Merge branch 'zitadel:main' into main

Author: AaronDewes

.cursorrules

@@ -0,0 +1,21 @@
+# Cursor Rules for ZITADEL
+
+You are working in the ZITADEL monorepo. 
+
+**ALWAYS** read `AGENTS.md` files in this order:
+1. Root `AGENTS.md`
+2. The nearest scoped `AGENTS.md` for the files you are changing
+
+If you touch Go code or run Go tooling, inspect `go.mod` first for the required Go version/toolchain.
+
+Use verified Nx targets only. If a target is unclear or missing, run `pnpm nx show project <project>`.
+
+- **Root Context**: [AGENTS.md](AGENTS.md)
+- **API App**: [apps/api/AGENTS.md](apps/api/AGENTS.md)
+- **Login App**: [apps/login/AGENTS.md](apps/login/AGENTS.md)
+- **Docs Site**: [apps/docs/AGENTS.md](apps/docs/AGENTS.md)
+- **Management Console**: [console/AGENTS.md](console/AGENTS.md)
+- **Backend Internal**: [internal/AGENTS.md](internal/AGENTS.md)
+- **Proto Definitions**: [proto/AGENTS.md](proto/AGENTS.md)
+- **Shared Packages**: [packages/AGENTS.md](packages/AGENTS.md)
+- **Functional UI Tests**: [tests/functional-ui/AGENTS.md](tests/functional-ui/AGENTS.md)

.devcontainer/devcontainer.json

@@ -33,7 +33,7 @@
 	},
 	"features": {
 		"ghcr.io/devcontainers/features/go:1": {
-			"version": "1.25.3"
+			"version": "1.25"
 		},
 		"ghcr.io/devcontainers/features/docker-outside-of-docker": {},
 		"ghcr.io/schlich/devcontainer-features/cypress:1": {
@@ -46,7 +46,7 @@
 	"remoteEnv": {
 		"PATH": "${containerEnv:PATH}:/workspaces/zitadel/.artifacts/bin/linux/amd64"
 	},
-	"postStartCommand": "echo 'export PATH=\"${PWD}/.artifacts/bin/$(go env GOOS)/$(go env GOARCH):$PATH\"' >> ~/.bashrc",
+	"postStartCommand": "npm install -g nx@21.6.9 && echo 'export PATH=\"${PWD}/.artifacts/bin/$(go env GOOS)/$(go env GOARCH):$PATH\"' >> ~/.bashrc",
 	"customizations": {
 		"vscode": {
 			"extensions": [
@@ -58,4 +58,4 @@
 			]
 		}
 	}
-}
+}

.github/copilot-instructions.md

@@ -1 +1,23 @@
-Always respect the terminology defined in the 'Technical Glossary' section of agents.md when generating UI text or documentation.
+# GitHub Copilot Instructions for ZITADEL
+
+You are working in the ZITADEL monorepo. This codebase uses specific conventions for its Go backend and Angular/Next.js frontends.
+
+**CRITICAL**: Read `AGENTS.md` in the root first, then the nearest scoped `AGENTS.md` for changed files.
+
+## Key References
+- `AGENTS.md`: Root architecture map and global commands.
+- `apps/api/AGENTS.md`: API app workflows and backend orchestration targets.
+- `apps/login/AGENTS.md`: Specifics for the Next.js Login UI.
+- `apps/docs/AGENTS.md`: Specifics for the Fumadocs documentation.
+- `console/AGENTS.md`: Specifics for the Angular Console.
+- `internal/AGENTS.md`: Backend domain and event-sourcing boundaries.
+- `proto/AGENTS.md`: API schema and generation guidance.
+- `packages/AGENTS.md`: Shared client/proto package workflows.
+- `tests/functional-ui/AGENTS.md`: Cypress functional UI test workflows.
+
+## Behavior
+- Before Go-related work, inspect `go.mod` for required Go version/toolchain.
+- Use verified Nx targets only; if unsure, run `pnpm nx show project <project>`.
+- For backend changes, note we are in transition: relational data is becoming the system of record, while event writes are still required for history/audit.
+- Respect terminology defined in the `Technical Glossary` section of `AGENTS.md` when generating UI text or documentation.
+- Distinguish between `apps/login` (Next.js) and `console` (Angular) when suggesting frontend code.

.github/semantic.yml

@@ -1,2 +1,61 @@
 # Always validate the PR title, and ignore the commits
 titleOnly: true
+
+# Allowed types — the PR title type must be one of these.
+# This list is the single source of truth referenced by AGENTS.md and CONTRIBUTING.md.
+types:
+  - feat      # new feature
+  - fix       # bug fix
+  - docs      # documentation only (no code change)
+  - refactor  # code restructuring without behaviour change
+  - perf      # performance improvement
+  - test      # adding or fixing tests
+  - build     # build system or tooling
+  - ci        # CI/CD pipeline
+  - chore     # maintenance (deps, config, etc.)
+  - revert    # reverts a previous commit
+
+# Allowed scopes — if a scope is provided it must match one of these.
+# Scopes are optional; omit rather than invent one not on this list.
+# Note: 'docs' is a type, not a scope — use the type 'docs' for documentation changes.
+# This list is the single source of truth referenced by AGENTS.md and CONTRIBUTING.md.
+scopes:
+  # Backend — domain areas
+  - api
+  - session
+  - authz
+  - command
+  - query
+  - eventstore
+  - actions
+  - crypto
+  - domain
+  - feature
+  - idp
+  - notification
+  - oidc
+  - saml
+  - webauthn
+  # Backend — infrastructure
+  - cache
+  - config
+  - database
+  - migration
+  - setup
+  - telemetry
+  - queue
+  # Frontend
+  - console
+  - login
+  # API layer
+  - grpc
+  - proto
+  # Cross-cutting
+  - build
+  - ci
+  - deps
+  - i18n
+  - integration
+  - perf
+  - security
+  - test

.gitignore

@@ -102,8 +102,7 @@ go.work.sum
 
 # AI Files
 CLAUDE.md
-AGENTS.md
 .mcp.json
 .gemini/*
 
-docs_old
+docs_old

agents.md AGENTS.mdagents.md renamed to AGENTS.md

@@ -1,13 +1,45 @@
+# ZITADEL Monorepo Guide for AI Agents
+
+## Mission & Context
+ZITADEL is an open-source Identity Management System (IAM) written in Go and Angular/React. It provides secure login, multi-tenancy, and audit trails.
+
+## Read Order
+1. Read this file first.
+2. Read the nearest scoped `AGENTS.md` for the area you edit.
+3. If multiple scopes apply, use the most specific path.
+
+## Repository Structure Map
+- **`apps/`**: Consumer-facing web applications.
+  - **`login`**: Next.js authentication UI. See `apps/login/AGENTS.md`.
+  - **`docs`**: Fumadocs documentation app. See `apps/docs/AGENTS.md`.
+  - **`api`**: Backend Nx app target. See `apps/api/AGENTS.md`.
+- **`console/`**: Angular Management Console. See `console/AGENTS.md`.
+- **`internal/`**: Backend domain and service logic. See `internal/AGENTS.md`.
+- **`proto/`**: API definitions. See `proto/AGENTS.md`.
+- **`packages/`**: Shared TypeScript packages. See `packages/AGENTS.md`.
+- **`tests/functional-ui/`**: Cypress functional UI tests. See `tests/functional-ui/AGENTS.md`.
+
+## Technology Stack & Conventions
+- **Orchestration**: Nx is used for build and task orchestration.
+- **Package Manager**: pnpm.
+- **Backend**:
+  - **Go Version Source of Truth**: Inspect `go.mod` before Go work (`go` and optional `toolchain` directives).
+  - **Communication**: For V2 APIs, connectRPC is the primary transport. gRPC and HTTP/JSON endpoints are also supported.
+  - **Pattern**: The backend is transitioning to a relational design. Events are still persisted in a separate table for history/audit, but events are not the system of record.
+- **Frontend**:
+  - **Console**: Angular + RxJS.
+  - **Login/Docs**: Next.js + React.
+
 ## ZITADEL Domain & Multi-Tenancy Logic
 
 ### 1. Hierarchy & Ownership
 
 ZITADEL follows a strict hierarchical containment model. When generating code, logic, or translations, adhere to this structure:
 
 - **System (Installation):** The entire ZITADEL deployment. Global settings are applied through runtime configuration files or environment variables. See `cmd/defaults.yaml`.
-- **Instance (The "Identity System"):** 
+- **Instance (The "Identity System"):**
   - **Definition:** A logical partition/virtual tenant. It is a "System inside a System."
-  - **Isolation:** Data and configurations are strictly isolated between instances.
+  - **Isolation:** Data and settings are strictly isolated between instances.
   - **Translation Rule:** NEVER translate as "Example" or "Case." Use technical terms like "Tenant," "Environment," or the local equivalent of "Logical System Entity."
 - **Organization:** A group within an Instance. It owns Users, Projects, and Roles.
 - **Project:** A collection of Applications and Auth Policies within an Org.
@@ -43,3 +75,34 @@ If a translation is requested for a language not listed above, follow these prio
 2. **Priority 2 (System Entity):** Use a term that implies a "running process" or "logical environment."
 3. **Priority 3 (Tenant):** If 'Instance' is ambiguous, use the local word for 'Tenant' (e.g., 租户 in Chinese).
 4. **Strict Ban:** NEVER use words that mean "an illustration", "a case", "a sample", or "an example."
+
+## Command Rules
+Run commands from the repository root.
+
+- Use verified Nx targets only.
+- If target availability is unclear, run `pnpm nx show project <project>`.
+- Do not assume all projects have `test`, `lint`, `build`, or `generate` targets.
+- Known exception: `@zitadel/console` has no configured `test` target.
+
+## Verified Common Targets
+- `@zitadel/api`: `prod`, `build`, `generate`, `generate-install`, `lint`, `test`, `test-unit`, `test-integration`
+- `@zitadel/login`: `dev`, `build`, `lint`, `test`, `test-unit`, `test-integration`
+- `@zitadel/docs`: `dev`, `build`, `generate`, `install-proto-plugins`, `check-links`, `check-types`, `test`, `lint`
+- `@zitadel/console`: `dev`, `build`, `generate`, `install-proto-plugins`, `lint`
+
+## Proto Plugin Binaries
+All proto plugins are installed to `.artifacts/bin/<GOOS>/<GOARCH>/` and Nx-cached. `generate` targets wire up the correct install dependency and prepend `.artifacts/bin/` to `$PATH` — no manual install step is needed.
+
+## PR Title Convention
+
+PR titles are validated by the Semantic PR app. Format:
+
+`<type>(<scope>): <short summary>`
+
+**Types**: must come from the list in [`.github/semantic.yml`](.github/semantic.yml) under `types:` — e.g. `feat`, `fix`, `docs`, `refactor`, `perf`, `test`, `build`, `ci`, `chore`, `revert`.
+
+**Scopes**: optional, but if used must come from the list in [`.github/semantic.yml`](.github/semantic.yml) under `scopes:`. When in doubt, omit the scope — do not invent values not on that list.
+
+## Documentation
+- **Human Guide**: See `CONTRIBUTING.md` for setup and contribution details.
+- **API Design**: See `API_DESIGN.md` for API specific guidelines.

CONTRIBUTING.md

@@ -1,13 +1,13 @@
 # Contributing to Zitadel
 
-Zitadel is an open-source identity and access management platform built with a modern tech stack including Go (API), Next.js/React (Login), Angular (Console), and Docusaurus (Docs) - all orchestrated through an Nx monorepo with pnpm for efficient development workflows.
+Zitadel is an open-source identity and access management platform built with a modern tech stack including Go (API), Next.js/React (Login), Angular (Console), and Fumadocs (Docs) - all orchestrated through an Nx monorepo with pnpm for efficient development workflows.
 
 ## Quick Start
 
 1. Clone the repository: `git clone https://github.com/zitadel/zitadel` or [open it in a local Dev Container](https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/zitadel/zitadel) or [create a GitHub Codespace](https://codespaces.new/zitadel/zitadel)
 2. If you cloned the repository to your local machine, install the required development dependencies
    - [Node.js v22.x](https://nodejs.org/en/download/) - Required for UI development and to run development commands `pnpm nx ...`
-   - [Go 1.24.x](https://go.dev/doc/install) - Required for API development
+   - [Go](https://go.dev/doc/install) - Required for API development. Use the version declared in `go.mod`.
    - [Docker](https://docs.docker.com/engine/install/) - Required for supporting services like the development database and for tests.
    - [Cypress runtime dependencies](https://docs.cypress.io/guides/continuous-integration/introduction#Dependencies) - Required for Browser UI tests
    <details>
@@ -49,8 +49,9 @@ You can build and start any project with Nx commands.
 | **Develop**                   | `pnpm nx run PROJECT:dev`                   | Development server           |                                                                                                                                                                                                  |
 | **Generate**                  | `pnpm nx run PROJECT:generate`              | Generate .gitignored files   |                                                                                                                                                                                                  |
 | **Generate Go Files**         | `pnpm nx run @zitadel/api:generate-go`      | Regenerate checked-in files  | This is needed to generate files using [Stringer](https://pkg.go.dev/golang.org/x/tools/cmd/stringer), [Enumer](https://github.com/dmarkham/enumer) or [gomock](https://github.com/uber-go/mock) |
+| **Install Proto Plugins**     | `pnpm nx run @zitadel/api:generate-install` | Install proto toolchain      | Installs Go-based plugins (protoc-gen-go, connect-go, …) to `.artifacts/bin/`. Run automatically by `generate` targets; Nx caches the outputs. |
 | **Test - Unit**               | `pnpm nx run PROJECT:test-unit`             | Run unit tests               |                                                                                                                                                                                                  |
-| **Test - Integration**        | `pnpm nx run PROJECT:test-integration`      | Run integration tests        | Learn mnore about how to [debug API integration tests](#run-api-integration-tests)                                                                                                               |
+| **Test - Integration**        | `pnpm nx run PROJECT:test-integration`      | Run integration tests        | Learn more about how to [debug API integration tests](#run-api-integration-tests)                                                                                                               |
 | **Test - Integration Stop**   | `pnpm nx run PROJECT:test-integration-stop` | Stop integration containers  |                                                                                                                                                                                                  |
 | **Test - Functional UI**      | `pnpm nx run @zitadel/functional-ui:test`   | Run functional UI tests      | Learn more about how to [develop the Management Console and opening the interactive Test Suite](#pass-management-console-quality-checks)                                                                               |
 | **Test - Functional UI Stop** | `pnpm nx run @zitadel/functional-ui:stop`   | Run functional UI containers |                                                                                                                                                                                                  |
@@ -129,7 +130,7 @@ The code consists of the following parts:
 | API definitions    | Specifications of the API                          | [Protobuf](https://developers.google.com/protocol-buffers)                                                | [./proto/zitadel](./proto/zitadel)                  | [Contribute to API](#contribute-to-api)             |
 | Management Console            | Frontend the user interacts with after log in      | [Angular](https://angular.io), [Typescript](https://www.typescriptlang.org)                               | [./console](./console)                              | [Contribute to Frontend](#contribute-to-frontend)   |
 | Login              | Modern authentication UI built with Next.js        | [Next.js](https://nextjs.org), [React](https://reactjs.org), [TypeScript](https://www.typescriptlang.org) | [./apps/login](./apps/login)                        | [Contribute to Frontend](#contribute-to-frontend)   |
-| Docs               | Project documentation made with docusaurus         | [Docusaurus](https://docusaurus.io/)                                                                      | [./apps/docs](./apps/docs)                          | [Contribute to Frontend](#contribute-to-frontend)   |
+| Docs               | Project documentation made with Fumadocs           | [Fumadocs](https://fumadocs.dev/)                                                                         | [./apps/docs](./apps/docs)                          | [Contribute to Frontend](#contribute-to-frontend)   |
 | translations       | Internationalization files for default languages   | YAML                                                                                                      | [./console](./console) and [./internal](./internal) | [Contribute Translations](#contribute-translations) |
 
 Please follow the guides to validate and test the code before you contribute.
@@ -173,15 +174,13 @@ Make sure you use [semantic release messages format](https://github.com/angular/
 
 #### Type
 
-Must be one of the following:
-
-- **feat**: New Feature
-- **fix**: Bug Fix
-- **docs**: Documentation
+Allowed values are listed in [`.github/semantic.yml`](.github/semantic.yml) under `types:`.
 
 #### Scope
 
-This is optional to indicate which component is affected. If in doubt, leave blank (`<type>: <short summary>`)
+This is optional to indicate which component is affected.
+Allowed values are listed in [`.github/semantic.yml`](.github/semantic.yml) under `scopes:`.
+When in doubt, omit the scope — `<type>: <short summary>` is always valid.
 
 #### Short summary
 
@@ -368,7 +367,7 @@ Choose your contribution area:
 
 - **[Login App](#contribute-to-login)** (Next.js/React) - Modern authentication flows
 - **[Console](#contribute-to-console)** (Angular) - Admin dashboard and user management
-- **[Docs](#contribute-to-docs)** (Docusaurus) - Project documentation
+- **[Docs](#contribute-to-docs)** (Fumadocs) - Project documentation
 - **[Client Packages](#client-packages)** - Shared libraries for API communication
 
 ### Project Dependencies
@@ -580,6 +579,18 @@ pnpm nx run @zitadel/proto:generate  # Regenerate after proto changes
 pnpm nx run @zitadel/client:build  # Build after changes
 ```
 
+### Proto Plugin Convention
+
+All binary proto plugins are installed to `.artifacts/bin/<GOOS>/<GOARCH>/` and declared as Nx target outputs, making them eligible for Nx remote cache.
+
+| Scope | Target | Installs |
+|---|---|---|
+| `@zitadel/api` | `generate-install` | Go-based plugins: `buf`, `protoc-gen-go`, `protoc-gen-connect-go`, `protoc-gen-openapiv2`, `protoc-gen-validate`, `protoc-gen-authoption`, … |
+| `@zitadel/console` | `install-proto-plugins` | `protoc-gen-grpc-web`, `protoc-gen-js`, `protoc-gen-openapiv2` (pre-built binaries, no Go required) |
+| `@zitadel/docs` | `install-proto-plugins` | `protoc-gen-connect-openapi` (pre-built binary, no Go required) |
+
+`generate` targets depend on the appropriate install targets and prepend `.artifacts/bin/` to `$PATH` automatically. Running `pnpm nx run PROJECT:generate` is sufficient — no manual plugin installation needed.
+
 ### Contribute to Docs
 
 Project documentation is located under [./apps/docs](./apps/docs).

MEETING_SCHEDULE.md

@@ -96,7 +96,7 @@ We will showcase the new Login UI, provide insights into the application's archi
 
 * **Architecture of the Login UI**: Explore how server-side and client-side components interact within the new Login UI and NextJS framework.
 * **Session API**: Understand the workings of the Session API
-* **OIDC middleware configuration**: Learn how OIDC functions with the new Login UI and the necessary steps for a complete flow.
+* **OIDC middleware settings**: Learn how OIDC functions with the new Login UI and the necessary steps for a complete flow.
 * **Customization Options / Settings**: Discover how to personalize the login and which ZITADEL settings are implemented.
 * **Outlook**: Gain insights into future features
 * **Q&A**