我已经保存了我的恢复码。
     webauthn_credential:
       confirm_delete: 凭证已删除
diff --git a/config/locales/zh-TW.yml b/config/locales/zh-TW.yml
index 0ce6860de28..c0962e266f1 100644
--- a/config/locales/zh-TW.yml
+++ b/config/locales/zh-TW.yml
@@ -4,6 +4,7 @@ zh-TW:
   copied: 已複製
   copy_to_clipboard: 複製
   edit: 編輯
+  hide: 隱藏
   verification_expired:
   feed_latest: RubyGems.org | 最新 Gems
   feed_subscribed: RubyGems.org | 訂閱 Gems
@@ -20,12 +21,17 @@ zh-TW:
   locale_name: 正體中文
   none: 無
   not_found: 沒有找到
+  forbidden:
+  api_gem_not_found:
   api_key_forbidden: API 金鑰沒有存取權限
+  api_key_soft_deleted:
+  api_key_insufficient_scope:
   please_sign_up: 存取遭拒。請先在 https://rubygems.org 上註冊帳號
   please_sign_in: 請登入以繼續。
   otp_incorrect: 您的 OTP 碼不正確。請檢查後再試一次。
   otp_missing: 您已啟用多重要素驗證，但是沒有輸入 OTP 碼。請輸入後再試一次。
   sign_in: 登入
+  sign_out: 登出
   sign_up: 註冊
   dependency_list:
   multifactor_authentication: 多重要素驗證
@@ -33,8 +39,10 @@ zh-TW:
   this_rubygem_could_not_be_found: 找不到此 rubygem。
   time_ago: "%{duration} 前"
   title: RubyGems.org
-  update: 更新
+  total_downloads: 總下載次數
   try_again: 發生錯誤。請再試一次。
+  update: 更新
+  view_all: 查看全部
   advanced_search: 進階搜尋
   authenticate: 驗證
   helpers:
@@ -60,6 +68,14 @@ zh-TW:
         full_name: 全名
         handle: 帳號
         password: 密碼
+      ownership/role:
+        owner:
+        maintainer:
+      membership/role:
+        owner:
+        admin:
+        maintainer:
+        outside_contributor:
       api_key:
         oidc_api_key_role: OIDC API 金鑰角色
       oidc/id_token:
@@ -80,11 +96,26 @@ zh-TW:
           attributes:
             expires_at:
               inclusion:
+        organization:
+          attributes:
+            handle:
+              invalid:
         ownership:
           attributes:
             user_id:
               already_confirmed: 已是此 Gem 的擁有者
               already_invited: 已獲邀加入此 Gem
+        ownership_request:
+          attributes:
+            user_id:
+              taken:
+              existing:
+        user:
+          attributes:
+            handle:
+              invalid:
+            password:
+              bcrypt_length:
         version:
           attributes:
             gem_full_name:
@@ -155,6 +186,7 @@ zh-TW:
       save_key: 請注意，我們無法再次顯示您的 API 金鑰。新 API 金鑰：
       mfa: MFA
       expiration:
+      update_owner:
     new:
       new_api_key: 新 API 金鑰
     reset:
@@ -176,9 +208,9 @@ zh-TW:
       migrating_link_text: Gem 轉移
       mine: 我的 Gems
       my_subscriptions: 我的訂閱
-      no_owned_html: 您尚未發佈任何 Gem。可以閱讀 %{creating_link} 教學，或參考 %{migrating_link} 教學來將您的
-        Gem 從 RubyForge 遷移過來。
+      no_owned_html: 您尚未發佈任何 Gem。可以閱讀 %{creating_link} 教學。
       no_subscriptions_html: 您還沒有訂閱過 Gem，前往 %{gem_link} 來訂閱！
+      organizations:
       title: 控制台
   dependencies:
     show:
@@ -207,6 +239,7 @@ zh-TW:
         blog: 部落格
         contribute: 貢獻
         data: 資料
+        docs: 文件
         designed_by: 設計
         discussion_forum: 討論群組
         gems_served_by: 服務
@@ -221,6 +254,9 @@ zh-TW:
         statistics: 統計
         status: 狀態
         supported_by: 支持
+        supported_by_html: |
+          <a href="https://rubygems.org" class="font-semibold">RubyGems.org</a>
+          <br class="hidden lg:block"> 由以下支持
         tested_by: 測試
         tracking_by: 追蹤
         uptime: 上線時間
@@ -228,14 +264,18 @@ zh-TW:
         secured_by:
         looking_for_maintainers: 徵求維護者
       header:
+        profile: 個人檔案
         dashboard: 儀表板
         settings: 設定
         edit_profile: 編輯個人檔案
         search_gem_html: 搜尋 Gems&hellip;
-        sign_in: 登入
-        sign_out: 登出
-        sign_up: 註冊
       mfa_banner_html: "\U0001F389 我們現在支援安全裝置了！<a href=\"/settings/edit#security-device\">設定</a>新的裝置來提升您的帳號安全。[了解詳情](部落格文章連結)！"
+  breadcrumbs:
+    home: 首頁
+    dashboard: 控制台
+    settings: 設定
+    org_name: 組織：%{name}
+    subscriptions: 訂閱
   mailer:
     confirm_your_email: 已寄送連結，請點擊連結來確認您的電子郵件地址。
     confirmation_subject: "%{host} 電子郵件地址確認"
@@ -315,6 +355,12 @@ zh-TW:
       title:
       subtitle: 嗨 %{user_handle}！
       body_html:
+    owner_updated:
+      subject:
+      title:
+      subtitle:
+      body_html:
+      body_text:
     ownerhip_request_closed:
       title: 所有權請求
       subtitle: 嗨 %{handle}！
@@ -357,6 +403,8 @@ zh-TW:
         被推送的時候被呼叫。
     gem_trusted_publisher_added:
       title:
+    admin_manual:
+      title:
   news:
     show:
       title: 最新發佈
@@ -391,10 +439,6 @@ zh-TW:
       title:
     download:
       title: 下載 RubyGems
-    faq:
-      title: 常見問題
-    migrate:
-      title: 轉移 Gems
     security:
       title: 安全性
     sponsors:
@@ -431,12 +475,17 @@ zh-TW:
       或 "使用者介面和 API"。未來我們將強制要求所有帳號將設為上述 MFA 等級。
     setup_webauthn_html: "\U0001F389 我們現在支援安全裝置了！<a href=\"/settings/edit#security-device\">設定</a>新的裝置來提升您的帳號安全。<a
       href=\"https://blog.rubygems.org/2023/08/03/level-up-using-security-devices.html\">了解詳情</a>！"
+    api:
+      mfa_required:
+      mfa_required_not_yet_enabled:
+      mfa_required_weak_level_enabled:
+      mfa_recommended_not_yet_enabled:
+      mfa_recommended_weak_level_enabled:
     recovery:
-      copied: "[ 已複製 ]"
       continue: 繼續
       title: 復原碼
-      copy: "[ 複製 ]"
       saved:
+      confirm_dialog:
       note_html:
       already_generated:
     update:
@@ -498,7 +547,13 @@ zh-TW:
     failed_verification:
       title: 錯誤 - 驗證失敗
       close_browser: 請關閉此瀏覽器並重試。
+  organization_onboardings:
+    confirm:
+      success:
   owners:
+    edit:
+      role:
+      title:
     confirm:
       confirmed_email:
       token_expired: 確認權杖已過期。請從 Gem 頁面嘗試重新傳送權杖。
@@ -510,6 +565,8 @@ zh-TW:
       confirmed_at: 確認於
       added_by: 新增者
       action: 操作
+      role:
+      role_field:
       email_field:
       submit_button: 新增擁有者
       info: 新增或移除擁有者
@@ -520,6 +577,9 @@ zh-TW:
       resent_notice:
     create:
       success_notice: "%{handle} 已以未確認擁有者的身分加入。所有權存取將在使用者點擊傳送到他們的電子郵件地址的確認信後啟用。"
+    update:
+      update_current_user_role:
+      success_notice:
     destroy:
       removed_notice:
       failed_notice: 無法移除 Gem 的唯一擁有者
@@ -605,6 +665,7 @@ zh-TW:
   rubygems:
     aside:
       downloads_for_this_version: 這個版本
+      gem_version_age: 版本发布
       required_ruby_version: Ruby 版本需求
       required_rubygems_version: RubyGems 版本需求
       requires_mfa: 新版本需要 MFA
@@ -650,6 +711,7 @@ zh-TW:
       sha_256_checksum: SHA 256 總和檢查碼
       signature_period: 簽名有效期
       expired: 已過期
+      provenance_header:
     version_navigation:
       previous_version: "← 上一版本"
       next_version: 下一版本 →
@@ -691,7 +753,7 @@ zh-TW:
       updated: 更新於
       yanked: 移除於
     show:
-      subtitle: "%{query}"
+      subtitle_html: "<em>%{query}</em>"
       month_update: 於最近一個月更新 (%{count})
       week_update: 於最近一週更新 (%{count})
       filter:
@@ -711,7 +773,6 @@ zh-TW:
     index:
       title: 統計資料
       all_time_most_downloaded: 歷史下載次數排行
-      total_downloads: 總下載次數
       total_gems: Gems 總數
       total_users: 總使用者數量
   users:
@@ -780,8 +841,6 @@ zh-TW:
       continue: 繼續
       title: 您已成功新增安全裝置
       notice_html:
-      copied: "[ 已複製 ]"
-      copy: "[ 複製 ]"
       saved:
     webauthn_credential:
       confirm_delete: 已刪除認證
diff --git a/config/puma.rb b/config/puma.rb
index cbc576cdb8f..06bcbfdb6d8 100644
--- a/config/puma.rb
+++ b/config/puma.rb
@@ -2,20 +2,32 @@
 # are invoked here are part of Puma's configuration DSL. For more information
 # about methods provided by the DSL, see https://puma.io/puma/Puma/DSL.html.
 
-# Puma can serve each request in a thread from an internal thread pool.
-# The `threads` method setting takes two numbers: a minimum and maximum.
-# Any libraries that use thread pools should be configured to match
-# the maximum value specified for Puma. Default is set to 5 threads for minimum
-# and maximum; this matches the default thread size of Active Record.
-max_threads_count = ENV.fetch("RAILS_MAX_THREADS", 5)
-min_threads_count = ENV.fetch("RAILS_MIN_THREADS") { max_threads_count }
-threads min_threads_count, max_threads_count
-
-require "concurrent"
+# Puma starts a configurable number of processes (workers) and each process
+# serves each request in a thread from an internal thread pool.
+#
+# The ideal number of threads per worker depends both on how much time the
+# application spends waiting for IO operations and on how much you wish to
+# to prioritize throughput over latency.
+#
+# As a rule of thumb, increasing the number of threads will increase how much
+# traffic a given process can handle (throughput), but due to CRuby's
+# Global VM Lock (GVL) it has diminishing returns and will degrade the
+# response time (latency) of the application.
+#
+# The default is set to 3 threads as it's deemed a decent compromise between
+# throughput and latency for the average Rails application.
+#
+# Any libraries that use a connection pool or another resource pool should
+# be configured to provide at least as many connections as the number of
+# threads. This includes Active Record's `pool` parameter in `database.yml`.
+threads_count = ENV.fetch("RAILS_MAX_THREADS", 3)
+threads threads_count, threads_count
 
 rails_env = ENV.fetch("RAILS_ENV") { "development" }
 production_like = !%w[development test].include?(rails_env) # rubocop:disable Rails/NegateInclude
 
+require "concurrent"
+
 if production_like
   # Specifies that the worker count should equal the number of processors in production.
   worker_count = Integer(ENV.fetch("WEB_CONCURRENCY") { Concurrent.physical_processor_count })
@@ -39,8 +51,9 @@
 # Specifies the `environment` that Puma will run in.
 environment rails_env
 
-# Specifies the `pidfile` that Puma will use.
-pidfile ENV.fetch("PIDFILE") { "tmp/pids/server.pid" }
+# Specify the PID file. Defaults to tmp/pids/server.pid in development.
+# In other environments, only set the PID file if requested.
+pidfile ENV["PIDFILE"] if ENV["PIDFILE"]
 
 before_fork do
   sleep 1
diff --git a/config/routes.rb b/config/routes.rb
index fd5871e8c0c..e99f9cd795c 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -87,11 +87,14 @@
           delete :yank, to: "deletions#create"
         end
         constraints rubygem_id: Patterns::ROUTE_PATTERN do
-          resource :owners, only: %i[show create destroy]
+          resource :owners, only: %i[show create edit update destroy]
           resources :trusted_publishers, controller: 'oidc/rubygem_trusted_publishers', only: %i[index create destroy show]
         end
       end
 
+      resources :attestations, only: :show, format: /json/,
+        constraints: { id: Patterns::ROUTE_PATTERN }
+
       resource :activity, only: [], format: /json|yaml/ do
         collection do
           get :latest
@@ -157,6 +160,7 @@
       get :advanced
     end
     resource :dashboard, only: :show, constraints: { format: /html|atom/ }
+    resources :subscriptions, only: :index
     resources :profiles, only: :show
     get "profile/me", to: "profiles#me", as: :my_profile
     resource :multifactor_auth, only: %i[update] do
@@ -211,7 +215,7 @@
         get '/dependencies', to: 'dependencies#show', constraints: { format: /json|html/ }
       end
       resources :reverse_dependencies, only: %i[index]
-      resources :owners, only: %i[index destroy create], param: :handle do
+      resources :owners, only: %i[index destroy edit update create], param: :handle do
         get 'confirm', to: 'owners#confirm', as: :confirm, on: :collection
         get 'resend_confirmation', to: 'owners#resend_confirmation', as: :resend_confirmation, on: :collection
       end
@@ -255,6 +259,8 @@
       get 'verify', to: 'sessions#verify', as: :verify
       post 'authenticate', to: 'sessions#authenticate', as: :authenticate
       post 'webauthn_authenticate', to: 'sessions#webauthn_authenticate', as: :webauthn_authenticate
+
+      get 'development_log_in_as/:user_id', to: 'sessions#development_log_in_as' if Gemcutter::ENABLE_DEVELOPMENT_LOG_IN
     end
 
     resources :users, only: %i[new create]
@@ -263,6 +269,26 @@
     delete '/sign_out' => 'sessions#destroy', as: 'sign_out'
 
     get '/sign_up' => 'users#new', as: 'sign_up' if Clearance.configuration.allow_sign_up?
+
+    namespace :organizations, as: :organization do
+      get "onboarding", to: redirect("/organizations/onboarding/name")
+      delete "onboarding", to: "onboarding#destroy"
+
+      namespace :onboarding do
+        get "name", to: "name#new"
+        post "name", to: "name#create"
+
+        get "gems", to: "gems#edit"
+        patch "gems", to: "gems#update"
+
+        get "users", to: "users#edit"
+        patch "users", to: "users#update"
+
+        get "confirm", to: "confirm#edit"
+        patch "confirm", to: "confirm#update"
+      end
+    end
+    resources :organizations, only: %i[show], constraints: { id: Patterns::ROUTE_PATTERN }
   end
 
   ################################################################################
@@ -331,7 +357,7 @@
     get ':provider/callback', to: 'oauth#create'
     get 'failure', to: 'oauth#failure'
 
-    get 'development_log_in_as/:admin_github_user_id', to: 'oauth#development_log_in_as' if Gemcutter::ENABLE_DEVELOPMENT_ADMIN_LOG_IN
+    get 'development_log_in_as/:admin_github_user_id', to: 'oauth#development_log_in_as' if Gemcutter::ENABLE_DEVELOPMENT_LOG_IN
   end
 
   ################################################################################
diff --git a/config/tailwind.config.js b/config/tailwind.config.js
index 7366febac45..f82dab740ee 100644
--- a/config/tailwind.config.js
+++ b/config/tailwind.config.js
@@ -3,7 +3,6 @@ const defaultTheme = require("tailwindcss/defaultTheme");
 /** @type {import('tailwindcss').Config} */
 module.exports = {
   mode: "jit",
-  prefix: "tw-", // While we still have non-tailwind classes
   content: [
     "./app/views/**/*.rb",
     "./app/components/**/*rb",
@@ -14,18 +13,241 @@ module.exports = {
   ],
   theme: {
     extend: {
+      screens: {
+        'sm': '480px' // Below this is a phone in portrait mode
+      },
       fontFamily: {
-        sans: [
-          "Helvetica Neue",
-          "Helvetica",
-          "Arial",
-          ...defaultTheme.fontFamily.sans,
-        ],
+        sans: ['"Titillium Web"', ...defaultTheme.fontFamily.sans],
+        mono: ['"Fira Code"', ...defaultTheme.fontFamily.mono],
+      },
+      fontSize: {
+        lg:   ['1.4375rem', '2.156rem'], // Base/01 23px, 34.5px
+        base: ['1.1875rem', '1.781rem'], // Base/02 19px, 28.5px
+        sm:   ['1.0000rem', '1.500rem'], // Base/03 16px, 24px
+        xs:   ['0.8750rem', '1.313rem'], // Base/04 14px, 21px
+
+        d1: ['3.1875rem', '3.825rem'], // Display/01 51px, 61.2px
+        d2: ['2.9375rem', '3.525rem'], // Display/02 47px, 56.4px
+        d3: ['2.6875rem', '3.225rem'], // Display/03 43px, 51.6px
+        h1: ['2.4375rem', '2.925rem'], // Header/01 39px, 46.8px
+        h2: ['2.1875rem', '2.625rem'], // Header/02 35px, 42px
+        h3: ['1.8750rem', '2.325rem'], // Header/03 31px, 37.2px
+        h4: ['1.6875rem', '2.025rem'], // Header/04 27px, 32.4px
+        b1: ['1.4375rem', '2.156rem'], // Base/01 23px, 34.5px
+        b2: ['1.1875rem', '1.781rem'], // Base/02 19px, 28.5px
+        b3: ['1.0000rem', '1.500rem'], // Base/03 16px, 24px
+        b4: ['0.8750rem', '1.313rem'], // Base/04 14px, 21px
+        c1: ['1.6875rem', '2.025rem'], // Code/01 27px, 32.4px
+        c2: ['1.4375rem', '1.725rem'], // Code/02 23px, 27.6px
+        c3: ['1.1250rem', '1.350rem'], // Code/03 18px, 21.6px
+        c4: ['1.0000rem', '1.200rem'], // Code/04 16px, 19.2px
       },
       colors: {
-        "rubygems-red": "#e74c3c",
-        blackish: "#141c22",
-        grayish: "#c1c4ca",
+        transparent: 'transparent',
+        current: 'currentColor',
+        'white': '#FFFFFF',
+        'black': '#000000',
+        'red': { // Warn / Failure
+          100: '#FFEEF1',
+          200: '#FFC4CD',
+          300: '#FF9CB0',
+          400: '#FF0E3B',
+          500: '#E4002B',
+          600: '#BA0023',
+          700: '#970019',
+          800: '#730012',
+          900: '#58000A',
+        },
+        'orange': { // Primary
+          '050': '#FFF8F1',
+          100: '#FFF0EC',
+          200: '#FFC6AD',
+          300: '#FFA983',
+          400: '#FF7539',
+          500: '#F74C27',
+          DEFAULT: '#F74C27', // 500 brand primary
+          600: '#E04300',
+          700: '#AD2F14',
+          800: '#761A05',
+          900: '#581A0C',
+          950: '#3A1007',
+        },
+        'yellow': { // Alert
+          100: '#FFFBF7',
+          200: '#FFF4EA',
+          300: '#FFE4BB',
+          400: '#FFC772',
+          500: '#FFAB2D',
+          600: '#D38C22',
+          700: '#A66D17',
+          800: '#7A4E0C',
+          900: '#4D2E00',
+        },
+        'green': { // Success
+          100: '#F1FFFE',
+          200: '#E1FFFC',
+          300: '#C9FFF9',
+          400: '#06B8B9',
+          500: '#05A3A7',
+          600: '#03858B',
+          700: '#006770',
+          800: '#004F56',
+          900: '#00373B',
+        },
+        'blue': { // Info
+          100: '#F3F9FF',
+          200: '#E1F1FF',
+          300: '#92C0F4',
+          400: '#76ADEC',
+          500: '#6999D2',
+          600: '#5B86B8',
+          700: '#3F699A',
+          800: '#234C7D',
+          900: '#113765',
+          950: '#06264C',
+        },
+        'neutral': {
+          // WHITE
+          // Light
+          //   background (general)
+          //   secondary search bar background
+          // Dark
+          //   primary text
+          //   primary icons
+          '000': '#FFFFFF',
+
+          // neutral-050
+          // Light
+          //   work canvas
+          //   form input
+          // Dark (not used)
+          '050': '#FBFBFB',
+
+          // neutral-100
+          // Light
+          //   primary search bar bg
+          // Dark (not used)
+          '100': '#EEF1F3',
+
+          // neutral-200
+          // Light
+          //   tab hover
+          //   pagination hover
+          //   neutral toasts
+          //   neutral badges
+          //   neutral labels (dropdown)
+          //   low performance indicators
+          // Dark
+          //   primary text hover
+          '200': '#E3E7EA',
+
+          // neutral-300
+          // Light
+          //   disabled buttons
+          //   disabled form input
+          //   list dividing line
+          //   tab dividing line
+          //   outside line default
+          //     search bar
+          //     dropdown
+          //     chips
+          // Dark (not used)
+          '300': '#D7DEE3',
+
+          // neutral-400
+          // Light (not used)
+          // Dark
+          //   secondary text
+          //     disabled button text
+          //     inactive search bar
+          //     nav breadcrumbs
+          //   secondary icons
+          '400': '#C6CED5',
+
+          // neutral-500
+          // Light
+          //   outside stroke
+          //     general containers
+          //     neutral toasts
+          //   outside stroke active states
+          //     search bar
+          //     drop downs
+          //     chips
+          // Dark (not used)
+          '500': '#AEB8C1',
+
+          // neutral-600
+          // Light
+          //   secondary text
+          //     disabled button text
+          //     inactive search bar
+          //     nav breadcrumbs
+          //     search result gem description captions
+          //     text counters [  Gems  4  ]
+          //     sort by - not active
+          //   secondary icons
+          // Dark
+          //   secondary text
+          //     search result gem description captions
+          //     text counters [  Gems  4  ]
+          //     sort by - not active
+          //
+          '600': '#6C7583',
+
+          // neutral-700
+          // Light (not used)
+          // Dark
+          //   disabled buttons
+          //   disabled form input
+          //   list dividing line
+          //   tab dividing line
+          //   outside line default
+          //     search bar
+          //     dropdown
+          //     chips
+          //   outside stroke
+          //     general containers
+          //     neutral toasts
+          //   outside stroke active states
+          //     search bar
+          //     drop downs
+          //     chips
+          '700': '#434B59',
+
+          // neutral-800
+          // Light
+          //   primary text
+          //   primary icons
+          // Dark
+          //   tab hover
+          //   pagination hover
+          //   neutral toasts
+          //   neutral badges
+          //   neutral labels (dropdown)
+          //   low performance indicators
+          '800': '#333A45',
+
+          // neutral-900
+          // Light (not used)
+          // Dark
+          //   primary search bar background
+          '900': '#222831',
+
+          // neutral-950
+          // Light (not used)
+          // Dark
+          //   work canvas
+          //   form input
+          '950': '#16191E',
+
+          // BLACK
+          // Light
+          //   primary text hover
+          // Dark
+          //   background (general)
+          //   secondary search bar background
+          '1000': '#000000',
+        },
       },
     },
   },
@@ -36,6 +258,5 @@ module.exports = {
     require("@tailwindcss/container-queries"),
   ],
   corePlugins: {
-    preflight: false,
   },
 };
diff --git a/db/migrate/20240630025625_create_organizations.rb b/db/migrate/20240630025625_create_organizations.rb
new file mode 100644
index 00000000000..66e7228c92d
--- /dev/null
+++ b/db/migrate/20240630025625_create_organizations.rb
@@ -0,0 +1,13 @@
+class CreateOrganizations < ActiveRecord::Migration[7.1]
+  def change
+    create_table :organizations do |t|
+      t.string :handle, limit: 40
+      t.string :name, limit: 255
+      t.timestamp :deleted_at
+
+      t.timestamps
+
+      t.index "lower(handle)", unique: true
+    end
+  end
+end
diff --git a/db/migrate/20240630025804_create_memberships.rb b/db/migrate/20240630025804_create_memberships.rb
new file mode 100644
index 00000000000..ee39a70ece8
--- /dev/null
+++ b/db/migrate/20240630025804_create_memberships.rb
@@ -0,0 +1,12 @@
+class CreateMemberships < ActiveRecord::Migration[7.1]
+  def change
+    create_table :memberships do |t|
+      t.belongs_to :user, null: false, foreign_key: true
+      t.belongs_to :organization, null: false, foreign_key: true
+      t.timestamp :confirmed_at, default: nil
+
+      t.timestamps
+      t.index %i[user_id organization_id], unique: true
+    end
+  end
+end
diff --git a/db/migrate/20240712003336_create_organization_events.rb b/db/migrate/20240712003336_create_organization_events.rb
new file mode 100644
index 00000000000..03cb1b95eaa
--- /dev/null
+++ b/db/migrate/20240712003336_create_organization_events.rb
@@ -0,0 +1,14 @@
+class CreateOrganizationEvents < ActiveRecord::Migration[7.0]
+  def change
+    create_table :events_organization_events do |t|
+      t.string :tag, null: false, index: true
+      t.string :trace_id, null: true
+      t.references :organization, null: false, foreign_key: true
+      t.references :ip_address, null: true, foreign_key: true
+      t.references :geoip_info, null: true, foreign_key: true
+      t.jsonb :additional
+
+      t.timestamps
+    end
+  end
+end
diff --git a/db/migrate/20240722182907_create_good_job_execution_duration.rb b/db/migrate/20240722182907_create_good_job_execution_duration.rb
new file mode 100644
index 00000000000..fef37f07bc1
--- /dev/null
+++ b/db/migrate/20240722182907_create_good_job_execution_duration.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class CreateGoodJobExecutionDuration < ActiveRecord::Migration[7.1]
+  def change
+    reversible do |dir|
+      dir.up do
+        # Ensure this incremental update migration is idempotent
+        # with monolithic install migration.
+        return if connection.column_exists?(:good_job_executions, :duration)
+      end
+    end
+
+    add_column :good_job_executions, :duration, :interval
+  end
+end
diff --git a/db/migrate/20240802151324_add_role_to_ownership.rb b/db/migrate/20240802151324_add_role_to_ownership.rb
new file mode 100644
index 00000000000..236a6040c4d
--- /dev/null
+++ b/db/migrate/20240802151324_add_role_to_ownership.rb
@@ -0,0 +1,5 @@
+class AddRoleToOwnership < ActiveRecord::Migration[7.1]
+  def change
+    add_column :ownerships, :role, :integer, null: false, default: 70 # Access::OWNER
+  end
+end
diff --git a/db/migrate/20240917042436_add_role_to_memberships.rb b/db/migrate/20240917042436_add_role_to_memberships.rb
new file mode 100644
index 00000000000..1a1d311325a
--- /dev/null
+++ b/db/migrate/20240917042436_add_role_to_memberships.rb
@@ -0,0 +1,5 @@
+class AddRoleToMemberships < ActiveRecord::Migration[7.1]
+  def change
+    add_column :memberships, :role, :integer, null: false, default: 50 # Access::MAINTAINER
+  end
+end
diff --git a/db/migrate/20241007193740_create_attestations.rb b/db/migrate/20241007193740_create_attestations.rb
new file mode 100644
index 00000000000..c0f49e4c22d
--- /dev/null
+++ b/db/migrate/20241007193740_create_attestations.rb
@@ -0,0 +1,11 @@
+class CreateAttestations < ActiveRecord::Migration[7.2]
+  def change
+    create_table :attestations do |t|
+      t.belongs_to :version, null: false, foreign_key: true
+      t.jsonb :body
+      t.string :media_type
+
+      t.timestamps
+    end
+  end
+end
diff --git a/db/migrate/20241023052946_create_organization_onboardings.rb b/db/migrate/20241023052946_create_organization_onboardings.rb
new file mode 100644
index 00000000000..90474326c49
--- /dev/null
+++ b/db/migrate/20241023052946_create_organization_onboardings.rb
@@ -0,0 +1,16 @@
+class CreateOrganizationOnboardings < ActiveRecord::Migration[7.2]
+  def change
+    create_table :organization_onboardings do |t|
+      t.string :status, null: false
+      t.string :name_type, null: false
+      t.string :organization_name, null: false
+      t.string :organization_handle, null: false
+      t.text :error, null: true
+      t.integer :rubygems, array: true, default: [], null: true
+      t.datetime :onboarded_at, null: true
+      t.integer :created_by_id, null: false
+      t.integer :onboarded_organization_id, null: true
+      t.timestamps
+    end
+  end
+end
diff --git a/db/migrate/20241023053140_add_organization_foreign_keyto_ruby_gems.rb b/db/migrate/20241023053140_add_organization_foreign_keyto_ruby_gems.rb
new file mode 100644
index 00000000000..27359ca9772
--- /dev/null
+++ b/db/migrate/20241023053140_add_organization_foreign_keyto_ruby_gems.rb
@@ -0,0 +1,8 @@
+class AddOrganizationForeignKeytoRubyGems < ActiveRecord::Migration[7.2]
+  disable_ddl_transaction!
+
+  def change
+    add_reference :rubygems, :organization, null: true, index: { algorithm: :concurrently }
+    add_foreign_key :rubygems, :organizations, column: :organization_id, on_delete: :nullify, validate: false
+  end
+end
diff --git a/db/migrate/20241023053210_validate_add_organization_foreign_keyto_ruby_gems.rb b/db/migrate/20241023053210_validate_add_organization_foreign_keyto_ruby_gems.rb
new file mode 100644
index 00000000000..00d7ae1d13f
--- /dev/null
+++ b/db/migrate/20241023053210_validate_add_organization_foreign_keyto_ruby_gems.rb
@@ -0,0 +1,5 @@
+class ValidateAddOrganizationForeignKeytoRubyGems < ActiveRecord::Migration[7.2]
+  def change
+    validate_foreign_key :rubygems, :organizations
+  end
+end
diff --git a/db/migrate/20241104065953_add_organization_onboarding_invites.rb b/db/migrate/20241104065953_add_organization_onboarding_invites.rb
new file mode 100644
index 00000000000..9e0d98cefde
--- /dev/null
+++ b/db/migrate/20241104065953_add_organization_onboarding_invites.rb
@@ -0,0 +1,11 @@
+class AddOrganizationOnboardingInvites < ActiveRecord::Migration[7.2]
+  def change
+    create_table :organization_onboarding_invites do |t|
+      t.references :organization_onboarding, null: false, foreign_key: true
+      t.references :user, null: false, foreign_key: true
+      t.string :role, null: true
+
+      t.timestamps
+    end
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index e1bf4f13690..99235afcc75 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.1].define(version: 2024_05_22_185717) do
+ActiveRecord::Schema[7.2].define(version: 2024_11_04_065953) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "hstore"
   enable_extension "pgcrypto"
@@ -56,6 +56,15 @@
     t.check_constraint "scopes IS NOT NULL", name: "api_keys_scopes_null"
   end
 
+  create_table "attestations", force: :cascade do |t|
+    t.bigint "version_id", null: false
+    t.jsonb "body"
+    t.string "media_type"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["version_id"], name: "index_attestations_on_version_id"
+  end
+
   create_table "audits", force: :cascade do |t|
     t.string "auditable_type", null: false
     t.bigint "auditable_id", null: false
@@ -94,6 +103,21 @@
     t.index ["version_id"], name: "index_dependencies_on_version_id"
   end
 
+  create_table "events_organization_events", force: :cascade do |t|
+    t.string "tag", null: false
+    t.string "trace_id"
+    t.bigint "organization_id", null: false
+    t.bigint "ip_address_id"
+    t.bigint "geoip_info_id"
+    t.jsonb "additional"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["geoip_info_id"], name: "index_events_organization_events_on_geoip_info_id"
+    t.index ["ip_address_id"], name: "index_events_organization_events_on_ip_address_id"
+    t.index ["organization_id"], name: "index_events_organization_events_on_organization_id"
+    t.index ["tag"], name: "index_events_organization_events_on_tag"
+  end
+
   create_table "events_rubygem_events", force: :cascade do |t|
     t.string "tag", null: false
     t.string "trace_id"
@@ -187,6 +211,7 @@
     t.integer "error_event", limit: 2
     t.text "error_backtrace", array: true
     t.uuid "process_id"
+    t.interval "duration"
     t.index ["active_job_id", "created_at"], name: "index_good_job_executions_on_active_job_id_and_created_at"
     t.index ["process_id", "created_at"], name: "index_good_job_executions_on_process_id_and_created_at"
   end
@@ -315,6 +340,18 @@
     t.index ["task_name", "status", "created_at"], name: "index_maintenance_tasks_runs", order: { created_at: :desc }
   end
 
+  create_table "memberships", force: :cascade do |t|
+    t.bigint "user_id", null: false
+    t.bigint "organization_id", null: false
+    t.datetime "confirmed_at", precision: nil
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.integer "role", default: 50, null: false
+    t.index ["organization_id"], name: "index_memberships_on_organization_id"
+    t.index ["user_id", "organization_id"], name: "index_memberships_on_user_id_and_organization_id", unique: true
+    t.index ["user_id"], name: "index_memberships_on_user_id"
+  end
+
   create_table "oidc_api_key_roles", force: :cascade do |t|
     t.bigint "oidc_provider_id", null: false
     t.bigint "user_id", null: false
@@ -382,6 +419,39 @@
     t.index ["repository_owner", "repository_name", "repository_owner_id", "workflow_filename", "environment"], name: "index_oidc_trusted_publisher_github_actions_claims", unique: true
   end
 
+  create_table "organization_onboarding_invites", force: :cascade do |t|
+    t.bigint "organization_onboarding_id", null: false
+    t.bigint "user_id", null: false
+    t.string "role"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index ["organization_onboarding_id"], name: "idx_on_organization_onboarding_id_e5b08868fb"
+    t.index ["user_id"], name: "index_organization_onboarding_invites_on_user_id"
+  end
+
+  create_table "organization_onboardings", force: :cascade do |t|
+    t.string "status", null: false
+    t.string "name_type", null: false
+    t.string "organization_name", null: false
+    t.string "organization_handle", null: false
+    t.text "error"
+    t.integer "rubygems", default: [], array: true
+    t.datetime "onboarded_at"
+    t.integer "created_by_id", null: false
+    t.integer "onboarded_organization_id"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
+
+  create_table "organizations", force: :cascade do |t|
+    t.string "handle", limit: 40
+    t.string "name", limit: 255
+    t.datetime "deleted_at", precision: nil
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.index "lower((handle)::text)", name: "index_organizations_on_lower_handle", unique: true
+  end
+
   create_table "ownership_calls", force: :cascade do |t|
     t.bigint "rubygem_id"
     t.bigint "user_id"
@@ -419,6 +489,7 @@
     t.boolean "owner_notifier", default: true, null: false
     t.integer "authorizer_id"
     t.boolean "ownership_request_notifier", default: true, null: false
+    t.integer "role", default: 70, null: false
     t.index ["rubygem_id"], name: "index_ownerships_on_rubygem_id"
     t.index ["user_id", "rubygem_id"], name: "index_ownerships_on_user_id_and_rubygem_id", unique: true
   end
@@ -428,10 +499,12 @@
     t.datetime "created_at", precision: nil
     t.datetime "updated_at", precision: nil
     t.boolean "indexed", default: false, null: false
+    t.bigint "organization_id"
     t.index "regexp_replace(upper((name)::text), '[_-]'::text, ''::text, 'g'::text)", name: "dashunderscore_typos_idx"
     t.index "upper((name)::text) varchar_pattern_ops", name: "index_rubygems_upcase"
     t.index ["indexed"], name: "index_rubygems_on_indexed"
     t.index ["name"], name: "index_rubygems_on_name", unique: true
+    t.index ["organization_id"], name: "index_rubygems_on_organization_id"
   end
 
   create_table "sendgrid_events", force: :cascade do |t|
@@ -580,7 +653,11 @@
   end
 
   add_foreign_key "api_key_rubygem_scopes", "api_keys", name: "api_key_rubygem_scopes_api_key_id_fk"
+  add_foreign_key "attestations", "versions"
   add_foreign_key "audits", "admin_github_users", name: "audits_admin_github_user_id_fk"
+  add_foreign_key "events_organization_events", "geoip_infos"
+  add_foreign_key "events_organization_events", "ip_addresses"
+  add_foreign_key "events_organization_events", "organizations"
   add_foreign_key "events_rubygem_events", "geoip_infos"
   add_foreign_key "events_rubygem_events", "ip_addresses"
   add_foreign_key "events_rubygem_events", "rubygems"
@@ -589,12 +666,16 @@
   add_foreign_key "events_user_events", "users"
   add_foreign_key "ip_addresses", "geoip_infos"
   add_foreign_key "linksets", "rubygems", name: "linksets_rubygem_id_fk"
+  add_foreign_key "memberships", "organizations"
+  add_foreign_key "memberships", "users"
   add_foreign_key "oidc_api_key_roles", "oidc_providers"
   add_foreign_key "oidc_api_key_roles", "users"
   add_foreign_key "oidc_id_tokens", "api_keys"
   add_foreign_key "oidc_id_tokens", "oidc_api_key_roles"
   add_foreign_key "oidc_pending_trusted_publishers", "users"
   add_foreign_key "oidc_rubygem_trusted_publishers", "rubygems"
+  add_foreign_key "organization_onboarding_invites", "organization_onboardings"
+  add_foreign_key "organization_onboarding_invites", "users"
   add_foreign_key "ownership_calls", "rubygems", name: "ownership_calls_rubygem_id_fk"
   add_foreign_key "ownership_calls", "users", name: "ownership_calls_user_id_fk"
   add_foreign_key "ownership_requests", "ownership_calls", name: "ownership_requests_ownership_call_id_fk"
@@ -602,6 +683,7 @@
   add_foreign_key "ownership_requests", "users", column: "approver_id", name: "ownership_requests_approver_id_fk"
   add_foreign_key "ownership_requests", "users", name: "ownership_requests_user_id_fk"
   add_foreign_key "ownerships", "users", on_delete: :cascade
+  add_foreign_key "rubygems", "organizations", on_delete: :nullify
   add_foreign_key "versions", "api_keys", column: "pusher_api_key_id"
   add_foreign_key "versions", "rubygems", name: "versions_rubygem_id_fk"
   add_foreign_key "web_hooks", "users", name: "web_hooks_user_id_fk"
diff --git a/db/seeds.rb b/db/seeds.rb
index 2b84f60671e..7af1eed39f6 100644
--- a/db/seeds.rb
+++ b/db/seeds.rb
@@ -26,6 +26,7 @@
 ).find_or_create_by!(email: "gem-requester@example.com")
 
 User.create_with(
+  handle: "gem-security",
   email_confirmed: true,
   password:
 ).find_or_create_by!(email: "security@rubygems.org")
@@ -103,7 +104,9 @@
 user.web_hooks.find_or_create_by!(url: "https://example.com/rubygem0", rubygem: rubygem0)
 user.web_hooks.find_or_create_by!(url: "http://example.com/all", rubygem: nil)
 
-author.api_keys.find_or_create_by!(hashed_key: "securehashedkey", name: "api key", scopes: %i[push_rubygem])
+author.api_keys.create_with(
+  hashed_key: Digest::SHA256.hexdigest("gem-author-key")
+).find_or_create_by!(name: "api key", scopes: %i[push_rubygem])
 
 Admin::GitHubUser.create_with(
   is_admin: true,
@@ -297,6 +300,11 @@
   environment: "deploy"
 ).rubygem_trusted_publishers.find_or_create_by!(rubygem: rubygem0)
 
+rubygem0.versions.find_by(full_name: "rubygem0-1.0.0").attestations.find_or_create_by!(
+  media_type: Sigstore::BundleType::BUNDLE_0_3.media_type,
+  body: JSON.parse(Rails.root.join("test", "gems", "sigstore-1.0.0.gem.sigstore.json").read)
+)
+
 author.oidc_pending_trusted_publishers.create_with(
   expires_at: 100.years.from_now
 ).find_or_create_by!(
diff --git a/docker-compose.yml b/docker-compose.yml
index 3bcc4b47463..f2c7e57bb24 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,25 +1,26 @@
 services:
   db:
-    image: postgres:13.14
+    image: index.docker.io/library/postgres@sha256:e0892b968fb80d181a96f18bfef0a8a1693c2430fb2bc7392e65a53057eaa303 # 13.14
     ports:
       - "5432:5432"
     environment:
       - POSTGRES_HOST_AUTH_METHOD=trust
   downloads-db:
-    image: timescale/timescaledb:2.15.1-pg16
+    image: index.docker.io/timescale/timescaledb@sha256:2e3a19fa4624addcb2bb8d37dfe2fee9e12597537b057a742c68aa226ed77da5 # 2.15.1-pg16
     ports:
       - "5434:5432"
     environment:
       - POSTGRES_HOST_AUTH_METHOD=trust
   cache:
-    image: memcached:1.4.39
+    image: index.docker.io/library/memcached@sha256:f4504742a8fb03c3ac0cd172e1c1d2277117629f8d21d52f78307121ddc3de5f # 1.4.39
     ports:
       - "11211:11211"
   search:
-    image: opensearchproject/opensearch:2.13.0
+    image: index.docker.io/opensearchproject/opensearch@sha256:2e954ff0e8c9d0f4868b4818150b3aecc92fbb0cc4a24d00dace38ada227291d # 2.13.0
     environment:
       - discovery.type=single-node
       - DISABLE_SECURITY_PLUGIN=true
+      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
     ports:
       - "9200:9200"
     healthcheck:
@@ -35,12 +36,13 @@ services:
       timeout: 5s
       retries: 6
   search-console:
-    image: opensearchproject/opensearch-dashboards:2.13.0
+    image: index.docker.io/opensearchproject/opensearch-dashboards@sha256:d8f4442da4d0cb44865a5eab01c9eb9f00769e2d5f053d21e3ff3c64a50fc6ec # 2.13.0
     ports:
       - "5601:5601"
     environment:
       - 'OPENSEARCH_HOSTS=["http://search:9200"]'
       - "DISABLE_SECURITY_DASHBOARDS_PLUGIN=true"
+      - "OPENSEARCH_JAVA_OPTS=-Xms512m -Xmx512m"
     healthcheck:
       test:
         [
@@ -53,5 +55,5 @@ services:
       search:
         condition: service_healthy
   toxiproxy:
-    image: ghcr.io/shopify/toxiproxy:2.5.0
+    image: ghcr.io/shopify/toxiproxy@sha256:927c797a2115a193ae3a527e5a36782b938419904ac6706ca0efa029ebea58cb # 2.5.0
     network_mode: "host"
diff --git a/lib/access.rb b/lib/access.rb
new file mode 100644
index 00000000000..e86093fb79b
--- /dev/null
+++ b/lib/access.rb
@@ -0,0 +1,27 @@
+module Access
+  MAINTAINER = 50
+  ADMIN = 60
+  OWNER = 70
+
+  DEFAULT_ROLE = "owner".freeze
+
+  ROLES = {
+    "maintainer" => MAINTAINER,
+    "owner" => OWNER,
+    "admin" => ADMIN
+  }.with_indifferent_access.freeze
+
+  def self.flag_for_role(role)
+    ROLES.fetch(role)
+  end
+
+  def self.with_minimum_role(role)
+    Range.new(flag_for_role(role), nil)
+  end
+
+  def self.role_for_flag(flag)
+    ROLES.key(flag)&.inquiry.tap do |role|
+      raise ArgumentError, "Unknown role flag: #{flag}" if role.blank?
+    end
+  end
+end
diff --git a/lib/admin/authorization_client.rb b/lib/admin/authorization_client.rb
index 6a95c709438..db6e81df77a 100644
--- a/lib/admin/authorization_client.rb
+++ b/lib/admin/authorization_client.rb
@@ -1,6 +1,6 @@
 # This class is the same as the default pundit authorization client.
 # It just adds the admin scope automatically so that Avo pundit policies can be kept separate.
-class Admin::AuthorizationClient < Avo::Services::AuthorizationClients::PunditClient
+class Admin::AuthorizationClient < Avo::Pro::Authorization::Clients::PunditClient
   def authorize(user, record, action, policy_class: nil)
     # After https://github.com/avo-hq/avo/pull/2827 lands, we can hopefully remove this hack
     policy_class ||= Admin::GitHubUserPolicy if record == Admin::GitHubUser
diff --git a/lib/github_oauthable.rb b/lib/github_oauthable.rb
index 31d621bf4fb..04047d9d975 100644
--- a/lib/github_oauthable.rb
+++ b/lib/github_oauthable.rb
@@ -73,7 +73,7 @@ def log_in_as(user:, expires: 1.hour)
       cookies.encrypted[admin_cookie_name] = {
         value: user.id,
         expires: expires,
-        same_site: :lax
+        same_site: :strict
       }
     end
 
diff --git a/lib/name_format_validator.rb b/lib/name_format_validator.rb
index d8fae743d2c..fa59e37b185 100644
--- a/lib/name_format_validator.rb
+++ b/lib/name_format_validator.rb
@@ -2,14 +2,18 @@
 
 class NameFormatValidator < ActiveModel::EachValidator
   def validate_each(record, attribute, value)
-    if value.class != String
-      record.errors.add attribute, "must be a String"
-    elsif !Patterns::LETTER_REGEXP.match?(value)
-      record.errors.add attribute, "must include at least one letter"
-    elsif !Patterns::NAME_PATTERN.match?(value)
-      record.errors.add attribute, "can only include letters, numbers, dashes, and underscores"
-    elsif Patterns::SPECIAL_CHAR_PREFIX_REGEXP.match?(value)
-      record.errors.add attribute, "can not begin with a period, dash, or underscore"
-    end
+    return record.errors.add attribute, "must be a String" if value.class != String
+
+    record.errors.add attribute, "must include at least one letter" if requires_letter? && !Patterns::LETTER_REGEXP.match?(value)
+    record.errors.add attribute, "can only include letters, numbers, dashes, and underscores" unless Patterns::NAME_PATTERN.match?(value)
+    record.errors.add attribute, "can not begin with a period, dash, or underscore" if Patterns::SPECIAL_CHAR_PREFIX_REGEXP.match?(value)
+    record.errors.add attribute, "can not end with a period, dash, or underscore" if Patterns::SPECIAL_CHAR_SUFFIX_REGEXP.match?(value)
+    record.errors.add attribute, "can not end with a common file extension" if Patterns::BANNED_EXTENSION_REGEXP.match?(value)
+  end
+
+  private
+
+  def requires_letter?
+    options.fetch(:requires_letter, true)
   end
 end
diff --git a/lib/patterns.rb b/lib/patterns.rb
index 4ac37857d77..4b3a2674340 100644
--- a/lib/patterns.rb
+++ b/lib/patterns.rb
@@ -1,16 +1,19 @@
 module Patterns
   extend ActiveSupport::Concern
 
-  JAVA_HTTP_USER_AGENT  = /^java/i
   SPECIAL_CHARACTERS    = ".-_".freeze
   ALLOWED_CHARACTERS    = "[A-Za-z0-9#{Regexp.escape(SPECIAL_CHARACTERS)}]+".freeze
-  ROUTE_PATTERN         = /#{ALLOWED_CHARACTERS}/
+  ROUTE_PATTERN         = /#{ALLOWED_CHARACTERS}(?<!\.gem)/
   LAZY_ROUTE_PATTERN    = /#{ALLOWED_CHARACTERS}?/
   NAME_PATTERN          = /\A#{ALLOWED_CHARACTERS}\z/
   LETTER_REGEXP         = /[a-zA-Z]+/
-  SPECIAL_CHAR_PREFIX_REGEXP = /\A[#{Regexp.escape(SPECIAL_CHARACTERS)}]/o
   URL_VALIDATION_REGEXP = %r{\Ahttps?://([^\s:@]+:[^\s:@]*@)?[A-Za-z\d-]+(\.[A-Za-z\d-]+)+\.?(:\d{1,5})?([/?]\S*)?\z}
   VERSION_PATTERN       = /\A#{Gem::Version::VERSION_PATTERN}\z/o
   REQUIREMENT_PATTERN   = Gem::Requirement::PATTERN
   BASE64_SHA256_PATTERN = %r{\A[0-9a-zA-Z_+/-]{43}={0,2}\z}
+  HANDLE_PATTERN        = /\A[A-Za-z][A-Za-z_\-0-9]*\z/
+  SPECIAL_CHAR_PREFIX_REGEXP = /\A[#{Regexp.escape(SPECIAL_CHARACTERS)}]/o
+  SPECIAL_CHAR_SUFFIX_REGEXP = /[#{Regexp.escape(SPECIAL_CHARACTERS)}]\z/o
+  BANNED_EXTENSIONS          = %w[gem json html gemspec].freeze
+  BANNED_EXTENSION_REGEXP    = /\.(?:#{Regexp.union(BANNED_EXTENSIONS)})\z/i
 end
diff --git a/lib/tasks/extraneous_dependencies.rake b/lib/tasks/extraneous_dependencies.rake
deleted file mode 100644
index 7ce9f834373..00000000000
--- a/lib/tasks/extraneous_dependencies.rake
+++ /dev/null
@@ -1,111 +0,0 @@
-require "tasks/helpers/compact_index_tasks_helper"
-
-namespace :extraneous_dependencies do
-  def fetch_spec_deps(full_name)
-    spec_uri = URI("https://rubygems.org/quick/Marshal.4.8/#{full_name}.gemspec.rz")
-    http = Net::HTTP.new(spec_uri.host, spec_uri.port)
-    http.use_ssl = true
-
-    request = Net::HTTP::Get.new(spec_uri.request_uri)
-    res = http.request(request)
-
-    raise StandardError, "fetch deps request for #{full_name} failed #{res.inspect}" unless res.code == "200"
-
-    spec_obj = Marshal.load(Gem::Util.inflate(res.body))
-
-    spec_run_deps = spec_obj.dependencies.filter_map do |s|
-      s.name.to_s.downcase if s.type == :runtime && Rubygem.where(name: s.name.to_s).present?
-    end.sort
-
-    spec_dev_deps = spec_obj.dependencies.filter_map do |s|
-      s.name.to_s.downcase if s.type == :development && Rubygem.where(name: s.name.to_s).present?
-    end.sort
-
-    [spec_run_deps, spec_dev_deps]
-  end
-
-  desc "Remove dependencies from DB where it doesn't match the gemspec"
-  task clean: :environment do |task|
-    ActiveRecord::Base.logger.level = 1 if Rails.env.development?
-
-    versions = Version.joins("inner join dependencies on versions.id = dependencies.version_id")
-      .where("date_trunc('day', dependencies.created_at) = '2009-09-02 00:00:00'::timestamp")
-      .where("versions.indexed = 'true'")
-      .distinct("versions.id")
-
-    total              = versions.count
-    processed          = 0
-    errored            = 0
-    dev_mis_match      = 0
-    run_mis_match      = 0
-    mis_match_versions = 0
-    total_deleted_deps = 0
-
-    Rails.logger.info "[extraneous_dependencies:clean] found #{total} versions for clean up"
-    versions.each do |version|
-      print format("\r%.2f%% (%d/%d) complete", processed.to_f / total * 100.0, processed, total)
-
-      spec_run_deps, spec_dev_deps = fetch_spec_deps(version.full_name)
-
-      db_run_deps = {}
-      db_dev_deps = {}
-      db_deps = version.dependencies.to_a
-      db_deps.each do |d|
-        db_run_deps[d.id.to_s] = d.rubygem.name.downcase if d.scope == "runtime" && d.rubygem.present?
-        db_dev_deps[d.id.to_s] = d.rubygem.name.downcase if d.scope == "development" && d.rubygem.present?
-      end
-
-      deps_to_delete = []
-      if spec_run_deps != db_run_deps.values.sort
-        unique_run_devs = []
-        db_run_deps.each do |id, name|
-          deps_to_delete << id unless spec_run_deps.include?(name)
-
-          if unique_run_devs.include?(name)
-            deps_to_delete << id
-          else
-            unique_run_devs << name
-          end
-        end
-
-        run_mis_match += 1
-        Rails.logger.info("[extraneous_dependencies:clean] spec and db run deps don't match " \
-                          "for: #{version.full_name} spec: #{spec_run_deps} db: #{db_run_deps}")
-      end
-
-      if spec_dev_deps != db_dev_deps.values.sort
-        unique_dev_deps = []
-        db_dev_deps.sort.to_h.each do |id, name|
-          if unique_dev_deps.include?(name)
-            deps_to_delete << id
-          else
-            unique_dev_deps << name
-          end
-        end
-
-        dev_mis_match += 1
-        Rails.logger.info("[extraneous_dependencies:clean] spec and db dev deps don't match " \
-                          "for: #{version.full_name} spec: #{spec_dev_deps} db: #{db_dev_deps}")
-      end
-
-      if deps_to_delete.present?
-        mis_match_versions += 1
-        total_deleted_deps += deps_to_delete.count
-        Rails.logger.info("[extraneous_dependencies:clean] deleting dependencies with ids: #{deps_to_delete}")
-        Dependency.destroy(deps_to_delete)
-
-        CompactIndexTasksHelper.update_last_checksum(version.rubygem, task)
-      end
-    rescue StandardError => e
-      errored += 1
-      Rails.logger.error("[extraneous_dependencies:clean] skipping #{version.inspect} - #{e.message}")
-    ensure
-      processed += 1
-    end
-
-    Rails.logger.info("[extraneous_dependencies:clean] #{total_deleted_deps} dependencies deleted")
-    Rails.logger.info("[extraneous_dependencies:clean] #{errored}/#{processed} errors")
-    Rails.logger.info("[extraneous_dependencies:clean] #{mis_match_versions}/#{processed} version mismatches " \
-                      "(run_deps: #{run_mis_match}, dev_deps: #{dev_mis_match})")
-  end
-end
diff --git a/lib/tasks/gemcutter.rake b/lib/tasks/gemcutter.rake
index 51987a3623c..c2e0c61935c 100644
--- a/lib/tasks/gemcutter.rake
+++ b/lib/tasks/gemcutter.rake
@@ -1,5 +1,3 @@
-require "tasks/helpers/gemcutter_tasks_helper"
-
 namespace :gemcutter do
   namespace :index do
     desc "Update the index"
@@ -26,84 +24,6 @@ namespace :gemcutter do
     end
   end
 
-  namespace :checksums do
-    desc "Initialize missing checksums."
-    task init: :environment do
-      without_sha256 = Version.where(sha256: nil)
-      mod = ENV["shard"]
-      without_sha256.where("id % 4 = ?", mod.to_i) if mod
-
-      total = without_sha256.count
-      i = 0
-      without_sha256.find_each do |version|
-        GemcutterTaskshelper.recalculate_sha256!(version)
-        i += 1
-        print format("\r%.2f%% (%d/%d) complete", i.to_f / total * 100.0, i, total)
-      end
-      puts
-      puts "Done."
-    end
-
-    desc "Check existing checksums."
-    task check: :environment do
-      failed = false
-      i = 0
-      total = Version.count
-      Version.find_each do |version|
-        actual_sha256 = GemcutterTaskshelper.recalculate_sha256(version.full_name)
-        if actual_sha256 && version.sha256 != actual_sha256
-          puts "#{version.full_name}.gem has sha256 '#{actual_sha256}', " \
-               "but '#{version.sha256}' was expected."
-          failed = true
-        end
-        i += 1
-        print format("\r%.2f%% (%d/%d) complete", i.to_f / total * 100.0, i, total)
-      end
-    end
-  end
-
-  namespace :metadata do
-    desc "Backfill old gem versions with metadata."
-    task backfill: :environment do
-      without_metadata = Version.where("metadata = ''")
-      mod = ENV["shard"]
-      without_metadata = without_metadata.where("id % 4 = ?", mod.to_i) if mod
-
-      total = without_metadata.count
-      i = 0
-      puts "Total: #{total}"
-      without_metadata.find_each do |version|
-        GemcutterTaskshelper.recalculate_metadata!(version)
-        i += 1
-        print format("\r%.2f%% (%d/%d) complete", i.to_f / total * 100.0, i, total)
-      end
-      puts
-      puts "Done."
-    end
-  end
-
-  namespace :required_ruby_version do
-    desc "Backfill gem versions with rubygems_version."
-    task backfill: :environment do
-      ActiveRecord::Base.logger.level = 1 if Rails.env.development?
-
-      without_required_ruby_version = Version.where("created_at < '2014-03-21' and required_ruby_version is null and indexed = true")
-      mod = ENV["shard"]
-      without_required_ruby_version = without_required_ruby_version.where("id % 4 = ?", mod.to_i) if mod
-
-      total = without_required_ruby_version.count
-      i = 0
-      puts "Total: #{total}"
-      without_required_ruby_version.find_each do |version|
-        GemcutterTaskshelper.assign_required_ruby_version!(version)
-        i += 1
-        print format("\r%.2f%% (%d/%d) complete", i.to_f / total * 100.0, i, total)
-      end
-      puts
-      puts "Done."
-    end
-  end
-
   namespace :typo do
     desc "Add names to gem typo exception list\nUsage: rake gemcutter:typo:exception[<gem_name>,<info>]"
     task :exception, %i[name info] => %i[environment] do |_task, args|
diff --git a/lib/tasks/helpers/gemcutter_tasks_helper.rb b/lib/tasks/helpers/gemcutter_tasks_helper.rb
deleted file mode 100644
index 77477f5dc69..00000000000
--- a/lib/tasks/helpers/gemcutter_tasks_helper.rb
+++ /dev/null
@@ -1,42 +0,0 @@
-module GemcutterTaskshelper
-  module_function
-
-  def recalculate_sha256(version_full_name)
-    key = "gems/#{version_full_name}.gem"
-    file = RubygemFs.instance.get(key)
-    Digest::SHA2.base64digest(file) if file
-  end
-
-  def recalculate_sha256!(version)
-    sha256 = recalculate_sha256(version.full_name)
-    version.update(sha256: sha256)
-  end
-
-  def recalculate_metadata!(version)
-    metadata = get_spec_attribute(version.full_name, "metadata")
-    version.update(metadata: metadata || {})
-  end
-
-  def assign_required_ruby_version!(version)
-    required_ruby_version = get_spec_attribute(version.full_name, "required_ruby_version")
-
-    return if required_ruby_version.nil? || required_ruby_version.to_s == ">= 0"
-    Rails.logger.info("[gemcutter:required_ruby_version:backfill] updating version: #{version.full_name} " \
-                      "with required_ruby_version: #{required_ruby_version}")
-
-    version.update_column(:required_ruby_version, required_ruby_version.to_s)
-    CompactIndexTasksHelper.update_last_checksum(version.rubygem, "gemcutter:required_ruby_version:backfill")
-  end
-
-  def get_spec_attribute(version_full_name, attribute_name)
-    key = "quick/Marshal.4.8/#{version_full_name}.gemspec.rz"
-    file = RubygemFs.instance.get(key)
-    return nil unless file
-    spec = Marshal.load(Gem::Util.inflate(file))
-    spec.send(attribute_name)
-  rescue StandardError => e
-    Rails.logger.info("[gemcutter:required_ruby_version:backfill] could not get required_ruby_version for version: #{version_full_name} " \
-                      "error: #{e.inspect}")
-    nil
-  end
-end
diff --git a/lib/tasks/helpers/importmap_helper.rb b/lib/tasks/helpers/importmap_helper.rb
index 861bcc589ca..7c95a909829 100644
--- a/lib/tasks/helpers/importmap_helper.rb
+++ b/lib/tasks/helpers/importmap_helper.rb
@@ -9,43 +9,60 @@ class Packager < Importmap::Packager
     self.endpoint = URI("https://api.jspm.io/generate")
 
     # Copied from https://github.com/rails/importmap-rails/pull/237
-    def verify(package, url)
+    def verify(package, url, verbose: false)
       ensure_vendor_directory_exists
 
-      return unless vendored_package_path(package).file?
-      verify_vendored_package(package, url)
+      unless vendored_package_path(package).file?
+        raise ImportmapHelper::VerifyError, "Pinned #{package}#{extract_package_version_from(url)} does not exist in vendor/javascript"
+      end
+      verify_vendored_package(package, url, verbose:)
     end
 
-    def verify_vendored_package(package, url)
+    def verify_vendored_package(package, url, verbose: false)
       vendored_body = vendored_package_path(package).read.strip
-      remote_body = load_package_file(package, url).strip
+      vendored_body = vendored_body.lines[2..].join if vendored_body.start_with?("//") # remove the importmap-rails comment
+      remote_body = load_package_file(url).strip
 
       return true if vendored_body == remote_body
 
-      raise ImportmapHelper::VerifyError, "Vendored #{package}#{extract_package_version_from(url)} does not match remote #{url}"
+      verbose_error = verbose ? verbose_diff(remote_body, vendored_body) : " (run with VERBOSE=true for diff)"
+      raise ImportmapHelper::VerifyError, "Vendored #{package}#{extract_package_version_from(url)} does not match remote #{url}#{verbose_error}"
     end
 
-    def load_package_file(package, url)
+    def load_package_file(url)
       response = Net::HTTP.get_response(URI(url))
 
       if response.code == "200"
-        format_vendored_package(package, url, response.body)
+        format_vendored_package(response.body)
       else
         handle_failure_response(response)
       end
     end
 
-    def format_vendored_package(package, url, source)
-      formatted = +""
-      if Gem::Version.new(Importmap::VERSION) > Gem::Version.new("2.0.1")
-        formatted.concat "// #{package}#{extract_package_version_from(url)} downloaded from #{url}\n\n"
+    def format_vendored_package(source)
+      remove_sourcemap_comment_from(source).force_encoding("UTF-8")
+    end
+
+    def save_vendored_package(package, url, source)
+      File.open(vendored_package_path(package), "w+") do |vendored_package|
+        vendored_package.write "// #{package}#{extract_package_version_from(url)} downloaded from #{url}\n\n"
+
+        vendored_package.write remove_sourcemap_comment_from(source).force_encoding("UTF-8")
       end
-      formatted.concat remove_sourcemap_comment_from(source).force_encoding("UTF-8")
-      formatted
     end
 
-    def save_vendored_package(package, _url, source)
-      File.write(vendored_package_path(package), source)
+    def verbose_diff(remote_body, vendored_body)
+      require "diff/lcs"
+      diffs = Diff::LCS.sdiff(remote_body.split("\n"), vendored_body.split("\n"))
+      out = "\n\nDiff:\n- Remote\n+ Vendored\n\n"
+      out + diffs.map do |diff|
+        case diff.action
+        when "-" then "- #{diff.old_element}"
+        when "!" then "- #{diff.old_element}\n+ #{diff.new_element}"
+        when "+" then "+ #{diff.new_element}"
+        when "=" then "  #{diff.old_element}"
+        end
+      end.join("\n")
     end
 
     public :vendored_package_path
diff --git a/lib/tasks/importmap.rake b/lib/tasks/importmap.rake
index e941b84d6c2..22d9283516c 100644
--- a/lib/tasks/importmap.rake
+++ b/lib/tasks/importmap.rake
@@ -6,11 +6,18 @@ require "tasks/helpers/importmap_helper"
 namespace :importmap do
   desc "Verify downloaded packages in vendor/javascript"
   task :verify do # rubocop:disable Rails/RakeEnvironment
-    all_files = Rails.root.glob("vendor/javascript/*.js").map { |p| p.relative_path_from(Rails.root) }
-    all_files.delete(Pathname.new("vendor/javascript/github-buttons.js")) || raise("importmap:verify expected github-buttons.js not found")
-    all_files.delete(Pathname.new("vendor/javascript/webauthn-json.js")) || raise("importmap:verify expected webauthn-json.js not found")
+    options = { env: "production", from: "jspm.io" }
+    importmap_path = "config/importmap.rb"
+    vendor_pathname = Rails.root.join("vendor/javascript")
+    all_files = vendor_pathname.glob("*.js").map { |p| p.relative_path_from(Rails.root) }
+    manually_vendored_files = ["github-buttons.js", "webauthn-json.js"]
 
-    npm = Importmap::Npm.new(Rails.root.join("config/importmap.rb"))
+    manually_vendored_files.each do |filename|
+      path = vendor_pathname.join(filename).relative_path_from(Rails.root)
+      all_files.delete(path) || raise("importmap:verify expected #{path} not found")
+    end
+
+    npm = Importmap::Npm.new(importmap_path)
 
     packages = npm.packages_with_versions.map do |p, v|
       v.blank? ? p : [p, v].join("@")
@@ -18,12 +25,15 @@ namespace :importmap do
 
     puts "Verifying packages in vendor/javascript"
 
-    packager = ImportmapHelper::Packager.new
+    packager = ImportmapHelper::Packager.new(
+      importmap_path,
+      vendor_path: vendor_pathname.relative_path_from(Rails.root)
+    )
 
-    if (imports = packager.import(*packages, env: "production", from: "jspm.io"))
+    if (imports = packager.import(*packages, **options))
       imports.each do |package, url|
         puts %(Verifying "#{package}" download from #{url})
-        packager.verify(package, url)
+        packager.verify(package, url, verbose: ENV["VERBOSE"])
         path = packager.vendored_package_path(package)
         puts %(Verified  "#{package}" at #{path})
         all_files.delete path
@@ -45,4 +55,27 @@ namespace :importmap do
       exit 1
     end
   end
+
+  desc "Re-download all packages in the importmap with the same versions"
+  task pristine: :environment do
+    options = { env: "production", from: "jspm.io" }
+    npm = Importmap::Npm.new(Rails.root.join("config/importmap.rb"))
+
+    packages = npm.packages_with_versions.map do |p, v|
+      v.blank? ? p : [p, v].join("@")
+    end
+
+    puts "Downloading pristine packages from #{options[:from]} to vendor/javascript"
+
+    packager = ImportmapHelper::Packager.new
+
+    if (imports = packager.import(*packages, env: options[:env], from: options[:from]))
+      imports.each do |package, url|
+        puts %(Downloading pinned "#{package}" to #{packager.vendor_path}/#{package}.js from #{url})
+        packager.download(package, url)
+      end
+    else
+      puts "Couldn't find any packages in #{packages.inspect} on #{options[:from]}"
+    end
+  end
 end
diff --git a/public/robots.txt b/public/robots.txt
index 1fab05ef6e9..a1bc7a1368b 100644
--- a/public/robots.txt
+++ b/public/robots.txt
@@ -1,3 +1,4 @@
+# See https://www.robotstxt.org/robotstxt.html for documentation on how to use the robots.txt file
 User-agent: *
 Disallow: /downloads/
 Disallow: /gems?letter=*
diff --git a/script/build_docker.sh b/script/build_docker.sh
index 11ed8f8fcc0..55157c18c01 100755
--- a/script/build_docker.sh
+++ b/script/build_docker.sh
@@ -22,6 +22,8 @@ docker buildx build --cache-from=type=local,src=/tmp/.buildx-cache \
   --tag "$DOCKER_TAG" \
   --build-arg RUBYGEMS_VERSION="$RUBYGEMS_VERSION" \
   --build-arg REVISION="$GITHUB_SHA" \
+  --build-arg BUNDLE_WITH="$([ -n "${BUNDLE_PACKAGER__DEV}" ] && echo "avo")" \
+  --secret id=BUNDLE_PACKAGER__DEV \
   .
 
 # This is a ruby script we run to ensure that all dependencies are configured properly in
@@ -66,6 +68,7 @@ fi
 pusher_arn="arn:aws:iam::048268392960:role/rubygems-ecr-pusher"
 caller_arn="$(aws sts get-caller-identity --output text --query Arn || true)"
 
+set +x
 [[ "$caller_arn" == "$pusher_arn" ]] ||
   [[ "$caller_arn" == "arn:aws:sts::048268392960:assumed-role/rubygems-ecr-pusher/GitHubActions" ]] ||
   export $(printf "AWS_ACCESS_KEY_ID=%s AWS_SECRET_ACCESS_KEY=%s AWS_SESSION_TOKEN=%s" \
@@ -75,6 +78,7 @@ caller_arn="$(aws sts get-caller-identity --output text --query Arn || true)"
       --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
       --output text)) ||
   true
+set -x
 
 if [[ -z "${AWS_SESSION_TOKEN}" ]]; then
   echo "Skipping push since no AWS session token was found"
diff --git a/script/dev b/script/dev
index a58371a0a8f..2406a5181c6 100755
--- a/script/dev
+++ b/script/dev
@@ -2,10 +2,11 @@
 
 export GITHUB_KEY="op://bq25xfqpafelzdxwqu3mdq6rza/zsq3oitss3rbo4njqpjfd5r5cm/GITHUB_KEY"
 export GITHUB_SECRET="op://bq25xfqpafelzdxwqu3mdq6rza/zsq3oitss3rbo4njqpjfd5r5cm/GITHUB_SECRET"
-export AVO_LICENSE_KEY="op://bq25xfqpafelzdxwqu3mdq6rza/netp2leghd7zqdxlkp5asy67d4/license key"
+export AVO_LICENSE_KEY="op://bq25xfqpafelzdxwqu3mdq6rza/y32yshzph7shehubizpzphv6oe/license key"
 export DATADOG_CSP_API_KEY="op://bq25xfqpafelzdxwqu3mdq6rza/eisktguwm3pcfkwm7avqamdnxq/credential"
 export HOOK_RELAY_ACCOUNT_ID="op://bq25xfqpafelzdxwqu3mdq6rza/s3fs2zznjssijxouugddmwnuma/username"
 export HOOK_RELAY_HOOK_ID="op://bq25xfqpafelzdxwqu3mdq6rza/s3fs2zznjssijxouugddmwnuma/credential"
+export HOOK_RELAY_API_KEY="op://bq25xfqpafelzdxwqu3mdq6rza/s3fs2zznjssijxouugddmwnuma/API Key"
 export LAUNCH_DARKLY_SDK_KEY="op://bq25xfqpafelzdxwqu3mdq6rza/3o73k6fcenzrbspwcm4g4j5z2a/credential"
 
-exec op run --account 5MS5DHTO5NH7BAHTSIGT5NOAIE -- "${@}"
+exec op run --no-masking --account 5MS5DHTO5NH7BAHTSIGT5NOAIE -- "${@}"
diff --git a/script/update-rubygems b/script/update-rubygems
new file mode 100755
index 00000000000..fe2677126c5
--- /dev/null
+++ b/script/update-rubygems
@@ -0,0 +1,78 @@
+#!/usr/bin/env ruby
+
+unless ARGV.empty?
+  puts "Usage: #{$PROGRAM_NAME}"
+  exit 1
+end
+
+require "bundler"
+require "yaml"
+
+return unless (bundler_version = Bundler.self_manager.send(:resolve_update_version_from, ">= 0")&.version)
+rubygems_version = Gem::Version.new(bundler_version.segments.tap { |s| s[0] += 1 }.join("."))
+
+def order_nodes(nodes)
+  methods = %i[start_line start_column end_line end_column]
+  nodes.sort_by { |node| methods.map { |k| node.send(k) } }.reverse
+end
+
+def find_nodes(node, path) # rubocop:disable Metrics
+  return [node] if path.empty?
+  head, *tail = path
+
+  raise "Expected to index #{path}, got #{node}" if node.scalar?
+
+  if head == "*"
+    if node.sequence?
+      return node.children.flat_map { |child| find_nodes(child, tail) }.compact
+    elsif node.mapping?
+      return node.children.each_slice(2).flat_map { |_, v| find_nodes(v, tail) }.compact
+    else
+      raise "Expected to index #{path}, got #{node}"
+    end
+  end
+
+  if node.document?
+    find_nodes(node.root, path)
+  elsif node.sequence?
+    head, expected_value = head.split("=", 2)
+    if expected_value
+      node.to_ruby.each_with_index.select { |h, _| h[head] == expected_value }.map(&:last).flat_map { |i| find_nodes(node.children[i], tail) }
+    else
+      find_nodes(node.children[head.to_i], tail)
+    end
+  elsif node.mapping?
+    node.children.each_slice(2).flat_map { |k, v| find_nodes(v, tail) if k.value == head && (!expected_value || expected_value == k.value) }.compact
+  else
+    raise "Expected to index #{path}, got #{node}"
+  end
+end
+
+def sub_yaml(file, path, value)
+  nodes = find_nodes YAML.parse_file(file), path
+  contents = File.read(file)
+  lines = contents.lines
+  order_nodes(nodes).each do |node|
+    raise "Expected single line node, got #{node}" if node.start_line != node.end_line
+    line = lines[node.start_line]
+    range = node.start_column..node.end_column.pred
+    raise "Expected range to be #{node.value.inspect}, is #{line[range].inspect}" unless YAML.load(line[range]) == node.value
+    line[range] = value
+  end
+  File.write(file, lines.join)
+end
+
+sub_yaml ".github/workflows/docker.yml", %w[jobs * env RUBYGEMS_VERSION], rubygems_version.to_s.inspect
+sub_yaml ".github/workflows/test.yml", %w[jobs * strategy matrix rubygems 0 version], rubygems_version.to_s.inspect
+
+ruby_version = File.read(".ruby-version").strip
+
+%w[Dockerfile .devcontainer/Dockerfile].each do |f|
+  File.write(f, File.read(f).sub(/(RUBY_VERSION=)[\d.]+/, "\\1#{ruby_version}"))
+end
+
+sub_yaml ".github/workflows/docker.yml", %w[jobs * env RUBY_VERSION], ruby_version.inspect
+sub_yaml ".github/workflows/test.yml", %w[jobs * strategy matrix ruby_version 0], ruby_version.inspect
+sub_yaml ".github/workflows/test.yml", %w[jobs * strategy matrix include * ruby_version], ruby_version.inspect
+
+system("bundle", "update", "--bundler=#{bundler_version}", exception: true)
diff --git a/test/application_system_test_case.rb b/test/application_system_test_case.rb
index ff04317430c..c7f25952c16 100644
--- a/test/application_system_test_case.rb
+++ b/test/application_system_test_case.rb
@@ -2,5 +2,16 @@
 
 class ApplicationSystemTestCase < ActionDispatch::SystemTestCase
   include OauthHelpers
-  driven_by :selenium, using: :headless_chrome, screen_size: [1400, 1400]
+  include AvoHelpers
+
+  if ENV["CAPYBARA_SERVER_PORT"]
+    served_by host: "rails-app", port: ENV["CAPYBARA_SERVER_PORT"]
+
+    driven_by :selenium, using: :headless_chrome, screen_size: [1400, 1400], options: {
+      browser: :remote,
+      url: "http://#{ENV['SELENIUM_HOST']}:4444"
+    }
+  else
+    driven_by :selenium, using: :headless_chrome, screen_size: [1400, 1400]
+  end
 end
diff --git a/test/components/previews/oidc/trusted_publisher/github_action/form_component_preview.rb b/test/components/previews/oidc/trusted_publisher/github_action/form_component_preview.rb
index c02271a38fe..c2df0ed77c0 100644
--- a/test/components/previews/oidc/trusted_publisher/github_action/form_component_preview.rb
+++ b/test/components/previews/oidc/trusted_publisher/github_action/form_component_preview.rb
@@ -9,11 +9,11 @@ def default(factory: :oidc_rubygem_trusted_publisher, environment: nil, reposito
   class Wrapper < Phlex::HTML
     include Phlex::Rails::Helpers::FormWith
 
-    extend Dry::Initializer
-    option :form_object
+    extend PropInitializer::Properties
+    prop :form_object
 
     def view_template
-      form_with(model: form_object, url: "/") do |github_action_form|
+      form_with(model: @form_object, url: "/") do |github_action_form|
         render OIDC::TrustedPublisher::GitHubAction::FormComponent.new(github_action_form:)
         github_action_form.submit class: "form__submit", disabled: true
       end
diff --git a/test/factories/api_key.rb b/test/factories/api_key.rb
index e7c1fc38de8..e3083e644d2 100644
--- a/test/factories/api_key.rb
+++ b/test/factories/api_key.rb
@@ -1,7 +1,9 @@
 FactoryBot.define do
   factory :api_key do
-    transient { key { "12345" } }
-    transient { rubygem { nil } }
+    transient do
+      sequence(:key, &:to_s)
+      rubygem { nil }
+    end
 
     owner factory: %i[user]
     name { "ci-key" }
@@ -14,5 +16,10 @@
     after(:build) do |api_key, evaluator|
       api_key.rubygem_id = evaluator.rubygem.id if evaluator.rubygem
     end
+
+    trait :trusted_publisher do
+      owner factory: %i[oidc_trusted_publisher_github_action]
+      transient { key { SecureRandom.hex(4) } }
+    end
   end
 end
diff --git a/test/factories/attestations.rb b/test/factories/attestations.rb
new file mode 100644
index 00000000000..aa7dafc36d0
--- /dev/null
+++ b/test/factories/attestations.rb
@@ -0,0 +1,7 @@
+FactoryBot.define do
+  factory :attestation do
+    version
+    media_type { Sigstore::BundleType::BUNDLE_0_3.media_type }
+    body factory: %i[sigstore_bundle]
+  end
+end
diff --git a/test/factories/events/organization_events.rb b/test/factories/events/organization_events.rb
new file mode 100644
index 00000000000..09893b5a748
--- /dev/null
+++ b/test/factories/events/organization_events.rb
@@ -0,0 +1,8 @@
+FactoryBot.define do
+  factory :events_organization_event, class: "Events::OrganizationEvent" do
+    tag { "organization:created" }
+    organization
+    ip_address
+    additional { nil }
+  end
+end
diff --git a/test/factories/memberships.rb b/test/factories/memberships.rb
new file mode 100644
index 00000000000..0056afa4a28
--- /dev/null
+++ b/test/factories/memberships.rb
@@ -0,0 +1,20 @@
+FactoryBot.define do
+  factory :membership do
+    user
+    organization
+    confirmed_at { Time.zone.now }
+    role { :maintainer }
+
+    trait :maintainer do
+      role { :maintainer }
+    end
+
+    trait :owner do
+      role { :owner }
+    end
+
+    trait :admin do
+      role { :admin }
+    end
+  end
+end
diff --git a/test/factories/organization_onboarding_invites.rb b/test/factories/organization_onboarding_invites.rb
new file mode 100644
index 00000000000..73c7f4779b4
--- /dev/null
+++ b/test/factories/organization_onboarding_invites.rb
@@ -0,0 +1,7 @@
+FactoryBot.define do
+  factory :organization_onboarding_invite do
+    organization_onboarding { association(:organization_onboarding) }
+    user { association(:user) }
+    role { "owner" }
+  end
+end
diff --git a/test/factories/organization_onboardings.rb b/test/factories/organization_onboardings.rb
new file mode 100644
index 00000000000..7de553f8d3b
--- /dev/null
+++ b/test/factories/organization_onboardings.rb
@@ -0,0 +1,51 @@
+FactoryBot.define do
+  factory :organization_onboarding do
+    transient do
+      approved_invites { [] }
+      authorizer { create(:user) } # rubocop:disable FactoryBot/FactoryAssociationWithStrategy
+      namesake_rubygem { create(:rubygem) } # rubocop:disable FactoryBot/FactoryAssociationWithStrategy
+    end
+
+    created_by { association(:user) }
+
+    organization_name { namesake_rubygem.name }
+    organization_handle { namesake_rubygem.name }
+
+    rubygems do
+      [namesake_rubygem.id]
+    end
+
+    after(:build) do |organization_onboarding, evaluator|
+      Ownership.find_or_create_by(
+        user: organization_onboarding.created_by,
+        rubygem: evaluator.namesake_rubygem,
+        authorizer: evaluator.authorizer,
+        role: "owner"
+      )
+      evaluator.approved_invites.each do |invitee|
+        organization_onboarding.invites.find_or_initialize_by(user: invitee[:user]).role = invitee[:role]
+      end
+    end
+
+    trait :completed do
+      status { :completed }
+      onboarded_at { Time.zone.now }
+    end
+
+    trait :failed do
+      error { "Failed to onboard" }
+      status { :failed }
+    end
+
+    trait :user do
+      name_type { "gem" } # temporarily set to gem during release when username is disabled
+
+      # organization_name { "Rubygems" }
+      # organization_handle { created_by.handle }
+
+      # rubygems do
+      #   []
+      # end
+    end
+  end
+end
diff --git a/test/factories/organizations.rb b/test/factories/organizations.rb
new file mode 100644
index 00000000000..6a7697e236b
--- /dev/null
+++ b/test/factories/organizations.rb
@@ -0,0 +1,36 @@
+FactoryBot.define do
+  factory :organization do
+    transient do
+      owners { [] }
+      admins { [] }
+      maintainers { [] }
+      rubygems { [] }
+    end
+
+    handle
+    name
+    deleted_at { nil }
+
+    after(:create) do |organization, evaluator|
+      evaluator.owners.each do |user|
+        create(:membership, user: user, organization: organization, role: :owner)
+      end
+
+      evaluator.admins.each do |user|
+        create(:membership, user: user, organization: organization, role: :admin)
+      end
+
+      evaluator.maintainers.each do |user|
+        create(:membership, user: user, organization: organization, role: :maintainer)
+      end
+
+      evaluator.rubygems.each do |rubygem|
+        rubygem.update(organization: organization)
+      end
+    end
+
+    trait :with_members do
+      memberships { build_list(:membership, 2) }
+    end
+  end
+end
diff --git a/test/factories/ownership.rb b/test/factories/ownership.rb
index 196cb80382a..9931e2754e2 100644
--- a/test/factories/ownership.rb
+++ b/test/factories/ownership.rb
@@ -4,8 +4,14 @@
     user
     confirmed_at { Time.current }
     authorizer { association :user }
+    role { :owner }
+
     trait :unconfirmed do
       confirmed_at { nil }
     end
+
+    trait :maintainer do
+      role { :maintainer }
+    end
   end
 end
diff --git a/test/factories/rubygem.rb b/test/factories/rubygem.rb
index 78224af58d9..285e833a735 100644
--- a/test/factories/rubygem.rb
+++ b/test/factories/rubygem.rb
@@ -2,6 +2,7 @@
   factory :rubygem do
     transient do
       owners { [] }
+      maintainers { [] }
       number { nil }
       downloads { 0 }
     end
@@ -18,7 +19,11 @@
 
     after(:create) do |rubygem, evaluator|
       evaluator.owners.each do |owner|
-        create(:ownership, rubygem: rubygem, user: owner)
+        create(:ownership, rubygem: rubygem, user: owner, role: :owner)
+      end
+
+      evaluator.maintainers.each do |maintainer|
+        create(:ownership, rubygem: rubygem, user: maintainer, role: :maintainer)
       end
 
       create(:version, rubygem: rubygem, number: evaluator.number) if evaluator.number
diff --git a/test/factories/sigstore.rb b/test/factories/sigstore.rb
new file mode 100644
index 00000000000..4bb3636866f
--- /dev/null
+++ b/test/factories/sigstore.rb
@@ -0,0 +1,36 @@
+FactoryBot.define do
+  factory :sigstore_x509_certificate, class: "Sigstore::Common::V1::X509Certificate" do
+    transient do
+      x509_certificate factory: %i[x509_certificate key_usage github_actions_fulcio]
+    end
+    initialize_with do
+      cert = new
+      cert.raw_bytes = x509_certificate.to_der
+      cert
+    end
+    to_create { |instance| instance }
+  end
+  factory :sigstore_verification_material, class: "Sigstore::Bundle::V1::VerificationMaterial" do
+    certificate factory: %i[sigstore_x509_certificate]
+    tlog_entries { [build(:sigstore_tlog_entry)] }
+    to_create { |instance| instance }
+  end
+  factory :sigstore_checkpoint, class: "Sigstore::Rekor::V1::Checkpoint" do
+    to_create { |instance| instance }
+  end
+  factory :sigstore_inclusion_proof, class: "Sigstore::Rekor::V1::InclusionProof" do
+    checkpoint factory: %i[sigstore_checkpoint]
+    to_create { |instance| instance }
+  end
+  factory :sigstore_tlog_entry, class: "Sigstore::Rekor::V1::TransparencyLogEntry" do
+    sequence(:log_index)
+    inclusion_proof factory: %i[sigstore_inclusion_proof]
+    to_create { |instance| instance }
+  end
+
+  factory :sigstore_bundle, class: "Sigstore::Bundle::V1::Bundle" do
+    media_type { Sigstore::BundleType::BUNDLE_0_3.media_type }
+    verification_material factory: %i[sigstore_verification_material]
+    to_create { |instance| instance }
+  end
+end
diff --git a/test/factories/user.rb b/test/factories/user.rb
index 8e7460601b5..29bd04cb235 100644
--- a/test/factories/user.rb
+++ b/test/factories/user.rb
@@ -47,5 +47,10 @@
       mfa_level { User.mfa_levels["ui_and_gem_signin"] }
       mfa_recovery_codes { %w[aaa bbb ccc] }
     end
+
+    trait :blocked do
+      email { "security+locked-#{SecureRandom.hex(4)}@rubygems.org" }
+      blocked_email { "test@example.com" }
+    end
   end
 end
diff --git a/test/factories/x509.rb b/test/factories/x509.rb
new file mode 100644
index 00000000000..bdf3b452f3a
--- /dev/null
+++ b/test/factories/x509.rb
@@ -0,0 +1,78 @@
+FactoryBot.define do
+  factory :x509_certificate, class: "OpenSSL::X509::Certificate" do
+    subject { OpenSSL::X509::Name.parse("/DC=org/DC=example/CN=Test") }
+    issuer { subject }
+    version { 2 }
+    serial { 1 }
+    not_before { 1.day.ago }
+    not_after { 1.year.from_now }
+    public_key { OpenSSL::PKey::EC.generate("prime256v1") }
+    transient do
+      extension_factory { OpenSSL::X509::ExtensionFactory.new }
+    end
+
+    trait :key_usage do
+      after(:build) do |cert, ctx|
+        cert.add_extension(ctx.extension_factory.create_ext("keyUsage", "digitalSignature", true))
+        cert.add_extension(ctx.extension_factory.create_ext("2.5.29.37", "critical,DER:30:0A:06:08:2B:06:01:05:05:07:03:03"))
+      end
+    end
+
+    trait :github_actions_fulcio do
+      after(:build) do |cert, ctx|
+        {
+          "1.3.6.1.4.1.57264.1.1" =>
+                "https://token.actions.githubusercontent.com",
+            "1.3.6.1.4.1.57264.1.2" =>
+                "release",
+            "1.3.6.1.4.1.57264.1.3" =>
+                "f106999a2210a9a17b32b172f95518859a85ffed",
+            "1.3.6.1.4.1.57264.1.4" =>
+                "Release",
+            "1.3.6.1.4.1.57264.1.5" =>
+                "sigstore/sigstore-ruby",
+            "1.3.6.1.4.1.57264.1.6" =>
+                "refs/tags/v0.1.1",
+            "1.3.6.1.4.1.57264.1.8" =>
+                "https://token.actions.githubusercontent.com",
+            "1.3.6.1.4.1.57264.1.9" =>
+                ".Xhttps://github.com/sigstore/sigstore-ruby/.github/workflows/release.yml@refs/tags/v0.1.1",
+            "1.3.6.1.4.1.57264.1.10" =>
+                ".(f106999a2210a9a17b32b172f95518859a85ffed",
+            "1.3.6.1.4.1.57264.1.11" =>
+                ".githubHosted",
+            "1.3.6.1.4.1.57264.1.12" =>
+                ".)https://github.com/sigstore/sigstore-ruby",
+            "1.3.6.1.4.1.57264.1.13" =>
+                ".(f106999a2210a9a17b32b172f95518859a85ffed",
+            "1.3.6.1.4.1.57264.1.14" =>
+                "..refs/tags/v0.1.1",
+            "1.3.6.1.4.1.57264.1.15" =>
+                "..766398650",
+            "1.3.6.1.4.1.57264.1.16" =>
+                "..https://github.com/sigstore",
+            "1.3.6.1.4.1.57264.1.17" =>
+                "..71096353",
+            "1.3.6.1.4.1.57264.1.18" =>
+                ".Xhttps://github.com/sigstore/sigstore-ruby/.github/workflows/release.yml@refs/tags/v0.1.1",
+            "1.3.6.1.4.1.57264.1.19" =>
+                ".(f106999a2210a9a17b32b172f95518859a85ffed",
+            "1.3.6.1.4.1.57264.1.20" =>
+                "..release",
+            "1.3.6.1.4.1.57264.1.21" =>
+                ".Mhttps://github.com/sigstore/sigstore-ruby/actions/runs/11446323187/attempts/1",
+            "1.3.6.1.4.1.57264.1.22" =>
+                "..public"
+        }.each do |oid, value|
+          cert.add_extension(ctx.extension_factory.create_ext(oid, "ASN1:UTF8String:#{value}", false))
+        end
+      end
+    end
+
+    after(:build) do |cert, ctx|
+      cert.sign(ctx.public_key, OpenSSL::Digest.new("SHA256"))
+    end
+
+    to_create { |instance| instance }
+  end
+end
diff --git a/test/functional/api/v1/api_keys_controller_test.rb b/test/functional/api/v1/api_keys_controller_test.rb
index 62066783a9b..b0ba00d58e5 100644
--- a/test/functional/api/v1/api_keys_controller_test.rb
+++ b/test/functional/api/v1/api_keys_controller_test.rb
@@ -469,12 +469,7 @@ def self.should_expect_otp_for_update
 
         should "deny access" do
           assert_response :forbidden
-          mfa_error = <<~ERROR.chomp
-            [ERROR] For protection of your account and your gems, you are required to set up multi-factor authentication \
-            at https://rubygems.org/totp/new.
-
-            Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
-          ERROR
+          mfa_error = I18n.t("multifactor_auths.api.mfa_required_not_yet_enabled").chomp
 
           assert_match mfa_error, @response.body
         end
@@ -488,12 +483,7 @@ def self.should_expect_otp_for_update
 
         should "deny access" do
           assert_response :forbidden
-          mfa_error = <<~ERROR.chomp
-            [ERROR] For protection of your account and your gems, you are required to change your MFA level to 'UI and gem signin' or 'UI and API' \
-            at https://rubygems.org/settings/edit.
-
-            Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
-          ERROR
+          mfa_error = I18n.t("multifactor_auths.api.mfa_required_weak_level_enabled").chomp
 
           assert_match mfa_error, @response.body
         end
diff --git a/test/functional/api/v1/deletions_controller_test.rb b/test/functional/api/v1/deletions_controller_test.rb
index 2bd2d47a6e0..9be60bb1bea 100644
--- a/test/functional/api/v1/deletions_controller_test.rb
+++ b/test/functional/api/v1/deletions_controller_test.rb
@@ -189,12 +189,7 @@ class Api::V1::DeletionsControllerTest < ActionController::TestCase
           should respond_with :forbidden
 
           should "show error message" do
-            mfa_error = <<~ERROR.chomp
-              [ERROR] For protection of your account and your gems, you are required to set up multi-factor authentication \
-              at https://rubygems.org/totp/new.
-
-              Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
-            ERROR
+            mfa_error = I18n.t("multifactor_auths.api.mfa_required_not_yet_enabled").chomp
 
             assert_includes @response.body, mfa_error
           end
@@ -209,12 +204,7 @@ class Api::V1::DeletionsControllerTest < ActionController::TestCase
           should respond_with :forbidden
 
           should "show error message" do
-            mfa_error = <<~ERROR.chomp
-              [ERROR] For protection of your account and your gems, you are required to change your MFA level to 'UI and gem signin' or 'UI and API' \
-              at https://rubygems.org/settings/edit.
-
-              Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
-            ERROR
+            mfa_error = I18n.t("multifactor_auths.api.mfa_required_weak_level_enabled").chomp
 
             assert_includes @response.body, mfa_error
           end
@@ -290,12 +280,7 @@ class Api::V1::DeletionsControllerTest < ActionController::TestCase
               delete :create, params: { gem_name: gem[:name], version: gem[:version] }
 
               assert_response gem[:deletion_status]
-              mfa_warning = <<~WARN.chomp
-
-
-                [WARNING] For protection of your account and gems, we encourage you to set up multi-factor authentication \
-                at https://rubygems.org/totp/new. Your account will be required to have MFA enabled in the future.
-              WARN
+              mfa_warning = "\n\n#{I18n.t('multifactor_auths.api.mfa_recommended_not_yet_enabled')}".chomp
 
               assert_includes @response.body, mfa_warning
             end
@@ -312,13 +297,7 @@ class Api::V1::DeletionsControllerTest < ActionController::TestCase
               delete :create, params: { gem_name: gem[:name], version: gem[:version] }
 
               assert_response gem[:deletion_status]
-              mfa_warning = <<~WARN.chomp
-
-
-                [WARNING] For protection of your account and gems, we encourage you to change your multi-factor authentication \
-                level to 'UI and gem signin' or 'UI and API' at https://rubygems.org/settings/edit. \
-                Your account will be required to have MFA enabled on one of these levels in the future.
-              WARN
+              mfa_warning = "\n\n#{I18n.t('multifactor_auths.api.mfa_recommended_weak_level_enabled')}".chomp
 
               assert_includes @response.body, mfa_warning
             end
@@ -336,9 +315,8 @@ class Api::V1::DeletionsControllerTest < ActionController::TestCase
               delete :create, params: { gem_name: gem[:name], version: gem[:version] }
 
               assert_response gem[:deletion_status]
-              mfa_warning = "[WARNING] For protection of your account and gems"
-
-              refute_includes @response.body, mfa_warning
+              refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
+              refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
             end
           end
         end
@@ -354,9 +332,8 @@ class Api::V1::DeletionsControllerTest < ActionController::TestCase
               delete :create, params: { gem_name: gem[:name], version: gem[:version] }
 
               assert_response gem[:deletion_status]
-              mfa_warning = "[WARNING] For protection of your account and gems"
-
-              refute_includes @response.body, mfa_warning
+              refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
+              refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
             end
           end
         end
@@ -607,7 +584,7 @@ class Api::V1::DeletionsControllerTest < ActionController::TestCase
     should respond_with :forbidden
 
     should "return body that starts with denied access message" do
-      assert @response.body.start_with?("The API key doesn't have access")
+      assert_equal "This API key cannot perform the specified action on this gem.", @response.body
     end
   end
 end
diff --git a/test/functional/api/v1/owners_controller_test.rb b/test/functional/api/v1/owners_controller_test.rb
index 6a2369bc2ca..e1164f85882 100644
--- a/test/functional/api/v1/owners_controller_test.rb
+++ b/test/functional/api/v1/owners_controller_test.rb
@@ -2,6 +2,7 @@
 
 class Api::V1::OwnersControllerTest < ActionController::TestCase
   include ActiveJob::TestHelper
+  include ActionMailer::TestHelper
 
   def self.should_respond_to(format)
     should "route GET show with #{format.to_s.upcase}" do
@@ -401,12 +402,8 @@ def self.should_respond_to(format)
               post :create, params: { rubygem_id: @rubygem.slug, email: email }
 
               assert_equal 403, @response.status
-              mfa_error = <<~ERROR.chomp
-                [ERROR] For protection of your account and your gems, you are required to set up multi-factor authentication \
-                at https://rubygems.org/totp/new.
+              mfa_error = I18n.t("multifactor_auths.api.mfa_required_not_yet_enabled").chomp
 
-                Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
-              ERROR
               assert_includes @response.body, mfa_error
             end
           end
@@ -422,12 +419,8 @@ def self.should_respond_to(format)
               post :create, params: { rubygem_id: @rubygem.slug, email: email }
 
               assert_equal 403, @response.status
-              mfa_error = <<~ERROR.chomp
-                [ERROR] For protection of your account and your gems, you are required to change your MFA level to 'UI and gem signin' or 'UI and API' \
-                at https://rubygems.org/settings/edit.
+              mfa_error = I18n.t("multifactor_auths.api.mfa_required_weak_level_enabled").chomp
 
-                Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
-              ERROR
               assert_includes @response.body, mfa_error
             end
           end
@@ -473,12 +466,7 @@ def self.should_respond_to(format)
           should "include mfa setup warning" do
             @emails.each do |email|
               post :create, params: { rubygem_id: @rubygem.slug, email: email }
-              mfa_warning = <<~WARN.chomp
-
-
-                [WARNING] For protection of your account and gems, we encourage you to set up multi-factor authentication \
-                at https://rubygems.org/totp/new. Your account will be required to have MFA enabled in the future.
-              WARN
+              mfa_warning = "\n\n#{I18n.t('multifactor_auths.api.mfa_recommended_not_yet_enabled')}".chomp
 
               assert_includes @response.body, mfa_warning
             end
@@ -493,13 +481,7 @@ def self.should_respond_to(format)
           should "include change mfa level warning" do
             @emails.each do |email|
               post :create, params: { rubygem_id: @rubygem.slug, email: email }
-              mfa_warning = <<~WARN.chomp
-
-
-                [WARNING] For protection of your account and gems, we encourage you to change your multi-factor authentication \
-                level to 'UI and gem signin' or 'UI and API' at https://rubygems.org/settings/edit. \
-                Your account will be required to have MFA enabled on one of these levels in the future.
-              WARN
+              mfa_warning = "\n\n#{I18n.t('multifactor_auths.api.mfa_recommended_weak_level_enabled')}".chomp
 
               assert_includes @response.body, mfa_warning
             end
@@ -514,9 +496,9 @@ def self.should_respond_to(format)
           should "not include MFA warnings" do
             @emails.each do |email|
               post :create, params: { rubygem_id: @rubygem.slug, email: email }
-              mfa_warning = "[WARNING] For protection of your account and gems"
 
-              refute_includes @response.body, mfa_warning
+              refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
+              refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
             end
           end
         end
@@ -530,13 +512,46 @@ def self.should_respond_to(format)
           should "not include mfa warnings" do
             @emails.each do |email|
               post :create, params: { rubygem_id: @rubygem.slug, email: email }
-              mfa_warning = "[WARNING] For protection of your account and gems"
 
-              refute_includes @response.body, mfa_warning
+              refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
+              refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
             end
           end
         end
       end
+
+      context "when not supplying a role" do
+        should "set a default role" do
+          post :create, params: { rubygem_id: @rubygem.slug, email: @second_user.display_id }
+
+          assert_equal 200, @response.status
+          assert_predicate Ownership.find_by(user: @second_user, rubygem: @rubygem), :owner?
+        end
+      end
+
+      context "given a role" do
+        should "set the role for the given user" do
+          post :create, params: { rubygem_id: @rubygem.slug, email: @second_user.display_id, role: :maintainer }
+
+          assert_equal 200, @response.status
+          assert_predicate Ownership.find_by(user: @second_user, rubygem: @rubygem), :maintainer?
+        end
+      end
+
+      context "when given an invalid role" do
+        should "raise an error" do
+          post :create, params: { rubygem_id: @rubygem.slug, email: @second_user.display_id, role: :invalid }
+
+          assert_equal 422, @response.status
+          assert_equal "Role is not included in the list", @response.body
+        end
+
+        should "not create the ownership" do
+          post :create, params: { rubygem_id: @rubygem.slug, email: @second_user.email, role: :invalid }
+
+          assert_nil @rubygem.ownerships.find_by(user: @second_user)
+        end
+      end
     end
 
     context "without add owner api key scope" do
@@ -550,8 +565,8 @@ def self.should_respond_to(format)
 
       should respond_with :forbidden
 
-      should "return body that starts with denied access message" do
-        assert @response.body.start_with?("The API key doesn't have access")
+      should "return body with denied access message" do
+        assert_equal "This API key cannot perform the specified action on this gem.", @response.body
       end
     end
   end
@@ -784,12 +799,8 @@ def self.should_respond_to(format)
               delete :destroy, params: { rubygem_id: @rubygem.slug, email: email }
 
               assert_equal 403, response.status
-              mfa_error = <<~ERROR.chomp
-                [ERROR] For protection of your account and your gems, you are required to set up multi-factor authentication \
-                at https://rubygems.org/totp/new.
+              mfa_error = I18n.t("multifactor_auths.api.mfa_required_not_yet_enabled").chomp
 
-                Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
-              ERROR
               assert_includes @response.body, mfa_error
             end
           end
@@ -805,12 +816,8 @@ def self.should_respond_to(format)
               delete :destroy, params: { rubygem_id: @rubygem.slug, email: email }
 
               assert_equal 403, @response.status
-              mfa_error = <<~ERROR.chomp
-                [ERROR] For protection of your account and your gems, you are required to change your MFA level to 'UI and gem signin' or 'UI and API' \
-                at https://rubygems.org/settings/edit.
+              mfa_error = I18n.t("multifactor_auths.api.mfa_required_weak_level_enabled").chomp
 
-                Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
-              ERROR
               assert_includes @response.body, mfa_error
             end
           end
@@ -856,12 +863,7 @@ def self.should_respond_to(format)
           should "include mfa setup warning" do
             @emails.each do |email|
               delete :destroy, params: { rubygem_id: @rubygem.slug, email: email }
-              mfa_warning = <<~WARN.chomp
-
-
-                [WARNING] For protection of your account and gems, we encourage you to set up multi-factor authentication \
-                at https://rubygems.org/totp/new. Your account will be required to have MFA enabled in the future.
-              WARN
+              mfa_warning = "\n\n#{I18n.t('multifactor_auths.api.mfa_recommended_not_yet_enabled')}".chomp
 
               assert_includes @response.body, mfa_warning
             end
@@ -876,13 +878,7 @@ def self.should_respond_to(format)
           should "include change mfa level warning" do
             @emails.each do |email|
               delete :destroy, params: { rubygem_id: @rubygem.slug, email: email }
-              mfa_warning = <<~WARN.chomp
-
-
-                [WARNING] For protection of your account and gems, we encourage you to change your multi-factor authentication \
-                level to 'UI and gem signin' or 'UI and API' at https://rubygems.org/settings/edit. \
-                Your account will be required to have MFA enabled on one of these levels in the future.
-              WARN
+              mfa_warning = "\n\n#{I18n.t('multifactor_auths.api.mfa_recommended_weak_level_enabled')}".chomp
 
               assert_includes @response.body, mfa_warning
             end
@@ -897,9 +893,9 @@ def self.should_respond_to(format)
           should "not include mfa warnings" do
             @emails.each do |email|
               delete :destroy, params: { rubygem_id: @rubygem.slug, email: email }
-              mfa_warning = "[WARNING] For protection of your account and gems"
 
-              refute_includes @response.body, mfa_warning
+              refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
+              refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
             end
           end
         end
@@ -913,9 +909,9 @@ def self.should_respond_to(format)
           should "not include mfa warnings" do
             @emails.each do |email|
               delete :destroy, params: { rubygem_id: @rubygem.slug, email: email }
-              mfa_warning = "[WARNING] For protection of your account and gems"
 
-              refute_includes @response.body, mfa_warning
+              refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
+              refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
             end
           end
         end
@@ -933,8 +929,8 @@ def self.should_respond_to(format)
 
       should respond_with :forbidden
 
-      should "return body that starts with denied access message" do
-        assert @response.body.start_with?("The API key doesn't have access")
+      should "return body that has the denied access message" do
+        assert_equal "This API key cannot perform the specified action on this gem.", @response.body
       end
     end
   end
@@ -965,4 +961,80 @@ def self.should_respond_to(format)
 
     assert_equal "This rubygem could not be found.", @response.body
   end
+
+  should "route PUT /api/v1/gems/rubygem/owners.yaml" do
+    route = { controller: "api/v1/owners",
+              action: "update",
+              rubygem_id: "rails",
+              format: "yaml" }
+
+    assert_recognizes(route, path: "/api/v1/gems/rails/owners.yaml", method: :put)
+  end
+
+  context "on PATCH to owner gem" do
+    setup do
+      @owner = create(:user)
+      @maintainer = create(:user)
+      @rubygem = create(:rubygem, owners: [@owner])
+
+      @api_key = create(:api_key, key: "12223", scopes: %i[update_owner], owner: @owner, rubygem: @rubygem)
+      @request.env["HTTP_AUTHORIZATION"] = "12223"
+    end
+
+    should "set the maintainer to a lower access level" do
+      ownership = create(:ownership, user: @maintainer, rubygem: @rubygem, role: :owner)
+
+      patch :update, params: { rubygem_id: @rubygem.slug, email: @maintainer.email, role: :maintainer }
+
+      assert_response :success
+      assert_predicate ownership.reload, :maintainer?
+      assert_enqueued_email_with OwnersMailer, :owner_updated, params: { ownership: ownership }
+    end
+
+    context "when the current user is changing their own role" do
+      should "forbid changing the role" do
+        patch :update, params: { rubygem_id: @rubygem.slug, email: @owner.email, role: :maintainer }
+
+        ownership = @rubygem.ownerships.find_by(user: @owner)
+
+        assert_response :forbidden
+        assert_predicate ownership.reload, :owner?
+      end
+    end
+
+    context "when the role is invalid" do
+      should "return a bad request response with the error message" do
+        ownership = create(:ownership, user: @maintainer, rubygem: @rubygem, role: :maintainer)
+
+        patch :update, params: { rubygem_id: @rubygem.slug, email: @maintainer.email, role: :invalid }
+
+        assert_response :unprocessable_entity
+        assert_equal "Role is not included in the list", @response.body
+        assert_predicate ownership.reload, :maintainer?
+      end
+    end
+
+    context "when the owner is not found" do
+      context "when the update is authorized" do
+        should "return a not found response" do
+          patch :update, params: { rubygem_id: @rubygem.slug, email: "notauser", role: :owner }
+
+          assert_response :not_found
+          assert_equal "Owner could not be found.", @response.body
+        end
+      end
+
+      context "when the update is not authorized" do
+        should "return a forbidden response" do
+          @api_key = create(:api_key, key: "99999", scopes: %i[push_rubygem], owner: @owner)
+          @request.env["HTTP_AUTHORIZATION"] = "99999"
+
+          patch :update, params: { rubygem_id: @rubygem.slug, email: "notauser", role: :owner }
+
+          assert_response :forbidden
+          assert_equal "This API key cannot perform the specified action on this gem.", @response.body
+        end
+      end
+    end
+  end
 end
diff --git a/test/functional/api/v1/profiles_controller_test.rb b/test/functional/api/v1/profiles_controller_test.rb
index 401046e4113..b39f0d32969 100644
--- a/test/functional/api/v1/profiles_controller_test.rb
+++ b/test/functional/api/v1/profiles_controller_test.rb
@@ -27,15 +27,6 @@ def assert_mfa_info_included(mfa_level)
     assert_match mfa_level, @response.body
   end
 
-  def assert_warning_included(expected_warning)
-    assert response_body.key?("warning")
-    assert_match expected_warning, response_body["warning"].to_s
-  end
-
-  def refute_warning_included(expected_warning)
-    refute_match expected_warning, response_body["warning"].to_s
-  end
-
   def refute_mfa_info_included(mfa_level)
     refute response_body.key?("mfa")
     refute_match mfa_level, @response.body
@@ -101,11 +92,9 @@ def refute_mfa_info_included(mfa_level)
 
           context "when mfa is disabled" do
             should "include warning" do
-              expected_warning =
-                "For protection of your account and gems, we encourage you to set up multi-factor authentication " \
-                "at https://rubygems.org/totp/new. Your account will be required to have MFA enabled in the future."
+              expected_warning = I18n.t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
 
-              assert_warning_included(expected_warning)
+              assert_includes response_body["warning"].to_s, expected_warning
             end
           end
 
@@ -117,12 +106,9 @@ def refute_mfa_info_included(mfa_level)
               end
 
               should "include warning" do
-                expected_warning =
-                  "For protection of your account and gems, we encourage you to change your multi-factor authentication " \
-                  "level to 'UI and gem signin' or 'UI and API' at https://rubygems.org/settings/edit. " \
-                  "Your account will be required to have MFA enabled on one of these levels in the future."
+                expected_warning = I18n.t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
 
-                assert_warning_included(expected_warning)
+                assert_includes response_body["warning"].to_s, expected_warning
               end
             end
 
@@ -133,10 +119,9 @@ def refute_mfa_info_included(mfa_level)
               end
 
               should "not include warning in user json" do
-                unexpected_warning =
-                  "For protection of your account and gems"
+                unexpected_warning = "For protection of your account and gems"
 
-                refute_warning_included(unexpected_warning)
+                refute_includes response_body["warning"].to_s, unexpected_warning
               end
             end
 
@@ -147,10 +132,9 @@ def refute_mfa_info_included(mfa_level)
               end
 
               should "not include warning" do
-                unexpected_warning =
-                  "For protection of your account and gems"
+                unexpected_warning = "For protection of your account and gems"
 
-                refute_warning_included(unexpected_warning)
+                refute_includes response_body["warning"].to_s, unexpected_warning
               end
             end
           end
diff --git a/test/functional/api/v1/rubygems_controller_test.rb b/test/functional/api/v1/rubygems_controller_test.rb
index 8c644632e2e..cf60b05c4c4 100644
--- a/test/functional/api/v1/rubygems_controller_test.rb
+++ b/test/functional/api/v1/rubygems_controller_test.rb
@@ -560,12 +560,7 @@ def self.should_respond_to(format)
         should respond_with :forbidden
 
         should "show error message" do
-          mfa_error = <<~ERROR.chomp
-            [ERROR] For protection of your account and your gems, you are required to set up multi-factor authentication \
-            at https://rubygems.org/totp/new.
-
-            Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
-          ERROR
+          mfa_error = I18n.t("multifactor_auths.api.mfa_required_not_yet_enabled").chomp
 
           assert_includes @response.body, mfa_error
         end
@@ -580,12 +575,7 @@ def self.should_respond_to(format)
         should respond_with :forbidden
 
         should "show error message" do
-          mfa_error = <<~ERROR.chomp
-            [ERROR] For protection of your account and your gems, you are required to change your MFA level to 'UI and gem signin' or 'UI and API' \
-            at https://rubygems.org/settings/edit.
-
-            Please read our blog post for more details (https://blog.rubygems.org/2022/08/15/requiring-mfa-on-popular-gems.html).
-          ERROR
+          mfa_error = I18n.t("multifactor_auths.api.mfa_required_weak_level_enabled").chomp
 
           assert_includes @response.body, mfa_error
         end
@@ -600,7 +590,8 @@ def self.should_respond_to(format)
         should respond_with :success
 
         should "not show error message" do
-          refute_includes @response.body, "For protection of your account and your gems"
+          refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_required_not_yet_enabled").chomp
+          refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_required_weak_level_enabled").chomp
         end
       end
 
@@ -614,7 +605,8 @@ def self.should_respond_to(format)
         should respond_with :success
 
         should "not show error message" do
-          refute_includes @response.body, "For protection of your account and your gems"
+          refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_required_not_yet_enabled").chomp
+          refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_required_weak_level_enabled").chomp
         end
       end
     end
@@ -630,14 +622,7 @@ def self.should_respond_to(format)
         end
 
         should "include mfa setup warning" do
-          mfa_warning = <<~WARN.chomp
-
-
-            [WARNING] For protection of your account and gems, we encourage you to set up multi-factor authentication \
-            at https://rubygems.org/totp/new. Your account will be required to have MFA enabled in the future.
-          WARN
-
-          assert_includes @response.body, mfa_warning
+          assert_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
         end
       end
 
@@ -648,15 +633,7 @@ def self.should_respond_to(format)
         end
 
         should "include change mfa level warning" do
-          mfa_warning = <<~WARN.chomp
-
-
-            [WARNING] For protection of your account and gems, we encourage you to change your multi-factor authentication \
-            level to 'UI and gem signin' or 'UI and API' at https://rubygems.org/settings/edit. \
-            Your account will be required to have MFA enabled on one of these levels in the future.
-          WARN
-
-          assert_includes @response.body, mfa_warning
+          assert_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
         end
       end
 
@@ -669,9 +646,8 @@ def self.should_respond_to(format)
 
         should respond_with :success
         should "not include mfa warning" do
-          mfa_warning = "[WARNING] For protection of your account and gems"
-
-          refute_includes @response.body, mfa_warning
+          refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
+          refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
         end
       end
 
@@ -684,9 +660,8 @@ def self.should_respond_to(format)
 
         should respond_with :success
         should "not include mfa warning" do
-          mfa_warning = "[WARNING] For protection of your account and gems"
-
-          refute_includes @response.body, mfa_warning
+          refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
+          refute_includes @response.body, I18n.t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
         end
       end
     end
@@ -786,8 +761,8 @@ def self.should_respond_to(format)
       end
       should respond_with :forbidden
 
-      should "return body that starts with denied access message" do
-        assert @response.body.start_with?("The API key doesn't have access")
+      should "return body that includes the denied access message" do
+        assert_includes @response.body, "This API key cannot perform the specified action on this gem."
       end
     end
   end
diff --git a/test/functional/api/v1/timeframe_versions_controller_test.rb b/test/functional/api/v1/timeframe_versions_controller_test.rb
index b5953d74fdd..44f1d968546 100644
--- a/test/functional/api/v1/timeframe_versions_controller_test.rb
+++ b/test/functional/api/v1/timeframe_versions_controller_test.rb
@@ -52,6 +52,16 @@ class Api::V1::TimeframeVersionsControllerTest < ActionController::TestCase
         assert_includes response.body, "iso8601"
       end
 
+      should 'return a bad request with message when "to" is not primitive' do
+        get :index, format: :json, params: {
+          from: Time.zone.parse("2017-11-09").iso8601,
+          to: ["2017-11-12"]
+        }
+
+        assert_equal 400, response.status
+        assert_includes response.body, "iso8601"
+      end
+
       should 'return a bad request with message when "from" is invalid' do
         get :index, format: :json, params: {
           from: "2017-11-09",
diff --git a/test/functional/api/v1/web_hooks_controller_test.rb b/test/functional/api/v1/web_hooks_controller_test.rb
index 583c16a3b08..306aed704b3 100644
--- a/test/functional/api/v1/web_hooks_controller_test.rb
+++ b/test/functional/api/v1/web_hooks_controller_test.rb
@@ -9,6 +9,10 @@ def self.should_not_find_it
     end
   end
 
+  setup do
+    NotifyWebHookJob.any_instance.stubs(:sleep)
+  end
+
   context "with incorrect api key" do
     context "no api key" do
       should "forbid access when creating a web hook" do
@@ -83,7 +87,18 @@ def self.should_respond_to(format)
 
       context "On POST to fire for all gems" do
         setup do
-          stub_request(:post, @url)
+          stub_request(:post, "https://api.hookrelay.dev/hooks///webhook_id-fire")
+            .with(headers: {
+                    "Content-Type" => "application/json",
+                "HR_TARGET_URL" => @url,
+                "HR_MAX_ATTEMPTS" => "1"
+                  }).to_return(status: 200, body: '{"id":"delivery-id"}', headers: { "Content-Type" => "application/json" })
+
+          stub_request(:get, "https://app.hookrelay.dev/api/v1/accounts//hooks//deliveries/delivery-id")
+            .to_return(status: 200, body: { "status" => "success", "responses" => [
+              { "code" => 200, "body" => "OK", "headers" => { "Content-Type" => "text/plain" } }
+            ] }.to_json, headers: { "Content-Type" => "application/json" })
+
           post :fire, params: { gem_name: WebHook::GLOBAL_PATTERN,
                                 url: @url }
         end
@@ -98,7 +113,17 @@ def self.should_respond_to(format)
 
       context "On POST to fire for all gems that fails" do
         setup do
-          stub_request(:post, @url).to_timeout
+          stub_request(:post, "https://api.hookrelay.dev/hooks///webhook_id-fire")
+            .with(headers: {
+                    "Content-Type" => "application/json",
+                "HR_TARGET_URL" => @url,
+                "HR_MAX_ATTEMPTS" => "1"
+                  }).to_return(status: 200, body: '{"id":"delivery-id"}', headers: { "Content-Type" => "application/json" })
+
+          stub_request(:get, "https://app.hookrelay.dev/api/v1/accounts//hooks//deliveries/delivery-id")
+            .to_return(status: 200, body: { "status" => "failure",
+"failure_reason" => "timed out" }.to_json, headers: { "Content-Type" => "application/json" })
+
           post :fire, params: { gem_name: WebHook::GLOBAL_PATTERN,
                                 url: @url }
         end
@@ -132,7 +157,18 @@ def self.should_respond_to(format)
 
       context "On POST to fire for a specific gem" do
         setup do
-          stub_request(:post, @url)
+          stub_request(:post, "https://api.hookrelay.dev/hooks///webhook_id-fire")
+            .with(headers: {
+                    "Content-Type" => "application/json",
+                "HR_TARGET_URL" => @url,
+                "HR_MAX_ATTEMPTS" => "1"
+                  }).to_return(status: 200, body: '{"id":"delivery-id"}', headers: { "Content-Type" => "application/json" })
+
+          stub_request(:get, "https://app.hookrelay.dev/api/v1/accounts//hooks//deliveries/delivery-id")
+            .to_return(status: 200, body: { "status" => "success", "responses" => [
+              { "code" => 200, "body" => "OK", "headers" => { "Content-Type" => "text/plain" } }
+            ] }.to_json, headers: { "Content-Type" => "application/json" })
+
           post :fire, params: { gem_name: @rubygem.name,
                                 url: @url }
         end
@@ -145,7 +181,17 @@ def self.should_respond_to(format)
 
       context "On POST to fire for a specific gem that fails" do
         setup do
-          stub_request(:post, @url).to_return(status: 404)
+          stub_request(:post, "https://api.hookrelay.dev/hooks///webhook_id-fire")
+            .with(headers: {
+                    "Content-Type" => "application/json",
+                "HR_TARGET_URL" => @url,
+                "HR_MAX_ATTEMPTS" => "1"
+                  }).to_return(status: 200, body: '{"id":"delivery-id"}', headers: { "Content-Type" => "application/json" })
+
+          stub_request(:get, "https://app.hookrelay.dev/api/v1/accounts//hooks//deliveries/delivery-id")
+            .to_return(status: 200, body: { "status" => "failure",
+"failure_reason" => "exceeded", "responses" => [{ "code" => 404 }] }.to_json, headers: { "Content-Type" => "application/json" })
+
           post :fire, params: { gem_name: @rubygem.name,
                                 url: @url }
         end
diff --git a/test/functional/api_keys_controller_test.rb b/test/functional/api_keys_controller_test.rb
index b4c50f3e425..087bed7af79 100644
--- a/test/functional/api_keys_controller_test.rb
+++ b/test/functional/api_keys_controller_test.rb
@@ -223,7 +223,7 @@ class ApiKeysControllerTest < ActionController::TestCase
         end
 
         should "show error to user" do
-          page.assert_text "Show dashboard scope must be enabled exclusively"
+          assert_text "Show dashboard scope must be enabled exclusively"
         end
 
         should "not update scope of test key" do
diff --git a/test/functional/owners_controller_test.rb b/test/functional/owners_controller_test.rb
index e2877971228..7cbc4e78dfd 100644
--- a/test/functional/owners_controller_test.rb
+++ b/test/functional/owners_controller_test.rb
@@ -39,11 +39,8 @@ class OwnersControllerTest < ActionController::TestCase
           get :index, params: { rubygem_id: @rubygem.name }
         end
 
-        should respond_with :forbidden
-
-        should "render forbidden message" do
-          assert page.has_content?("forbidden")
-        end
+        should redirect_to("gem info page") { rubygem_path(@rubygem.slug) }
+        should set_flash[:alert].to "Forbidden"
       end
     end
 
@@ -52,7 +49,7 @@ class OwnersControllerTest < ActionController::TestCase
         context "with invalid handle" do
           setup do
             perform_enqueued_jobs only: ActionMailer::MailDeliveryJob do
-              post :create, params: { handle: "no_user", rubygem_id: @rubygem.name }
+              post :create, params: { handle: "no_user", rubygem_id: @rubygem.name, role: :owner }
             end
           end
 
@@ -72,7 +69,7 @@ class OwnersControllerTest < ActionController::TestCase
         context "with valid handle" do
           setup do
             @new_owner = create(:user)
-            post :create, params: { handle: @new_owner.display_id, rubygem_id: @rubygem.name }
+            post :create, params: { handle: @new_owner.display_id, rubygem_id: @rubygem.name, role: :owner }
           end
 
           should redirect_to("ownerships index") { rubygem_owners_path(@rubygem.slug) }
@@ -132,7 +129,7 @@ class OwnersControllerTest < ActionController::TestCase
           context "owner has enabled mfa" do
             setup do
               @user.enable_totp!(ROTP::Base32.random_base32, :ui_and_api)
-              post :create, params: { handle: @new_owner.display_id, rubygem_id: @rubygem.name }
+              post :create, params: { handle: @new_owner.display_id, rubygem_id: @rubygem.name, role: :owner }
             end
 
             should redirect_to("ownerships index") { rubygem_owners_path(@rubygem.slug) }
@@ -144,6 +141,19 @@ class OwnersControllerTest < ActionController::TestCase
               assert_equal expected_notice, flash[:notice]
             end
           end
+
+          context "with invalid role" do
+            setup do
+              @user.enable_totp!(ROTP::Base32.random_base32, :ui_and_api)
+              post :create, params: { handle: @new_owner.display_id, rubygem_id: @rubygem.name, role: :invalid }
+            end
+
+            should render_template :index
+
+            should "set alert notice flash" do
+              assert_equal "Role is not included in the list", flash[:alert]
+            end
+          end
         end
       end
 
@@ -154,7 +164,8 @@ class OwnersControllerTest < ActionController::TestCase
           post :create, params: { handle: @other_user.display_id, rubygem_id: @rubygem.name }
         end
 
-        should respond_with :forbidden
+        should redirect_to("gem info page") { rubygem_path(@rubygem.slug) }
+        should set_flash[:alert].to "Forbidden"
 
         should "not add other user as owner" do
           refute_includes @rubygem.owners_including_unconfirmed, @other_user
@@ -179,6 +190,7 @@ class OwnersControllerTest < ActionController::TestCase
               delete :destroy, params: { rubygem_id: @rubygem.name, handle: @second_user.display_id }
             end
           end
+
           should redirect_to("ownership index") { rubygem_owners_path(@rubygem.slug) }
 
           should "remove the ownership record" do
@@ -218,15 +230,10 @@ class OwnersControllerTest < ActionController::TestCase
               delete :destroy, params: { rubygem_id: @rubygem.name, handle: @last_owner.display_id }
             end
           end
-          should respond_with :forbidden
+          should set_flash.now[:alert].to "Can't remove the only owner of the gem"
 
           should "not remove the ownership record" do
             assert_includes @rubygem.owners_including_unconfirmed, @last_owner
-          end
-          should "should flash error" do
-            assert_equal "Can't remove the only owner of the gem", flash[:alert]
-          end
-          should "not send email notifications about owner removal" do
             assert_emails 0
           end
         end
@@ -280,7 +287,7 @@ class OwnersControllerTest < ActionController::TestCase
           delete :destroy, params: { rubygem_id: @rubygem.name, handle: @last_owner.display_id }
         end
 
-        should respond_with :forbidden
+        should redirect_to("gem info page") { rubygem_path(@rubygem.slug) }
 
         should "not remove user as owner" do
           assert_includes @rubygem.owners, @last_owner
@@ -344,6 +351,113 @@ class OwnersControllerTest < ActionController::TestCase
         end
       end
     end
+
+    context "on GET edit ownership" do
+      setup do
+        @owner = create(:user)
+        @maintainer = create(:user)
+        @rubygem = create(:rubygem, owners: [@owner, @maintainer])
+
+        verified_sign_in_as(@owner)
+      end
+
+      context "when editing another owner's role" do
+        setup do
+          get :edit, params: { rubygem_id: @rubygem.name, handle: @maintainer.display_id }
+        end
+
+        should respond_with :success
+        should render_template :edit
+      end
+
+      context "when editing your own role" do
+        setup do
+          get :edit, params: { rubygem_id: @rubygem.name, handle: @owner.display_id }
+        end
+
+        should redirect_to("gem info page") { rubygem_path(@rubygem.slug) }
+        should set_flash[:alert].to "Can't update your own Role"
+      end
+    end
+
+    context "on PATCH to update ownership" do
+      setup do
+        @owner = create(:user)
+        @maintainer = create(:user)
+        @rubygem = create(:rubygem, owners: [@owner, @maintainer])
+
+        verified_sign_in_as(@owner)
+        patch :update, params: { rubygem_id: @rubygem.name, handle: @maintainer.display_id, role: :maintainer }
+      end
+
+      should redirect_to("rubygem show") { rubygem_owners_path(@rubygem.slug) }
+
+      should "set success notice flash" do
+        assert_equal "#{@maintainer.name} was succesfully updated.", flash[:notice]
+      end
+
+      should "downgrade the ownership to a maintainer role" do
+        ownership = Ownership.find_by(rubygem: @rubygem, user: @maintainer)
+
+        assert_predicate ownership, :maintainer?
+        assert_enqueued_email_with OwnersMailer, :owner_updated, params: { ownership: ownership, authorizer: @owner }
+      end
+    end
+
+    context "when updating ownership without role" do
+      setup do
+        @owner = create(:user)
+        @maintainer = create(:user)
+        @rubygem = create(:rubygem, owners: [@owner, @maintainer])
+
+        verified_sign_in_as(@owner)
+        patch :update, params: { rubygem_id: @rubygem.name, handle: @maintainer.display_id }
+      end
+
+      should redirect_to("ownerships index") { rubygem_owners_path(@rubygem.slug) }
+
+      should "not update the role" do
+        ownership = Ownership.find_by(rubygem: @rubygem, user: @maintainer)
+
+        assert_predicate ownership, :owner?
+      end
+    end
+
+    context "when updating ownership with invalid role" do
+      setup do
+        @owner = create(:user)
+        @maintainer = create(:user)
+        @rubygem = create(:rubygem, owners: [@owner, @maintainer])
+
+        verified_sign_in_as(@owner)
+        patch :update, params: { rubygem_id: @rubygem.name, handle: @maintainer.display_id, role: :invalid }
+      end
+
+      should respond_with :unprocessable_content
+
+      should "set error flash message" do
+        assert_equal "Role is not included in the list", flash[:alert]
+      end
+    end
+
+    context "when updating the role of currently signed in user" do
+      setup do
+        @owner = create(:user)
+        @rubygem = create(:rubygem)
+        @ownership = create(:ownership, user: @owner, rubygem: @rubygem, role: :owner)
+
+        verified_sign_in_as(@owner)
+        patch :update, params: { rubygem_id: @rubygem.name, handle: @owner.display_id, role: :maintainer }
+      end
+
+      should "not update the ownership of the current user" do
+        assert_predicate @ownership.reload, :owner?
+      end
+
+      should "set notice flash message" do
+        assert_equal "Can't update your own Role", flash[:alert]
+      end
+    end
   end
 
   context "when logged in and unverified" do
@@ -366,7 +480,7 @@ class OwnersControllerTest < ActionController::TestCase
     context "on POST to create ownership" do
       setup do
         @new_owner = create(:user)
-        post :create, params: { handle: @new_owner.display_id, rubygem_id: @rubygem.name }
+        post :create, params: { handle: @new_owner.display_id, rubygem_id: @rubygem.name, role: :owner }
       end
 
       should redirect_to("sessions#verify") { verify_session_path }
@@ -386,9 +500,31 @@ class OwnersControllerTest < ActionController::TestCase
       should redirect_to("sessions#verify") { verify_session_path }
       should use_before_action(:redirect_to_verify)
 
-      should "remove the ownership record" do
-        assert_includes @rubygem.owners_including_unconfirmed, @second_user
+      should "not remove the ownership record" do
+        assert_includes @rubygem.owners, @second_user
+      end
+    end
+
+    context "on GET to edit" do
+      setup do
+        @second_user = create(:user)
+        @ownership = create(:ownership, :unconfirmed, rubygem: @rubygem, user: @second_user)
+        get :edit, params: { rubygem_id: @rubygem.name, handle: @second_user.display_id }
+      end
+
+      should redirect_to("sessions#verify") { verify_session_path }
+      should use_before_action(:redirect_to_verify)
+    end
+
+    context "on PATCH to update" do
+      setup do
+        @second_user = create(:user)
+        @ownership = create(:ownership, :unconfirmed, rubygem: @rubygem, user: @second_user, role: :owner)
+        patch :update, params: { rubygem_id: @rubygem.name, handle: @second_user.display_id, role: :maintainer }
       end
+
+      should redirect_to("sessions#verify") { verify_session_path }
+      should use_before_action(:redirect_to_verify)
     end
   end
 
@@ -485,5 +621,27 @@ class OwnersControllerTest < ActionController::TestCase
         assert redirect_to("sign in") { sign_in_path }
       end
     end
+
+    context "on EDIT to update owner" do
+      setup do
+        create(:ownership, rubygem: @rubygem, user: @user)
+        get :edit, params: { rubygem_id: @rubygem.name, handle: @user.display_id }
+      end
+
+      should "redirect to sign in path" do
+        assert redirect_to("sign in") { sign_in_path }
+      end
+    end
+
+    context "on PATCH to update owner" do
+      setup do
+        create(:ownership, rubygem: @rubygem, user: @user)
+        patch :update, params: { rubygem_id: @rubygem.name, handle: @user.display_id, role: :owner }
+      end
+
+      should "redirect to sign in path" do
+        assert redirect_to("sign in") { sign_in_path }
+      end
+    end
   end
 end
diff --git a/test/functional/ownership_calls_controller_test.rb b/test/functional/ownership_calls_controller_test.rb
index ec7d02b4aa5..e53d1e3e5d1 100644
--- a/test/functional/ownership_calls_controller_test.rb
+++ b/test/functional/ownership_calls_controller_test.rb
@@ -16,7 +16,17 @@ class OwnershipCallsControllerTest < ActionController::TestCase
         @rubygem = create(:rubygem, owners: [@user], number: "1.0.0")
       end
 
-      context "user is owner of rubygem" do
+      context "user is owner of rubygem and verified" do
+        setup do
+          session[:verification] = 10.minutes.from_now
+          session[:verified_user] = @user.id
+        end
+
+        teardown do
+          session[:verification] = nil
+          session[:verified_user] = nil
+        end
+
         context "with correct params" do
           setup do
             post :create, params: { rubygem_id: @rubygem.name, note: "short note" }
@@ -64,12 +74,28 @@ class OwnershipCallsControllerTest < ActionController::TestCase
         end
       end
 
+      context "user is owner and not verified" do
+        setup do
+          post :create, params: { rubygem_id: @rubygem.name, note: "short note" }
+        end
+
+        should redirect_to("verify page") { verify_session_path }
+      end
+
       context "user is not owner of rubygem" do
         setup do
-          user = create(:user)
-          sign_in_as(user)
+          @user = create(:user)
+          sign_in_as(@user)
+          session[:verification] = 10.minutes.from_now
+          session[:verified_user] = @user.id
           post :create, params: { rubygem_id: @rubygem.name, note: "short note" }
         end
+
+        teardown do
+          session[:verification] = nil
+          session[:verified_user] = nil
+        end
+
         should respond_with :forbidden
 
         should "not create a call" do
@@ -83,7 +109,17 @@ class OwnershipCallsControllerTest < ActionController::TestCase
         @rubygem = create(:rubygem, owners: [@user], number: "1.0.0")
       end
 
-      context "user is owner of rubygem" do
+      context "user is owner of rubygem and verified" do
+        setup do
+          session[:verification] = 10.minutes.from_now
+          session[:verified_user] = @user.id
+        end
+
+        teardown do
+          session[:verification] = nil
+          session[:verified_user] = nil
+        end
+
         context "ownership call exists" do
           setup do
             create(:ownership_call, rubygem: @rubygem, user: @user, status: "opened")
@@ -112,13 +148,31 @@ class OwnershipCallsControllerTest < ActionController::TestCase
         end
       end
 
+      context "user is owner and not verified" do
+        setup do
+          create(:ownership_call, rubygem: @rubygem, user: @user)
+          patch :close, params: { rubygem_id: @rubygem.name }
+        end
+
+        should redirect_to("verify page") { verify_session_path }
+      end
+
       context "user is not owner of rubygem" do
         setup do
-          user = create(:user)
-          sign_in_as(user)
+          @user = create(:user)
+          sign_in_as(@user)
+          session[:verification] = 10.minutes.from_now
+          session[:verified_user] = @user.id
+
           create(:ownership_call, rubygem: @rubygem, user: @user)
           patch :close, params: { rubygem_id: @rubygem.name }
         end
+
+        teardown do
+          session[:verification] = nil
+          session[:verified_user] = nil
+        end
+
         should respond_with :forbidden
 
         should "not update status to close" do
@@ -214,6 +268,13 @@ class OwnershipCallsControllerTest < ActionController::TestCase
       context "user has MFA set to strong level, expect normal behaviour" do
         setup do
           @user.enable_totp!(ROTP::Base32.random_base32, :ui_and_api)
+          session[:verification] = 10.minutes.from_now
+          session[:verified_user] = @user.id
+        end
+
+        teardown do
+          session[:verification] = nil
+          session[:verified_user] = nil
         end
 
         context "on GET to index" do
diff --git a/test/functional/ownership_requests_controller_test.rb b/test/functional/ownership_requests_controller_test.rb
index 980a93328d2..2a29093de1d 100644
--- a/test/functional/ownership_requests_controller_test.rb
+++ b/test/functional/ownership_requests_controller_test.rb
@@ -20,6 +20,7 @@ class OwnershipRequestsControllerTest < ActionController::TestCase
             create(:ownership, user: @user, rubygem: @rubygem)
             post :create, params: { rubygem_id: @rubygem.name, note: "small note" }
           end
+
           should respond_with :forbidden
 
           should "not create ownership request" do
@@ -58,14 +59,17 @@ class OwnershipRequestsControllerTest < ActionController::TestCase
           @rubygem = create(:rubygem, downloads: 2_000)
           create(:version, rubygem: @rubygem, created_at: 2.years.ago, number: "1.0.0")
         end
+
         context "when user is owner" do
           setup do
             create(:ownership, user: @user, rubygem: @rubygem)
             post :create, params: { rubygem_id: @rubygem.name, note: "small note" }
           end
-          should respond_with :forbidden
 
-          should "not create ownership request" do
+          should redirect_to("adoptions index") { rubygem_adoptions_path(@rubygem.slug) }
+          should set_flash[:alert].to("User is already an owner")
+
+          should "not create ownership call" do
             assert_nil @rubygem.ownership_requests.find_by(user: @user)
           end
         end
@@ -76,11 +80,8 @@ class OwnershipRequestsControllerTest < ActionController::TestCase
               post :create, params: { rubygem_id: @rubygem.name, note: "small note" }
             end
             should redirect_to("adoptions index") { rubygem_adoptions_path(@rubygem.slug) }
-            should "set success notice flash" do
-              expected_notice = "Your ownership request was submitted."
+            should set_flash[:notice].to("Your ownership request was submitted.")
 
-              assert_equal expected_notice, flash[:notice]
-            end
             should "create ownership request" do
               assert_not_nil @rubygem.ownership_requests.find_by(user: @user)
             end
@@ -90,11 +91,8 @@ class OwnershipRequestsControllerTest < ActionController::TestCase
               post :create, params: { rubygem_id: @rubygem.name }
             end
             should redirect_to("adoptions index") { rubygem_adoptions_path(@rubygem.slug) }
-            should "set error alert flash" do
-              expected_notice = "Note can't be blank"
+            should set_flash[:alert].to("Note can't be blank")
 
-              assert_equal expected_notice, flash[:alert]
-            end
             should "not create ownership call" do
               assert_nil @rubygem.ownership_requests.find_by(user: @user)
             end
@@ -105,11 +103,7 @@ class OwnershipRequestsControllerTest < ActionController::TestCase
               post :create, params: { rubygem_id: @rubygem.name, note: "new note" }
             end
             should redirect_to("adoptions index") { rubygem_adoptions_path(@rubygem.slug) }
-            should "set error alert flash" do
-              expected_notice = "User has already been taken"
-
-              assert_equal expected_notice, flash[:alert]
-            end
+            should set_flash[:alert].to("User has already requested ownership")
           end
         end
       end
@@ -120,10 +114,18 @@ class OwnershipRequestsControllerTest < ActionController::TestCase
         @rubygem = create(:rubygem, downloads: 2_000_000)
         create(:version, rubygem: @rubygem, created_at: 2.years.ago, number: "1.0.0")
       end
-      context "when user is owner" do
+      context "when user is owner and verified" do
         setup do
           create(:ownership, user: @user, rubygem: @rubygem)
+          session[:verification] = 10.minutes.from_now
+          session[:verified_user] = @user.id
+        end
+
+        teardown do
+          session[:verification] = nil
+          session[:verified_user] = nil
         end
+
         context "on close" do
           setup do
             @requester = create(:user)
@@ -193,12 +195,29 @@ class OwnershipRequestsControllerTest < ActionController::TestCase
         end
       end
 
+      context "when user is owner and not verified" do
+        setup do
+          create(:ownership, user: @user, rubygem: @rubygem)
+          @requester = create(:user)
+          ownership_request = create(:ownership_request, rubygem: @rubygem, user: @requester)
+          patch :update, params: { rubygem_id: @rubygem.name, id: ownership_request.id, status: "close" }
+        end
+        should redirect_to("verify page") { verify_session_path }
+      end
+
       context "when user is not an owner" do
         setup do
           request = create(:ownership_request, rubygem: @rubygem)
+          session[:verification] = 10.minutes.from_now
+          session[:verified_user] = @user.id
           patch :update, params: { rubygem_id: @rubygem.name, id: request.id, status: "close" }
         end
 
+        teardown do
+          session[:verification] = nil
+          session[:verified_user] = nil
+        end
+
         should respond_with :forbidden
       end
     end
@@ -208,10 +227,17 @@ class OwnershipRequestsControllerTest < ActionController::TestCase
         @rubygem = create(:rubygem, downloads: 2_000_000)
         create(:version, rubygem: @rubygem, created_at: 2.years.ago, number: "1.0.0")
       end
-      context "when user is owner" do
+      context "when user is owner and verified" do
         setup do
           create(:ownership, rubygem: @rubygem, user: @user)
           create_list(:ownership_request, 3, rubygem: @rubygem)
+          session[:verification] = 10.minutes.from_now
+          session[:verified_user] = @user.id
+        end
+
+        teardown do
+          session[:verification] = nil
+          session[:verified_user] = nil
         end
 
         context "with successful update" do
@@ -244,11 +270,20 @@ class OwnershipRequestsControllerTest < ActionController::TestCase
         end
       end
 
+      context "when user is owner and not verified" do
+        setup do
+          create(:ownership, rubygem: @rubygem, user: @user)
+          patch :close_all, params: { rubygem_id: @rubygem.name }
+        end
+        should redirect_to("verify page") { verify_session_path }
+      end
+
       context "user is not owner" do
         setup do
           create_list(:ownership_request, 3, rubygem: @rubygem)
           patch :close_all, params: { rubygem_id: @rubygem.name }
         end
+
         should respond_with :forbidden
 
         should "not close all open requests" do
@@ -363,7 +398,15 @@ class OwnershipRequestsControllerTest < ActionController::TestCase
       context "user has MFA set to strong level, expect normal behaviour" do
         setup do
           @user.enable_totp!(ROTP::Base32.random_base32, :ui_and_api)
+          session[:verification] = 10.minutes.from_now
+          session[:verified_user] = @user.id
+        end
+
+        teardown do
+          session[:verification] = nil
+          session[:verified_user] = nil
         end
+
         context "POST to create" do
           setup { post :create, params: { rubygem_id: @rubygem.name, note: "small note" } }
 
diff --git a/test/functional/passwords_controller_test.rb b/test/functional/passwords_controller_test.rb
index be178e1b6b1..9e7ae33ac0f 100644
--- a/test/functional/passwords_controller_test.rb
+++ b/test/functional/passwords_controller_test.rb
@@ -33,39 +33,93 @@ class PasswordsControllerTest < ActionController::TestCase
         get :edit, params: { token: "invalidtoken" }
       end
 
-      should redirect_to("the home page") { root_path }
+      should redirect_to("the sign in page") { sign_in_path }
+      should set_flash[:alert].to "Please double check the URL or try submitting a new password reset."
 
       should "not sign in the user" do
         refute_predicate @controller.request.env[:clearance], :signed_in?
       end
-
-      should "warn about invalid url" do
-        assert_equal "Please double check the URL or try submitting a new password reset.", flash[:alert]
-      end
     end
 
     context "with valid confirmation_token" do
-      setup do
-        get :edit, params: { token: @user.confirmation_token }
-      end
+      context "when not signed in" do
+        setup do
+          get :edit, params: { token: @user.confirmation_token }
+        end
 
-      should respond_with :success
+        should respond_with :success
 
-      should "sign in the user" do
-        assert_predicate @controller.request.env[:clearance], :signed_in?
-      end
+        should "not sign in the user" do
+          refute_predicate @controller.request.env[:clearance], :signed_in?
+        end
 
-      should "invalidate the confirmation_token" do
-        assert_nil @user.reload.confirmation_token
+        should "invalidate the confirmation_token" do
+          assert_nil @user.reload.confirmation_token
+        end
+
+        should "display edit form" do
+          assert_text "Reset password"
+          assert_selector "input[type=password][autocomplete=new-password]"
+        end
+
+        should "instruct the browser not to send referrer that contains the token" do
+          assert_equal "no-referrer", response.headers["Referrer-Policy"]
+        end
       end
 
-      should "display edit form" do
-        page.assert_text("Reset password")
-        page.assert_selector("input[type=password][autocomplete=new-password]")
+      context "when signed in as the user" do
+        setup do
+          sign_in_as @user
+
+          get :edit, params: { token: @user.confirmation_token }
+        end
+
+        should respond_with :success
+
+        should "leave the user signed in" do
+          assert_predicate @controller.request.env[:clearance], :signed_in?
+        end
+
+        should "invalidate the confirmation_token" do
+          assert_nil @user.reload.confirmation_token
+        end
+
+        should "display edit form" do
+          assert_text "Reset password"
+          assert_selector "input[type=password][autocomplete=new-password]"
+        end
+
+        should "instruct the browser not to send referrer that contains the token" do
+          assert_equal "no-referrer", response.headers["Referrer-Policy"]
+        end
       end
 
-      should "instruct the browser not to send referrer that contains the token" do
-        assert_equal "no-referrer", response.headers["Referrer-Policy"]
+      context "when signed in as another user" do
+        setup do
+          @other_user = create(:user, api_key: "otheruserkey")
+          sign_in_as @other_user
+
+          get :edit, params: { token: @user.confirmation_token }
+        end
+
+        should respond_with :success
+
+        should "sign the current user out" do
+          refute_predicate @controller.request.env[:clearance], :signed_in?
+        end
+
+        should "invalidate the confirmation_token" do
+          assert_nil @user.reload.confirmation_token
+        end
+
+        should "display edit form" do
+          assert_text "Reset password"
+          assert_selector "input[type=password][autocomplete=new-password]"
+        end
+
+        should "instruct the browser not to send referrer that contains the token" do
+          assert_equal "no-referrer", response.headers["Referrer-Policy"]
+        end
       end
     end
 
@@ -75,15 +129,12 @@ class PasswordsControllerTest < ActionController::TestCase
         get :edit, params: { token: @user.confirmation_token }
       end
 
-      should redirect_to("the home page") { root_path }
+      should redirect_to("the sign in page") { sign_in_path }
+      should set_flash[:alert].to "Please double check the URL or try submitting a new password reset."
 
       should "not sign in the user" do
         refute_predicate @controller.request.env[:clearance], :signed_in?
       end
-
-      should "warn about invalid url" do
-        assert_equal "Please double check the URL or try submitting a new password reset.", flash[:alert]
-      end
     end
 
     context "with totp enabled" do
@@ -190,8 +241,8 @@ class PasswordsControllerTest < ActionController::TestCase
 
         should respond_with :success
 
-        should "sign in the user" do
-          assert_predicate @controller.request.env[:clearance], :signed_in?
+        should "not sign in the user" do
+          refute_predicate @controller.request.env[:clearance], :signed_in?
         end
 
         should "invalidate the confirmation_token" do
@@ -199,7 +250,7 @@ class PasswordsControllerTest < ActionController::TestCase
         end
 
         should "display edit form" do
-          page.assert_text("Reset password")
+          assert_text "Reset password"
         end
 
         should "clear mfa_expires_at" do
@@ -214,14 +265,11 @@ class PasswordsControllerTest < ActionController::TestCase
         end
 
         should respond_with :unauthorized
+        should set_flash.now[:alert].to "Your OTP code is incorrect."
 
         should "not sign in the user" do
           refute_predicate @controller.request.env[:clearance], :signed_in?
         end
-
-        should "alert about otp being incorrect" do
-          assert_equal "Your OTP code is incorrect.", flash[:alert]
-        end
       end
 
       context "when the OTP session is expired" do
@@ -232,17 +280,12 @@ class PasswordsControllerTest < ActionController::TestCase
           end
         end
 
-        should set_flash.now[:alert]
-        should respond_with :unauthorized
+        should set_flash[:alert].to "Your login page session has expired."
+        should redirect_to("the sign in page") { sign_in_path }
 
         should "clear mfa_expires_at" do
           assert_nil @controller.session[:mfa_expires_at]
         end
-
-        should "render sign in page" do
-          page.assert_text "Sign in"
-        end
-
         should "not sign in the user" do
           refute_predicate @controller.request.env[:clearance], :signed_in?
         end
@@ -282,8 +325,8 @@ class PasswordsControllerTest < ActionController::TestCase
 
       should respond_with :success
 
-      should "sign in the user" do
-        assert_predicate @controller.request.env[:clearance], :signed_in?
+      should "not sign in the user" do
+        refute_predicate @controller.request.env[:clearance], :signed_in?
       end
 
       should "invalidate the confirmation_token" do
@@ -291,7 +334,7 @@ class PasswordsControllerTest < ActionController::TestCase
       end
 
       should "display edit form" do
-        page.assert_text("Reset password")
+        assert_text "Reset password"
       end
 
       should "clear mfa_expires_at" do
@@ -304,15 +347,12 @@ class PasswordsControllerTest < ActionController::TestCase
         post(:webauthn_edit, params: { token: "badtoken" })
       end
 
-      should redirect_to("the home page") { root_path }
+      should redirect_to("the sign in page") { sign_in_path }
+      should set_flash[:alert].to "Please double check the URL or try submitting a new password reset."
 
       should "not sign in the user" do
         refute_predicate @controller.request.env[:clearance], :signed_in?
       end
-
-      should "warn about invalid url" do
-        assert_equal "Please double check the URL or try submitting a new password reset.", flash[:alert]
-      end
     end
 
     context "when not providing credentials" do
@@ -388,17 +428,13 @@ class PasswordsControllerTest < ActionController::TestCase
         end
       end
 
-      should respond_with :unauthorized
-      should set_flash.now[:alert]
+      should redirect_to("the sign in page") { sign_in_path }
+      should set_flash[:alert]
 
       should "clear mfa_expires_at" do
         assert_nil @controller.session[:mfa_expires_at]
       end
 
-      should "render sign in page" do
-        page.assert_text "Sign in"
-      end
-
       should "not sign in the user" do
         refute_predicate @controller.request.env[:clearance], :signed_in?
       end
@@ -413,7 +449,7 @@ class PasswordsControllerTest < ActionController::TestCase
       @old_encrypted_password = @user.encrypted_password
     end
 
-    context "when not signed in" do
+    context "when not verified for password reset" do
       setup do
         put :update, params: {
           password_reset: { reset_api_key: "true", reset_api_keys: "true", password: PasswordHelpers::SECURE_TEST_PASSWORD }
@@ -433,57 +469,15 @@ class PasswordsControllerTest < ActionController::TestCase
       end
     end
 
-    context "when signed in as another user" do
+    context "when not verified for password reset" do
       setup do
-        @other_user = create(:user, api_key: "otheruserkey")
-        @other_api_key = @other_user.api_key
-        @other_new_api_key = create(:api_key, owner: @other_user, key: "rubygems_otheruserkey")
-        @other_old_encrypted_password = @other_user.encrypted_password
-        sign_in_as @other_user
-        session[:verification] = 10.minutes.from_now
-        session[:verified_user] = @other_user.id
-
-        put :update, params: {
-          password_reset: { reset_api_key: "true", reset_api_keys: "true", password: PasswordHelpers::SECURE_TEST_PASSWORD }
-        }
-      end
-
-      teardown do
-        session[:verification] = nil
-        session[:verified_user] = nil
-      end
-
-      should redirect_to("the dashboard") { dashboard_path }
-
-      should "not change the signed in user's api_key" do
-        assert_equal(@user.reload.api_key, @api_key)
-      end
-      should "not change the sign in user's password" do
-        assert_equal(@user.reload.encrypted_password, @old_encrypted_password)
-      end
-
-      # The password controller does not care who is signed in.
-      should "change logged in user's api_key" do
-        refute_equal(@other_user.reload.api_key, @other_api_key)
-      end
-      should "change logged in user's password" do
-        refute_equal(@other_user.reload.encrypted_password, @other_old_encrypted_password)
-      end
-      should "expire logged in user's new api key" do
-        assert_empty @other_user.reload.api_keys.unexpired
-        refute_empty @other_user.reload.api_keys.expired
-      end
-    end
-
-    context "when signed in but not verified" do
-      setup do
-        sign_in_as @user
         put :update, params: {
           password_reset: { password: PasswordHelpers::SECURE_TEST_PASSWORD }
         }
       end
 
-      should redirect_to("the verification page") { verify_session_path }
+      should redirect_to("the sign in page") { sign_in_path }
+      should set_flash[:alert].to "Please double check the URL or try submitting a new password reset."
 
       should "not change api_key" do
         assert_equal(@user.reload.api_key, @api_key)
@@ -496,13 +490,7 @@ class PasswordsControllerTest < ActionController::TestCase
     context "when signed in" do
       setup do
         sign_in_as @user
-        session[:verification] = 10.minutes.from_now
-        session[:verified_user] = @user.id
-      end
-
-      teardown do
-        session[:verification] = nil
-        session[:verified_user] = nil
+        get :edit, params: { token: @user.confirmation_token }
       end
 
       context "with invalid password" do
@@ -513,6 +501,7 @@ class PasswordsControllerTest < ActionController::TestCase
         end
 
         should respond_with :success
+        should set_flash.now[:alert].to "Your password could not be changed. Please try again."
 
         should "not change api_key" do
           assert_equal(@user.reload.api_key, @api_key)
@@ -520,9 +509,6 @@ class PasswordsControllerTest < ActionController::TestCase
         should "not change password" do
           assert_equal(@user.reload.encrypted_password, @old_encrypted_password)
         end
-        should "alert about invalid password" do
-          assert_equal "Your password could not be changed. Please try again.", flash[:alert]
-        end
       end
 
       context "with a valid password" do
@@ -536,7 +522,7 @@ class PasswordsControllerTest < ActionController::TestCase
           end
 
           should set_flash[:alert]
-          should redirect_to("the verification page") { verify_session_path }
+          should redirect_to("the sign in page") { sign_in_path }
 
           should "not sign the user out" do
             assert_predicate @controller.request.env[:clearance], :signed_in?
diff --git a/test/functional/profiles_controller_test.rb b/test/functional/profiles_controller_test.rb
index 876d60a8381..1cfbb165ec8 100644
--- a/test/functional/profiles_controller_test.rb
+++ b/test/functional/profiles_controller_test.rb
@@ -106,8 +106,8 @@ class ProfilesControllerTest < ActionController::TestCase
       should respond_with :success
 
       should "render user delete page" do
-        page.assert_text "Delete profile"
-        page.assert_selector "input[type=password][autocomplete=current-password]"
+        assert_text "Delete profile"
+        assert_selector "input[type=password][autocomplete=current-password]"
       end
     end
 
diff --git a/test/functional/rubygems_controller_test.rb b/test/functional/rubygems_controller_test.rb
index 0bf2ff07e61..68c698ac0e1 100644
--- a/test/functional/rubygems_controller_test.rb
+++ b/test/functional/rubygems_controller_test.rb
@@ -86,9 +86,9 @@ class RubygemsControllerTest < ActionController::TestCase
       should respond_with :success
 
       should "include the security events" do
-        page.assert_text "Owner Added"
-        page.assert_text "Owner Confirmed"
-        page.assert_text "Owner Removed"
+        assert_text "Owner Added"
+        assert_text "Owner Confirmed"
+        assert_text "Owner Removed"
       end
     end
   end
diff --git a/test/functional/searches_controller_test.rb b/test/functional/searches_controller_test.rb
index 63a7b2dd576..050f11b5236 100644
--- a/test/functional/searches_controller_test.rb
+++ b/test/functional/searches_controller_test.rb
@@ -70,19 +70,19 @@ class SearchesControllerTest < ActionController::TestCase
 
     should respond_with :success
     should "see sinatra on the page in the results" do
-      page.assert_text(@sinatra.name)
-      page.assert_selector("a[href='#{rubygem_path(@sinatra.slug)}']")
+      assert_text @sinatra.name
+      assert_selector "a[href='#{rubygem_path(@sinatra.slug)}']"
     end
     should "not see brando on the page in the results" do
-      page.assert_no_text(@brando.name)
-      page.assert_no_selector("a[href='#{rubygem_path(@brando.slug)}']")
+      refute_text @brando.name
+      refute_selector "a[href='#{rubygem_path(@brando.slug)}']"
     end
     should "display pagination summary" do
-      page.assert_text("all 2 gems")
+      assert page.has_text?("all 2 gems")
     end
     should "not see suggestions" do
-      page.assert_no_text("Did you mean")
-      page.assert_no_selector(".search-suggestions")
+      refute_text "Did you mean"
+      refute_selector ".search-suggestions"
     end
   end
 
@@ -112,19 +112,19 @@ class SearchesControllerTest < ActionController::TestCase
 
     should respond_with :success
     should "see sinatra on the page in the suggestions" do
-      page.assert_text("Did you mean")
-      assert page.find(".search__suggestions").has_content?(@sinatra.name)
-      assert page.has_selector?("a[href='#{search_path(query: @sinatra.name)}']")
+      assert_text "Did you mean"
+      assert_text @sinatra.name, page.find(".search__suggestions")
+      assert_selector "a[href='#{search_path(query: @sinatra.name)}']"
     end
     should "not see sinatra on the page in the results" do
-      page.assert_no_selector("a[href='#{rubygem_path(@sinatra.slug)}']")
+      refute_selector "a[href='#{rubygem_path(@sinatra.slug)}']"
     end
     should "not see brando on the page in the results" do
-      page.assert_no_text(@brando.name)
-      page.assert_no_selector("a[href='#{rubygem_path(@brando.slug)}']")
+      refute_text @brando.name
+      refute_selector "a[href='#{rubygem_path(@brando.slug)}']"
     end
     should "not see filters" do
-      page.assert_no_text("Filter")
+      refute_text "Filter"
     end
   end
 
@@ -141,10 +141,10 @@ class SearchesControllerTest < ActionController::TestCase
     should respond_with :success
 
     should "see sinatra_redux on the page in the results" do
-      page.assert_selector("a[href='#{rubygem_path(@sinatra_redux.slug)}']")
+      assert_selector "a[href='#{rubygem_path(@sinatra_redux.slug)}']"
     end
     should "not see sinatra on the page in the results" do
-      page.assert_no_selector("a[href='#{rubygem_path(@sinatra.slug)}']")
+      refute_selector "a[href='#{rubygem_path(@sinatra.slug)}']"
     end
   end
 
diff --git a/test/functional/sessions_controller_test.rb b/test/functional/sessions_controller_test.rb
index 7ef1f39db51..b617beb7842 100644
--- a/test/functional/sessions_controller_test.rb
+++ b/test/functional/sessions_controller_test.rb
@@ -474,8 +474,8 @@ class SessionsControllerTest < ActionController::TestCase
     end
 
     should "render sign-in form" do
-      page.assert_text("Sign in")
-      page.assert_selector("input[type=password][autocomplete=current-password]")
+      assert_text "Sign in"
+      assert_selector "input[type=password][autocomplete=current-password]"
     end
   end
 
diff --git a/test/functional/stats_controller_test.rb b/test/functional/stats_controller_test.rb
index e3de08a451f..84768c6adf8 100644
--- a/test/functional/stats_controller_test.rb
+++ b/test/functional/stats_controller_test.rb
@@ -58,12 +58,13 @@ class StatsControllerTest < ActionController::TestCase
     end
 
     should "not have width greater than 100%" do
-      assert_select ".stats__graph__gem__meter" do |element|
-        element.pluck(:style).each do |width|
-          width =~ /width: (\d+[,.]\d+)%/
+      assert page.has_selector?(".stats__graph__gem__meter")
 
-          assert_operator Regexp.last_match(1).to_f, :<=, 100, "#{Regexp.last_match(1)} is greater than 100"
-        end
+      page.find_all(".stats__graph__gem__meter").each do |element|
+        assert element["data-stats-width-value"]
+        width = element["data-stats-width-value"].to_f
+
+        assert_operator width, :<=, 100, "#{width} is greater than 100"
       end
     end
   end
diff --git a/test/functional/subscriptions_controller_test.rb b/test/functional/subscriptions_controller_test.rb
index d0ce9a69bc3..6407699103d 100644
--- a/test/functional/subscriptions_controller_test.rb
+++ b/test/functional/subscriptions_controller_test.rb
@@ -7,6 +7,31 @@ class SubscriptionsControllerTest < ActionController::TestCase
     sign_in_as(@user)
   end
 
+  context "on GET to index when the user is not subscribed to any gems" do
+    setup do
+      get :index
+    end
+
+    should respond_with :success
+
+    should "render 'no subscriptions' message" do
+      assert page.has_content?("You're not subscribed to any gems yet.")
+    end
+  end
+
+  context "on GET to index when the user is subscribed" do
+    setup do
+      create(:subscription, rubygem: @rubygem, user: @user)
+      get :index
+    end
+
+    should respond_with :success
+
+    should "show the gem name" do
+      assert page.has_content?(@rubygem.name)
+    end
+  end
+
   context "On POST to create for a gem that the user is not subscribed to" do
     setup do
       post :create, params: { rubygem_id: @rubygem.slug }
diff --git a/test/functional/users_controller_test.rb b/test/functional/users_controller_test.rb
index c038a29023a..0173d72abb3 100644
--- a/test/functional/users_controller_test.rb
+++ b/test/functional/users_controller_test.rb
@@ -11,8 +11,8 @@ class UsersControllerTest < ActionController::TestCase
     should render_template(:new)
 
     should "render the new user form" do
-      page.assert_text "Sign up"
-      page.assert_selector "input[type=password][autocomplete=new-password]"
+      assert_text "Sign up"
+      assert_selector "input[type=password][autocomplete=new-password]"
     end
 
     context "when logged in" do
diff --git a/test/functional/versions_controller_test.rb b/test/functional/versions_controller_test.rb
index fcdbca198a3..6b6a4ddec8a 100644
--- a/test/functional/versions_controller_test.rb
+++ b/test/functional/versions_controller_test.rb
@@ -107,7 +107,7 @@ class VersionsControllerTest < ActionController::TestCase
         The date displayed was specified by the author in the gemspec.
       NOTICE
 
-      assert_select ".gem__version__date", text: "- January 01, 2000*", count: 1 do |elements|
+      assert_select ".gem__version__date", text: "January 01, 2000*", count: 1 do |elements|
         version = elements.first
 
         assert_equal(tooltip_text, version["data-tooltip"])
diff --git a/test/gems/sigstore-1.0.0.gem b/test/gems/sigstore-1.0.0.gem
new file mode 100644
index 00000000000..5e669016dc3
Binary files /dev/null and b/test/gems/sigstore-1.0.0.gem differ
diff --git a/test/gems/sigstore-1.0.0.gem.sigstore.json b/test/gems/sigstore-1.0.0.gem.sigstore.json
new file mode 100644
index 00000000000..657949847a3
--- /dev/null
+++ b/test/gems/sigstore-1.0.0.gem.sigstore.json
@@ -0,0 +1 @@
+{"mediaType":"application/vnd.dev.sigstore.bundle.v0.3+json","verificationMaterial":{"certificate":{"rawBytes":"MIIIMzCCB7mgAwIBAgIUPP5IhTe2WtPWZQRUj2XjDqiiTyEwCgYIKoZIzj0EAwMwNzEVMBMGA1UEChMMc2lnc3RvcmUuZGV2MR4wHAYDVQQDExVzaWdzdG9yZS1pbnRlcm1lZGlhdGUwHhcNMjQwODE5MjIxMDQxWhcNMjQwODE5MjIyMDQxWjAAMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ0RRhDNQ5iLcioTLcjjBbw8yiFEatf9mkBEFtvNotLsZ7YukcrRlns+BwlOhSMQcjhP+/JDULnyRAP3LDRPShqOCBtgwggbUMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzAdBgNVHQ4EFgQU8nymsHXqKdr2Gpdc5nX09mR72zMwHwYDVR0jBBgwFoAU39Ppz1YkEZb5qNjpKFWixi4YZD8wgaUGA1UdEQEB/wSBmjCBl4aBlGh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS1jb25mb3JtYW5jZS9leHRyZW1lbHktZGFuZ2Vyb3VzLXB1YmxpYy1vaWRjLWJlYWNvbi8uZ2l0aHViL3dvcmtmbG93cy9leHRyZW1lbHktZGFuZ2Vyb3VzLW9pZGMtYmVhY29uLnltbEByZWZzL2hlYWRzL21haW4wOQYKKwYBBAGDvzABAQQraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTAfBgorBgEEAYO/MAECBBF3b3JrZmxvd19kaXNwYXRjaDA2BgorBgEEAYO/MAEDBCgwZjc1OTkyZGM3NTU5NTBiMjA4MTE1ZDZmMjkwYzg3YTcxYTNhZWRlMC0GCisGAQQBg78wAQQEH0V4dHJlbWVseSBkYW5nZXJvdXMgT0lEQyBiZWFjb24wSQYKKwYBBAGDvzABBQQ7c2lnc3RvcmUtY29uZm9ybWFuY2UvZXh0cmVtZWx5LWRhbmdlcm91cy1wdWJsaWMtb2lkYy1iZWFjb24wHQYKKwYBBAGDvzABBgQPcmVmcy9oZWFkcy9tYWluMDsGCisGAQQBg78wAQgELQwraHR0cHM6Ly90b2tlbi5hY3Rpb25zLmdpdGh1YnVzZXJjb250ZW50LmNvbTCBpgYKKwYBBAGDvzABCQSBlwyBlGh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS1jb25mb3JtYW5jZS9leHRyZW1lbHktZGFuZ2Vyb3VzLXB1YmxpYy1vaWRjLWJlYWNvbi8uZ2l0aHViL3dvcmtmbG93cy9leHRyZW1lbHktZGFuZ2Vyb3VzLW9pZGMtYmVhY29uLnltbEByZWZzL2hlYWRzL21haW4wOAYKKwYBBAGDvzABCgQqDCgwZjc1OTkyZGM3NTU5NTBiMjA4MTE1ZDZmMjkwYzg3YTcxYTNhZWRlMB0GCisGAQQBg78wAQsEDwwNZ2l0aHViLWhvc3RlZDBeBgorBgEEAYO/MAEMBFAMTmh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS1jb25mb3JtYW5jZS9leHRyZW1lbHktZGFuZ2Vyb3VzLXB1YmxpYy1vaWRjLWJlYWNvbjA4BgorBgEEAYO/MAENBCoMKDBmNzU5OTJkYzc1NTk1MGIyMDgxMTVkNmYyOTBjODdhNzFhM2FlZGUwHwYKKwYBBAGDvzABDgQRDA9yZWZzL2hlYWRzL21haW4wGQYKKwYBBAGDvzABDwQLDAk2MzI1OTY4OTcwNwYKKwYBBAGDvzABEAQpDCdodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUtY29uZm9ybWFuY2UwGQYKKwYBBAGDvzABEQQLDAkxMzE4MDQ1NjMwgaYGCisGAQQBg78wARIEgZcMgZRodHRwczovL2dpdGh1Yi5jb20vc2lnc3RvcmUtY29uZm9ybWFuY2UvZXh0cmVtZWx5LWRhbmdlcm91cy1wdWJsaWMtb2lkYy1iZWFjb24vLmdpdGh1Yi93b3JrZmxvd3MvZXh0cmVtZWx5LWRhbmdlcm91cy1vaWRjLWJlYWNvbi55bWxAcmVmcy9oZWFkcy9tYWluMDgGCisGAQQBg78wARMEKgwoMGY3NTk5MmRjNzU1OTUwYjIwODExNWQ2ZjI5MGM4N2E3MWEzYWVkZTAhBgorBgEEAYO/MAEUBBMMEXdvcmtmbG93X2Rpc3BhdGNoMIGCBgorBgEEAYO/MAEVBHQMcmh0dHBzOi8vZ2l0aHViLmNvbS9zaWdzdG9yZS1jb25mb3JtYW5jZS9leHRyZW1lbHktZGFuZ2Vyb3VzLXB1YmxpYy1vaWRjLWJlYWNvbi9hY3Rpb25zL3J1bnMvMTA0NjE2NzgwMzUvYXR0ZW1wdHMvMTAWBgorBgEEAYO/MAEWBAgMBnB1YmxpYzCBiwYKKwYBBAHWeQIEAgR9BHsAeQB3AN09MGrGxxEyYxkeHJlnNwKiSl643jyt/4eKcoAvKe6OAAABkWyxQh4AAAQDAEgwRgIhAKo2Keb5q4OZIwh4iKDTde96+2BqMs4mBKjEU+6upNHNAiEA5wQHYBqAf9zEx8BbjbjEfg4hZP/s+NxxQI3dSPs7pngwCgYIKoZIzj0EAwMDaAAwZQIxAJLtd6ybF8WBnJlXW+4bvzKVnshOTh9Neoo/w8pldDrQHskIGqXRpmww6Xn9/Bij7QIwGLgbt6+ZXxnG0PFCTWMc+ZWjnnQkO+l9Y1gA6d6qi0OpJhkrBHEV8aTLqkPEkOb/"},"tlogEntries":[{"logIndex":"122963775","logId":{"keyId":"wNI9atQGlz+VWfO6LRygH4QUfY/8W4RFwiT5i5WRgB0="},"kindVersion":{"kind":"hashedrekord","version":"0.0.1"},"integratedTime":"1724105442","inclusionPromise":{"signedEntryTimestamp":"MEQCICgb3uAmDGlq7s+nkAcZ8fD0owzTwVymrzdFMT8d3LCVAiBsFMaj3rfpJzH3rngwalmkASo/bVj8hfWZTEBn9YornQ=="},"inclusionProof":{"logIndex":"1059513","rootHash":"/putP9z3Wss1HCFfDnWmpoa5i8l6WSZeW8XjIgpesm0=","treeSize":"1059514","hashes":["wnH/WECZ5+6nW4nogb4SIPHovLLVBkjJS6L2IUhh+5A=","Q8AmXrXnAEx+KtY/ftlNpoZHIDteiU093akegCKg9hg=","ARspm9MPppfljtu65QhY4zbFe+hgM9sh8BKUa9S42n0=","b8SrajRKbl/sbAkAtv6QLZ2Nq0a5yXAutxBUYCh3UZE=","6WaHP8iph/o/IEco+nWaj+Zb6EgGQbmz8QJ/QpujBCc=","PGV88p37MXO7aoOk8agunetUKPT+id/bPhQB5DR6bKo=","5ttUjdynHsMkxOw13D7urPJiKtAOMg9iZ2c6h7Gp0G4=","UORwhDZHpmRr46aYc0xce9Ibvxq2skbMMMOLkyhLlkQ=","HLt0TJCVl85VuVuUGesK0DTeWljDvsbKPLIsB2GNt+c="],"checkpoint":{"envelope":"rekor.sigstore.dev - 1193050959916656506\n1059514\n/putP9z3Wss1HCFfDnWmpoa5i8l6WSZeW8XjIgpesm0=\n\n— rekor.sigstore.dev wNI9ajBFAiAVGjyS7gu+/F744y3qmjS32jfsakwaJXcIokIVVOU+wQIhALQHbZh7RDoV2uXsBK18uClNWH/FdlgxS7RNtdAg33s/\n"}},"canonicalizedBody":"eyJhcGlWZXJzaW9uIjoiMC4wLjEiLCJraW5kIjoiaGFzaGVkcmVrb3JkIiwic3BlYyI6eyJkYXRhIjp7Imhhc2giOnsiYWxnb3JpdGhtIjoic2hhMjU2IiwidmFsdWUiOiI3NzMzOTE1OWMzNzdkYjM2YjkyMTg1MjFiZGQxOTNkMjFlMWI4NmIzZGJjZDdhZjUzYjkwNGZiNWY0ZDRhYjU0In19LCJzaWduYXR1cmUiOnsiY29udGVudCI6Ik1FWUNJUURvVnZnalNXV2JNVTNJaVEyR0hvMC9DS1R1Vms5UnBnL1laUWZONjl4N0NBSWhBTHg2UmFxTVZ1T2VYYUMyMnF5LzV0NE42OGp3MDZMOERPbUJqSEJDakZseiIsInB1YmxpY0tleSI6eyJjb250ZW50IjoiTFMwdExTMUNSVWRKVGlCRFJWSlVTVVpKUTBGVVJTMHRMUzB0Q2sxSlNVbE5la05EUWpkdFowRjNTVUpCWjBsVlVGQTFTV2hVWlRKWGRGQlhXbEZTVldveVdHcEVjV2xwVkhsRmQwTm5XVWxMYjFwSmVtb3dSVUYzVFhjS1RucEZWazFDVFVkQk1WVkZRMmhOVFdNeWJHNWpNMUoyWTIxVmRWcEhWakpOVWpSM1NFRlpSRlpSVVVSRmVGWjZZVmRrZW1SSE9YbGFVekZ3WW01U2JBcGpiVEZzV2tkc2FHUkhWWGRJYUdOT1RXcFJkMDlFUlRWTmFrbDRUVVJSZUZkb1kwNU5hbEYzVDBSRk5VMXFTWGxOUkZGNFYycEJRVTFHYTNkRmQxbElDa3R2V2tsNmFqQkRRVkZaU1V0dldrbDZhakJFUVZGalJGRm5RVVZLTUZKU2FFUk9VVFZwVEdOcGIxUk1ZMnBxUW1KM09IbHBSa1ZoZEdZNWJXdENSVVlLZEhaT2IzUk1jMW8zV1hWclkzSlNiRzV6SzBKM2JFOW9VMDFSWTJwb1VDc3ZTa1JWVEc1NVVrRlFNMHhFVWxCVGFIRlBRMEowWjNkbloySlZUVUUwUndwQk1WVmtSSGRGUWk5M1VVVkJkMGxJWjBSQlZFSm5UbFpJVTFWRlJFUkJTMEpuWjNKQ1owVkdRbEZqUkVGNlFXUkNaMDVXU0ZFMFJVWm5VVlU0Ym5sdENuTklXSEZMWkhJeVIzQmtZelZ1V0RBNWJWSTNNbnBOZDBoM1dVUldVakJxUWtKbmQwWnZRVlV6T1ZCd2VqRlphMFZhWWpWeFRtcHdTMFpYYVhocE5Ga0tXa1E0ZDJkaFZVZEJNVlZrUlZGRlFpOTNVMEp0YWtOQ2JEUmhRbXhIYURCa1NFSjZUMms0ZGxveWJEQmhTRlpwVEcxT2RtSlRPWHBoVjJSNlpFYzVlUXBhVXpGcVlqSTFiV0l6U25SWlZ6VnFXbE01YkdWSVVubGFWekZzWWtocmRGcEhSblZhTWxaNVlqTldla3hZUWpGWmJYaHdXWGt4ZG1GWFVtcE1WMHBzQ2xsWFRuWmlhVGgxV2pKc01HRklWbWxNTTJSMlkyMTBiV0pIT1ROamVUbHNaVWhTZVZwWE1XeGlTR3QwV2tkR2RWb3lWbmxpTTFaNlRGYzVjRnBIVFhRS1dXMVdhRmt5T1hWTWJteDBZa1ZDZVZwWFducE1NbWhzV1ZkU2Vrd3lNV2hoVnpSM1QxRlpTMHQzV1VKQ1FVZEVkbnBCUWtGUlVYSmhTRkl3WTBoTk5ncE1lVGt3WWpKMGJHSnBOV2haTTFKd1lqSTFla3h0WkhCa1IyZ3hXVzVXZWxwWVNtcGlNalV3V2xjMU1FeHRUblppVkVGbVFtZHZja0puUlVWQldVOHZDazFCUlVOQ1FrWXpZak5LY2xwdGVIWmtNVGxyWVZoT2QxbFlVbXBoUkVFeVFtZHZja0puUlVWQldVOHZUVUZGUkVKRFozZGFhbU14VDFScmVWcEhUVE1LVGxSVk5VNVVRbWxOYWtFMFRWUkZNVnBFV20xTmFtdDNXWHBuTTFsVVkzaFpWRTVvV2xkU2JFMURNRWREYVhOSFFWRlJRbWMzT0hkQlVWRkZTREJXTkFwa1NFcHNZbGRXYzJWVFFtdFpWelZ1V2xoS2RtUllUV2RVTUd4RlVYbENhVnBYUm1waU1qUjNVMUZaUzB0M1dVSkNRVWRFZG5wQlFrSlJVVGRqTW14dUNtTXpVblpqYlZWMFdUSTVkVnB0T1hsaVYwWjFXVEpWZGxwWWFEQmpiVlowV2xkNE5VeFhVbWhpYldSc1kyMDVNV041TVhka1YwcHpZVmROZEdJeWJHc0tXWGt4YVZwWFJtcGlNalIzU0ZGWlMwdDNXVUpDUVVkRWRucEJRa0puVVZCamJWWnRZM2s1YjFwWFJtdGplVGwwV1Zkc2RVMUVjMGREYVhOSFFWRlJRZ3BuTnpoM1FWRm5SVXhSZDNKaFNGSXdZMGhOTmt4NU9UQmlNblJzWW1rMWFGa3pVbkJpTWpWNlRHMWtjR1JIYURGWmJsWjZXbGhLYW1JeU5UQmFWelV3Q2t4dFRuWmlWRU5DY0dkWlMwdDNXVUpDUVVkRWRucEJRa05SVTBKc2QzbENiRWRvTUdSSVFucFBhVGgyV2pKc01HRklWbWxNYlU1MllsTTVlbUZYWkhvS1pFYzVlVnBUTVdwaU1qVnRZak5LZEZsWE5XcGFVemxzWlVoU2VWcFhNV3hpU0d0MFdrZEdkVm95Vm5saU0xWjZURmhDTVZsdGVIQlplVEYyWVZkU2FncE1WMHBzV1ZkT2RtSnBPSFZhTW13d1lVaFdhVXd6WkhaamJYUnRZa2M1TTJONU9XeGxTRko1V2xjeGJHSklhM1JhUjBaMVdqSldlV0l6Vm5wTVZ6bHdDbHBIVFhSWmJWWm9XVEk1ZFV4dWJIUmlSVUo1V2xkYWVrd3lhR3haVjFKNlRESXhhR0ZYTkhkUFFWbExTM2RaUWtKQlIwUjJla0ZDUTJkUmNVUkRaM2NLV21wak1VOVVhM2xhUjAwelRsUlZOVTVVUW1sTmFrRTBUVlJGTVZwRVdtMU5hbXQzV1hwbk0xbFVZM2haVkU1b1dsZFNiRTFDTUVkRGFYTkhRVkZSUWdwbk56aDNRVkZ6UlVSM2QwNWFNbXd3WVVoV2FVeFhhSFpqTTFKc1drUkNaVUpuYjNKQ1owVkZRVmxQTDAxQlJVMUNSa0ZOVkcxb01HUklRbnBQYVRoMkNsb3liREJoU0ZacFRHMU9kbUpUT1hwaFYyUjZaRWM1ZVZwVE1XcGlNalZ0WWpOS2RGbFhOV3BhVXpsc1pVaFNlVnBYTVd4aVNHdDBXa2RHZFZveVZua0tZak5XZWt4WVFqRlpiWGh3V1hreGRtRlhVbXBNVjBwc1dWZE9kbUpxUVRSQ1oyOXlRbWRGUlVGWlR5OU5RVVZPUWtOdlRVdEVRbTFPZWxVMVQxUkthd3BaZW1NeFRsUnJNVTFIU1hsTlJHZDRUVlJXYTA1dFdYbFBWRUpxVDBSa2FFNTZSbWhOTWtac1drZFZkMGgzV1V0TGQxbENRa0ZIUkhaNlFVSkVaMUZTQ2tSQk9YbGFWMXA2VERKb2JGbFhVbnBNTWpGb1lWYzBkMGRSV1V0TGQxbENRa0ZIUkhaNlFVSkVkMUZNUkVGck1rMTZTVEZQVkZrMFQxUmpkMDUzV1VzS1MzZFpRa0pCUjBSMmVrRkNSVUZSY0VSRFpHOWtTRkozWTNwdmRrd3laSEJrUjJneFdXazFhbUl5TUhaak1teHVZek5TZG1OdFZYUlpNamwxV20wNWVRcGlWMFoxV1RKVmQwZFJXVXRMZDFsQ1FrRkhSSFo2UVVKRlVWRk1SRUZyZUUxNlJUUk5SRkV4VG1wTmQyZGhXVWREYVhOSFFWRlJRbWMzT0hkQlVrbEZDbWRhWTAxbldsSnZaRWhTZDJONmIzWk1NbVJ3WkVkb01WbHBOV3BpTWpCMll6SnNibU16VW5aamJWVjBXVEk1ZFZwdE9YbGlWMFoxV1RKVmRscFlhREFLWTIxV2RGcFhlRFZNVjFKb1ltMWtiR050T1RGamVURjNaRmRLYzJGWFRYUmlNbXhyV1hreGFWcFhSbXBpTWpSMlRHMWtjR1JIYURGWmFUa3pZak5LY2dwYWJYaDJaRE5OZGxwWWFEQmpiVlowV2xkNE5VeFhVbWhpYldSc1kyMDVNV041TVhaaFYxSnFURmRLYkZsWFRuWmlhVFUxWWxkNFFXTnRWbTFqZVRsdkNscFhSbXRqZVRsMFdWZHNkVTFFWjBkRGFYTkhRVkZSUW1jM09IZEJVazFGUzJkM2IwMUhXVE5PVkdzMVRXMVNhazU2VlRGUFZGVjNXV3BKZDA5RVJYZ0tUbGRSTWxwcVNUVk5SMDAwVGpKRk0wMVhSWHBaVjFacldsUkJhRUpuYjNKQ1owVkZRVmxQTDAxQlJWVkNRazFOUlZoa2RtTnRkRzFpUnpreldESlNjQXBqTTBKb1pFZE9iMDFKUjBOQ1oyOXlRbWRGUlVGWlR5OU5RVVZXUWtoUlRXTnRhREJrU0VKNlQyazRkbG95YkRCaFNGWnBURzFPZG1KVE9YcGhWMlI2Q21SSE9YbGFVekZxWWpJMWJXSXpTblJaVnpWcVdsTTViR1ZJVW5sYVZ6RnNZa2hyZEZwSFJuVmFNbFo1WWpOV2VreFlRakZaYlhod1dYa3hkbUZYVW1vS1RGZEtiRmxYVG5aaWFUbG9XVE5TY0dJeU5YcE1NMG94WW01TmRrMVVRVEJPYWtVeVRucG5kMDE2VlhaWldGSXdXbGN4ZDJSSVRYWk5WRUZYUW1kdmNncENaMFZGUVZsUEwwMUJSVmRDUVdkTlFtNUNNVmx0ZUhCWmVrTkNhWGRaUzB0M1dVSkNRVWhYWlZGSlJVRm5VamxDU0hOQlpWRkNNMEZPTURsTlIzSkhDbmg0UlhsWmVHdGxTRXBzYms1M1MybFRiRFkwTTJwNWRDODBaVXRqYjBGMlMyVTJUMEZCUVVKclYzbDRVV2cwUVVGQlVVUkJSV2QzVW1kSmFFRkxieklLUzJWaU5YRTBUMXBKZDJnMGFVdEVWR1JsT1RZck1rSnhUWE0wYlVKTGFrVlZLeloxY0U1SVRrRnBSVUUxZDFGSVdVSnhRV1k1ZWtWNE9FSmlhbUpxUlFwbVp6Um9XbEF2Y3l0T2VIaFJTVE5rVTFCek4zQnVaM2REWjFsSlMyOWFTWHBxTUVWQmQwMUVZVUZCZDFwUlNYaEJTa3gwWkRaNVlrWTRWMEp1U214WUNsY3JOR0oyZWt0V2JuTm9UMVJvT1U1bGIyOHZkemh3YkdSRWNsRkljMnRKUjNGWVVuQnRkM2MyV0c0NUwwSnBhamRSU1hkSFRHZGlkRFlyV2xoNGJrY0tNRkJHUTFSWFRXTXJXbGRxYm01UmEwOHJiRGxaTVdkQk5tUTJjV2t3VDNCS2FHdHlRa2hGVmpoaFZFeHhhMUJGYTA5aUx3b3RMUzB0TFVWT1JDQkRSVkpVU1VaSlEwRlVSUzB0TFMwdENnPT0ifX19fQ=="}]},"messageSignature":{"messageDigest":{"algorithm":"SHA2_256","digest":"dzORWcN32za5IYUhvdGT0h4bhrPbzXr1O5BPtfTUq1Q="},"signature":"MEYCIQDoVvgjSWWbMU3IiQ2GHo0/CKTuVk9Rpg/YZQfN69x7CAIhALx6RaqMVuOeXaC22qy/5t4N68jw06L8DOmBjHBCjFlz"}}
\ No newline at end of file
diff --git a/test/helpers/api_policy_helpers.rb b/test/helpers/api_policy_helpers.rb
new file mode 100644
index 00000000000..0d8ab5d7a7c
--- /dev/null
+++ b/test/helpers/api_policy_helpers.rb
@@ -0,0 +1,109 @@
+require_relative "policy_helpers"
+
+module ApiPolicyHelpers
+  extend ActiveSupport::Concern
+  include PolicyHelpers
+
+  class_methods do
+    def should_require_scope(scope, action)
+      context "requires #{scope} scope" do
+        should "deny ApiKey without scope" do
+          refute_authorized key_without_scope(scope), action
+        end
+
+        should "allow ApiKey with scope" do
+          assert_authorized key_with_scope(scope), action
+        end
+      end
+    end
+
+    def should_require_rubygem_scope(scope, action)
+      context "requires #{scope} and matching rubygem" do
+        should "deny ApiKey with rubygem without scope" do
+          refute_authorized key_without_scope(scope, rubygem: @rubygem), action
+        end
+
+        should "deny ApiKey with scope but wrong rubygem" do
+          refute_authorized key_with_scope(scope, rubygem: create(:rubygem, owners: [@owner])), action
+        end
+
+        should "allow ApiKey with scope and rubygem" do
+          assert_authorized key_with_scope(scope, rubygem: @rubygem), action
+        end
+      end
+    end
+
+    def should_require_user_key(scope, action)
+      context "requires ApiKey owned by a user" do
+        should "deny ApiKey not owned by a user" do
+          refute_authorized trusted_publisher_key(scope), action, I18n.t(:api_key_forbidden)
+        end
+
+        should "allow ApiKey owned by a user" do
+          assert_authorized key_with_scope(scope), action
+        end
+      end
+    end
+
+    def should_require_mfa(scope, action)
+      context "mfa required" do
+        setup do
+          GemDownload.increment(Rubygem::MFA_REQUIRED_THRESHOLD + 1, rubygem_id: @rubygem.id)
+          @rubygem.reload
+        end
+
+        should "deny ApiKey with owner.mfa_required_not_yet_enabled?" do
+          assert_predicate @owner, :mfa_required_not_yet_enabled?
+          refute_authorized key_with_scope(scope), action, I18n.t("multifactor_auths.api.mfa_required_not_yet_enabled")
+        end
+
+        should "deny ApiKey with owner.mfa_required_weak_level_enabled?" do
+          @owner.enable_totp!(ROTP::Base32.random_base32, :ui_only)
+
+          assert_predicate @owner, :mfa_required_weak_level_enabled?
+          refute_authorized key_with_scope(scope), action, I18n.t("multifactor_auths.api.mfa_required_weak_level_enabled")
+        end
+
+        should "allow ApiKey with strong level mfa" do
+          @owner.enable_totp!(ROTP::Base32.random_base32, :ui_and_api)
+
+          assert_predicate @owner, :strong_mfa_level?
+          assert_authorized key_with_scope(scope), action
+        end
+      end
+    end
+
+    def should_delegate_to_policy(scope, action, policy_class)
+      context "delegates to #{policy_class}##{action}" do
+        should "allow if the #{policy_class} allows #{action}" do
+          policy_class.any_instance.stubs(action => true)
+
+          assert_authorized key_with_scope(scope), action
+        end
+
+        should "deny if the #{policy_class} denies #{action}" do
+          policy_class.any_instance.stubs(action => false, :error => "error")
+
+          refute_authorized key_with_scope(scope), action, "error"
+        end
+      end
+    end
+  end
+
+  def trusted_publisher_key(scope)
+    create(:api_key, :trusted_publisher, scopes: [scope])
+  end
+
+  def key_without_scope(scopes, **)
+    scopes = (ApiKey::APPLICABLE_GEM_API_SCOPES - Array.wrap(scopes)).sample(2)
+    key_with_scope(scopes, **)
+  end
+
+  def key_with_scope(scopes, owner: @owner, **)
+    create(:api_key, owner:, scopes: Array.wrap(scopes), **)
+  end
+
+  def refute_authorized(actor, action, message = I18n.t(:api_key_insufficient_scope))
+    super
+  end
+end
diff --git a/test/helpers/avo_helpers.rb b/test/helpers/avo_helpers.rb
new file mode 100644
index 00000000000..1927d7b4bf1
--- /dev/null
+++ b/test/helpers/avo_helpers.rb
@@ -0,0 +1,24 @@
+module AvoHelpers
+  def avo_sign_in_as(user)
+    OmniAuth.config.mock_auth[:github] = OmniAuth::AuthHash.new(
+      provider: "github",
+      uid: "1",
+      credentials: {
+        token: user.oauth_token,
+        expires: false
+      },
+      info: {
+        name: user.login
+      }
+    )
+
+    @ip_address = create(:ip_address, ip_address: "127.0.0.1")
+
+    stub_github_info_request(user.info_data)
+
+    visit avo.root_path
+    click_button "Log in with GitHub"
+
+    page.assert_text user.login
+  end
+end
diff --git a/test/helpers/policy_helpers.rb b/test/helpers/policy_helpers.rb
new file mode 100644
index 00000000000..ad4901e5d72
--- /dev/null
+++ b/test/helpers/policy_helpers.rb
@@ -0,0 +1,31 @@
+module PolicyHelpers
+  extend ActiveSupport::Concern
+
+  def assert_authorized(policy_or_actor, action)
+    policy = policy_or_actor if policy_or_actor.is_a?(ApplicationPolicy)
+    policy ||= policy!(policy_or_actor)
+
+    result = policy.send(action)
+    flunk "Expected #{policy.class} to authorize #{action.inspect}\n#{pretty_print_policy(policy)}" unless result
+    flunk "Expected #{policy.class}##{action} not to produce an error: #{policy.error}\n#{pretty_print_policy(policy)}" if policy.error
+
+    assert result
+  end
+
+  def refute_authorized(policy_or_actor, action, message = nil)
+    policy = policy_or_actor if policy_or_actor.is_a?(ApplicationPolicy)
+    policy ||= policy!(policy_or_actor)
+
+    result = policy.send(action)
+    flunk "Expected #{policy.class} to deny #{action.inspect}\n#{pretty_print_policy(policy)}" if result
+    assert_equal message.chomp, policy.error&.chomp if message
+
+    refute result
+  end
+
+  def pretty_print_policy(policy)
+    user = policy.user.respond_to?(:handle) ? "#<User id: #{policy.user.id}, handle: #{policy.user.handle.inspect}>" : policy.user.inspect
+    error = policy.error ? "  Error: #{policy.error}\n" : nil
+    "#{error}  User: #{user}\n  Record: #{policy.record.inspect}"
+  end
+end
diff --git a/test/integration/about_page_test.rb b/test/integration/about_page_test.rb
deleted file mode 100644
index ed6ea009813..00000000000
--- a/test/integration/about_page_test.rb
+++ /dev/null
@@ -1,16 +0,0 @@
-require "test_helper"
-
-class AboutPageTest < ActionDispatch::IntegrationTest
-  def assert_about_page_i18n(local)
-    get page_url("about"), params: { locale: local }
-
-    assert_response :success
-    assert page.has_content? I18n.t("pages.about.title")
-  end
-
-  test "about page i18n for all supported languages" do
-    I18n.available_locales.each do |locale|
-      assert_about_page_i18n locale
-    end
-  end
-end
diff --git a/test/integration/api/v1/oidc/rubygem_trusted_publishers_controller_test.rb b/test/integration/api/v1/oidc/rubygem_trusted_publishers_controller_test.rb
index 637d6746a6f..64af8414c8c 100644
--- a/test/integration/api/v1/oidc/rubygem_trusted_publishers_controller_test.rb
+++ b/test/integration/api/v1/oidc/rubygem_trusted_publishers_controller_test.rb
@@ -62,7 +62,7 @@ class Api::V1::OIDC::RubygemTrustedPublishersControllerTest < ActionDispatch::In
 
     should "deny access" do
       assert_response :forbidden
-      assert_match "The API key doesn't have access", @response.body
+      assert_includes @response.body, "This API key cannot perform the specified action on this gem."
     end
   end
 
diff --git a/test/integration/api/v1/oidc/trusted_publisher_controller_test.rb b/test/integration/api/v1/oidc/trusted_publisher_controller_test.rb
index 5ce5bcd204a..98286492fd6 100644
--- a/test/integration/api/v1/oidc/trusted_publisher_controller_test.rb
+++ b/test/integration/api/v1/oidc/trusted_publisher_controller_test.rb
@@ -45,6 +45,20 @@ def jwt(claims = @claims, key: @pkey)
   end
 
   context "POST exchange_token" do
+    should "return invalid request with no JWT" do
+      post api_v1_oidc_trusted_publisher_exchange_token_path
+
+      assert_response :bad_request
+      assert_equal({ "error" => "Request is missing param 'jwt'" }, response.parsed_body)
+    end
+
+    should "return invalid request with integer JWT" do
+      post api_v1_oidc_trusted_publisher_exchange_token_path,
+        params: { jwt: 1 }
+
+      assert_response :bad_request
+    end
+
     should "return not found with no matching trusted publisher" do
       post api_v1_oidc_trusted_publisher_exchange_token_path,
         params: { jwt: jwt.to_s }
@@ -108,6 +122,24 @@ def jwt(claims = @claims, key: @pkey)
       assert_response :bad_request
     end
 
+    %w[nbf exp iat iss jti].each do |claim|
+      should "return bad request with missing/invalid #{claim}" do
+        payload = jwt # generates jwt hash
+        payload[claim] = ["a"]
+
+        post api_v1_oidc_trusted_publisher_exchange_token_path,
+          params: { jwt: payload.to_s }
+
+        assert_response :bad_request
+
+        payload.delete claim
+        post api_v1_oidc_trusted_publisher_exchange_token_path,
+          params: { jwt: payload.to_s }
+
+        assert_response :bad_request
+      end
+    end
+
     should "return not found when time is before nbf" do
       @claims["nbf"] += 1_000_000
       trusted_publisher = build(:oidc_trusted_publisher_github_action,
diff --git a/test/integration/api/v1/owner_test.rb b/test/integration/api/v1/owner_test.rb
index 1bff0a5706e..936b49c6124 100644
--- a/test/integration/api/v1/owner_test.rb
+++ b/test/integration/api/v1/owner_test.rb
@@ -63,13 +63,13 @@ class Api::V1::OwnerTest < ActionDispatch::IntegrationTest
       params: { email: @other_user.email },
       headers: { "HTTP_AUTHORIZATION" => @other_user_api_key }
 
-    assert_response :unauthorized
+    assert_response :forbidden
 
     delete api_v1_rubygem_owners_path(@rubygem.slug),
       params: { email: @other_user.email },
       headers: { "HTTP_AUTHORIZATION" => @other_user_api_key }
 
-    assert_response :unauthorized
+    assert_response :forbidden
 
     post api_v1_rubygem_owners_path(@rubygem.slug),
       params: { email: @other_user.email },
diff --git a/test/integration/api/v2/version_information_test.rb b/test/integration/api/v2/version_information_test.rb
index cb5b4aa1da4..e24ca4f672a 100644
--- a/test/integration/api/v2/version_information_test.rb
+++ b/test/integration/api/v2/version_information_test.rb
@@ -29,9 +29,10 @@ def request_endpoint(rubygem, version, format = "json")
   test "has required fields" do
     request_endpoint(@rubygem, "2.0.0")
     json_response = JSON.load(@response.body)
-    json_response["sha"]
-    json_response["platform"]
-    json_response["ruby_version"]
+
+    assert json_response.key?("sha")
+    assert json_response.key?("platform")
+    assert json_response.key?("ruby_version")
   end
 
   test "version does not exist" do
diff --git a/test/integration/avo/attestations_controller_test.rb b/test/integration/avo/attestations_controller_test.rb
new file mode 100644
index 00000000000..313642a7f62
--- /dev/null
+++ b/test/integration/avo/attestations_controller_test.rb
@@ -0,0 +1,25 @@
+require "test_helper"
+
+class Avo::AttestationsControllerTest < ActionDispatch::IntegrationTest
+  include AdminHelpers
+
+  test "getting attestations as admin" do
+    admin_sign_in_as create(:admin_github_user, :is_admin)
+
+    get avo.resources_attestations_path
+
+    assert_response :success
+
+    attestation = create(:attestation)
+
+    get avo.resources_attestations_path
+
+    assert_response :success
+    page.assert_text attestation.media_type
+
+    get avo.resources_attestation_path(attestation)
+
+    assert_response :success
+    page.assert_text attestation.media_type
+  end
+end
diff --git a/test/integration/avo/gem_name_reservations_controller_test.rb b/test/integration/avo/gem_name_reservations_controller_test.rb
index 58abc37dacb..57574ab3731 100644
--- a/test/integration/avo/gem_name_reservations_controller_test.rb
+++ b/test/integration/avo/gem_name_reservations_controller_test.rb
@@ -10,8 +10,14 @@ class Avo::GemNameReservationsControllerTest < ActionDispatch::IntegrationTest
     get avo.resources_gem_name_reservations_path
 
     assert_response :success
+  end
+
+  test "resource search_query scope" do
+    requires_avo_pro
+
+    admin_sign_in_as create(:admin_github_user, :is_admin)
+    create(:gem_name_reservation, name: "hello")
 
-    # test resource search_query scope
     get avo.avo_api_search_path(q: "hello")
 
     assert_response :success
diff --git a/test/integration/null_char_param_test.rb b/test/integration/null_char_param_test.rb
index 0d32fb3ad35..bc0ebd713ad 100644
--- a/test/integration/null_char_param_test.rb
+++ b/test/integration/null_char_param_test.rb
@@ -15,9 +15,13 @@ class NullCharParamTest < ActionDispatch::IntegrationTest
 
   test "cookie with null character responds with bad request for sign in" do
     get "/users/new", headers: { "HTTP_COOKIE" => "remember_token=php://input%00.;rubygems_session=php://input%00." }
+
+    assert_response :bad_request
   end
 
   test "cookie with null character responds with bad request for releases page" do
     get "/releases/popular", headers: { "HTTP_COOKIE" => "rubygems_session=php://input%00." }
+
+    assert_response :bad_request
   end
 end
diff --git a/test/integration/organizations/onboarding/confirm_controller_test.rb b/test/integration/organizations/onboarding/confirm_controller_test.rb
new file mode 100644
index 00000000000..e7a51033729
--- /dev/null
+++ b/test/integration/organizations/onboarding/confirm_controller_test.rb
@@ -0,0 +1,52 @@
+require "test_helper"
+
+class Organizations::Onboarding::ConfirmControllerTest < ActionDispatch::IntegrationTest
+  setup do
+    @user = create(:user, remember_token_expires_at: Gemcutter::REMEMBER_FOR.from_now)
+    post session_path(session: { who: @user.handle, password: PasswordHelpers::SECURE_TEST_PASSWORD })
+
+    @collaborator = create(:user, :mfa_enabled)
+    @rubygem = create(:rubygem, owners: [@user, @collaborator])
+
+    @organization_onboarding = create(
+      :organization_onboarding,
+      :gem,
+      created_by: @user,
+      namesake_rubygem: @rubygem,
+      approved_invites: [{ user: @collaborator, role: "maintainer" }]
+    )
+  end
+
+  context "GET #show" do
+    should "to render the show template" do
+      get "/organizations/onboarding/confirm"
+
+      assert_response :ok
+    end
+  end
+
+  context "PATCH #update" do
+    should "onboard the organization and render a success message" do
+      patch "/organizations/onboarding/confirm"
+
+      assert_redirected_to organization_path(@organization_onboarding.reload.organization)
+
+      follow_redirect!
+
+      assert page.has_content?("Organization onboarded successfully")
+
+      assert_predicate @organization_onboarding.reload, :completed?
+    end
+
+    should "fail to onboard the organization and render an error message" do
+      @conflicting_org = create(:organization, handle: @organization_onboarding.organization_handle)
+
+      patch "/organizations/onboarding/confirm"
+
+      assert page.has_content?("Onboarding error: Validation failed: Handle has already been taken")
+
+      assert_predicate @organization_onboarding.reload, :failed?
+      assert_nil @organization_onboarding.organization
+    end
+  end
+end
diff --git a/test/integration/organizations/onboarding/gems_controller_test.rb b/test/integration/organizations/onboarding/gems_controller_test.rb
new file mode 100644
index 00000000000..a17bf7a5ab8
--- /dev/null
+++ b/test/integration/organizations/onboarding/gems_controller_test.rb
@@ -0,0 +1,50 @@
+require "test_helper"
+
+class Organizations::Onboarding::GemsControllerTest < ActionController::TestCase
+  setup do
+    @user = create(:user, :mfa_enabled)
+    @namesake_rubygem = create(:rubygem, owners: [@user])
+    @gem = create(:rubygem, owners: [@user])
+    @organization_onboarding = create(
+      :organization_onboarding,
+      created_by: @user,
+      namesake_rubygem: @namesake_rubygem,
+      status: :pending,
+      organization_handle: @namesake_rubygem.name,
+      organization_name: "Existing Name"
+    )
+
+    sign_in_as(@user)
+  end
+
+  context "PATCH update" do
+    should "save the selected gems and redirect to the next step" do
+      patch :update, params: { organization_onboarding: { rubygems: [@gem.id] } }
+
+      assert_redirected_to organization_onboarding_users_path
+      assert_equal [@namesake_rubygem.id, @gem.id], @organization_onboarding.reload.rubygems
+    end
+
+    should "allow selecting no additional gems" do
+      patch :update
+
+      assert_redirected_to organization_onboarding_users_path
+      assert_equal [@namesake_rubygem.id], @organization_onboarding.reload.rubygems
+    end
+
+    should "ignore empty params" do
+      patch :update, params: { organization_onboarding: { rubygems: [""] } }
+
+      assert_redirected_to organization_onboarding_users_path
+      assert_equal [@namesake_rubygem.id], @organization_onboarding.reload.rubygems
+    end
+
+    should "invalidate unknown gems" do
+      notmygem = create(:rubygem)
+      patch :update, params: { organization_onboarding: { rubygems: [notmygem.id] } }
+
+      assert_response :unprocessable_entity
+      assert_equal [@namesake_rubygem.id], @organization_onboarding.reload.rubygems
+    end
+  end
+end
diff --git a/test/integration/organizations/onboarding/name_controller_test.rb b/test/integration/organizations/onboarding/name_controller_test.rb
new file mode 100644
index 00000000000..b7c091cd762
--- /dev/null
+++ b/test/integration/organizations/onboarding/name_controller_test.rb
@@ -0,0 +1,60 @@
+require "test_helper"
+
+class Organizations::Onboarding::NameControllerTest < ActionController::TestCase
+  setup do
+    @user = create(:user, :mfa_enabled)
+    @gem = create(:rubygem, owners: [@user])
+
+    sign_in_as(@user)
+  end
+
+  context "GET new" do
+    should "ask the user to start creating a new organization" do
+      get :new
+
+      assert_select "input[name=?]", "organization_onboarding[organization_name]"
+    end
+
+    context "when the user has an existing onboarding" do
+      setup do
+        @organization_onboarding = create(:organization_onboarding, created_by: @user, status: :pending, organization_name: "Existing Name")
+      end
+
+      should "render with the in-progress onboarding" do
+        get :new
+
+        assert_select "input[name=?][value=?]", "organization_onboarding[organization_name]", @organization_onboarding.organization_name
+      end
+    end
+  end
+
+  context "POST create" do
+    should "create a new onboarding and redirect to the next step" do
+      post :create, params: { organization_onboarding: { organization_name: "New Name", organization_handle: @gem.name, name_type: "gem" } }
+
+      assert OrganizationOnboarding.exists?(organization_name: "New Name", organization_handle: @gem.name, name_type: "gem")
+      assert_redirected_to organization_onboarding_gems_path
+    end
+
+    context "when the user has an existing onboarding" do
+      setup do
+        @organization_onboarding = create(:organization_onboarding, created_by: @user, status: :pending, organization_name: "Existing Name")
+      end
+
+      should "update the existing onboarding and redirect to the next step" do
+        post :create, params: { organization_onboarding: { organization_name: "Updated Name" } }
+
+        assert_redirected_to organization_onboarding_gems_path
+        assert_equal "Updated Name", @organization_onboarding.reload.organization_name
+      end
+    end
+
+    context "when the onboarding is invalid" do
+      should "render the form with an error" do
+        post :create, params: { organization_onboarding: { organization_name: "" } }
+
+        assert_response :unprocessable_entity
+      end
+    end
+  end
+end
diff --git a/test/integration/organizations/onboarding/users_controller_test.rb b/test/integration/organizations/onboarding/users_controller_test.rb
new file mode 100644
index 00000000000..97eaeb5f1c2
--- /dev/null
+++ b/test/integration/organizations/onboarding/users_controller_test.rb
@@ -0,0 +1,123 @@
+require "test_helper"
+
+class Organizations::Onboarding::UsersControllerTest < ActionController::TestCase
+  setup do
+    @user = create(:user, :mfa_enabled)
+    @other_users = create_list(:user, 2)
+    @rubygem = create(:rubygem, owners: [@user, *@other_users])
+
+    sign_in_as(@user)
+
+    @organization_onboarding = create(
+      :organization_onboarding,
+      created_by: @user,
+      namesake_rubygem: @rubygem
+    )
+
+    @invites = @organization_onboarding.invites.to_a
+  end
+
+  test "render the list of users to invite" do
+    get :edit
+
+    assert_response :ok
+    # assert a text field has has the handle
+    @invites.each_with_index do |invite, idx|
+      assert_select "input[name='organization_onboarding[invites_attributes][#{idx}][id]'][value='#{invite.id}']"
+      assert_select "select[name='organization_onboarding[invites_attributes][#{idx}][role]']"
+    end
+  end
+
+  test "should update invites ignoring blank rows" do
+    patch :update, params: {
+      organization_onboarding: {
+        invites_attributes: {
+          "0" => { id: @invites[0].id, role: "maintainer" },
+          "1" => { id: @invites[1].id, role: "" }
+        }
+      }
+    }
+
+    assert_redirected_to organization_onboarding_confirm_path
+
+    @organization_onboarding.reload
+
+    assert_equal "maintainer", @organization_onboarding.invites.find_by(user_id: @other_users[0].id).role
+    assert_nil @organization_onboarding.invites.find_by(user_id: @other_users[1].id).role
+  end
+
+  test "should update invites ignoring user_id in invites_attributes" do
+    patch :update, params: {
+      organization_onboarding: {
+        invites_attributes: {
+          "0" => { id: @invites[0].id, role: "maintainer" },
+          "1" => { user_id: @invites[1].user.id, role: "owner" }
+        }
+      }
+    }
+
+    assert_redirected_to organization_onboarding_confirm_path
+
+    @organization_onboarding.reload
+
+    assert_equal "maintainer", @organization_onboarding.invites.find_by(user_id: @other_users[0].id).role
+    assert_nil @organization_onboarding.invites.find_by(user_id: @other_users[1].id).role
+    assert_equal 1, @organization_onboarding.approved_invites.count
+  end
+
+  test "should update multiple users" do
+    patch :update, params: {
+      organization_onboarding: {
+        invites_attributes: {
+          "0" => { id: @invites[0].id, role: "maintainer" },
+          "1" => { id: @invites[1].id, role: "admin" }
+        }
+      }
+    }
+
+    assert_redirected_to organization_onboarding_confirm_path
+
+    @organization_onboarding.reload
+
+    assert_equal "maintainer", @organization_onboarding.invites.find_by(user_id: @other_users[0].id).role
+    assert_equal "admin", @organization_onboarding.invites.find_by(user_id: @other_users[1].id).role
+  end
+
+  test "should update users including existing invites" do
+    patch :update, params: {
+      organization_onboarding: {
+        invites_attributes: {
+          "0" => { id: @invites[0].id, role: "admin" },
+          "1" => { id: @invites[1].id, role: "maintainer" }
+        }
+      }
+    }
+
+    @organization_onboarding.reload
+
+    assert_redirected_to organization_onboarding_confirm_path
+    assert_equal "admin", @organization_onboarding.invites.find_by(user_id: @other_users[0].id).role
+    assert_equal "maintainer", @organization_onboarding.invites.find_by(user_id: @other_users[1].id).role
+
+    get :edit
+
+    assert_select "input[name='organization_onboarding[invites_attributes][0][id]'][value='#{@invites[0].id}']"
+    assert_select "select[name='organization_onboarding[invites_attributes][0][role]'] option[selected][value='admin']"
+    assert_select "input[name='organization_onboarding[invites_attributes][1][id]'][value='#{@invites[1].id}']"
+    assert_select "select[name='organization_onboarding[invites_attributes][1][role]'] option[selected][value='maintainer']"
+
+    patch :update, params: {
+      organization_onboarding: {
+        invites_attributes: {
+          "0" => { id: @invites[0].id, role: "maintainer" },
+          "1" => { id: @invites[1].id, role: "" }
+        }
+      }
+    }
+
+    @organization_onboarding.reload
+
+    assert_equal "maintainer", @organization_onboarding.invites.find_by(user_id: @other_users[0].id).role
+    assert_nil @organization_onboarding.invites.find_by(user_id: @other_users[1].id).role
+  end
+end
diff --git a/test/integration/organizations/onboarding_test.rb b/test/integration/organizations/onboarding_test.rb
new file mode 100644
index 00000000000..8158d94a655
--- /dev/null
+++ b/test/integration/organizations/onboarding_test.rb
@@ -0,0 +1,51 @@
+require "test_helper"
+
+class Organizations::OnboardingControllerTest < ActionDispatch::IntegrationTest
+  setup do
+    @user = create(:user, remember_token_expires_at: Gemcutter::REMEMBER_FOR.from_now)
+    post session_path(session: { who: @user.handle, password: PasswordHelpers::SECURE_TEST_PASSWORD })
+  end
+
+  context "GET /organizations/onboarding" do
+    should "redirect to onboarding start page" do
+      get "/organizations/onboarding"
+
+      assert_redirected_to organization_onboarding_name_path
+    end
+  end
+
+  context "DELETE /organizations/onboarding" do
+    should "not destroy an OrganizationOnboarding that is already completed" do
+      organization_onboarding = create(:organization_onboarding, :completed, created_by: @user)
+
+      delete "/organizations/onboarding"
+
+      assert_redirected_to dashboard_path
+      assert OrganizationOnboarding.exists?(id: organization_onboarding.id)
+    end
+
+    should "destroy a pending OrganizationOnboarding created by the current user" do
+      organization_onboarding = create(:organization_onboarding, created_by: @user)
+
+      delete "/organizations/onboarding"
+
+      assert_redirected_to dashboard_path
+      refute OrganizationOnboarding.exists?(id: organization_onboarding.id)
+    end
+
+    should "destroy a failed OrganizationOnboarding created by the current user" do
+      organization_onboarding = create(:organization_onboarding, :failed, created_by: @user)
+
+      delete "/organizations/onboarding"
+
+      assert_redirected_to dashboard_path
+      refute OrganizationOnboarding.exists?(id: organization_onboarding.id)
+    end
+
+    should "redirect to the dashboarding if the current user has not started organization onboarding" do
+      delete "/organizations/onboarding"
+
+      assert_redirected_to dashboard_path
+    end
+  end
+end
diff --git a/test/integration/owner_test.rb b/test/integration/owner_test.rb
index d7aa11e91bb..e13015369cc 100644
--- a/test/integration/owner_test.rb
+++ b/test/integration/owner_test.rb
@@ -256,6 +256,44 @@ class OwnerTest < SystemTest
     refute page.has_content? @other_user.handle
   end
 
+  test "updating user to maintainer role" do
+    maintainer = create(:user)
+    create(:ownership, user: maintainer, rubygem: @rubygem)
+
+    visit_ownerships_page
+
+    within_element owner_row(maintainer) do
+      click_button "Edit"
+    end
+
+    select "Maintainer", from: "role"
+
+    click_button "Update"
+
+    assert_cell maintainer, "Role", "Maintainer"
+  end
+
+  test "editing the ownership of the current user" do
+    visit_ownerships_page
+
+    within_element owner_row(@user) do
+      assert_selector "button[disabled]", text: "Edit"
+    end
+  end
+
+  test "creating new owner with maintainer role" do
+    maintainer = create(:user)
+
+    visit_ownerships_page
+
+    fill_in "Handle", with: maintainer.handle
+    select "Maintainer", from: "role"
+
+    click_button "Add Owner"
+
+    assert_cell maintainer, "Role", "Maintainer"
+  end
+
   teardown do
     @authenticator&.remove!
     Capybara.reset_sessions!
diff --git a/test/integration/pages_test.rb b/test/integration/pages_test.rb
index 25cce82ef58..d326d207682 100644
--- a/test/integration/pages_test.rb
+++ b/test/integration/pages_test.rb
@@ -1,20 +1,55 @@
 require "test_helper"
 
 class PagesTest < SystemTest
-  test "renders existing page" do
-    visit "/"
-    click_link "About"
-
-    assert page.has_content? "Welcome to RubyGems.org"
-  end
-
   test "gracefully fails on unknown page" do
     assert_raises(ActionController::RoutingError) do
       visit "/pages/not-existing-one"
     end
+  end
 
+  test "it only allows html format" do
     assert_raises(ActionController::RoutingError) do
       visit "/pages/data.zip"
     end
   end
+
+  test "renders /pages/about for all supported languages" do
+    I18n.available_locales.each do |locale|
+      visit "/?locale=#{locale}"
+      click_link I18n.t("layouts.application.footer.about")
+
+      assert page.has_content? I18n.t("pages.about.title")
+    end
+  end
+
+  test "renders /pages/download" do
+    rubygem = create(:rubygem, name: "rubygems-update")
+    create(:version, number: "1.4.8", rubygem: rubygem)
+    create(:version,
+      number: "3.5.22",
+      created_at: Time.zone.local(2024, 10, 16),
+      rubygem: rubygem)
+
+    visit "/pages/download"
+
+    assert page.has_content?("v3.5.22 - October 16, 2024")
+  end
+
+  test "renders /pages/data" do
+    visit "/pages/data"
+
+    assert page.has_content?("PostgreSQL Data")
+  end
+
+  test "renders /pages/security" do
+    visit "/pages/security"
+
+    assert page.has_content?("Security")
+  end
+
+  test "renders /pages/sponsors" do
+    visit "/pages/sponsors"
+
+    assert page.has_content?("Sponsors")
+  end
 end
diff --git a/test/integration/password_reset_test.rb b/test/integration/password_reset_test.rb
index 7ddc617c325..327ff07a8a0 100644
--- a/test/integration/password_reset_test.rb
+++ b/test/integration/password_reset_test.rb
@@ -38,11 +38,8 @@ def forgot_password_with(email)
     fill_in "Password", with: PasswordHelpers::SECURE_TEST_PASSWORD
     click_button "Save this password"
 
-    assert_equal dashboard_path, page.current_path
+    assert_equal sign_in_path, page.current_path
 
-    click_link "Sign out"
-
-    visit sign_in_path
     fill_in "Email or Username", with: @user.email
     fill_in "Password", with: PasswordHelpers::SECURE_TEST_PASSWORD
     click_button "Sign in"
@@ -55,8 +52,6 @@ def forgot_password_with(email)
 
     visit password_reset_link
 
-    assert page.has_content?("Sign out")
-
     fill_in "Password", with: ""
     click_button "Save this password"
 
@@ -75,6 +70,7 @@ def forgot_password_with(email)
     fill_in "Password", with: PasswordHelpers::SECURE_TEST_PASSWORD
     click_button "Save this password"
 
+    assert_equal sign_in_path, page.current_path
     assert @user.reload.authenticated? PasswordHelpers::SECURE_TEST_PASSWORD
   end
 
@@ -113,6 +109,7 @@ def forgot_password_with(email)
     fill_in "Password", with: PasswordHelpers::SECURE_TEST_PASSWORD
     click_button "Save this password"
 
+    assert_equal sign_in_path, page.current_path
     assert @user.reload.authenticated? PasswordHelpers::SECURE_TEST_PASSWORD
 
     assert_event Events::UserEvent::PASSWORD_CHANGED, {},
@@ -130,10 +127,13 @@ def forgot_password_with(email)
     fill_in "otp", with: ROTP::TOTP.new(@user.totp_seed).now
     click_button "Authenticate"
 
-    assert page.has_content?("Sign out")
+    refute page.has_content?("Sign out")
 
     fill_in "Password", with: PasswordHelpers::SECURE_TEST_PASSWORD
     click_button "Save this password"
+
+    assert_equal sign_in_path, page.current_path
+    assert @user.reload.authenticated? PasswordHelpers::SECURE_TEST_PASSWORD
   end
 
   test "resetting a password when mfa is enabled but mfa session is expired" do
@@ -166,9 +166,9 @@ def forgot_password_with(email)
     fill_in "Password", with: PasswordHelpers::SECURE_TEST_PASSWORD
     click_button "Save this password"
 
-    find(:css, ".header__popup-link").click
-
-    assert page.has_content?("SIGN OUT")
+    assert page.has_content?("Sign in")
+    assert_equal sign_in_path, page.current_path
+    assert @user.reload.authenticated? PasswordHelpers::SECURE_TEST_PASSWORD
   end
 
   test "resetting password when webauthn is enabled using recovery codes" do
@@ -190,9 +190,9 @@ def forgot_password_with(email)
     fill_in "Password", with: PasswordHelpers::SECURE_TEST_PASSWORD
     click_button "Save this password"
 
-    find(:css, ".header__popup-link").click
-
-    assert page.has_content?("SIGN OUT")
+    assert page.has_content?("Sign in")
+    assert_equal sign_in_path, page.current_path
+    assert @user.reload.authenticated? PasswordHelpers::SECURE_TEST_PASSWORD
   end
 
   test "resetting password with pending email change" do
diff --git a/test/integration/profile_test.rb b/test/integration/profile_test.rb
index 748e159fb10..8585cfed4ad 100644
--- a/test/integration/profile_test.rb
+++ b/test/integration/profile_test.rb
@@ -88,7 +88,7 @@ def sign_out
     assert_changes -> { @user.reload.mail_fails }, from: 1, to: 0 do
       visit link
 
-      assert page.has_selector? "#flash_notice", text: "Your email address has been verified"
+      assert page.has_content?("Your email address has been verified")
       visit edit_profile_path
 
       assert page.has_selector? "input[value='nick2@example.com']"
@@ -166,8 +166,9 @@ def sign_out
 
   test "seeing ownership calls and requests" do
     rubygem = create(:rubygem, owners: [@user], number: "1.0.0")
+    requested_gem = create(:rubygem, number: "2.0.0")
     create(:ownership_call, rubygem: rubygem, user: @user, note: "special note")
-    create(:ownership_request, rubygem: rubygem, user: @user, note: "request note")
+    create(:ownership_request, rubygem: requested_gem, user: @user, note: "request note")
 
     sign_in
     visit profile_path("nick1")
diff --git a/test/integration/push_test.rb b/test/integration/push_test.rb
index b3ec204aa0f..ae4471a3852 100644
--- a/test/integration/push_test.rb
+++ b/test/integration/push_test.rb
@@ -8,6 +8,66 @@ class PushTest < ActionDispatch::IntegrationTest
     @key = "12345"
     @user = create(:user)
     create(:api_key, owner: @user, key: @key, scopes: %i[push_rubygem])
+
+    stub_request(:get, "https://tuf-repo-cdn.sigstore.dev/10.root.json")
+      .to_return(status: 404, body: "", headers: {})
+  end
+
+  test "multipart" do
+    rubygem = create(:rubygem, name: "sigstore", number: "0.0.1")
+    create(:ownership, rubygem: rubygem, user: @user)
+
+    rubygem_trusted_publisher = create(:oidc_rubygem_trusted_publisher, rubygem: rubygem)
+    rubygem_trusted_publisher.trusted_publisher.update!(
+      repository_owner: "sigstore-conformance",
+      repository_name: "extremely-dangerous-public-oidc-beacon",
+      workflow_filename: "extremely-dangerous-oidc-beacon.yml"
+    )
+
+    @key = "543321"
+    create(:api_key, owner: rubygem_trusted_publisher.trusted_publisher, key: @key, scopes: %i[push_rubygem])
+
+    signing_jwt = ["", {
+      aud: "sigstore",
+      iat: Time.zone.now.to_i - 60,
+      exp: Time.zone.now.to_i + 60,
+      nbf: Time.zone.now.to_i - 60,
+      iss: "sigstore-conformance",
+      sub: "sigstore-conformance"
+    }.to_json, ""].map { Base64.strict_encode64(_1) }.join(".")
+
+    Pusher.any_instance.stubs(:sigstore_signing_jwt).returns(signing_jwt)
+    Sigstore::Signer.any_instance.stubs(:sign).returns({})
+    bundle = JSON.parse(File.read(gem_file("sigstore-1.0.0.gem.sigstore.json")))
+
+    post api_v1_rubygems_path,
+         params: { "gem" => Rack::Test::UploadedFile.new(gem_file("sigstore-1.0.0.gem"), "application/octet-stream"),
+                   "attestations" => JSON.dump([bundle]) },
+         headers: { "CONTENT_TYPE" => "multipart/mixed", "HTTP_AUTHORIZATION" => @key }
+
+    assert_response :success, response.body
+
+    get info_path("sigstore")
+    info_file = response.body
+
+    assert_response :success
+    assert_equal <<~INFO, info_file
+      ---
+      0.0.1 |checksum:b5d4045c3f466fa91fe2cc6abe79232a1a57cdf104f7a26e716e0a1e2789df78,ruby:>= 2.0.0,rubygems:>= 2.6.3
+      1.0.0 |checksum:#{Digest::SHA256.hexdigest File.binread(gem_file('sigstore-1.0.0.gem'))}
+    INFO
+    assert_equal Digest::MD5.hexdigest(info_file), Rubygem.find_by!(name: "sigstore").versions.find_by(number: "1.0.0").info_checksum
+
+    get api_v2_rubygem_version_path("sigstore", "1.0.0", format: "json")
+
+    assert_response :success
+
+    assert_equal [["application/vnd.dev.sigstore.bundle.v0.3+json", bundle]], Attestation.pluck(:media_type, :body)
+
+    get api_v1_attestation_path("sigstore-1.0.0", format: "json")
+
+    assert_response :success
+    assert_equal [bundle], response.parsed_body
   end
 
   test "pushing a gem" do
@@ -77,7 +137,7 @@ class PushTest < ActionDispatch::IntegrationTest
 
     push_gem "sandworm-2.0.0.gem"
 
-    assert_response :success
+    assert_response :success, response.body
 
     perform_enqueued_jobs
     perform_enqueued_jobs only: ActionMailer::MailDeliveryJob
diff --git a/test/integration/routing_test.rb b/test/integration/routing_test.rb
index 173e9a28fc8..8bbe312016f 100644
--- a/test/integration/routing_test.rb
+++ b/test/integration/routing_test.rb
@@ -38,6 +38,7 @@ def contoller_in_ui?(controller)
       format_path.gsub!(":id", "someid")
       format_path.gsub!("*id", "about") # used in high voltage route
       format_path.gsub!(":version_id", "someid")
+      format_path.gsub!(":organization_id", "someid")
 
       assert_nothing_raised do
         # ex: get(/password/new?format=json)
diff --git a/test/integration/rubygems_test.rb b/test/integration/rubygems_test.rb
index f6d1095e31a..1fc945eed7e 100644
--- a/test/integration/rubygems_test.rb
+++ b/test/integration/rubygems_test.rb
@@ -12,9 +12,20 @@ class RubygemsTest < ActionDispatch::IntegrationTest
     assert page.has_content? "arrakis"
   end
 
-  test "gems list doesn't fall pray to path_params query param" do
+  test "gems list doesn't fall prey to path_params query param" do
     get "/gems?path_params=string"
 
     assert page.has_content? "arrakis"
   end
+
+  test "GET to show for a gem published with an attestation" do
+    rubygem = create(:rubygem, name: "attested", number: "1.0.0")
+    trusted_publisher = create(:oidc_rubygem_trusted_publisher, rubygem: rubygem)
+    create(:api_key, scopes: %i[push_rubygem], owner: trusted_publisher.trusted_publisher)
+    create(:attestation, version: rubygem.versions.sole)
+
+    get "/gems/attested"
+
+    assert page.has_content? "Provenance"
+  end
 end
diff --git a/test/integration/sign_in_test.rb b/test/integration/sign_in_test.rb
index dc24d2a5fd1..da222320e5d 100644
--- a/test/integration/sign_in_test.rb
+++ b/test/integration/sign_in_test.rb
@@ -297,8 +297,8 @@ class SignInTest < SystemTest
     fill_in "Password", with: PasswordHelpers::SECURE_TEST_PASSWORD
     click_button "Sign in"
 
-    page.assert_text "Sign in"
-    page.assert_text "Bad email or password."
+    assert page.has_content? "Sign in"
+    assert page.has_content? "Bad email or password."
   end
 
   teardown do
diff --git a/test/integration/subscriptions_test.rb b/test/integration/subscriptions_test.rb
new file mode 100644
index 00000000000..6e7d65644bb
--- /dev/null
+++ b/test/integration/subscriptions_test.rb
@@ -0,0 +1,36 @@
+require "test_helper"
+
+class SubscriptionsTest < SystemTest
+  setup do
+    @user = create(:user)
+    @rubygem = create(:rubygem, name: "sandworm", number: "1.0.0")
+    @version = create(:version, rubygem: @rubygem, number: "1.1.1")
+  end
+
+  test "subscribe to a gem" do
+    visit subscriptions_path(as: @user.id)
+
+    assert page.has_content? "You're not subscribed to any gems yet."
+
+    visit rubygem_path(@rubygem.slug)
+
+    click_link "Subscribe"
+
+    assert page.has_content? "Unsubscribe"
+
+    visit dashboard_path
+
+    assert page.has_content? @rubygem.name
+    assert page.has_content? @version.number
+
+    visit subscriptions_path
+
+    assert page.has_content? @rubygem.name
+
+    page.find("button[title='Unsubscribe']").click # rubocop:disable Capybara/SpecificActions
+
+    visit subscriptions_path
+
+    assert page.has_content? "You're not subscribed to any gems yet."
+  end
+end
diff --git a/test/jobs/delete_user_job_test.rb b/test/jobs/delete_user_job_test.rb
index 77cbfcfa034..361d13954d3 100644
--- a/test/jobs/delete_user_job_test.rb
+++ b/test/jobs/delete_user_job_test.rb
@@ -134,9 +134,9 @@ class DeleteUserJobTest < ActiveJob::TestCase
     open_call = create(:ownership_call, rubygem: rubygem, user: user)
 
     other_call = create(:ownership_call, rubygem: other_rubygem, user: other_user)
-    closed_request = create(:ownership_request, ownership_call: other_call, rubygem: rubygem, user: user, status: :closed)
-    approved_request = create(:ownership_request, ownership_call: other_call, rubygem: rubygem, user: user, status: :approved)
-    open_request = create(:ownership_request, ownership_call: other_call, rubygem: rubygem, user: user)
+    closed_request = create(:ownership_request, ownership_call: other_call, rubygem: other_rubygem, user: user, status: :closed)
+    approved_request = create(:ownership_request, ownership_call: other_call, rubygem: other_rubygem, user: user, status: :approved)
+    open_request = create(:ownership_request, ownership_call: other_call, rubygem: other_rubygem, user: user)
     other_request = create(:ownership_request, ownership_call: open_call, rubygem: rubygem, user: other_user)
 
     assert_delete user
diff --git a/test/jobs/notify_web_hook_job_test.rb b/test/jobs/notify_web_hook_job_test.rb
index 7ab3aaa48c6..88425ca8012 100644
--- a/test/jobs/notify_web_hook_job_test.rb
+++ b/test/jobs/notify_web_hook_job_test.rb
@@ -46,30 +46,12 @@ class NotifyWebHookJobTest < ActiveJob::TestCase
     end
 
     should "succeed with hook relay" do
-      NotifyWebHookJob.any_instance.expects(:use_hook_relay?).once.returns(true)
       stub_request(:post, "https://api.hookrelay.dev/hooks///webhook_id-#{@hook.id}")
         .with(headers: {
                 "Content-Type" => "application/json",
                 "HR_TARGET_URL" => @hook.url,
                 "HR_MAX_ATTEMPTS" => "3"
-              }).to_return(status: 200, body: { id: 12_345 }.to_json)
-
-      perform_enqueued_jobs do
-        @job.enqueue
-      end
-
-      assert_performed_jobs 1, only: NotifyWebHookJob
-      assert_enqueued_jobs 0, only: NotifyWebHookJob
-    end
-
-    should "succeed without hook relay" do
-      NotifyWebHookJob.any_instance.expects(:use_hook_relay?).once.returns(false)
-      stub_request(:post, @hook.url)
-        .with(headers: {
-                "Content-Type" => "application/json",
-                "HR_TARGET_URL" => @hook.url,
-                "HR_MAX_ATTEMPTS" => "3"
-              }).to_return(status: 200, body: "")
+              }).to_return_json(status: 200, body: { id: 12_345 })
 
       perform_enqueued_jobs do
         @job.enqueue
@@ -87,30 +69,12 @@ class NotifyWebHookJobTest < ActiveJob::TestCase
     end
 
     should "discard the job on a 422 with hook relay" do
-      NotifyWebHookJob.any_instance.expects(:use_hook_relay?).twice.returns(true)
       stub_request(:post, "https://api.hookrelay.dev/hooks///webhook_id-#{@hook.id}")
         .with(headers: {
                 "Content-Type" => "application/json",
                 "HR_TARGET_URL" => @hook.url,
                 "HR_MAX_ATTEMPTS" => "3"
-              }).to_return(status: 422, body: { error: "Invalid url" }.to_json)
-
-      perform_enqueued_jobs do
-        @job.enqueue
-      end
-
-      assert_performed_jobs 1, only: NotifyWebHookJob
-      assert_enqueued_jobs 0, only: NotifyWebHookJob
-    end
-
-    should "finish the job on a 422 without hook relay" do
-      NotifyWebHookJob.any_instance.expects(:use_hook_relay?).once.returns(false)
-      stub_request(:post, @hook.url)
-        .with(headers: {
-                "Content-Type" => "application/json",
-                "HR_TARGET_URL" => @hook.url,
-                "HR_MAX_ATTEMPTS" => "3"
-              }).to_return(status: 422, body: "")
+              }).to_return_json(status: 422, body: { error: "Invalid url" })
 
       perform_enqueued_jobs do
         @job.enqueue
diff --git a/test/jobs/refresh_oidc_provider_job_test.rb b/test/jobs/refresh_oidc_provider_job_test.rb
index d11f87bf398..d90a7d2be12 100644
--- a/test/jobs/refresh_oidc_provider_job_test.rb
+++ b/test/jobs/refresh_oidc_provider_job_test.rb
@@ -142,4 +142,15 @@ def stub_requests(config_status: 200, jwks_status: 200, config_body: {}, jwks_bo
       assert_nil @provider.reload.configuration
     end
   end
+
+  context "when the config endpoint returns a different URI for jwks" do
+    setup do
+      stub_requests(config_body: { jwks_uri: "https://example.com/jwks" })
+    end
+
+    should "raise an error" do
+      assert_kind_of RefreshOIDCProviderJob::JWKSURIMismatchError, RefreshOIDCProviderJob.perform_now(provider: @provider)
+      assert_nil @provider.reload.configuration
+    end
+  end
 end
diff --git a/test/jobs/rstuf/check_job_test.rb b/test/jobs/rstuf/check_job_test.rb
index d45a535de96..9298770393d 100644
--- a/test/jobs/rstuf/check_job_test.rb
+++ b/test/jobs/rstuf/check_job_test.rb
@@ -47,6 +47,16 @@ class Rstuf::CheckJobTest < ActiveJob::TestCase
     end
   end
 
+  test "perform raises a retry exception on pre_run state and retries" do
+    retry_response = { "data" => { "state" => "PRE_RUN" } }
+    stub_request(:get, "#{Rstuf.base_url}/api/v1/task/?task_id=#{@task_id}")
+      .to_return(status: 200, body: retry_response.to_json, headers: { "Content-Type" => "application/json" })
+
+    assert_enqueued_with(job: Rstuf::CheckJob, args: [@task_id]) do
+      Rstuf::CheckJob.perform_now(@task_id)
+    end
+  end
+
   test "perform raises a retry exception on retry state and retries" do
     retry_response = { "data" => { "state" => "UNKNOWN" } }
     stub_request(:get, "#{Rstuf.base_url}/api/v1/task/?task_id=#{@task_id}")
diff --git a/test/jobs/verify_link_job_test.rb b/test/jobs/verify_link_job_test.rb
index 5874f7e0584..121aeed0224 100644
--- a/test/jobs/verify_link_job_test.rb
+++ b/test/jobs/verify_link_job_test.rb
@@ -199,4 +199,16 @@ class VerifyLinkJobTest < ActiveJob::TestCase
     assert_equal 1, @docs.failures_since_last_verification
     assert_enqueued_jobs 0, only: VerifyLinkJob
   end
+
+  test "does not retry link verification for localhost link" do
+    @home.update!(uri: "https://localhost")
+    freeze_time
+
+    VerifyLinkJob.perform_now(link_verification: @home)
+
+    refute_predicate @home.reload, :verified?
+    assert_nil @home.last_verified_at
+    assert_equal 1, @home.failures_since_last_verification
+    assert_enqueued_jobs 0, only: VerifyLinkJob
+  end
 end
diff --git a/test/lib/access_test.rb b/test/lib/access_test.rb
new file mode 100644
index 00000000000..190cffcfd73
--- /dev/null
+++ b/test/lib/access_test.rb
@@ -0,0 +1,46 @@
+require "test_helper"
+
+class AccessTest < ActiveSupport::TestCase
+  context "roles are correctly sequenced" do
+    should "be in the correct order" do
+      assert_operator Access::OWNER, :>, Access::ADMIN
+      assert_operator Access::ADMIN, :>, Access::MAINTAINER
+    end
+  end
+
+  context ".role_for_flag" do
+    should "return the role for a given permission flag" do
+      assert_equal "owner", Access.role_for_flag(Access::OWNER)
+    end
+
+    context "when the permission flag does not exist" do
+      should "raise an error" do
+        assert_raises(ArgumentError) { Access.role_for_flag(999) }
+      end
+    end
+  end
+
+  context ".flag_for_role" do
+    should "return the role for a given permission flag" do
+      assert_equal Access::OWNER, Access.flag_for_role("owner")
+    end
+
+    should "cast the given input into the correct type" do
+      assert_equal Access::OWNER, Access.flag_for_role(:owner)
+    end
+
+    context "when the role does not exist" do
+      should "raise an error" do
+        assert_raises(KeyError) { Access.flag_for_role("unknown") }
+      end
+    end
+  end
+
+  context ".with_minimum_role" do
+    should "return the range of roles for a given permission flag" do
+      assert_equal (Access::OWNER..), Access.with_minimum_role("owner")
+      assert_equal (Access::ADMIN..), Access.with_minimum_role("admin")
+      assert_equal (Access::MAINTAINER..), Access.with_minimum_role("maintainer")
+    end
+  end
+end
diff --git a/test/mailers/owners_test.rb b/test/mailers/owners_test.rb
new file mode 100644
index 00000000000..a4bd094fd7d
--- /dev/null
+++ b/test/mailers/owners_test.rb
@@ -0,0 +1,20 @@
+require "test_helper"
+
+class OwnersMailerTest < ActionMailer::TestCase
+  setup do
+    @owner = create(:user)
+    @maintainer = create(:user)
+    @rubygem = create(:rubygem, name: "test-gem")
+    @owner_ownership = create(:ownership, rubygem: @rubygem, user: @owner)
+    @maintainer_ownership = create(:ownership, rubygem: @rubygem, user: @maintainer)
+  end
+
+  context "#owner_updated" do
+    should "include host in subject" do
+      email = OwnersMailer.with(ownership: @maintainer_ownership).owner_updated
+
+      assert_emails(1) { email.deliver_now }
+      assert_equal email.subject, "Your role was updated for #{@rubygem.name} gem"
+    end
+  end
+end
diff --git a/test/mailers/previews/mailer_preview.rb b/test/mailers/previews/mailer_preview.rb
index 7487ff01316..e2241ae7712 100644
--- a/test/mailers/previews/mailer_preview.rb
+++ b/test/mailers/previews/mailer_preview.rb
@@ -96,6 +96,13 @@ def owner_added
     OwnersMailer.owner_added(user.id, owner.id, authorizer.id, gem.id)
   end
 
+  def owner_updated
+    ownership = Ownership.last
+    owner = User.last
+
+    OwnersMailer.with(ownership: ownership, authorizer: owner).owner_updated
+  end
+
   def api_key_created
     api_key = ApiKey.where(owner_type: "User").last
     Mailer.api_key_created(api_key.id)
@@ -215,4 +222,14 @@ def totp_disabled
 
     Mailer.totp_disabled(user_id, Time.now.utc)
   end
+
+  def admin_manual
+    Mailer.admin_manual(User.last, "A subject", <<~TEXT)
+      A body
+      with multiple lines
+      and a link to https://example.com
+      and an emoji 🎉
+      and a p tag <p foo="bar" style="color: yellow;">with html</p> and a <a href="https://example.com">link</a>
+    TEXT
+  end
 end
diff --git a/test/models/attestation_test.rb b/test/models/attestation_test.rb
new file mode 100644
index 00000000000..3d8eb1a4ecd
--- /dev/null
+++ b/test/models/attestation_test.rb
@@ -0,0 +1,7 @@
+require "test_helper"
+
+class AttestationTest < ActiveSupport::TestCase
+  should belong_to(:version)
+  should validate_presence_of(:media_type)
+  should validate_presence_of(:body)
+end
diff --git a/test/models/concerns/rubygem_searchable_test.rb b/test/models/concerns/rubygem_searchable_test.rb
index c72eeaf79de..d7089196e78 100644
--- a/test/models/concerns/rubygem_searchable_test.rb
+++ b/test/models/concerns/rubygem_searchable_test.rb
@@ -79,6 +79,48 @@ class RubygemSearchableTest < ActiveSupport::TestCase
         assert_equal v, json[k], "value doesn't match for key: #{k}"
       end
     end
+
+    should "set the suggest json" do
+      json = @rubygem.search_data
+
+      assert_equal "example_gem", json[:suggest][:input]
+    end
+
+    should "calculate the suggestion weight based on the number of downloads" do
+      weights = [
+        [0, 0],
+        [10, 1],
+        [100, 2],
+        [1_000, 3],
+        [10_000, 4],
+        [100_000, 5],
+        [1_000_000, 6],
+        [10_000_000, 7],
+        [100_000_000, 8],
+        [1_000_000_000, 9]
+      ]
+
+      weights.each do |downloads, weight|
+        @rubygem.gem_download.update(count: downloads)
+        json = @rubygem.search_data
+
+        assert_equal weight, json[:suggest][:weight]
+      end
+    end
+
+    context "when the number of downloads exceeds a 32 bit integer" do
+      setup do
+        @rubygem = create(:rubygem, name: "large_downloads_example_gem", downloads: 10_000_000_000) # 10 Billion downloads
+        @version = create(:version, number: "1.0.0", rubygem: @rubygem)
+        import_and_refresh
+      end
+
+      should "allow the number of downloads to be stored as a 64 bit integer" do
+        json = @rubygem.search_data
+
+        assert_equal 10_000_000_000, json[:downloads]
+      end
+    end
   end
 
   context "rubygems analyzer" do
diff --git a/test/models/gem_name_reservation_test.rb b/test/models/gem_name_reservation_test.rb
index 2a46647f449..809355804e0 100644
--- a/test/models/gem_name_reservation_test.rb
+++ b/test/models/gem_name_reservation_test.rb
@@ -13,21 +13,24 @@ class GemNameReservationTest < ActiveSupport::TestCase
     should_not allow_value("Abc").for(:name)
     should allow_value("abc").for(:name)
     should validate_uniqueness_of(:name).case_insensitive
+    should validate_length_of(:name).is_at_most(Gemcutter::MAX_FIELD_LENGTH)
   end
 
   context "#reserved?" do
     should "recognize reserved gem name" do
       create(:gem_name_reservation, name: "reserved-gem-name")
-      GemNameReservation.reserved?("reserved-gem-name")
+
+      assert GemNameReservation.reserved?("reserved-gem-name")
     end
 
     should "recognize reserved case insensitive gem name" do
       create(:gem_name_reservation, name: "reserved-gem-name")
-      GemNameReservation.reserved?("RESERVED-gem-name")
+
+      assert GemNameReservation.reserved?("RESERVED-gem-name")
     end
 
     should "recognize not reserved gem name" do
-      GemNameReservation.reserved?("totally-random-gem-name")
+      refute GemNameReservation.reserved?("totally-random-gem-name")
     end
   end
 end
diff --git a/test/models/gem_typo_exception_test.rb b/test/models/gem_typo_exception_test.rb
index f9d4acef3ac..1dc77b7fe9a 100644
--- a/test/models/gem_typo_exception_test.rb
+++ b/test/models/gem_typo_exception_test.rb
@@ -3,6 +3,7 @@
 class GemTypoExceptionTest < ActiveSupport::TestCase
   context "name validations" do
     should validate_uniqueness_of(:name).case_insensitive
+    should validate_length_of(:name).is_at_most(Gemcutter::MAX_FIELD_LENGTH)
 
     should "be a valid factory" do
       assert_predicate build(:gem_typo_exception), :valid?
diff --git a/test/models/linkset_test.rb b/test/models/linkset_test.rb
index 261890a1bcc..a57d2c58db9 100644
--- a/test/models/linkset_test.rb
+++ b/test/models/linkset_test.rb
@@ -36,4 +36,11 @@ class LinksetTest < ActiveSupport::TestCase
       assert_equal @spec.homepage, @linkset.home
     end
   end
+
+  context "validations" do
+    %w[home code docs wiki mail bugs].each do |link|
+      should allow_value("http://example.com").for(link.to_sym)
+      should validate_length_of(link).is_at_most(Gemcutter::MAX_FIELD_LENGTH)
+    end
+  end
 end
diff --git a/test/models/log_ticket_test.rb b/test/models/log_ticket_test.rb
index bd8cbd34fb6..876c42587fb 100644
--- a/test/models/log_ticket_test.rb
+++ b/test/models/log_ticket_test.rb
@@ -12,8 +12,10 @@ class LogTicketTest < ActiveSupport::TestCase
   end
 
   should "allow different keys for the same directory" do
-    LogTicket.create!(directory: "test", key: "bar")
-    LogTicket.create!(directory: "test", key: "baz")
+    assert_nothing_raised do
+      LogTicket.create!(directory: "test", key: "bar")
+      LogTicket.create!(directory: "test", key: "baz")
+    end
   end
 
   context "#pop" do
diff --git a/test/models/membership_test.rb b/test/models/membership_test.rb
new file mode 100644
index 00000000000..08d0bedce0b
--- /dev/null
+++ b/test/models/membership_test.rb
@@ -0,0 +1,31 @@
+require "test_helper"
+
+class MembershipTest < ActiveSupport::TestCase
+  should belong_to(:organization)
+  should belong_to(:user)
+
+  setup do
+    @organization = FactoryBot.create(:organization)
+    @user = FactoryBot.create(:user)
+  end
+
+  should "be unconfirmed by default" do
+    membership = Membership.create!(organization: @organization, user: @user)
+
+    assert_not(membership.confirmed?)
+    assert_empty(Membership.confirmed)
+  end
+
+  should "be confirmed with confirmed_at" do
+    membership = Membership.create!(organization: @organization, user: @user, confirmed_at: Time.zone.now)
+
+    assert_predicate(membership, :confirmed?)
+    assert_equal(Membership.confirmed, [membership])
+  end
+
+  should "have a default role" do
+    membership = Membership.create!(organization: @organization, user: @user)
+
+    assert_predicate membership, :maintainer?
+  end
+end
diff --git a/test/models/oidc/api_key_role_test.rb b/test/models/oidc/api_key_role_test.rb
index 790f6a1ee16..bce620fd32b 100644
--- a/test/models/oidc/api_key_role_test.rb
+++ b/test/models/oidc/api_key_role_test.rb
@@ -8,6 +8,8 @@ class OIDC::ApiKeyRoleTest < ActiveSupport::TestCase
   should have_many :id_tokens
   should validate_presence_of :api_key_permissions
   should validate_presence_of :access_policy
+  should validate_presence_of :name
+  should validate_length_of(:name).is_at_most(Gemcutter::MAX_FIELD_LENGTH)
 
   setup do
     @role = build(:oidc_api_key_role)
diff --git a/test/models/oidc/trusted_publisher/github_action_test.rb b/test/models/oidc/trusted_publisher/github_action_test.rb
index b87e8e63e8f..bae69432ff9 100644
--- a/test/models/oidc/trusted_publisher/github_action_test.rb
+++ b/test/models/oidc/trusted_publisher/github_action_test.rb
@@ -7,10 +7,22 @@ class OIDC::TrustedPublisher::GitHubActionTest < ActiveSupport::TestCase
   should have_many(:rubygem_trusted_publishers)
   should have_many(:api_keys).inverse_of(:owner)
 
-  should validate_presence_of(:repository_owner)
-  should validate_presence_of(:repository_name)
-  should validate_presence_of(:workflow_filename)
-  should validate_presence_of(:repository_owner_id)
+  context "validations" do
+    setup do
+      stub_request(:get, Addressable::Template.new("https://api.github.com/users/{user}"))
+        .to_return(status: 404, body: "", headers: {})
+    end
+    should validate_presence_of(:repository_owner)
+    should validate_length_of(:repository_owner).is_at_most(Gemcutter::MAX_FIELD_LENGTH)
+    should validate_presence_of(:repository_name)
+    should validate_length_of(:repository_name).is_at_most(Gemcutter::MAX_FIELD_LENGTH)
+    should validate_presence_of(:workflow_filename)
+    should validate_length_of(:workflow_filename).is_at_most(Gemcutter::MAX_FIELD_LENGTH)
+    should validate_presence_of(:repository_owner_id)
+    should validate_length_of(:repository_owner_id).is_at_most(Gemcutter::MAX_FIELD_LENGTH)
+
+    should validate_length_of(:environment).is_at_most(Gemcutter::MAX_FIELD_LENGTH)
+  end
 
   test "validates publisher uniqueness" do
     publisher = create(:oidc_trusted_publisher_github_action)
diff --git a/test/models/organization_onboarding_test.rb b/test/models/organization_onboarding_test.rb
new file mode 100644
index 00000000000..df92aeef198
--- /dev/null
+++ b/test/models/organization_onboarding_test.rb
@@ -0,0 +1,267 @@
+require "test_helper"
+
+class OrganizationOnboardingTest < ActiveSupport::TestCase
+  setup do
+    @owner = create(:user)
+    @maintainer = create(:user)
+    @rubygem = create(:rubygem, owners: [@owner], maintainers: [@maintainer])
+
+    @onboarding = create(
+      :organization_onboarding,
+      name_type: "gem",
+      organization_name: "Test Organization",
+      organization_handle: @rubygem.name,
+      created_by: @owner,
+      namesake_rubygem: @rubygem
+    )
+    maintainer_invite = @onboarding.invites.first
+    maintainer_invite.update(role: :maintainer)
+  end
+
+  context "validations" do
+    context "when the created_by field is blank" do
+      setup do
+        @onboarding.created_by = nil
+      end
+
+      should "require a onboarded by user" do
+        assert_predicate @onboarding, :invalid?
+        assert_equal ["must exist"], @onboarding.errors[:created_by]
+      end
+    end
+
+    context "when the user does not have the required gem roles" do
+      setup do
+        @onboarding.created_by = @maintainer
+      end
+
+      should "be invalid" do
+        assert_predicate @onboarding, :invalid?
+      end
+
+      should "add an error to the rubygems attribute" do
+        @onboarding.valid?
+
+        assert_equal ["must be an owner of the #{@rubygem.name} gem"], @onboarding.errors[:created_by]
+      end
+    end
+
+    context "when the user specifies a gem they do not own" do
+      setup do
+        @other_user = create(:user)
+        @other_rubygem = create(:rubygem, owners: [@other_user])
+        @onboarding.rubygems = [@other_rubygem.id]
+      end
+
+      should "be invalid" do
+        assert_predicate @onboarding, :invalid?
+      end
+
+      should "add an error to the rubygems attribute" do
+        @onboarding.valid?
+
+        assert_equal ["must be an owner of the #{@other_rubygem.name} gem"], @onboarding.errors[:created_by]
+      end
+
+      should "not add an invite for the users on the gem" do
+        @onboarding.save
+        @onboarding.reload
+
+        assert_nil @onboarding.invites.find_by(user_id: @other_user.id)
+      end
+    end
+
+    context "when the user specifices a user as the name of the organization" do
+      setup do
+        @onboarding.name_type = :user
+      end
+
+      should "set the Organization Onboarding handle to the handle of the User" do
+        assert_equal @rubygem.name, @onboarding.organization_handle
+      end
+    end
+
+    context "when the user specifies a gem as the name of the organization" do
+      setup do
+        @onboarding.name_type = :gem
+      end
+
+      context "when the name is a valid gem that the user owns" do
+        should "be valid" do
+          @onboarding.organization_handle = @rubygem.name
+
+          assert_predicate @onboarding, :valid?
+        end
+      end
+
+      context "when the name is not valid" do
+        should "it is ignored and set to the gem name" do
+          @onboarding.organization_handle = "invalid"
+
+          assert_predicate @onboarding, :invalid?
+        end
+      end
+    end
+  end
+
+  context "#set_user_handle" do
+    context "when the gem name is set to user" do
+      setup do
+        @onboarding.name_type = :user
+      end
+
+      should "automatically set the organization handle to the handle of the user" do
+        @onboarding.valid?
+
+        assert_equal @owner.handle, @onboarding.organization_handle
+      end
+    end
+  end
+
+  context "#available_rubygems" do
+    should "exclude gems that already have an organization" do
+      create(:rubygem, owners: [@owner], organization: create(:organization))
+
+      assert_equal [@rubygem], @onboarding.available_rubygems
+    end
+  end
+
+  context "#rubygems=" do
+    should "exclude gems that already have an organization" do
+      other_rubygem = create(:rubygem, owners: [@owner], organization: create(:organization))
+      @onboarding.rubygems = [@rubygem.id, other_rubygem.id]
+
+      assert_equal [@rubygem.id], @onboarding.rubygems
+    end
+
+    should "add invites for the owners and maintainers of the specified rubygems" do
+      other_user = create(:user)
+      rubygem = create(:rubygem, owners: [@owner, other_user])
+      @onboarding.rubygems = [rubygem.id]
+      @onboarding.save
+      @onboarding.reload
+
+      assert_equal [@maintainer, other_user].map(&:handle).sort, @onboarding.users.map(&:handle).sort
+    end
+  end
+
+  context "#invites_attributes=" do
+    should "allow upding the role of an existing invite" do
+      invite = @onboarding.invites.find_by(user_id: @maintainer.id)
+
+      assert_equal "maintainer", invite.role
+
+      @onboarding.invites_attributes = {
+        "0" => { id: invite.id, role: "admin" }
+      }
+
+      @onboarding.save
+
+      invite.reload
+
+      assert_equal "admin", invite.role
+    end
+
+    should "prevent adding users that are not already invited" do
+      other_user = create(:user)
+      @onboarding.invites_attributes = {
+        "0" => { user_id: other_user.id, role: "maintainer" }
+      }
+
+      assert_equal 1, @onboarding.invites.count
+      assert_nil @onboarding.invites.find_by(user_id: other_user.id)
+    end
+  end
+
+  context "#onboard!" do
+    setup do
+      @onboarding.onboard!
+    end
+
+    should "mark the onboarding as completed" do
+      assert_predicate @onboarding, :completed?
+    end
+
+    should "create an organization with the specified name and handle" do
+      assert_not_nil @onboarding.organization
+      assert_equal @onboarding.organization_name, @onboarding.organization.name
+      assert_equal @onboarding.organization_handle, @onboarding.organization.handle
+    end
+
+    should "create a confirmed owner membership for the person that onboarded the organization" do
+      membership = @onboarding.organization.memberships.find_by(user_id: @onboarding.created_by)
+
+      assert_predicate membership, :owner?
+      assert_predicate membership, :confirmed?
+    end
+
+    should "create unconfirmed memberships for each invitee" do
+      membership = @onboarding.organization.unconfirmed_memberships.find_by(user_id: @maintainer.id)
+
+      assert_predicate membership, :maintainer?
+      assert_not_predicate membership, :confirmed?
+    end
+
+    should "set the organization_id for each specified rubygem" do
+      assert_equal @onboarding.organization.id, @rubygem.reload.organization_id
+    end
+
+    should "remove Ownership records that have been migrated to Memberships" do
+      assert_nil Ownership.find_by(user: @owner, rubygem: @rubygem)
+      assert_nil Ownership.find_by(user: @maintainer, rubygem: @rubygem)
+    end
+
+    context "when a user is marked as an Outside Contributor" do
+      setup do
+        @contributor = create(:user)
+        @ownership = create(:ownership, user: @contributor, rubygem: @rubygem, role: "owner")
+        @onboarding.invites << create(:organization_onboarding_invite, user: @contributor, role: :outside_contributor)
+      end
+
+      should "not remove the Ownership record" do
+        assert_not_nil Ownership.find_by(user: @contributor, rubygem: @rubygem)
+      end
+    end
+
+    context "when onboarding encounters an error" do
+      setup do
+        @onboarding = create(:organization_onboarding, created_by: @owner)
+        @onboarding.stubs(:create_organization!).raises(ActiveRecord::ActiveRecordError, "stubbed error")
+      end
+
+      should "mark the onboarding as failed" do
+        assert_raises ActiveRecord::ActiveRecordError, "stubbed error" do
+          @onboarding.onboard!
+        end
+
+        assert_predicate @onboarding, :failed?
+      end
+
+      should "record the error message" do
+        assert_raises ActiveRecord::ActiveRecordError, "stubbed error" do
+          @onboarding.onboard!
+        end
+
+        assert_equal "stubbed error", @onboarding.error
+      end
+    end
+
+    context "when the onboarding is already completed" do
+      setup do
+        @onboarding = create(:organization_onboarding, :completed, created_by: @owner)
+      end
+
+      should "raise an error" do
+        assert_raises StandardError, "onboard has already been completed" do
+          @onboarding.onboard!
+        end
+      end
+    end
+  end
+
+  context "#available_rubygems" do
+    should "return the rubygems that the user owns" do
+      assert_equal [@rubygem], @onboarding.available_rubygems
+    end
+  end
+end
diff --git a/test/models/organization_test.rb b/test/models/organization_test.rb
new file mode 100644
index 00000000000..2f956c0f33c
--- /dev/null
+++ b/test/models/organization_test.rb
@@ -0,0 +1,67 @@
+require "test_helper"
+
+class OrganizationTest < ActiveSupport::TestCase
+  should have_many(:memberships).dependent(:destroy)
+  should have_many(:unconfirmed_memberships).dependent(:destroy)
+  should have_many(:users).through(:memberships)
+  should have_many(:rubygems).dependent(:nullify)
+
+  # Waiting for Ownerships to be made polymorphic
+  #
+  # should have_many(:ownerships).dependent(:destroy)
+  # should have_many(:unconfirmed_ownerships).dependent(:destroy)
+  # should have_many(:rubygems).through(:ownerships)
+
+  context "validations" do
+    context "handle" do
+      should allow_value("CapsLOCK").for(:handle)
+      should_not allow_value(nil).for(:handle)
+      should_not allow_value("1abcde").for(:handle)
+      should_not allow_value("abc^%def").for(:handle)
+      should_not allow_value("abc\n<script>bad").for(:handle)
+
+      should "be between 2 and 40 characters" do
+        organization = build(:organization, handle: "a")
+
+        refute_predicate organization, :valid?
+        assert_contains organization.errors[:handle], "is too short (minimum is 2 characters)"
+
+        organization.handle = "a" * 41
+
+        refute_predicate organization, :valid?
+        assert_contains organization.errors[:handle], "is too long (maximum is 40 characters)"
+
+        organization.handle = "abcdef"
+        organization.valid?
+
+        assert_nil organization.errors[:handle].first
+      end
+
+      should "be invalid when an empty string" do
+        organization = build(:organization, handle: "")
+
+        refute_predicate organization, :valid?
+      end
+
+      should "be invalid when nil" do
+        refute_predicate build(:organization, handle: nil), :valid?
+      end
+
+      should "be invalid with duplicate handle on create" do
+        create(:organization, handle: "test")
+        organization = build(:organization, handle: "Test")
+
+        refute_predicate organization, :valid?
+      end
+
+      should "be invalid with duplicate handle on update" do
+        create(:organization, handle: "test")
+        organization = create(:organization, handle: "test2")
+        organization.update(handle: "Test")
+
+        assert_contains organization.errors[:handle], "has already been taken"
+        refute_predicate organization, :valid?
+      end
+    end
+  end
+end
diff --git a/test/models/ownership_request_test.rb b/test/models/ownership_request_test.rb
index 94c6ce58943..7b81a9a3983 100644
--- a/test/models/ownership_request_test.rb
+++ b/test/models/ownership_request_test.rb
@@ -57,7 +57,16 @@ class OwnershipRequestTest < ActiveSupport::TestCase
       ownership_request = build(:ownership_request, user: @user, rubygem: @rubygem)
 
       refute_predicate ownership_request, :valid?
-      assert_contains ownership_request.errors[:user_id], "has already been taken"
+      assert_contains ownership_request.errors[:user_id], "has already requested ownership"
+    end
+
+    should "not create a call when already an owner" do
+      owner = create(:user, handle: "owner")
+      create(:ownership, rubygem: @rubygem, user: owner)
+      ownership_request = build(:ownership_request, user: owner, rubygem: @rubygem)
+
+      refute_predicate ownership_request, :valid?
+      assert_contains ownership_request.errors[:user_id], "is already an owner"
     end
   end
 
diff --git a/test/models/ownership_test.rb b/test/models/ownership_test.rb
index 1b3e5f1d6c5..963027faecd 100644
--- a/test/models/ownership_test.rb
+++ b/test/models/ownership_test.rb
@@ -1,6 +1,8 @@
 require "test_helper"
 
 class OwnershipTest < ActiveSupport::TestCase
+  include ActionMailer::TestHelper
+
   should "be valid with factory" do
     assert_predicate build(:ownership), :valid?
   end
@@ -123,6 +125,41 @@ class OwnershipTest < ActiveSupport::TestCase
     end
   end
 
+  context "#update" do
+    context "when updating the role" do
+      setup do
+        @actor = create(:user)
+        @ownership = create(:ownership, role: :owner)
+
+        Current.user = @actor
+      end
+
+      should "record an event" do
+        @ownership.update!(role: :maintainer)
+
+        event = @ownership.rubygem.events.last
+        attributes = {
+          "user_agent_info" => nil,
+          "owner" => @ownership.user.display_handle,
+          "updated_by" => @actor.display_handle,
+          "actor_gid" => @actor.to_gid,
+          "owner_gid" => @ownership.user.to_gid,
+          "previous_role" => "owner",
+          "current_role" => "maintainer"
+        }
+
+        assert_equal "rubygem:owner:role_updated", event.tag
+        assert_equal attributes, event.additional.attributes
+      end
+
+      should "enqueue the owner updated email" do
+        assert_enqueued_emails 1 do
+          @ownership.update!(role: :maintainer)
+        end
+      end
+    end
+  end
+
   context "#valid_confirmation_token?" do
     setup do
       @ownership = create(:ownership)
@@ -165,14 +202,12 @@ class OwnershipTest < ActiveSupport::TestCase
     end
 
     should "find owner by matching handle/id" do
-      assert_equal @ownership, @rubygem.ownerships.find_by_owner_handle!(@user.handle)
-      assert_equal @ownership, @rubygem.ownerships.find_by_owner_handle!(@user)
+      assert_equal @ownership, @rubygem.ownerships.find_by_owner_handle(@user.handle)
+      assert_equal @ownership, @rubygem.ownerships.find_by_owner_handle(@user)
     end
 
-    should "raise not found" do
-      assert_raise ActiveRecord::RecordNotFound do
-        @rubygem.ownerships.find_by_owner_handle!("wrong user")
-      end
+    should "return nil" do
+      assert_nil @rubygem.ownerships.find_by_owner_handle("wronguser")
     end
   end
 
@@ -248,4 +283,26 @@ class OwnershipTest < ActiveSupport::TestCase
       refute_predicate @ownership, :unconfirmed?
     end
   end
+
+  context "#role" do
+    setup do
+      @ownership = create(:ownership)
+    end
+
+    should "set a default role" do
+      assert_predicate @ownership, :owner?
+    end
+  end
+
+  context "#user_with_minimum_role" do
+    setup do
+      @user = create(:user)
+      @ownership = create(:ownership, user: @user, role: :owner)
+    end
+
+    should "return the ownerships with a role less than or equal to the given role" do
+      assert_includes Ownership.user_with_minimum_role(@user, :owner), @ownership
+      assert_includes Ownership.user_with_minimum_role(@user, :maintainer), @ownership
+    end
+  end
 end
diff --git a/test/models/pusher_test.rb b/test/models/pusher_test.rb
index ae382a07e38..14fd53443cd 100644
--- a/test/models/pusher_test.rb
+++ b/test/models/pusher_test.rb
@@ -48,9 +48,11 @@ class PusherTest < ActiveSupport::TestCase
         @cutter.stubs(:verify_mfa_requirement).returns true
         @cutter.stubs(:verify_gem_scope).returns true
         @cutter.stubs(:validate).returns true
-        @cutter.stubs(:save)
+        @cutter.stubs(:verify_sigstore).returns true
+        @cutter.stubs(:sign_sigstore).returns true
+        @cutter.stubs(:save).returns true
 
-        @cutter.process
+        assert @cutter.process
       end
 
       should "not attempt to find rubygem if spec can't be pulled" do
@@ -123,15 +125,6 @@ class PusherTest < ActiveSupport::TestCase
       end
     end
 
-    should "not be able to pull spec from a bad path" do
-      @cutter.stubs(:body).stubs(:stub!).stubs(:read)
-      @cutter.pull_spec
-
-      assert_nil @cutter.spec
-      assert_match(/RubyGems\.org cannot process this gem/, @cutter.message)
-      assert_equal 422, @cutter.code
-    end
-
     should "not be able to pull spec with metadata containing bad ruby objects" do
       @gem = gem_file("exploit.gem")
       @cutter = Pusher.new(@api_key, @gem)
@@ -825,6 +818,103 @@ def two_cert_chain(signing_key:, root_not_before: Time.current, cert_not_before:
     end
   end
 
+  context "with attestations" do
+    should "not push gem if api key owner is not a trusted publisher" do
+      @cutter.stubs(:attestations).returns([{}])
+
+      refute @cutter.verify_sigstore
+      assert_equal "Pushing with an attestation requires trusted publishing", @cutter.message
+    end
+
+    should "not push gem if attestation fails to validate" do
+      @cutter.stubs(:attestations).returns(
+        [
+          { "media_type" => Sigstore::BundleType::BUNDLE_0_3.media_type,
+            "verification_material" => {
+              "certificate" => {
+                "rawBytes" => [build(:x509_certificate, :key_usage).to_der].pack("m0")
+              },
+              "tlogEntries" => [
+                {
+                  "inclusionProof" => {
+                    "checkpoint" => { "envelope" => "" }
+                  },
+                  "canonicalizedBody" => [
+                    JSON.dump(
+                      spec: {
+                        signature: {
+                          content: {
+                            publicKey: { content: [""].pack("m0") }
+                          }
+                        },
+                        kind: "hashedrekord",
+                        apiVersion: "0.0.1"
+                      }
+                    )
+                  ].pack("m0")
+                }
+              ]
+            },
+            "message_signature" => {} }
+        ]
+      )
+      @api_key.owner = create(:oidc_trusted_publisher_github_action)
+      @api_key.oidc_id_token = create(:oidc_id_token)
+
+      @cutter.send(:sigstore_verifier).expects(:verify).with(input: anything, policy: anything, offline: true)
+        .returns Sigstore::VerificationFailure.new("Attestation failed to validate")
+
+      refute @cutter.verify_sigstore
+      assert_equal "Attestation verification failed:\nAttestation failed to validate", @cutter.message
+    end
+
+    context "with attestations and trusted publisher" do
+      setup do
+        attestations = build_list(:sigstore_bundle, 2)
+        rubygem = create(:rubygem, name: "test", owners: [@user])
+        create(:version, rubygem: rubygem, number: "0.1.1", indexed: true)
+        rubygem_trusted_publisher = create(:oidc_rubygem_trusted_publisher, rubygem: rubygem)
+        rubygem_trusted_publisher.trusted_publisher.update!(
+          repository_owner: "sigstore-conformance",
+          repository_name: "extremely-dangerous-public-oidc-beacon",
+          workflow_filename: "extremely-dangerous-oidc-beacon.yml"
+        )
+
+        @api_key = create(:api_key, owner: rubygem_trusted_publisher.trusted_publisher, key: "54321", scopes: %i[push_rubygem])
+        create(:oidc_id_token, api_key: @api_key, jwt: { claims: { "ref" => "refs/heads/main" } })
+        @cutter = Pusher.new(@api_key, gem_file("test-1.0.0.gem"), attestations: attestations.map(&:as_json))
+      end
+
+      should "add valid attestations to version" do
+        @cutter.send(:sigstore_verifier).expects(:verify).twice
+          .returns Sigstore::VerificationSuccess.new
+
+        assert @cutter.process, @cutter.message # rubocop:disable Minitest/AssertWithExpectedArgument
+        assert_equal 2, @cutter.version.attestations.size
+      end
+
+      should "fail when first attestation fails to validate" do
+        @cutter.send(:sigstore_verifier).expects(:verify).once
+          .returns Sigstore::VerificationFailure.new("abc")
+
+        refute @cutter.process
+        assert_equal "Attestation verification failed:\nabc", @cutter.message
+        assert_equal 422, @cutter.code
+      end
+
+      should "fail when second attestation fails to validate" do
+        @cutter.send(:sigstore_verifier).expects(:verify).once
+          .returns Sigstore::VerificationFailure.new("abc")
+        @cutter.send(:sigstore_verifier).expects(:verify).once
+          .returns Sigstore::VerificationSuccess.new
+
+        refute @cutter.process
+        assert_equal "Attestation verification failed:\nabc", @cutter.message
+        assert_equal 422, @cutter.code
+      end
+    end
+  end
+
   context "the gem has been signed and not tampered with" do
     setup do
       @gem = gem_file("valid_signature-0.0.0.gem")
diff --git a/test/models/rubygem_contents_entry_test.rb b/test/models/rubygem_contents_entry_test.rb
index 685f5fb714f..d3a0d45af16 100644
--- a/test/models/rubygem_contents_entry_test.rb
+++ b/test/models/rubygem_contents_entry_test.rb
@@ -226,7 +226,7 @@ def persisted_symlink_entry
     end
 
     should "not evaluate the reader when setting the body with a block" do
-      create_persisted_entry(file_entry.metadata) { raise }
+      assert_nothing_raised { create_persisted_entry(file_entry.metadata) { raise } }
     end
   end
 
diff --git a/test/models/rubygem_test.rb b/test/models/rubygem_test.rb
index 7ccddf44871..7b23a1573de 100644
--- a/test/models/rubygem_test.rb
+++ b/test/models/rubygem_test.rb
@@ -15,17 +15,22 @@ class RubygemTest < ActiveSupport::TestCase
     should have_many(:versions).dependent(:destroy)
     should have_many(:web_hooks).dependent(:destroy)
     should have_one(:linkset).dependent(:destroy)
+    should belong_to(:organization).optional
     should validate_uniqueness_of(:name).case_insensitive
     should allow_value("rails").for(:name)
     should allow_value("awesome42").for(:name)
     should allow_value("factory_girl").for(:name)
     should allow_value("rack-test").for(:name)
     should allow_value("perftools.rb").for(:name)
+    should allow_value("s3-4-2").for(:name)
+    should allow_value("its.a.gem.ok").for(:name)
     should_not allow_value("\342\230\203").for(:name)
     should_not allow_value("2.2").for(:name)
     should_not allow_value(".omghi").for(:name)
     should_not allow_value("-omghi").for(:name)
     should_not allow_value("_omghi").for(:name)
+    should_not allow_value("omg-").for(:name)
+    should_not allow_value("omg.gem").for(:name)
 
     context "with reserved Ruby gem" do
       setup do
@@ -265,6 +270,18 @@ class RubygemTest < ActiveSupport::TestCase
       assert_nil dependency.rubygem_id
       assert_equal dependency.unresolved_name, @rubygem.name
     end
+
+    should "allow destroying a gem with versions" do
+      @rubygem.save!
+      create(:ownership, rubygem: @rubygem)
+      create(:version, rubygem: @rubygem)
+      v2 = create(:version, rubygem: @rubygem)
+      create(:deletion, version: v2)
+
+      @rubygem.destroy!
+
+      assert_predicate Rubygem.where(id: @rubygem.id), :none?
+    end
   end
 
   context "with reverse dependencies" do
@@ -431,6 +448,26 @@ class RubygemTest < ActiveSupport::TestCase
       end
     end
 
+    context "with a user that belongs to an organization" do
+      setup do
+        @owner = create(:user)
+        @admin = create(:user)
+        @maintainer = create(:user)
+        @guest = create(:user)
+
+        @organization = create(:organization, admins: [@admin], owners: [@owner], maintainers: [@maintainer], rubygems: [@rubygem])
+      end
+
+      should "be owned by organization user" do
+        assert @rubygem.owned_by?(@owner)
+        assert @rubygem.owned_by?(@admin)
+        assert @rubygem.owned_by?(@maintainer)
+        refute @rubygem.owned_by?(@guest)
+
+        refute_predicate @rubygem, :unowned?
+      end
+    end
+
     context "with subscribed users" do
       setup do
         @subscribed_user   = create(:user)
@@ -1164,4 +1201,63 @@ class RubygemTest < ActiveSupport::TestCase
       refute_predicate @version_three, :yanked?
     end
   end
+
+  context "#owned_by_with_role?" do
+    setup do
+      @rubygem = create(:rubygem)
+      @owner = create(:user)
+    end
+
+    context "when the user is not an owner of a gem" do
+      should "return false" do
+        refute @rubygem.owned_by_with_role?(@owner, :maintainer)
+      end
+    end
+
+    context "when the user is an owner of a gem" do
+      setup do
+        @ownership = create(:ownership, user: @owner, rubygem: @rubygem)
+      end
+
+      should "return true" do
+        assert @rubygem.owned_by_with_role?(@owner, :maintainer)
+      end
+    end
+
+    context "when the role is less than the given value" do
+      setup do
+        @ownership = create(:ownership, user: @owner, rubygem: @rubygem, role: :maintainer)
+      end
+
+      should "return false" do
+        refute @rubygem.owned_by_with_role?(@owner, :owner)
+      end
+    end
+
+    context "when the role is more than the given value" do
+      setup do
+        @ownership = create(:ownership, user: @owner, rubygem: @rubygem, role: :owner)
+      end
+
+      should "return true" do
+        assert @rubygem.owned_by_with_role?(@owner, :maintainer)
+      end
+    end
+
+    context "when the role is equal to the given role" do
+      setup do
+        @ownership = create(:ownership, user: @owner, rubygem: @rubygem, role: :owner)
+      end
+
+      should "return true" do
+        assert @rubygem.owned_by_with_role?(@owner, :owner)
+      end
+    end
+
+    context "when the given role does not exist" do
+      should "not raise an argument" do
+        refute @rubygem.owned_by_with_role?(@owner, :nonexistent_role)
+      end
+    end
+  end
 end
diff --git a/test/models/user/with_private_fields_test.rb b/test/models/user/with_private_fields_test.rb
index 2c6b15b19ce..2741aef1382 100644
--- a/test/models/user/with_private_fields_test.rb
+++ b/test/models/user/with_private_fields_test.rb
@@ -14,11 +14,9 @@ class User::WithPrivateFieldsTest < ActiveSupport::TestCase
 
       context "when mfa is disabled" do
         should "include warning in user json" do
-          expected_notice =
-            "[WARNING] For protection of your account and gems, we encourage you to set up multi-factor authentication " \
-            "at https://rubygems.org/totp/new. Your account will be required to have MFA enabled in the future."
+          expected_notice = I18n.t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
 
-          assert_match expected_notice, @user.to_json
+          assert_includes JSON.parse(@user.to_json)["warning"], expected_notice
         end
       end
 
@@ -29,12 +27,9 @@ class User::WithPrivateFieldsTest < ActiveSupport::TestCase
           end
 
           should "include warning in user json" do
-            expected_notice =
-              "[WARNING] For protection of your account and gems, we encourage you to change your multi-factor authentication " \
-              "level to 'UI and gem signin' or 'UI and API' at https://rubygems.org/settings/edit. " \
-              "Your account will be required to have MFA enabled on one of these levels in the future."
+            expected_notice = I18n.t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
 
-            assert_match expected_notice, @user.to_json
+            assert_includes JSON.parse(@user.to_json)["warning"], expected_notice
           end
         end
 
@@ -44,10 +39,9 @@ class User::WithPrivateFieldsTest < ActiveSupport::TestCase
           end
 
           should "not include warning in user json" do
-            unexpected_notice =
-              "[WARNING] For protection of your account and gems"
+            unexpected_notice = I18n.t("multifactor_auths.api.mfa_recommended_not_yet_enabled").chomp
 
-            refute_match unexpected_notice, @user.to_json
+            refute_includes JSON.parse(@user.to_json)["warning"].to_s, unexpected_notice
           end
         end
 
@@ -57,10 +51,9 @@ class User::WithPrivateFieldsTest < ActiveSupport::TestCase
           end
 
           should "not include warning in user json" do
-            unexpected_notice =
-              "[WARNING] For protection of your account and gems"
+            unexpected_notice = I18n.t("multifactor_auths.api.mfa_recommended_weak_level_enabled").chomp
 
-            refute_match unexpected_notice, @user.to_json
+            refute_includes JSON.parse(@user.to_json)["warning"].to_s, unexpected_notice
           end
         end
       end
diff --git a/test/models/user_test.rb b/test/models/user_test.rb
index ad5e82958c2..add6d52b9a5 100644
--- a/test/models/user_test.rb
+++ b/test/models/user_test.rb
@@ -17,6 +17,7 @@ class UserTest < ActiveSupport::TestCase
       should_not allow_value("1abcde").for(:handle)
       should_not allow_value("abc^%def").for(:handle)
       should_not allow_value("abc\n<script>bad").for(:handle)
+      should validate_length_of(:handle).is_at_least(2).is_at_most(40)
 
       should "be between 2 and 40 characters" do
         user = build(:user, handle: "a")
@@ -162,7 +163,7 @@ class UserTest < ActiveSupport::TestCase
     end
 
     context "twitter_username" do
-      should validate_length_of(:twitter_username)
+      should validate_length_of(:twitter_username).is_at_most(20)
       should allow_value("user123_32").for(:twitter_username)
       should_not allow_value("@user").for(:twitter_username)
       should_not allow_value("user 1").for(:twitter_username)
@@ -172,7 +173,7 @@ class UserTest < ActiveSupport::TestCase
     end
 
     context "password" do
-      should "be between 10 and 200 characters" do
+      should "be between 10 characters and 72 bytes" do
         user = build(:user, password: "%5a&12ed/")
 
         refute_predicate user, :valid?
@@ -181,7 +182,7 @@ class UserTest < ActiveSupport::TestCase
         user.password = "#{'a8b5d2d451' * 20}a"
 
         refute_predicate user, :valid?
-        assert_contains user.errors[:password], "is too long (maximum is 200 characters)"
+        assert_contains user.errors[:password], "is too long (maximum is 72 bytes)"
 
         user.password = "633!cdf7b3426c9%f6dd1a0b62d4ce44c4f544e%"
         user.valid?
@@ -924,13 +925,74 @@ class UserTest < ActiveSupport::TestCase
     end
   end
 
+  context "#unblock!" do
+    setup do
+      @user = create(:user, :blocked)
+      @original_email = @user.blocked_email
+      @user.unblock!
+    end
+
+    should "restore the email field" do
+      assert_equal @original_email, @user.email
+    end
+
+    should "make the blocked email field nil" do
+      assert_nil @user.blocked_email
+    end
+
+    context "when the user is not currently blocked" do
+      setup do
+        @user = create(:user)
+      end
+
+      should "raise an error" do
+        assert_raises(ArgumentError) do
+          @user.unblock!
+        end
+      end
+    end
+  end
+
+  context "#blocked?" do
+    setup do
+      @blocked_user = build(:user, :blocked)
+      @unblocked_user = build(:user)
+    end
+
+    should "be true when the user has a blocked email" do
+      assert_predicate @blocked_user, :blocked?
+    end
+
+    should "be false when the user does not have a blocked email" do
+      refute_predicate @unblocked_user, :blocked?
+    end
+  end
+
   context ".normalize_email" do
     should "return the normalized email" do
-      assert_equal "UsEr@example.COM", User.normalize_email(:"UsEr@ example . COM")
+      assert_equal "UsEr@example.COM", User.normalize_email(:"UsEr@\texample . COM")
+    end
+
+    should "preserve valid characters so that the format error can be returned" do
+      # UTF-8 "香" character, which is valid UTF-8, but we reject utf-8 in email addresses
+      assert_equal "香@example.com", User.normalize_email("\u9999@example.com".force_encoding("utf-8"))
+
+      # ISO-8859-1 "Å" character (valid in ISO-8859-1)
+      encoded_email = "myem\xC5il@example.com".force_encoding("ISO-8859-1")
+
+      assert_equal encoded_email, User.normalize_email(encoded_email)
     end
 
     should "return an empty string on invalid inputs" do
-      assert_equal "", User.normalize_email("\u9999".force_encoding("ascii"))
+      # bad encoding when sent as ASCII-8BIT
+      assert_equal "", User.normalize_email("\u9999@example.com".force_encoding("ascii"))
+
+      # ISO-8859-1 "Å" character (invalid in UTF-8, which uses \xC385 for this character)
+      assert_equal "", User.normalize_email("myem\xC5il@example.com".force_encoding("UTF-8"))
+    end
+
+    should "return an empty string for nil" do
+      assert_equal "", User.normalize_email(nil)
     end
   end
 end
diff --git a/test/models/version_manifest_test.rb b/test/models/version_manifest_test.rb
index cc9cd8ef8f0..8b89032ced0 100644
--- a/test/models/version_manifest_test.rb
+++ b/test/models/version_manifest_test.rb
@@ -287,9 +287,9 @@ def create_entry(path, sha256, body: rand.to_s, mime: "text/plain")
     end
 
     should "gracefully no-op when there's nothing to delete" do
-      @manifest.yank
+      assert @manifest.yank
 
-      @manifest.yank
+      assert @manifest.yank
     end
   end
 
diff --git a/test/models/version_test.rb b/test/models/version_test.rb
index 0e361d26b46..98b9194785c 100644
--- a/test/models/version_test.rb
+++ b/test/models/version_test.rb
@@ -406,16 +406,21 @@ class VersionTest < ActiveSupport::TestCase
     end
     subject { @version }
 
+    should allow_value("1.2.3.pre").for(:number)
     should_not allow_value("#YAML<CEREALIZATION-FAIL>").for(:number)
     should_not allow_value("1.2.3-\"[javalol]\"").for(:number)
     should_not allow_value("0.8.45::Gem::PLATFORM::FAILBOAT").for(:number)
     should_not allow_value("1.2.3\n<bad>").for(:number)
     should_not allow_value("1.2.3-bad").for(:number)
+    should_not allow_value("1.2.3.").for(:number)
+    should_not allow_value("1.2.3.gem").for(:number)
 
     should allow_value("ruby").for(:platform)
     should allow_value("mswin32").for(:platform)
     should allow_value("x86_64-linux").for(:platform)
+    should allow_value("it.is.fine").for(:platform)
     should_not allow_value("Gem::Platform::Ruby").for(:platform)
+    should_not allow_value("ruby.gem").for(:platform)
 
     should "be invalid with platform longer than maximum field length" do
       @version.platform = "r" * (Gemcutter::MAX_FIELD_LENGTH + 1)
@@ -632,29 +637,31 @@ class VersionTest < ActiveSupport::TestCase
 
   context "with a very long authors string." do
     should "create without error" do
-      create(:version,
-        authors: [
-          "Fbdoorman: David Pelaez",
-          "MiniFB:Appoxy",
-          "Dan Croak",
-          "Mike Burns",
-          "Jason Morrison",
-          "Joe Ferris",
-          "Eugene Bolshakov",
-          "Nick Quaranto",
-          "Josh Nichols",
-          "Mike Breen",
-          "Marcel G\303\266rner",
-          "Bence Nagy",
-          "Ben Mabey",
-          "Eloy Duran",
-          "Tim Pope",
-          "Mihai Anca",
-          "Mark Cornick",
-          "Shay Arnett",
-          "Jon Yurek",
-          "Chad Pytel"
-        ])
+      assert_nothing_raised do
+        create(:version,
+          authors: [
+            "Fbdoorman: David Pelaez",
+            "MiniFB:Appoxy",
+            "Dan Croak",
+            "Mike Burns",
+            "Jason Morrison",
+            "Joe Ferris",
+            "Eugene Bolshakov",
+            "Nick Quaranto",
+            "Josh Nichols",
+            "Mike Breen",
+            "Marcel G\303\266rner",
+            "Bence Nagy",
+            "Ben Mabey",
+            "Eloy Duran",
+            "Tim Pope",
+            "Mihai Anca",
+            "Mark Cornick",
+            "Shay Arnett",
+            "Jon Yurek",
+            "Chad Pytel"
+          ])
+      end
     end
   end
 
diff --git a/test/models/web_hook_test.rb b/test/models/web_hook_test.rb
index 87468c90ddf..048eced3c6b 100644
--- a/test/models/web_hook_test.rb
+++ b/test/models/web_hook_test.rb
@@ -6,6 +6,19 @@ class WebHookTest < ActiveSupport::TestCase
   should belong_to :user
   should belong_to(:rubygem).optional(true)
 
+  def stub_hook_relay_request(url, webhook_id, authorization, max_attempts = 3)
+    stub_request(:post, "https://api.hookrelay.dev/hooks///webhook_id-#{webhook_id}")
+      .with(
+        headers: {
+          "Accept" => "*/*",
+          "Authorization" => authorization,
+          "Content-Type" => "application/json",
+          "Hr-Max-Attempts" => max_attempts,
+          "Hr-Target-Url" => url
+        }.compact
+      )
+  end
+
   should "be valid for normal hook" do
     hook = create(:web_hook)
 
@@ -162,7 +175,7 @@ class WebHookTest < ActiveSupport::TestCase
 
     should "include an Authorization header" do
       authorization = Digest::SHA2.hexdigest(@rubygem.name + @version.number + @hook.user.api_key)
-      stub_request(:post, @url).with(headers: { "Authorization" => authorization })
+      stub_hook_relay_request(@url, @hook.id, authorization).to_return_json(status: 200, body: { id: 1 })
 
       perform_enqueued_jobs only: NotifyWebHookJob do
         @hook.fire("https", "rubygems.org", @version)
@@ -172,7 +185,7 @@ class WebHookTest < ActiveSupport::TestCase
     should "include an Authorization header for a user with no API key" do
       @hook.user.update(api_key: nil)
       authorization = Digest::SHA2.hexdigest(@rubygem.name + @version.number)
-      stub_request(:post, @url).with(headers: { "Authorization" => authorization })
+      stub_hook_relay_request(@url, @hook.id, authorization).to_return_json(status: 200, body: { id: 1 })
 
       perform_enqueued_jobs only: NotifyWebHookJob do
         @hook.fire("https", "rubygems.org", @version)
@@ -183,7 +196,8 @@ class WebHookTest < ActiveSupport::TestCase
       @hook.user.update(api_key: nil)
       create(:api_key, owner: @hook.user)
       authorization = Digest::SHA2.hexdigest(@rubygem.name + @version.number + @hook.user.api_keys.first.hashed_key)
-      stub_request(:post, @url).with(headers: { "Authorization" => authorization })
+      stub_hook_relay_request(@url, @hook.id, authorization).to_return(status: 200, body: { id: 1 }.to_json,
+                              headers: { "Content-Type" => "application/json" })
 
       perform_enqueued_jobs only: NotifyWebHookJob do
         @hook.fire("https", "rubygems.org", @version)
@@ -191,7 +205,7 @@ class WebHookTest < ActiveSupport::TestCase
     end
 
     should "not increment failure count for hook" do
-      stub_request(:post, @url).to_return(status: 200, body: "", headers: {})
+      stub_hook_relay_request(@url, @hook.id, nil).to_return_json(status: 200, body: { id: 1 })
 
       perform_enqueued_jobs only: NotifyWebHookJob do
         @hook.fire("https", "rubygems.org", @version)
@@ -201,38 +215,6 @@ class WebHookTest < ActiveSupport::TestCase
     end
   end
 
-  context "with invalid URL" do
-    setup do
-      @url     = "http://someinvaliddomain.com"
-      @user    = create(:user)
-      @rubygem = create(:rubygem)
-      @version = create(:version, rubygem: @rubygem)
-      @hook    = create(:global_web_hook, url: @url, user: @user)
-    end
-
-    should "increment failure count for hook on errors" do
-      [
-        SocketError,
-        Timeout::Error,
-        Errno::EINVAL,
-        Errno::ECONNRESET,
-        EOFError,
-        Net::HTTPBadResponse,
-        Net::HTTPHeaderSyntaxError,
-        Net::ProtocolError
-      ].each_with_index do |exception, index|
-        stub_request(:post, @url).to_raise(exception)
-
-        perform_enqueued_jobs only: NotifyWebHookJob do
-          @hook.fire("https", "rubygems.org", @version)
-        end
-
-        assert_equal index + 1, @hook.reload.failure_count
-        assert_predicate @hook, :global?
-      end
-    end
-  end
-
   context "yaml" do
     setup do
       @webhook = create(:web_hook)
diff --git a/test/models/webauthn_credential_test.rb b/test/models/webauthn_credential_test.rb
index a470cbaa7d6..78458a31c32 100644
--- a/test/models/webauthn_credential_test.rb
+++ b/test/models/webauthn_credential_test.rb
@@ -6,8 +6,12 @@ class WebauthnCredentialTest < ActiveSupport::TestCase
   should belong_to :user
   should validate_presence_of(:external_id)
   should validate_uniqueness_of(:external_id)
+  should validate_length_of(:external_id).is_at_most(512)
   should validate_presence_of(:public_key)
+  should validate_length_of(:public_key).is_at_most(512)
   should validate_presence_of(:nickname)
+  should validate_uniqueness_of(:nickname).scoped_to(:user_id)
+  should validate_length_of(:nickname).is_at_most(64)
   should validate_presence_of(:sign_count)
   should validate_numericality_of(:sign_count).is_greater_than_or_equal_to(0)
 
diff --git a/test/policies/admin/audit_policy_test.rb b/test/policies/admin/audit_policy_test.rb
deleted file mode 100644
index d5e8ca21936..00000000000
--- a/test/policies/admin/audit_policy_test.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-require "test_helper"
-
-class Admin::AuditPolicyTest < AdminPolicyTestCase
-  def test_scope
-  end
-
-  def test_show
-  end
-
-  def test_create
-  end
-
-  def test_update
-  end
-
-  def test_destroy
-  end
-end
diff --git a/test/policies/admin/avo_policies_test.rb b/test/policies/admin/avo_policies_test.rb
deleted file mode 100644
index e03ee0e9cc0..00000000000
--- a/test/policies/admin/avo_policies_test.rb
+++ /dev/null
@@ -1,35 +0,0 @@
-require "test_helper"
-
-class Admin::AvoPoliciesTest < AdminPolicyTestCase
-  def test_association_methods_defined
-    resources = Avo::App.init_resources
-    association_actions = %w[create attach detach destroy edit show view]
-
-    aggregate_assertions do
-      resources.each do |resource|
-        policy =
-          if resource.authorization_policy
-            resource.authorization_policy.new(nil, resource)
-          else
-            policy!(nil, resource)
-          end
-
-        refute_nil policy
-
-        aggregate_assertions policy.class.name do
-          resource.fields.each do |field|
-            aggregate_assertions field.id do
-              case field
-              when Avo::Fields::HasBaseField
-
-                association_actions.each do |action|
-                  assert_respond_to policy, :"#{action}_#{field.id}?"
-                end
-              end
-            end
-          end
-        end
-      end
-    end
-  end
-end
diff --git a/test/policies/admin/dependency_policy_test.rb b/test/policies/admin/dependency_policy_test.rb
deleted file mode 100644
index e056ea610a0..00000000000
--- a/test/policies/admin/dependency_policy_test.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-require "test_helper"
-
-class Admin::DependencyPolicyTest < AdminPolicyTestCase
-  def test_scope
-  end
-
-  def test_show
-  end
-
-  def test_create
-  end
-
-  def test_update
-  end
-
-  def test_destroy
-  end
-end
diff --git a/test/policies/admin/events/organization_event_policy_test.rb b/test/policies/admin/events/organization_event_policy_test.rb
new file mode 100644
index 00000000000..103096ebebd
--- /dev/null
+++ b/test/policies/admin/events/organization_event_policy_test.rb
@@ -0,0 +1,34 @@
+require "test_helper"
+
+class Admin::Events::OrganizationEventPolicyTest < AdminPolicyTestCase
+  setup do
+    @organization = FactoryBot.create(:organization)
+    @event = Events::OrganizationEvent.first
+    @admin = FactoryBot.create(:admin_github_user, :is_admin)
+    @non_admin = FactoryBot.create(:admin_github_user)
+  end
+
+  def test_scope
+    assert_equal [@event], policy_scope!(@admin, Events::OrganizationEvent).to_a
+  end
+
+  def test_show
+    assert_authorizes @admin, @event, :avo_show?
+    refute_authorizes @non_admin, @event, :avo_show?
+  end
+
+  def test_create
+    refute_authorizes @admin, @event, :avo_create?
+    refute_authorizes @non_admin, @event, :avo_create?
+  end
+
+  def test_update
+    refute_authorizes @admin, @event, :avo_update?
+    refute_authorizes @non_admin, @event, :avo_update?
+  end
+
+  def test_destroy
+    refute_authorizes @admin, @event, :avo_destroy?
+    refute_authorizes @non_admin, @event, :avo_destroy?
+  end
+end
diff --git a/test/policies/admin/events/rubygem_event_policy_test.rb b/test/policies/admin/events/rubygem_event_policy_test.rb
deleted file mode 100644
index 4807bd780a1..00000000000
--- a/test/policies/admin/events/rubygem_event_policy_test.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-require "test_helper"
-
-class Admin::Events::RubygemEventPolicyTest < AdminPolicyTestCase
-  def test_scope
-  end
-
-  def test_show
-  end
-
-  def test_create
-  end
-
-  def test_update
-  end
-
-  def test_destroy
-  end
-end
diff --git a/test/policies/admin/events/user_event_policy_test.rb b/test/policies/admin/events/user_event_policy_test.rb
deleted file mode 100644
index d40fcffe93e..00000000000
--- a/test/policies/admin/events/user_event_policy_test.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-require "test_helper"
-
-class Admin::Events::UserEventPolicyTest < AdminPolicyTestCase
-  def test_scope
-  end
-
-  def test_show
-  end
-
-  def test_create
-  end
-
-  def test_update
-  end
-
-  def test_destroy
-  end
-end
diff --git a/test/policies/admin/gem_download_policy_test.rb b/test/policies/admin/gem_download_policy_test.rb
deleted file mode 100644
index 74598a944f1..00000000000
--- a/test/policies/admin/gem_download_policy_test.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-require "test_helper"
-
-class Admin::GemDownloadPolicyTest < AdminPolicyTestCase
-  def test_scope
-  end
-
-  def test_show
-  end
-
-  def test_create
-  end
-
-  def test_update
-  end
-
-  def test_destroy
-  end
-end
diff --git a/test/policies/admin/github_user_policy_test.rb b/test/policies/admin/github_user_policy_test.rb
index 88eed2da631..0bcc86b9fc4 100644
--- a/test/policies/admin/github_user_policy_test.rb
+++ b/test/policies/admin/github_user_policy_test.rb
@@ -2,7 +2,7 @@
 
 class Admin::GitHubUserPolicyTest < AdminPolicyTestCase
   def policy_class
-    Admin::GitHubUserPolicy
+    Admin::Admin::GitHubUserPolicy
   end
 
   setup do
diff --git a/test/policies/admin/ip_address_policy_test.rb b/test/policies/admin/ip_address_policy_test.rb
deleted file mode 100644
index be4485beed2..00000000000
--- a/test/policies/admin/ip_address_policy_test.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-require "test_helper"
-
-class Admin::IpAddressPolicyTest < AdminPolicyTestCase
-  def test_scope
-  end
-
-  def test_show
-  end
-
-  def test_create
-  end
-
-  def test_update
-  end
-
-  def test_destroy
-  end
-end
diff --git a/test/policies/admin/membership_policy_test.rb b/test/policies/admin/membership_policy_test.rb
new file mode 100644
index 00000000000..4474bcc0a65
--- /dev/null
+++ b/test/policies/admin/membership_policy_test.rb
@@ -0,0 +1,39 @@
+require "test_helper"
+
+class Admin::MembershipPolicyTest < AdminPolicyTestCase
+  setup do
+    @membership = FactoryBot.create(:membership)
+    @admin = FactoryBot.create(:admin_github_user, :is_admin)
+    @non_admin = FactoryBot.create(:admin_github_user)
+  end
+
+  def test_scope
+    assert_equal [@membership], policy_scope!(@admin, Membership).to_a
+  end
+
+  def test_avo_index
+    refute_authorizes @admin, Membership, :avo_index?
+    refute_authorizes @non_admin, Membership, :avo_index?
+  end
+
+  def test_avo_show
+    assert_authorizes @admin, @membership, :avo_show?
+
+    refute_authorizes @non_admin, @membership, :avo_show?
+  end
+
+  def test_avo_create
+    refute_authorizes @admin, Membership, :avo_create?
+    refute_authorizes @non_admin, Membership, :avo_create?
+  end
+
+  def test_avo_update
+    refute_authorizes @admin, @membership, :avo_update?
+    refute_authorizes @non_admin, @membership, :avo_update?
+  end
+
+  def test_avo_destroy
+    refute_authorizes @admin, @membership, :avo_destroy?
+    refute_authorizes @non_admin, @membership, :avo_destroy?
+  end
+end
diff --git a/test/policies/admin/oidc/api_key_role_policy_test.rb b/test/policies/admin/oidc/api_key_role_policy_test.rb
index 41861431aab..917abd3d3ea 100644
--- a/test/policies/admin/oidc/api_key_role_policy_test.rb
+++ b/test/policies/admin/oidc/api_key_role_policy_test.rb
@@ -28,13 +28,13 @@ def test_avo_show
   end
 
   def test_avo_create
-    assert_authorizes @admin, OIDC::ApiKeyRole, :avo_create?
+    refute_authorizes @admin, OIDC::ApiKeyRole, :avo_create?
 
     refute_authorizes @non_admin, OIDC::ApiKeyRole, :avo_create?
   end
 
   def test_avo_update
-    assert_authorizes @admin, @api_key_role, :avo_update?
+    refute_authorizes @admin, @api_key_role, :avo_update?
 
     refute_authorizes @non_admin, @api_key_role, :avo_update?
   end
diff --git a/test/policies/admin/organization_onboarding_invite_policy_test.rb b/test/policies/admin/organization_onboarding_invite_policy_test.rb
new file mode 100644
index 00000000000..164c423fc36
--- /dev/null
+++ b/test/policies/admin/organization_onboarding_invite_policy_test.rb
@@ -0,0 +1,38 @@
+require "test_helper"
+
+class Admin::OrganizationOnboardingInvitePolicyTest < AdminPolicyTestCase
+  setup do
+    @onboarding_invite = FactoryBot.create(:organization_onboarding_invite)
+    @admin = FactoryBot.create(:admin_github_user, :is_admin)
+    @non_admin = FactoryBot.create(:admin_github_user)
+  end
+
+  def test_scope
+    assert_equal [@onboarding_invite], policy_scope!(@admin, OrganizationOnboardingInvite).to_a
+  end
+
+  def test_avo_index
+    assert_authorizes @admin, OrganizationOnboardingInvite, :avo_index?
+    refute_authorizes @non_admin, OrganizationOnboardingInvite, :avo_index?
+  end
+
+  def test_avo_show
+    assert_authorizes @admin, OrganizationOnboardingInvite, :avo_show?
+    refute_authorizes @non_admin, OrganizationOnboardingInvite, :avo_show?
+  end
+
+  def test_avo_create
+    refute_authorizes @admin, OrganizationOnboardingInvite, :avo_create?
+    refute_authorizes @non_admin, OrganizationOnboardingInvite, :avo_create?
+  end
+
+  def test_avo_update
+    refute_authorizes @admin, @onboarding_invite, :avo_update?
+    refute_authorizes @non_admin, @onboarding_invite, :avo_update?
+  end
+
+  def test_avo_destroy
+    refute_authorizes @admin, @onboarding_invite, :avo_destroy?
+    refute_authorizes @non_admin, @onboarding_invite, :avo_destroy?
+  end
+end
diff --git a/test/policies/admin/organization_onboarding_policy_test.rb b/test/policies/admin/organization_onboarding_policy_test.rb
new file mode 100644
index 00000000000..f708c49f43e
--- /dev/null
+++ b/test/policies/admin/organization_onboarding_policy_test.rb
@@ -0,0 +1,38 @@
+require "test_helper"
+
+class Admin::OrganizationOnboardingPolicyTest < AdminPolicyTestCase
+  setup do
+    @onboarding = FactoryBot.create(:organization_onboarding)
+    @admin = FactoryBot.create(:admin_github_user, :is_admin)
+    @non_admin = FactoryBot.create(:admin_github_user)
+  end
+
+  def test_scope
+    assert_equal [@onboarding], policy_scope!(@admin, OrganizationOnboarding).to_a
+  end
+
+  def test_avo_index
+    assert_authorizes @admin, OrganizationOnboarding, :avo_index?
+    refute_authorizes @non_admin, OrganizationOnboarding, :avo_index?
+  end
+
+  def test_avo_show
+    assert_authorizes @admin, OrganizationOnboarding, :avo_show?
+    refute_authorizes @non_admin, OrganizationOnboarding, :avo_show?
+  end
+
+  def test_avo_create
+    refute_authorizes @admin, OrganizationOnboarding, :avo_create?
+    refute_authorizes @non_admin, OrganizationOnboarding, :avo_create?
+  end
+
+  def test_avo_update
+    refute_authorizes @admin, @onboarding, :avo_update?
+    refute_authorizes @non_admin, @onboarding, :avo_update?
+  end
+
+  def test_avo_destroy
+    refute_authorizes @admin, @onboarding, :avo_destroy?
+    refute_authorizes @non_admin, @onboarding, :avo_destroy?
+  end
+end
diff --git a/test/policies/admin/organization_policy_test.rb b/test/policies/admin/organization_policy_test.rb
new file mode 100644
index 00000000000..2bda6ccfc65
--- /dev/null
+++ b/test/policies/admin/organization_policy_test.rb
@@ -0,0 +1,38 @@
+require "test_helper"
+
+class Admin::OrganizationPolicyTest < AdminPolicyTestCase
+  setup do
+    @organization = FactoryBot.create(:organization)
+    @admin = FactoryBot.create(:admin_github_user, :is_admin)
+    @non_admin = FactoryBot.create(:admin_github_user)
+  end
+
+  def test_scope
+    assert_equal [@organization], policy_scope!(@admin, Organization).to_a
+  end
+
+  def test_show
+    assert_authorizes @admin, @organization, :avo_show?
+    refute_authorizes @non_admin, @organization, :avo_show?
+  end
+
+  def test_create
+    refute_authorizes @admin, @organization, :avo_create?
+    refute_authorizes @non_admin, @organization, :avo_create?
+  end
+
+  def test_update
+    refute_authorizes @admin, @organization, :avo_update?
+    refute_authorizes @non_admin, @organization, :avo_update?
+  end
+
+  def test_destroy
+    refute_authorizes @admin, @organization, :avo_destroy?
+    refute_authorizes @non_admin, @organization, :avo_destroy?
+  end
+
+  def test_search
+    assert_authorizes @admin, @organization, :avo_search?
+    refute_authorizes @non_admin, @organization, :avo_search?
+  end
+end
diff --git a/test/policies/admin/user_policy_test.rb b/test/policies/admin/user_policy_test.rb
index bcd362c4bed..019cfb33313 100644
--- a/test/policies/admin/user_policy_test.rb
+++ b/test/policies/admin/user_policy_test.rb
@@ -7,21 +7,6 @@ class Admin::UserPolicyTest < AdminPolicyTestCase
     @non_admin = FactoryBot.create(:admin_github_user)
   end
 
-  def test_scope
-  end
-
-  def test_show
-  end
-
-  def test_create
-  end
-
-  def test_update
-  end
-
-  def test_destroy
-  end
-
   def test_search
     assert_authorizes @admin, @user, :avo_search?
     refute_authorizes @non_admin, @user, :avo_search?
diff --git a/test/policies/admin/version_policy_test.rb b/test/policies/admin/version_policy_test.rb
deleted file mode 100644
index fa53c031e37..00000000000
--- a/test/policies/admin/version_policy_test.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-require "test_helper"
-
-class Admin::VersionPolicyTest < AdminPolicyTestCase
-  def test_scope
-  end
-
-  def test_show
-  end
-
-  def test_create
-  end
-
-  def test_update
-  end
-
-  def test_destroy
-  end
-end
diff --git a/test/policies/api/oidc/rubygem_trusted_publisher_policy_test.rb b/test/policies/api/oidc/rubygem_trusted_publisher_policy_test.rb
deleted file mode 100644
index d597a73caa3..00000000000
--- a/test/policies/api/oidc/rubygem_trusted_publisher_policy_test.rb
+++ /dev/null
@@ -1,65 +0,0 @@
-require "test_helper"
-
-class Api::OIDC::RubygemTrustedPublisherPolicyTest < ActiveSupport::TestCase
-  setup do
-    @owner = create(:user)
-    @rubygem = create(:rubygem, owners: [@owner])
-    @trusted_publisher = create(:oidc_rubygem_trusted_publisher, rubygem: @rubygem)
-
-    OIDC::RubygemTrustedPublisherPolicy.any_instance.stubs(show?: true, create?: true, destroy?: true)
-  end
-
-  def policy!(api_key, record = @trusted_publisher)
-    Pundit.policy!(api_key, [:api, record])
-  end
-
-  def refute_authorized(api_key)
-    refute_predicate policy!(api_key), :show?
-    refute_predicate policy!(api_key), :create?
-    refute_predicate policy!(api_key), :destroy?
-  end
-
-  def assert_authorized(api_key)
-    assert_predicate policy!(api_key), :show?
-    assert_predicate policy!(api_key), :create?
-    assert_predicate policy!(api_key), :destroy?
-  end
-
-  should "be false if the ApiKey scope does not include :configure_trusted_publishers" do
-    api_key = create(:api_key, owner: @owner, scopes: %w[push_rubygem])
-
-    refute_authorized api_key
-  end
-
-  should "be false if the ApiKey scope includes the rubygem but does not include :configure_trusted_publishers" do
-    api_key = create(:api_key, owner: @owner, scopes: %w[push_rubygem], rubygem: @rubygem)
-
-    refute_authorized api_key
-  end
-
-  should "be false if the ApiKey specifies a different rubygem" do
-    other_gem = create(:rubygem, owners: [@owner])
-    api_key = create(:api_key, owner: @owner, scopes: %w[configure_trusted_publishers], rubygem: other_gem)
-
-    refute_authorized api_key
-  end
-
-  should "be false if the user policy for the gem does not allow show_trusted_publishers?" do
-    OIDC::RubygemTrustedPublisherPolicy.any_instance.stubs(show?: false, create?: false, destroy?: false)
-    api_key = create(:api_key, owner: @owner, scopes: %w[configure_trusted_publishers])
-
-    refute_authorized api_key
-  end
-
-  should "be true for ApiKey without rubygem" do
-    api_key = create(:api_key, owner: @owner, scopes: %w[configure_trusted_publishers])
-
-    assert_authorized api_key
-  end
-
-  should "be true for ApiKey with correct rubygem" do
-    api_key = create(:api_key, owner: @owner, scopes: %w[configure_trusted_publishers], rubygem: @rubygem)
-
-    assert_authorized api_key
-  end
-end
diff --git a/test/policies/api/ownership_policy_test.rb b/test/policies/api/ownership_policy_test.rb
new file mode 100644
index 00000000000..d0641f6533e
--- /dev/null
+++ b/test/policies/api/ownership_policy_test.rb
@@ -0,0 +1,31 @@
+require "test_helper"
+
+class Api::OwnershipPolicyTest < ApiPolicyTestCase
+  setup do
+    @owner = create(:user, handle: "owner")
+    @user = create(:user, handle: "user")
+    @rubygem = create(:rubygem, owners: [@owner])
+
+    @record = create(:ownership, rubygem: @rubygem, user: @user, authorizer: @owner)
+
+    OwnershipPolicy.any_instance.stubs(
+      update?: true,
+      destroy?: true
+    )
+  end
+
+  def policy!(api_key)
+    Pundit.policy!(api_key, [:api, @record])
+  end
+
+  context "#update?" do
+    scope = :update_owner
+    action = :update?
+
+    should_require_user_key scope, action
+    should_require_mfa scope, action
+    should_require_scope scope, action
+    should_require_rubygem_scope scope, action
+    should_delegate_to_policy scope, action, OwnershipPolicy
+  end
+end
diff --git a/test/policies/api/rubygem_policy_test.rb b/test/policies/api/rubygem_policy_test.rb
index 63e7c1093b8..fd4e0cff8b8 100644
--- a/test/policies/api/rubygem_policy_test.rb
+++ b/test/policies/api/rubygem_policy_test.rb
@@ -1,54 +1,85 @@
 require "test_helper"
 
-class Api::RubygemPolicyTest < ActiveSupport::TestCase
+class Api::RubygemPolicyTest < ApiPolicyTestCase
   setup do
-    @owner = create(:user)
+    @owner = create(:user, handle: "owner")
     @rubygem = create(:rubygem, owners: [@owner])
 
-    RubygemPolicy.any_instance.stubs(show_trusted_publishers?: true)
+    RubygemPolicy.any_instance.stubs(
+      configure_trusted_publishers?: true,
+      add_owner?: true,
+      remove_owner?: true
+    )
   end
 
-  def policy!(api_key, rubygem = @rubygem)
-    Pundit.policy!(api_key, [:api, rubygem])
+  def policy!(api_key)
+    Pundit.policy!(api_key, [:api, @rubygem])
   end
 
-  context "#show_trusted_publishers?" do
-    should "be false if the ApiKey scope does not include :configure_trusted_publishers" do
-      api_key = create(:api_key, owner: @owner, scopes: %w[push_rubygem])
+  context "#index?" do
+    scope = :index_rubygems
+    action = :index?
 
-      refute_predicate policy!(api_key), :show_trusted_publishers?
-    end
+    should_require_scope scope, action
 
-    should "be false if the ApiKey scope includes the rubygem but does not include :configure_trusted_publishers" do
-      api_key = create(:api_key, owner: @owner, scopes: %w[push_rubygem], rubygem: @rubygem)
+    should "allow ApiKey with scope and any rubygem" do
+      api_key = key_with_scope([:push_rubygem, scope], rubygem: create(:rubygem, owners: [@owner]))
 
-      refute_predicate policy!(api_key), :show_trusted_publishers?
+      assert_authorized api_key, action
     end
+  end
+
+  context "#create?" do
+    scope = :push_rubygem
+    action = :create?
 
-    should "be false if the ApiKey specifies a different rubygem" do
-      other_gem = create(:rubygem, owners: [@owner])
-      api_key = create(:api_key, owner: @owner, scopes: %w[configure_trusted_publishers], rubygem: other_gem)
+    should_require_scope scope, action
+    should_require_mfa scope, action
 
-      refute_predicate policy!(api_key), :show_trusted_publishers?
+    should "deny ApiKey without scope but with rubygem" do
+      refute_authorized key_without_scope(:push_rubygem, rubygem: @rubygem), :create?
     end
+  end
 
-    should "be false if the user policy for the gem does not allow show_trusted_publishers?" do
-      RubygemPolicy.any_instance.stubs(show_trusted_publishers?: false)
-      api_key = create(:api_key, owner: @owner, scopes: %w[configure_trusted_publishers])
+  context "#yank?" do
+    scope = :yank_rubygem
+    action = :yank?
 
-      refute_predicate policy!(api_key), :show_trusted_publishers?
-    end
+    should_require_user_key scope, action
+    should_require_scope scope, action
+    should_require_rubygem_scope scope, action
+  end
 
-    should "be true for ApiKey without rubygem" do
-      api_key = create(:api_key, owner: @owner, scopes: %w[configure_trusted_publishers])
+  context "#configure_trusted_publishers?" do
+    scope = :configure_trusted_publishers
+    action = :configure_trusted_publishers?
 
-      assert_predicate policy!(api_key), :show_trusted_publishers?
-    end
+    should_require_user_key scope, action
+    should_require_mfa scope, action
+    should_require_scope scope, action
+    should_require_rubygem_scope scope, action
+    should_delegate_to_policy scope, action, RubygemPolicy
+  end
 
-    should "be true for ApiKey with correct rubygem" do
-      api_key = create(:api_key, owner: @owner, scopes: %w[configure_trusted_publishers], rubygem: @rubygem)
+  context "#add_owner" do
+    scope = :add_owner
+    action = :add_owner?
 
-      assert_predicate policy!(api_key), :show_trusted_publishers?
-    end
+    should_require_user_key scope, action
+    should_require_mfa scope, action
+    should_require_scope scope, action
+    should_require_rubygem_scope scope, action
+    should_delegate_to_policy scope, action, RubygemPolicy
+  end
+
+  context "#remove_owner" do
+    scope = :remove_owner
+    action = :remove_owner?
+
+    should_require_user_key scope, action
+    should_require_mfa scope, action
+    should_require_scope scope, action
+    should_require_rubygem_scope scope, action
+    should_delegate_to_policy scope, action, RubygemPolicy
   end
 end
diff --git a/test/policies/membership_policy_test.rb b/test/policies/membership_policy_test.rb
new file mode 100644
index 00000000000..cc3e3465a3c
--- /dev/null
+++ b/test/policies/membership_policy_test.rb
@@ -0,0 +1,122 @@
+require "test_helper"
+class MembershipPolicyTest < PolicyTestCase
+  setup do
+    @owner = create(:user, handle: "owner")
+    @admin = create(:user, handle: "admin")
+    @maintainer = create(:user, handle: "maintainer")
+    @guest = create(:user)
+    @organization = create(:organization, owners: [@owner], admins: [@admin], maintainers: [@maintainer])
+  end
+
+  def policy!(user, record = Membership)
+    Pundit.policy!(user, record)
+  end
+
+  context "#create?" do
+    context "adding an owner" do
+      should "be authorized for org owners only" do
+        membership = build(:membership, :owner, organization: @organization)
+
+        assert_authorized policy!(@owner, membership), :create?
+
+        refute_authorized policy!(@admin, membership), :create?
+        refute_authorized policy!(@maintainer, membership), :create?
+        refute_authorized policy!(@guest, membership), :create?
+      end
+    end
+
+    context "adding an admin" do
+      should "be authorized for org admins and owners" do
+        membership = build(:membership, :admin, organization: @organization)
+
+        assert_authorized policy!(@owner, membership), :create?
+        assert_authorized policy!(@admin, membership), :create?
+
+        refute_authorized policy!(@maintainer, membership), :create?
+        refute_authorized policy!(@guest, membership), :create?
+      end
+    end
+  end
+
+  context "#update?" do
+    context "changing to owner" do
+      should "be authorized for org owners only" do
+        membership = create(:membership, :admin, organization: @organization)
+        membership.role = :owner
+
+        assert_authorized policy!(@owner, membership), :update?
+
+        refute_authorized policy!(@admin, membership), :update?
+        refute_authorized policy!(@maintainer, membership), :update?
+        refute_authorized policy!(@guest, membership), :update?
+      end
+    end
+
+    context "changing from owner" do
+      should "be authorized for org owners only" do
+        membership = create(:membership, :owner, organization: @organization)
+        membership.role = :admin
+
+        assert_authorized policy!(@owner, membership), :update?
+
+        refute_authorized policy!(@admin, membership), :update?
+        refute_authorized policy!(@maintainer, membership), :update?
+        refute_authorized policy!(@guest, membership), :update?
+      end
+    end
+
+    context "changing from admin" do
+      should "be authorized for org admins and owners" do
+        membership = create(:membership, :admin, organization: @organization)
+        membership.role = :maintainer
+
+        assert_authorized policy!(@owner, membership), :update?
+        assert_authorized policy!(@admin, membership), :update?
+
+        refute_authorized policy!(@maintainer, membership), :update?
+        refute_authorized policy!(@guest, membership), :update?
+      end
+    end
+
+    context "changing to admin" do
+      should "be authorized for org admins and owners" do
+        membership = create(:membership, :maintainer, organization: @organization)
+        membership.role = :admin
+
+        assert_authorized policy!(@owner, membership), :update?
+        assert_authorized policy!(@admin, membership), :update?
+
+        refute_authorized policy!(@maintainer, membership), :update?
+        refute_authorized policy!(@guest, membership), :update?
+      end
+    end
+  end
+
+  context "#destroy?" do
+    context "removing owner" do
+      should "be authorized for org owners only" do
+        membership = create(:membership, :owner, organization: @organization)
+        membership.role = :admin
+
+        assert_authorized policy!(@owner, membership), :update?
+
+        refute_authorized policy!(@admin, membership), :update?
+        refute_authorized policy!(@maintainer, membership), :update?
+        refute_authorized policy!(@guest, membership), :update?
+      end
+    end
+
+    context "removing admin" do
+      should "be authorized for org admins and owners" do
+        membership = create(:membership, :admin, organization: @organization)
+        membership.role = :maintainer
+
+        assert_authorized policy!(@owner, membership), :update?
+        assert_authorized policy!(@admin, membership), :update?
+
+        refute_authorized policy!(@maintainer, membership), :update?
+        refute_authorized policy!(@guest, membership), :update?
+      end
+    end
+  end
+end
diff --git a/test/policies/oidc/rubygem_trusted_publisher_policy_test.rb b/test/policies/oidc/rubygem_trusted_publisher_policy_test.rb
deleted file mode 100644
index c485853307a..00000000000
--- a/test/policies/oidc/rubygem_trusted_publisher_policy_test.rb
+++ /dev/null
@@ -1,28 +0,0 @@
-require "test_helper"
-
-class OIDC::RubygemTrustedPublisherPolicyTest < ActiveSupport::TestCase
-  setup do
-    @owner = FactoryBot.create(:user)
-    @rubygem = FactoryBot.create(:rubygem, owners: [@owner])
-    @trusted_publisher = create(:oidc_rubygem_trusted_publisher, rubygem: @rubygem)
-    @user = FactoryBot.create(:user)
-  end
-
-  def test_show
-    assert_predicate Pundit.policy!(@owner, @trusted_publisher), :show?
-    refute_predicate Pundit.policy!(@user, @trusted_publisher), :show?
-    refute_predicate Pundit.policy!(nil, @trusted_publisher), :show?
-  end
-
-  def test_create
-    assert_predicate Pundit.policy!(@owner, @trusted_publisher), :create?
-    refute_predicate Pundit.policy!(@user, @trusted_publisher), :create?
-    refute_predicate Pundit.policy!(nil, @trusted_publisher), :create?
-  end
-
-  def test_destroy
-    assert_predicate Pundit.policy!(@owner, @trusted_publisher), :destroy?
-    refute_predicate Pundit.policy!(@user, @trusted_publisher), :destroy?
-    refute_predicate Pundit.policy!(nil, @trusted_publisher), :destroy?
-  end
-end
diff --git a/test/policies/organization_policy_test.rb b/test/policies/organization_policy_test.rb
new file mode 100644
index 00000000000..ca032ba3bd0
--- /dev/null
+++ b/test/policies/organization_policy_test.rb
@@ -0,0 +1,91 @@
+require "test_helper"
+class OrganizationPolicyTest < PolicyTestCase
+  setup do
+    @owner = create(:user, handle: "owner")
+    @admin = create(:user, handle: "admin")
+    @maintainer = create(:user, handle: "maintainer")
+    @guest = create(:user)
+    @organization = create(:organization, owners: [@owner], admins: [@admin], maintainers: [@maintainer])
+  end
+
+  def policy!(user)
+    Pundit.policy!(user, @organization)
+  end
+
+  context "#show?" do
+    should "be authorized for all users" do
+      assert_authorized @owner, :show?
+      assert_authorized @admin, :show?
+      assert_authorized @maintainer, :show?
+      assert_authorized @guest, :show?
+    end
+  end
+
+  context "#create?" do
+    should "be authorized for all users" do
+      assert_authorized @owner, :create?
+      assert_authorized @admin, :create?
+      assert_authorized @maintainer, :create?
+      assert_authorized @guest, :create?
+    end
+  end
+
+  context "#destroy?" do
+    should "be disallowed for all users until further development" do
+      refute_authorized @owner, :destroy?
+      refute_authorized @admin, :destroy?
+      refute_authorized @maintainer, :destroy?
+      refute_authorized @guest, :destroy?
+    end
+  end
+
+  context "#update?" do
+    should "only be authorized if the user is an owner" do
+      assert_authorized @owner, :update?
+
+      refute_authorized @admin, :update?
+      refute_authorized @maintainer, :update?
+      refute_authorized @guest, :update?
+    end
+  end
+
+  context "add_gem?" do
+    should "only be authorized if the user is an owner" do
+      assert_authorized @owner, :add_gem?
+      assert_authorized @admin, :add_gem?
+
+      refute_authorized @maintainer, :add_gem?
+      refute_authorized @guest, :add_gem?
+    end
+  end
+
+  context "#remove_gem?" do
+    should "only be authorized if the user is an owner" do
+      assert_authorized @owner, :remove_gem?
+
+      refute_authorized @admin, :remove_gem?
+      refute_authorized @maintainer, :remove_gem?
+      refute_authorized @guest, :remove_gem?
+    end
+  end
+
+  context "#manage_memberships?" do
+    should "only be authorized if the user is an owner" do
+      assert_authorized @owner, :manage_memberships?
+      assert_authorized @admin, :manage_memberships?
+
+      refute_authorized @maintainer, :manage_memberships?
+      refute_authorized @guest, :manage_memberships?
+    end
+  end
+
+  context "#list_memberships?" do
+    should "only be authorized if the user is an owner or maintainer" do
+      assert_authorized @owner, :list_memberships?
+      assert_authorized @admin, :list_memberships?
+      assert_authorized @maintainer, :list_memberships?
+
+      refute_authorized @guest, :list_memberships?
+    end
+  end
+end
diff --git a/test/policies/ownership_call_policy_test.rb b/test/policies/ownership_call_policy_test.rb
index 7437de1bef1..9bd3c3c93a9 100644
--- a/test/policies/ownership_call_policy_test.rb
+++ b/test/policies/ownership_call_policy_test.rb
@@ -1,21 +1,25 @@
 require "test_helper"
 
-class OwnershipCallPolicyTest < ActiveSupport::TestCase
+class OwnershipCallPolicyTest < PolicyTestCase
   setup do
-    @owner = FactoryBot.create(:user)
-    @rubygem = FactoryBot.create(:rubygem, owners: [@owner])
+    @owner = create(:user)
+    @rubygem = create(:rubygem, owners: [@owner])
     @ownership_call = @rubygem.ownership_calls.create(user: @owner, note: "valid note")
 
-    @user = FactoryBot.create(:user)
+    @user = create(:user)
+  end
+
+  def policy!(user)
+    Pundit.policy!(user, @ownership_call)
   end
 
   def test_create
-    assert_predicate Pundit.policy!(@owner, @ownership_call), :create?
-    refute_predicate Pundit.policy!(@user, @ownership_call), :create?
+    assert_authorized @owner, :create?
+    refute_authorized @user, :create?
   end
 
-  def test_destroy
-    assert_predicate Pundit.policy!(@owner, @ownership_call), :close?
-    refute_predicate Pundit.policy!(@user, @ownership_call), :close?
+  def test_close
+    assert_authorized @owner, :close?
+    refute_authorized @user, :close?
   end
 end
diff --git a/test/policies/ownership_policy_test.rb b/test/policies/ownership_policy_test.rb
index b6d77fa0846..2fa68b75d37 100644
--- a/test/policies/ownership_policy_test.rb
+++ b/test/policies/ownership_policy_test.rb
@@ -2,10 +2,13 @@
 
 class OwnershipPolicyTest < ActiveSupport::TestCase
   setup do
-    @authorizer = FactoryBot.create(:user)
-    @rubygem = FactoryBot.create(:rubygem, owners: [@authorizer])
-    @confirmed_ownership = @rubygem.ownerships.first
+    @authorizer = FactoryBot.create(:user, handle: "owner")
+    @maintainer = FactoryBot.create(:user, handle: "maintainer")
+    @rubygem = FactoryBot.create(:rubygem, owners: [@authorizer], maintainers: [@maintainer])
+    @authorizer_ownership = @rubygem.ownerships.first
+    @maintainer_ownership = @maintainer.ownerships.first
     @unconfirmed_ownership = FactoryBot.build(:ownership, :unconfirmed, rubygem: @rubygem, authorizer: @authorizer)
+    @unconfirmed_maintainer_ownership = FactoryBot.build(:ownership, :maintainer, rubygem: @rubygem, authorizer: @authorizer)
 
     @invited = @unconfirmed_ownership.user
     @user = FactoryBot.create(:user)
@@ -15,11 +18,25 @@ def test_create
     assert_predicate Pundit.policy!(@authorizer, @unconfirmed_ownership), :create?
     refute_predicate Pundit.policy!(@invited, @unconfirmed_ownership), :create?
     refute_predicate Pundit.policy!(@user, @unconfirmed_ownership), :create?
+    refute_predicate Pundit.policy!(@maintainer, @maintainer_ownership), :create?
+    refute_predicate Pundit.policy!(@maintainer, @unconfirmed_maintainer_ownership), :create?
+  end
+
+  def test_update
+    assert_predicate Pundit.policy!(@authorizer, @maintainer_ownership), :update?
+    refute_predicate Pundit.policy!(@authorizer, @authorizer_ownership), :update?
+    refute_predicate Pundit.policy!(@invited, @unconfirmed_ownership), :update?
+    refute_predicate Pundit.policy!(@user, @unconfirmed_ownership), :update?
+    refute_predicate Pundit.policy!(@user, @unconfirmed_maintainer_ownership), :update?
+    refute_predicate Pundit.policy!(@maintainer, @maintainer_ownership), :update?
+    refute_predicate Pundit.policy!(@maintainer, @unconfirmed_maintainer_ownership), :update?
   end
 
   def test_destroy
-    assert_predicate Pundit.policy!(@authorizer, @confirmed_ownership), :destroy?
-    refute_predicate Pundit.policy!(@owner, @confirmed_ownership), :destroy?
-    refute_predicate Pundit.policy!(@user, @confirmed_ownership), :destroy?
+    assert_predicate Pundit.policy!(@authorizer, @authorizer_ownership), :destroy?
+    refute_predicate Pundit.policy!(@maintainer, @authorizer_ownership), :destroy?
+    refute_predicate Pundit.policy!(@user, @authorizer_ownership), :destroy?
+    refute_predicate Pundit.policy!(@user, @maintainer_ownership), :destroy?
+    refute_predicate Pundit.policy!(@user, @unconfirmed_maintainer_ownership), :destroy?
   end
 end
diff --git a/test/policies/rubygem_policy_test.rb b/test/policies/rubygem_policy_test.rb
index c363254351e..4979fa27697 100644
--- a/test/policies/rubygem_policy_test.rb
+++ b/test/policies/rubygem_policy_test.rb
@@ -1,21 +1,79 @@
 require "test_helper"
 
-class RubygemPolicyTest < ActiveSupport::TestCase
+class RubygemPolicyTest < PolicyTestCase
   setup do
     @owner = create(:user, handle: "owner")
-    @rubygem = create(:rubygem, owners: [@owner])
+    @maintainer = create(:user, handle: "maintainer")
+    @rubygem = create(:rubygem, owners: [@owner], maintainers: [@maintainer])
+
+    @org_owner = create(:user, handle: "org_owner")
+    @org_admin = create(:user, handle: "org_admin")
+    @org_maintainer = create(:user, handle: "org_maintainer")
+    @organization = create(
+      :organization,
+      owners: [@org_owner],
+      maintainers: [@org_maintainer],
+      admins: [@org_admin]
+    )
+    @org_rubygem = create(
+      :rubygem,
+      organization: @organization,
+      owners: [@owner],
+      maintainers: [@maintainer]
+    )
+
     @user = create(:user, handle: "user")
   end
 
-  context "#request_ownership?" do
-    should "be false if the gem is owned by the user" do
-      refute_predicate Pundit.policy!(@owner, @rubygem), :request_ownership?
+  def policy!(user)
+    Pundit.policy!(user, @rubygem)
+  end
+
+  def org_policy!(user)
+    Pundit.policy!(user, @org_rubygem)
+  end
+
+  context "#configure_oidc?" do
+    should "only allow the owner" do
+      assert_authorized policy!(@owner), :configure_oidc?
+      refute_authorized policy!(@user), :configure_oidc?
+      refute_authorized policy!(nil), :configure_oidc?
+    end
+
+    should "only allow owners, org owners and admins" do
+      assert_authorized org_policy!(@org_owner), :configure_oidc?
+      assert_authorized org_policy!(@org_admin), :configure_oidc?
+      assert_authorized org_policy!(@owner), :configure_oidc?
+
+      refute_authorized org_policy!(@org_maintainer), :configure_oidc?
+      refute_authorized org_policy!(@user), :configure_oidc?
+      refute_authorized org_policy!(nil), :configure_oidc?
+    end
+  end
+
+  context "#manage_adoption?" do
+    should "only allow the owner" do
+      assert_authorized policy!(@owner), :manage_adoption?
+      refute_authorized policy!(@user), :manage_adoption?
+      refute_authorized policy!(nil), :manage_adoption?
+    end
+
+    should "only allow owners and org owners" do
+      assert_authorized org_policy!(@org_owner), :manage_adoption?
+      assert_authorized org_policy!(@owner), :manage_adoption?
+
+      refute_authorized org_policy!(@org_admin), :manage_adoption?
+      refute_authorized org_policy!(@org_maintainer), :manage_adoption?
+      refute_authorized org_policy!(@user), :manage_adoption?
+      refute_authorized org_policy!(nil), :manage_adoption?
     end
+  end
 
+  context "#request_ownership?" do
     should "be true if the gem has ownership calls" do
       create(:ownership_call, rubygem: @rubygem, user: @owner)
 
-      assert_predicate Pundit.policy!(@user, @rubygem), :request_ownership?
+      assert_authorized policy!(@user), :request_ownership?
     end
 
     should "be false if the gem has more than 10,000 downloads" do
@@ -23,60 +81,143 @@ class RubygemPolicyTest < ActiveSupport::TestCase
       create(:version, rubygem: @rubygem, created_at: 2.years.ago)
 
       assert_operator @rubygem.downloads, :>, RubygemPolicy::ABANDONED_DOWNLOADS_MAX
-      refute_predicate Pundit.policy!(@user, @rubygem), :request_ownership?
+      refute_authorized policy!(@user), :request_ownership?
     end
 
     should "be false if the gem has no versions" do
       assert_empty @rubygem.versions
-      refute_predicate Pundit.policy!(@user, @rubygem), :request_ownership?
+      refute_authorized policy!(@user), :request_ownership?
     end
 
-    should "be false if the gem has a version newer than 1 year" do
-      create(:version, rubygem: @rubygem, created_at: 11.months.ago)
+    context "when the gem has a version newer than 1 year" do
+      should "be false" do
+        create(:version, rubygem: @rubygem, created_at: 11.months.ago)
 
-      refute_predicate Pundit.policy!(@user, @rubygem), :request_ownership?
+        refute_authorized policy!(@user), :request_ownership?
+      end
     end
 
     should "be true if the gem's latest version is older than 1 year and less than 10,000 downloads" do
       create(:version, rubygem: @rubygem, created_at: 2.years.ago)
 
-      assert_predicate Pundit.policy!(@user, @rubygem), :request_ownership?
+      assert_authorized policy!(@user), :request_ownership?
+    end
+  end
+
+  context "#close_ownership_requests" do
+    should "only allow the owner to close ownership requests" do
+      assert_authorized policy!(@owner), :close_ownership_requests?
+      refute_authorized policy!(@maintainer), :close_ownership_requests?
+      refute_authorized policy!(@user), :close_ownership_requests?
+    end
+
+    should "only allow owners and org owners" do
+      assert_authorized org_policy!(@org_owner), :close_ownership_requests?
+      assert_authorized org_policy!(@owner), :close_ownership_requests?
+
+      refute_authorized org_policy!(@org_admin), :close_ownership_requests?
+      refute_authorized org_policy!(@org_maintainer), :close_ownership_requests?
+      refute_authorized org_policy!(@user), :close_ownership_requests?
+      refute_authorized org_policy!(nil), :close_ownership_requests?
     end
   end
 
   context "#show_adoption?" do
     should "be true if the gem is owned by the user" do
-      assert_predicate Pundit.policy!(@owner, @rubygem), :show_adoption?
+      assert_authorized policy!(@owner), :show_adoption?
+      refute_authorized policy!(@maintainer), :show_adoption?
     end
 
     should "be true if the rubygem is adoptable" do
       create(:version, rubygem: @rubygem, created_at: 2.years.ago)
 
-      assert_predicate Pundit.policy!(@owner, @rubygem), :show_adoption?
+      assert_authorized policy!(@user), :show_adoption?
     end
   end
 
   context "#show_events?" do
-    should "only allow the owner" do
-      assert_predicate Pundit.policy!(@owner, @rubygem), :show_events?
-      refute_predicate Pundit.policy!(@user, @rubygem), :show_events?
-      refute_predicate Pundit.policy!(nil, @rubygem), :show_events?
+    should "only allow the owner and maintainer" do
+      assert_authorized policy!(@owner), :show_events?
+      assert_authorized policy!(@maintainer), :show_events?
+      refute_authorized policy!(@user), :show_events?
+      refute_authorized policy!(nil), :show_events?
+    end
+
+    should "only allow anyone with access to the gem" do
+      assert_authorized org_policy!(@org_owner), :show_events?
+      assert_authorized org_policy!(@org_admin), :show_events?
+      assert_authorized org_policy!(@org_maintainer), :show_events?
+      assert_authorized org_policy!(@owner), :show_events?
+      assert_authorized org_policy!(@maintainer), :show_events?
+
+      refute_authorized org_policy!(@user), :show_events?
+      refute_authorized org_policy!(nil), :show_events?
     end
   end
 
-  context "#show_trusted_publishers?" do
+  context "#configure_trusted_publishers?" do
     should "only allow the owner" do
-      assert_predicate Pundit.policy!(@owner, @rubygem), :show_trusted_publishers?
-      refute_predicate Pundit.policy!(@user, @rubygem), :show_trusted_publishers?
-      refute_predicate Pundit.policy!(nil, @rubygem), :show_trusted_publishers?
+      assert_authorized policy!(@owner), :configure_trusted_publishers?
+      refute_authorized policy!(@maintainer), :configure_trusted_publishers?
+      refute_authorized policy!(@user), :configure_trusted_publishers?
+      refute_authorized policy!(nil), :configure_trusted_publishers?
+    end
+
+    should "only allow owners, org owners and admins" do
+      assert_authorized org_policy!(@org_owner), :configure_trusted_publishers?
+      assert_authorized org_policy!(@org_admin), :configure_trusted_publishers?
+      assert_authorized org_policy!(@owner), :configure_trusted_publishers?
+
+      refute_authorized org_policy!(@org_maintainer), :configure_trusted_publishers?
+      refute_authorized org_policy!(@maintainer), :configure_trusted_publishers?
+      refute_authorized org_policy!(@user), :configure_trusted_publishers?
+      refute_authorized org_policy!(nil), :configure_trusted_publishers?
     end
   end
 
   context "#show_unconfirmed_ownerships?" do
     should "only allow the owner" do
-      assert_predicate Pundit.policy!(@owner, @rubygem), :show_unconfirmed_ownerships?
-      refute_predicate Pundit.policy!(@user, @rubygem), :show_unconfirmed_ownerships?
-      refute_predicate Pundit.policy!(nil, @rubygem), :show_unconfirmed_ownerships?
+      assert_authorized policy!(@owner), :show_unconfirmed_ownerships?
+      refute_authorized policy!(@maintainer), :show_unconfirmed_ownerships?
+      refute_authorized policy!(@user), :show_unconfirmed_ownerships?
+      refute_authorized policy!(nil), :show_unconfirmed_ownerships?
+    end
+
+    should "only allow owners, org owners and admins" do
+      assert_authorized org_policy!(@org_owner), :show_unconfirmed_ownerships?
+      assert_authorized org_policy!(@org_admin), :show_unconfirmed_ownerships?
+      assert_authorized org_policy!(@owner), :show_unconfirmed_ownerships?
+
+      refute_authorized org_policy!(@org_maintainer), :show_unconfirmed_ownerships?
+      refute_authorized org_policy!(@user), :show_unconfirmed_ownerships?
+      refute_authorized org_policy!(nil), :show_unconfirmed_ownerships?
+    end
+  end
+
+  context "#add_owner?" do
+    should "only allow the owner" do
+      assert_authorized policy!(@owner), :add_owner?
+      refute_authorized policy!(@maintainer), :add_owner?
+      refute_authorized policy!(@user), :add_owner?
+      refute_authorized policy!(nil), :add_owner?
+    end
+  end
+
+  context "#update_owner?" do
+    should "only allow the owner" do
+      assert_authorized policy!(@owner), :update_owner?
+      refute_authorized policy!(@maintainer), :update_owner?
+      refute_authorized policy!(@user), :update_owner?
+      refute_authorized policy!(nil), :update_owner?
+    end
+  end
+
+  context "#remove_owner?" do
+    should "only allow the owner" do
+      assert_authorized policy!(@owner), :remove_owner?
+      refute_authorized policy!(@maintainer), :remove_owner?
+      refute_authorized policy!(@user), :remove_owner?
+      refute_authorized policy!(nil), :remove_owner?
     end
   end
 end
diff --git a/test/policies/rubygem_trusted_publishing_policy_test.rb b/test/policies/rubygem_trusted_publishing_policy_test.rb
new file mode 100644
index 00000000000..953044e4c7a
--- /dev/null
+++ b/test/policies/rubygem_trusted_publishing_policy_test.rb
@@ -0,0 +1,42 @@
+require "test_helper"
+
+class RubygemTrustedPublishingPolicyTest < PolicyTestCase
+  setup do
+    @owner = create(:user, handle: "owner")
+    @maintainer = create(:user, handle: "maintainer")
+    @user = create(:user, handle: "user")
+    @rubygem = create(:rubygem, owners: [@owner], maintainers: [@maintainer])
+    @rubygem_trusted_publisher = create(:oidc_rubygem_trusted_publisher, rubygem: @rubygem)
+  end
+
+  def policy!(user)
+    Pundit.policy!(user, @rubygem_trusted_publisher)
+  end
+
+  context "#show?" do
+    should "only allow the owner" do
+      assert_authorized @owner, :show?
+      refute_authorized @maintainer, :show?
+      refute_authorized @user, :show?
+      refute_authorized nil, :show?
+    end
+  end
+
+  context "create?" do
+    should "only allow the owner" do
+      assert_authorized @owner, :create?
+      refute_authorized @maintainer, :create?
+      refute_authorized @user, :create?
+      refute_authorized nil, :create?
+    end
+  end
+
+  context "#destroy?" do
+    should "only allow the owner" do
+      assert_authorized @owner, :destroy?
+      refute_authorized @maintainer, :destroy?
+      refute_authorized @user, :destroy?
+      refute_authorized nil, :destroy?
+    end
+  end
+end
diff --git a/test/system/admin_test.rb b/test/system/admin_test.rb
index 64f6f1a4dbf..9fb440cba5f 100644
--- a/test/system/admin_test.rb
+++ b/test/system/admin_test.rb
@@ -2,6 +2,8 @@
 
 class AdminTest < ApplicationSystemTestCase
   test "development login as an admin" do
+    requires_avo_pro
+
     @admin_user = create(:admin_github_user, :is_admin)
 
     visit "/admin"
diff --git a/test/system/avo/events_test.rb b/test/system/avo/events_test.rb
index 31ecf3e9565..1e493143415 100644
--- a/test/system/avo/events_test.rb
+++ b/test/system/avo/events_test.rb
@@ -5,29 +5,8 @@ class Avo::EventsSystemTest < ApplicationSystemTestCase
 
   include ActiveJob::TestHelper
 
-  def sign_in_as(user)
-    OmniAuth.config.mock_auth[:github] = OmniAuth::AuthHash.new(
-      provider: "github",
-      uid: "1",
-      credentials: {
-        token: user.oauth_token,
-        expires: false
-      },
-      info: {
-        name: user.login
-      }
-    )
-    @ip_address = create(:ip_address, ip_address: "127.0.0.1")
-    stub_github_info_request(user.info_data)
-
-    visit avo.root_path
-    click_button "Log in with GitHub"
-
-    page.assert_text user.login
-  end
-
   test "user events" do
-    sign_in_as(create(:admin_github_user, :is_admin))
+    avo_sign_in_as(create(:admin_github_user, :is_admin))
 
     visit avo.root_path
     click_link "Events user events"
@@ -46,7 +25,7 @@ def sign_in_as(user)
   end
 
   test "rubygem events" do
-    sign_in_as(create(:admin_github_user, :is_admin))
+    avo_sign_in_as(create(:admin_github_user, :is_admin))
 
     visit avo.root_path
     click_link "Events rubygem events"
diff --git a/test/system/avo/manual_changes_test.rb b/test/system/avo/manual_changes_test.rb
index ad990b0bf1a..8d47468e5ea 100644
--- a/test/system/avo/manual_changes_test.rb
+++ b/test/system/avo/manual_changes_test.rb
@@ -3,30 +3,9 @@
 class Avo::ManualChangesSystemTest < ApplicationSystemTestCase
   make_my_diffs_pretty!
 
-  def sign_in_as(user)
-    OmniAuth.config.mock_auth[:github] = OmniAuth::AuthHash.new(
-      provider: "github",
-      uid: "1",
-      credentials: {
-        token: user.oauth_token,
-        expires: false
-      },
-      info: {
-        name: user.login
-      }
-    )
-
-    stub_github_info_request(user.info_data)
-
-    visit avo.root_path
-    click_button "Log in with GitHub"
-
-    page.assert_text user.login
-  end
-
   test "auditing changes" do
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     Admin::LogTicketPolicy.any_instance.stubs(:avo_create?).returns(true)
     Admin::LogTicketPolicy.any_instance.stubs(:avo_update?).returns(true)
@@ -35,6 +14,7 @@ def sign_in_as(user)
     visit avo.resources_log_tickets_path
     click_on "Create new log ticket"
 
+    page.find_by_id("log_ticket_key", wait: Capybara.default_max_wait_time) # Wait for input to be available.
     fill_in "Key", with: "key"
     fill_in "Directory", with: "dir"
     fill_in "Processed count", with: "0"
@@ -132,9 +112,8 @@ def sign_in_as(user)
 
     page.assert_title(/^#{log_ticket.to_param}/)
 
-    accept_alert("Are you sure?") do
-      click_on "Delete"
-    end
+    click_on "Delete"
+    click_on "Yes, I'm sure"
 
     page.assert_text "Record destroyed"
 
diff --git a/test/system/avo/oidc_api_key_roles_test.rb b/test/system/avo/oidc_api_key_roles_test.rb
deleted file mode 100644
index 26ddc401784..00000000000
--- a/test/system/avo/oidc_api_key_roles_test.rb
+++ /dev/null
@@ -1,79 +0,0 @@
-require "application_system_test_case"
-
-class Avo::OIDCApiKeyRolesSystemTest < ApplicationSystemTestCase
-  make_my_diffs_pretty!
-
-  def sign_in_as(user)
-    OmniAuth.config.mock_auth[:github] = OmniAuth::AuthHash.new(
-      provider: "github",
-      uid: "1",
-      credentials: {
-        token: user.oauth_token,
-        expires: false
-      },
-      info: {
-        name: user.login
-      }
-    )
-
-    stub_github_info_request(user.info_data)
-
-    visit avo.root_path
-    click_button "Log in with GitHub"
-
-    page.assert_text user.login
-  end
-
-  test "manually changing roles" do
-    admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
-
-    provider = create(:oidc_provider)
-    user = create(:user)
-
-    visit avo.resources_oidc_api_key_roles_path
-    click_on "Create new OIDC api key role"
-
-    select provider.issuer, from: "oidc_api_key_role_oidc_provider_id"
-    find_field(id: "oidc_api_key_role_user_id").click
-    send_keys user.display_handle
-    find("li", text: user.display_handle).click
-    fill_in "Name", with: "Role"
-    fill_in "Valid for", with: "PT15M"
-    fill_in "Comment", with: "A nice long comment"
-
-    click_on "Save"
-
-    page.assert_text "can't be blank"
-    page.assert_text "Access policy can't be blank"
-
-    assert_field "oidc_api_key_role_oidc_provider_id", with: provider.id
-    assert_field "oidc_api_key_role_user_id", with: user.display_handle
-    assert_field "Name", with: "Role"
-    assert_field "Valid for", with: "PT15M"
-
-    find("div[data-field-id='scopes'] tags").click
-    send_keys "push_rubygem", :enter
-    fill_in "Comment", with: "A nice long comment"
-
-    click_on "Add another Statement"
-    click_on "Add another Condition"
-
-    click_on "Save"
-
-    fill_in "oidc_api_key_role_access_policy_statements_0__principal_oidc", with: provider.issuer
-    select "String Matches", from: "oidc_api_key_role_access_policy_statements_0__conditions_0__operator"
-    fill_in "oidc_api_key_role_access_policy_statements_0__conditions_0__claim", with: "sub"
-    fill_in "oidc_api_key_role_access_policy_statements_0__conditions_0__value", with: "sub-value"
-    fill_in "Comment", with: "A nice long comment"
-
-    click_on "Save"
-
-    page.assert_text "Role"
-
-    role = provider.api_key_roles.sole
-
-    assert_equal "string_matches", role.access_policy.statements[0].conditions[0].operator
-    assert_equal OIDC::ApiKeyPermissions.new(valid_for: 15.minutes, gems: [], scopes: ["push_rubygem"]), role.api_key_permissions
-  end
-end
diff --git a/test/system/avo/oidc_providers_test.rb b/test/system/avo/oidc_providers_test.rb
index 8b91d0ecaf0..a3d56d9462a 100644
--- a/test/system/avo/oidc_providers_test.rb
+++ b/test/system/avo/oidc_providers_test.rb
@@ -3,30 +3,9 @@
 class Avo::OIDCProvidersSystemTest < ApplicationSystemTestCase
   make_my_diffs_pretty!
 
-  def sign_in_as(user)
-    OmniAuth.config.mock_auth[:github] = OmniAuth::AuthHash.new(
-      provider: "github",
-      uid: "1",
-      credentials: {
-        token: user.oauth_token,
-        expires: false
-      },
-      info: {
-        name: user.login
-      }
-    )
-
-    stub_github_info_request(user.info_data)
-
-    visit avo.root_path
-    click_button "Log in with GitHub"
-
-    page.assert_text user.login
-  end
-
   test "refreshing provider" do
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     provider = create(:oidc_provider, issuer: "https://token.actions.githubusercontent.com", configuration: nil, jwks: nil)
 
diff --git a/test/system/avo/rubygems_test.rb b/test/system/avo/rubygems_test.rb
index b79ccc0ee3f..e9d9dda8c00 100644
--- a/test/system/avo/rubygems_test.rb
+++ b/test/system/avo/rubygems_test.rb
@@ -5,32 +5,9 @@ class Avo::RubygemsSystemTest < ApplicationSystemTestCase
 
   include ActiveJob::TestHelper
 
-  def sign_in_as(user)
-    OmniAuth.config.mock_auth[:github] = OmniAuth::AuthHash.new(
-      provider: "github",
-      uid: "1",
-      credentials: {
-        token: user.oauth_token,
-        expires: false
-      },
-      info: {
-        name: user.login
-      }
-    )
-
-    create(:ip_address, ip_address: "127.0.0.1")
-
-    stub_github_info_request(user.info_data)
-
-    visit avo.root_path
-    click_button "Log in with GitHub"
-
-    page.assert_text user.login
-  end
-
   test "release reserved namespace" do
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     rubygem = create(:rubygem, created_at: 40.days.ago)
     rubygem_attributes = rubygem.attributes.with_indifferent_access
@@ -88,7 +65,7 @@ def sign_in_as(user)
   test "Yank a rubygem" do
     Minitest::Test.make_my_diffs_pretty!
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     security_user = create(:user, email: "security@rubygems.org")
     rubygem = create(:rubygem)
@@ -163,7 +140,7 @@ def sign_in_as(user)
 
   test "Yank all version of rubygem" do
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     security_user = create(:user, email: "security@rubygems.org")
     rubygem = create(:rubygem)
@@ -251,8 +228,10 @@ def sign_in_as(user)
   end
 
   test "add owner" do
+    requires_avo_pro # for search
+
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     security_user = create(:user, email: "security@rubygems.org")
     rubygem = create(:rubygem)
@@ -271,7 +250,8 @@ def sign_in_as(user)
     page.assert_text "Must supply a sufficiently detailed comment"
 
     fill_in "Comment", with: "A nice long comment"
-    find_field("New owner").click
+    find_field("New owner").click(delay: 0.05)
+    find("form[role='search'] input").click
     send_keys new_owner.email
     find("li", text: new_owner.handle).click
 
@@ -314,7 +294,8 @@ def sign_in_as(user)
                 "token_expires_at" => [nil, ownership.token_expires_at.as_json],
                 "owner_notifier" => [nil, true],
                 "authorizer_id" => [nil, security_user.id],
-                "ownership_request_notifier" => [nil, true]
+                "ownership_request_notifier" => [nil, true],
+                "role" => [nil, ownership.role]
               },
               "unchanged" => {}
             },
@@ -332,7 +313,7 @@ def sign_in_as(user)
 
   test "upload versions file" do
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     visit avo.resources_rubygems_path
 
@@ -353,7 +334,7 @@ def sign_in_as(user)
 
   test "upload names file" do
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     visit avo.resources_rubygems_path
 
@@ -374,7 +355,7 @@ def sign_in_as(user)
 
   test "upload info file" do
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     version = create(:version)
     visit avo.resources_rubygem_path(version.rubygem)
diff --git a/test/system/avo/sendgrid_events_test.rb b/test/system/avo/sendgrid_events_test.rb
index 01d309c0e25..363742cb49c 100644
--- a/test/system/avo/sendgrid_events_test.rb
+++ b/test/system/avo/sendgrid_events_test.rb
@@ -3,29 +3,9 @@
 class Avo::SendgridEventsSystemTest < ApplicationSystemTestCase
   include ActiveJob::TestHelper
 
-  def sign_in_as(user)
-    OmniAuth.config.mock_auth[:github] = OmniAuth::AuthHash.new(
-      provider: "github",
-      uid: "1",
-      credentials: {
-        token: user.oauth_token,
-        expires: false
-      },
-      info: {
-        name: user.login
-      }
-    )
-    stub_github_info_request(user.info_data)
-
-    visit avo.root_path
-    click_button "Log in with GitHub"
-
-    page.assert_text user.login
-  end
-
   test "search for event" do
     user = FactoryBot.create(:admin_github_user, :is_admin)
-    sign_in_as(user)
+    avo_sign_in_as(user)
 
     visit avo.resources_sendgrid_events_path
 
diff --git a/test/system/avo/users_test.rb b/test/system/avo/users_test.rb
index 3c04bc1a8a8..19a99118c28 100644
--- a/test/system/avo/users_test.rb
+++ b/test/system/avo/users_test.rb
@@ -5,31 +5,10 @@ class Avo::UsersSystemTest < ApplicationSystemTestCase
 
   include ActiveJob::TestHelper
 
-  def sign_in_as(user)
-    OmniAuth.config.mock_auth[:github] = OmniAuth::AuthHash.new(
-      provider: "github",
-      uid: "1",
-      credentials: {
-        token: user.oauth_token,
-        expires: false
-      },
-      info: {
-        name: user.login
-      }
-    )
-    @ip_address = create(:ip_address, ip_address: "127.0.0.1")
-    stub_github_info_request(user.info_data)
-
-    visit avo.root_path
-    click_button "Log in with GitHub"
-
-    page.assert_text user.login
-  end
-
   test "reset mfa" do
     Minitest::Test.make_my_diffs_pretty!
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     user = create(:user)
     user.enable_totp!(ROTP::Base32.random_base32, :ui_and_api)
@@ -102,7 +81,7 @@ def sign_in_as(user)
   test "block user" do
     Minitest::Test.make_my_diffs_pretty!
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     user = create(:user)
     user.enable_totp!(ROTP::Base32.random_base32, :ui_and_api)
@@ -200,7 +179,7 @@ def sign_in_as(user)
   test "reset api key" do
     perform_enqueued_jobs do
       admin_user = create(:admin_github_user, :is_admin)
-      sign_in_as admin_user
+      avo_sign_in_as admin_user
 
       user = create(:user)
       user_attributes = user.attributes.with_indifferent_access
@@ -267,7 +246,7 @@ def sign_in_as(user)
 
   test "Yank rubygems" do
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
     security_user = create(:user, email: "security@rubygems.org")
 
     ownership = create(:ownership)
@@ -366,7 +345,7 @@ def sign_in_as(user)
 
   test "yank user" do
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
     security_user = create(:user, email: "security@rubygems.org")
 
     user = create(:user)
@@ -510,7 +489,7 @@ def sign_in_as(user)
   test "change user email" do
     perform_enqueued_jobs do
       admin_user = create(:admin_github_user, :is_admin)
-      sign_in_as admin_user
+      avo_sign_in_as admin_user
 
       user = create(:user)
       user_attributes = user.attributes.with_indifferent_access
@@ -588,7 +567,7 @@ def sign_in_as(user)
 
   test "create user" do
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     visit avo.resources_users_path
 
@@ -628,7 +607,7 @@ def sign_in_as(user)
         },
         "fields" => { "email" => "gem-user-001@example.com" },
         "arguments" => {},
-        "models" => nil
+        "models" => []
       },
       audit.audited_changes
     )
diff --git a/test/system/avo/versions_test.rb b/test/system/avo/versions_test.rb
index 69a9d8c0934..75a868ad56f 100644
--- a/test/system/avo/versions_test.rb
+++ b/test/system/avo/versions_test.rb
@@ -5,31 +5,9 @@ class Avo::VersionsSystemTest < ApplicationSystemTestCase
 
   include ActiveJob::TestHelper
 
-  def sign_in_as(user)
-    OmniAuth.config.mock_auth[:github] = OmniAuth::AuthHash.new(
-      provider: "github",
-      uid: "1",
-      credentials: {
-        token: user.oauth_token,
-        expires: false
-      },
-      info: {
-        name: user.login
-      }
-    )
-
-    @ip_address = create(:ip_address, ip_address: "127.0.0.1")
-    stub_github_info_request(user.info_data)
-
-    visit avo.root_path
-    click_button "Log in with GitHub"
-
-    page.assert_text user.login
-  end
-
   test "restore a rubygem version" do
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     rubygem = create(:rubygem)
     version = create(:version, rubygem: rubygem)
@@ -139,7 +117,7 @@ def sign_in_as(user)
 
   test "run afer version write job" do
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     rubygem = create(:rubygem, owners: [create(:user)])
     version = create(:version, rubygem: rubygem)
@@ -147,7 +125,6 @@ def sign_in_as(user)
     visit avo.resources_version_path(version)
 
     click_button "Actions"
-
     click_on "Run version post-write job"
 
     fill_in "Comment", with: "A nice long comment"
diff --git a/test/system/avo/web_hooks_test.rb b/test/system/avo/web_hooks_test.rb
index 58a3ad99824..bbc2c22ca7b 100644
--- a/test/system/avo/web_hooks_test.rb
+++ b/test/system/avo/web_hooks_test.rb
@@ -3,30 +3,10 @@
 class Avo::WebHooksSystemTest < ApplicationSystemTestCase
   include ActiveJob::TestHelper
 
-  def sign_in_as(user)
-    OmniAuth.config.mock_auth[:github] = OmniAuth::AuthHash.new(
-      provider: "github",
-      uid: "1",
-      credentials: {
-        token: user.oauth_token,
-        expires: false
-      },
-      info: {
-        name: user.login
-      }
-    )
-    stub_github_info_request(user.info_data)
-
-    visit avo.root_path
-    click_button "Log in with GitHub"
-
-    page.assert_text user.login
-  end
-
   test "delete webhook" do
     Minitest::Test.make_my_diffs_pretty!
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     web_hook = create(:global_web_hook)
 
diff --git a/test/system/gem_server_conformance_test.rb b/test/system/gem_server_conformance_test.rb
new file mode 100644
index 00000000000..ef303da1767
--- /dev/null
+++ b/test/system/gem_server_conformance_test.rb
@@ -0,0 +1,68 @@
+require "application_system_test_case"
+
+require_relative "../../lib/gemcutter/middleware/hostess"
+
+class GemServerConformanceTest < ApplicationSystemTestCase
+  include ActionDispatch::Assertions::RoutingAssertions
+  include ActiveJob::TestHelper
+
+  setup do
+    @tmp_versions_file = Tempfile.new("tmp_versions_file")
+    tmp_path = @tmp_versions_file.path
+
+    Rails.application.config.rubygems.stubs(:[]).with("versions_file_location").returns(tmp_path)
+    Rails.application.config.rubygems.stubs(:[]).with("s3_compact_index_bucket").returns("s3_compact_index_bucket")
+    Rails.application.config.rubygems.stubs(:[]).with("s3_contents_bucket").returns("s3_contents_bucket")
+
+    test = self
+    Rails.application.routes.disable_clear_and_finalize = true
+    Rails.application.routes.draw do
+      post "/set_time", to: lambda { |env|
+        test.travel_to Time.iso8601(Rack::Request.new(env).body.read)
+        [200, {}, ["OK"]]
+      }
+      post "/rebuild_versions_list", to: lambda { |_env|
+        Rake::Task["compact_index:update_versions_file"].execute
+        Rake::Task["compact_index:update_versions_file"].reenable
+        [200, {}, ["OK"]]
+      }
+      hostess = Gemcutter::Middleware::Hostess.new(nil)
+      to = lambda { |env|
+        hostess.call(env)
+          .tap do |response|
+          response[1].delete("x-cascade")
+        end
+      }
+      match "/quick/Marshal.4.8/:name", to:, via: :get, constraints: { name: /[A-Za-z0-9._-]+/ }
+      match "/gems/:name", to:, via: :get, constraints: { name: Patterns::ROUTE_PATTERN }
+      match "/specs.4.8.gz", to:, via: :get
+      match "/prerelease_specs.4.8.gz", to:, via: :get
+      match "/latest_specs.4.8.gz", to:, via: :get
+    end
+
+    Indexer.perform_now
+    @subscriber = ActiveSupport::Notifications.subscribe("process_action.action_controller") do
+      perform_enqueued_jobs only: [Indexer]
+    end
+  end
+
+  teardown do
+    ActiveSupport::Notifications.unsubscribe(@subscriber)
+    Rails.application.reload_routes!
+  end
+
+  test "is a conformant gem server" do
+    create(:api_key, scopes: %w[push_rubygem yank_rubygem], key: "12345")
+
+    output, status = Open3.capture2e(
+      {
+        "UPSTREAM" => "http://#{Capybara.current_session.config.server_host}:#{Capybara.current_session.config.server_port}",
+        "GEM_HOST_API_KEY" => "12345"
+      },
+      "gem_server_conformance",
+      "--fail-fast", "--tag=~content_type_header", "--tag=~content_length_header"
+    )
+
+    assert_predicate status, :success?, output
+  end
+end
diff --git a/test/system/maintenance_tasks_test.rb b/test/system/maintenance_tasks_test.rb
index 5a07054de2f..207ea25cb7c 100644
--- a/test/system/maintenance_tasks_test.rb
+++ b/test/system/maintenance_tasks_test.rb
@@ -5,30 +5,9 @@ class MaintenanceTasksTest < ApplicationSystemTestCase
 
   include ActiveJob::TestHelper
 
-  def sign_in_as(user)
-    OmniAuth.config.mock_auth[:github] = OmniAuth::AuthHash.new(
-      provider: "github",
-      uid: "1",
-      credentials: {
-        token: user.oauth_token,
-        expires: false
-      },
-      info: {
-        name: user.login
-      }
-    )
-
-    stub_github_info_request(user.info_data)
-
-    visit admin_maintenance_tasks.root_path
-    click_button "Log in with GitHub"
-
-    page.assert_text "Maintenance Tasks"
-  end
-
   test "auditing create run" do
     admin_user = create(:admin_github_user, :is_admin)
-    sign_in_as admin_user
+    avo_sign_in_as admin_user
 
     visit admin_maintenance_tasks.root_path
     click_on "Maintenance::UserTotpSeedEmptyToNilTask"
diff --git a/test/system/multifactor_auths_test.rb b/test/system/multifactor_auths_test.rb
index 37d82e5a15f..69a06758f53 100644
--- a/test/system/multifactor_auths_test.rb
+++ b/test/system/multifactor_auths_test.rb
@@ -35,7 +35,7 @@ class MultifactorAuthsTest < ApplicationSystemTestCase
       register_otp_device
 
       assert page.has_content? "Recovery codes"
-      click_link "[ copy ]"
+      click_link "Copy to clipboard"
       check "ack"
       click_button "Continue"
 
@@ -174,7 +174,7 @@ def redirect_test_mfa_disabled(path)
     register_otp_device
 
     assert page.has_content? "Recovery codes"
-    click_link "[ copy ]"
+    click_link "Copy to clipboard"
     check "ack"
     click_button "Continue"
     yield if block_given?
diff --git a/test/system/oidc_test.rb b/test/system/oidc_test.rb
index 2f42f6eb0d5..a6e19618a8a 100644
--- a/test/system/oidc_test.rb
+++ b/test/system/oidc_test.rb
@@ -227,7 +227,7 @@ def verify_session # rubocop:disable Minitest/TestMethodName
     visit new_rubygem_trusted_publisher_path(rubygem.slug)
     verify_session
 
-    assert_text "forbidden"
+    assert_text "Forbidden"
 
     create(:ownership, rubygem: rubygem, user: @user)
 
@@ -276,8 +276,8 @@ def verify_session # rubocop:disable Minitest/TestMethodName
 
     click_button "Delete"
 
-    page.assert_text "Trusted Publisher deleted"
-    page.assert_text "NO RUBYGEM TRUSTED PUBLISHERS FOUND"
+    assert_content "Trusted Publisher deleted"
+    assert_content "NO RUBYGEM TRUSTED PUBLISHERS FOUND"
   end
 
   test "creating pending trusted publishers" do
@@ -349,7 +349,7 @@ def verify_session # rubocop:disable Minitest/TestMethodName
 
     click_button "Delete"
 
-    page.assert_text "Pending Trusted Publisher deleted"
-    page.assert_text "NO PENDING TRUSTED PUBLISHERS FOUND"
+    assert_content "Pending Trusted Publisher deleted"
+    assert_content "NO PENDING TRUSTED PUBLISHERS FOUND"
   end
 end
diff --git a/test/system/onboarding_test.rb b/test/system/onboarding_test.rb
new file mode 100644
index 00000000000..280a7742e03
--- /dev/null
+++ b/test/system/onboarding_test.rb
@@ -0,0 +1,103 @@
+require "application_system_test_case"
+
+class OnboardingTest < ApplicationSystemTestCase
+  setup do
+    @user = create(:user, :mfa_enabled)
+    @other_user = create(:user)
+    @admin = create(:user)
+    @maintainer = create(:user)
+    @rubygem = create(:rubygem, owners: [@user, @other_user, @admin, @maintainer])
+    @other_rubygem = create(:rubygem, owners: [@user, @other_user])
+  end
+
+  test "onboarding an organization with a single gem and user" do
+    visit sign_in_path
+
+    click_link "login as #{@user[:handle]}"
+
+    visit organization_onboarding_path
+
+    assert_text "Create an Org"
+
+    visit organization_onboarding_name_path
+
+    find("label", text: "a gem you own").click
+
+    select @rubygem.name, from: "rubygems.org/organizations/"
+
+    click_button "Continue"
+
+    assert_text "Add gems to your Org"
+
+    click_button "Continue"
+
+    assert_text "Manage Members"
+
+    click_button "Continue"
+
+    assert_text "Finalize"
+
+    click_button "Create Org"
+  end
+
+  test "onboarding an organization with multiple gems and users" do
+    visit sign_in_path
+
+    click_link "login as #{@user[:handle]}"
+
+    visit organization_onboarding_name_path
+
+    find("label", text: "a gem you own").click
+
+    select @rubygem.name, from: "rubygems.org/organizations/"
+
+    click_button "Continue"
+
+    assert_text "Add gems to your Org"
+
+    check @other_rubygem.name
+
+    click_button "Continue"
+
+    assert_text "Manage Members"
+
+    select "Owner", from: @other_user.handle
+
+    click_button "Continue"
+
+    assert_text "Finalize"
+
+    click_button "Create Org"
+  end
+
+  test "onboarding an organization with many different user roles" do
+    visit sign_in_path
+
+    click_link "login as #{@user[:handle]}"
+
+    visit organization_onboarding_name_path
+
+    find("label", text: "a gem you own").click
+
+    select @rubygem.name, from: "rubygems.org/organizations/"
+
+    click_button "Continue"
+
+    assert_text "Add gems to your Org"
+
+    check @other_rubygem.name
+
+    click_button "Continue"
+
+    assert_text "Manage Members"
+
+    select "Owner", from: @other_user.handle
+    select "Admin", from: @admin.handle
+
+    click_button "Continue"
+
+    assert_text "Finalize"
+
+    click_button "Create Org"
+  end
+end
diff --git a/test/system/settings_test.rb b/test/system/settings_test.rb
index 9a6b948f82c..aa67f60cd68 100644
--- a/test/system/settings_test.rb
+++ b/test/system/settings_test.rb
@@ -40,7 +40,7 @@ def otp_key
 
     assert page.has_content? "Recovery codes"
 
-    click_link "[ copy ]"
+    click_link "Copy to clipboard"
     check "ack"
     click_button "Continue"
 
@@ -101,9 +101,9 @@ def otp_key
 
     assert page.has_content? "Recovery codes"
 
-    recoveries = page.find_by_id("recovery-code-list").text.split
+    recoveries = page.find(:css, ".recovery-code-list").value.split
 
-    click_link "[ copy ]"
+    click_link "Copy to clipboard"
     check "ack"
     click_button "Continue"
     page.fill_in "otp", with: recoveries.sample
@@ -145,18 +145,17 @@ def otp_key
     click_button "Enable"
 
     check "ack"
-    confirm_text = dismiss_confirm do
-      visit root_path
+    dismiss_confirm("Leave without copying recovery codes?") do
+      click_on "Continue"
     end
 
-    assert_equal("", confirm_text)
     assert_equal recovery_multifactor_auth_path, page.current_path
 
-    accept_confirm do
-      visit root_path
+    accept_confirm("Leave without copying recovery codes?") do
+      click_on "Continue"
     end
 
-    assert_equal root_path, page.current_path
+    assert_equal edit_settings_path, page.current_path
   end
 
   test "shows 'ui only' if user's level is ui_only" do
diff --git a/test/system/webauthn_credentials_test.rb b/test/system/webauthn_credentials_test.rb
index 62a80bf6c60..6930ec829ee 100644
--- a/test/system/webauthn_credentials_test.rb
+++ b/test/system/webauthn_credentials_test.rb
@@ -108,7 +108,7 @@ def sign_in
     end
 
     assert_equal recovery_multifactor_auth_path, current_path
-    click_on "[ copy ]"
+    click_on "Copy to clipboard"
     check "ack"
     click_on "Continue"
 
diff --git a/test/test_helper.rb b/test/test_helper.rb
index 9c4f5fc3775..3245db98809 100644
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -25,33 +25,33 @@
 require "shoulda/context"
 require "shoulda/matchers"
 require "helpers/admin_helpers"
+require "helpers/api_policy_helpers"
 require "helpers/gem_helpers"
 require "helpers/email_helpers"
 require "helpers/es_helper"
 require "helpers/password_helpers"
+require "helpers/policy_helpers"
 require "helpers/webauthn_helpers"
 require "helpers/oauth_helpers"
 require 'helpers/timescaledb_helpers'
+require "helpers/avo_helpers"
 require "webmock/minitest"
 require "phlex/testing/rails/view_helper"
 
 # setup license early since some tests are testing Avo outside of requests
 # and license is set with first request
-Avo::App.license = Avo::Licensing::LicenseManager.new(Avo::Licensing::HQ.new.response).license
+Avo::Current.license = Avo::Licensing::LicenseManager.new(Avo::Licensing::HQ.new.response).license
 
 WebMock.disable_net_connect!(
   allow_localhost: true,
   allow: [
-    "chromedriver.storage.googleapis.com"
+    "chromedriver.storage.googleapis.com",
+    "search", # DevContainer services
+    "selenium",
+    "rails-app"
   ]
 )
 WebMock.globally_stub_request(:after_local_stubs) do |request|
-  avo_request_pattern = WebMock::RequestPattern.new(:post, "https://avohq.io/api/v1/licenses/check")
-  if avo_request_pattern.matches?(request)
-    { status: 200, body: { id: :pro, valid: true, payload: {} }.to_json,
-      headers: { "Content-Type" => "application/json" } }
-  end
-
   if WebMock::RequestPattern.new(:get, Addressable::Template.new("https://secure.gravatar.com/avatar/{hash}.png?d=404&r=PG&s={size}")).matches?(request)
     { status: 404, body: "", headers: {} }
   end
@@ -115,6 +115,16 @@ def requires_toxiproxy
     skip("Toxiproxy is not running, but was required for this test.")
   end
 
+  def requires_avo_pro
+    return if Avo.configuration.license == "advanced" && defined?(Avo::Pro)
+
+    if ActiveRecord::Type::Boolean.new.cast(ENV["REQUIRE_AVO_PRO"])
+      raise "REQUIRE_AVO_PRO is set but Avo::Pro is missing in #{Rails.env}." \
+            "\nRAILS_GROUPS=#{ENV['RAILS_GROUPS'].inspect}\nAvo.license=#{Avo.license.inspect}"
+    end
+    skip "avo pro is not present but was required for this test"
+  end
+
   def assert_changed(object, *attributes)
     original_attributes = attributes.index_with { |a| object.send(a) }
     yield if block_given?
@@ -180,8 +190,9 @@ def create_webauthn_credential_while_signed_in
     fill_in "Nickname", with: credential_nickname
     click_on "Register device"
 
-    click_on "[ copy ]"
-    @mfa_recovery_codes = find_all(:css, ".recovery-code-list__item").map(&:text)
+    click_on "Copy to clipboard"
+    @mfa_recovery_codes = find(:css, ".recovery-code-list").value.split
+
     check "ack"
     click_on "Continue"
 
@@ -217,6 +228,22 @@ def verified_sign_in_as(user)
     session[:verification] = 10.minutes.from_now
     session[:verified_user] = user.id
   end
+
+  def assert_text(text, context = page)
+    assert context.has_content?(text), "page is missing content #{text}"
+  end
+
+  def refute_text(text)
+    refute page.has_content?(text), "page has unexpected content #{text}"
+  end
+
+  def assert_selector(selector)
+    assert page.has_selector?(selector), "page is missing selector #{selector}"
+  end
+
+  def refute_selector(selector)
+    refute page.has_selector?(selector), "page has unexpected selector #{selector}"
+  end
 end
 
 class ActionDispatch::IntegrationTest
@@ -242,6 +269,8 @@ class SystemTest < ActionDispatch::IntegrationTest
 
 class AdminPolicyTestCase < ActiveSupport::TestCase
   def setup
+    requires_avo_pro
+
     @authorization_client = Admin::AuthorizationClient.new
   end
 
@@ -254,12 +283,9 @@ def assert_authorizes(user, record, action)
   end
 
   def refute_authorizes(user, record, action)
-    @authorization_client.authorize(user, record, action, policy_class: policy_class)
-    policy_class ||= policy!(user, record).class
-
-    flunk("Expected #{policy_class} not to authorize #{action} on #{record} for #{user}")
-  rescue Avo::NotAuthorizedError
-    # Expected
+    assert_raise(Avo::NotAuthorizedError) do
+      @authorization_client.authorize(user, record, action, policy_class: policy_class)
+    end
   end
 
   def policy_class
@@ -275,6 +301,14 @@ def policy_scope!(user, record)
   end
 end
 
+class ApiPolicyTestCase < ActiveSupport::TestCase
+  include ApiPolicyHelpers
+end
+
+class PolicyTestCase < ActiveSupport::TestCase
+  include PolicyHelpers
+end
+
 class ComponentTest < ActiveSupport::TestCase
   include Phlex::Testing::Rails::ViewHelper
   include Capybara::Minitest::Assertions
diff --git a/test/unit/avo/actions/base_action_test.rb b/test/unit/avo/actions/base_action_test.rb
index fd5f46600a5..ff803c1da39 100644
--- a/test/unit/avo/actions/base_action_test.rb
+++ b/test/unit/avo/actions/base_action_test.rb
@@ -1,24 +1,24 @@
 require "test_helper"
 
 class BaseActionTest < ActiveSupport::TestCase
-  class DestroyerAction < BaseAction
-    class ActionHandler < ActionHandler
-      def handle_model(model)
+  class DestroyerAction < Avo::Actions::ApplicationAction
+    class ActionHandler < Avo::Actions::ActionHandler
+      def handle_record(model)
         model.destroy!
       end
     end
   end
 
-  class EmptyAction < BaseAction
-    class ActionHandler < ActionHandler
-      def handle_model(model)
+  class EmptyAction < Avo::Actions::ApplicationAction
+    class ActionHandler < Avo::Actions::ActionHandler
+      def handle_record(model)
       end
     end
   end
 
-  class WebHookCreateAction < BaseAction
-    class ActionHandler < BaseAction::ActionHandler
-      def handle_model(user)
+  class WebHookCreateAction < Avo::Actions::ApplicationAction
+    class ActionHandler < Avo::Actions::ActionHandler
+      def handle_record(user)
         user.web_hooks.create(url: "https://example.com/path")
       end
     end
@@ -31,8 +31,7 @@ def handle_model(user)
     @avo = mock
     @view_context.stubs(:avo).returns(@avo)
     @avo.stubs(:resources_audit_path).returns("resources_audit_path")
-
-    ::Avo::App.init request: nil, context: nil, current_user: nil, view_context: @view_context, params: {}
+    Avo::Current.stubs(:view_context).returns(@view_context)
   end
 
   test "handles errors" do
@@ -41,7 +40,7 @@ def each
         raise "Cannot enumerate"
       end
     end.new
-    action = BaseAction.new
+    action = EmptyAction.new
 
     args = {
       fields: {
@@ -49,13 +48,14 @@ def each
       },
       current_user: create(:admin_github_user, :is_admin),
       resource: nil,
-      models: raises_on_each
+      records: raises_on_each,
+      query: nil
     }
 
     action.handle(**args)
 
     assert_equal [{ type: :error, body: "Cannot enumerate" }], action.response[:messages]
-    assert action.response[:keep_modal_open]
+    assert_equal :keep_modal_open, action.response[:type]
   end
 
   test "tracks deletions" do
@@ -69,7 +69,8 @@ def each
       },
       current_user: admin,
       resource: nil,
-      models: [webhook]
+      records: [webhook],
+      query: nil
     }
 
     action.handle(**args)
@@ -115,7 +116,8 @@ def each
       },
       current_user: admin,
       resource: nil,
-      models: [user]
+      records: [user],
+      query: nil
     }
 
     action.handle(**args)
@@ -152,7 +154,8 @@ def each
       },
       current_user: admin,
       resource: nil,
-      models: [user]
+      records: [user],
+      query: nil
     }
 
     action.handle(**args)
diff --git a/test/unit/avo/actions/onboard_organization_test.rb b/test/unit/avo/actions/onboard_organization_test.rb
new file mode 100644
index 00000000000..bd68bc9e3cc
--- /dev/null
+++ b/test/unit/avo/actions/onboard_organization_test.rb
@@ -0,0 +1,40 @@
+require "test_helper"
+
+class OnboardOrganizationTest < ActiveSupport::TestCase
+  setup do
+    @onboarding = create(:organization_onboarding)
+    @current_user = create(:admin_github_user, :is_admin)
+    @resource = Avo::Resources::OrganizationOnboarding.new.hydrate(record: @onboarding)
+    @action = Avo::Actions::OnboardOrganization.new(resource: @resource, user: @current_user, view: :edit)
+  end
+
+  should "onboard an organization" do
+    args = {
+      current_user: @current_user,
+      resource: @resource,
+      fields: {
+        comment: "Onboarding a new organization 1234567"
+      },
+      query: [@onboarding]
+    }
+
+    @action.handle(**args)
+
+    assert_predicate @onboarding.reload, :completed?
+  end
+
+  # Avo does not have an easy and direct way to test the message & visible class attributes.
+  # calling the lambda directly will raise an error because Avo requires the entire app to be loaded.
+
+  should "ask for confirmation" do
+    action_mock = Data.define(:record).new(record: @onboarding)
+
+    assert_not_nil action_mock.instance_exec(&Avo::Actions::OnboardOrganization.message)
+  end
+
+  should "be visible" do
+    action_mock = Data.define(:current_user, :view, :record).new(current_user: @current_user, view: :show, record: @onboarding)
+
+    assert action_mock.instance_exec(&Avo::Actions::OnboardOrganization.visible)
+  end
+end
diff --git a/test/unit/avo/actions/unblock_user_test.rb b/test/unit/avo/actions/unblock_user_test.rb
new file mode 100644
index 00000000000..1bbfb015599
--- /dev/null
+++ b/test/unit/avo/actions/unblock_user_test.rb
@@ -0,0 +1,53 @@
+require "test_helper"
+
+class UnblockUserTest < ActiveSupport::TestCase
+  setup do
+    @user = create(:user, :blocked)
+    @current_user = create(:admin_github_user, :is_admin)
+    @resource = Avo::Resources::User.new.hydrate(record: @user)
+    @action = Avo::Actions::UnblockUser.new(record: @user, resource: @resource, user: @current_user, view: :edit)
+  end
+
+  should "unblock user" do
+    args = {
+      current_user: @current_user,
+      resource: @resource,
+      records: [@user],
+      fields: {
+        comment: "Unblocking incorrectly flagged user"
+      },
+      query: nil
+    }
+
+    @action.handle(**args)
+
+    refute_predicate @user.reload, :blocked?
+  end
+
+  # Avo does not have an easy and direct way to test the message & visible class attributes.
+  # calling the lambda directly will raise an error because Avo requires the entire app to be loaded.
+
+  should "ask for confirmation" do
+    action_mock = Data.define(:record).new(record: @user)
+
+    assert_not_nil action_mock.instance_exec(&Avo::Actions::UnblockUser.message)
+  end
+
+  should "be visible" do
+    action_mock = Data.define(:current_user, :view, :record).new(current_user: @current_user, view: :show, record: @user)
+
+    assert action_mock.instance_exec(&Avo::Actions::UnblockUser.visible)
+  end
+
+  context "when the user is not blocked" do
+    setup do
+      @user = create(:user)
+    end
+
+    should "not be visible" do
+      action_mock = Data.define(:current_user, :view, :record).new(current_user: @current_user, view: :show, record: @user)
+
+      refute action_mock.instance_exec(&Avo::Actions::UnblockUser.visible)
+    end
+  end
+end
diff --git a/test/unit/erb_implementation_test.rb b/test/unit/erb_implementation_test.rb
index a937b7dc385..0d6a05d54c7 100644
--- a/test/unit/erb_implementation_test.rb
+++ b/test/unit/erb_implementation_test.rb
@@ -10,7 +10,7 @@ class ErbImplementationTest < ActiveSupport::TestCase
   Dir[ERB_GLOB, base: Rails.root].each do |filename|
     test "html errors in #{filename}" do
       data = Rails.root.join(filename).read
-      BetterHtml::BetterErb::ErubiImplementation.new(data, filename:).validate!
+      assert_nothing_raised { BetterHtml::BetterErb::ErubiImplementation.new(data, filename:).validate! }
     end
   end
 end
diff --git a/test/unit/factories_test.rb b/test/unit/factories_test.rb
index cf1de6e4418..fb103e9336e 100644
--- a/test/unit/factories_test.rb
+++ b/test/unit/factories_test.rb
@@ -2,6 +2,6 @@
 
 class FactoriesTest < ActiveSupport::TestCase
   test "can create factories including traits" do
-    FactoryBot.lint(traits: true)
+    assert_nothing_raised { FactoryBot.lint(traits: true) }
   end
 end
diff --git a/test/unit/fastly_test.rb b/test/unit/fastly_test.rb
index ccca038dd44..102ad92bff2 100644
--- a/test/unit/fastly_test.rb
+++ b/test/unit/fastly_test.rb
@@ -21,7 +21,8 @@ class FastlyTest < ActiveSupport::TestCase
       stub_request(:purge, "https://domain2.example.com/some-url")
         .with(headers: { "Fastly-Key" => "api-key" })
         .to_return(status: 200, body: "{}")
-      Fastly.purge(path: "some-url")
+
+      assert Fastly.purge(path: "some-url")
     end
 
     should "soft purge for each domain" do
@@ -31,7 +32,8 @@ class FastlyTest < ActiveSupport::TestCase
       stub_request(:purge, "https://domain2.example.com/some-url")
         .with(headers: { "Fastly-Key" => "api-key", "Fastly-Soft-Purge" => "1" })
         .to_return(status: 200, body: "{}")
-      Fastly.purge(path: "some-url", soft: true)
+
+      assert Fastly.purge(path: "some-url", soft: true)
     end
   end
 
@@ -40,13 +42,15 @@ class FastlyTest < ActiveSupport::TestCase
       stub_request(:post, "https://api.fastly.com/service/service-id/purge/some-key")
         .with(headers: { "Fastly-Key" => "api-key" })
         .to_return(status: 200, body: "{}")
-      Fastly.purge_key("some-key")
+
+      assert Fastly.purge_key("some-key")
     end
     should "send a post request for soft purges" do
       stub_request(:post, "https://api.fastly.com/service/service-id/purge/some-key")
         .with(headers: { "Fastly-Key" => "api-key", "Fastly-Soft-Purge" => "1" })
         .to_return(status: 200, body: "{}")
-      Fastly.purge_key("some-key", soft: true)
+
+      assert Fastly.purge_key("some-key", soft: true)
     end
   end
 end
diff --git a/test/unit/helpers/pages_helper_test.rb b/test/unit/helpers/pages_helper_test.rb
index 6adce171e5d..f8517cdcf27 100644
--- a/test/unit/helpers/pages_helper_test.rb
+++ b/test/unit/helpers/pages_helper_test.rb
@@ -2,39 +2,4 @@
 
 class PagesHelperTest < ActionView::TestCase
   include RubygemsHelper
-
-  context "downloads" do
-    setup do
-      @rubygem = create(:rubygem, name: "rubygems-update")
-      @version_first = create(:version, number: "1.4.8", rubygem: @rubygem)
-      @version_last = create(:version,
-        number: "2.4.8",
-        built_at: Time.zone.local(2015, 1, 1),
-        rubygem: @rubygem)
-    end
-
-    should "return latest rubygem release version number" do
-      assert_equal @version_last.number, version_number
-    end
-
-    should "return 0.0.0 as version number if version doesn't exist" do
-      @rubygem.versions.each(&:destroy)
-
-      assert_equal "0.0.0", version_number
-    end
-
-    should "return latest rubygem release" do
-      assert_equal @version_last, version
-    end
-
-    should "return subtitle with release date and version number if both exist" do
-      assert_equal "v#{@version_last.number} - #{nice_date_for(@version_last.created_at)}", subtitle
-    end
-
-    should "return subtitle with only version number if version doesn't exist" do
-      @rubygem.destroy
-
-      assert_equal "v0.0.0", subtitle
-    end
-  end
 end
diff --git a/test/unit/patterns_test.rb b/test/unit/patterns_test.rb
index 1d51fef7228..b8cbf99782d 100644
--- a/test/unit/patterns_test.rb
+++ b/test/unit/patterns_test.rb
@@ -3,10 +3,6 @@
 require "test_helper"
 
 class PatternsTest < ActiveSupport::TestCase
-  test "JAVA_HTTP_USER_AGENT is linear" do
-    assert Regexp.linear_time?(Patterns::JAVA_HTTP_USER_AGENT)
-  end
-
   test "ROUTE_PATTERN is linear" do
     assert Regexp.linear_time?(Patterns::ROUTE_PATTERN)
   end
diff --git a/test/unit/webauthn_verification_test.rb b/test/unit/webauthn_verification_test.rb
index 4a7e100dc4b..5d0eb01db2b 100644
--- a/test/unit/webauthn_verification_test.rb
+++ b/test/unit/webauthn_verification_test.rb
@@ -8,6 +8,8 @@ class WebauthnVerificationTest < ActiveSupport::TestCase
   should validate_uniqueness_of(:user_id)
   should validate_presence_of(:path_token)
   should validate_uniqueness_of(:path_token)
+  should validate_presence_of(:path_token)
+  should validate_length_of(:path_token).is_at_most(128)
   should validate_presence_of(:path_token_expires_at)
 
   context "#expire_path_token" do
diff --git a/test/views/alert_component_test.rb b/test/views/alert_component_test.rb
new file mode 100644
index 00000000000..4a70a968447
--- /dev/null
+++ b/test/views/alert_component_test.rb
@@ -0,0 +1,53 @@
+require "test_helper"
+require "phlex/testing/rails/view_helper"
+
+class AlertComponentTest < ComponentTest
+  def alert(...)
+    AlertComponent.new(...)
+  end
+
+  def render(...)
+    response = super
+    Capybara.string(response)
+  end
+
+  test "renders a non-closable (blue) notice by default" do
+    page = render(alert { "Hello, world!" })
+
+    assert_selector ".bg-blue-200.text-neutral-800"
+    assert_text page, "Hello, world!"
+    refute_selector "button[title='Hide']"
+  end
+
+  test "renders a closable alert" do
+    page = render(alert(style: :alert, closeable: true) { "Alert!" })
+
+    assert_selector ".bg-yellow-200.text-neutral-800"
+    assert_text page, "Alert!"
+    assert_selector "button[title='Hide']"
+  end
+
+  test "renders a closable error" do
+    page = render(alert(style: :error, closeable: true) { "Error!" })
+
+    assert_selector ".bg-red-200.text-neutral-800"
+    assert_text page, "Error!"
+    assert_selector "button[title='Hide']"
+  end
+
+  test "renders a closable success" do
+    page = render(alert(style: :success, closeable: true) { "Success!" })
+
+    assert_selector ".bg-green-200.text-neutral-800"
+    assert_text page, "Success!"
+    assert_selector "button[title='Hide']"
+  end
+
+  test "renders a neutral alert" do
+    page = render(alert(style: :neutral, closeable: false) { "Here's some info" })
+
+    assert_selector ".bg-neutral-200.text-neutral-800"
+    assert_text page, "Here's some info"
+    refute_selector "button[title='Hide']"
+  end
+end
diff --git a/test/views/events/table_component_test.rb b/test/views/events/table_component_test.rb
index 911677c2243..412e57adade 100644
--- a/test/views/events/table_component_test.rb
+++ b/test/views/events/table_component_test.rb
@@ -1,9 +1,7 @@
 require "test_helper"
 require "phlex/testing/rails/view_helper"
 
-class Events::TableComponentTest < ActiveSupport::TestCase
-  include Phlex::Testing::Rails::ViewHelper
-
+class Events::TableComponentTest < ComponentTest
   class TestEvent
     include ActiveModel::Model
     include ActiveModel::Attributes
@@ -47,14 +45,14 @@ def page(array, page: 0, per: 10)
   test "renders an empty view" do
     page = render table
 
-    page.assert_text "No entries found"
+    assert_text page, "No entries found"
   end
 
   test "renders an unknown event" do
     page = render table(page([TestEvent.new(tag: "unknown:other")]))
 
-    page.assert_text "Displaying 1 entry"
-    page.assert_text "unknown:other"
+    assert_text page, "Displaying 1 entry"
+    assert_text page, "unknown:other"
   end
 
   test "renders redacted additional info when user_id does not match" do
@@ -68,11 +66,11 @@ def page(array, page: 0, per: 10)
                                                  })
                              ]), stubs: { current_user: user })
 
-    page.assert_text "Displaying 1 entry"
-    page.assert_text "user2:created"
-    page.assert_text "Redacted"
-    page.assert_no_text "Buffalo, NY, US"
-    page.assert_no_text "installer (implementation on system)"
+    assert_text page, "Displaying 1 entry"
+    assert_text page, "user2:created"
+    assert_text page, "Redacted"
+    assert_no_text page, "Buffalo, NY, US"
+    assert_no_text page, "installer (implementation on system)"
   end
 
   test "renders additional info when user_id matches" do
@@ -86,9 +84,9 @@ def page(array, page: 0, per: 10)
                                                  })
                              ]), stubs: { current_user: user })
 
-    page.assert_text "Displaying 1 entry"
-    page.assert_text "user:created"
-    page.assert_text "Buffalo, NY, US"
-    page.assert_text "installer (implementation on system)"
+    assert_text page, "Displaying 1 entry"
+    assert_text page, "user:created"
+    assert_text page, "Buffalo, NY, US"
+    assert_text page, "installer (implementation on system)"
   end
 end
diff --git a/vendor/assets/stylesheets/github_buttons.css.scss b/vendor/assets/stylesheets/github_buttons.css
similarity index 98%
rename from vendor/assets/stylesheets/github_buttons.css.scss
rename to vendor/assets/stylesheets/github_buttons.css
index ebb3356741a..a1c36ae230d 100644
--- a/vendor/assets/stylesheets/github_buttons.css.scss
+++ b/vendor/assets/stylesheets/github_buttons.css
@@ -63,7 +63,7 @@
   width: 14px;
   height: 14px;
   margin-right: 4px;
-  background: image-url('github_icon.png');
+  background: url('github_icon.png');
   background-size: 100% 100%;
   background-repeat: no-repeat;
 }
diff --git a/vendor/javascript/@hotwired--stimulus.js b/vendor/javascript/@hotwired--stimulus.js
new file mode 100644
index 00000000000..07dd4a6cc36
--- /dev/null
+++ b/vendor/javascript/@hotwired--stimulus.js
@@ -0,0 +1,4 @@
+// @hotwired/stimulus@3.2.2 downloaded from https://ga.jspm.io/npm:@hotwired/stimulus@3.2.2/dist/stimulus.js
+
+class EventListener{constructor(e,t,r){this.eventTarget=e;this.eventName=t;this.eventOptions=r;this.unorderedBindings=new Set}connect(){this.eventTarget.addEventListener(this.eventName,this,this.eventOptions)}disconnect(){this.eventTarget.removeEventListener(this.eventName,this,this.eventOptions)}bindingConnected(e){this.unorderedBindings.add(e)}bindingDisconnected(e){this.unorderedBindings.delete(e)}handleEvent(e){const t=extendEvent(e);for(const e of this.bindings){if(t.immediatePropagationStopped)break;e.handleEvent(t)}}hasBindings(){return this.unorderedBindings.size>0}get bindings(){return Array.from(this.unorderedBindings).sort(((e,t)=>{const r=e.index,s=t.index;return r<s?-1:r>s?1:0}))}}function extendEvent(e){if("immediatePropagationStopped"in e)return e;{const{stopImmediatePropagation:t}=e;return Object.assign(e,{immediatePropagationStopped:false,stopImmediatePropagation(){this.immediatePropagationStopped=true;t.call(this)}})}}class Dispatcher{constructor(e){this.application=e;this.eventListenerMaps=new Map;this.started=false}start(){if(!this.started){this.started=true;this.eventListeners.forEach((e=>e.connect()))}}stop(){if(this.started){this.started=false;this.eventListeners.forEach((e=>e.disconnect()))}}get eventListeners(){return Array.from(this.eventListenerMaps.values()).reduce(((e,t)=>e.concat(Array.from(t.values()))),[])}bindingConnected(e){this.fetchEventListenerForBinding(e).bindingConnected(e)}bindingDisconnected(e,t=false){this.fetchEventListenerForBinding(e).bindingDisconnected(e);t&&this.clearEventListenersForBinding(e)}handleError(e,t,r={}){this.application.handleError(e,`Error ${t}`,r)}clearEventListenersForBinding(e){const t=this.fetchEventListenerForBinding(e);if(!t.hasBindings()){t.disconnect();this.removeMappedEventListenerFor(e)}}removeMappedEventListenerFor(e){const{eventTarget:t,eventName:r,eventOptions:s}=e;const n=this.fetchEventListenerMapForEventTarget(t);const i=this.cacheKey(r,s);n.delete(i);0==n.size&&this.eventListenerMaps.delete(t)}fetchEventListenerForBinding(e){const{eventTarget:t,eventName:r,eventOptions:s}=e;return this.fetchEventListener(t,r,s)}fetchEventListener(e,t,r){const s=this.fetchEventListenerMapForEventTarget(e);const n=this.cacheKey(t,r);let i=s.get(n);if(!i){i=this.createEventListener(e,t,r);s.set(n,i)}return i}createEventListener(e,t,r){const s=new EventListener(e,t,r);this.started&&s.connect();return s}fetchEventListenerMapForEventTarget(e){let t=this.eventListenerMaps.get(e);if(!t){t=new Map;this.eventListenerMaps.set(e,t)}return t}cacheKey(e,t){const r=[e];Object.keys(t).sort().forEach((e=>{r.push(`${t[e]?"":"!"}${e}`)}));return r.join(":")}}const e={stop({event:e,value:t}){t&&e.stopPropagation();return true},prevent({event:e,value:t}){t&&e.preventDefault();return true},self({event:e,value:t,element:r}){return!t||r===e.target}};const t=/^(?:(?:([^.]+?)\+)?(.+?)(?:\.(.+?))?(?:@(window|document))?->)?(.+?)(?:#([^:]+?))(?::(.+))?$/;function parseActionDescriptorString(e){const r=e.trim();const s=r.match(t)||[];let n=s[2];let i=s[3];if(i&&!["keydown","keyup","keypress"].includes(n)){n+=`.${i}`;i=""}return{eventTarget:parseEventTarget(s[4]),eventName:n,eventOptions:s[7]?parseEventOptions(s[7]):{},identifier:s[5],methodName:s[6],keyFilter:s[1]||i}}function parseEventTarget(e){return"window"==e?window:"document"==e?document:void 0}function parseEventOptions(e){return e.split(":").reduce(((e,t)=>Object.assign(e,{[t.replace(/^!/,"")]:!/^!/.test(t)})),{})}function stringifyEventTarget(e){return e==window?"window":e==document?"document":void 0}function camelize(e){return e.replace(/(?:[_-])([a-z0-9])/g,((e,t)=>t.toUpperCase()))}function namespaceCamelize(e){return camelize(e.replace(/--/g,"-").replace(/__/g,"_"))}function capitalize(e){return e.charAt(0).toUpperCase()+e.slice(1)}function dasherize(e){return e.replace(/([A-Z])/g,((e,t)=>`-${t.toLowerCase()}`))}function tokenize(e){return e.match(/[^\s]+/g)||[]}function isSomething(e){return null!==e&&void 0!==e}function hasProperty(e,t){return Object.prototype.hasOwnProperty.call(e,t)}const r=["meta","ctrl","alt","shift"];class Action{constructor(e,t,r,s){this.element=e;this.index=t;this.eventTarget=r.eventTarget||e;this.eventName=r.eventName||getDefaultEventNameForElement(e)||error("missing event name");this.eventOptions=r.eventOptions||{};this.identifier=r.identifier||error("missing identifier");this.methodName=r.methodName||error("missing method name");this.keyFilter=r.keyFilter||"";this.schema=s}static forToken(e,t){return new this(e.element,e.index,parseActionDescriptorString(e.content),t)}toString(){const e=this.keyFilter?`.${this.keyFilter}`:"";const t=this.eventTargetName?`@${this.eventTargetName}`:"";return`${this.eventName}${e}${t}->${this.identifier}#${this.methodName}`}shouldIgnoreKeyboardEvent(e){if(!this.keyFilter)return false;const t=this.keyFilter.split("+");if(this.keyFilterDissatisfied(e,t))return true;const s=t.filter((e=>!r.includes(e)))[0];if(!s)return false;hasProperty(this.keyMappings,s)||error(`contains unknown key filter: ${this.keyFilter}`);return this.keyMappings[s].toLowerCase()!==e.key.toLowerCase()}shouldIgnoreMouseEvent(e){if(!this.keyFilter)return false;const t=[this.keyFilter];return!!this.keyFilterDissatisfied(e,t)}get params(){const e={};const t=new RegExp(`^data-${this.identifier}-(.+)-param$`,"i");for(const{name:r,value:s}of Array.from(this.element.attributes)){const n=r.match(t);const i=n&&n[1];i&&(e[camelize(i)]=typecast(s))}return e}get eventTargetName(){return stringifyEventTarget(this.eventTarget)}get keyMappings(){return this.schema.keyMappings}keyFilterDissatisfied(e,t){const[s,n,i,o]=r.map((e=>t.includes(e)));return e.metaKey!==s||e.ctrlKey!==n||e.altKey!==i||e.shiftKey!==o}}const s={a:()=>"click",button:()=>"click",form:()=>"submit",details:()=>"toggle",input:e=>"submit"==e.getAttribute("type")?"click":"input",select:()=>"change",textarea:()=>"input"};function getDefaultEventNameForElement(e){const t=e.tagName.toLowerCase();if(t in s)return s[t](e)}function error(e){throw new Error(e)}function typecast(e){try{return JSON.parse(e)}catch(t){return e}}class Binding{constructor(e,t){this.context=e;this.action=t}get index(){return this.action.index}get eventTarget(){return this.action.eventTarget}get eventOptions(){return this.action.eventOptions}get identifier(){return this.context.identifier}handleEvent(e){const t=this.prepareActionEvent(e);this.willBeInvokedByEvent(e)&&this.applyEventModifiers(t)&&this.invokeWithEvent(t)}get eventName(){return this.action.eventName}get method(){const e=this.controller[this.methodName];if("function"==typeof e)return e;throw new Error(`Action "${this.action}" references undefined method "${this.methodName}"`)}applyEventModifiers(e){const{element:t}=this.action;const{actionDescriptorFilters:r}=this.context.application;const{controller:s}=this.context;let n=true;for(const[i,o]of Object.entries(this.eventOptions))if(i in r){const c=r[i];n=n&&c({name:i,value:o,event:e,element:t,controller:s})}return n}prepareActionEvent(e){return Object.assign(e,{params:this.action.params})}invokeWithEvent(e){const{target:t,currentTarget:r}=e;try{this.method.call(this.controller,e);this.context.logDebugActivity(this.methodName,{event:e,target:t,currentTarget:r,action:this.methodName})}catch(t){const{identifier:r,controller:s,element:n,index:i}=this;const o={identifier:r,controller:s,element:n,index:i,event:e};this.context.handleError(t,`invoking action "${this.action}"`,o)}}willBeInvokedByEvent(e){const t=e.target;return!(e instanceof KeyboardEvent&&this.action.shouldIgnoreKeyboardEvent(e))&&(!(e instanceof MouseEvent&&this.action.shouldIgnoreMouseEvent(e))&&(this.element===t||(t instanceof Element&&this.element.contains(t)?this.scope.containsElement(t):this.scope.containsElement(this.action.element))))}get controller(){return this.context.controller}get methodName(){return this.action.methodName}get element(){return this.scope.element}get scope(){return this.context.scope}}class ElementObserver{constructor(e,t){this.mutationObserverInit={attributes:true,childList:true,subtree:true};this.element=e;this.started=false;this.delegate=t;this.elements=new Set;this.mutationObserver=new MutationObserver((e=>this.processMutations(e)))}start(){if(!this.started){this.started=true;this.mutationObserver.observe(this.element,this.mutationObserverInit);this.refresh()}}pause(e){if(this.started){this.mutationObserver.disconnect();this.started=false}e();if(!this.started){this.mutationObserver.observe(this.element,this.mutationObserverInit);this.started=true}}stop(){if(this.started){this.mutationObserver.takeRecords();this.mutationObserver.disconnect();this.started=false}}refresh(){if(this.started){const e=new Set(this.matchElementsInTree());for(const t of Array.from(this.elements))e.has(t)||this.removeElement(t);for(const t of Array.from(e))this.addElement(t)}}processMutations(e){if(this.started)for(const t of e)this.processMutation(t)}processMutation(e){if("attributes"==e.type)this.processAttributeChange(e.target,e.attributeName);else if("childList"==e.type){this.processRemovedNodes(e.removedNodes);this.processAddedNodes(e.addedNodes)}}processAttributeChange(e,t){this.elements.has(e)?this.delegate.elementAttributeChanged&&this.matchElement(e)?this.delegate.elementAttributeChanged(e,t):this.removeElement(e):this.matchElement(e)&&this.addElement(e)}processRemovedNodes(e){for(const t of Array.from(e)){const e=this.elementFromNode(t);e&&this.processTree(e,this.removeElement)}}processAddedNodes(e){for(const t of Array.from(e)){const e=this.elementFromNode(t);e&&this.elementIsActive(e)&&this.processTree(e,this.addElement)}}matchElement(e){return this.delegate.matchElement(e)}matchElementsInTree(e=this.element){return this.delegate.matchElementsInTree(e)}processTree(e,t){for(const r of this.matchElementsInTree(e))t.call(this,r)}elementFromNode(e){if(e.nodeType==Node.ELEMENT_NODE)return e}elementIsActive(e){return e.isConnected==this.element.isConnected&&this.element.contains(e)}addElement(e){if(!this.elements.has(e)&&this.elementIsActive(e)){this.elements.add(e);this.delegate.elementMatched&&this.delegate.elementMatched(e)}}removeElement(e){if(this.elements.has(e)){this.elements.delete(e);this.delegate.elementUnmatched&&this.delegate.elementUnmatched(e)}}}class AttributeObserver{constructor(e,t,r){this.attributeName=t;this.delegate=r;this.elementObserver=new ElementObserver(e,this)}get element(){return this.elementObserver.element}get selector(){return`[${this.attributeName}]`}start(){this.elementObserver.start()}pause(e){this.elementObserver.pause(e)}stop(){this.elementObserver.stop()}refresh(){this.elementObserver.refresh()}get started(){return this.elementObserver.started}matchElement(e){return e.hasAttribute(this.attributeName)}matchElementsInTree(e){const t=this.matchElement(e)?[e]:[];const r=Array.from(e.querySelectorAll(this.selector));return t.concat(r)}elementMatched(e){this.delegate.elementMatchedAttribute&&this.delegate.elementMatchedAttribute(e,this.attributeName)}elementUnmatched(e){this.delegate.elementUnmatchedAttribute&&this.delegate.elementUnmatchedAttribute(e,this.attributeName)}elementAttributeChanged(e,t){this.delegate.elementAttributeValueChanged&&this.attributeName==t&&this.delegate.elementAttributeValueChanged(e,t)}}function add(e,t,r){fetch(e,t).add(r)}function del(e,t,r){fetch(e,t).delete(r);prune(e,t)}function fetch(e,t){let r=e.get(t);if(!r){r=new Set;e.set(t,r)}return r}function prune(e,t){const r=e.get(t);null!=r&&0==r.size&&e.delete(t)}class Multimap{constructor(){this.valuesByKey=new Map}get keys(){return Array.from(this.valuesByKey.keys())}get values(){const e=Array.from(this.valuesByKey.values());return e.reduce(((e,t)=>e.concat(Array.from(t))),[])}get size(){const e=Array.from(this.valuesByKey.values());return e.reduce(((e,t)=>e+t.size),0)}add(e,t){add(this.valuesByKey,e,t)}delete(e,t){del(this.valuesByKey,e,t)}has(e,t){const r=this.valuesByKey.get(e);return null!=r&&r.has(t)}hasKey(e){return this.valuesByKey.has(e)}hasValue(e){const t=Array.from(this.valuesByKey.values());return t.some((t=>t.has(e)))}getValuesForKey(e){const t=this.valuesByKey.get(e);return t?Array.from(t):[]}getKeysForValue(e){return Array.from(this.valuesByKey).filter((([t,r])=>r.has(e))).map((([e,t])=>e))}}class IndexedMultimap extends Multimap{constructor(){super();this.keysByValue=new Map}get values(){return Array.from(this.keysByValue.keys())}add(e,t){super.add(e,t);add(this.keysByValue,t,e)}delete(e,t){super.delete(e,t);del(this.keysByValue,t,e)}hasValue(e){return this.keysByValue.has(e)}getKeysForValue(e){const t=this.keysByValue.get(e);return t?Array.from(t):[]}}class SelectorObserver{constructor(e,t,r,s){this._selector=t;this.details=s;this.elementObserver=new ElementObserver(e,this);this.delegate=r;this.matchesByElement=new Multimap}get started(){return this.elementObserver.started}get selector(){return this._selector}set selector(e){this._selector=e;this.refresh()}start(){this.elementObserver.start()}pause(e){this.elementObserver.pause(e)}stop(){this.elementObserver.stop()}refresh(){this.elementObserver.refresh()}get element(){return this.elementObserver.element}matchElement(e){const{selector:t}=this;if(t){const r=e.matches(t);return this.delegate.selectorMatchElement?r&&this.delegate.selectorMatchElement(e,this.details):r}return false}matchElementsInTree(e){const{selector:t}=this;if(t){const r=this.matchElement(e)?[e]:[];const s=Array.from(e.querySelectorAll(t)).filter((e=>this.matchElement(e)));return r.concat(s)}return[]}elementMatched(e){const{selector:t}=this;t&&this.selectorMatched(e,t)}elementUnmatched(e){const t=this.matchesByElement.getKeysForValue(e);for(const r of t)this.selectorUnmatched(e,r)}elementAttributeChanged(e,t){const{selector:r}=this;if(r){const t=this.matchElement(e);const s=this.matchesByElement.has(r,e);t&&!s?this.selectorMatched(e,r):!t&&s&&this.selectorUnmatched(e,r)}}selectorMatched(e,t){this.delegate.selectorMatched(e,t,this.details);this.matchesByElement.add(t,e)}selectorUnmatched(e,t){this.delegate.selectorUnmatched(e,t,this.details);this.matchesByElement.delete(t,e)}}class StringMapObserver{constructor(e,t){this.element=e;this.delegate=t;this.started=false;this.stringMap=new Map;this.mutationObserver=new MutationObserver((e=>this.processMutations(e)))}start(){if(!this.started){this.started=true;this.mutationObserver.observe(this.element,{attributes:true,attributeOldValue:true});this.refresh()}}stop(){if(this.started){this.mutationObserver.takeRecords();this.mutationObserver.disconnect();this.started=false}}refresh(){if(this.started)for(const e of this.knownAttributeNames)this.refreshAttribute(e,null)}processMutations(e){if(this.started)for(const t of e)this.processMutation(t)}processMutation(e){const t=e.attributeName;t&&this.refreshAttribute(t,e.oldValue)}refreshAttribute(e,t){const r=this.delegate.getStringMapKeyForAttribute(e);if(null!=r){this.stringMap.has(e)||this.stringMapKeyAdded(r,e);const s=this.element.getAttribute(e);this.stringMap.get(e)!=s&&this.stringMapValueChanged(s,r,t);if(null==s){const t=this.stringMap.get(e);this.stringMap.delete(e);t&&this.stringMapKeyRemoved(r,e,t)}else this.stringMap.set(e,s)}}stringMapKeyAdded(e,t){this.delegate.stringMapKeyAdded&&this.delegate.stringMapKeyAdded(e,t)}stringMapValueChanged(e,t,r){this.delegate.stringMapValueChanged&&this.delegate.stringMapValueChanged(e,t,r)}stringMapKeyRemoved(e,t,r){this.delegate.stringMapKeyRemoved&&this.delegate.stringMapKeyRemoved(e,t,r)}get knownAttributeNames(){return Array.from(new Set(this.currentAttributeNames.concat(this.recordedAttributeNames)))}get currentAttributeNames(){return Array.from(this.element.attributes).map((e=>e.name))}get recordedAttributeNames(){return Array.from(this.stringMap.keys())}}class TokenListObserver{constructor(e,t,r){this.attributeObserver=new AttributeObserver(e,t,this);this.delegate=r;this.tokensByElement=new Multimap}get started(){return this.attributeObserver.started}start(){this.attributeObserver.start()}pause(e){this.attributeObserver.pause(e)}stop(){this.attributeObserver.stop()}refresh(){this.attributeObserver.refresh()}get element(){return this.attributeObserver.element}get attributeName(){return this.attributeObserver.attributeName}elementMatchedAttribute(e){this.tokensMatched(this.readTokensForElement(e))}elementAttributeValueChanged(e){const[t,r]=this.refreshTokensForElement(e);this.tokensUnmatched(t);this.tokensMatched(r)}elementUnmatchedAttribute(e){this.tokensUnmatched(this.tokensByElement.getValuesForKey(e))}tokensMatched(e){e.forEach((e=>this.tokenMatched(e)))}tokensUnmatched(e){e.forEach((e=>this.tokenUnmatched(e)))}tokenMatched(e){this.delegate.tokenMatched(e);this.tokensByElement.add(e.element,e)}tokenUnmatched(e){this.delegate.tokenUnmatched(e);this.tokensByElement.delete(e.element,e)}refreshTokensForElement(e){const t=this.tokensByElement.getValuesForKey(e);const r=this.readTokensForElement(e);const s=zip(t,r).findIndex((([e,t])=>!tokensAreEqual(e,t)));return-1==s?[[],[]]:[t.slice(s),r.slice(s)]}readTokensForElement(e){const t=this.attributeName;const r=e.getAttribute(t)||"";return parseTokenString(r,e,t)}}function parseTokenString(e,t,r){return e.trim().split(/\s+/).filter((e=>e.length)).map(((e,s)=>({element:t,attributeName:r,content:e,index:s})))}function zip(e,t){const r=Math.max(e.length,t.length);return Array.from({length:r},((r,s)=>[e[s],t[s]]))}function tokensAreEqual(e,t){return e&&t&&e.index==t.index&&e.content==t.content}class ValueListObserver{constructor(e,t,r){this.tokenListObserver=new TokenListObserver(e,t,this);this.delegate=r;this.parseResultsByToken=new WeakMap;this.valuesByTokenByElement=new WeakMap}get started(){return this.tokenListObserver.started}start(){this.tokenListObserver.start()}stop(){this.tokenListObserver.stop()}refresh(){this.tokenListObserver.refresh()}get element(){return this.tokenListObserver.element}get attributeName(){return this.tokenListObserver.attributeName}tokenMatched(e){const{element:t}=e;const{value:r}=this.fetchParseResultForToken(e);if(r){this.fetchValuesByTokenForElement(t).set(e,r);this.delegate.elementMatchedValue(t,r)}}tokenUnmatched(e){const{element:t}=e;const{value:r}=this.fetchParseResultForToken(e);if(r){this.fetchValuesByTokenForElement(t).delete(e);this.delegate.elementUnmatchedValue(t,r)}}fetchParseResultForToken(e){let t=this.parseResultsByToken.get(e);if(!t){t=this.parseToken(e);this.parseResultsByToken.set(e,t)}return t}fetchValuesByTokenForElement(e){let t=this.valuesByTokenByElement.get(e);if(!t){t=new Map;this.valuesByTokenByElement.set(e,t)}return t}parseToken(e){try{const t=this.delegate.parseValueForToken(e);return{value:t}}catch(e){return{error:e}}}}class BindingObserver{constructor(e,t){this.context=e;this.delegate=t;this.bindingsByAction=new Map}start(){if(!this.valueListObserver){this.valueListObserver=new ValueListObserver(this.element,this.actionAttribute,this);this.valueListObserver.start()}}stop(){if(this.valueListObserver){this.valueListObserver.stop();delete this.valueListObserver;this.disconnectAllActions()}}get element(){return this.context.element}get identifier(){return this.context.identifier}get actionAttribute(){return this.schema.actionAttribute}get schema(){return this.context.schema}get bindings(){return Array.from(this.bindingsByAction.values())}connectAction(e){const t=new Binding(this.context,e);this.bindingsByAction.set(e,t);this.delegate.bindingConnected(t)}disconnectAction(e){const t=this.bindingsByAction.get(e);if(t){this.bindingsByAction.delete(e);this.delegate.bindingDisconnected(t)}}disconnectAllActions(){this.bindings.forEach((e=>this.delegate.bindingDisconnected(e,true)));this.bindingsByAction.clear()}parseValueForToken(e){const t=Action.forToken(e,this.schema);if(t.identifier==this.identifier)return t}elementMatchedValue(e,t){this.connectAction(t)}elementUnmatchedValue(e,t){this.disconnectAction(t)}}class ValueObserver{constructor(e,t){this.context=e;this.receiver=t;this.stringMapObserver=new StringMapObserver(this.element,this);this.valueDescriptorMap=this.controller.valueDescriptorMap}start(){this.stringMapObserver.start();this.invokeChangedCallbacksForDefaultValues()}stop(){this.stringMapObserver.stop()}get element(){return this.context.element}get controller(){return this.context.controller}getStringMapKeyForAttribute(e){if(e in this.valueDescriptorMap)return this.valueDescriptorMap[e].name}stringMapKeyAdded(e,t){const r=this.valueDescriptorMap[t];this.hasValue(e)||this.invokeChangedCallback(e,r.writer(this.receiver[e]),r.writer(r.defaultValue))}stringMapValueChanged(e,t,r){const s=this.valueDescriptorNameMap[t];if(null!==e){null===r&&(r=s.writer(s.defaultValue));this.invokeChangedCallback(t,e,r)}}stringMapKeyRemoved(e,t,r){const s=this.valueDescriptorNameMap[e];this.hasValue(e)?this.invokeChangedCallback(e,s.writer(this.receiver[e]),r):this.invokeChangedCallback(e,s.writer(s.defaultValue),r)}invokeChangedCallbacksForDefaultValues(){for(const{key:e,name:t,defaultValue:r,writer:s}of this.valueDescriptors)void 0==r||this.controller.data.has(e)||this.invokeChangedCallback(t,s(r),void 0)}invokeChangedCallback(e,t,r){const s=`${e}Changed`;const n=this.receiver[s];if("function"==typeof n){const s=this.valueDescriptorNameMap[e];try{const e=s.reader(t);let i=r;r&&(i=s.reader(r));n.call(this.receiver,e,i)}catch(e){e instanceof TypeError&&(e.message=`Stimulus Value "${this.context.identifier}.${s.name}" - ${e.message}`);throw e}}}get valueDescriptors(){const{valueDescriptorMap:e}=this;return Object.keys(e).map((t=>e[t]))}get valueDescriptorNameMap(){const e={};Object.keys(this.valueDescriptorMap).forEach((t=>{const r=this.valueDescriptorMap[t];e[r.name]=r}));return e}hasValue(e){const t=this.valueDescriptorNameMap[e];const r=`has${capitalize(t.name)}`;return this.receiver[r]}}class TargetObserver{constructor(e,t){this.context=e;this.delegate=t;this.targetsByName=new Multimap}start(){if(!this.tokenListObserver){this.tokenListObserver=new TokenListObserver(this.element,this.attributeName,this);this.tokenListObserver.start()}}stop(){if(this.tokenListObserver){this.disconnectAllTargets();this.tokenListObserver.stop();delete this.tokenListObserver}}tokenMatched({element:e,content:t}){this.scope.containsElement(e)&&this.connectTarget(e,t)}tokenUnmatched({element:e,content:t}){this.disconnectTarget(e,t)}connectTarget(e,t){var r;if(!this.targetsByName.has(t,e)){this.targetsByName.add(t,e);null===(r=this.tokenListObserver)||void 0===r?void 0:r.pause((()=>this.delegate.targetConnected(e,t)))}}disconnectTarget(e,t){var r;if(this.targetsByName.has(t,e)){this.targetsByName.delete(t,e);null===(r=this.tokenListObserver)||void 0===r?void 0:r.pause((()=>this.delegate.targetDisconnected(e,t)))}}disconnectAllTargets(){for(const e of this.targetsByName.keys)for(const t of this.targetsByName.getValuesForKey(e))this.disconnectTarget(t,e)}get attributeName(){return`data-${this.context.identifier}-target`}get element(){return this.context.element}get scope(){return this.context.scope}}function readInheritableStaticArrayValues(e,t){const r=getAncestorsForConstructor(e);return Array.from(r.reduce(((e,r)=>{getOwnStaticArrayValues(r,t).forEach((t=>e.add(t)));return e}),new Set))}function readInheritableStaticObjectPairs(e,t){const r=getAncestorsForConstructor(e);return r.reduce(((e,r)=>{e.push(...getOwnStaticObjectPairs(r,t));return e}),[])}function getAncestorsForConstructor(e){const t=[];while(e){t.push(e);e=Object.getPrototypeOf(e)}return t.reverse()}function getOwnStaticArrayValues(e,t){const r=e[t];return Array.isArray(r)?r:[]}function getOwnStaticObjectPairs(e,t){const r=e[t];return r?Object.keys(r).map((e=>[e,r[e]])):[]}class OutletObserver{constructor(e,t){this.started=false;this.context=e;this.delegate=t;this.outletsByName=new Multimap;this.outletElementsByName=new Multimap;this.selectorObserverMap=new Map;this.attributeObserverMap=new Map}start(){if(!this.started){this.outletDefinitions.forEach((e=>{this.setupSelectorObserverForOutlet(e);this.setupAttributeObserverForOutlet(e)}));this.started=true;this.dependentContexts.forEach((e=>e.refresh()))}}refresh(){this.selectorObserverMap.forEach((e=>e.refresh()));this.attributeObserverMap.forEach((e=>e.refresh()))}stop(){if(this.started){this.started=false;this.disconnectAllOutlets();this.stopSelectorObservers();this.stopAttributeObservers()}}stopSelectorObservers(){if(this.selectorObserverMap.size>0){this.selectorObserverMap.forEach((e=>e.stop()));this.selectorObserverMap.clear()}}stopAttributeObservers(){if(this.attributeObserverMap.size>0){this.attributeObserverMap.forEach((e=>e.stop()));this.attributeObserverMap.clear()}}selectorMatched(e,t,{outletName:r}){const s=this.getOutlet(e,r);s&&this.connectOutlet(s,e,r)}selectorUnmatched(e,t,{outletName:r}){const s=this.getOutletFromMap(e,r);s&&this.disconnectOutlet(s,e,r)}selectorMatchElement(e,{outletName:t}){const r=this.selector(t);const s=this.hasOutlet(e,t);const n=e.matches(`[${this.schema.controllerAttribute}~=${t}]`);return!!r&&(s&&n&&e.matches(r))}elementMatchedAttribute(e,t){const r=this.getOutletNameFromOutletAttributeName(t);r&&this.updateSelectorObserverForOutlet(r)}elementAttributeValueChanged(e,t){const r=this.getOutletNameFromOutletAttributeName(t);r&&this.updateSelectorObserverForOutlet(r)}elementUnmatchedAttribute(e,t){const r=this.getOutletNameFromOutletAttributeName(t);r&&this.updateSelectorObserverForOutlet(r)}connectOutlet(e,t,r){var s;if(!this.outletElementsByName.has(r,t)){this.outletsByName.add(r,e);this.outletElementsByName.add(r,t);null===(s=this.selectorObserverMap.get(r))||void 0===s?void 0:s.pause((()=>this.delegate.outletConnected(e,t,r)))}}disconnectOutlet(e,t,r){var s;if(this.outletElementsByName.has(r,t)){this.outletsByName.delete(r,e);this.outletElementsByName.delete(r,t);null===(s=this.selectorObserverMap.get(r))||void 0===s?void 0:s.pause((()=>this.delegate.outletDisconnected(e,t,r)))}}disconnectAllOutlets(){for(const e of this.outletElementsByName.keys)for(const t of this.outletElementsByName.getValuesForKey(e))for(const r of this.outletsByName.getValuesForKey(e))this.disconnectOutlet(r,t,e)}updateSelectorObserverForOutlet(e){const t=this.selectorObserverMap.get(e);t&&(t.selector=this.selector(e))}setupSelectorObserverForOutlet(e){const t=this.selector(e);const r=new SelectorObserver(document.body,t,this,{outletName:e});this.selectorObserverMap.set(e,r);r.start()}setupAttributeObserverForOutlet(e){const t=this.attributeNameForOutletName(e);const r=new AttributeObserver(this.scope.element,t,this);this.attributeObserverMap.set(e,r);r.start()}selector(e){return this.scope.outlets.getSelectorForOutletName(e)}attributeNameForOutletName(e){return this.scope.schema.outletAttributeForScope(this.identifier,e)}getOutletNameFromOutletAttributeName(e){return this.outletDefinitions.find((t=>this.attributeNameForOutletName(t)===e))}get outletDependencies(){const e=new Multimap;this.router.modules.forEach((t=>{const r=t.definition.controllerConstructor;const s=readInheritableStaticArrayValues(r,"outlets");s.forEach((r=>e.add(r,t.identifier)))}));return e}get outletDefinitions(){return this.outletDependencies.getKeysForValue(this.identifier)}get dependentControllerIdentifiers(){return this.outletDependencies.getValuesForKey(this.identifier)}get dependentContexts(){const e=this.dependentControllerIdentifiers;return this.router.contexts.filter((t=>e.includes(t.identifier)))}hasOutlet(e,t){return!!this.getOutlet(e,t)||!!this.getOutletFromMap(e,t)}getOutlet(e,t){return this.application.getControllerForElementAndIdentifier(e,t)}getOutletFromMap(e,t){return this.outletsByName.getValuesForKey(t).find((t=>t.element===e))}get scope(){return this.context.scope}get schema(){return this.context.schema}get identifier(){return this.context.identifier}get application(){return this.context.application}get router(){return this.application.router}}class Context{constructor(e,t){this.logDebugActivity=(e,t={})=>{const{identifier:r,controller:s,element:n}=this;t=Object.assign({identifier:r,controller:s,element:n},t);this.application.logDebugActivity(this.identifier,e,t)};this.module=e;this.scope=t;this.controller=new e.controllerConstructor(this);this.bindingObserver=new BindingObserver(this,this.dispatcher);this.valueObserver=new ValueObserver(this,this.controller);this.targetObserver=new TargetObserver(this,this);this.outletObserver=new OutletObserver(this,this);try{this.controller.initialize();this.logDebugActivity("initialize")}catch(e){this.handleError(e,"initializing controller")}}connect(){this.bindingObserver.start();this.valueObserver.start();this.targetObserver.start();this.outletObserver.start();try{this.controller.connect();this.logDebugActivity("connect")}catch(e){this.handleError(e,"connecting controller")}}refresh(){this.outletObserver.refresh()}disconnect(){try{this.controller.disconnect();this.logDebugActivity("disconnect")}catch(e){this.handleError(e,"disconnecting controller")}this.outletObserver.stop();this.targetObserver.stop();this.valueObserver.stop();this.bindingObserver.stop()}get application(){return this.module.application}get identifier(){return this.module.identifier}get schema(){return this.application.schema}get dispatcher(){return this.application.dispatcher}get element(){return this.scope.element}get parentElement(){return this.element.parentElement}handleError(e,t,r={}){const{identifier:s,controller:n,element:i}=this;r=Object.assign({identifier:s,controller:n,element:i},r);this.application.handleError(e,`Error ${t}`,r)}targetConnected(e,t){this.invokeControllerMethod(`${t}TargetConnected`,e)}targetDisconnected(e,t){this.invokeControllerMethod(`${t}TargetDisconnected`,e)}outletConnected(e,t,r){this.invokeControllerMethod(`${namespaceCamelize(r)}OutletConnected`,e,t)}outletDisconnected(e,t,r){this.invokeControllerMethod(`${namespaceCamelize(r)}OutletDisconnected`,e,t)}invokeControllerMethod(e,...t){const r=this.controller;"function"==typeof r[e]&&r[e](...t)}}function bless(e){return shadow(e,getBlessedProperties(e))}function shadow(e,t){const r=i(e);const s=getShadowProperties(e.prototype,t);Object.defineProperties(r.prototype,s);return r}function getBlessedProperties(e){const t=readInheritableStaticArrayValues(e,"blessings");return t.reduce(((t,r)=>{const s=r(e);for(const e in s){const r=t[e]||{};t[e]=Object.assign(r,s[e])}return t}),{})}function getShadowProperties(e,t){return n(t).reduce(((r,s)=>{const n=getShadowedDescriptor(e,t,s);n&&Object.assign(r,{[s]:n});return r}),{})}function getShadowedDescriptor(e,t,r){const s=Object.getOwnPropertyDescriptor(e,r);const n=s&&"value"in s;if(!n){const e=Object.getOwnPropertyDescriptor(t,r).value;if(s){e.get=s.get||e.get;e.set=s.set||e.set}return e}}const n=(()=>"function"==typeof Object.getOwnPropertySymbols?e=>[...Object.getOwnPropertyNames(e),...Object.getOwnPropertySymbols(e)]:Object.getOwnPropertyNames)();const i=(()=>{function extendWithReflect(e){function extended(){return Reflect.construct(e,arguments,new.target)}extended.prototype=Object.create(e.prototype,{constructor:{value:extended}});Reflect.setPrototypeOf(extended,e);return extended}function testReflectExtension(){const a=function(){this.a.call(this)};const e=extendWithReflect(a);e.prototype.a=function(){};return new e}try{testReflectExtension();return extendWithReflect}catch(e){return e=>class extended extends e{}}})();function blessDefinition(e){return{identifier:e.identifier,controllerConstructor:bless(e.controllerConstructor)}}class Module{constructor(e,t){this.application=e;this.definition=blessDefinition(t);this.contextsByScope=new WeakMap;this.connectedContexts=new Set}get identifier(){return this.definition.identifier}get controllerConstructor(){return this.definition.controllerConstructor}get contexts(){return Array.from(this.connectedContexts)}connectContextForScope(e){const t=this.fetchContextForScope(e);this.connectedContexts.add(t);t.connect()}disconnectContextForScope(e){const t=this.contextsByScope.get(e);if(t){this.connectedContexts.delete(t);t.disconnect()}}fetchContextForScope(e){let t=this.contextsByScope.get(e);if(!t){t=new Context(this,e);this.contextsByScope.set(e,t)}return t}}class ClassMap{constructor(e){this.scope=e}has(e){return this.data.has(this.getDataKey(e))}get(e){return this.getAll(e)[0]}getAll(e){const t=this.data.get(this.getDataKey(e))||"";return tokenize(t)}getAttributeName(e){return this.data.getAttributeNameForKey(this.getDataKey(e))}getDataKey(e){return`${e}-class`}get data(){return this.scope.data}}class DataMap{constructor(e){this.scope=e}get element(){return this.scope.element}get identifier(){return this.scope.identifier}get(e){const t=this.getAttributeNameForKey(e);return this.element.getAttribute(t)}set(e,t){const r=this.getAttributeNameForKey(e);this.element.setAttribute(r,t);return this.get(e)}has(e){const t=this.getAttributeNameForKey(e);return this.element.hasAttribute(t)}delete(e){if(this.has(e)){const t=this.getAttributeNameForKey(e);this.element.removeAttribute(t);return true}return false}getAttributeNameForKey(e){return`data-${this.identifier}-${dasherize(e)}`}}class Guide{constructor(e){this.warnedKeysByObject=new WeakMap;this.logger=e}warn(e,t,r){let s=this.warnedKeysByObject.get(e);if(!s){s=new Set;this.warnedKeysByObject.set(e,s)}if(!s.has(t)){s.add(t);this.logger.warn(r,e)}}}function attributeValueContainsToken(e,t){return`[${e}~="${t}"]`}class TargetSet{constructor(e){this.scope=e}get element(){return this.scope.element}get identifier(){return this.scope.identifier}get schema(){return this.scope.schema}has(e){return null!=this.find(e)}find(...e){return e.reduce(((e,t)=>e||this.findTarget(t)||this.findLegacyTarget(t)),void 0)}findAll(...e){return e.reduce(((e,t)=>[...e,...this.findAllTargets(t),...this.findAllLegacyTargets(t)]),[])}findTarget(e){const t=this.getSelectorForTargetName(e);return this.scope.findElement(t)}findAllTargets(e){const t=this.getSelectorForTargetName(e);return this.scope.findAllElements(t)}getSelectorForTargetName(e){const t=this.schema.targetAttributeForScope(this.identifier);return attributeValueContainsToken(t,e)}findLegacyTarget(e){const t=this.getLegacySelectorForTargetName(e);return this.deprecate(this.scope.findElement(t),e)}findAllLegacyTargets(e){const t=this.getLegacySelectorForTargetName(e);return this.scope.findAllElements(t).map((t=>this.deprecate(t,e)))}getLegacySelectorForTargetName(e){const t=`${this.identifier}.${e}`;return attributeValueContainsToken(this.schema.targetAttribute,t)}deprecate(e,t){if(e){const{identifier:r}=this;const s=this.schema.targetAttribute;const n=this.schema.targetAttributeForScope(r);this.guide.warn(e,`target:${t}`,`Please replace ${s}="${r}.${t}" with ${n}="${t}". The ${s} attribute is deprecated and will be removed in a future version of Stimulus.`)}return e}get guide(){return this.scope.guide}}class OutletSet{constructor(e,t){this.scope=e;this.controllerElement=t}get element(){return this.scope.element}get identifier(){return this.scope.identifier}get schema(){return this.scope.schema}has(e){return null!=this.find(e)}find(...e){return e.reduce(((e,t)=>e||this.findOutlet(t)),void 0)}findAll(...e){return e.reduce(((e,t)=>[...e,...this.findAllOutlets(t)]),[])}getSelectorForOutletName(e){const t=this.schema.outletAttributeForScope(this.identifier,e);return this.controllerElement.getAttribute(t)}findOutlet(e){const t=this.getSelectorForOutletName(e);if(t)return this.findElement(t,e)}findAllOutlets(e){const t=this.getSelectorForOutletName(e);return t?this.findAllElements(t,e):[]}findElement(e,t){const r=this.scope.queryElements(e);return r.filter((r=>this.matchesElement(r,e,t)))[0]}findAllElements(e,t){const r=this.scope.queryElements(e);return r.filter((r=>this.matchesElement(r,e,t)))}matchesElement(e,t,r){const s=e.getAttribute(this.scope.schema.controllerAttribute)||"";return e.matches(t)&&s.split(" ").includes(r)}}class Scope{constructor(e,t,r,s){this.targets=new TargetSet(this);this.classes=new ClassMap(this);this.data=new DataMap(this);this.containsElement=e=>e.closest(this.controllerSelector)===this.element;this.schema=e;this.element=t;this.identifier=r;this.guide=new Guide(s);this.outlets=new OutletSet(this.documentScope,t)}findElement(e){return this.element.matches(e)?this.element:this.queryElements(e).find(this.containsElement)}findAllElements(e){return[...this.element.matches(e)?[this.element]:[],...this.queryElements(e).filter(this.containsElement)]}queryElements(e){return Array.from(this.element.querySelectorAll(e))}get controllerSelector(){return attributeValueContainsToken(this.schema.controllerAttribute,this.identifier)}get isDocumentScope(){return this.element===document.documentElement}get documentScope(){return this.isDocumentScope?this:new Scope(this.schema,document.documentElement,this.identifier,this.guide.logger)}}class ScopeObserver{constructor(e,t,r){this.element=e;this.schema=t;this.delegate=r;this.valueListObserver=new ValueListObserver(this.element,this.controllerAttribute,this);this.scopesByIdentifierByElement=new WeakMap;this.scopeReferenceCounts=new WeakMap}start(){this.valueListObserver.start()}stop(){this.valueListObserver.stop()}get controllerAttribute(){return this.schema.controllerAttribute}parseValueForToken(e){const{element:t,content:r}=e;return this.parseValueForElementAndIdentifier(t,r)}parseValueForElementAndIdentifier(e,t){const r=this.fetchScopesByIdentifierForElement(e);let s=r.get(t);if(!s){s=this.delegate.createScopeForElementAndIdentifier(e,t);r.set(t,s)}return s}elementMatchedValue(e,t){const r=(this.scopeReferenceCounts.get(t)||0)+1;this.scopeReferenceCounts.set(t,r);1==r&&this.delegate.scopeConnected(t)}elementUnmatchedValue(e,t){const r=this.scopeReferenceCounts.get(t);if(r){this.scopeReferenceCounts.set(t,r-1);1==r&&this.delegate.scopeDisconnected(t)}}fetchScopesByIdentifierForElement(e){let t=this.scopesByIdentifierByElement.get(e);if(!t){t=new Map;this.scopesByIdentifierByElement.set(e,t)}return t}}class Router{constructor(e){this.application=e;this.scopeObserver=new ScopeObserver(this.element,this.schema,this);this.scopesByIdentifier=new Multimap;this.modulesByIdentifier=new Map}get element(){return this.application.element}get schema(){return this.application.schema}get logger(){return this.application.logger}get controllerAttribute(){return this.schema.controllerAttribute}get modules(){return Array.from(this.modulesByIdentifier.values())}get contexts(){return this.modules.reduce(((e,t)=>e.concat(t.contexts)),[])}start(){this.scopeObserver.start()}stop(){this.scopeObserver.stop()}loadDefinition(e){this.unloadIdentifier(e.identifier);const t=new Module(this.application,e);this.connectModule(t);const r=e.controllerConstructor.afterLoad;r&&r.call(e.controllerConstructor,e.identifier,this.application)}unloadIdentifier(e){const t=this.modulesByIdentifier.get(e);t&&this.disconnectModule(t)}getContextForElementAndIdentifier(e,t){const r=this.modulesByIdentifier.get(t);if(r)return r.contexts.find((t=>t.element==e))}proposeToConnectScopeForElementAndIdentifier(e,t){const r=this.scopeObserver.parseValueForElementAndIdentifier(e,t);r?this.scopeObserver.elementMatchedValue(r.element,r):console.error(`Couldn't find or create scope for identifier: "${t}" and element:`,e)}handleError(e,t,r){this.application.handleError(e,t,r)}createScopeForElementAndIdentifier(e,t){return new Scope(this.schema,e,t,this.logger)}scopeConnected(e){this.scopesByIdentifier.add(e.identifier,e);const t=this.modulesByIdentifier.get(e.identifier);t&&t.connectContextForScope(e)}scopeDisconnected(e){this.scopesByIdentifier.delete(e.identifier,e);const t=this.modulesByIdentifier.get(e.identifier);t&&t.disconnectContextForScope(e)}connectModule(e){this.modulesByIdentifier.set(e.identifier,e);const t=this.scopesByIdentifier.getValuesForKey(e.identifier);t.forEach((t=>e.connectContextForScope(t)))}disconnectModule(e){this.modulesByIdentifier.delete(e.identifier);const t=this.scopesByIdentifier.getValuesForKey(e.identifier);t.forEach((t=>e.disconnectContextForScope(t)))}}const o={controllerAttribute:"data-controller",actionAttribute:"data-action",targetAttribute:"data-target",targetAttributeForScope:e=>`data-${e}-target`,outletAttributeForScope:(e,t)=>`data-${e}-${t}-outlet`,keyMappings:Object.assign(Object.assign({enter:"Enter",tab:"Tab",esc:"Escape",space:" ",up:"ArrowUp",down:"ArrowDown",left:"ArrowLeft",right:"ArrowRight",home:"Home",end:"End",page_up:"PageUp",page_down:"PageDown"},objectFromEntries("abcdefghijklmnopqrstuvwxyz".split("").map((e=>[e,e])))),objectFromEntries("0123456789".split("").map((e=>[e,e]))))};function objectFromEntries(e){return e.reduce(((e,[t,r])=>Object.assign(Object.assign({},e),{[t]:r})),{})}class Application{constructor(t=document.documentElement,r=o){this.logger=console;this.debug=false;this.logDebugActivity=(e,t,r={})=>{this.debug&&this.logFormattedMessage(e,t,r)};this.element=t;this.schema=r;this.dispatcher=new Dispatcher(this);this.router=new Router(this);this.actionDescriptorFilters=Object.assign({},e)}static start(e,t){const r=new this(e,t);r.start();return r}async start(){await domReady();this.logDebugActivity("application","starting");this.dispatcher.start();this.router.start();this.logDebugActivity("application","start")}stop(){this.logDebugActivity("application","stopping");this.dispatcher.stop();this.router.stop();this.logDebugActivity("application","stop")}register(e,t){this.load({identifier:e,controllerConstructor:t})}registerActionOption(e,t){this.actionDescriptorFilters[e]=t}load(e,...t){const r=Array.isArray(e)?e:[e,...t];r.forEach((e=>{e.controllerConstructor.shouldLoad&&this.router.loadDefinition(e)}))}unload(e,...t){const r=Array.isArray(e)?e:[e,...t];r.forEach((e=>this.router.unloadIdentifier(e)))}get controllers(){return this.router.contexts.map((e=>e.controller))}getControllerForElementAndIdentifier(e,t){const r=this.router.getContextForElementAndIdentifier(e,t);return r?r.controller:null}handleError(e,t,r){var s;this.logger.error("%s\n\n%o\n\n%o",t,e,r);null===(s=window.onerror)||void 0===s?void 0:s.call(window,t,"",0,0,e)}logFormattedMessage(e,t,r={}){r=Object.assign({application:this},r);this.logger.groupCollapsed(`${e} #${t}`);this.logger.log("details:",Object.assign({},r));this.logger.groupEnd()}}function domReady(){return new Promise((e=>{"loading"==document.readyState?document.addEventListener("DOMContentLoaded",(()=>e())):e()}))}function ClassPropertiesBlessing(e){const t=readInheritableStaticArrayValues(e,"classes");return t.reduce(((e,t)=>Object.assign(e,propertiesForClassDefinition(t))),{})}function propertiesForClassDefinition(e){return{[`${e}Class`]:{get(){const{classes:t}=this;if(t.has(e))return t.get(e);{const r=t.getAttributeName(e);throw new Error(`Missing attribute "${r}"`)}}},[`${e}Classes`]:{get(){return this.classes.getAll(e)}},[`has${capitalize(e)}Class`]:{get(){return this.classes.has(e)}}}}function OutletPropertiesBlessing(e){const t=readInheritableStaticArrayValues(e,"outlets");return t.reduce(((e,t)=>Object.assign(e,propertiesForOutletDefinition(t))),{})}function getOutletController(e,t,r){return e.application.getControllerForElementAndIdentifier(t,r)}function getControllerAndEnsureConnectedScope(e,t,r){let s=getOutletController(e,t,r);if(s)return s;e.application.router.proposeToConnectScopeForElementAndIdentifier(t,r);s=getOutletController(e,t,r);return s||void 0}function propertiesForOutletDefinition(e){const t=namespaceCamelize(e);return{[`${t}Outlet`]:{get(){const t=this.outlets.find(e);const r=this.outlets.getSelectorForOutletName(e);if(t){const r=getControllerAndEnsureConnectedScope(this,t,e);if(r)return r;throw new Error(`The provided outlet element is missing an outlet controller "${e}" instance for host controller "${this.identifier}"`)}throw new Error(`Missing outlet element "${e}" for host controller "${this.identifier}". Stimulus couldn't find a matching outlet element using selector "${r}".`)}},[`${t}Outlets`]:{get(){const t=this.outlets.findAll(e);return t.length>0?t.map((t=>{const r=getControllerAndEnsureConnectedScope(this,t,e);if(r)return r;console.warn(`The provided outlet element is missing an outlet controller "${e}" instance for host controller "${this.identifier}"`,t)})).filter((e=>e)):[]}},[`${t}OutletElement`]:{get(){const t=this.outlets.find(e);const r=this.outlets.getSelectorForOutletName(e);if(t)return t;throw new Error(`Missing outlet element "${e}" for host controller "${this.identifier}". Stimulus couldn't find a matching outlet element using selector "${r}".`)}},[`${t}OutletElements`]:{get(){return this.outlets.findAll(e)}},[`has${capitalize(t)}Outlet`]:{get(){return this.outlets.has(e)}}}}function TargetPropertiesBlessing(e){const t=readInheritableStaticArrayValues(e,"targets");return t.reduce(((e,t)=>Object.assign(e,propertiesForTargetDefinition(t))),{})}function propertiesForTargetDefinition(e){return{[`${e}Target`]:{get(){const t=this.targets.find(e);if(t)return t;throw new Error(`Missing target element "${e}" for "${this.identifier}" controller`)}},[`${e}Targets`]:{get(){return this.targets.findAll(e)}},[`has${capitalize(e)}Target`]:{get(){return this.targets.has(e)}}}}function ValuePropertiesBlessing(e){const t=readInheritableStaticObjectPairs(e,"values");const r={valueDescriptorMap:{get(){return t.reduce(((e,t)=>{const r=parseValueDefinitionPair(t,this.identifier);const s=this.data.getAttributeNameForKey(r.key);return Object.assign(e,{[s]:r})}),{})}}};return t.reduce(((e,t)=>Object.assign(e,propertiesForValueDefinitionPair(t))),r)}function propertiesForValueDefinitionPair(e,t){const r=parseValueDefinitionPair(e,t);const{key:s,name:n,reader:i,writer:o}=r;return{[n]:{get(){const e=this.data.get(s);return null!==e?i(e):r.defaultValue},set(e){void 0===e?this.data.delete(s):this.data.set(s,o(e))}},[`has${capitalize(n)}`]:{get(){return this.data.has(s)||r.hasCustomDefaultValue}}}}function parseValueDefinitionPair([e,t],r){return valueDescriptorForTokenAndTypeDefinition({controller:r,token:e,typeDefinition:t})}function parseValueTypeConstant(e){switch(e){case Array:return"array";case Boolean:return"boolean";case Number:return"number";case Object:return"object";case String:return"string"}}function parseValueTypeDefault(e){switch(typeof e){case"boolean":return"boolean";case"number":return"number";case"string":return"string"}return Array.isArray(e)?"array":"[object Object]"===Object.prototype.toString.call(e)?"object":void 0}function parseValueTypeObject(e){const{controller:t,token:r,typeObject:s}=e;const n=isSomething(s.type);const i=isSomething(s.default);const o=n&&i;const c=n&&!i;const l=!n&&i;const h=parseValueTypeConstant(s.type);const u=parseValueTypeDefault(e.typeObject.default);if(c)return h;if(l)return u;if(h!==u){const e=t?`${t}.${r}`:r;throw new Error(`The specified default value for the Stimulus Value "${e}" must match the defined type "${h}". The provided default value of "${s.default}" is of type "${u}".`)}return o?h:void 0}function parseValueTypeDefinition(e){const{controller:t,token:r,typeDefinition:s}=e;const n={controller:t,token:r,typeObject:s};const i=parseValueTypeObject(n);const o=parseValueTypeDefault(s);const c=parseValueTypeConstant(s);const l=i||o||c;if(l)return l;const h=t?`${t}.${s}`:r;throw new Error(`Unknown value type "${h}" for "${r}" value`)}function defaultValueForDefinition(e){const t=parseValueTypeConstant(e);if(t)return c[t];const r=hasProperty(e,"default");const s=hasProperty(e,"type");const n=e;if(r)return n.default;if(s){const{type:e}=n;const t=parseValueTypeConstant(e);if(t)return c[t]}return e}function valueDescriptorForTokenAndTypeDefinition(e){const{token:t,typeDefinition:r}=e;const s=`${dasherize(t)}-value`;const n=parseValueTypeDefinition(e);return{type:n,key:s,name:camelize(s),get defaultValue(){return defaultValueForDefinition(r)},get hasCustomDefaultValue(){return void 0!==parseValueTypeDefault(r)},reader:l[n],writer:h[n]||h.default}}const c={get array(){return[]},boolean:false,number:0,get object(){return{}},string:""};const l={array(e){const t=JSON.parse(e);if(!Array.isArray(t))throw new TypeError(`expected value of type "array" but instead got value "${e}" of type "${parseValueTypeDefault(t)}"`);return t},boolean(e){return!("0"==e||"false"==String(e).toLowerCase())},number(e){return Number(e.replace(/_/g,""))},object(e){const t=JSON.parse(e);if(null===t||"object"!=typeof t||Array.isArray(t))throw new TypeError(`expected value of type "object" but instead got value "${e}" of type "${parseValueTypeDefault(t)}"`);return t},string(e){return e}};const h={default:writeString,array:writeJSON,object:writeJSON};function writeJSON(e){return JSON.stringify(e)}function writeString(e){return`${e}`}class Controller{constructor(e){this.context=e}static get shouldLoad(){return true}static afterLoad(e,t){}get application(){return this.context.application}get scope(){return this.context.scope}get element(){return this.scope.element}get identifier(){return this.scope.identifier}get targets(){return this.scope.targets}get outlets(){return this.scope.outlets}get classes(){return this.scope.classes}get data(){return this.scope.data}initialize(){}connect(){}disconnect(){}dispatch(e,{target:t=this.element,detail:r={},prefix:s=this.identifier,bubbles:n=true,cancelable:i=true}={}){const o=s?`${s}:${e}`:e;const c=new CustomEvent(o,{detail:r,bubbles:n,cancelable:i});t.dispatchEvent(c);return c}}Controller.blessings=[ClassPropertiesBlessing,TargetPropertiesBlessing,ValuePropertiesBlessing,OutletPropertiesBlessing];Controller.targets=[];Controller.outlets=[];Controller.values={};export{Application,AttributeObserver,Context,Controller,ElementObserver,IndexedMultimap,Multimap,SelectorObserver,StringMapObserver,TokenListObserver,ValueListObserver,add,o as defaultSchema,del,fetch,prune};
+
diff --git a/vendor/javascript/@rails--ujs.js b/vendor/javascript/@rails--ujs.js
index bb3135b1de5..57803d29178 100644
--- a/vendor/javascript/@rails--ujs.js
+++ b/vendor/javascript/@rails--ujs.js
@@ -1,2 +1,4 @@
+// @rails/ujs@7.1.3-4 downloaded from https://ga.jspm.io/npm:@rails/ujs@7.1.3-4/app/assets/javascripts/rails-ujs.esm.js
+
 const t="a[data-confirm], a[data-method], a[data-remote]:not([disabled]), a[data-disable-with], a[data-disable]";const e={selector:"button[data-remote]:not([form]), button[data-confirm]:not([form])",exclude:"form button"};const n="select[data-remote], input[data-remote], textarea[data-remote]";const o="form:not([data-turbo=true])";const a="form:not([data-turbo=true]) input[type=submit], form:not([data-turbo=true]) input[type=image], form:not([data-turbo=true]) button[type=submit], form:not([data-turbo=true]) button:not([type]), input[type=submit][form], input[type=image][form], button[type=submit][form], button[form]:not([type])";const r="input[data-disable-with]:enabled, button[data-disable-with]:enabled, textarea[data-disable-with]:enabled, input[data-disable]:enabled, button[data-disable]:enabled, textarea[data-disable]:enabled";const c="input[data-disable-with]:disabled, button[data-disable-with]:disabled, textarea[data-disable-with]:disabled, input[data-disable]:disabled, button[data-disable]:disabled, textarea[data-disable]:disabled";const s="input[name][type=file]:not([disabled])";const i="a[data-disable-with], a[data-disable]";const u="button[data-remote][data-disable-with], button[data-remote][data-disable]";let l=null;const loadCSPNonce=()=>{const t=document.querySelector("meta[name=csp-nonce]");return l=t&&t.content};const cspNonce=()=>l||loadCSPNonce();const d=Element.prototype.matches||Element.prototype.matchesSelector||Element.prototype.mozMatchesSelector||Element.prototype.msMatchesSelector||Element.prototype.oMatchesSelector||Element.prototype.webkitMatchesSelector;const matches=function(t,e){return e.exclude?d.call(t,e.selector)&&!d.call(t,e.exclude):d.call(t,e)};const m="_ujsData";const getData=(t,e)=>t[m]?t[m][e]:void 0;const setData=function(t,e,n){t[m]||(t[m]={});return t[m][e]=n};const $=t=>Array.prototype.slice.call(document.querySelectorAll(t));const isContentEditable=function(t){var e=false;do{if(t.isContentEditable){e=true;break}t=t.parentElement}while(t);return e};const csrfToken=()=>{const t=document.querySelector("meta[name=csrf-token]");return t&&t.content};const csrfParam=()=>{const t=document.querySelector("meta[name=csrf-param]");return t&&t.content};const CSRFProtection=t=>{const e=csrfToken();if(e)return t.setRequestHeader("X-CSRF-Token",e)};const refreshCSRFTokens=()=>{const t=csrfToken();const e=csrfParam();if(t&&e)return $('form input[name="'+e+'"]').forEach((e=>e.value=t))};const p={"*":"*/*",text:"text/plain",html:"text/html",xml:"application/xml, text/xml",json:"application/json, text/javascript",script:"text/javascript, application/javascript, application/ecmascript, application/x-ecmascript"};const ajax=t=>{t=prepareOptions(t);var e=createXHR(t,(function(){const n=processResponse(e.response!=null?e.response:e.responseText,e.getResponseHeader("Content-Type"));Math.floor(e.status/100)===2?typeof t.success==="function"&&t.success(n,e.statusText,e):typeof t.error==="function"&&t.error(n,e.statusText,e);return typeof t.complete==="function"?t.complete(e,e.statusText):void 0}));return!(t.beforeSend&&!t.beforeSend(e,t))&&(e.readyState===XMLHttpRequest.OPENED?e.send(t.data):void 0)};var prepareOptions=function(t){t.url=t.url||location.href;t.type=t.type.toUpperCase();t.type==="GET"&&t.data&&(t.url.indexOf("?")<0?t.url+="?"+t.data:t.url+="&"+t.data);t.dataType in p||(t.dataType="*");t.accept=p[t.dataType];t.dataType!=="*"&&(t.accept+=", */*; q=0.01");return t};var createXHR=function(t,e){const n=new XMLHttpRequest;n.open(t.type,t.url,true);n.setRequestHeader("Accept",t.accept);typeof t.data==="string"&&n.setRequestHeader("Content-Type","application/x-www-form-urlencoded; charset=UTF-8");if(!t.crossDomain){n.setRequestHeader("X-Requested-With","XMLHttpRequest");CSRFProtection(n)}n.withCredentials=!!t.withCredentials;n.onreadystatechange=function(){if(n.readyState===XMLHttpRequest.DONE)return e(n)};return n};var processResponse=function(t,e){if(typeof t==="string"&&typeof e==="string")if(e.match(/\bjson\b/))try{t=JSON.parse(t)}catch(t){}else if(e.match(/\b(?:java|ecma)script\b/)){const e=document.createElement("script");e.setAttribute("nonce",cspNonce());e.text=t;document.head.appendChild(e).parentNode.removeChild(e)}else if(e.match(/\b(xml|html|svg)\b/)){const n=new DOMParser;e=e.replace(/;.+/,"");try{t=n.parseFromString(t,e)}catch(t){}}return t};const href=t=>t.href;const isCrossDomain=function(t){const e=document.createElement("a");e.href=location.href;const n=document.createElement("a");try{n.href=t;return!((!n.protocol||n.protocol===":")&&!n.host||e.protocol+"//"+e.host===n.protocol+"//"+n.host)}catch(t){return true}};let f;let{CustomEvent:b}=window;if(typeof b!=="function"){b=function(t,e){const n=document.createEvent("CustomEvent");n.initCustomEvent(t,e.bubbles,e.cancelable,e.detail);return n};b.prototype=window.Event.prototype;({preventDefault:f}=b.prototype);b.prototype.preventDefault=function(){const t=f.call(this);this.cancelable&&!this.defaultPrevented&&Object.defineProperty(this,"defaultPrevented",{get(){return true}});return t}}const fire=(t,e,n)=>{const o=new b(e,{bubbles:true,cancelable:true,detail:n});t.dispatchEvent(o);return!o.defaultPrevented};const stopEverything=t=>{fire(t.target,"ujs:everythingStopped");t.preventDefault();t.stopPropagation();t.stopImmediatePropagation()};const delegate=(t,e,n,o)=>t.addEventListener(n,(function(t){let{target:n}=t;while(!!(n instanceof Element)&&!matches(n,e))n=n.parentNode;if(n instanceof Element&&o.call(n,t)===false){t.preventDefault();t.stopPropagation()}}));const toArray=t=>Array.prototype.slice.call(t);const serializeElement=(t,e)=>{let n=[t];matches(t,"form")&&(n=toArray(t.elements));const o=[];n.forEach((function(t){t.name&&!t.disabled&&(matches(t,"fieldset[disabled] *")||(matches(t,"select")?toArray(t.options).forEach((function(e){e.selected&&o.push({name:t.name,value:e.value})})):(t.checked||["radio","checkbox","submit"].indexOf(t.type)===-1)&&o.push({name:t.name,value:t.value})))}));e&&o.push(e);return o.map((function(t){return t.name?`${encodeURIComponent(t.name)}=${encodeURIComponent(t.value)}`:t})).join("&")};const formElements=(t,e)=>matches(t,"form")?toArray(t.elements).filter((t=>matches(t,e))):toArray(t.querySelectorAll(e));const handleConfirmWithRails=t=>function(e){allowAction(this,t)||stopEverything(e)};const confirm=(t,e)=>window.confirm(t);var allowAction=function(t,e){let n;const o=t.getAttribute("data-confirm");if(!o)return true;let a=false;if(fire(t,"confirm")){try{a=e.confirm(o,t)}catch(t){}n=fire(t,"confirm:complete",[a])}return a&&n};const handleDisabledElement=function(t){const e=this;e.disabled&&stopEverything(t)};const enableElement=t=>{let e;if(t instanceof Event){if(isXhrRedirect(t))return;e=t.target}else e=t;if(!isContentEditable(e))return matches(e,i)?enableLinkElement(e):matches(e,u)||matches(e,c)?enableFormElement(e):matches(e,o)?enableFormElements(e):void 0};const disableElement=t=>{const e=t instanceof Event?t.target:t;if(!isContentEditable(e))return matches(e,i)?disableLinkElement(e):matches(e,u)||matches(e,r)?disableFormElement(e):matches(e,o)?disableFormElements(e):void 0};var disableLinkElement=function(t){if(getData(t,"ujs:disabled"))return;const e=t.getAttribute("data-disable-with");if(e!=null){setData(t,"ujs:enable-with",t.innerHTML);t.innerHTML=e}t.addEventListener("click",stopEverything);return setData(t,"ujs:disabled",true)};var enableLinkElement=function(t){const e=getData(t,"ujs:enable-with");if(e!=null){t.innerHTML=e;setData(t,"ujs:enable-with",null)}t.removeEventListener("click",stopEverything);return setData(t,"ujs:disabled",null)};var disableFormElements=t=>formElements(t,r).forEach(disableFormElement);var disableFormElement=function(t){if(getData(t,"ujs:disabled"))return;const e=t.getAttribute("data-disable-with");if(e!=null)if(matches(t,"button")){setData(t,"ujs:enable-with",t.innerHTML);t.innerHTML=e}else{setData(t,"ujs:enable-with",t.value);t.value=e}t.disabled=true;return setData(t,"ujs:disabled",true)};var enableFormElements=t=>formElements(t,c).forEach((t=>enableFormElement(t)));var enableFormElement=function(t){const e=getData(t,"ujs:enable-with");if(e!=null){matches(t,"button")?t.innerHTML=e:t.value=e;setData(t,"ujs:enable-with",null)}t.disabled=false;return setData(t,"ujs:disabled",null)};var isXhrRedirect=function(t){const e=t.detail?t.detail[0]:void 0;return e&&e.getResponseHeader("X-Xhr-Redirect")};const handleMethodWithRails=t=>function(e){const n=this;const o=n.getAttribute("data-method");if(!o)return;if(isContentEditable(this))return;const a=t.href(n);const r=csrfToken();const c=csrfParam();const s=document.createElement("form");let i=`<input name='_method' value='${o}' type='hidden' />`;c&&r&&!isCrossDomain(a)&&(i+=`<input name='${c}' value='${r}' type='hidden' />`);i+='<input type="submit" />';s.method="post";s.action=a;s.target=n.target;s.innerHTML=i;s.style.display="none";document.body.appendChild(s);s.querySelector('[type="submit"]').click();stopEverything(e)};const isRemote=function(t){const e=t.getAttribute("data-remote");return e!=null&&e!=="false"};const handleRemoteWithRails=t=>function(a){let r,c,s;const i=this;if(!isRemote(i))return true;if(!fire(i,"ajax:before")){fire(i,"ajax:stopped");return false}if(isContentEditable(i)){fire(i,"ajax:stopped");return false}const u=i.getAttribute("data-with-credentials");const l=i.getAttribute("data-type")||"script";if(matches(i,o)){const t=getData(i,"ujs:submit-button");c=getData(i,"ujs:submit-button-formmethod")||i.getAttribute("method")||"get";s=getData(i,"ujs:submit-button-formaction")||i.getAttribute("action")||location.href;c.toUpperCase()==="GET"&&(s=s.replace(/\?.*$/,""));if(i.enctype==="multipart/form-data"){r=new FormData(i);t!=null&&r.append(t.name,t.value)}else r=serializeElement(i,t);setData(i,"ujs:submit-button",null);setData(i,"ujs:submit-button-formmethod",null);setData(i,"ujs:submit-button-formaction",null)}else if(matches(i,e)||matches(i,n)){c=i.getAttribute("data-method");s=i.getAttribute("data-url");r=serializeElement(i,i.getAttribute("data-params"))}else{c=i.getAttribute("data-method");s=t.href(i);r=i.getAttribute("data-params")}ajax({type:c||"GET",url:s,data:r,dataType:l,beforeSend(t,e){if(fire(i,"ajax:beforeSend",[t,e]))return fire(i,"ajax:send",[t]);fire(i,"ajax:stopped");return false},success(...t){return fire(i,"ajax:success",t)},error(...t){return fire(i,"ajax:error",t)},complete(...t){return fire(i,"ajax:complete",t)},crossDomain:isCrossDomain(s),withCredentials:u!=null&&u!=="false"});stopEverything(a)};const formSubmitButtonClick=function(t){const e=this;const{form:n}=e;if(n){e.name&&setData(n,"ujs:submit-button",{name:e.name,value:e.value});setData(n,"ujs:formnovalidate-button",e.formNoValidate);setData(n,"ujs:submit-button-formaction",e.getAttribute("formaction"));return setData(n,"ujs:submit-button-formmethod",e.getAttribute("formmethod"))}};const preventInsignificantClick=function(t){const e=this;const n=(e.getAttribute("data-method")||"GET").toUpperCase();const o=e.getAttribute("data-params");const a=t.metaKey||t.ctrlKey;const r=a&&n==="GET"&&!o;const c=t.button!=null&&t.button!==0;(c||r)&&t.stopImmediatePropagation()};const h={$:$,ajax:ajax,buttonClickSelector:e,buttonDisableSelector:u,confirm:confirm,cspNonce:cspNonce,csrfToken:csrfToken,csrfParam:csrfParam,CSRFProtection:CSRFProtection,delegate:delegate,disableElement:disableElement,enableElement:enableElement,fileInputSelector:s,fire:fire,formElements:formElements,formEnableSelector:c,formDisableSelector:r,formInputClickSelector:a,formSubmitButtonClick:formSubmitButtonClick,formSubmitSelector:o,getData:getData,handleDisabledElement:handleDisabledElement,href:href,inputChangeSelector:n,isCrossDomain:isCrossDomain,linkClickSelector:t,linkDisableSelector:i,loadCSPNonce:loadCSPNonce,matches:matches,preventInsignificantClick:preventInsignificantClick,refreshCSRFTokens:refreshCSRFTokens,serializeElement:serializeElement,setData:setData,stopEverything:stopEverything};const y=handleConfirmWithRails(h);h.handleConfirm=y;const j=handleMethodWithRails(h);h.handleMethod=j;const v=handleRemoteWithRails(h);h.handleRemote=v;const start=function(){if(window._rails_loaded)throw new Error("rails-ujs has already been loaded!");window.addEventListener("pageshow",(function(){$(c).forEach((function(t){getData(t,"ujs:disabled")&&enableElement(t)}));$(i).forEach((function(t){getData(t,"ujs:disabled")&&enableElement(t)}))}));delegate(document,i,"ajax:complete",enableElement);delegate(document,i,"ajax:stopped",enableElement);delegate(document,u,"ajax:complete",enableElement);delegate(document,u,"ajax:stopped",enableElement);delegate(document,t,"click",preventInsignificantClick);delegate(document,t,"click",handleDisabledElement);delegate(document,t,"click",y);delegate(document,t,"click",disableElement);delegate(document,t,"click",v);delegate(document,t,"click",j);delegate(document,e,"click",preventInsignificantClick);delegate(document,e,"click",handleDisabledElement);delegate(document,e,"click",y);delegate(document,e,"click",disableElement);delegate(document,e,"click",v);delegate(document,n,"change",handleDisabledElement);delegate(document,n,"change",y);delegate(document,n,"change",v);delegate(document,o,"submit",handleDisabledElement);delegate(document,o,"submit",y);delegate(document,o,"submit",v);delegate(document,o,"submit",(t=>setTimeout((()=>disableElement(t)),13)));delegate(document,o,"ajax:send",disableElement);delegate(document,o,"ajax:complete",enableElement);delegate(document,a,"click",preventInsignificantClick);delegate(document,a,"click",handleDisabledElement);delegate(document,a,"click",y);delegate(document,a,"click",formSubmitButtonClick);document.addEventListener("DOMContentLoaded",refreshCSRFTokens);document.addEventListener("DOMContentLoaded",loadCSPNonce);return window._rails_loaded=true};h.start=start;if(typeof jQuery!=="undefined"&&jQuery&&jQuery.ajax){if(jQuery.rails)throw new Error("If you load both jquery_ujs and rails-ujs, use rails-ujs only.");jQuery.rails=h;jQuery.ajaxPrefilter((function(t,e,n){if(!t.crossDomain)return CSRFProtection(n)}))}export{h as default};
 
diff --git a/vendor/javascript/@stimulus-components--checkbox-select-all.js b/vendor/javascript/@stimulus-components--checkbox-select-all.js
new file mode 100644
index 00000000000..a64fd75896d
--- /dev/null
+++ b/vendor/javascript/@stimulus-components--checkbox-select-all.js
@@ -0,0 +1,4 @@
+// @stimulus-components/checkbox-select-all@6.0.0 downloaded from https://ga.jspm.io/npm:@stimulus-components/checkbox-select-all@6.0.0/dist/stimulus-checkbox-select-all.mjs
+
+import{Controller as e}from"@hotwired/stimulus";const t=class _CheckboxSelectAll extends e{initialize(){this.toggle=this.toggle.bind(this),this.refresh=this.refresh.bind(this)}checkboxAllTargetConnected(e){e.addEventListener("change",this.toggle),this.refresh()}checkboxTargetConnected(e){e.addEventListener("change",this.refresh),this.refresh()}checkboxAllTargetDisconnected(e){e.removeEventListener("change",this.toggle),this.refresh()}checkboxTargetDisconnected(e){e.removeEventListener("change",this.refresh),this.refresh()}toggle(e){e.preventDefault(),this.checkboxTargets.forEach((t=>{t.checked=e.target.checked,this.triggerInputEvent(t)}))}refresh(){const e=this.checkboxTargets.length,t=this.checked.length;this.checkboxAllTarget.checked=t>0,this.checkboxAllTarget.indeterminate=t>0&&t<e}triggerInputEvent(e){const t=new Event("input",{bubbles:!1,cancelable:!0});e.dispatchEvent(t)}get checked(){return this.checkboxTargets.filter((e=>e.checked))}get unchecked(){return this.checkboxTargets.filter((e=>!e.checked))}};t.targets=["checkboxAll","checkbox"];let h=t;export{h as default};
+
diff --git a/vendor/javascript/@stimulus-components--clipboard.js b/vendor/javascript/@stimulus-components--clipboard.js
new file mode 100644
index 00000000000..c623162f92b
--- /dev/null
+++ b/vendor/javascript/@stimulus-components--clipboard.js
@@ -0,0 +1,4 @@
+// @stimulus-components/clipboard@5.0.0 downloaded from https://ga.jspm.io/npm:@stimulus-components/clipboard@5.0.0/dist/stimulus-clipboard.mjs
+
+import{Controller as t}from"@hotwired/stimulus";const e=class _Clipboard extends t{connect(){this.hasButtonTarget&&(this.originalContent=this.buttonTarget.innerHTML)}copy(t){t.preventDefault();const e=this.sourceTarget.innerHTML||this.sourceTarget.value;navigator.clipboard.writeText(e).then((()=>this.copied()))}copied(){this.hasButtonTarget&&(this.timeout&&clearTimeout(this.timeout),this.buttonTarget.innerHTML=this.successContentValue,this.timeout=setTimeout((()=>{this.buttonTarget.innerHTML=this.originalContent}),this.successDurationValue))}};e.targets=["button","source"],e.values={successContent:String,successDuration:{type:Number,default:2e3}};let s=e;export{s as default};
+
diff --git a/vendor/javascript/@stimulus-components--dialog.js b/vendor/javascript/@stimulus-components--dialog.js
new file mode 100644
index 00000000000..6c877875fa9
--- /dev/null
+++ b/vendor/javascript/@stimulus-components--dialog.js
@@ -0,0 +1,2 @@
+import{Controller as e}from"@hotwired/stimulus";const t=class _Dialog extends e{initialize(){this.forceClose=this.forceClose.bind(this)}connect(){this.openValue&&this.open(),document.addEventListener("turbo:before-render",this.forceClose)}disconnect(){document.removeEventListener("turbo:before-render",this.forceClose)}open(){this.dialogTarget.showModal()}close(){this.dialogTarget.setAttribute("closing",""),Promise.all(this.dialogTarget.getAnimations().map((e=>e.finished))).then((()=>{this.dialogTarget.removeAttribute("closing"),this.dialogTarget.close()}))}backdropClose(e){e.target===this.dialogTarget&&this.close()}forceClose(){this.dialogTarget.close()}};t.targets=["dialog"],t.values={open:{type:Boolean,default:!1}};let o=t;export{o as default};
+
diff --git a/vendor/javascript/@stimulus-components--reveal.js b/vendor/javascript/@stimulus-components--reveal.js
new file mode 100644
index 00000000000..91615312192
--- /dev/null
+++ b/vendor/javascript/@stimulus-components--reveal.js
@@ -0,0 +1,2 @@
+import{Controller as s}from"@hotwired/stimulus";const t=class _Reveal extends s{connect(){this.class=this.hasHiddenClass?this.hiddenClass:"hidden"}toggle(){this.itemTargets.forEach((s=>{s.classList.toggle(this.class)}))}show(){this.itemTargets.forEach((s=>{s.classList.remove(this.class)}))}hide(){this.itemTargets.forEach((s=>{s.classList.add(this.class)}))}};t.targets=["item"],t.classes=["hidden"];let e=t;export{e as default};
+
diff --git a/vendor/javascript/clipboard.js b/vendor/javascript/clipboard.js
deleted file mode 100644
index 6f86b6ef044..00000000000
--- a/vendor/javascript/clipboard.js
+++ /dev/null
@@ -1,186 +0,0 @@
-var t="undefined"!==typeof globalThis?globalThis:"undefined"!==typeof self?self:global;var e={};(function webpackUniversalModuleDefinition(t,n){e=n()})(0,(function(){return function(){var e={686:function(e,n,r){r.d(n,{default:function(){return h}});var o=r(279);var i=r.n(o);var a=r(370);var u=r.n(a);var c=r(817);var l=r.n(c);
-/**
-           * Executes a given operation type.
-           * @param {String} type
-           * @return {Boolean}
-           */
-function command(t){try{return document.execCommand(t)}catch(t){return false}}
-/**
-           * Cut action wrapper.
-           * @param {String|HTMLElement} target
-           * @return {String}
-           */
-var f=function ClipboardActionCut(t){var e=l()(t);command("cut");return e};var s=f;
-/**
-           * Creates a fake textarea element with a value.
-           * @param {String} value
-           * @return {HTMLElement}
-           */
-function createFakeElement(t){var e="rtl"===document.documentElement.getAttribute("dir");var n=document.createElement("textarea");n.style.fontSize="12pt";n.style.border="0";n.style.padding="0";n.style.margin="0";n.style.position="absolute";n.style[e?"right":"left"]="-9999px";var r=window.pageYOffset||document.documentElement.scrollTop;n.style.top="".concat(r,"px");n.setAttribute("readonly","");n.value=t;return n}
-/**
-           * Create fake copy action wrapper using a fake element.
-           * @param {String} target
-           * @param {Object} options
-           * @return {String}
-           */
-var p=function fakeCopyAction(t,e){var n=createFakeElement(t);e.container.appendChild(n);var r=l()(n);command("copy");n.remove();return r};
-/**
-           * Copy action wrapper.
-           * @param {String|HTMLElement} target
-           * @param {Object} options
-           * @return {String}
-           */var d=function ClipboardActionCopy(t){var e=arguments.length>1&&void 0!==arguments[1]?arguments[1]:{container:document.body};var n="";if("string"===typeof t)n=p(t,e);else if(t instanceof HTMLInputElement&&!["text","search","url","tel","password"].includes(null===t||void 0===t?void 0:t.type))n=p(t.value,e);else{n=l()(t);command("copy")}return n};var y=d;function _typeof(t){_typeof="function"===typeof Symbol&&"symbol"===typeof Symbol.iterator?function _typeof(t){return typeof t}:function _typeof(t){return t&&"function"===typeof Symbol&&t.constructor===Symbol&&t!==Symbol.prototype?"symbol":typeof t};return _typeof(t)}
-/**
-           * Inner function which performs selection from either `text` or `target`
-           * properties and then executes copy or cut operations.
-           * @param {Object} options
-           */var v=function ClipboardActionDefault(){var t=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};var e=t.action,n=void 0===e?"copy":e,r=t.container,o=t.target,i=t.text;if("copy"!==n&&"cut"!==n)throw new Error('Invalid "action" value, use either "copy" or "cut"');if(void 0!==o){if(!o||"object"!==_typeof(o)||1!==o.nodeType)throw new Error('Invalid "target" value, use a valid Element');if("copy"===n&&o.hasAttribute("disabled"))throw new Error('Invalid "target" attribute. Please use "readonly" instead of "disabled" attribute');if("cut"===n&&(o.hasAttribute("readonly")||o.hasAttribute("disabled")))throw new Error('Invalid "target" attribute. You can\'t cut text from elements with "readonly" or "disabled" attributes')}return i?y(i,{container:r}):o?"cut"===n?s(o):y(o,{container:r}):void 0};var b=v;function clipboard_typeof(t){clipboard_typeof="function"===typeof Symbol&&"symbol"===typeof Symbol.iterator?function _typeof(t){return typeof t}:function _typeof(t){return t&&"function"===typeof Symbol&&t.constructor===Symbol&&t!==Symbol.prototype?"symbol":typeof t};return clipboard_typeof(t)}function _classCallCheck(t,e){if(!(t instanceof e))throw new TypeError("Cannot call a class as a function")}function _defineProperties(t,e){for(var n=0;n<e.length;n++){var r=e[n];r.enumerable=r.enumerable||false;r.configurable=true;"value"in r&&(r.writable=true);Object.defineProperty(t,r.key,r)}}function _createClass(t,e,n){e&&_defineProperties(t.prototype,e);n&&_defineProperties(t,n);return t}function _inherits(t,e){if("function"!==typeof e&&null!==e)throw new TypeError("Super expression must either be null or a function");t.prototype=Object.create(e&&e.prototype,{constructor:{value:t,writable:true,configurable:true}});e&&_setPrototypeOf(t,e)}function _setPrototypeOf(t,e){_setPrototypeOf=Object.setPrototypeOf||function _setPrototypeOf(t,e){t.__proto__=e;return t};return _setPrototypeOf(t,e)}function _createSuper(e){var n=_isNativeReflectConstruct();return function _createSuperInternal(){var r,o=_getPrototypeOf(e);if(n){var i=_getPrototypeOf(this||t).constructor;r=Reflect.construct(o,arguments,i)}else r=o.apply(this||t,arguments);return _possibleConstructorReturn(this||t,r)}}function _possibleConstructorReturn(t,e){return!e||"object"!==clipboard_typeof(e)&&"function"!==typeof e?_assertThisInitialized(t):e}function _assertThisInitialized(t){if(void 0===t)throw new ReferenceError("this hasn't been initialised - super() hasn't been called");return t}function _isNativeReflectConstruct(){if("undefined"===typeof Reflect||!Reflect.construct)return false;if(Reflect.construct.sham)return false;if("function"===typeof Proxy)return true;try{Date.prototype.toString.call(Reflect.construct(Date,[],(function(){})));return true}catch(t){return false}}function _getPrototypeOf(t){_getPrototypeOf=Object.setPrototypeOf?Object.getPrototypeOf:function _getPrototypeOf(t){return t.__proto__||Object.getPrototypeOf(t)};return _getPrototypeOf(t)}
-/**
-           * Helper function to retrieve attribute value.
-           * @param {String} suffix
-           * @param {Element} element
-           */function getAttributeValue(t,e){var n="data-clipboard-".concat(t);if(e.hasAttribute(n))return e.getAttribute(n)}var _=function(e){_inherits(Clipboard,e);var n=_createSuper(Clipboard);
-/**
-             * @param {String|HTMLElement|HTMLCollection|NodeList} trigger
-             * @param {Object} options
-             */function Clipboard(e,r){var o;_classCallCheck(this||t,Clipboard);o=n.call(this||t);o.resolveOptions(r);o.listenClick(e);return o}
-/**
-             * Defines if attributes would be resolved using internal setter functions
-             * or custom functions that were passed in the constructor.
-             * @param {Object} options
-             */_createClass(Clipboard,[{key:"resolveOptions",value:function resolveOptions(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};(this||t).action="function"===typeof e.action?e.action:(this||t).defaultAction;(this||t).target="function"===typeof e.target?e.target:(this||t).defaultTarget;(this||t).text="function"===typeof e.text?e.text:(this||t).defaultText;(this||t).container="object"===clipboard_typeof(e.container)?e.container:document.body}
-/**
-               * Adds a click event listener to the passed trigger.
-               * @param {String|HTMLElement|HTMLCollection|NodeList} trigger
-               */},{key:"listenClick",value:function listenClick(e){var n=this||t;(this||t).listener=u()(e,"click",(function(t){return n.onClick(t)}))}
-/**
-               * Defines a new `ClipboardAction` on each click event.
-               * @param {Event} e
-               */},{key:"onClick",value:function onClick(e){var n=e.delegateTarget||e.currentTarget;var r=this.action(n)||"copy";var o=b({action:r,container:(this||t).container,target:this.target(n),text:this.text(n)});this.emit(o?"success":"error",{action:r,text:o,trigger:n,clearSelection:function clearSelection(){n&&n.focus();window.getSelection().removeAllRanges()}})}
-/**
-               * Default `action` lookup function.
-               * @param {Element} trigger
-               */},{key:"defaultAction",value:function defaultAction(t){return getAttributeValue("action",t)}
-/**
-               * Default `target` lookup function.
-               * @param {Element} trigger
-               */},{key:"defaultTarget",value:function defaultTarget(t){var e=getAttributeValue("target",t);if(e)return document.querySelector(e)}
-/**
-               * Allow fire programmatically a copy action
-               * @param {String|HTMLElement} target
-               * @param {Object} options
-               * @returns Text copied.
-               */},{key:"defaultText",
-/**
-               * Default `text` lookup function.
-               * @param {Element} trigger
-               */
-value:function defaultText(t){return getAttributeValue("text",t)}},{key:"destroy",value:function destroy(){(this||t).listener.destroy()}}],[{key:"copy",value:function copy(t){var e=arguments.length>1&&void 0!==arguments[1]?arguments[1]:{container:document.body};return y(t,e)}
-/**
-               * Allow fire programmatically a cut action
-               * @param {String|HTMLElement} target
-               * @returns Text cutted.
-               */},{key:"cut",value:function cut(t){return s(t)}
-/**
-               * Returns the support of the given action, or all actions if no action is
-               * given.
-               * @param {String} [action]
-               */},{key:"isSupported",value:function isSupported(){var t=arguments.length>0&&void 0!==arguments[0]?arguments[0]:["copy","cut"];var e="string"===typeof t?[t]:t;var n=!!document.queryCommandSupported;e.forEach((function(t){n=n&&!!document.queryCommandSupported(t)}));return n}}]);return Clipboard}(i());var h=_},828:function(t){var e=9;if("undefined"!==typeof Element&&!Element.prototype.matches){var n=Element.prototype;n.matches=n.matchesSelector||n.mozMatchesSelector||n.msMatchesSelector||n.oMatchesSelector||n.webkitMatchesSelector}
-/**
-           * Finds the closest parent that matches a selector.
-           *
-           * @param {Element} element
-           * @param {String} selector
-           * @return {Function}
-           */function closest(t,n){while(t&&t.nodeType!==e){if("function"===typeof t.matches&&t.matches(n))return t;t=t.parentNode}}t.exports=closest},438:function(e,n,r){var o=r(828);
-/**
-           * Delegates event to a selector.
-           *
-           * @param {Element} element
-           * @param {String} selector
-           * @param {String} type
-           * @param {Function} callback
-           * @param {Boolean} useCapture
-           * @return {Object}
-           */function _delegate(e,n,r,o,i){var a=listener.apply(this||t,arguments);e.addEventListener(r,a,i);return{destroy:function(){e.removeEventListener(r,a,i)}}}
-/**
-           * Delegates event to a selector.
-           *
-           * @param {Element|String|Array} [elements]
-           * @param {String} selector
-           * @param {String} type
-           * @param {Function} callback
-           * @param {Boolean} useCapture
-           * @return {Object}
-           */function delegate(t,e,n,r,o){if("function"===typeof t.addEventListener)return _delegate.apply(null,arguments);if("function"===typeof n)return _delegate.bind(null,document).apply(null,arguments);"string"===typeof t&&(t=document.querySelectorAll(t));return Array.prototype.map.call(t,(function(t){return _delegate(t,e,n,r,o)}))}
-/**
-           * Finds closest match and invokes callback.
-           *
-           * @param {Element} element
-           * @param {String} selector
-           * @param {String} type
-           * @param {Function} callback
-           * @return {Function}
-           */function listener(t,e,n,r){return function(n){n.delegateTarget=o(n.target,e);n.delegateTarget&&r.call(t,n)}}e.exports=delegate},879:function(t,e){
-/**
-           * Check if argument is a HTML element.
-           *
-           * @param {Object} value
-           * @return {Boolean}
-           */
-e.node=function(t){return void 0!==t&&t instanceof HTMLElement&&1===t.nodeType};
-/**
-           * Check if argument is a list of HTML elements.
-           *
-           * @param {Object} value
-           * @return {Boolean}
-           */e.nodeList=function(t){var n=Object.prototype.toString.call(t);return void 0!==t&&("[object NodeList]"===n||"[object HTMLCollection]"===n)&&"length"in t&&(0===t.length||e.node(t[0]))};
-/**
-           * Check if argument is a string.
-           *
-           * @param {Object} value
-           * @return {Boolean}
-           */e.string=function(t){return"string"===typeof t||t instanceof String};
-/**
-           * Check if argument is a function.
-           *
-           * @param {Object} value
-           * @return {Boolean}
-           */e.fn=function(t){var e=Object.prototype.toString.call(t);return"[object Function]"===e}},370:function(t,e,n){var r=n(879);var o=n(438);
-/**
-           * Validates all params and calls the right
-           * listener function based on its target type.
-           *
-           * @param {String|HTMLElement|HTMLCollection|NodeList} target
-           * @param {String} type
-           * @param {Function} callback
-           * @return {Object}
-           */function listen(t,e,n){if(!t&&!e&&!n)throw new Error("Missing required arguments");if(!r.string(e))throw new TypeError("Second argument must be a String");if(!r.fn(n))throw new TypeError("Third argument must be a Function");if(r.node(t))return listenNode(t,e,n);if(r.nodeList(t))return listenNodeList(t,e,n);if(r.string(t))return listenSelector(t,e,n);throw new TypeError("First argument must be a String, HTMLElement, HTMLCollection, or NodeList")}
-/**
-           * Adds an event listener to a HTML element
-           * and returns a remove listener function.
-           *
-           * @param {HTMLElement} node
-           * @param {String} type
-           * @param {Function} callback
-           * @return {Object}
-           */function listenNode(t,e,n){t.addEventListener(e,n);return{destroy:function(){t.removeEventListener(e,n)}}}
-/**
-           * Add an event listener to a list of HTML elements
-           * and returns a remove listener function.
-           *
-           * @param {NodeList|HTMLCollection} nodeList
-           * @param {String} type
-           * @param {Function} callback
-           * @return {Object}
-           */function listenNodeList(t,e,n){Array.prototype.forEach.call(t,(function(t){t.addEventListener(e,n)}));return{destroy:function(){Array.prototype.forEach.call(t,(function(t){t.removeEventListener(e,n)}))}}}
-/**
-           * Add an event listener to a selector
-           * and returns a remove listener function.
-           *
-           * @param {String} selector
-           * @param {String} type
-           * @param {Function} callback
-           * @return {Object}
-           */function listenSelector(t,e,n){return o(document.body,t,e,n)}t.exports=listen},817:function(t){function select(t){var e;if("SELECT"===t.nodeName){t.focus();e=t.value}else if("INPUT"===t.nodeName||"TEXTAREA"===t.nodeName){var n=t.hasAttribute("readonly");n||t.setAttribute("readonly","");t.select();t.setSelectionRange(0,t.value.length);n||t.removeAttribute("readonly");e=t.value}else{t.hasAttribute("contenteditable")&&t.focus();var r=window.getSelection();var o=document.createRange();o.selectNodeContents(t);r.removeAllRanges();r.addRange(o);e=r.toString()}return e}t.exports=select},279:function(e){function E(){}E.prototype={on:function(e,n,r){var o=(this||t).e||((this||t).e={});(o[e]||(o[e]=[])).push({fn:n,ctx:r});return this||t},once:function(e,n,r){var o=this||t;function listener(){o.off(e,listener);n.apply(r,arguments)}listener._=n;return this.on(e,listener,r)},emit:function(e){var n=[].slice.call(arguments,1);var r=(((this||t).e||((this||t).e={}))[e]||[]).slice();var o=0;var i=r.length;for(o;o<i;o++)r[o].fn.apply(r[o].ctx,n);return this||t},off:function(e,n){var r=(this||t).e||((this||t).e={});var o=r[e];var i=[];if(o&&n)for(var a=0,u=o.length;a<u;a++)o[a].fn!==n&&o[a].fn._!==n&&i.push(o[a]);i.length?r[e]=i:delete r[e];return this||t}};e.exports=E;e.exports.TinyEmitter=E}};var n={};function __webpack_require__(t){if(n[t])return n[t].exports;var r=n[t]={exports:{}};e[t](r,r.exports,__webpack_require__);return r.exports}!function(){__webpack_require__.n=function(t){var e=t&&t.__esModule?function(){return t.default}:function(){return t};__webpack_require__.d(e,{a:e});return e}}();!function(){__webpack_require__.d=function(t,e){for(var n in e)__webpack_require__.o(e,n)&&!__webpack_require__.o(t,n)&&Object.defineProperty(t,n,{enumerable:true,get:e[n]})}}();!function(){__webpack_require__.o=function(t,e){return Object.prototype.hasOwnProperty.call(t,e)}}();return __webpack_require__(686)}().default}));var n=e;const r=e.ClipboardJS,o=e.node,i=e.nodeList,a=e.string,u=e.fn,c=e.TinyEmitter;export{r as ClipboardJS,c as TinyEmitter,n as default,u as fn,o as node,i as nodeList,a as string};
-
diff --git a/vendor/javascript/jquery.js b/vendor/javascript/jquery.js
index 7adbef72fcd..7c97c5004a2 100644
--- a/vendor/javascript/jquery.js
+++ b/vendor/javascript/jquery.js
@@ -1,3 +1,5 @@
+// jquery@3.7.1 downloaded from https://ga.jspm.io/npm:jquery@3.7.1/dist/jquery.js
+
 var e="undefined"!==typeof globalThis?globalThis:"undefined"!==typeof self?self:global;var t={};(function(e,n){t=e.document?n(e,true):function(e){if(!e.document)throw new Error("jQuery requires a window with a document");return n(e)}})("undefined"!==typeof window?window:t,(function(t,n){var r=[];var i=Object.getPrototypeOf;var o=r.slice;var a=r.flat?function(e){return r.flat.call(e)}:function(e){return r.concat.apply([],e)};var s=r.push;var u=r.indexOf;var l={};var c=l.toString;var f=l.hasOwnProperty;var d=f.toString;var p=d.call(Object);var h={};var g=function isFunction(e){return"function"===typeof e&&"number"!==typeof e.nodeType&&"function"!==typeof e.item};var m=function isWindow(e){return null!=e&&e===e.window};var v=t.document;var y={type:true,src:true,nonce:true,noModule:true};function DOMEval(e,t,n){n=n||v;var r,i,o=n.createElement("script");o.text=e;if(t)for(r in y){i=t[r]||t.getAttribute&&t.getAttribute(r);i&&o.setAttribute(r,i)}n.head.appendChild(o).parentNode.removeChild(o)}function toType(e){return null==e?e+"":"object"===typeof e||"function"===typeof e?l[c.call(e)]||"object":typeof e}var x="3.7.1",b=/HTML$/i,jQuery=function(e,t){return new jQuery.fn.init(e,t)};jQuery.fn=jQuery.prototype={jquery:x,constructor:jQuery,length:0,toArray:function(){return o.call(this||e)},get:function(t){return null==t?o.call(this||e):t<0?(this||e)[t+(this||e).length]:(this||e)[t]},pushStack:function(t){var n=jQuery.merge(this.constructor(),t);n.prevObject=this||e;return n},each:function(t){return jQuery.each(this||e,t)},map:function(t){return this.pushStack(jQuery.map(this||e,(function(e,n){return t.call(e,n,e)})))},slice:function(){return this.pushStack(o.apply(this||e,arguments))},first:function(){return this.eq(0)},last:function(){return this.eq(-1)},even:function(){return this.pushStack(jQuery.grep(this||e,(function(e,t){return(t+1)%2})))},odd:function(){return this.pushStack(jQuery.grep(this||e,(function(e,t){return t%2})))},eq:function(t){var n=(this||e).length,r=+t+(t<0?n:0);return this.pushStack(r>=0&&r<n?[(this||e)[r]]:[])},end:function(){return(this||e).prevObject||this.constructor()},push:s,sort:r.sort,splice:r.splice};jQuery.extend=jQuery.fn.extend=function(){var t,n,r,i,o,a,s=arguments[0]||{},u=1,l=arguments.length,c=false;if("boolean"===typeof s){c=s;s=arguments[u]||{};u++}"object"===typeof s||g(s)||(s={});if(u===l){s=this||e;u--}for(;u<l;u++)if(null!=(t=arguments[u]))for(n in t){i=t[n];if("__proto__"!==n&&s!==i)if(c&&i&&(jQuery.isPlainObject(i)||(o=Array.isArray(i)))){r=s[n];a=o&&!Array.isArray(r)?[]:o||jQuery.isPlainObject(r)?r:{};o=false;s[n]=jQuery.extend(c,a,i)}else void 0!==i&&(s[n]=i)}return s};jQuery.extend({expando:"jQuery"+(x+Math.random()).replace(/\D/g,""),isReady:true,error:function(e){throw new Error(e)},noop:function(){},isPlainObject:function(e){var t,n;if(!e||"[object Object]"!==c.call(e))return false;t=i(e);if(!t)return true;n=f.call(t,"constructor")&&t.constructor;return"function"===typeof n&&d.call(n)===p},isEmptyObject:function(e){var t;for(t in e)return false;return true},globalEval:function(e,t,n){DOMEval(e,{nonce:t&&t.nonce},n)},each:function(e,t){var n,r=0;if(isArrayLike(e)){n=e.length;for(;r<n;r++)if(false===t.call(e[r],r,e[r]))break}else for(r in e)if(false===t.call(e[r],r,e[r]))break;return e},text:function(e){var t,n="",r=0,i=e.nodeType;if(!i)while(t=e[r++])n+=jQuery.text(t);return 1===i||11===i?e.textContent:9===i?e.documentElement.textContent:3===i||4===i?e.nodeValue:n},makeArray:function(e,t){var n=t||[];null!=e&&(isArrayLike(Object(e))?jQuery.merge(n,"string"===typeof e?[e]:e):s.call(n,e));return n},inArray:function(e,t,n){return null==t?-1:u.call(t,e,n)},isXMLDoc:function(e){var t=e&&e.namespaceURI,n=e&&(e.ownerDocument||e).documentElement;return!b.test(t||n&&n.nodeName||"HTML")},merge:function(e,t){var n=+t.length,r=0,i=e.length;for(;r<n;r++)e[i++]=t[r];e.length=i;return e},grep:function(e,t,n){var r,i=[],o=0,a=e.length,s=!n;for(;o<a;o++){r=!t(e[o],o);r!==s&&i.push(e[o])}return i},map:function(e,t,n){var r,i,o=0,s=[];if(isArrayLike(e)){r=e.length;for(;o<r;o++){i=t(e[o],o,n);null!=i&&s.push(i)}}else for(o in e){i=t(e[o],o,n);null!=i&&s.push(i)}return a(s)},guid:1,support:h});"function"===typeof Symbol&&(jQuery.fn[Symbol.iterator]=r[Symbol.iterator]);jQuery.each("Boolean Number String Function Array Date RegExp Object Error Symbol".split(" "),(function(e,t){l["[object "+t+"]"]=t.toLowerCase()}));function isArrayLike(e){var t=!!e&&"length"in e&&e.length,n=toType(e);return!g(e)&&!m(e)&&("array"===n||0===t||"number"===typeof t&&t>0&&t-1 in e)}function nodeName(e,t){return e.nodeName&&e.nodeName.toLowerCase()===t.toLowerCase()}var w=r.pop;var T=r.sort;var C=r.splice;var S="[\\x20\\t\\r\\n\\f]";var k=new RegExp("^"+S+"+|((?:^|[^\\\\])(?:\\\\.)*)"+S+"+$","g");jQuery.contains=function(e,t){var n=t&&t.parentNode;return e===n||!!(n&&1===n.nodeType&&(e.contains?e.contains(n):e.compareDocumentPosition&&16&e.compareDocumentPosition(n)))};var A=/([\0-\x1f\x7f]|^-?\d)|^-$|[^\x80-\uFFFF\w-]/g;function fcssescape(e,t){return t?"\0"===e?"�":e.slice(0,-1)+"\\"+e.charCodeAt(e.length-1).toString(16)+" ":"\\"+e}jQuery.escapeSelector=function(e){return(e+"").replace(A,fcssescape)};var E=v,D=s;(function(){var n,i,a,s,l,c,d,p,g,m,v=D,y=jQuery.expando,x=0,b=0,A=createCache(),N=createCache(),j=createCache(),P=createCache(),sortOrder=function(e,t){e===t&&(l=true);return 0},H="checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",M="(?:\\\\[\\da-fA-F]{1,6}"+S+"?|\\\\[^\\r\\n\\f]|[\\w-]|[^\0-\\x7f])+",L="\\["+S+"*("+M+")(?:"+S+"*([*^$|!~]?=)"+S+"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|("+M+"))|)"+S+"*\\]",q=":("+M+")(?:\\((('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|((?:\\\\.|[^\\\\()[\\]]|"+L+")*)|.*)\\)|)",O=new RegExp(S+"+","g"),F=new RegExp("^"+S+"*,"+S+"*"),R=new RegExp("^"+S+"*([>+~]|"+S+")"+S+"*"),I=new RegExp(S+"|>"),W=new RegExp(q),$=new RegExp("^"+M+"$"),B={ID:new RegExp("^#("+M+")"),CLASS:new RegExp("^\\.("+M+")"),TAG:new RegExp("^("+M+"|[*])"),ATTR:new RegExp("^"+L),PSEUDO:new RegExp("^"+q),CHILD:new RegExp("^:(only|first|last|nth|nth-last)-(child|of-type)(?:\\("+S+"*(even|odd|(([+-]|)(\\d*)n|)"+S+"*(?:([+-]|)"+S+"*(\\d+)|))"+S+"*\\)|)","i"),bool:new RegExp("^(?:"+H+")$","i"),needsContext:new RegExp("^"+S+"*[>+~]|:(even|odd|eq|gt|lt|nth|first|last)(?:\\("+S+"*((?:-\\d)?\\d*)"+S+"*\\)|)(?=[^-]|$)","i")},_=/^(?:input|select|textarea|button)$/i,z=/^h\d$/i,X=/^(?:#([\w-]+)|(\w+)|\.([\w-]+))$/,U=/[+~]/,G=new RegExp("\\\\[\\da-fA-F]{1,6}"+S+"?|\\\\([^\\r\\n\\f])","g"),funescape=function(e,t){var n="0x"+e.slice(1)-65536;return t||(n<0?String.fromCharCode(n+65536):String.fromCharCode(n>>10|55296,1023&n|56320))},unloadHandler=function(){setDocument()},V=addCombinator((function(e){return true===e.disabled&&nodeName(e,"fieldset")}),{dir:"parentNode",next:"legend"});function safeActiveElement(){try{return c.activeElement}catch(e){}}try{v.apply(r=o.call(E.childNodes),E.childNodes);r[E.childNodes.length].nodeType}catch(e){v={apply:function(e,t){D.apply(e,o.call(t))},call:function(e){D.apply(e,o.call(arguments,1))}}}function find(e,t,n,r){var i,o,a,s,u,l,f,d=t&&t.ownerDocument,m=t?t.nodeType:9;n=n||[];if("string"!==typeof e||!e||1!==m&&9!==m&&11!==m)return n;if(!r){setDocument(t);t=t||c;if(p){if(11!==m&&(u=X.exec(e)))if(i=u[1]){if(9===m){if(!(a=t.getElementById(i)))return n;if(a.id===i){v.call(n,a);return n}}else if(d&&(a=d.getElementById(i))&&find.contains(t,a)&&a.id===i){v.call(n,a);return n}}else{if(u[2]){v.apply(n,t.getElementsByTagName(e));return n}if((i=u[3])&&t.getElementsByClassName){v.apply(n,t.getElementsByClassName(i));return n}}if(!P[e+" "]&&(!g||!g.test(e))){f=e;d=t;if(1===m&&(I.test(e)||R.test(e))){d=U.test(e)&&testContext(t.parentNode)||t;d==t&&h.scope||((s=t.getAttribute("id"))?s=jQuery.escapeSelector(s):t.setAttribute("id",s=y));l=tokenize(e);o=l.length;while(o--)l[o]=(s?"#"+s:":scope")+" "+toSelector(l[o]);f=l.join(",")}try{v.apply(n,d.querySelectorAll(f));return n}catch(t){P(e,true)}finally{s===y&&t.removeAttribute("id")}}}}return select(e.replace(k,"$1"),t,n,r)}
 /**
      * Create key-value caches of limited size
diff --git a/vendor/javascript/local-time.js b/vendor/javascript/local-time.js
new file mode 100644
index 00000000000..64d6e799587
--- /dev/null
+++ b/vendor/javascript/local-time.js
@@ -0,0 +1,4 @@
+// local-time@3.0.2 downloaded from https://ga.jspm.io/npm:local-time@3.0.2/app/assets/javascripts/local-time.es2017-esm.js
+
+var t;t={config:{},run:function(){return this.getController().processElements()},process:function(...t){var e,r,a;for(r=0,a=t.length;r<a;r++)e=t[r],this.getController().processElement(e);return t.length},getController:function(){return null!=this.controller?this.controller:this.controller=new t.Controller}};var e,r,a,n,s,i,o,u,l,c,d,m,h,f,g,p,S,v,y,T,b,M,D,w,E,I,C,N,A,O,$,F,Y,k,W,L=t;L.config.useFormat24=!1,L.config.i18n={en:{date:{dayNames:["Sunday","Monday","Tuesday","Wednesday","Thursday","Friday","Saturday"],abbrDayNames:["Sun","Mon","Tue","Wed","Thu","Fri","Sat"],monthNames:["January","February","March","April","May","June","July","August","September","October","November","December"],abbrMonthNames:["Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"],yesterday:"yesterday",today:"today",tomorrow:"tomorrow",on:"on {date}",formats:{default:"%b %e, %Y",thisYear:"%b %e"}},time:{am:"am",pm:"pm",singular:"a {time}",singularAn:"an {time}",elapsed:"{time} ago",second:"second",seconds:"seconds",minute:"minute",minutes:"minutes",hour:"hour",hours:"hours",formats:{default:"%l:%M%P",default_24h:"%H:%M"}},datetime:{at:"{date} at {time}",formats:{default:"%B %e, %Y at %l:%M%P %Z",default_24h:"%B %e, %Y at %H:%M %Z"}}}},L.config.locale="en",L.config.defaultLocale="en",L.config.timerInterval=6e4,a=!isNaN(Date.parse("2011-01-01T12:00:00-05:00")),L.parseDate=function(t){return t=t.toString(),a||(t=r(t)),new Date(Date.parse(t))},e=/^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(Z|[-+]?[\d:]+)$/,r=function(t){var r,a,n,s,i,o,u,l,c,d;if(s=t.match(e))return[r,c,o,a,n,i,l,d]=s,"Z"!==d&&(u=d.replace(":","")),`${c}/${o}/${a} ${n}:${i}:${l} GMT${[u]}`},L.elementMatchesSelector=(n=document.documentElement,s=null!=(i=null!=(o=null!=(u=null!=(l=n.matches)?l:n.matchesSelector)?u:n.webkitMatchesSelector)?o:n.mozMatchesSelector)?i:n.msMatchesSelector,function(t,e){if((null!=t?t.nodeType:void 0)===Node.ELEMENT_NODE)return s.call(t,e)}),({config:c}=L),({i18n:m}=c),L.getI18nValue=function(t="",{locale:e}={locale:c.locale}){var r;return null!=(r=d(m[e],t))?r:e!==c.defaultLocale?L.getI18nValue(t,{locale:c.defaultLocale}):void 0},L.translate=function(t,e={},r){var a,n,s;for(a in s=L.getI18nValue(t,r),e)n=e[a],s=s.replace(`{${a}}`,n);return s},d=function(t,e){var r,a,n,s,i;for(i=t,r=0,n=(s=e.split(".")).length;r<n;r++){if(null==i[a=s[r]])return null;i=i[a]}return i},({getI18nValue:f,translate:M}=L),b="function"==typeof("undefined"!=typeof Intl&&null!==Intl?Intl.DateTimeFormat:void 0),g={"Central European Standard Time":"CET","Central European Summer Time":"CEST","China Standard Time":"CST","Israel Daylight Time":"IDT","Israel Standard Time":"IST","Moscow Standard Time":"MSK","Philippine Standard Time":"PHT","Singapore Standard Time":"SGT","Western Indonesia Time":"WIB"},L.knownEdgeCaseTimeZones=g,L.strftime=T=function(t,e){var r,a,n,s,i,o,u;return a=t.getDay(),r=t.getDate(),i=t.getMonth(),u=t.getFullYear(),n=t.getHours(),s=t.getMinutes(),o=t.getSeconds(),e.replace(/%(-?)([%aAbBcdeHIlmMpPSwyYZ])/g,(function(e,l,c){switch(c){case"%":return"%";case"a":return f("date.abbrDayNames")[a];case"A":return f("date.dayNames")[a];case"b":return f("date.abbrMonthNames")[i];case"B":return f("date.monthNames")[i];case"c":return t.toString();case"d":return p(r,l);case"e":return r;case"H":return p(n,l);case"I":return p(T(t,"%l"),l);case"l":return 0===n||12===n?12:(n+12)%12;case"m":return p(i+1,l);case"M":return p(s,l);case"p":return M("time."+(n>11?"pm":"am")).toUpperCase();case"P":return M("time."+(n>11?"pm":"am"));case"S":return p(o,l);case"w":return a;case"y":return p(u%100,l);case"Y":return u;case"Z":return S(t)}}))},p=function(t,e){return"-"===e?t:`0${t}`.slice(-2)},S=function(t){var e,r,a;return(r=h(t))?g[r]:(a=y(t,{allowGMT:!1}))||(a=v(t))?a:(e=y(t,{allowGMT:!0}))?e:""},h=function(t){return Object.keys(g).find((function(e){return b?new Date(t).toLocaleString("en-US",{timeZoneName:"long"}).includes(e):t.toString().includes(e)}))},y=function(t,{allowGMT:e}){var r;if(b&&(r=new Date(t).toLocaleString("en-US",{timeZoneName:"short"}).split(" ").pop(),e||!r.includes("GMT")))return r},v=function(t){var e,r,a,n,s;return(e=null!=(r=(s=t.toString()).match(/\(([\w\s]+)\)$/))?r[1]:void 0)?/\s/.test(e)?e.match(/\b(\w)/g).join(""):e:(e=null!=(a=s.match(/(\w{3,4})\s\d{4}$/))?a[1]:void 0)||(e=null!=(n=s.match(/(UTC[\+\-]\d+)/))?n[1]:void 0)?e:void 0},L.CalendarDate=class{static fromDate(t){return new this(t.getFullYear(),t.getMonth()+1,t.getDate())}static today(){return this.fromDate(new Date)}constructor(t,e,r){this.date=new Date(Date.UTC(t,e-1)),this.date.setUTCDate(r),this.year=this.date.getUTCFullYear(),this.month=this.date.getUTCMonth()+1,this.day=this.date.getUTCDate(),this.value=this.date.getTime()}equals(t){return(null!=t?t.value:void 0)===this.value}is(t){return this.equals(t)}isToday(){return this.is(this.constructor.today())}occursOnSameYearAs(t){return this.year===(null!=t?t.year:void 0)}occursThisYear(){return this.occursOnSameYearAs(this.constructor.today())}daysSince(t){if(t)return(this.date-t.date)/864e5}daysPassed(){return this.constructor.today().daysSince(this)}},({strftime:E,translate:I,getI18nValue:w,config:D}=L),L.RelativeTime=class{constructor(t){this.date=t,this.calendarDate=L.CalendarDate.fromDate(this.date)}toString(){var t,e;return(e=this.toTimeElapsedString())?I("time.elapsed",{time:e}):(t=this.toWeekdayString())?(e=this.toTimeString(),I("datetime.at",{date:t,time:e})):I("date.on",{date:this.toDateString()})}toTimeOrDateString(){return this.calendarDate.isToday()?this.toTimeString():this.toDateString()}toTimeElapsedString(){var t,e,r,a,n;return r=(new Date).getTime()-this.date.getTime(),a=Math.round(r/1e3),e=Math.round(a/60),t=Math.round(e/60),r<0?null:a<10?(n=I("time.second"),I("time.singular",{time:n})):a<45?`${a} ${I("time.seconds")}`:a<90?(n=I("time.minute"),I("time.singular",{time:n})):e<45?`${e} ${I("time.minutes")}`:e<90?(n=I("time.hour"),I("time.singularAn",{time:n})):t<24?`${t} ${I("time.hours")}`:""}toWeekdayString(){switch(this.calendarDate.daysPassed()){case 0:return I("date.today");case 1:return I("date.yesterday");case-1:return I("date.tomorrow");case 2:case 3:case 4:case 5:case 6:return E(this.date,"%A");default:return""}}toDateString(){var t;return t=this.calendarDate.occursThisYear()?w("date.formats.thisYear"):w("date.formats.default"),E(this.date,t)}toTimeString(){var t;return t=D.useFormat24?"default_24h":"default",E(this.date,w(`time.formats.${t}`))}},({elementMatchesSelector:C}=L),L.PageObserver=class{constructor(t,e){this.processMutations=this.processMutations.bind(this),this.processInsertion=this.processInsertion.bind(this),this.selector=t,this.callback=e}start(){if(!this.started)return this.observeWithMutationObserver()||this.observeWithMutationEvent(),this.started=!0}observeWithMutationObserver(){if("undefined"!=typeof MutationObserver&&null!==MutationObserver)return new MutationObserver(this.processMutations).observe(document.documentElement,{childList:!0,subtree:!0}),!0}observeWithMutationEvent(){return addEventListener("DOMNodeInserted",this.processInsertion,!1),!0}findSignificantElements(t){var e;return e=[],(null!=t?t.nodeType:void 0)===Node.ELEMENT_NODE&&(C(t,this.selector)&&e.push(t),e.push(...t.querySelectorAll(this.selector))),e}processMutations(t){var e,r,a,n,s,i,o,u;for(e=[],r=0,n=t.length;r<n;r++)if("childList"===(i=t[r]).type)for(a=0,s=(u=i.addedNodes).length;a<s;a++)o=u[a],e.push(...this.findSignificantElements(o));return this.notify(e)}processInsertion(t){var e;return e=this.findSignificantElements(t.target),this.notify(e)}notify(t){if(null!=t?t.length:void 0)return"function"==typeof this.callback?this.callback(t):void 0}},({parseDate:O,strftime:$,getI18nValue:A,config:N}=L),L.Controller=function(){var t,e,r,a;return t="time[data-local]:not([data-localized])",e=function(t){return t.setAttribute("data-localized","")},r=function(t){return t.setAttribute("data-processed-at",(new Date).toISOString())},a=function(t){return new L.RelativeTime(t)},class{constructor(){this.processElements=this.processElements.bind(this),this.pageObserver=new L.PageObserver(t,this.processElements)}start(){if(!this.started)return this.processElements(),this.startTimer(),this.pageObserver.start(),this.started=!0}startTimer(){var t;if(t=N.timerInterval)return null!=this.timer?this.timer:this.timer=setInterval(this.processElements,t)}processElements(e=document.querySelectorAll(t)){var r,a,n;for(a=0,n=e.length;a<n;a++)r=e[a],this.processElement(r);return e.length}processElement(t){var n,s,i,o,u,l;if(n=t.getAttribute("datetime"),i=t.getAttribute("data-local"),s=N.useFormat24&&t.getAttribute("data-format24")||t.getAttribute("data-format"),o=O(n),!isNaN(o))return t.hasAttribute("title")||(l=N.useFormat24?"default_24h":"default",u=$(o,A(`datetime.formats.${l}`)),t.setAttribute("title",u)),r(t),t.textContent=function(){switch(i){case"time":return e(t),$(o,s);case"date":return e(t),a(o).toDateString();case"time-ago":return a(o).toString();case"time-or-date":return a(o).toTimeOrDateString();case"weekday":return a(o).toWeekdayString();case"weekday-or-date":return a(o).toWeekdayString()||a(o).toDateString()}}()}}}.call(window),W=!1,F=function(){return document.attachEvent?"complete"===document.readyState:"loading"!==document.readyState},Y=function(t){var e;return null!=(e="function"==typeof requestAnimationFrame?requestAnimationFrame(t):void 0)?e:setTimeout(t,17)},k=function(){return L.getController().start()},L.start=function(){return W?L.run():(W=!0,"undefined"!=typeof MutationObserver&&null!==MutationObserver||F()?k():Y(k))},L.processing=function(){return L.getController().started},window.LocalTime===L&&L.start();export{L as default};
+
diff --git a/vendor/javascript/stimulus-rails-nested-form.js b/vendor/javascript/stimulus-rails-nested-form.js
index 69d15ade87c..207fd164b60 100644
--- a/vendor/javascript/stimulus-rails-nested-form.js
+++ b/vendor/javascript/stimulus-rails-nested-form.js
@@ -1,2 +1,4 @@
+// stimulus-rails-nested-form@4.1.0 downloaded from https://ga.jspm.io/npm:stimulus-rails-nested-form@4.1.0/dist/stimulus-rails-nested-form.mjs
+
 import{Controller as e}from"@hotwired/stimulus";class r extends e{add(e){e.preventDefault();const t=this.templateTarget.innerHTML.replace(/NEW_RECORD/g,(new Date).getTime().toString());this.targetTarget.insertAdjacentHTML("beforebegin",t)}remove(e){e.preventDefault();const t=e.target.closest(this.wrapperSelectorValue);if("true"===t.dataset.newRecord)t.remove();else{t.style.display="none";const e=t.querySelector("input[name*='_destroy']");e.value="1"}}}r.targets=["target","template"];r.values={wrapperSelector:{type:String,default:".nested-form-wrapper"}};export{r as default};