Fix partial backup/restore API to remap addons key to apps

The external API accepts `addons` as the request body key (since ATTR_APPS = "addons"), but do_backup_partial and do_restore_partial now take an `apps` parameter after the rename. The **body expansion in both endpoints would pass `addons=...` causing a TypeError. Remap the key before expansion in both backup_partial and restore_partial: if ATTR_APPS in body: body["apps"] = body.pop(ATTR_APPS) Also adds test_restore_partial_with_addons_key to verify the restore path correctly receives apps= when addons is passed in the request body. This path had no existing test coverage. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Rename addon→app in code (variables, args, class names, functions)
2026-04-14 04:24:25 +00:00 · 2026-04-10 18:01:08 +00:00 · 2026-04-10 18:01:07 +00:00 · 2026-04-10 17:56:43 +00:00 · 2026-04-10 15:09:38 +02:00 · 2026-04-10 15:00:03 +02:00
4517 changed files with 54746 additions and 516869 deletions
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -1,38 +1,55 @@
 {
  "name": "Supervisor dev",
-  "image": "ghcr.io/home-assistant/devcontainer:supervisor",
+  "image": "ghcr.io/home-assistant/devcontainer:4-supervisor",
+  "overrideCommand": false,
+  "remoteUser": "vscode",
  "containerEnv": {
    "WORKSPACE_DIRECTORY": "${containerWorkspaceFolder}"
  },
+  "remoteEnv": {
+    "PATH": "${containerEnv:VIRTUAL_ENV}/bin:${containerEnv:PATH}"
+  },
  "appPort": ["9123:8123", "7357:4357"],
-  "postCreateCommand": "bash devcontainer_bootstrap",
+  "postCreateCommand": "bash devcontainer_setup",
+  "postStartCommand": "bash devcontainer_bootstrap",
  "runArgs": ["-e", "GIT_EDITOR=code --wait", "--privileged"],
  "customizations": {
    "vscode": {
      "extensions": [
-        "ms-python.python",
+        "charliermarsh.ruff",
        "ms-python.pylint",
        "ms-python.vscode-pylance",
        "visualstudioexptteam.vscodeintellicode",
-        "esbenp.prettier-vscode"
+        "redhat.vscode-yaml",
+        "esbenp.prettier-vscode",
+        "GitHub.vscode-pull-request-github"
      ],
      "settings": {
+        "python.defaultInterpreterPath": "/home/vscode/.local/ha-venv/bin/python",
+        "python.pythonPath": "/home/vscode/.local/ha-venv/bin/python",
+        "python.terminal.activateEnvInCurrentTerminal": true,
+        "python.testing.pytestArgs": ["--no-cov"],
+        "pylint.importStrategy": "fromEnvironment",
+        "editor.formatOnPaste": false,
+        "editor.formatOnSave": true,
+        "editor.formatOnType": true,
+        "files.trimTrailingWhitespace": true,
        "terminal.integrated.profiles.linux": {
          "zsh": {
            "path": "/usr/bin/zsh"
          }
        },
        "terminal.integrated.defaultProfile.linux": "zsh",
-        "editor.formatOnPaste": false,
-        "editor.formatOnSave": true,
-        "editor.formatOnType": true,
-        "files.trimTrailingWhitespace": true,
-        "python.pythonPath": "/usr/local/bin/python3",
-        "python.formatting.provider": "black",
-        "python.formatting.blackArgs": ["--target-version", "py311"],
-        "python.formatting.blackPath": "/usr/local/bin/black"
+        "[python]": {
+          "editor.defaultFormatter": "charliermarsh.ruff"
+        }
      }
    }
  },
-  "mounts": ["type=volume,target=/var/lib/docker"]
+  "mounts": [
+    "type=volume,target=/var/lib/docker",
+    "type=volume,target=/var/lib/containerd",
+    "type=volume,target=/mnt/supervisor",
+    "type=tmpfs,target=/tmp"
+  ]
 }
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,6 +1,7 @@
 # General files
 .git
 .github
+.gitkeep
 .devcontainer
 .vscode

--- a/.github/ISSUE_TEMPLATE.md
+++ b/.github/ISSUE_TEMPLATE.md
@@ -1,69 +0,0 @@
---
-name: Report a bug with the Supervisor on a supported System
-about: Report an issue related to the Home Assistant Supervisor.
-labels: bug
---
-
-<!-- READ THIS FIRST:
- If you need additional help with this template please refer to https://www.home-assistant.io/help/reporting_issues/
- This is for bugs only. Feature and enhancement requests should go in our community forum: https://community.home-assistant.io/c/feature-requests
- Provide as many details as possible. Paste logs, configuration sample and code into the backticks. Do not delete any text from this template!
- If you have a problem with an add-on, make an issue in it's repository.
-->
-
-<!--
-Important: You can only fill a bug repport for an supported system! If you run an unsupported installation. This report would be closed without comment.
-->
-
-### Describe the issue
-
-<!-- Provide as many details as possible. -->
-
-### Steps to reproduce
-
-<!-- What do you do to encounter the issue. -->
-
-1. ...
-2. ...
-3. ...
-
-### Enviroment details
-
-<!-- You can find these details in the system tab of the supervisor panel, or by using the `ha` CLI. -->
-
- **Operating System:**: xxx
- **Supervisor version:**: xxx
- **Home Assistant version**: xxx
-
-### Supervisor logs
-
-<details>
-<summary>Supervisor logs</summary>
-<!--
- Frontend -> Supervisor -> System
- Or use this command: ha supervisor logs
- Logs are more than just errors, even if you don't think it's important, it is.
-->
-
-```
-Paste supervisor logs here
-
-```
-
-</details>
-
-### System Information
-
-<details>
-<summary>System Information</summary>
-<!--
- Use this command: ha info
-->
-
-```
-Paste system info here
-
-```
-
-</details>
-
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -1,6 +1,5 @@
-name: Bug Report Form
+name: Report an issue with Home Assistant Supervisor
 description: Report an issue related to the Home Assistant Supervisor.
-labels: bug
 body:
  - type: markdown
    attributes:
@@ -9,7 +8,7 @@ body:

        If you have a feature or enhancement request, please use the [feature request][fr] section of our [Community Forum][fr].

-        [fr]: https://community.home-assistant.io/c/feature-requests
+        [fr]: https://github.com/orgs/home-assistant/discussions
  - type: textarea
    validations:
      required: true
@@ -26,7 +25,7 @@ body:
    attributes:
      label: What type of installation are you running?
      description: >
-        If you don't know, can be found in [Settings -> System -> Repairs -> System Information](https://my.home-assistant.io/redirect/system_health/).
+        If you don't know, can be found in [Settings -> System -> Repairs -> (three dot menu) -> System Information](https://my.home-assistant.io/redirect/system_health/).
        It is listed as the `Installation Type` value.
      options:
        - Home Assistant OS
@@ -72,20 +71,21 @@ body:
    validations:
      required: true
    attributes:
-      label: System Health information
+      label: System information
      description: >
-        System Health information can be found in the top right menu in [Settings -> System -> Repairs](https://my.home-assistant.io/redirect/repairs/).
+        The System information can be found in [Settings -> System -> Repairs -> (three dot menu) -> System Information](https://my.home-assistant.io/redirect/system_health/).
        Click the copy button at the bottom of the pop-up and paste it here.
-        
+
        [![Open your Home Assistant instance and show health information about your system.](https://my.home-assistant.io/badges/system_health.svg)](https://my.home-assistant.io/redirect/system_health/)
  - type: textarea
    attributes:
      label: Supervisor diagnostics
      placeholder: "drag-and-drop the diagnostics data file here (do not copy-and-paste the content)"
      description: >-
-        Supervisor diagnostics can be found in [Settings -> Integrations](https://my.home-assistant.io/redirect/integrations/).
-        Find the card that says `Home Assistant Supervisor`, open its menu and select 'Download diagnostics'.
-        
+        Supervisor diagnostics can be found in [Settings -> Devices & services](https://my.home-assistant.io/redirect/integrations/).
+        Find the card that says `Home Assistant Supervisor`, open it, and select the three dot menu of the Supervisor integration entry
+        and select 'Download diagnostics'.
+
        **Please drag-and-drop the downloaded file into the textbox below. Do not copy and paste its contents.**
  - type: textarea
    attributes:
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -13,7 +13,7 @@ contact_links:
    about: Our documentation has its own issue tracker. Please report issues with the website there.

  - name: Request a feature for the Supervisor
-    url: https://community.home-assistant.io/c/feature-requests
+    url: https://github.com/orgs/home-assistant/discussions
    about: Request an new feature for the Supervisor.

  - name: I have a question or need support
--- a/.github/ISSUE_TEMPLATE/task.yml
+++ b/.github/ISSUE_TEMPLATE/task.yml
@@ -0,0 +1,53 @@
+name: Task
+description: For staff only - Create a task
+type: Task
+body:
+  - type: markdown
+    attributes:
+      value: |
+        ## ⚠️ RESTRICTED ACCESS
+
+        **This form is restricted to Open Home Foundation staff and authorized contributors only.**
+
+        If you are a community member wanting to contribute, please:
+        - For bug reports: Use the [bug report form](https://github.com/home-assistant/supervisor/issues/new?template=bug_report.yml)
+        - For feature requests: Submit to [Feature Requests](https://github.com/orgs/home-assistant/discussions)
+
+        ---
+
+        ### For authorized contributors
+
+        Use this form to create tasks for development work, improvements, or other actionable items that need to be tracked.
+  - type: textarea
+    id: description
+    attributes:
+      label: Description
+      description: |
+        Provide a clear and detailed description of the task that needs to be accomplished.
+
+        Be specific about what needs to be done, why it's important, and any constraints or requirements.
+      placeholder: |
+        Describe the task, including:
+        - What needs to be done
+        - Why this task is needed
+        - Expected outcome
+        - Any constraints or requirements
+    validations:
+      required: true
+  - type: textarea
+    id: additional_context
+    attributes:
+      label: Additional context
+      description: |
+        Any additional information, links, research, or context that would be helpful.
+
+        Include links to related issues, research, prototypes, roadmap opportunities etc.
+      placeholder: |
+        - Roadmap opportunity: [link]
+        - Epic: [link]
+        - Feature request: [link]
+        - Technical design documents: [link]
+        - Prototype/mockup: [link]
+        - Dependencies: [links]
+    validations:
+      required: false
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -38,6 +38,7 @@
 - This PR is related to issue:
 - Link to documentation pull request:
 - Link to cli pull request:
+- Link to client library pull request:

 ## Checklist

@@ -52,12 +53,14 @@
 - [ ] Local tests pass. **Your PR cannot be merged unless tests pass**
 - [ ] There is no commented out code in this PR.
 - [ ] I have followed the [development checklist][dev-checklist]
- [ ] The code has been formatted using Black (`black --fast supervisor tests`)
+- [ ] The code has been formatted using Ruff (`ruff format supervisor tests`)
 - [ ] Tests have been added to verify that the new code works.

-If API endpoints of add-on configuration are added/changed:
+If API endpoints or add-on configuration are added/changed:

 - [ ] Documentation added/updated for [developers.home-assistant.io][docs-repository]
+- [ ] [CLI][cli-repository] updated (if necessary)
+- [ ] [Client library][client-library-repository] updated (if necessary)

 <!--
  Thank you for contributing <3
@@ -67,3 +70,5 @@ If API endpoints of add-on configuration are added/changed:

 [dev-checklist]: https://developers.home-assistant.io/docs/en/development_checklist.html
 [docs-repository]: https://github.com/home-assistant/developers.home-assistant
+[cli-repository]: https://github.com/home-assistant/cli
+[client-library-repository]: https://github.com/home-assistant-libs/python-supervisor-client/
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -0,0 +1,294 @@
+# GitHub Copilot & Claude Code Instructions
+
+This repository contains the Home Assistant Supervisor, a Python 3 based container
+orchestration and management system for Home Assistant.
+
+## Supervisor Capabilities & Features
+
+### Architecture Overview
+
+Home Assistant Supervisor is a Python-based container orchestration system that
+communicates with the Docker daemon to manage containerized components. It is tightly
+integrated with the underlying Operating System and core Operating System components
+through D-Bus.
+
+**Managed Components:**
+- **Home Assistant Core**: The main home automation application running in its own
+  container (also provides the web interface)
+- **Add-ons**: Third-party applications and services (each add-on runs in its own
+  container)
+- **Plugins**: Built-in system services like DNS, Audio, CLI, Multicast, and Observer
+- **Host System Integration**: OS-level operations and hardware access via D-Bus
+- **Container Networking**: Internal Docker network management and external
+  connectivity
+- **Storage & Backup**: Data persistence and backup management across all containers
+
+**Key Dependencies:**
+- **Docker Engine**: Required for all container operations
+- **D-Bus**: System-level communication with the host OS
+- **systemd**: Service management for host system operations
+- **NetworkManager**: Network configuration and management
+
+### Add-on System
+
+**Add-on Architecture**: Add-ons are containerized applications available through
+add-on stores. Each store contains multiple add-ons, and each add-on includes metadata
+that tells Supervisor the version, startup configuration (permissions), and available
+user configurable options. Add-on metadata typically references a container image that
+Supervisor fetches during installation. If not, the Supervisor builds the container
+image from a Dockerfile.
+
+**Built-in Stores**: Supervisor comes with several pre-configured stores:
+- **Core Add-ons**: Official add-ons maintained by the Home Assistant team
+- **Community Add-ons**: Popular third-party add-ons repository
+- **ESPHome**: Add-ons for ESPHome ecosystem integration
+- **Music Assistant**: Audio and music-related add-ons
+- **Local Development**: Local folder for testing custom add-ons during development
+
+**Store Management**: Stores are Git-based repositories that are periodically updated.
+When updates are available, users receive notifications.
+
+**Add-on Lifecycle**:
+- **Installation**: Supervisor fetches or builds container images based on add-on
+  metadata
+- **Configuration**: Schema-validated options with integrated UI management
+- **Runtime**: Full container lifecycle management, health monitoring
+- **Updates**: Automatic or manual version management
+
+### Update System
+
+**Core Components**: Supervisor, Home Assistant Core, HAOS, and built-in plugins
+receive version information from a central JSON file fetched from
+`https://version.home-assistant.io/{channel}.json`. The `Updater` class handles
+fetching this data, validating signatures, and updating internal version tracking.
+
+**Update Channels**: Three channels (`stable`/`beta`/`dev`) determine which version
+JSON file is fetched, allowing users to opt into different release streams.
+
+**Add-on Updates**: Add-on version information comes from store repository updates, not
+the central JSON file. When repositories are refreshed via the store system, add-ons
+compare their local versions against repository versions to determine update
+availability.
+
+### Backup & Recovery System
+
+**Backup Capabilities**:
+- **Full Backups**: Complete system state capture including all add-ons,
+  configuration, and data
+- **Partial Backups**: Selective backup of specific components (Home Assistant,
+  add-ons, folders)
+- **Encrypted Backups**: Optional backup encryption with user-provided passwords
+- **Multiple Storage Locations**: Local storage and remote backup destinations
+
+**Recovery Features**:
+- **One-click Restore**: Simple restoration from backup files
+- **Selective Restore**: Choose specific components to restore
+- **Automatic Recovery**: Self-healing for common system issues
+
+---
+
+## Supervisor Development
+
+### Python Requirements
+
+  - **Compatibility**: Python 3.14+
+  - **Language Features**: Use modern Python features:
+  - Type hints with `typing` module
+  - f-strings (preferred over `%` or `.format()`)
+  - Dataclasses and enum classes
+  - Async/await patterns
+  - Pattern matching where appropriate
+  - Parenthesis-free `except` clauses with comma-separated exceptions
+    (e.g., `except KeyError, TypeError:`) — available since Python 3.14
+
+### Code Quality Standards
+
+- **Formatting**: Ruff
+- **Linting**: PyLint and Ruff  
+- **Type Checking**: MyPy
+- **Testing**: pytest with asyncio support
+- **Language**: American English for all code, comments, and documentation
+
+### Code Organization
+
+**Core Structure**:
+```
+supervisor/
+├── __init__.py           # Package initialization
+├── const.py             # Constants and enums
+├── coresys.py           # Core system management
+├── bootstrap.py         # System initialization
+├── exceptions.py        # Custom exception classes
+├── api/                 # REST API endpoints
+├── addons/              # Add-on management
+├── backups/             # Backup system
+├── docker/              # Docker integration
+├── host/                # Host system interface
+├── homeassistant/       # Home Assistant Core management
+├── dbus/                # D-Bus system integration
+├── hardware/            # Hardware detection and management
+├── plugins/             # Plugin system
+├── resolution/          # Issue detection and resolution
+├── security/            # Security management
+├── services/            # Service discovery and management
+├── store/               # Add-on store management
+└── utils/               # Utility functions
+```
+
+**Shared Constants**: Use constants from `supervisor/const.py` instead of hardcoding
+values. Define new constants following existing patterns and group related constants
+together.
+
+### Supervisor Architecture Patterns
+
+**CoreSysAttributes Inheritance Pattern**: Nearly all major classes in Supervisor
+inherit from `CoreSysAttributes`, providing access to the centralized system state
+via `self.coresys` and convenient `sys_*` properties.
+
+```python
+# Standard Supervisor class pattern
+class MyManager(CoreSysAttributes):
+    """Manage my functionality."""
+    
+    def __init__(self, coresys: CoreSys):
+        """Initialize manager."""
+        self.coresys: CoreSys = coresys
+        self._component: MyComponent = MyComponent(coresys)
+    
+    @property
+    def component(self) -> MyComponent:
+        """Return component handler."""
+        return self._component
+    
+    # Access system components via inherited properties
+    async def do_something(self):
+        await self.sys_docker.containers.get("my_container")
+        self.sys_bus.fire_event(BusEvent.MY_EVENT, {"data": "value"})
+```
+
+**Key Inherited Properties from CoreSysAttributes**:
+- `self.sys_docker` - Docker API access
+- `self.sys_run_in_executor()` - Execute blocking operations
+- `self.sys_create_task()` - Create async tasks
+- `self.sys_bus` - Event bus for system events
+- `self.sys_config` - System configuration
+- `self.sys_homeassistant` - Home Assistant Core management
+- `self.sys_addons` - Add-on management
+- `self.sys_host` - Host system access
+- `self.sys_dbus` - D-Bus system interface
+
+**Load Pattern**: Many components implement a `load()` method which effectively
+initialize the component from external sources (containers, files, D-Bus services).
+
+### API Development
+
+**REST API Structure**:
+- **Base Path**: `/api/` for all endpoints
+- **Authentication**: Bearer token authentication
+- **Consistent Response Format**: `{"result": "ok", "data": {...}}` or
+  `{"result": "error", "message": "..."}`
+- **Validation**: Use voluptuous schemas with `api_validate()`
+
+**Use `@api_process` Decorator**: This decorator handles all standard error handling
+and response formatting automatically. The decorator catches `APIError`, `HassioError`,
+and other exceptions, returning appropriate HTTP responses.
+
+```python
+from ..api.utils import api_process, api_validate
+
+@api_process
+async def backup_full(self, request: web.Request) -> dict[str, Any]:
+    """Create full backup."""
+    body = await api_validate(SCHEMA_BACKUP_FULL, request)
+    job = await self.sys_backups.do_backup_full(**body)
+    return {ATTR_JOB_ID: job.uuid}
+```
+
+### Docker Integration
+
+- **Container Management**: Use Supervisor's Docker manager instead of direct
+  Docker API
+- **Networking**: Supervisor manages internal Docker networks with predefined IP
+  ranges
+- **Security**: AppArmor profiles, capability restrictions, and user namespace
+  isolation
+- **Health Checks**: Implement health monitoring for all managed containers
+
+### D-Bus Integration
+
+- **Use dbus-fast**: Async D-Bus library for system integration
+- **Service Management**: systemd, NetworkManager, hostname management
+- **Error Handling**: Wrap D-Bus exceptions in Supervisor-specific exceptions
+
+### Async Programming
+
+- **All I/O operations must be async**: File operations, network calls, subprocess
+  execution
+- **Use asyncio patterns**: Prefer `asyncio.gather()` over sequential awaits
+- **Executor jobs**: Use `self.sys_run_in_executor()` for blocking operations
+- **Two-phase initialization**: `__init__` for sync setup, `post_init()` for async
+  initialization
+
+### Testing
+
+- **Location**: `tests/` directory with module mirroring
+- **Fixtures**: Extensive use of pytest fixtures for CoreSys setup
+- **Mocking**: Mock external dependencies (Docker, D-Bus, network calls)
+- **Coverage**: Minimum 90% test coverage, 100% for security-sensitive code
+- **Style**: Use plain `test_` functions, not `Test*` classes — test classes are
+  considered legacy style in this project
+
+### Error Handling
+
+- **Custom Exceptions**: Defined in `exceptions.py` with clear inheritance hierarchy
+- **Error Propagation**: Use `from` clause for exception chaining
+- **API Errors**: Use `APIError` with appropriate HTTP status codes
+
+### Security Considerations
+
+- **Container Security**: AppArmor profiles mandatory for add-ons, minimal
+  capabilities
+- **Authentication**: Token-based API authentication with role-based access
+- **Data Protection**: Backup encryption, secure secret management, comprehensive
+  input validation
+
+### Development Commands
+
+```bash
+# Run tests, adjust paths as necessary
+pytest -qsx tests/
+
+# Linting and formatting
+ruff check supervisor/
+ruff format supervisor/
+
+# Type checking
+mypy --ignore-missing-imports supervisor/
+
+# Pre-commit hooks
+pre-commit run --all-files
+```
+
+Always run the pre-commit hooks at the end of code editing.
+
+### Common Patterns to Follow
+
+**✅ Use These Patterns**:
+- Inherit from `CoreSysAttributes` for system access
+- Use `@api_process` decorator for API endpoints
+- Use `self.sys_run_in_executor()` for blocking operations
+- Access Docker via `self.sys_docker` not direct Docker API
+- Use constants from `const.py` instead of hardcoding
+- Store types in (per-module) `const.py` (e.g. supervisor/store/const.py)
+- Use relative imports within the `supervisor/` package (e.g., `from ..docker.manager import ExecReturn`)
+
+**❌ Avoid These Patterns**:
+- Direct Docker API usage - use Supervisor's Docker manager
+- Blocking operations in async context (use asyncio alternatives)
+- Hardcoded values - use constants from `const.py`
+- Manual error handling in API endpoints - let `@api_process` handle it
+- Absolute imports within the `supervisor/` package (e.g., `from supervisor.docker.manager import ...`) - use relative imports instead
+
+This guide provides the foundation for contributing to Home Assistant Supervisor.
+Follow these patterns and guidelines to ensure code quality, security, and
+maintainability.
--- a/.github/release-drafter.yml
+++ b/.github/release-drafter.yml
@@ -5,45 +5,53 @@ categories:
  - title: ":boom: Breaking Changes"
    label: "breaking-change"

-  - title: ":wrench: Build"
-    label: "build"
-
-  - title: ":boar: Chore"
-    label: "chore"
-
  - title: ":sparkles: New Features"
    label: "new-feature"

-  - title: ":zap: Performance"
-    label: "performance"
-
-  - title: ":recycle: Refactor"
-    label: "refactor"
-
-  - title: ":green_heart: CI"
-    label: "ci"
-
  - title: ":bug: Bug Fixes"
    label: "bugfix"

-  - title: ":white_check_mark: Test"
+  - title: ":gem: Style"
+    label: "style"
+
+  - title: ":package: Refactor"
+    label: "refactor"
+
+  - title: ":rocket: Performance"
+    label: "performance"
+
+  - title: ":rotating_light: Test"
    label: "test"

+  - title: ":hammer_and_wrench: Build"
+    label: "build"
+
+  - title: ":gear: CI"
+    label: "ci"
+
+  - title: ":recycle: Chore"
+    label: "chore"
+
+  - title: ":wastebasket: Revert"
+    label: "revert"
+
  - title: ":arrow_up: Dependency Updates"
    label: "dependencies"
    collapse-after: 1

 include-labels:
  - "breaking-change"
-  - "build"
-  - "chore"
-  - "performance"
-  - "refactor"
  - "new-feature"
  - "bugfix"
-  - "dependencies"
+  - "style"
+  - "refactor"
+  - "performance"
  - "test"
+  - "build"
  - "ci"
+  - "chore"
+  - "revert"
+  - "dependencies"

 template: |

--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -25,17 +25,20 @@ on:
  push:
    branches: ["main"]
    paths:
+      - ".github/workflows/builder.yml"
      - "rootfs/**"
      - "supervisor/**"
-      - build.yaml
      - Dockerfile
      - requirements.txt
      - setup.py

 env:
-  DEFAULT_PYTHON: "3.11"
+  DEFAULT_PYTHON: "3.14.3"
+  COSIGN_VERSION: "v2.5.3"
  BUILD_NAME: supervisor
  BUILD_TYPE: supervisor
+  IMAGE_NAME: hassio-supervisor
+  ARCHITECTURES: '["amd64", "aarch64"]'

 concurrency:
  group: "${{ github.workflow }}-${{ github.ref }}"
@@ -46,21 +49,17 @@ jobs:
    name: Initialize build
    runs-on: ubuntu-latest
    outputs:
-      architectures: ${{ steps.info.outputs.architectures }}
      version: ${{ steps.version.outputs.version }}
      channel: ${{ steps.version.outputs.channel }}
      publish: ${{ steps.version.outputs.publish }}
-      requirements: ${{ steps.requirements.outputs.changed }}
+      build_wheels: ${{ steps.requirements.outputs.build_wheels }}
+      matrix: ${{ steps.matrix.outputs.matrix }}
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

-      - name: Get information
-        id: info
-        uses: home-assistant/actions/helpers/info@master
-
      - name: Get version
        id: version
        uses: home-assistant/actions/helpers/version@master
@@ -69,76 +68,113 @@ jobs:

      - name: Get changed files
        id: changed_files
-        if: steps.version.outputs.publish == 'false'
-        uses: jitterbit/get-changed-files@v1
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        uses: masesgroup/retrieve-changed-files@45a8b3b496d2d6037cbd553e8a3450989b9384a2 # v4.0.0

      - name: Check if requirements files changed
        id: requirements
        run: |
-          if [[ "${{ steps.changed_files.outputs.all }}" =~ (requirements.txt|build.json) ]]; then
-            echo "::set-output name=changed::true"
+          # No wheels build necessary for releases
+          if [[ "${{ github.event_name }}" == "release" ]]; then
+            echo "build_wheels=false" >> "$GITHUB_OUTPUT"
+          # Always build wheels for manual dispatches
+          elif [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            echo "build_wheels=true" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ steps.changed_files.outputs.all }}" =~ (requirements\.txt|\.github/workflows/builder\.yml) ]]; then
+            echo "build_wheels=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "build_wheels=false" >> "$GITHUB_OUTPUT"
          fi

+      - name: Get build matrix
+        id: matrix
+        uses: home-assistant/builder/actions/prepare-multi-arch-matrix@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
+        with:
+          architectures: ${{ env.ARCHITECTURES }}
+          image-name: ${{ env.IMAGE_NAME }}
+
  build:
    name: Build ${{ matrix.arch }} supervisor
    needs: init
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
    permissions:
      contents: read
      id-token: write
      packages: write
    strategy:
-      matrix:
-        arch: ${{ fromJson(needs.init.outputs.architectures) }}
+      matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
+    env:
+      WHEELS_ABI: cp314
+      WHEELS_TAG: musllinux_1_2
+      WHEELS_APK_DEPS: "libffi-dev;openssl-dev;yaml-dev"
+      WHEELS_SKIP_BINARY: aiohttp
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

-      - name: Write env-file
-        if: needs.init.outputs.requirements == 'true'
+      - name: Write env-file for wheels build
+        if: needs.init.outputs.build_wheels == 'true'
        run: |
          (
            # Fix out of memory issues with rust
            echo "CARGO_NET_GIT_FETCH_WITH_CLI=true"
          ) > .env_file

-      - name: Build wheels
-        if: needs.init.outputs.requirements == 'true'
-        uses: home-assistant/wheels@2023.10.5
+      - name: Build and publish wheels
+        if: needs.init.outputs.build_wheels == 'true' && needs.init.outputs.publish == 'true'
+        uses: home-assistant/wheels@e5742a69d69f0e274e2689c998900c7d19652c21 # 2025.12.0
        with:
-          abi: cp311
-          tag: musllinux_1_2
-          arch: ${{ matrix.arch }}
          wheels-key: ${{ secrets.WHEELS_KEY }}
-          apk: "libffi-dev;openssl-dev;yaml-dev"
-          skip-binary: aiohttp
+          abi: ${{ env.WHEELS_ABI }}
+          tag: ${{ env.WHEELS_TAG }}
+          arch: ${{ matrix.arch }}
+          apk: ${{ env.WHEELS_APK_DEPS }}
+          skip-binary: ${{ env.WHEELS_SKIP_BINARY }}
          env-file: true
          requirements: "requirements.txt"

-      - name: Set version
-        if: needs.init.outputs.publish == 'true'
-        uses: home-assistant/actions/helpers/version@master
+      - name: Build local wheels
+        if: needs.init.outputs.build_wheels == 'true' && needs.init.outputs.publish == 'false'
+        uses: home-assistant/wheels@e5742a69d69f0e274e2689c998900c7d19652c21 # 2025.12.0
        with:
-          type: ${{ env.BUILD_TYPE }}
+          wheels-host: ""
+          wheels-user: ""
+          wheels-key: ""
+          local-wheels-repo-path: "wheels/"
+          abi: ${{ env.WHEELS_ABI }}
+          tag: ${{ env.WHEELS_TAG }}
+          arch: ${{ matrix.arch }}
+          apk: ${{ env.WHEELS_APK_DEPS }}
+          skip-binary: ${{ env.WHEELS_SKIP_BINARY }}
+          env-file: true
+          requirements: "requirements.txt"
+
+      - name: Upload local wheels artifact
+        if: needs.init.outputs.build_wheels == 'true' && needs.init.outputs.publish == 'false'
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        with:
+          name: wheels-${{ matrix.arch }}
+          path: wheels
+          retention-days: 1

      - name: Set up Python ${{ env.DEFAULT_PYTHON }}
        if: needs.init.outputs.publish == 'true'
-        uses: actions/setup-python@v4.7.1
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.DEFAULT_PYTHON }}

      - name: Install Cosign
        if: needs.init.outputs.publish == 'true'
-        uses: sigstore/cosign-installer@v3.2.0
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
        with:
-          cosign-release: "v2.0.2"
+          cosign-release: ${{ env.COSIGN_VERSION }}

      - name: Install dirhash and calc hash
        if: needs.init.outputs.publish == 'true'
        run: |
-          pip3 install dirhash
+          pip3 install setuptools dirhash
          dir_hash="$(dirhash "${{ github.workspace }}/supervisor" -a sha256 --match "*.py")"
          echo "${dir_hash}" > rootfs/supervisor.sha256

@@ -147,38 +183,48 @@ jobs:
        run: |
          cosign sign-blob --yes rootfs/supervisor.sha256 --bundle rootfs/supervisor.sha256.sig

-      - name: Login to GitHub Container Registry
-        if: needs.init.outputs.publish == 'true'
-        uses: docker/login-action@v3.0.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Set build arguments
-        if: needs.init.outputs.publish == 'false'
-        run: echo "BUILD_ARGS=--test" >> $GITHUB_ENV
-
      - name: Build supervisor
-        uses: home-assistant/builder@2023.09.0
+        uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
        with:
-          args: |
-            $BUILD_ARGS \
-            --${{ matrix.arch }} \
-            --target /data \
-            --cosign \
-            --generic ${{ needs.init.outputs.version }}
-        env:
-          CAS_API_KEY: ${{ secrets.CAS_TOKEN }}
+          arch: ${{ matrix.arch }}
+          container-registry-password: ${{ secrets.GITHUB_TOKEN }}
+          cosign-base-identity: 'https://github.com/home-assistant/docker-base/.*'
+          cosign-base-verify: ghcr.io/home-assistant/base-python:3.14-alpine3.22
+          image: ${{ matrix.image }}
+          image-tags: |
+            ${{ needs.init.outputs.version }}
+            latest
+          push: ${{ needs.init.outputs.publish == 'true' }}
+          version: ${{ needs.init.outputs.version }}
+
+  manifest:
+    name: Publish multi-arch manifest
+    needs: ["init", "build"]
+    if: needs.init.outputs.publish == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+    steps:
+      - name: Publish multi-arch manifest
+        uses: home-assistant/builder/actions/publish-multi-arch-manifest@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
+        with:
+          architectures: ${{ env.ARCHITECTURES }}
+          container-registry-password: ${{ secrets.GITHUB_TOKEN }}
+          image-name: ${{ env.IMAGE_NAME }}
+          image-tags: |
+            ${{ needs.init.outputs.version }}
+            latest

  version:
    name: Update version
+    if: github.repository_owner == 'home-assistant'
    needs: ["init", "run_supervisor"]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the repository
        if: needs.init.outputs.publish == 'true'
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Initialize git
        if: needs.init.outputs.publish == 'true'
@@ -203,18 +249,28 @@ jobs:
    timeout-minutes: 60
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

+      - name: Download local wheels artifact
+        if: needs.init.outputs.build_wheels == 'true' && needs.init.outputs.publish == 'false'
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: wheels-amd64
+          path: wheels
+
+      # Build the Supervisor for non-publish runs (e.g. PRs)
      - name: Build the Supervisor
        if: needs.init.outputs.publish != 'true'
-        uses: home-assistant/builder@2023.09.0
+        uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
        with:
-          args: |
-            --test \
-            --amd64 \
-            --target /data \
-            --generic runner
+          arch: amd64
+          container-registry-password: ${{ secrets.GITHUB_TOKEN }}
+          image: ghcr.io/home-assistant/amd64-hassio-supervisor
+          image-tags: runner
+          load: true
+          version: ${{ needs.init.outputs.version }}

+      # Pull the Supervisor for publish runs to test the published image
      - name: Pull Supervisor
        if: needs.init.outputs.publish == 'true'
        run: |
@@ -228,9 +284,10 @@ jobs:
            --privileged \
            --security-opt seccomp=unconfined \
            --security-opt apparmor=unconfined \
-            -v /run/docker.sock:/run/docker.sock \
-            -v /run/dbus:/run/dbus \
-            -v /tmp/supervisor/data:/data \
+            -v /run/docker.sock:/run/docker.sock:rw \
+            -v /run/dbus:/run/dbus:ro \
+            -v /run/supervisor:/run/os:rw \
+            -v /tmp/supervisor/data:/data:rw,slave \
            -v /etc/machine-id:/etc/machine-id:ro \
            -e SUPERVISOR_SHARE="/tmp/supervisor/data" \
            -e SUPERVISOR_NAME=hassio_supervisor \
@@ -241,14 +298,68 @@ jobs:
      - name: Start the Supervisor
        run: docker start hassio_supervisor

-      - name: Wait for Supervisor to come up
+      - &wait_for_supervisor
+        name: Wait for Supervisor to come up
        run: |
-          SUPERVISOR=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' hassio_supervisor)
-          ping="error"
-          while [ "$ping" != "ok" ]; do
-            ping=$(curl -sSL "http://$SUPERVISOR/supervisor/ping" | jq -r '.result')
-            sleep 5
+          until SUPERVISOR=$(docker inspect --format='{{.NetworkSettings.Networks.hassio.IPAddress}}' hassio_supervisor 2>/dev/null) && \
+                [ -n "$SUPERVISOR" ] && [ "$SUPERVISOR" != "<no value>" ]; do
+            echo "Waiting for network configuration..."
+            sleep 1
          done
+          echo "Waiting for Supervisor API at http://${SUPERVISOR}/supervisor/ping"
+          timeout=300
+          elapsed=0
+
+          while [ $elapsed -lt $timeout ]; do
+            if response=$(curl -sSf "http://${SUPERVISOR}/supervisor/ping" 2>/dev/null); then
+              if echo "$response" | jq -e '.result == "ok"' >/dev/null 2>&1; then
+                echo "Supervisor is up! (took ${elapsed}s)"
+                exit 0
+              fi
+            fi
+
+            if [ $((elapsed % 15)) -eq 0 ]; then
+              echo "Still waiting... (${elapsed}s/${timeout}s)"
+            fi
+
+            sleep 5
+            elapsed=$((elapsed + 5))
+          done
+
+          echo "ERROR: Supervisor failed to start within ${timeout}s"
+          echo "Last response: $response"
+          echo "Checking supervisor logs..."
+          docker logs --tail 50 hassio_supervisor
+          exit 1
+
+      # Wait for Core to come up so subsequent steps (backup, addon install) succeed.
+      # On first startup, Supervisor installs Core via the "home_assistant_core_install"
+      # job (which pulls the image and then starts Core). Jobs with cleanup=True are
+      # removed from the jobs list once done, so we poll until it's gone.
+      - name: Wait for Core to be started
+        run: |
+          echo "Waiting for Home Assistant Core to be installed and started..."
+          timeout=300
+          elapsed=0
+
+          while [ $elapsed -lt $timeout ]; do
+            jobs=$(docker exec hassio_cli ha jobs info --no-progress --raw-json | jq -r '.data.jobs[] | select(.name == "home_assistant_core_install" and .done == false) | .name' 2>/dev/null)
+            if [ -z "$jobs" ]; then
+              echo "Home Assistant Core install/start complete (took ${elapsed}s)"
+              exit 0
+            fi
+
+            if [ $((elapsed % 15)) -eq 0 ]; then
+              echo "Core still installing... (${elapsed}s/${timeout}s)"
+            fi
+
+            sleep 5
+            elapsed=$((elapsed + 5))
+          done
+
+          echo "ERROR: Home Assistant Core failed to install/start within ${timeout}s"
+          docker logs --tail 50 hassio_supervisor
+          exit 1

      - name: Check the Supervisor
        run: |
@@ -264,59 +375,32 @@ jobs:
            exit 1
          fi

-      - name: Check the Store / Addon
+      - name: Check the Store / App
        run: |
-          echo "Install Core SSH Add-on"
-          test=$(docker exec hassio_cli ha addons install core_ssh --no-progress --raw-json | jq -r '.result')
+          echo "Install Core SSH app"
+          test=$(docker exec hassio_cli ha apps install core_ssh --no-progress --raw-json | jq -r '.result')
          if [ "$test" != "ok" ]; then
            exit 1
          fi

          # Make sure it actually installed
-          test=$(docker exec hassio_cli ha addons info core_ssh --no-progress --raw-json | jq -r '.data.version')
+          test=$(docker exec hassio_cli ha apps info core_ssh --no-progress --raw-json | jq -r '.data.version')
          if [[ "$test" == "null" ]]; then
            exit 1
          fi

-          echo "Start Core SSH Add-on"
-          test=$(docker exec hassio_cli ha addons start core_ssh --no-progress --raw-json | jq -r '.result')
+          echo "Start Core SSH app"
+          test=$(docker exec hassio_cli ha apps start core_ssh --no-progress --raw-json | jq -r '.result')
          if [ "$test" != "ok" ]; then
            exit 1
          fi

          # Make sure its state is started
-          test="$(docker exec hassio_cli ha addons info core_ssh --no-progress --raw-json | jq -r '.data.state')"
+          test="$(docker exec hassio_cli ha apps info core_ssh --no-progress --raw-json | jq -r '.data.state')"
          if [ "$test" != "started" ]; then
            exit 1
          fi

-      - name: Check the Supervisor code sign
-        if: needs.init.outputs.publish == 'true'
-        run: |
-          echo "Enable Content-Trust"
-          test=$(docker exec hassio_cli ha security options --content-trust=true --no-progress --raw-json | jq -r '.result')
-          if [ "$test" != "ok" ]; then
-            exit 1
-          fi
-
-          echo "Run supervisor health check"
-          test=$(docker exec hassio_cli ha resolution healthcheck --no-progress --raw-json | jq -r '.result')
-          if [ "$test" != "ok" ]; then
-            exit 1
-          fi
-
-          echo "Check supervisor unhealthy"
-          test=$(docker exec hassio_cli ha resolution info --no-progress --raw-json | jq -r '.data.unhealthy[]')
-          if [ "$test" != "" ]; then
-            exit 1
-          fi
-
-          echo "Check supervisor supported"
-          test=$(docker exec hassio_cli ha resolution info --no-progress --raw-json | jq -r '.data.unsupported[]')
-          if [[ "$test" =~ source_mods ]]; then
-            exit 1
-          fi
-
      - name: Create full backup
        id: backup
        run: |
@@ -324,11 +408,11 @@ jobs:
          if [ "$(echo $test | jq -r '.result')" != "ok" ]; then
            exit 1
          fi
-          echo "::set-output name=slug::$(echo $test | jq -r '.data.slug')"
+          echo "slug=$(echo $test | jq -r '.data.slug')" >> "$GITHUB_OUTPUT"

-      - name: Uninstall SSH add-on
+      - name: Uninstall SSH app
        run: |
-          test=$(docker exec hassio_cli ha addons uninstall core_ssh --no-progress --raw-json | jq -r '.result')
+          test=$(docker exec hassio_cli ha apps uninstall core_ssh --no-progress --raw-json | jq -r '.result')
          if [ "$test" != "ok" ]; then
            exit 1
          fi
@@ -340,30 +424,23 @@ jobs:
            exit 1
          fi

-      - name: Wait for Supervisor to come up
-        run: |
-          SUPERVISOR=$(docker inspect --format='{{.NetworkSettings.IPAddress}}' hassio_supervisor)
-          ping="error"
-          while [ "$ping" != "ok" ]; do
-            ping=$(curl -sSL "http://$SUPERVISOR/supervisor/ping" | jq -r '.result')
-            sleep 5
-          done
+      - *wait_for_supervisor

-      - name: Restore SSH add-on from backup
+      - name: Restore SSH app from backup
        run: |
-          test=$(docker exec hassio_cli ha backups restore ${{ steps.backup.outputs.slug }} --addons core_ssh --no-progress --raw-json | jq -r '.result')
+          test=$(docker exec hassio_cli ha backups restore ${{ steps.backup.outputs.slug }} --app core_ssh --no-progress --raw-json | jq -r '.result')
          if [ "$test" != "ok" ]; then
            exit 1
          fi

          # Make sure it actually installed
-          test=$(docker exec hassio_cli ha addons info core_ssh --no-progress --raw-json | jq -r '.data.version')
+          test=$(docker exec hassio_cli ha apps info core_ssh --no-progress --raw-json | jq -r '.data.version')
          if [[ "$test" == "null" ]]; then
            exit 1
          fi

          # Make sure its state is started
-          test="$(docker exec hassio_cli ha addons info core_ssh --no-progress --raw-json | jq -r '.data.state')"
+          test="$(docker exec hassio_cli ha apps info core_ssh --no-progress --raw-json | jq -r '.data.state')"
          if [ "$test" != "started" ]; then
            exit 1
          fi
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -8,8 +8,9 @@ on:
  pull_request: ~

 env:
-  DEFAULT_PYTHON: "3.11"
-  PRE_COMMIT_HOME: ~/.cache/pre-commit
+  DEFAULT_PYTHON: "3.14.3"
+  PRE_COMMIT_CACHE: ~/.cache/pre-commit
+  MYPY_CACHE_VERSION: 1

 concurrency:
  group: "${{ github.workflow }}-${{ github.ref }}"
@@ -25,15 +26,15 @@ jobs:
    name: Prepare Python dependencies
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Python
        id: python
-        uses: actions/setup-python@v4.7.1
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        with:
          python-version: ${{ env.DEFAULT_PYTHON }}
      - name: Restore Python virtual environment
        id: cache-venv
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: venv
          key: |
@@ -47,9 +48,10 @@ jobs:
          pip install -r requirements.txt -r requirements_tests.txt
      - name: Restore pre-commit environment from cache
        id: cache-precommit
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
-          path: ${{ env.PRE_COMMIT_HOME }}
+          path: ${{ env.PRE_COMMIT_CACHE }}
+          lookup-only: true
          key: |
            ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
          restore-keys: |
@@ -60,21 +62,21 @@ jobs:
          . venv/bin/activate
          pre-commit install-hooks

-  lint-black:
-    name: Check black
+  lint-ruff-format:
+    name: Check ruff-format
    runs-on: ubuntu-latest
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@v4.7.1
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
      - name: Restore Python virtual environment
        id: cache-venv
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: venv
          key: |
@@ -84,10 +86,67 @@ jobs:
        run: |
          echo "Failed to restore Python virtual environment from cache"
          exit 1
-      - name: Run black
+      - name: Restore pre-commit environment from cache
+        id: cache-precommit
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        with:
+          path: ${{ env.PRE_COMMIT_CACHE }}
+          key: |
+            ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
+      - name: Fail job if cache restore failed
+        if: steps.cache-venv.outputs.cache-hit != 'true'
+        run: |
+          echo "Failed to restore Python virtual environment from cache"
+          exit 1
+      - name: Run ruff-format
        run: |
          . venv/bin/activate
-          black --target-version py311 --check supervisor tests setup.py
+          pre-commit run --hook-stage manual ruff-format --all-files --show-diff-on-failure
+        env:
+          RUFF_OUTPUT_FORMAT: github
+
+  lint-ruff:
+    name: Check ruff
+    runs-on: ubuntu-latest
+    needs: prepare
+    steps:
+      - name: Check out code from GitHub
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        id: python
+        with:
+          python-version: ${{ needs.prepare.outputs.python-version }}
+      - name: Restore Python virtual environment
+        id: cache-venv
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        with:
+          path: venv
+          key: |
+            ${{ runner.os }}-venv-${{ needs.prepare.outputs.python-version }}-${{ hashFiles('requirements.txt') }}-${{ hashFiles('requirements_tests.txt') }}
+      - name: Fail job if Python cache restore failed
+        if: steps.cache-venv.outputs.cache-hit != 'true'
+        run: |
+          echo "Failed to restore Python virtual environment from cache"
+          exit 1
+      - name: Restore pre-commit environment from cache
+        id: cache-precommit
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        with:
+          path: ${{ env.PRE_COMMIT_CACHE }}
+          key: |
+            ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
+      - name: Fail job if cache restore failed
+        if: steps.cache-venv.outputs.cache-hit != 'true'
+        run: |
+          echo "Failed to restore Python virtual environment from cache"
+          exit 1
+      - name: Run ruff
+        run: |
+          . venv/bin/activate
+          pre-commit run --hook-stage manual ruff --all-files --show-diff-on-failure
+        env:
+          RUFF_OUTPUT_FORMAT: github

  lint-dockerfile:
    name: Check Dockerfile
@@ -95,7 +154,7 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Register hadolint problem matcher
        run: |
          echo "::add-matcher::.github/workflows/matchers/hadolint.json"
@@ -110,15 +169,15 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@v4.7.1
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
      - name: Restore Python virtual environment
        id: cache-venv
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: venv
          key: |
@@ -130,9 +189,9 @@ jobs:
          exit 1
      - name: Restore pre-commit environment from cache
        id: cache-precommit
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
-          path: ${{ env.PRE_COMMIT_HOME }}
+          path: ${{ env.PRE_COMMIT_CACHE }}
          key: |
            ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
      - name: Fail job if cache restore failed
@@ -148,94 +207,21 @@ jobs:
          . venv/bin/activate
          pre-commit run --hook-stage manual check-executables-have-shebangs --all-files

-  lint-flake8:
-    name: Check flake8
-    runs-on: ubuntu-latest
-    needs: prepare
-    steps:
-      - name: Check out code from GitHub
-        uses: actions/checkout@v4.1.1
-      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@v4.7.1
-        id: python
-        with:
-          python-version: ${{ needs.prepare.outputs.python-version }}
-      - name: Restore Python virtual environment
-        id: cache-venv
-        uses: actions/cache@v3.3.2
-        with:
-          path: venv
-          key: |
-            ${{ runner.os }}-venv-${{ needs.prepare.outputs.python-version }}-${{ hashFiles('requirements.txt') }}-${{ hashFiles('requirements_tests.txt') }}
-      - name: Fail job if Python cache restore failed
-        if: steps.cache-venv.outputs.cache-hit != 'true'
-        run: |
-          echo "Failed to restore Python virtual environment from cache"
-          exit 1
-      - name: Register flake8 problem matcher
-        run: |
-          echo "::add-matcher::.github/workflows/matchers/flake8.json"
-      - name: Run flake8
-        run: |
-          . venv/bin/activate
-          flake8 supervisor tests
-
-  lint-isort:
-    name: Check isort
-    runs-on: ubuntu-latest
-    needs: prepare
-    steps:
-      - name: Check out code from GitHub
-        uses: actions/checkout@v4.1.1
-      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@v4.7.1
-        id: python
-        with:
-          python-version: ${{ needs.prepare.outputs.python-version }}
-      - name: Restore Python virtual environment
-        id: cache-venv
-        uses: actions/cache@v3.3.2
-        with:
-          path: venv
-          key: |
-            ${{ runner.os }}-venv-${{ needs.prepare.outputs.python-version }}-${{ hashFiles('requirements.txt') }}-${{ hashFiles('requirements_tests.txt') }}
-      - name: Fail job if Python cache restore failed
-        if: steps.cache-venv.outputs.cache-hit != 'true'
-        run: |
-          echo "Failed to restore Python virtual environment from cache"
-          exit 1
-      - name: Restore pre-commit environment from cache
-        id: cache-precommit
-        uses: actions/cache@v3.3.2
-        with:
-          path: ${{ env.PRE_COMMIT_HOME }}
-          key: |
-            ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
-      - name: Fail job if cache restore failed
-        if: steps.cache-venv.outputs.cache-hit != 'true'
-        run: |
-          echo "Failed to restore Python virtual environment from cache"
-          exit 1
-      - name: Run isort
-        run: |
-          . venv/bin/activate
-          pre-commit run --hook-stage manual isort --all-files --show-diff-on-failure
-
  lint-json:
    name: Check JSON
    runs-on: ubuntu-latest
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@v4.7.1
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
      - name: Restore Python virtual environment
        id: cache-venv
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: venv
          key: |
@@ -247,9 +233,9 @@ jobs:
          exit 1
      - name: Restore pre-commit environment from cache
        id: cache-precommit
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
-          path: ${{ env.PRE_COMMIT_HOME }}
+          path: ${{ env.PRE_COMMIT_CACHE }}
          key: |
            ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
      - name: Fail job if cache restore failed
@@ -271,92 +257,15 @@ jobs:
    needs: prepare
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@v4.7.1
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
      - name: Restore Python virtual environment
        id: cache-venv
-        uses: actions/cache@v3.3.2
-        with:
-          path: venv
-          key: |
-            ${{ runner.os }}-venv-${{ needs.prepare.outputs.python-version }}-${{ hashFiles('requirements.txt') }}-${{ hashFiles('requirements_tests.txt') }}
-      - name: Fail job if Python cache restore failed
-        if: steps.cache-venv.outputs.cache-hit != 'true'
-        run: |
-          echo "Failed to restore Python virtual environment from cache"
-          exit 1
-      - name: Register pylint problem matcher
-        run: |
-          echo "::add-matcher::.github/workflows/matchers/pylint.json"
-      - name: Run pylint
-        run: |
-          . venv/bin/activate
-          pylint supervisor tests
-
-  lint-pyupgrade:
-    name: Check pyupgrade
-    runs-on: ubuntu-latest
-    needs: prepare
-    steps:
-      - name: Check out code from GitHub
-        uses: actions/checkout@v4.1.1
-      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@v4.7.1
-        id: python
-        with:
-          python-version: ${{ needs.prepare.outputs.python-version }}
-      - name: Restore Python virtual environment
-        id: cache-venv
-        uses: actions/cache@v3.3.2
-        with:
-          path: venv
-          key: |
-            ${{ runner.os }}-venv-${{ needs.prepare.outputs.python-version }}-${{ hashFiles('requirements.txt') }}-${{ hashFiles('requirements_tests.txt') }}
-      - name: Fail job if Python cache restore failed
-        if: steps.cache-venv.outputs.cache-hit != 'true'
-        run: |
-          echo "Failed to restore Python virtual environment from cache"
-          exit 1
-      - name: Restore pre-commit environment from cache
-        id: cache-precommit
-        uses: actions/cache@v3.3.2
-        with:
-          path: ${{ env.PRE_COMMIT_HOME }}
-          key: |
-            ${{ runner.os }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
-      - name: Fail job if cache restore failed
-        if: steps.cache-venv.outputs.cache-hit != 'true'
-        run: |
-          echo "Failed to restore Python virtual environment from cache"
-          exit 1
-      - name: Run pyupgrade
-        run: |
-          . venv/bin/activate
-          pre-commit run --hook-stage manual pyupgrade --all-files --show-diff-on-failure
-
-  pytest:
-    runs-on: ubuntu-latest
-    needs: prepare
-    name: Run tests Python ${{ needs.prepare.outputs.python-version }}
-    steps:
-      - name: Check out code from GitHub
-        uses: actions/checkout@v4.1.1
-      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@v4.7.1
-        id: python
-        with:
-          python-version: ${{ needs.prepare.outputs.python-version }}
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.2.0
-        with:
-          cosign-release: "v2.0.2"
-      - name: Restore Python virtual environment
-        id: cache-venv
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: venv
          key: |
@@ -369,7 +278,93 @@ jobs:
      - name: Install additional system dependencies
        run: |
          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends libpulse0 libudev1 dbus dbus-x11
+          sudo apt-get install -y --no-install-recommends libpulse0
+      - name: Register pylint problem matcher
+        run: |
+          echo "::add-matcher::.github/workflows/matchers/pylint.json"
+      - name: Run pylint
+        run: |
+          . venv/bin/activate
+          pylint supervisor tests
+
+  mypy:
+    name: Check mypy
+    runs-on: ubuntu-latest
+    needs: prepare
+    steps:
+      - name: Check out code from GitHub
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        id: python
+        with:
+          python-version: ${{ needs.prepare.outputs.python-version }}
+      - name: Generate partial mypy restore key
+        id: generate-mypy-key
+        run: |
+          mypy_version=$(cat requirements_test.txt | grep mypy | cut -d '=' -f 3)
+          echo "version=$mypy_version" >> $GITHUB_OUTPUT
+          echo "key=mypy-${{ env.MYPY_CACHE_VERSION }}-$mypy_version-$(date -u '+%Y-%m-%dT%H:%M:%s')" >> $GITHUB_OUTPUT
+      - name: Restore Python virtual environment
+        id: cache-venv
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        with:
+          path: venv
+          key: >-
+            ${{ runner.os }}-venv-${{ needs.prepare.outputs.python-version }}-${{ hashFiles('requirements.txt') }}-${{ hashFiles('requirements_tests.txt') }}
+      - name: Fail job if Python cache restore failed
+        if: steps.cache-venv.outputs.cache-hit != 'true'
+        run: |
+          echo "Failed to restore Python virtual environment from cache"
+          exit 1
+      - name: Restore mypy cache
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        with:
+          path: .mypy_cache
+          key: >-
+            ${{ runner.os }}-mypy-${{ needs.prepare.outputs.python-version }}-${{ steps.generate-mypy-key.outputs.key }}
+          restore-keys: >-
+            ${{ runner.os }}-venv-${{ needs.prepare.outputs.python-version }}-mypy-${{ env.MYPY_CACHE_VERSION }}-${{ steps.generate-mypy-key.outputs.version }}
+      - name: Register mypy problem matcher
+        run: |
+          echo "::add-matcher::.github/workflows/matchers/mypy.json"
+      - name: Run mypy
+        run: |
+          . venv/bin/activate
+          mypy --ignore-missing-imports supervisor
+
+  pytest:
+    runs-on: ubuntu-latest
+    needs: prepare
+    name: Run tests Python ${{ needs.prepare.outputs.python-version }}
+    steps:
+      - name: Check out code from GitHub
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        id: python
+        with:
+          python-version: ${{ needs.prepare.outputs.python-version }}
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+        with:
+          cosign-release: "v2.5.3"
+      - name: Restore Python virtual environment
+        id: cache-venv
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        with:
+          path: venv
+          key: |
+            ${{ runner.os }}-venv-${{ needs.prepare.outputs.python-version }}-${{ hashFiles('requirements.txt') }}-${{ hashFiles('requirements_tests.txt') }}
+      - name: Fail job if Python cache restore failed
+        if: steps.cache-venv.outputs.cache-hit != 'true'
+        run: |
+          echo "Failed to restore Python virtual environment from cache"
+          exit 1
+      - name: Install additional system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y --no-install-recommends libpulse0 libudev1 dbus-daemon
      - name: Register Python problem matcher
        run: |
          echo "::add-matcher::.github/workflows/matchers/python.json"
@@ -391,10 +386,11 @@ jobs:
            -o console_output_style=count \
            tests
      - name: Upload coverage artifact
-        uses: actions/upload-artifact@v3.1.3
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
-          name: coverage-${{ matrix.python-version }}
+          name: coverage
          path: .coverage
+          include-hidden-files: true

  coverage:
    name: Process test coverage
@@ -402,15 +398,15 @@ jobs:
    needs: ["pytest", "prepare"]
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up Python ${{ needs.prepare.outputs.python-version }}
-        uses: actions/setup-python@v4.7.1
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
        id: python
        with:
          python-version: ${{ needs.prepare.outputs.python-version }}
      - name: Restore Python virtual environment
        id: cache-venv
-        uses: actions/cache@v3.3.2
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
        with:
          path: venv
          key: |
@@ -421,7 +417,10 @@ jobs:
          echo "Failed to restore Python virtual environment from cache"
          exit 1
      - name: Download all coverage artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        with:
+          name: coverage
+          path: coverage/
      - name: Combine coverage results
        run: |
          . venv/bin/activate
@@ -429,4 +428,4 @@ jobs:
          coverage report
          coverage xml
      - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v3.1.4
+        uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -9,7 +9,7 @@ jobs:
  lock:
    runs-on: ubuntu-latest
    steps:
-      - uses: dessant/lock-threads@v5.0.0
+      - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6.0.0
        with:
          github-token: ${{ github.token }}
          issue-inactive-days: "30"
--- a/.github/workflows/matchers/flake8.json
+++ b/.github/workflows/matchers/flake8.json
@@ -1,30 +0,0 @@
-{
-  "problemMatcher": [
-    {
-      "owner": "flake8-error",
-      "severity": "error",
-      "pattern": [
-        {
-          "regexp": "^(.*):(\\d+):(\\d+):\\s(E\\d{3}\\s.*)$",
-          "file": 1,
-          "line": 2,
-          "column": 3,
-          "message": 4
-        }
-      ]
-    },
-    {
-      "owner": "flake8-warning",
-      "severity": "warning",
-      "pattern": [
-        {
-          "regexp": "^(.*):(\\d+):(\\d+):\\s([CDFNW]\\d{3}\\s.*)$",
-          "file": 1,
-          "line": 2,
-          "column": 3,
-          "message": 4
-        }
-      ]
-    }
-  ]
-}
--- a/.github/workflows/matchers/mypy.json
+++ b/.github/workflows/matchers/mypy.json
@@ -0,0 +1,16 @@
+{
+    "problemMatcher": [
+        {
+            "owner": "mypy",
+            "pattern": [
+                {
+                    "regexp": "^(.+):(\\d+):\\s(error|warning):\\s(.+)$",
+                    "file": 1,
+                    "line": 2,
+                    "severity": 3,
+                    "message": 4
+                }
+            ]
+        }
+    ]
+}
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -11,7 +11,7 @@ jobs:
    name: Release Drafter
    steps:
      - name: Checkout the repository
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

@@ -33,10 +33,10 @@ jobs:

          echo Current version:    $latest
          echo New target version: $datepre.$newpost
-          echo "::set-output name=version::$datepre.$newpost"
+          echo "version=$datepre.$newpost" >> "$GITHUB_OUTPUT"

      - name: Run Release Drafter
-        uses: release-drafter/release-drafter@v5.25.0
+        uses: release-drafter/release-drafter@5de93583980a40bd78603b6dfdcda5b4df377b32 # v7.2.0
        with:
          tag: ${{ steps.version.outputs.version }}
          name: ${{ steps.version.outputs.version }}
--- a/.github/workflows/restrict-task-creation.yml
+++ b/.github/workflows/restrict-task-creation.yml
@@ -0,0 +1,58 @@
+name: Restrict task creation
+
+# yamllint disable-line rule:truthy
+on:
+  issues:
+    types: [opened]
+
+jobs:
+  check-authorization:
+    runs-on: ubuntu-latest
+    # Only run if this is a Task issue type (from the issue form)
+    if: github.event.issue.type.name == 'Task'
+    steps:
+      - name: Check if user is authorized
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        with:
+          script: |
+            const issueAuthor = context.payload.issue.user.login;
+
+            // Check if user is an organization member
+            try {
+              await github.rest.orgs.checkMembershipForUser({
+                org: 'home-assistant',
+                username: issueAuthor
+              });
+              console.log(`✅ ${issueAuthor} is an organization member`);
+              return; // Authorized
+            } catch (error) {
+              console.log(`❌ ${issueAuthor} is not authorized to create Task issues`);
+            }
+
+            // Close the issue with a comment
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              body: `Hi @${issueAuthor}, thank you for your contribution!\n\n` +
+                    `Task issues are restricted to Open Home Foundation staff and authorized contributors.\n\n` +
+                    `If you would like to:\n` +
+                    `- Report a bug: Please use the [bug report form](https://github.com/home-assistant/supervisor/issues/new?template=bug_report.yml)\n` +
+                    `- Request a feature: Please submit to [Feature Requests](https://github.com/orgs/home-assistant/discussions)\n\n` +
+                    `If you believe you should have access to create Task issues, please contact the maintainers.`
+            });
+
+            await github.rest.issues.update({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              state: 'closed'
+            });
+
+            // Add a label to indicate this was auto-closed
+            await github.rest.issues.addLabels({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              labels: ['auto-closed']
+            });
--- a/.github/workflows/sentry.yaml
+++ b/.github/workflows/sentry.yaml
@@ -10,9 +10,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code from GitHub
-        uses: actions/checkout@v4.1.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Sentry Release
-        uses: getsentry/action-release@v1.4.1
+        uses: getsentry/action-release@5657c9e888b4e2cc85f4d29143ea4131fde4a73a # v3.6.0
        env:
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
          SENTRY_ORG: ${{ secrets.SENTRY_ORG }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -9,13 +9,14 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v8.0.0
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: 30
          days-before-close: 7
          stale-issue-label: "stale"
          exempt-issue-labels: "no-stale,Help%20wanted,help-wanted,pinned,rfc,security"
+          only-issue-types: "bug"
          stale-issue-message: >
            There hasn't been any activity on this issue recently. Due to the
            high number of incoming GitHub notifications, we have to clean some
--- a/.gitignore
+++ b/.gitignore
@@ -24,6 +24,9 @@ var/
 .installed.cfg
 *.egg

+# Local wheels
+wheels/**/*.whl
+
 # PyInstaller
 #  Usually these files are written by a python script from a template
 #  before PyInstaller builds the exe, so as to inject date/other infos into it.
@@ -100,3 +103,6 @@ ENV/
 # mypy
 /.mypy_cache/*
 /.dmypy.json
+
+# Mac
+.DS_Store
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,4 +0,0 @@
-[submodule "home-assistant-polymer"]
-	path = home-assistant-polymer
-	url = https://github.com/home-assistant/home-assistant-polymer
-	branch = dev
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,34 +1,27 @@
 repos:
-  - repo: https://github.com/psf/black
-    rev: 23.1.0
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.14.3
    hooks:
-      - id: black
+      - id: ruff
        args:
-          - --safe
-          - --quiet
-          - --target-version
-          - py311
+          - --fix
+      - id: ruff-format
        files: ^((supervisor|tests)/.+)?[^/]+\.py$
-  - repo: https://github.com/PyCQA/flake8
-    rev: 6.0.0
-    hooks:
-      - id: flake8
-        additional_dependencies:
-          - flake8-docstrings==1.7.0
-          - pydocstyle==6.3.0
-        files: ^(supervisor|script|tests)/.+\.py$
  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.3.0
+    rev: v5.0.0
    hooks:
      - id: check-executables-have-shebangs
        stages: [manual]
      - id: check-json
-  - repo: https://github.com/PyCQA/isort
-    rev: 5.12.0
+  - repo: local
    hooks:
-      - id: isort
-  - repo: https://github.com/asottile/pyupgrade
-    rev: v3.15.0
-    hooks:
-      - id: pyupgrade
-        args: [--py311-plus]
+      # Run mypy through our wrapper script in order to get the possible
+      # pyenv and/or virtualenv activated; it may not have been e.g. if
+      # committing from a GUI tool that was not launched from an activated
+      # shell.
+      - id: mypy
+        name: mypy
+        entry: script/run-in-env.sh mypy --ignore-missing-imports
+        language: script
+        types_or: [python, pyi]
+        files: ^supervisor/.+\.(py|pyi)$
--- a/.vscode/tasks.json
+++ b/.vscode/tasks.json
@@ -58,9 +58,23 @@
      "problemMatcher": []
    },
    {
-      "label": "Flake8",
+      "label": "Ruff Check",
      "type": "shell",
-      "command": "flake8 supervisor tests",
+      "command": "ruff check --fix supervisor tests",
+      "group": {
+        "kind": "test",
+        "isDefault": true
+      },
+      "presentation": {
+        "reveal": "always",
+        "panel": "new"
+      },
+      "problemMatcher": []
+    },
+    {
+      "label": "Ruff Format",
+      "type": "shell",
+      "command": "ruff format supervisor tests",
      "group": {
        "kind": "test",
        "isDefault": true
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1 @@
+.github/copilot-instructions.md
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1 @@
+.github/copilot-instructions.md
--- a/44
+++ b/44
@@ -1,21 +1,18 @@
-ARG BUILD_FROM
+ARG BUILD_FROM=ghcr.io/home-assistant/base-python:3.14-alpine3.22-2026.03.1
 FROM ${BUILD_FROM}

 ENV \
    S6_SERVICES_GRACETIME=10000 \
    SUPERVISOR_API=http://localhost \
-    CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
-
-ARG \
-    COSIGN_VERSION \
-    BUILD_ARCH
+    CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 \
+    UV_SYSTEM_PYTHON=true

 # Install base
 WORKDIR /usr/src
 RUN \
    set -x \
    && apk add --no-cache \
-        coreutils \
+        findutils \
        eudev \
        eudev-libs \
        git \
@@ -25,23 +22,40 @@ RUN \
        openssl \
        yaml \
    \
-    && curl -Lso /usr/bin/cosign "https://github.com/home-assistant/cosign/releases/download/${COSIGN_VERSION}/cosign_${BUILD_ARCH}" \
-    && chmod a+x /usr/bin/cosign
+    && pip3 install uv==0.10.9

 # Install requirements
-COPY requirements.txt .
 RUN \
-    export MAKEFLAGS="-j$(nproc)" \
-    && pip3 install --only-binary=:all: \
-        -r ./requirements.txt \
-    && rm -f requirements.txt
+    --mount=type=bind,source=./requirements.txt,target=/usr/src/requirements.txt \
+    --mount=type=bind,source=./wheels,target=/usr/src/wheels \
+    if ls /usr/src/wheels/musllinux/* >/dev/null 2>&1; then \
+        LOCAL_WHEELS=/usr/src/wheels/musllinux; \
+        echo "Using local wheels from: $LOCAL_WHEELS"; \
+    else \
+        LOCAL_WHEELS=; \
+        echo "No local wheels found"; \
+    fi && \
+    uv pip install --compile-bytecode --no-cache --no-build \
+        -r requirements.txt \
+        ${LOCAL_WHEELS:+--find-links $LOCAL_WHEELS}

 # Install Home Assistant Supervisor
+ARG BUILD_VERSION="9999.09.9.dev9999"
 COPY . supervisor
 RUN \
-    pip3 install -e ./supervisor \
+    sed -i "s/^SUPERVISOR_VERSION =.*/SUPERVISOR_VERSION = \"${BUILD_VERSION}\"/g" /usr/src/supervisor/supervisor/const.py \
+    && uv pip install --no-cache -e ./supervisor \
    && python3 -m compileall ./supervisor/supervisor


 WORKDIR /
 COPY rootfs /
+
+LABEL \
+    io.hass.type="supervisor" \
+    org.opencontainers.image.title="Home Assistant Supervisor" \
+    org.opencontainers.image.description="Container-based system for managing Home Assistant Core installation" \
+    org.opencontainers.image.authors="The Home Assistant Authors" \
+    org.opencontainers.image.url="https://www.home-assistant.io/" \
+    org.opencontainers.image.documentation="https://www.home-assistant.io/docs/" \
+    org.opencontainers.image.licenses="Apache License 2.0"
--- a/README.md
+++ b/README.md
@@ -30,3 +30,5 @@ Releases are done in 3 stages (channels) with this structure:

 [development]: https://developers.home-assistant.io/docs/supervisor/development
 [stable]: https://github.com/home-assistant/version/blob/master/stable.json
+
+[![Home Assistant - A project from the Open Home Foundation](https://www.openhomefoundation.org/badges/home-assistant.png)](https://www.openhomefoundation.org/)
--- a/build.yaml
+++ b/build.yaml
@@ -1,24 +0,0 @@
-image: ghcr.io/home-assistant/{arch}-hassio-supervisor
-build_from:
-  aarch64: ghcr.io/home-assistant/aarch64-base-python:3.11-alpine3.18
-  armhf: ghcr.io/home-assistant/armhf-base-python:3.11-alpine3.18
-  armv7: ghcr.io/home-assistant/armv7-base-python:3.11-alpine3.18
-  amd64: ghcr.io/home-assistant/amd64-base-python:3.11-alpine3.18
-  i386: ghcr.io/home-assistant/i386-base-python:3.11-alpine3.18
-codenotary:
-  signer: notary@home-assistant.io
-  base_image: notary@home-assistant.io
-cosign:
-  base_identity: https://github.com/home-assistant/docker-base/.*
-  identity: https://github.com/home-assistant/supervisor/.*
-args:
-  COSIGN_VERSION: 2.0.2
-labels:
-  io.hass.type: supervisor
-  org.opencontainers.image.title: Home Assistant Supervisor
-  org.opencontainers.image.description: Container-based system for managing Home Assistant Core installation
-  org.opencontainers.image.source: https://github.com/home-assistant/supervisor
-  org.opencontainers.image.authors: The Home Assistant Authors
-  org.opencontainers.image.url: https://www.home-assistant.io/
-  org.opencontainers.image.documentation: https://www.home-assistant.io/docs/
-  org.opencontainers.image.licenses: Apache License 2.0
--- a/codecov.yaml
+++ b/codecov.yaml
@@ -4,8 +4,11 @@ coverage:
  status:
    project:
      default:
-        target: 40
-        threshold: 0.09
+        target: auto
+        threshold: 1
+    patch:
+      default:
+        target: 80
 comment: false
 github_checks:
    annotations: false
--- a/1
+++ b/1
--- a/45
+++ b/45
@@ -1,45 +0,0 @@
-[MASTER]
-reports=no
-jobs=2
-
-good-names=id,i,j,k,ex,Run,_,fp,T,os
-
-extension-pkg-whitelist=
-  ciso8601
-
-# Reasons disabled:
-# format - handled by black
-# locally-disabled - it spams too much
-# duplicate-code - unavoidable
-# cyclic-import - doesn't test if both import on load
-# abstract-class-not-used - is flaky, should not show up but does
-# unused-argument - generic callbacks and setup methods create a lot of warnings
-# too-many-* - are not enforced for the sake of readability
-# too-few-* - same as too-many-*
-# abstract-method - with intro of async there are always methods missing
-disable=
-  format,
-  abstract-method,
-  cyclic-import,
-  duplicate-code,
-  locally-disabled,
-  no-else-return,
-  not-context-manager,
-  too-few-public-methods,
-  too-many-arguments,
-  too-many-branches,
-  too-many-instance-attributes,
-  too-many-lines,
-  too-many-locals,
-  too-many-public-methods,
-  too-many-return-statements,
-  too-many-statements,
-  unused-argument,
-  consider-using-with
-
-[EXCEPTIONS]
-overgeneral-exceptions=builtins.Exception
-
-
-[TYPECHECK]
-ignored-modules = distutils
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -0,0 +1,374 @@
+[build-system]
+requires = ["setuptools~=82.0.0", "wheel~=0.46.1"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "Supervisor"
+dynamic = ["version", "dependencies"]
+license = { text = "Apache-2.0" }
+description = "Open-source private cloud os for Home-Assistant based on HassOS"
+readme = "README.md"
+authors = [
+  { name = "The Home Assistant Authors", email = "hello@home-assistant.io" },
+]
+keywords = ["docker", "home-assistant", "api"]
+requires-python = ">=3.14.0"
+
+[project.urls]
+"Homepage" = "https://www.home-assistant.io/"
+"Source Code" = "https://github.com/home-assistant/supervisor"
+"Bug Reports" = "https://github.com/home-assistant/supervisor/issues"
+"Docs: Dev" = "https://developers.home-assistant.io/"
+"Discord" = "https://www.home-assistant.io/join-chat/"
+"Forum" = "https://community.home-assistant.io/"
+
+[tool.setuptools]
+platforms = ["any"]
+zip-safe = false
+include-package-data = true
+
+[tool.setuptools.packages.find]
+include = ["supervisor*"]
+
+[tool.pylint.MAIN]
+py-version = "3.14"
+# Use a conservative default here; 2 should speed up most setups and not hurt
+# any too bad. Override on command line as appropriate.
+jobs = 2
+persistent = false
+extension-pkg-allow-list = ["ciso8601"]
+
+[tool.pylint.BASIC]
+class-const-naming-style = "any"
+good-names = ["id", "i", "j", "k", "ex", "Run", "_", "fp", "T", "os"]
+
+[tool.pylint."MESSAGES CONTROL"]
+# Reasons disabled:
+# format - handled by ruff
+# abstract-method - with intro of async there are always methods missing
+# cyclic-import - doesn't test if both import on load
+# duplicate-code - unavoidable
+# locally-disabled - it spams too much
+# too-many-* - are not enforced for the sake of readability
+# too-few-* - same as too-many-*
+# unused-argument - generic callbacks and setup methods create a lot of warnings
+disable = [
+  "format",
+  "abstract-method",
+  "cyclic-import",
+  "duplicate-code",
+  "locally-disabled",
+  "no-else-return",
+  "not-context-manager",
+  "too-few-public-methods",
+  "too-many-arguments",
+  "too-many-branches",
+  "too-many-instance-attributes",
+  "too-many-lines",
+  "too-many-locals",
+  "too-many-public-methods",
+  "too-many-return-statements",
+  "too-many-statements",
+  "unused-argument",
+  "consider-using-with",
+
+  # Handled by ruff
+  # Ref: <https://github.com/astral-sh/ruff/issues/970>
+  "await-outside-async",    # PLE1142
+  "bad-str-strip-call",     # PLE1310
+  "bad-string-format-type", # PLE1307
+  "bidirectional-unicode",  # PLE2502
+  "continue-in-finally",    # PLE0116
+  "duplicate-bases",        # PLE0241
+  "format-needs-mapping",   # F502
+  "function-redefined",     # F811
+  # Needed because ruff does not understand type of __all__ generated by a function
+  # "invalid-all-format", # PLE0605
+  "invalid-all-object",                 # PLE0604
+  "invalid-character-backspace",        # PLE2510
+  "invalid-character-esc",              # PLE2513
+  "invalid-character-nul",              # PLE2514
+  "invalid-character-sub",              # PLE2512
+  "invalid-character-zero-width-space", # PLE2515
+  "logging-too-few-args",               # PLE1206
+  "logging-too-many-args",              # PLE1205
+  "missing-format-string-key",          # F524
+  "mixed-format-string",                # F506
+  "no-method-argument",                 # N805
+  "no-self-argument",                   # N805
+  "nonexistent-operator",               # B002
+  "nonlocal-without-binding",           # PLE0117
+  "not-in-loop",                        # F701, F702
+  "notimplemented-raised",              # F901
+  "return-in-init",                     # PLE0101
+  "return-outside-function",            # F706
+  "syntax-error",                       # E999
+  "too-few-format-args",                # F524
+  "too-many-format-args",               # F522
+  "too-many-star-expressions",          # F622
+  "truncated-format-string",            # F501
+  "undefined-all-variable",             # F822
+  "undefined-variable",                 # F821
+  "used-prior-global-declaration",      # PLE0118
+  "yield-inside-async-function",        # PLE1700
+  "yield-outside-function",             # F704
+  "anomalous-backslash-in-string",      # W605
+  "assert-on-string-literal",           # PLW0129
+  "assert-on-tuple",                    # F631
+  "bad-format-string",                  # W1302, F
+  "bad-format-string-key",              # W1300, F
+  "bare-except",                        # E722
+  "binary-op-exception",                # PLW0711
+  "cell-var-from-loop",                 # B023
+  # "dangerous-default-value", # B006, ruff catches new occurrences, needs more work
+  "duplicate-except",                     # B014
+  "duplicate-key",                        # F601
+  "duplicate-string-formatting-argument", # F
+  "duplicate-value",                      # F
+  "eval-used",                            # PGH001
+  "exec-used",                            # S102
+  # "expression-not-assigned", # B018, ruff catches new occurrences, needs more work
+  "f-string-without-interpolation",      # F541
+  "forgotten-debug-statement",           # T100
+  "format-string-without-interpolation", # F
+  # "global-statement", # PLW0603, ruff catches new occurrences, needs more work
+  "global-variable-not-assigned",  # PLW0602
+  "implicit-str-concat",           # ISC001
+  "import-self",                   # PLW0406
+  "inconsistent-quotes",           # Q000
+  "invalid-envvar-default",        # PLW1508
+  "keyword-arg-before-vararg",     # B026
+  "logging-format-interpolation",  # G
+  "logging-fstring-interpolation", # G
+  "logging-not-lazy",              # G
+  "misplaced-future",              # F404
+  "named-expr-without-context",    # PLW0131
+  "nested-min-max",                # PLW3301
+  # "pointless-statement", # B018, ruff catches new occurrences, needs more work
+  "raise-missing-from", # TRY200
+  # "redefined-builtin", # A001, ruff is way more stricter, needs work
+  "try-except-raise",               # TRY203
+  "unused-argument",                # ARG001, we don't use it
+  "unused-format-string-argument",  #F507
+  "unused-format-string-key",       # F504
+  "unused-import",                  # F401
+  "unused-variable",                # F841
+  "useless-else-on-loop",           # PLW0120
+  "wildcard-import",                # F403
+  "bad-classmethod-argument",       # N804
+  "consider-iterating-dictionary",  # SIM118
+  "empty-docstring",                # D419
+  "invalid-name",                   # N815
+  "line-too-long",                  # E501, disabled globally
+  "missing-class-docstring",        # D101
+  "missing-final-newline",          # W292
+  "missing-function-docstring",     # D103
+  "missing-module-docstring",       # D100
+  "multiple-imports",               #E401
+  "singleton-comparison",           # E711, E712
+  "subprocess-run-check",           # PLW1510
+  "superfluous-parens",             # UP034
+  "ungrouped-imports",              # I001
+  "unidiomatic-typecheck",          # E721
+  "unnecessary-direct-lambda-call", # PLC3002
+  "unnecessary-lambda-assignment",  # PLC3001
+  "unneeded-not",                   # SIM208
+  "useless-import-alias",           # PLC0414
+  "wrong-import-order",             # I001
+  "wrong-import-position",          # E402
+  "comparison-of-constants",        # PLR0133
+  "comparison-with-itself",         # PLR0124
+  # "consider-alternative-union-syntax", # UP007, typing extension
+  "consider-merging-isinstance", # PLR1701
+  # "consider-using-alias",              # UP006, typing extension
+  "consider-using-dict-comprehension", # C402
+  "consider-using-generator",          # C417
+  "consider-using-get",                # SIM401
+  "consider-using-set-comprehension",  # C401
+  "consider-using-sys-exit",           # PLR1722
+  "consider-using-ternary",            # SIM108
+  "literal-comparison",                # F632
+  "property-with-parameters",          # PLR0206
+  "super-with-arguments",              # UP008
+  "too-many-branches",                 # PLR0912
+  "too-many-return-statements",        # PLR0911
+  "too-many-statements",               # PLR0915
+  "trailing-comma-tuple",              # COM818
+  "unnecessary-comprehension",         # C416
+  "use-a-generator",                   # C417
+  "use-dict-literal",                  # C406
+  "use-list-literal",                  # C405
+  "useless-object-inheritance",        # UP004
+  "useless-return",                    # PLR1711
+  # "no-self-use", # PLR6301  # Optional plugin, not enabled
+]
+
+[tool.pylint.REPORTS]
+score = false
+
+[tool.pylint.TYPECHECK]
+ignored-modules = ["distutils"]
+
+[tool.pylint.FORMAT]
+expected-line-ending-format = "LF"
+
+[tool.pylint.EXCEPTIONS]
+overgeneral-exceptions = ["builtins.BaseException", "builtins.Exception"]
+
+[tool.pylint.DESIGN]
+max-positional-arguments = 10
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+norecursedirs = [".git"]
+log_format = "%(asctime)s.%(msecs)03d %(levelname)-8s %(threadName)s %(name)s:%(filename)s:%(lineno)s %(message)s"
+log_date_format = "%Y-%m-%d %H:%M:%S"
+asyncio_default_fixture_loop_scope = "function"
+asyncio_mode = "auto"
+filterwarnings = [
+  "error",
+  "ignore:pkg_resources is deprecated as an API:DeprecationWarning:dirhash",
+  "ignore::pytest.PytestUnraisableExceptionWarning",
+]
+markers = [
+  "no_mock_init_websession: disable the autouse mock of init_websession for this test",
+]
+
+[tool.ruff]
+lint.select = [
+  "B002",    # Python does not support the unary prefix increment
+  "B007",    # Loop control variable {name} not used within loop body
+  "B014",    # Exception handler with duplicate exception
+  "B023",    # Function definition does not bind loop variable {name}
+  "B026",    # Star-arg unpacking after a keyword argument is strongly discouraged
+  "B904",    # Use raise from to specify exception cause
+  "C",       # complexity
+  "COM818",  # Trailing comma on bare tuple prohibited
+  "D",       # docstrings
+  "DTZ003",  # Use datetime.now(tz=) instead of datetime.utcnow()
+  "DTZ004",  # Use datetime.fromtimestamp(ts, tz=) instead of datetime.utcfromtimestamp(ts)
+  "E",       # pycodestyle
+  "F",       # pyflakes/autoflake
+  "G",       # flake8-logging-format
+  "I",       # isort
+  "ICN001",  # import concentions; {name} should be imported as {asname}
+  "N804",    # First argument of a class method should be named cls
+  "N805",    # First argument of a method should be named self
+  "N815",    # Variable {name} in class scope should not be mixedCase
+  "PGH004",  # Use specific rule codes when using noqa
+  "PLC0414", # Useless import alias. Import alias does not rename original package.
+  "PLC",     # pylint
+  "PLE",     # pylint
+  "PLR",     # pylint
+  "PLW",     # pylint
+  "Q000",    # Double quotes found but single quotes preferred
+  "RUF006",  # Store a reference to the return value of asyncio.create_task
+  "S102",    # Use of exec detected
+  "S103",    # bad-file-permissions
+  "S108",    # hardcoded-temp-file
+  "S306",    # suspicious-mktemp-usage
+  "S307",    # suspicious-eval-usage
+  "S313",    # suspicious-xmlc-element-tree-usage
+  "S314",    # suspicious-xml-element-tree-usage
+  "S315",    # suspicious-xml-expat-reader-usage
+  "S316",    # suspicious-xml-expat-builder-usage
+  "S317",    # suspicious-xml-sax-usage
+  "S318",    # suspicious-xml-mini-dom-usage
+  "S319",    # suspicious-xml-pull-dom-usage
+  "S601",    # paramiko-call
+  "S602",    # subprocess-popen-with-shell-equals-true
+  "S604",    # call-with-shell-equals-true
+  "S608",    # hardcoded-sql-expression
+  "S609",    # unix-command-wildcard-injection
+  "SIM105",  # Use contextlib.suppress({exception}) instead of try-except-pass
+  "SIM117",  # Merge with-statements that use the same scope
+  "SIM118",  # Use {key} in {dict} instead of {key} in {dict}.keys()
+  "SIM201",  # Use {left} != {right} instead of not {left} == {right}
+  "SIM208",  # Use {expr} instead of not (not {expr})
+  "SIM212",  # Use {a} if {a} else {b} instead of {b} if not {a} else {a}
+  "SIM300",  # Yoda conditions. Use 'age == 42' instead of '42 == age'.
+  "SIM401",  # Use get from dict with default instead of an if block
+  "T100",    # Trace found: {name} used
+  "T20",     # flake8-print
+  "TID251",  # Banned imports
+  "TRY004",  # Prefer TypeError exception for invalid type
+  "TRY203",  # Remove exception handler; error is immediately re-raised
+  "UP",      # pyupgrade
+  "W",       # pycodestyle
+]
+
+lint.ignore = [
+  "D202", # No blank lines allowed after function docstring
+  "D203", # 1 blank line required before class docstring
+  "D213", # Multi-line docstring summary should start at the second line
+  "D406", # Section name should end with a newline
+  "D407", # Section name underlining
+  "E501", # line too long
+  "E731", # do not assign a lambda expression, use a def
+
+  # Ignore ignored, as the rule is now back in preview/nursery, which cannot
+  # be ignored anymore without warnings.
+  # https://github.com/astral-sh/ruff/issues/7491
+  # "PLC1901", # Lots of false positives
+
+  # False positives https://github.com/astral-sh/ruff/issues/5386
+  "PLC0208", # Use a sequence type instead of a `set` when iterating over values
+  "PLR0911", # Too many return statements ({returns} > {max_returns})
+  "PLR0912", # Too many branches ({branches} > {max_branches})
+  "PLR0913", # Too many arguments to function call ({c_args} > {max_args})
+  "PLR0915", # Too many statements ({statements} > {max_statements})
+  "PLR2004", # Magic value used in comparison, consider replacing {value} with a constant variable
+  "PLW2901", # Outer {outer_kind} variable {name} overwritten by inner {inner_kind} target
+  "UP006",   # keep type annotation style as is
+  "UP007",   # keep type annotation style as is
+
+  # May conflict with the formatter, https://docs.astral.sh/ruff/formatter/#conflicting-lint-rules
+  "W191",
+  "E111",
+  "E114",
+  "E117",
+  "D206",
+  "D300",
+  "Q000",
+  "Q001",
+  "Q002",
+  "Q003",
+  "COM812",
+  "COM819",
+  "ISC001",
+  "ISC002",
+
+  # Disabled because ruff does not understand type of __all__ generated by a function
+  "PLE0605",
+]
+
+[tool.ruff.lint.flake8-import-conventions.extend-aliases]
+voluptuous = "vol"
+
+[tool.ruff.lint.flake8-pytest-style]
+fixture-parentheses = false
+
+[tool.ruff.lint.flake8-tidy-imports.banned-api]
+"pytz".msg = "use zoneinfo instead"
+
+[tool.ruff.lint.isort]
+force-sort-within-sections = true
+section-order = [
+  "future",
+  "standard-library",
+  "third-party",
+  "first-party",
+  "local-folder",
+]
+forced-separate = ["tests"]
+known-first-party = ["supervisor", "tests"]
+combine-as-imports = true
+split-on-trailing-comma = false
+
+[tool.ruff.lint.per-file-ignores]
+
+# DBus Service Mocks must use typing and names understood by dbus-fast
+"tests/dbus_service_mocks/*.py" = ["F722", "F821", "N815", "UP037"]
+
+[tool.ruff.lint.mccabe]
+max-complexity = 25
--- a/pytest.ini
+++ b/pytest.ini
@@ -1,6 +0,0 @@
-[pytest]
-asyncio_mode = auto
-filterwarnings =
-    error
-    ignore:pkg_resources is deprecated as an API:DeprecationWarning:dirhash
-    ignore::pytest.PytestUnraisableExceptionWarning
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,27 +1,29 @@
-aiodns==3.1.1
-aiohttp==3.9.0
-aiohttp-fast-url-dispatcher==0.1.1
-async_timeout==4.0.3
+aiodns==4.0.0
+aiodocker==0.26.0
+aiohttp==3.13.5
 atomicwrites-homeassistant==1.4.1
-attrs==23.1.0
-awesomeversion==23.11.0
-brotli==1.1.0
-ciso8601==2.3.1
-colorlog==6.7.0
-cpe==1.2.1
-cryptography==41.0.5
-debugpy==1.8.0
-deepmerge==1.1.0
-dirhash==0.2.1
-docker==6.1.3
+attrs==26.1.0
+awesomeversion==25.8.0
+blockbuster==1.5.26
+brotli==1.2.0
+ciso8601==2.3.3
+colorlog==6.10.1
+cpe==1.3.1
+cryptography==46.0.7
+debugpy==1.8.20
+deepmerge==2.0
+dirhash==0.5.0
 faust-cchardet==2.1.19
-gitpython==3.1.40
-jinja2==3.1.2
-pulsectl==23.5.2
-pyudev==0.24.1
-PyYAML==6.0.1
-securetar==2023.3.0
-sentry-sdk==1.35.0
-voluptuous==0.14.1
-dbus-fast==2.14.0
-typing_extensions==4.8.0
+gitpython==3.1.46
+jinja2==3.1.6
+log-rate-limit==1.4.2
+orjson==3.11.8
+pulsectl==24.12.0
+pyudev==0.24.4
+PyYAML==6.0.3
+securetar==2026.4.1
+sentry-sdk==2.57.0
+setuptools==82.0.1
+voluptuous==0.16.0
+dbus-fast==4.0.4
+zlib-fast==0.2.1
--- a/requirements_tests.txt
+++ b/requirements_tests.txt
@@ -1,16 +1,14 @@
-black==23.11.0
-coverage==7.3.2
-flake8-docstrings==1.7.0
-flake8==6.1.0
-pre-commit==3.5.0
-pydocstyle==6.3.0
-pylint==3.0.2
-pytest-aiohttp==1.0.5
-pytest-asyncio==0.18.3
-pytest-cov==4.1.0
-pytest-timeout==2.2.0
-pytest==7.4.3
-pyupgrade==3.15.0
-time-machine==2.13.0
-typing_extensions==4.8.0
-urllib3==2.1.0
+astroid==4.0.3
+coverage==7.13.5
+mypy==1.20.0
+pre-commit==4.5.1
+pylint==4.0.5
+pytest-aiohttp==1.1.0
+pytest-asyncio==1.3.0
+pytest-cov==7.1.0
+pytest-timeout==2.4.0
+pytest==9.0.3
+ruff==0.15.10
+time-machine==3.2.0
+types-pyyaml==6.0.12.20260408
+urllib3==2.6.3
--- a/script/run-in-env.sh
+++ b/script/run-in-env.sh
@@ -0,0 +1,30 @@
+#!/usr/bin/env sh
+set -eu
+
+# Used in venv activate script.
+# Would be an error if undefined.
+OSTYPE="${OSTYPE-}"
+
+# Activate pyenv and virtualenv if present, then run the specified command
+
+# pyenv, pyenv-virtualenv
+if [ -s .python-version ]; then
+    PYENV_VERSION=$(head -n 1 .python-version)
+    export PYENV_VERSION
+fi
+
+if [ -n "${VIRTUAL_ENV-}" ] && [ -f "${VIRTUAL_ENV}/bin/activate" ]; then
+  . "${VIRTUAL_ENV}/bin/activate"
+else
+  # other common virtualenvs
+  my_path=$(git rev-parse --show-toplevel)
+
+  for venv in venv .venv .; do
+    if [ -f "${my_path}/${venv}/bin/activate" ]; then
+      . "${my_path}/${venv}/bin/activate"
+      break
+    fi
+  done
+fi
+
+exec "$@"
--- a/scripts/update-frontend.sh
+++ b/scripts/update-frontend.sh
@@ -1,30 +0,0 @@
-#!/bin/bash
-source "/etc/supervisor_scripts/common"
-
-set -e
-
-# Update frontend
-git submodule update --init --recursive --remote
-
-[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
-cd home-assistant-polymer
-nvm install
-script/bootstrap
-
-# Download translations
-start_docker
-./script/translations_download
-
-# build frontend
-cd hassio
-./script/build_hassio
-
-# Copy frontend
-rm -rf ../../supervisor/api/panel/*
-cp -rf build/* ../../supervisor/api/panel/
-
-# Reset frontend git
-cd ..
-git reset --hard HEAD
-
-stop_docker
--- a/setup.cfg
+++ b/setup.cfg
@@ -1,31 +0,0 @@
-[isort]
-multi_line_output = 3
-include_trailing_comma=True
-force_grid_wrap=0
-line_length=88
-indent = "    "
-force_sort_within_sections = true
-sections = FUTURE,STDLIB,THIRDPARTY,FIRSTPARTY,LOCALFOLDER
-default_section = THIRDPARTY
-forced_separate = tests
-combine_as_imports = true
-use_parentheses = true
-known_first_party = supervisor,tests
-
-[flake8]
-exclude = .venv,.git,.tox,docs,venv,bin,lib,deps,build
-doctests = True
-max-line-length = 88
-# E501: line too long
-# W503: Line break occurred before a binary operator
-# E203: Whitespace before ':'
-# D202 No blank lines allowed after function docstring
-# W504 line break after binary operator
-ignore =
-    E501,
-    W503,
-    E203,
-    D202,
-    W504
-per-file-ignores =
-    tests/dbus_service_mocks/*.py: F821,F722
--- a/setup.py
+++ b/setup.py
@@ -1,48 +1,32 @@
 """Home Assistant Supervisor setup."""
+
+from pathlib import Path
+import re
+
 from setuptools import setup

-from supervisor.const import SUPERVISOR_VERSION
+RE_SUPERVISOR_VERSION = re.compile(
+    r'^SUPERVISOR_VERSION =\s*"?((?P<git_sha>[0-9a-f]{40})|[^"]+)"?$'
+)
+
+SUPERVISOR_DIR = Path(__file__).parent
+REQUIREMENTS_FILE = SUPERVISOR_DIR / "requirements.txt"
+CONST_FILE = SUPERVISOR_DIR / "supervisor/const.py"
+
+REQUIREMENTS = REQUIREMENTS_FILE.read_text(encoding="utf-8")
+CONSTANTS = CONST_FILE.read_text(encoding="utf-8")
+
+
+def _get_supervisor_version():
+    for line in CONSTANTS.split("\n"):
+        if match := RE_SUPERVISOR_VERSION.match(line):
+            if git_sha := match.group("git_sha"):
+                return f"9999.09.9.dev9999+{git_sha}"
+            return match.group(1)
+    return "9999.09.9.dev9999"
+

 setup(
-    name="Supervisor",
-    version=SUPERVISOR_VERSION,
-    license="BSD License",
-    author="The Home Assistant Authors",
-    author_email="hello@home-assistant.io",
-    url="https://home-assistant.io/",
-    description=("Open-source private cloud os for Home-Assistant" " based on HassOS"),
-    long_description=(
-        "A maintainless private cloud operator system that"
-        "setup a Home-Assistant instance. Based on HassOS"
-    ),
-    keywords=["docker", "home-assistant", "api"],
-    zip_safe=False,
-    platforms="any",
-    packages=[
-        "supervisor.addons",
-        "supervisor.api",
-        "supervisor.backups",
-        "supervisor.dbus.network",
-        "supervisor.dbus.network.setting",
-        "supervisor.dbus",
-        "supervisor.discovery.services",
-        "supervisor.discovery",
-        "supervisor.docker",
-        "supervisor.homeassistant",
-        "supervisor.host",
-        "supervisor.jobs",
-        "supervisor.misc",
-        "supervisor.plugins",
-        "supervisor.resolution.checks",
-        "supervisor.resolution.evaluations",
-        "supervisor.resolution.fixups",
-        "supervisor.resolution",
-        "supervisor.security",
-        "supervisor.services.modules",
-        "supervisor.services",
-        "supervisor.store",
-        "supervisor.utils",
-        "supervisor",
-    ],
-    include_package_data=True,
+    version=_get_supervisor_version(),
+    dependencies=REQUIREMENTS.split("\n"),
 )
--- a/supervisor/main.py
+++ b/supervisor/main.py
@@ -1,12 +1,22 @@
 """Main file for Supervisor."""
+
 import asyncio
 from concurrent.futures import ThreadPoolExecutor
 import logging
 from pathlib import Path
 import sys

-from supervisor import bootstrap
-from supervisor.utils.logging import activate_log_queue_handler
+import zlib_fast
+
+# Enable fast zlib before importing supervisor
+zlib_fast.enable()
+
+# pylint: disable=wrong-import-position
+from supervisor import bootstrap  # noqa: E402
+from supervisor.utils.blockbuster import BlockBusterManager  # noqa: E402
+from supervisor.utils.logging import activate_log_queue_handler  # noqa: E402
+
+# pylint: enable=wrong-import-position

 _LOGGER: logging.Logger = logging.getLogger(__name__)

@@ -44,10 +54,11 @@ if __name__ == "__main__":
    _LOGGER.info("Initializing Supervisor setup")
    coresys = loop.run_until_complete(bootstrap.initialize_coresys())
    loop.set_debug(coresys.config.debug)
+    if coresys.config.detect_blocking_io:
+        BlockBusterManager.activate()
    loop.run_until_complete(coresys.core.connect())

-    bootstrap.supervisor_debugger(coresys)
-    bootstrap.migrate_system_env(coresys)
+    loop.run_until_complete(bootstrap.supervisor_debugger(coresys))

    # Signal health startup for container
    run_os_startup_check_cleanup()
@@ -55,8 +66,28 @@ if __name__ == "__main__":
    _LOGGER.info("Setting up Supervisor")
    loop.run_until_complete(coresys.core.setup())

-    loop.call_soon_threadsafe(loop.create_task, coresys.core.start())
-    loop.call_soon_threadsafe(bootstrap.reg_signal, loop, coresys)
+    # Create startup task that can be cancelled gracefully
+    startup_task = loop.create_task(coresys.core.start())
+
+    def shutdown_handler() -> None:
+        """Handle shutdown signals gracefully during startup."""
+        if not startup_task.done():
+            _LOGGER.warning("Supervisor startup interrupted by shutdown signal")
+            startup_task.cancel()
+
+        coresys.create_task(coresys.core.stop())
+
+    bootstrap.register_signal_handlers(loop, shutdown_handler)
+
+    try:
+        loop.run_until_complete(startup_task)
+    except asyncio.CancelledError:
+        _LOGGER.warning("Supervisor startup cancelled")
+    except Exception as err:  # pylint: disable=broad-except
+        # Supervisor itself is running at this point, just something didn't
+        # start as expected. Log with traceback to get more insights for
+        # such cases.
+        _LOGGER.critical("Supervisor start failed: %s", err, exc_info=True)

    try:
        _LOGGER.info("Running Supervisor")
--- a/supervisor/addons/init.py
+++ b/supervisor/addons/init.py
@@ -1,374 +1 @@
-"""Init file for Supervisor add-ons."""
-import asyncio
-from collections.abc import Awaitable
-from contextlib import suppress
-import logging
-import tarfile
-from typing import Union
-
-from ..const import AddonBoot, AddonStartup, AddonState
-from ..coresys import CoreSys, CoreSysAttributes
-from ..exceptions import (
-    AddonConfigurationError,
-    AddonsError,
-    AddonsJobError,
-    AddonsNotSupportedError,
-    CoreDNSError,
-    DockerAPIError,
-    DockerError,
-    DockerNotFound,
-    HassioError,
-    HomeAssistantAPIError,
-)
-from ..jobs.decorator import Job, JobCondition
-from ..resolution.const import ContextType, IssueType, SuggestionType
-from ..store.addon import AddonStore
-from ..utils import check_exception_chain
-from ..utils.sentry import capture_exception
-from .addon import Addon
-from .const import ADDON_UPDATE_CONDITIONS
-from .data import AddonsData
-
-_LOGGER: logging.Logger = logging.getLogger(__name__)
-
-AnyAddon = Union[Addon, AddonStore]
-
-
-class AddonManager(CoreSysAttributes):
-    """Manage add-ons inside Supervisor."""
-
-    def __init__(self, coresys: CoreSys):
-        """Initialize Docker base wrapper."""
-        self.coresys: CoreSys = coresys
-        self.data: AddonsData = AddonsData(coresys)
-        self.local: dict[str, Addon] = {}
-        self.store: dict[str, AddonStore] = {}
-
-    @property
-    def all(self) -> list[AnyAddon]:
-        """Return a list of all add-ons."""
-        addons: dict[str, AnyAddon] = {**self.store, **self.local}
-        return list(addons.values())
-
-    @property
-    def installed(self) -> list[Addon]:
-        """Return a list of all installed add-ons."""
-        return list(self.local.values())
-
-    def get(self, addon_slug: str, local_only: bool = False) -> AnyAddon | None:
-        """Return an add-on from slug.
-
-        Prio:
-          1 - Local
-          2 - Store
-        """
-        if addon_slug in self.local:
-            return self.local[addon_slug]
-        if not local_only:
-            return self.store.get(addon_slug)
-        return None
-
-    def from_token(self, token: str) -> Addon | None:
-        """Return an add-on from Supervisor token."""
-        for addon in self.installed:
-            if token == addon.supervisor_token:
-                return addon
-        return None
-
-    async def load(self) -> None:
-        """Start up add-on management."""
-        tasks = []
-        for slug in self.data.system:
-            addon = self.local[slug] = Addon(self.coresys, slug)
-            tasks.append(self.sys_create_task(addon.load()))
-
-        # Run initial tasks
-        _LOGGER.info("Found %d installed add-ons", len(tasks))
-        if tasks:
-            await asyncio.wait(tasks)
-
-        # Sync DNS
-        await self.sync_dns()
-
-    async def boot(self, stage: AddonStartup) -> None:
-        """Boot add-ons with mode auto."""
-        tasks: list[Addon] = []
-        for addon in self.installed:
-            if addon.boot != AddonBoot.AUTO or addon.startup != stage:
-                continue
-            tasks.append(addon)
-
-        # Evaluate add-ons which need to be started
-        _LOGGER.info("Phase '%s' starting %d add-ons", stage, len(tasks))
-        if not tasks:
-            return
-
-        # Start Add-ons sequential
-        # avoid issue on slow IO
-        # Config.wait_boot is deprecated. Until addons update with healthchecks,
-        # add a sleep task for it to keep the same minimum amount of wait time
-        wait_boot: list[Awaitable[None]] = [asyncio.sleep(self.sys_config.wait_boot)]
-        for addon in tasks:
-            try:
-                if start_task := await addon.start():
-                    wait_boot.append(start_task)
-            except AddonsError as err:
-                # Check if there is an system/user issue
-                if check_exception_chain(
-                    err, (DockerAPIError, DockerNotFound, AddonConfigurationError)
-                ):
-                    addon.boot = AddonBoot.MANUAL
-                    addon.save_persist()
-            except HassioError:
-                pass  # These are already handled
-            else:
-                continue
-
-            _LOGGER.warning("Can't start Add-on %s", addon.slug)
-
-        # Ignore exceptions from waiting for addon startup, addon errors handled elsewhere
-        await asyncio.gather(*wait_boot, return_exceptions=True)
-
-    async def shutdown(self, stage: AddonStartup) -> None:
-        """Shutdown addons."""
-        tasks: list[Addon] = []
-        for addon in self.installed:
-            if addon.state != AddonState.STARTED or addon.startup != stage:
-                continue
-            tasks.append(addon)
-
-        # Evaluate add-ons which need to be stopped
-        _LOGGER.info("Phase '%s' stopping %d add-ons", stage, len(tasks))
-        if not tasks:
-            return
-
-        # Stop Add-ons sequential
-        # avoid issue on slow IO
-        for addon in tasks:
-            try:
-                await addon.stop()
-            except Exception as err:  # pylint: disable=broad-except
-                _LOGGER.warning("Can't stop Add-on %s: %s", addon.slug, err)
-                capture_exception(err)
-
-    @Job(
-        name="addon_manager_install",
-        conditions=ADDON_UPDATE_CONDITIONS,
-        on_condition=AddonsJobError,
-    )
-    async def install(self, slug: str) -> None:
-        """Install an add-on."""
-        self.sys_jobs.current.reference = slug
-
-        if slug in self.local:
-            raise AddonsError(f"Add-on {slug} is already installed", _LOGGER.warning)
-        store = self.store.get(slug)
-
-        if not store:
-            raise AddonsError(f"Add-on {slug} does not exist", _LOGGER.error)
-
-        store.validate_availability()
-
-        await Addon(self.coresys, slug).install()
-
-        _LOGGER.info("Add-on '%s' successfully installed", slug)
-
-    async def uninstall(self, slug: str) -> None:
-        """Remove an add-on."""
-        if slug not in self.local:
-            _LOGGER.warning("Add-on %s is not installed", slug)
-            return
-
-        await self.local[slug].uninstall()
-
-        _LOGGER.info("Add-on '%s' successfully removed", slug)
-
-    @Job(
-        name="addon_manager_update",
-        conditions=ADDON_UPDATE_CONDITIONS,
-        on_condition=AddonsJobError,
-    )
-    async def update(
-        self, slug: str, backup: bool | None = False
-    ) -> asyncio.Task | None:
-        """Update add-on.
-
-        Returns a Task that completes when addon has state 'started' (see addon.start)
-        if addon is started after update. Else nothing is returned.
-        """
-        self.sys_jobs.current.reference = slug
-
-        if slug not in self.local:
-            raise AddonsError(f"Add-on {slug} is not installed", _LOGGER.error)
-        addon = self.local[slug]
-
-        if addon.is_detached:
-            raise AddonsError(
-                f"Add-on {slug} is not available inside store", _LOGGER.error
-            )
-        store = self.store[slug]
-
-        if addon.version == store.version:
-            raise AddonsError(f"No update available for add-on {slug}", _LOGGER.warning)
-
-        # Check if available, Maybe something have changed
-        store.validate_availability()
-
-        if backup:
-            await self.sys_backups.do_backup_partial(
-                name=f"addon_{addon.slug}_{addon.version}",
-                homeassistant=False,
-                addons=[addon.slug],
-            )
-
-        return await addon.update()
-
-    @Job(
-        name="addon_manager_rebuild",
-        conditions=[
-            JobCondition.FREE_SPACE,
-            JobCondition.INTERNET_HOST,
-            JobCondition.HEALTHY,
-        ],
-        on_condition=AddonsJobError,
-    )
-    async def rebuild(self, slug: str) -> asyncio.Task | None:
-        """Perform a rebuild of local build add-on.
-
-        Returns a Task that completes when addon has state 'started' (see addon.start)
-        if addon is started after rebuild. Else nothing is returned.
-        """
-        self.sys_jobs.current.reference = slug
-
-        if slug not in self.local:
-            raise AddonsError(f"Add-on {slug} is not installed", _LOGGER.error)
-        addon = self.local[slug]
-
-        if addon.is_detached:
-            raise AddonsError(
-                f"Add-on {slug} is not available inside store", _LOGGER.error
-            )
-        store = self.store[slug]
-
-        # Check if a rebuild is possible now
-        if addon.version != store.version:
-            raise AddonsError(
-                "Version changed, use Update instead Rebuild", _LOGGER.error
-            )
-        if not addon.need_build:
-            raise AddonsNotSupportedError(
-                "Can't rebuild a image based add-on", _LOGGER.error
-            )
-
-        return await addon.rebuild()
-
-    @Job(
-        name="addon_manager_restore",
-        conditions=[
-            JobCondition.FREE_SPACE,
-            JobCondition.INTERNET_HOST,
-            JobCondition.HEALTHY,
-        ],
-        on_condition=AddonsJobError,
-    )
-    async def restore(
-        self, slug: str, tar_file: tarfile.TarFile
-    ) -> asyncio.Task | None:
-        """Restore state of an add-on.
-
-        Returns a Task that completes when addon has state 'started' (see addon.start)
-        if addon is started after restore. Else nothing is returned.
-        """
-        self.sys_jobs.current.reference = slug
-
-        if slug not in self.local:
-            _LOGGER.debug("Add-on %s is not local available for restore", slug)
-            addon = Addon(self.coresys, slug)
-            had_ingress = False
-        else:
-            _LOGGER.debug("Add-on %s is local available for restore", slug)
-            addon = self.local[slug]
-            had_ingress = addon.ingress_panel
-
-        wait_for_start = await addon.restore(tar_file)
-
-        # Check if new
-        if slug not in self.local:
-            _LOGGER.info("Detect new Add-on after restore %s", slug)
-            self.local[slug] = addon
-
-        # Update ingress
-        if had_ingress != addon.ingress_panel:
-            await self.sys_ingress.reload()
-            with suppress(HomeAssistantAPIError):
-                await self.sys_ingress.update_hass_panel(addon)
-
-        return wait_for_start
-
-    @Job(
-        name="addon_manager_repair",
-        conditions=[JobCondition.FREE_SPACE, JobCondition.INTERNET_HOST],
-    )
-    async def repair(self) -> None:
-        """Repair local add-ons."""
-        needs_repair: list[Addon] = []
-
-        # Evaluate Add-ons to repair
-        for addon in self.installed:
-            if await addon.instance.exists():
-                continue
-            needs_repair.append(addon)
-
-        _LOGGER.info("Found %d add-ons to repair", len(needs_repair))
-        if not needs_repair:
-            return
-
-        for addon in needs_repair:
-            _LOGGER.info("Repairing for add-on: %s", addon.slug)
-            with suppress(DockerError, KeyError):
-                # Need pull a image again
-                if not addon.need_build:
-                    await addon.instance.install(addon.version, addon.image)
-                    continue
-
-                # Need local lookup
-                if addon.need_build and not addon.is_detached:
-                    store = self.store[addon.slug]
-                    # If this add-on is available for rebuild
-                    if addon.version == store.version:
-                        await addon.instance.install(addon.version, addon.image)
-                        continue
-
-            _LOGGER.error("Can't repair %s", addon.slug)
-            with suppress(AddonsError):
-                await self.uninstall(addon.slug)
-
-    async def sync_dns(self) -> None:
-        """Sync add-ons DNS names."""
-        # Update hosts
-        add_host_coros: list[Awaitable[None]] = []
-        for addon in self.installed:
-            try:
-                if not await addon.instance.is_running():
-                    continue
-            except DockerError as err:
-                _LOGGER.warning("Add-on %s is corrupt: %s", addon.slug, err)
-                self.sys_resolution.create_issue(
-                    IssueType.CORRUPT_DOCKER,
-                    ContextType.ADDON,
-                    reference=addon.slug,
-                    suggestions=[SuggestionType.EXECUTE_REPAIR],
-                )
-                capture_exception(err)
-            else:
-                add_host_coros.append(
-                    self.sys_plugins.dns.add_host(
-                        ipv4=addon.ip_address, names=[addon.hostname], write=False
-                    )
-                )
-
-        await asyncio.gather(*add_host_coros)
-
-        # Write hosts files
-        with suppress(CoreDNSError):
-            await self.sys_plugins.dns.write_hosts()
+"""Init file for Supervisor apps."""
--- a/supervisor/addons/addon.py
+++ b/supervisor/addons/addon.py
--- a/supervisor/addons/build.py
+++ b/supervisor/addons/build.py
@@ -1,139 +1,304 @@
-"""Supervisor add-on build environment."""
+"""Supervisor app build environment."""
+
 from __future__ import annotations

+import base64
 from functools import cached_property
-from pathlib import Path
-from typing import TYPE_CHECKING
+import json
+import logging
+from pathlib import Path, PurePath
+from typing import TYPE_CHECKING, Any, Self

 from awesomeversion import AwesomeVersion
+import voluptuous as vol

 from ..const import (
    ATTR_ARGS,
    ATTR_BUILD_FROM,
    ATTR_LABELS,
+    ATTR_PASSWORD,
    ATTR_SQUASH,
+    ATTR_USERNAME,
    FILE_SUFFIX_CONFIGURATION,
-    META_ADDON,
+    LABEL_ARCH,
+    LABEL_DESCRIPTION,
+    LABEL_NAME,
+    LABEL_TYPE,
+    LABEL_URL,
+    LABEL_VERSION,
+    META_APP,
+    SOCKET_DOCKER,
+    CpuArch,
 )
 from ..coresys import CoreSys, CoreSysAttributes
+from ..docker.const import DOCKER_HUB, DOCKER_HUB_LEGACY, DockerMount, MountType
 from ..docker.interface import MAP_ARCH
-from ..exceptions import ConfigurationFileError, HassioArchNotFound
-from ..utils.common import FileConfiguration, find_one_filetype
+from ..exceptions import (
+    AppBuildArchitectureNotSupportedError,
+    AppBuildDockerfileMissingError,
+    ConfigurationFileError,
+    HassioArchNotFound,
+)
+from ..utils.common import find_one_filetype, read_json_or_yaml_file
 from .validate import SCHEMA_BUILD_CONFIG

 if TYPE_CHECKING:
-    from . import AnyAddon
+    from .manager import AnyApp
+
+_LOGGER: logging.Logger = logging.getLogger(__name__)


-class AddonBuild(FileConfiguration, CoreSysAttributes):
-    """Handle build options for add-ons."""
+class AppBuild(CoreSysAttributes):
+    """Handle build options for apps."""

-    def __init__(self, coresys: CoreSys, addon: AnyAddon) -> None:
-        """Initialize Supervisor add-on builder."""
+    def __init__(self, coresys: CoreSys, app: AnyApp, data: dict[str, Any]) -> None:
+        """Initialize Supervisor app builder."""
        self.coresys: CoreSys = coresys
-        self.addon = addon
+        self.app = app
+        self._build_config: dict[str, Any] = data

+    @classmethod
+    async def create(cls, coresys: CoreSys, app: AnyApp) -> Self:
+        """Create an AppBuild by reading the build configuration from disk."""
+        data = await coresys.run_in_executor(cls._read_build_config, app)
+
+        if data:
+            _LOGGER.warning(
+                "App %s uses build.yaml which is deprecated. "
+                "Move build parameters into the Dockerfile directly.",
+                app.slug,
+            )
+
+            if data[ATTR_SQUASH]:
+                _LOGGER.warning(
+                    "Ignoring squash build option for %s as Docker BuildKit"
+                    " does not support it.",
+                    app.slug,
+                )
+
+        return cls(coresys, app, data or {})
+
+    @staticmethod
+    def _read_build_config(app: AnyApp) -> dict[str, Any] | None:
+        """Find and read the build configuration file.
+
+        Must be run in executor.
+        """
        try:
            build_file = find_one_filetype(
-                self.addon.path_location, "build", FILE_SUFFIX_CONFIGURATION
+                app.path_location, "build", FILE_SUFFIX_CONFIGURATION
            )
        except ConfigurationFileError:
-            build_file = self.addon.path_location / "build.json"
+            # No build config file found, assuming modernized build
+            return None

-        super().__init__(build_file, SCHEMA_BUILD_CONFIG)
+        try:
+            raw = read_json_or_yaml_file(build_file)
+            build_config = SCHEMA_BUILD_CONFIG(raw)
+        except ConfigurationFileError as ex:
+            _LOGGER.exception(
+                "Error reading %s build config (%s), using defaults",
+                app.slug,
+                ex,
+            )
+            build_config = SCHEMA_BUILD_CONFIG({})
+        except vol.Invalid as ex:
+            _LOGGER.warning(
+                "Error parsing %s build config (%s), using defaults", app.slug, ex
+            )
+            build_config = SCHEMA_BUILD_CONFIG({})

-    def save_data(self):
-        """Ignore save function."""
-        raise RuntimeError()
+        # Default base image is passed in BUILD_FROM only when build.yaml is used
+        # (this is legacy behavior - without build config, Dockerfile should specify it)
+        if not build_config[ATTR_BUILD_FROM]:
+            build_config[ATTR_BUILD_FROM] = "ghcr.io/home-assistant/base:latest"
+
+        return build_config

    @cached_property
-    def arch(self) -> str:
-        """Return arch of the add-on."""
-        return self.sys_arch.match(self.addon.arch)
+    def arch(self) -> CpuArch:
+        """Return arch of the app."""
+        return self.sys_arch.match([self.app.arch])

    @property
-    def base_image(self) -> str:
-        """Return base image for this add-on."""
-        if not self._data[ATTR_BUILD_FROM]:
-            return f"ghcr.io/home-assistant/{self.sys_arch.default}-base:latest"
+    def base_image(self) -> str | None:
+        """Return base image for this app, or None to use Dockerfile default."""
+        # No build config (otherwise default is coerced when reading the config)
+        if not self._build_config.get(ATTR_BUILD_FROM):
+            return None

-        if isinstance(self._data[ATTR_BUILD_FROM], str):
-            return self._data[ATTR_BUILD_FROM]
+        # Single base image in build config
+        if isinstance(self._build_config[ATTR_BUILD_FROM], str):
+            return self._build_config[ATTR_BUILD_FROM]

-        # Evaluate correct base image
-        if self.arch not in self._data[ATTR_BUILD_FROM]:
+        # Dict - per-arch base images in build config
+        if self.arch not in self._build_config[ATTR_BUILD_FROM]:
            raise HassioArchNotFound(
-                f"Add-on {self.addon.slug} is not supported on {self.arch}"
+                f"App {self.app.slug} is not supported on {self.arch}"
            )
-        return self._data[ATTR_BUILD_FROM][self.arch]
-
-    @property
-    def dockerfile(self) -> Path:
-        """Return Dockerfile path."""
-        if self.addon.path_location.joinpath(f"Dockerfile.{self.arch}").exists():
-            return self.addon.path_location.joinpath(f"Dockerfile.{self.arch}")
-        return self.addon.path_location.joinpath("Dockerfile")
-
-    @property
-    def squash(self) -> bool:
-        """Return True or False if squash is active."""
-        return self._data[ATTR_SQUASH]
+        return self._build_config[ATTR_BUILD_FROM][self.arch]

    @property
    def additional_args(self) -> dict[str, str]:
        """Return additional Docker build arguments."""
-        return self._data[ATTR_ARGS]
+        return self._build_config.get(ATTR_ARGS, {})

    @property
    def additional_labels(self) -> dict[str, str]:
        """Return additional Docker labels."""
-        return self._data[ATTR_LABELS]
+        return self._build_config.get(ATTR_LABELS, {})

-    @property
-    def is_valid(self) -> bool:
+    def get_dockerfile(self) -> Path:
+        """Return Dockerfile path.
+
+        Must be run in executor.
+        """
+        if self.app.path_location.joinpath(f"Dockerfile.{self.arch}").exists():
+            return self.app.path_location.joinpath(f"Dockerfile.{self.arch}")
+        return self.app.path_location.joinpath("Dockerfile")
+
+    async def is_valid(self) -> None:
        """Return true if the build env is valid."""
-        try:
+
+        def build_is_valid() -> bool:
            return all(
                [
-                    self.addon.path_location.is_dir(),
-                    self.dockerfile.is_file(),
+                    self.app.path_location.is_dir(),
+                    self.get_dockerfile().is_file(),
                ]
            )
-        except HassioArchNotFound:
-            return False

-    def get_docker_args(self, version: AwesomeVersion):
-        """Create a dict with Docker build arguments."""
-        args = {
-            "path": str(self.addon.path_location),
-            "tag": f"{self.addon.image}:{version!s}",
-            "dockerfile": str(self.dockerfile),
-            "pull": True,
-            "forcerm": not self.sys_dev,
-            "squash": self.squash,
-            "platform": MAP_ARCH[self.arch],
-            "labels": {
-                "io.hass.version": version,
-                "io.hass.arch": self.arch,
-                "io.hass.type": META_ADDON,
-                "io.hass.name": self._fix_label("name"),
-                "io.hass.description": self._fix_label("description"),
-                **self.additional_labels,
-            },
-            "buildargs": {
-                "BUILD_FROM": self.base_image,
-                "BUILD_VERSION": version,
-                "BUILD_ARCH": self.sys_arch.default,
-                **self.additional_args,
-            },
+        try:
+            if not await self.sys_run_in_executor(build_is_valid):
+                raise AppBuildDockerfileMissingError(_LOGGER.error, app=self.app.slug)
+        except HassioArchNotFound:
+            raise AppBuildArchitectureNotSupportedError(
+                _LOGGER.error,
+                app=self.app.slug,
+                app_arch_list=self.app.supported_arch,
+                system_arch_list=[arch.value for arch in self.sys_arch.supported],
+            ) from None
+
+    def _registry_key(self, registry: str) -> str:
+        """Return the Docker config.json key for a registry."""
+        if registry in (DOCKER_HUB, DOCKER_HUB_LEGACY):
+            return "https://index.docker.io/v1/"
+        return registry
+
+    def _registry_auth(self, registry: str) -> str:
+        """Return base64-encoded auth string for a registry."""
+        stored = self.sys_docker.config.registries[registry]
+        return base64.b64encode(
+            f"{stored[ATTR_USERNAME]}:{stored[ATTR_PASSWORD]}".encode()
+        ).decode()
+
+    def get_docker_config_json(self) -> str | None:
+        """Generate Docker config.json content with all configured registry credentials.
+
+        Returns a JSON string with registry credentials, or None if no registries
+        are configured.
+        """
+        if not self.sys_docker.config.registries:
+            return None
+
+        auths = {
+            self._registry_key(registry): {"auth": self._registry_auth(registry)}
+            for registry in self.sys_docker.config.registries
+        }
+        return json.dumps({"auths": auths})
+
+    def get_docker_args(
+        self, version: AwesomeVersion, image_tag: str, docker_config_path: Path | None
+    ) -> dict[str, Any]:
+        """Create a dict with Docker run args."""
+        dockerfile_path = self.get_dockerfile().relative_to(self.app.path_location)
+
+        build_cmd = [
+            "docker",
+            "buildx",
+            "build",
+            ".",
+            "--tag",
+            image_tag,
+            "--file",
+            str(dockerfile_path),
+            "--platform",
+            MAP_ARCH[self.arch],
+            "--pull",
+        ]
+
+        labels = {
+            LABEL_VERSION: version,
+            LABEL_ARCH: self.arch,
+            LABEL_TYPE: META_APP,
+            **self.additional_labels,
        }

-        if self.addon.url:
-            args["labels"]["io.hass.url"] = self.addon.url
+        # Set name only if non-empty, could have been set in Dockerfile
+        if name := self._fix_label("name"):
+            labels[LABEL_NAME] = name

-        return args
+        # Set description only if non-empty, could have been set in Dockerfile
+        if description := self._fix_label("description"):
+            labels[LABEL_DESCRIPTION] = description
+
+        if self.app.url:
+            labels[LABEL_URL] = self.app.url
+
+        for key, value in labels.items():
+            build_cmd.extend(["--label", f"{key}={value}"])
+
+        build_args = {
+            "BUILD_VERSION": version,
+            "BUILD_ARCH": self.arch,
+            **self.additional_args,
+        }
+
+        if self.base_image is not None:
+            build_args["BUILD_FROM"] = self.base_image
+
+        for key, value in build_args.items():
+            build_cmd.extend(["--build-arg", f"{key}={value}"])
+
+        # The app path will be mounted from the host system
+        app_extern_path = self.sys_config.local_to_extern_path(self.app.path_location)
+
+        mounts = [
+            DockerMount(
+                type=MountType.BIND,
+                source=SOCKET_DOCKER.as_posix(),
+                target="/var/run/docker.sock",
+                read_only=False,
+            ),
+            DockerMount(
+                type=MountType.BIND,
+                source=app_extern_path.as_posix(),
+                target="/addon",
+                read_only=True,
+            ),
+        ]
+
+        # Mount Docker config with registry credentials if available
+        if docker_config_path:
+            docker_config_extern_path = self.sys_config.local_to_extern_path(
+                docker_config_path
+            )
+            mounts.append(
+                DockerMount(
+                    type=MountType.BIND,
+                    source=docker_config_extern_path.as_posix(),
+                    target="/root/.docker/config.json",
+                    read_only=True,
+                )
+            )
+
+        return {
+            "command": build_cmd,
+            "mounts": mounts,
+            "working_dir": PurePath("/addon"),
+        }

    def _fix_label(self, label_name: str) -> str:
        """Remove characters they are not supported."""
-        label = getattr(self.addon, label_name, "")
+        label = getattr(self.app, label_name, "")
        return label.replace("'", "")
--- a/supervisor/addons/configuration.py
+++ b/supervisor/addons/configuration.py
@@ -0,0 +1,11 @@
+"""Confgiuration Objects for App Config."""
+
+from dataclasses import dataclass
+
+
+@dataclass(slots=True)
+class FolderMapping:
+    """Represent folder mapping configuration."""
+
+    path: str | None
+    read_only: bool
--- a/supervisor/addons/const.py
+++ b/supervisor/addons/const.py
@@ -1,25 +1,44 @@
-"""Add-on static data."""
+"""App static data."""
+
 from datetime import timedelta
 from enum import StrEnum

 from ..jobs.const import JobCondition


-class AddonBackupMode(StrEnum):
-    """Backup mode of an Add-on."""
+class AppBackupMode(StrEnum):
+    """Backup mode of an App."""

    HOT = "hot"
    COLD = "cold"


+class MappingType(StrEnum):
+    """Mapping type of an App Folder."""
+
+    DATA = "data"
+    CONFIG = "config"
+    SSL = "ssl"
+    ADDONS = "addons"
+    BACKUP = "backup"
+    SHARE = "share"
+    MEDIA = "media"
+    HOMEASSISTANT_CONFIG = "homeassistant_config"
+    ALL_ADDON_CONFIGS = "all_addon_configs"
+    ADDON_CONFIG = "addon_config"
+
+
 ATTR_BACKUP = "backup"
+ATTR_BREAKING_VERSIONS = "breaking_versions"
 ATTR_CODENOTARY = "codenotary"
+ATTR_READ_ONLY = "read_only"
+ATTR_PATH = "path"
 WATCHDOG_RETRY_SECONDS = 10
 WATCHDOG_MAX_ATTEMPTS = 5
 WATCHDOG_THROTTLE_PERIOD = timedelta(minutes=30)
 WATCHDOG_THROTTLE_MAX_CALLS = 10

-ADDON_UPDATE_CONDITIONS = [
+APP_UPDATE_CONDITIONS = [
    JobCondition.FREE_SPACE,
    JobCondition.HEALTHY,
    JobCondition.INTERNET_HOST,
--- a/supervisor/addons/data.py
+++ b/supervisor/addons/data.py
@@ -1,4 +1,5 @@
-"""Init file for Supervisor add-on data."""
+"""Init file for Supervisor app data."""
+
 from copy import deepcopy
 from typing import Any

@@ -11,16 +12,16 @@ from ..const import (
    FILE_HASSIO_ADDONS,
 )
 from ..coresys import CoreSys, CoreSysAttributes
-from ..store.addon import AddonStore
+from ..store.addon import AppStore
 from ..utils.common import FileConfiguration
-from .addon import Addon
+from .addon import App
 from .validate import SCHEMA_ADDONS_FILE

 Config = dict[str, Any]


-class AddonsData(FileConfiguration, CoreSysAttributes):
-    """Hold data for installed Add-ons inside Supervisor."""
+class AppsData(FileConfiguration, CoreSysAttributes):
+    """Hold data for installed Apps inside Supervisor."""

    def __init__(self, coresys: CoreSys):
        """Initialize data holder."""
@@ -29,42 +30,42 @@ class AddonsData(FileConfiguration, CoreSysAttributes):

    @property
    def user(self):
-        """Return local add-on user data."""
+        """Return local app user data."""
        return self._data[ATTR_USER]

    @property
    def system(self):
-        """Return local add-on data."""
+        """Return local app data."""
        return self._data[ATTR_SYSTEM]

-    def install(self, addon: AddonStore) -> None:
-        """Set addon as installed."""
-        self.system[addon.slug] = deepcopy(addon.data)
-        self.user[addon.slug] = {
+    async def install(self, app: AppStore) -> None:
+        """Set app as installed."""
+        self.system[app.slug] = deepcopy(app.data)
+        self.user[app.slug] = {
            ATTR_OPTIONS: {},
-            ATTR_VERSION: addon.version,
-            ATTR_IMAGE: addon.image,
+            ATTR_VERSION: app.version,
+            ATTR_IMAGE: app.image,
        }
-        self.save_data()
+        await self.save_data()

-    def uninstall(self, addon: Addon) -> None:
-        """Set add-on as uninstalled."""
-        self.system.pop(addon.slug, None)
-        self.user.pop(addon.slug, None)
-        self.save_data()
+    async def uninstall(self, app: App) -> None:
+        """Set app as uninstalled."""
+        self.system.pop(app.slug, None)
+        self.user.pop(app.slug, None)
+        await self.save_data()

-    def update(self, addon: AddonStore) -> None:
-        """Update version of add-on."""
-        self.system[addon.slug] = deepcopy(addon.data)
-        self.user[addon.slug].update(
-            {ATTR_VERSION: addon.version, ATTR_IMAGE: addon.image}
-        )
-        self.save_data()
+    async def update(self, app: AppStore) -> None:
+        """Update version of app."""
+        self.system[app.slug] = deepcopy(app.data)
+        self.user[app.slug].update({ATTR_VERSION: app.version, ATTR_IMAGE: app.image})
+        await self.save_data()

-    def restore(self, slug: str, user: Config, system: Config, image: str) -> None:
-        """Restore data to add-on."""
+    async def restore(
+        self, slug: str, user: Config, system: Config, image: str
+    ) -> None:
+        """Restore data to app."""
        self.user[slug] = deepcopy(user)
        self.system[slug] = deepcopy(system)

        self.user[slug][ATTR_IMAGE] = image
-        self.save_data()
+        await self.save_data()
--- a/supervisor/addons/manager.py
+++ b/supervisor/addons/manager.py
@@ -0,0 +1,441 @@
+"""Supervisor app manager."""
+
+import asyncio
+from collections.abc import Awaitable
+from contextlib import suppress
+import logging
+from typing import Self, Union
+
+from attr import evolve
+from securetar import SecureTarFile
+
+from ..const import AppBoot, AppStartup, AppState
+from ..coresys import CoreSys, CoreSysAttributes
+from ..exceptions import (
+    AppNotSupportedError,
+    AppsError,
+    AppsJobError,
+    CoreDNSError,
+    DockerError,
+    HassioError,
+)
+from ..jobs import ChildJobSyncFilter
+from ..jobs.const import JobConcurrency
+from ..jobs.decorator import Job, JobCondition
+from ..resolution.const import ContextType, IssueType, SuggestionType, UnhealthyReason
+from ..store.addon import AppStore
+from ..utils.sentry import async_capture_exception
+from .addon import App
+from .const import APP_UPDATE_CONDITIONS
+from .data import AppsData
+
+_LOGGER: logging.Logger = logging.getLogger(__name__)
+
+AnyApp = Union[App, AppStore]
+
+
+class AppManager(CoreSysAttributes):
+    """Manage apps inside Supervisor."""
+
+    def __init__(self, coresys: CoreSys):
+        """Initialize Docker base wrapper."""
+        self.coresys: CoreSys = coresys
+        self.data: AppsData = AppsData(coresys)
+        self.local: dict[str, App] = {}
+        self.store: dict[str, AppStore] = {}
+
+    @property
+    def all(self) -> list[AnyApp]:
+        """Return a list of all apps."""
+        apps: dict[str, AnyApp] = {**self.store, **self.local}
+        return list(apps.values())
+
+    @property
+    def installed(self) -> list[App]:
+        """Return a list of all installed apps."""
+        return list(self.local.values())
+
+    def get(self, app_slug: str, local_only: bool = False) -> AnyApp | None:
+        """Return an app from slug.
+
+        Prio:
+          1 - Local
+          2 - Store
+        """
+        if app_slug in self.local:
+            return self.local[app_slug]
+        if not local_only:
+            return self.store.get(app_slug)
+        return None
+
+    def get_local_only(self, app_slug: str) -> App | None:
+        """Return an installed app from slug."""
+        return self.local.get(app_slug)
+
+    def from_token(self, token: str) -> App | None:
+        """Return an app from Supervisor token."""
+        for app in self.installed:
+            if token == app.supervisor_token:
+                return app
+        return None
+
+    async def load_config(self) -> Self:
+        """Load config in executor."""
+        await self.data.read_data()
+        return self
+
+    async def load(self) -> None:
+        """Start up app management."""
+        # Refresh cache for all store apps
+        tasks: list[Awaitable[None]] = [
+            store.refresh_path_cache() for store in self.store.values()
+        ]
+
+        # Load all installed apps
+        for slug in self.data.system:
+            app = self.local[slug] = App(self.coresys, slug)
+            tasks.append(app.load())
+
+        # Run initial tasks
+        _LOGGER.info("Found %d installed apps", len(self.data.system))
+        if tasks:
+            await asyncio.gather(*tasks)
+
+        # Sync DNS
+        await self.sync_dns()
+
+    async def boot(self, stage: AppStartup) -> None:
+        """Boot apps with mode auto."""
+        tasks: list[App] = []
+        for app in self.installed:
+            if app.boot != AppBoot.AUTO or app.startup != stage:
+                continue
+            if (
+                app.host_network
+                and UnhealthyReason.DOCKER_GATEWAY_UNPROTECTED
+                in self.sys_resolution.unhealthy
+            ):
+                _LOGGER.warning(
+                    "Skipping boot of app %s because gateway firewall"
+                    " rules are not active",
+                    app.slug,
+                )
+                continue
+            tasks.append(app)
+
+        # Evaluate apps which need to be started
+        _LOGGER.info("Phase '%s' starting %d apps", stage, len(tasks))
+        if not tasks:
+            return
+
+        # Start Apps sequential
+        # avoid issue on slow IO
+        # Config.wait_boot is deprecated. Until apps update with healthchecks,
+        # add a sleep task for it to keep the same minimum amount of wait time
+        wait_boot: list[Awaitable[None]] = [asyncio.sleep(self.sys_config.wait_boot)]
+        for app in tasks:
+            try:
+                if start_task := await app.start():
+                    wait_boot.append(start_task)
+            except HassioError:
+                self.sys_resolution.add_issue(
+                    evolve(app.boot_failed_issue),
+                    suggestions=[
+                        SuggestionType.EXECUTE_START,
+                        SuggestionType.DISABLE_BOOT,
+                    ],
+                )
+            else:
+                continue
+
+            _LOGGER.warning("Can't start app %s", app.slug)
+
+        # Ignore exceptions from waiting for app startup, app errors handled elsewhere
+        await asyncio.gather(*wait_boot, return_exceptions=True)
+
+        # After waiting for startup, create an issue for boot apps that are error or unknown state
+        # Ignore stopped as single shot apps can be run at boot and this is successful exit
+        # Timeout waiting for startup is not a failure, app is probably just slow
+        for app in tasks:
+            if app.state in {AppState.ERROR, AppState.UNKNOWN}:
+                self.sys_resolution.add_issue(
+                    evolve(app.boot_failed_issue),
+                    suggestions=[
+                        SuggestionType.EXECUTE_START,
+                        SuggestionType.DISABLE_BOOT,
+                    ],
+                )
+
+    async def shutdown(self, stage: AppStartup) -> None:
+        """Shutdown apps."""
+        tasks: list[App] = []
+        for app in self.installed:
+            if app.state != AppState.STARTED or app.startup != stage:
+                continue
+            tasks.append(app)
+
+        # Evaluate apps which need to be stopped
+        _LOGGER.info("Phase '%s' stopping %d apps", stage, len(tasks))
+        if not tasks:
+            return
+
+        # Stop Apps sequential
+        # avoid issue on slow IO
+        for app in tasks:
+            try:
+                await app.stop()
+            except Exception as err:  # pylint: disable=broad-except
+                _LOGGER.warning("Can't stop app %s: %s", app.slug, err)
+                await async_capture_exception(err)
+
+    @Job(
+        name="addon_manager_install",
+        conditions=APP_UPDATE_CONDITIONS,
+        on_condition=AppsJobError,
+        concurrency=JobConcurrency.QUEUE,
+        child_job_syncs=[
+            ChildJobSyncFilter("docker_interface_install", progress_allocation=1.0)
+        ],
+    )
+    async def install(
+        self, slug: str, *, validation_complete: asyncio.Event | None = None
+    ) -> None:
+        """Install an app."""
+        self.sys_jobs.current.reference = slug
+
+        if slug in self.local:
+            raise AppsError(f"App {slug} is already installed", _LOGGER.warning)
+        store = self.store.get(slug)
+
+        if not store:
+            raise AppsError(f"App {slug} does not exist", _LOGGER.error)
+
+        store.validate_availability()
+
+        # If being run in the background, notify caller that validation has completed
+        if validation_complete:
+            validation_complete.set()
+
+        await App(self.coresys, slug).install()
+
+        _LOGGER.info("App '%s' successfully installed", slug)
+
+    @Job(name="addon_manager_uninstall")
+    async def uninstall(self, slug: str, *, remove_config: bool = False) -> None:
+        """Remove an app."""
+        if slug not in self.local:
+            _LOGGER.warning("App %s is not installed", slug)
+            return
+
+        shared_image = any(
+            self.local[slug].image == app.image
+            and self.local[slug].version == app.version
+            for app in self.installed
+            if app.slug != slug
+        )
+        await self.local[slug].uninstall(
+            remove_config=remove_config, remove_image=not shared_image
+        )
+
+        _LOGGER.info("App '%s' successfully removed", slug)
+
+    @Job(
+        name="addon_manager_update",
+        conditions=APP_UPDATE_CONDITIONS,
+        on_condition=AppsJobError,
+        # We assume for now the docker image pull is 100% of this task for progress
+        # allocation. But from a user perspective that isn't true. Other steps
+        # that take time which is not accounted for in progress include:
+        # partial backup, image cleanup, apparmor update, and app restart
+        child_job_syncs=[
+            ChildJobSyncFilter("docker_interface_install", progress_allocation=1.0)
+        ],
+    )
+    async def update(
+        self,
+        slug: str,
+        backup: bool | None = False,
+        *,
+        validation_complete: asyncio.Event | None = None,
+    ) -> asyncio.Task | None:
+        """Update app.
+
+        Returns a Task that completes when app has state 'started' (see app.start)
+        if app is started after update. Else nothing is returned.
+        """
+        self.sys_jobs.current.reference = slug
+
+        if slug not in self.local:
+            raise AppsError(f"App {slug} is not installed", _LOGGER.error)
+        app = self.local[slug]
+
+        if app.is_detached:
+            raise AppsError(f"App {slug} is not available inside store", _LOGGER.error)
+        store = self.store[slug]
+
+        if app.version == store.version:
+            raise AppsError(f"No update available for app {slug}", _LOGGER.warning)
+
+        # Check if available, Maybe something have changed
+        store.validate_availability()
+
+        # If being run in the background, notify caller that validation has completed
+        if validation_complete:
+            validation_complete.set()
+
+        if backup:
+            await self.sys_backups.do_backup_partial(
+                name=f"addon_{app.slug}_{app.version}",
+                homeassistant=False,
+                apps=[app.slug],
+            )
+
+        task = await app.update()
+
+        _LOGGER.info("App '%s' successfully updated", slug)
+        return task
+
+    @Job(
+        name="addon_manager_rebuild",
+        conditions=[
+            JobCondition.FREE_SPACE,
+            JobCondition.INTERNET_HOST,
+            JobCondition.HEALTHY,
+        ],
+        on_condition=AppsJobError,
+    )
+    async def rebuild(self, slug: str, *, force: bool = False) -> asyncio.Task | None:
+        """Perform a rebuild of local build app.
+
+        Returns a Task that completes when app has state 'started' (see app.start)
+        if app is started after rebuild. Else nothing is returned.
+        """
+        self.sys_jobs.current.reference = slug
+
+        if slug not in self.local:
+            raise AppsError(f"App {slug} is not installed", _LOGGER.error)
+        app = self.local[slug]
+
+        if app.is_detached:
+            raise AppsError(f"App {slug} is not available inside store", _LOGGER.error)
+        store = self.store[slug]
+
+        # Check if a rebuild is possible now
+        if app.version != store.version:
+            raise AppsError(
+                "Version changed, use Update instead Rebuild", _LOGGER.error
+            )
+        if not force and not app.need_build:
+            raise AppNotSupportedError(
+                "Can't rebuild an image-based app", _LOGGER.error
+            )
+
+        return await app.rebuild()
+
+    @Job(
+        name="addon_manager_restore",
+        conditions=[
+            JobCondition.FREE_SPACE,
+            JobCondition.INTERNET_HOST,
+            JobCondition.HEALTHY,
+        ],
+        on_condition=AppsJobError,
+    )
+    async def restore(self, slug: str, tar_file: SecureTarFile) -> asyncio.Task | None:
+        """Restore state of an app.
+
+        Returns a Task that completes when app has state 'started' (see app.start)
+        if app is started after restore. Else nothing is returned.
+        """
+        self.sys_jobs.current.reference = slug
+
+        if slug not in self.local:
+            _LOGGER.debug("App %s is not locally available for restore", slug)
+            app = App(self.coresys, slug)
+            had_ingress: bool | None = False
+        else:
+            _LOGGER.debug("App %s is locally available for restore", slug)
+            app = self.local[slug]
+            had_ingress = app.ingress_panel
+
+        wait_for_start = await app.restore(tar_file)
+
+        # Check if new
+        if slug not in self.local:
+            _LOGGER.info("Detected new app after restore: %s", slug)
+            self.local[slug] = app
+
+        # Update ingress
+        if had_ingress != app.ingress_panel:
+            await self.sys_ingress.reload()
+            await self.sys_ingress.update_hass_panel(app)
+
+        return wait_for_start
+
+    @Job(
+        name="addon_manager_repair",
+        conditions=[JobCondition.FREE_SPACE, JobCondition.INTERNET_HOST],
+    )
+    async def repair(self) -> None:
+        """Repair local apps."""
+        needs_repair: list[App] = []
+
+        # Evaluate Apps to repair
+        for app in self.installed:
+            if await app.instance.exists():
+                continue
+            needs_repair.append(app)
+
+        _LOGGER.info("Found %d apps to repair", len(needs_repair))
+        if not needs_repair:
+            return
+
+        for app in needs_repair:
+            _LOGGER.info("Repairing for app: %s", app.slug)
+            with suppress(DockerError, KeyError):
+                # Need pull a image again
+                if not app.need_build:
+                    await app.instance.install(app.version, app.image)
+                    continue
+
+                # Need local lookup
+                if app.need_build and not app.is_detached:
+                    store = self.store[app.slug]
+                    # If this app is available for rebuild
+                    if app.version == store.version:
+                        await app.instance.install(app.version, app.image)
+                        continue
+
+            _LOGGER.error("Can't repair %s", app.slug)
+            with suppress(AppsError):
+                await self.uninstall(app.slug)
+
+    async def sync_dns(self) -> None:
+        """Sync apps DNS names."""
+        # Update hosts
+        add_host_coros: list[Awaitable[None]] = []
+        for app in self.installed:
+            try:
+                if not await app.instance.is_running():
+                    continue
+            except DockerError as err:
+                _LOGGER.warning("App %s is corrupt: %s", app.slug, err)
+                self.sys_resolution.create_issue(
+                    IssueType.CORRUPT_DOCKER,
+                    ContextType.ADDON,
+                    reference=app.slug,
+                    suggestions=[SuggestionType.EXECUTE_REPAIR],
+                )
+                await async_capture_exception(err)
+            else:
+                add_host_coros.append(
+                    self.sys_plugins.dns.add_host(
+                        ipv4=app.ip_address, names=[app.hostname], write=False
+                    )
+                )
+
+        await asyncio.gather(*add_host_coros)
+
+        # Write hosts files
+        with suppress(CoreDNSError):
+            await self.sys_plugins.dns.write_hosts()
--- a/supervisor/addons/model.py
+++ b/supervisor/addons/model.py
@@ -1,8 +1,10 @@
-"""Init file for Supervisor add-ons."""
+"""Init file for Supervisor apps."""
+
 from abc import ABC, abstractmethod
 from collections import defaultdict
-from collections.abc import Callable
+from collections.abc import Awaitable, Callable
 from contextlib import suppress
+from datetime import datetime
 import logging
 from pathlib import Path
 from typing import Any
@@ -10,7 +12,7 @@ from typing import Any
 from awesomeversion import AwesomeVersion, AwesomeVersionException

 from ..const import (
-    ATTR_ADVANCED,
+    ARCH_DEPRECATED,
    ATTR_APPARMOR,
    ATTR_ARCH,
    ATTR_AUDIO,
@@ -43,7 +45,7 @@ from ..const import (
    ATTR_JOURNALD,
    ATTR_KERNEL_MODULES,
    ATTR_LEGACY,
-    ATTR_LOCATON,
+    ATTR_LOCATION,
    ATTR_MACHINE,
    ATTR_MAP,
    ATTR_NAME,
@@ -65,38 +67,59 @@ from ..const import (
    ATTR_TIMEOUT,
    ATTR_TMPFS,
    ATTR_TRANSLATIONS,
+    ATTR_TYPE,
    ATTR_UART,
    ATTR_UDEV,
+    ATTR_ULIMITS,
    ATTR_URL,
    ATTR_USB,
    ATTR_VERSION,
+    ATTR_VERSION_TIMESTAMP,
    ATTR_VIDEO,
    ATTR_WATCHDOG,
    ATTR_WEBUI,
+    MACHINE_DEPRECATED,
    SECURITY_DEFAULT,
    SECURITY_DISABLE,
    SECURITY_PROFILE,
-    AddonBoot,
-    AddonStage,
-    AddonStartup,
+    AppBoot,
+    AppBootConfig,
+    AppStage,
+    AppStartup,
+    CpuArch,
 )
 from ..coresys import CoreSys
 from ..docker.const import Capabilities
-from ..exceptions import AddonsNotSupportedError
+from ..exceptions import (
+    AppNotSupportedArchitectureError,
+    AppNotSupportedError,
+    AppNotSupportedHomeAssistantVersionError,
+    AppNotSupportedMachineTypeError,
+    HassioArchNotFound,
+)
 from ..jobs.const import JOB_GROUP_ADDON
 from ..jobs.job_group import JobGroup
 from ..utils import version_is_new_enough
-from .const import ATTR_BACKUP, ATTR_CODENOTARY, AddonBackupMode
-from .options import AddonOptions, UiOptions
-from .validate import RE_SERVICE, RE_VOLUME
+from ..utils.dt import utc_from_timestamp
+from .configuration import FolderMapping
+from .const import (
+    ATTR_BACKUP,
+    ATTR_BREAKING_VERSIONS,
+    ATTR_PATH,
+    ATTR_READ_ONLY,
+    AppBackupMode,
+    MappingType,
+)
+from .options import AppOptions, UiOptions
+from .validate import RE_SERVICE

 _LOGGER: logging.Logger = logging.getLogger(__name__)

 Data = dict[str, Any]


-class AddonModel(JobGroup, ABC):
-    """Add-on Data layout."""
+class AppModel(JobGroup, ABC):
+    """App Data layout."""

    def __init__(self, coresys: CoreSys, slug: str):
        """Initialize data holder."""
@@ -104,25 +127,29 @@ class AddonModel(JobGroup, ABC):
            coresys, JOB_GROUP_ADDON.format_map(defaultdict(str, slug=slug)), slug
        )
        self.slug: str = slug
+        self._path_icon_exists: bool = False
+        self._path_logo_exists: bool = False
+        self._path_changelog_exists: bool = False
+        self._path_documentation_exists: bool = False

    @property
    @abstractmethod
    def data(self) -> Data:
-        """Return add-on config/data."""
+        """Return app config/data."""

    @property
    @abstractmethod
    def is_installed(self) -> bool:
-        """Return True if an add-on is installed."""
+        """Return True if an app is installed."""

    @property
    @abstractmethod
    def is_detached(self) -> bool:
-        """Return True if add-on is detached."""
+        """Return True if app is detached."""

    @property
    def available(self) -> bool:
-        """Return True if this add-on is available on this platform."""
+        """Return True if this app is available on this platform."""
        return self._available(self.data)

    @property
@@ -131,10 +158,15 @@ class AddonModel(JobGroup, ABC):
        return self.data[ATTR_OPTIONS]

    @property
-    def boot(self) -> AddonBoot:
-        """Return boot config with prio local settings."""
+    def boot_config(self) -> AppBootConfig:
+        """Return boot config."""
        return self.data[ATTR_BOOT]

+    @property
+    def boot(self) -> AppBoot:
+        """Return boot config with prio local settings unless config is forced."""
+        return AppBoot(self.data[ATTR_BOOT])
+
    @property
    def auto_update(self) -> bool | None:
        """Return if auto update is enable."""
@@ -142,27 +174,27 @@ class AddonModel(JobGroup, ABC):

    @property
    def name(self) -> str:
-        """Return name of add-on."""
+        """Return name of app."""
        return self.data[ATTR_NAME]

    @property
    def hostname(self) -> str:
-        """Return slug/id of add-on."""
+        """Return slug/id of app."""
        return self.slug.replace("_", "-")

    @property
    def dns(self) -> list[str]:
-        """Return list of DNS name for that add-on."""
+        """Return list of DNS name for that app."""
        return []

    @property
    def timeout(self) -> int:
-        """Return timeout of addon for docker stop."""
+        """Return timeout of app for docker stop."""
        return self.data[ATTR_TIMEOUT]

    @property
    def uuid(self) -> str | None:
-        """Return an API token for this add-on."""
+        """Return an API token for this app."""
        return None

    @property
@@ -182,59 +214,54 @@ class AddonModel(JobGroup, ABC):

    @property
    def description(self) -> str:
-        """Return description of add-on."""
+        """Return description of app."""
        return self.data[ATTR_DESCRIPTON]

-    @property
-    def long_description(self) -> str | None:
-        """Return README.md as long_description."""
-        readme = Path(self.path_location, "README.md")
-
-        # If readme not exists
-        if not readme.exists():
-            return None
-
-        # Return data
-        return readme.read_text(encoding="utf-8")
-
    @property
    def repository(self) -> str:
-        """Return repository of add-on."""
+        """Return repository of app."""
        return self.data[ATTR_REPOSITORY]

    @property
    def translations(self) -> dict:
-        """Return add-on translations."""
+        """Return app translations."""
        return self.data[ATTR_TRANSLATIONS]

    @property
    def latest_version(self) -> AwesomeVersion:
-        """Return latest version of add-on."""
+        """Return latest version of app."""
        return self.data[ATTR_VERSION]

+    @property
+    def latest_version_timestamp(self) -> datetime:
+        """Return when latest version was first seen."""
+        return utc_from_timestamp(self.data[ATTR_VERSION_TIMESTAMP])
+
    @property
    def version(self) -> AwesomeVersion:
-        """Return version of add-on."""
+        """Return version of app."""
        return self.data[ATTR_VERSION]

    @property
    def protected(self) -> bool:
-        """Return if add-on is in protected mode."""
+        """Return if app is in protected mode."""
        return True

    @property
-    def startup(self) -> AddonStartup:
-        """Return startup type of add-on."""
+    def startup(self) -> AppStartup:
+        """Return startup type of app."""
        return self.data[ATTR_STARTUP]

    @property
    def advanced(self) -> bool:
-        """Return advanced mode of add-on."""
-        return self.data[ATTR_ADVANCED]
+        """Return False; advanced mode is deprecated and no longer supported."""
+        # Deprecated since Supervisor 2026.03.0; always returns False and can be
+        # removed once that version is the minimum supported.
+        return False

    @property
-    def stage(self) -> AddonStage:
-        """Return stage mode of add-on."""
+    def stage(self) -> AppStage:
+        """Return stage mode of app."""
        return self.data[ATTR_STAGE]

    @property
@@ -262,7 +289,7 @@ class AddonModel(JobGroup, ABC):

    @property
    def ports(self) -> dict[str, int | None] | None:
-        """Return ports of add-on."""
+        """Return ports of app."""
        return self.data.get(ATTR_PORTS)

    @property
@@ -276,7 +303,7 @@ class AddonModel(JobGroup, ABC):
        return self.data.get(ATTR_WEBUI)

    @property
-    def watchdog(self) -> str | None:
+    def watchdog_url(self) -> str | None:
        """Return URL to for watchdog or None."""
        return self.data.get(ATTR_WATCHDOG)

@@ -292,47 +319,47 @@ class AddonModel(JobGroup, ABC):

    @property
    def panel_title(self) -> str:
-        """Return panel icon for Ingress frame."""
+        """Return panel title for Ingress frame."""
        return self.data.get(ATTR_PANEL_TITLE, self.name)

    @property
-    def panel_admin(self) -> str:
-        """Return panel icon for Ingress frame."""
+    def panel_admin(self) -> bool:
+        """Return if panel is only available for admin users."""
        return self.data[ATTR_PANEL_ADMIN]

    @property
    def host_network(self) -> bool:
-        """Return True if add-on run on host network."""
+        """Return True if app run on host network."""
        return self.data[ATTR_HOST_NETWORK]

    @property
    def host_pid(self) -> bool:
-        """Return True if add-on run on host PID namespace."""
+        """Return True if app run on host PID namespace."""
        return self.data[ATTR_HOST_PID]

    @property
    def host_ipc(self) -> bool:
-        """Return True if add-on run on host IPC namespace."""
+        """Return True if app run on host IPC namespace."""
        return self.data[ATTR_HOST_IPC]

    @property
    def host_uts(self) -> bool:
-        """Return True if add-on run on host UTS namespace."""
+        """Return True if app run on host UTS namespace."""
        return self.data[ATTR_HOST_UTS]

    @property
    def host_dbus(self) -> bool:
-        """Return True if add-on run on host D-BUS."""
+        """Return True if app run on host D-BUS."""
        return self.data[ATTR_HOST_DBUS]

    @property
    def static_devices(self) -> list[Path]:
-        """Return static devices of add-on."""
+        """Return static devices of app."""
        return [Path(node) for node in self.data.get(ATTR_DEVICES, [])]

    @property
    def environment(self) -> dict[str, str] | None:
-        """Return environment of add-on."""
+        """Return environment of app."""
        return self.data.get(ATTR_ENVIRONMENT)

    @property
@@ -351,22 +378,22 @@ class AddonModel(JobGroup, ABC):

    @property
    def legacy(self) -> bool:
-        """Return if the add-on don't support Home Assistant labels."""
+        """Return if the app don't support Home Assistant labels."""
        return self.data[ATTR_LEGACY]

    @property
    def access_docker_api(self) -> bool:
-        """Return if the add-on need read-only Docker API access."""
+        """Return if the app need read-only Docker API access."""
        return self.data[ATTR_DOCKER_API]

    @property
    def access_hassio_api(self) -> bool:
-        """Return True if the add-on access to Supervisor REASTful API."""
+        """Return True if the app access to Supervisor REASTful API."""
        return self.data[ATTR_HASSIO_API]

    @property
    def access_homeassistant_api(self) -> bool:
-        """Return True if the add-on access to Home Assistant API proxy."""
+        """Return True if the app access to Home Assistant API proxy."""
        return self.data[ATTR_HOMEASSISTANT_API]

    @property
@@ -390,28 +417,28 @@ class AddonModel(JobGroup, ABC):
        return self.data.get(ATTR_BACKUP_POST)

    @property
-    def backup_mode(self) -> AddonBackupMode:
+    def backup_mode(self) -> AppBackupMode:
        """Return if backup is hot/cold."""
        return self.data[ATTR_BACKUP]

    @property
    def default_init(self) -> bool:
-        """Return True if the add-on have no own init."""
+        """Return True if the app have no own init."""
        return self.data[ATTR_INIT]

    @property
    def with_stdin(self) -> bool:
-        """Return True if the add-on access use stdin input."""
+        """Return True if the app access use stdin input."""
        return self.data[ATTR_STDIN]

    @property
    def with_ingress(self) -> bool:
-        """Return True if the add-on access support ingress."""
+        """Return True if the app access support ingress."""
        return self.data[ATTR_INGRESS]

    @property
    def ingress_panel(self) -> bool | None:
-        """Return True if the add-on access support ingress."""
+        """Return True if the app access support ingress."""
        return None

    @property
@@ -421,12 +448,12 @@ class AddonModel(JobGroup, ABC):

    @property
    def with_gpio(self) -> bool:
-        """Return True if the add-on access to GPIO interface."""
+        """Return True if the app access to GPIO interface."""
        return self.data[ATTR_GPIO]

    @property
    def with_usb(self) -> bool:
-        """Return True if the add-on need USB access."""
+        """Return True if the app need USB access."""
        return self.data[ATTR_USB]

    @property
@@ -436,96 +463,127 @@ class AddonModel(JobGroup, ABC):

    @property
    def with_udev(self) -> bool:
-        """Return True if the add-on have his own udev."""
+        """Return True if the app have his own udev."""
        return self.data[ATTR_UDEV]

+    @property
+    def ulimits(self) -> dict[str, Any]:
+        """Return ulimits configuration."""
+        return self.data[ATTR_ULIMITS]
+
    @property
    def with_kernel_modules(self) -> bool:
-        """Return True if the add-on access to kernel modules."""
+        """Return True if the app access to kernel modules."""
        return self.data[ATTR_KERNEL_MODULES]

    @property
    def with_realtime(self) -> bool:
-        """Return True if the add-on need realtime schedule functions."""
+        """Return True if the app need realtime schedule functions."""
        return self.data[ATTR_REALTIME]

    @property
    def with_full_access(self) -> bool:
-        """Return True if the add-on want full access to hardware."""
+        """Return True if the app want full access to hardware."""
        return self.data[ATTR_FULL_ACCESS]

    @property
    def with_devicetree(self) -> bool:
-        """Return True if the add-on read access to devicetree."""
+        """Return True if the app read access to devicetree."""
        return self.data[ATTR_DEVICETREE]

    @property
-    def with_tmpfs(self) -> str | None:
-        """Return if tmp is in memory of add-on."""
+    def with_tmpfs(self) -> bool:
+        """Return if tmp is in memory of app."""
        return self.data[ATTR_TMPFS]

    @property
    def access_auth_api(self) -> bool:
-        """Return True if the add-on access to login/auth backend."""
+        """Return True if the app access to login/auth backend."""
        return self.data[ATTR_AUTH_API]

    @property
    def with_audio(self) -> bool:
-        """Return True if the add-on access to audio."""
+        """Return True if the app access to audio."""
        return self.data[ATTR_AUDIO]

    @property
    def with_video(self) -> bool:
-        """Return True if the add-on access to video."""
+        """Return True if the app access to video."""
        return self.data[ATTR_VIDEO]

    @property
-    def homeassistant_version(self) -> str | None:
-        """Return min Home Assistant version they needed by Add-on."""
+    def homeassistant_version(self) -> AwesomeVersion | None:
+        """Return min Home Assistant version they needed by App."""
        return self.data.get(ATTR_HOMEASSISTANT)

    @property
    def url(self) -> str | None:
-        """Return URL of add-on."""
+        """Return URL of app."""
        return self.data.get(ATTR_URL)

    @property
    def with_icon(self) -> bool:
        """Return True if an icon exists."""
-        return self.path_icon.exists()
+        return self._path_icon_exists

    @property
    def with_logo(self) -> bool:
        """Return True if a logo exists."""
-        return self.path_logo.exists()
+        return self._path_logo_exists

    @property
    def with_changelog(self) -> bool:
        """Return True if a changelog exists."""
-        return self.path_changelog.exists()
+        return self._path_changelog_exists

    @property
    def with_documentation(self) -> bool:
        """Return True if a documentation exists."""
-        return self.path_documentation.exists()
+        return self._path_documentation_exists

    @property
    def supported_arch(self) -> list[str]:
        """Return list of supported arch."""
        return self.data[ATTR_ARCH]

+    @property
+    def has_deprecated_arch(self) -> bool:
+        """Return True if app includes deprecated architectures."""
+        return any(arch in ARCH_DEPRECATED for arch in self.supported_arch)
+
+    @property
+    def has_supported_arch(self) -> bool:
+        """Return True if app supports any architecture on this system."""
+        return self.sys_arch.is_supported(self.supported_arch)
+
+    @property
+    def has_deprecated_machine(self) -> bool:
+        """Return True if app includes deprecated machine entries."""
+        return any(
+            machine.lstrip("!") in MACHINE_DEPRECATED
+            for machine in self.supported_machine
+        )
+
+    @property
+    def has_supported_machine(self) -> bool:
+        """Return True if app supports this machine."""
+        if not (machine_types := self.supported_machine):
+            return True
+
+        return (
+            f"!{self.sys_machine}" not in machine_types
+            and self.sys_machine in machine_types
+        )
+
    @property
    def supported_machine(self) -> list[str]:
        """Return list of supported machine."""
        return self.data.get(ATTR_MACHINE, [])

    @property
-    def arch(self) -> str:
-        """Return architecture to use for the addon's image."""
-        if ATTR_IMAGE in self.data:
-            return self.sys_arch.match(self.data[ATTR_ARCH])
-
-        return self.sys_arch.default
+    def arch(self) -> CpuArch:
+        """Return architecture to use for the app's image."""
+        return self.sys_arch.match(self.data[ATTR_ARCH])

    @property
    def image(self) -> str | None:
@@ -534,44 +592,43 @@ class AddonModel(JobGroup, ABC):

    @property
    def need_build(self) -> bool:
-        """Return True if this  add-on need a local build."""
+        """Return True if this  app need a local build."""
        return ATTR_IMAGE not in self.data

    @property
-    def map_volumes(self) -> dict[str, bool]:
-        """Return a dict of {volume: read-only} from add-on."""
+    def map_volumes(self) -> dict[MappingType, FolderMapping]:
+        """Return a dict of {MappingType: FolderMapping} from app."""
        volumes = {}
        for volume in self.data[ATTR_MAP]:
-            result = RE_VOLUME.match(volume)
-            if not result:
-                continue
-            volumes[result.group(1)] = result.group(2) != "rw"
+            volumes[MappingType(volume[ATTR_TYPE])] = FolderMapping(
+                volume.get(ATTR_PATH), volume[ATTR_READ_ONLY]
+            )

        return volumes

    @property
    def path_location(self) -> Path:
-        """Return path to this add-on."""
-        return Path(self.data[ATTR_LOCATON])
+        """Return path to this app."""
+        return Path(self.data[ATTR_LOCATION])

    @property
    def path_icon(self) -> Path:
-        """Return path to add-on icon."""
+        """Return path to app icon."""
        return Path(self.path_location, "icon.png")

    @property
    def path_logo(self) -> Path:
-        """Return path to add-on logo."""
+        """Return path to app logo."""
        return Path(self.path_location, "logo.png")

    @property
    def path_changelog(self) -> Path:
-        """Return path to add-on changelog."""
+        """Return path to app changelog."""
        return Path(self.path_location, "CHANGELOG.md")

    @property
    def path_documentation(self) -> Path:
-        """Return path to add-on changelog."""
+        """Return path to app changelog."""
        return Path(self.path_location, "DOCS.md")

    @property
@@ -580,17 +637,17 @@ class AddonModel(JobGroup, ABC):
        return Path(self.path_location, "apparmor.txt")

    @property
-    def schema(self) -> AddonOptions:
-        """Return Addon options validation object."""
+    def schema(self) -> AppOptions:
+        """Return App options validation object."""
        raw_schema = self.data[ATTR_SCHEMA]
        if isinstance(raw_schema, bool):
            raw_schema = {}

-        return AddonOptions(self.coresys, raw_schema, self.name, self.slug)
+        return AppOptions(self.coresys, raw_schema, self.name, self.slug)

    @property
-    def schema_ui(self) -> list[dict[any, any]] | None:
-        """Create a UI schema for add-on options."""
+    def schema_ui(self) -> list[dict[Any, Any]] | None:
+        """Create a UI schema for app options."""
        raw_schema = self.data[ATTR_SCHEMA]

        if isinstance(raw_schema, bool):
@@ -599,38 +656,67 @@ class AddonModel(JobGroup, ABC):

    @property
    def with_journald(self) -> bool:
-        """Return True if the add-on accesses the system journal."""
+        """Return True if the app accesses the system journal."""
        return self.data[ATTR_JOURNALD]

    @property
    def signed(self) -> bool:
-        """Return True if the image is signed."""
-        return ATTR_CODENOTARY in self.data
+        """Currently no signing support."""
+        return False

    @property
-    def codenotary(self) -> str | None:
-        """Return Signer email address for CAS."""
-        return self.data.get(ATTR_CODENOTARY)
+    def breaking_versions(self) -> list[AwesomeVersion]:
+        """Return breaking versions of app."""
+        return self.data[ATTR_BREAKING_VERSIONS]
+
+    async def long_description(self) -> str | None:
+        """Return README.md as long_description."""
+
+        def read_readme() -> str | None:
+            readme = Path(self.path_location, "README.md")
+
+            # If readme not exists
+            if not readme.exists():
+                return None
+
+            # Return data
+            return readme.read_text(encoding="utf-8", errors="replace")
+
+        return await self.sys_run_in_executor(read_readme)
+
+    def refresh_path_cache(self) -> Awaitable[None]:
+        """Refresh cache of existing paths."""
+
+        def check_paths():
+            self._path_icon_exists = self.path_icon.exists()
+            self._path_logo_exists = self.path_logo.exists()
+            self._path_changelog_exists = self.path_changelog.exists()
+            self._path_documentation_exists = self.path_documentation.exists()
+
+        return self.sys_run_in_executor(check_paths)

    def validate_availability(self) -> None:
-        """Validate if addon is available for current system."""
+        """Validate if app is available for current system."""
        return self._validate_availability(self.data, logger=_LOGGER.error)

-    def __eq__(self, other):
-        """Compaired add-on objects."""
-        if not isinstance(other, AddonModel):
+    def __eq__(self, other: Any) -> bool:
+        """Compare app objects."""
+        if not isinstance(other, AppModel):
            return False
        return self.slug == other.slug

+    def __hash__(self) -> int:
+        """Hash for app objects."""
+        return hash(self.slug)
+
    def _validate_availability(
        self, config, *, logger: Callable[..., None] | None = None
    ) -> None:
-        """Validate if addon is available for current system."""
+        """Validate if app is available for current system."""
        # Architecture
        if not self.sys_arch.is_supported(config[ATTR_ARCH]):
-            raise AddonsNotSupportedError(
-                f"Add-on {self.slug} not supported on this platform, supported architectures: {', '.join(config[ATTR_ARCH])}",
-                logger,
+            raise AppNotSupportedArchitectureError(
+                logger, slug=self.slug, architectures=config[ATTR_ARCH]
            )

        # Machine / Hardware
@@ -638,9 +724,8 @@ class AddonModel(JobGroup, ABC):
        if machine and (
            f"!{self.sys_machine}" in machine or self.sys_machine not in machine
        ):
-            raise AddonsNotSupportedError(
-                f"Add-on {self.slug} not supported on this machine, supported machine types: {', '.join(machine)}",
-                logger,
+            raise AppNotSupportedMachineTypeError(
+                logger, slug=self.slug, machine_types=machine
            )

        # Home Assistant
@@ -649,16 +734,15 @@ class AddonModel(JobGroup, ABC):
            if version and not version_is_new_enough(
                self.sys_homeassistant.version, version
            ):
-                raise AddonsNotSupportedError(
-                    f"Add-on {self.slug} not supported on this system, requires Home Assistant version {version} or greater",
-                    logger,
+                raise AppNotSupportedHomeAssistantVersionError(
+                    logger, slug=self.slug, version=str(version)
                )

    def _available(self, config) -> bool:
-        """Return True if this add-on is available on this platform."""
+        """Return True if this app is available on this platform."""
        try:
            self._validate_availability(config)
-        except AddonsNotSupportedError:
+        except AppNotSupportedError:
            return False

        return True
@@ -667,8 +751,12 @@ class AddonModel(JobGroup, ABC):
        """Generate image name from data."""
        # Repository with Dockerhub images
        if ATTR_IMAGE in config:
-            arch = self.sys_arch.match(config[ATTR_ARCH])
+            try:
+                arch = self.sys_arch.match(config[ATTR_ARCH])
+            except HassioArchNotFound:
+                arch = self.sys_arch.default
            return config[ATTR_IMAGE].format(arch=arch)

        # local build
-        return f"{config[ATTR_REPOSITORY]}/{self.sys_arch.default}-addon-{config[ATTR_SLUG]}"
+        arch = self.sys_arch.match(config[ATTR_ARCH])
+        return f"{config[ATTR_REPOSITORY]}/{arch!s}-addon-{config[ATTR_SLUG]}"
--- a/supervisor/addons/options.py
+++ b/supervisor/addons/options.py
@@ -1,4 +1,5 @@
-"""Add-on Options / UI rendering."""
+"""App Options / UI rendering."""
+
 import hashlib
 import logging
 from pathlib import Path
@@ -36,8 +37,8 @@ RE_SCHEMA_ELEMENT = re.compile(
    r"|device(?:\((?P<filter>subsystem=[a-z]+)\))?"
    r"|str(?:\((?P<s_min>\d+)?,(?P<s_max>\d+)?\))?"
    r"|password(?:\((?P<p_min>\d+)?,(?P<p_max>\d+)?\))?"
-    r"|int(?:\((?P<i_min>\d+)?,(?P<i_max>\d+)?\))?"
-    r"|float(?:\((?P<f_min>[\d\.]+)?,(?P<f_max>[\d\.]+)?\))?"
+    r"|int(?:\((?P<i_min>-?\d+)?,(?P<i_max>-?\d+)?\))?"
+    r"|float(?:\((?P<f_min>-?\d*\.?\d+)?,(?P<f_max>-?\d*\.?\d+)?\))?"
    r"|match\((?P<match>.*)\)"
    r"|list\((?P<list>.+)\)"
    r")\??$"
@@ -55,8 +56,8 @@ _SCHEMA_LENGTH_PARTS = (
 )


-class AddonOptions(CoreSysAttributes):
-    """Validate Add-ons Options."""
+class AppOptions(CoreSysAttributes):
+    """Validate Apps Options."""

    def __init__(
        self, coresys: CoreSys, raw_schema: dict[str, Any], name: str, slug: str
@@ -71,11 +72,11 @@ class AddonOptions(CoreSysAttributes):

    @property
    def validate(self) -> vol.Schema:
-        """Create a schema for add-on options."""
+        """Create a schema for app options."""
        return vol.Schema(vol.All(dict, self))

-    def __call__(self, struct):
-        """Create schema validator for add-ons options."""
+    def __call__(self, struct: dict[str, Any]) -> dict[str, Any]:
+        """Create schema validator for apps options."""
        options = {}

        # read options
@@ -92,15 +93,7 @@ class AddonOptions(CoreSysAttributes):

            typ = self.raw_schema[key]
            try:
-                if isinstance(typ, list):
-                    # nested value list
-                    options[key] = self._nested_validate_list(typ[0], value, key)
-                elif isinstance(typ, dict):
-                    # nested value dict
-                    options[key] = self._nested_validate_dict(typ, value, key)
-                else:
-                    # normal value
-                    options[key] = self._single_validate(typ, value, key)
+                options[key] = self._validate_element(typ, value, key)
            except (IndexError, KeyError):
                raise vol.Invalid(
                    f"Type error for option '{key}' in {self._name} ({self._slug})"
@@ -110,7 +103,20 @@ class AddonOptions(CoreSysAttributes):
        return options

    # pylint: disable=no-value-for-parameter
-    def _single_validate(self, typ: str, value: Any, key: str):
+    def _validate_element(self, typ: Any, value: Any, key: str) -> Any:
+        """Validate a value against a type specification."""
+        if isinstance(typ, list):
+            # nested value list
+            return self._nested_validate_list(typ[0], value, key)
+        elif isinstance(typ, dict):
+            # nested value dict
+            return self._nested_validate_dict(typ, value, key)
+        else:
+            # normal value
+            return self._single_validate(typ, value, key)
+
+    # pylint: disable=no-value-for-parameter
+    def _single_validate(self, typ: str, value: Any, key: str) -> Any:
        """Validate a single element."""
        # if required argument
        if value is None:
@@ -136,7 +142,7 @@ class AddonOptions(CoreSysAttributes):
            ) from None

        # prepare range
-        range_args = {}
+        range_args: dict[str, Any] = {}
        for group_name in _SCHEMA_LENGTH_PARTS:
            group_value = match.group(group_name)
            if group_value:
@@ -163,6 +169,10 @@ class AddonOptions(CoreSysAttributes):
        elif typ.startswith(_LIST):
            return vol.In(match.group("list").split("|"))(str(value))
        elif typ.startswith(_DEVICE):
+            if not isinstance(value, str):
+                raise vol.Invalid(
+                    f"Expected a string for option '{key}' in {self._name} ({self._slug})"
+                )
            try:
                device = self.sys_hardware.get_by_path(Path(value))
            except HardwareNotFound:
@@ -181,13 +191,13 @@ class AddonOptions(CoreSysAttributes):

            # Device valid
            self.devices.add(device)
-            return str(device.path)
+            return str(value)

        raise vol.Invalid(
            f"Fatal error for option '{key}' with type '{typ}' in {self._name} ({self._slug})"
        ) from None

-    def _nested_validate_list(self, typ: Any, data_list: list[Any], key: str):
+    def _nested_validate_list(self, typ: Any, data_list: Any, key: str) -> list[Any]:
        """Validate nested items."""
        options = []

@@ -200,17 +210,13 @@ class AddonOptions(CoreSysAttributes):
        # Process list
        for element in data_list:
            # Nested?
-            if isinstance(typ, dict):
-                c_options = self._nested_validate_dict(typ, element, key)
-                options.append(c_options)
-            else:
-                options.append(self._single_validate(typ, element, key))
+            options.append(self._validate_element(typ, element, key))

        return options

    def _nested_validate_dict(
-        self, typ: dict[Any, Any], data_dict: dict[Any, Any], key: str
-    ):
+        self, typ: dict[Any, Any], data_dict: Any, key: str
+    ) -> dict[Any, Any]:
        """Validate nested items."""
        options = {}

@@ -230,12 +236,7 @@ class AddonOptions(CoreSysAttributes):
                continue

            # Nested?
-            if isinstance(typ[c_key], list):
-                options[c_key] = self._nested_validate_list(
-                    typ[c_key][0], c_value, c_key
-                )
-            else:
-                options[c_key] = self._single_validate(typ[c_key], c_value, c_key)
+            options[c_key] = self._validate_element(typ[c_key], c_value, c_key)

        self._check_missing_options(typ, options, key)
        return options
@@ -261,11 +262,11 @@ class AddonOptions(CoreSysAttributes):


 class UiOptions(CoreSysAttributes):
-    """Render UI Add-ons Options."""
+    """Render UI Apps Options."""

    def __init__(self, coresys: CoreSys) -> None:
        """Initialize UI option render."""
-        self.coresys = coresys
+        self.coresys: CoreSys = coresys

    def __call__(self, raw_schema: dict[str, Any]) -> list[dict[str, Any]]:
        """Generate UI schema."""
@@ -273,18 +274,28 @@ class UiOptions(CoreSysAttributes):

        # read options
        for key, value in raw_schema.items():
-            if isinstance(value, list):
-                # nested value list
-                self._nested_ui_list(ui_schema, value, key)
-            elif isinstance(value, dict):
-                # nested value dict
-                self._nested_ui_dict(ui_schema, value, key)
-            else:
-                # normal value
-                self._single_ui_option(ui_schema, value, key)
+            self._ui_schema_element(ui_schema, value, key)

        return ui_schema

+    def _ui_schema_element(
+        self,
+        ui_schema: list[dict[str, Any]],
+        value: str | list[Any] | dict[str, Any],
+        key: str,
+        multiple: bool = False,
+    ) -> None:
+        if isinstance(value, list):
+            # nested value list
+            assert not multiple
+            self._nested_ui_list(ui_schema, value, key)
+        elif isinstance(value, dict):
+            # nested value dict
+            self._nested_ui_dict(ui_schema, value, key, multiple)
+        else:
+            # normal value
+            self._single_ui_option(ui_schema, value, key, multiple)
+
    def _single_ui_option(
        self,
        ui_schema: list[dict[str, Any]],
@@ -376,10 +387,7 @@ class UiOptions(CoreSysAttributes):
            _LOGGER.error("Invalid schema %s", key)
            return

-        if isinstance(element, dict):
-            self._nested_ui_dict(ui_schema, element, key, multiple=True)
-        else:
-            self._single_ui_option(ui_schema, element, key, multiple=True)
+        self._ui_schema_element(ui_schema, element, key, multiple=True)

    def _nested_ui_dict(
        self,
@@ -389,20 +397,16 @@ class UiOptions(CoreSysAttributes):
        multiple: bool = False,
    ) -> None:
        """UI nested dict items."""
-        ui_node = {
+        ui_node: dict[str, Any] = {
            "name": key,
            "type": "schema",
            "optional": True,
            "multiple": multiple,
        }

-        nested_schema = []
+        nested_schema: list[dict[str, Any]] = []
        for c_key, c_value in option_dict.items():
-            # Nested?
-            if isinstance(c_value, list):
-                self._nested_ui_list(nested_schema, c_value, c_key)
-            else:
-                self._single_ui_option(nested_schema, c_value, c_key)
+            self._ui_schema_element(nested_schema, c_value, c_key)

        ui_node["schema"] = nested_schema
        ui_schema.append(ui_node)
@@ -412,7 +416,7 @@ def _create_device_filter(str_filter: str) -> dict[str, Any]:
    """Generate device Filter."""
    raw_filter = dict(value.split("=") for value in str_filter.split(";"))

-    clean_filter = {}
+    clean_filter: dict[str, Any] = {}
    for key, value in raw_filter.items():
        if key == "subsystem":
            clean_filter[key] = UdevSubsystem(value)
--- a/supervisor/addons/utils.py
+++ b/supervisor/addons/utils.py
@@ -1,21 +1,22 @@
-"""Util add-ons functions."""
+"""Util apps functions."""
+
 from __future__ import annotations

-import asyncio
 import logging
 from pathlib import Path
+import subprocess
 from typing import TYPE_CHECKING

 from ..const import ROLE_ADMIN, ROLE_MANAGER, SECURITY_DISABLE, SECURITY_PROFILE
 from ..docker.const import Capabilities

 if TYPE_CHECKING:
-    from .model import AddonModel
+    from .model import AppModel

 _LOGGER: logging.Logger = logging.getLogger(__name__)


-def rating_security(addon: AddonModel) -> int:
+def rating_security(app: AppModel) -> int:
    """Return 1-8 for security rating.

    1 = not secure
@@ -24,27 +25,28 @@ def rating_security(addon: AddonModel) -> int:
    rating = 5

    # AppArmor
-    if addon.apparmor == SECURITY_DISABLE:
+    if app.apparmor == SECURITY_DISABLE:
        rating += -1
-    elif addon.apparmor == SECURITY_PROFILE:
+    elif app.apparmor == SECURITY_PROFILE:
        rating += 1

    # Home Assistant Login & Ingress
-    if addon.with_ingress:
+    if app.with_ingress:
        rating += 2
-    elif addon.access_auth_api:
+    elif app.access_auth_api:
        rating += 1

    # Signed
-    if addon.signed:
+    if app.signed:
        rating += 1

    # Privileged options
    if (
        any(
-            privilege in addon.privileged
+            privilege in app.privileged
            for privilege in (
                Capabilities.BPF,
+                Capabilities.CHECKPOINT_RESTORE,
                Capabilities.DAC_READ_SEARCH,
                Capabilities.NET_ADMIN,
                Capabilities.NET_RAW,
@@ -55,47 +57,49 @@ def rating_security(addon: AddonModel) -> int:
                Capabilities.SYS_RAWIO,
            )
        )
-        or addon.with_kernel_modules
+        or app.with_kernel_modules
    ):
        rating += -1

    # API Supervisor role
-    if addon.hassio_role == ROLE_MANAGER:
+    if app.hassio_role == ROLE_MANAGER:
        rating += -1
-    elif addon.hassio_role == ROLE_ADMIN:
+    elif app.hassio_role == ROLE_ADMIN:
        rating += -2

    # Not secure Networking
-    if addon.host_network:
+    if app.host_network:
        rating += -1

    # Insecure PID namespace
-    if addon.host_pid:
+    if app.host_pid:
        rating += -2

    # UTS host namespace allows to set hostname only with SYS_ADMIN
-    if addon.host_uts and Capabilities.SYS_ADMIN in addon.privileged:
+    if app.host_uts and Capabilities.SYS_ADMIN in app.privileged:
        rating += -1

    # Docker Access & full Access
-    if addon.access_docker_api or addon.with_full_access:
+    if app.access_docker_api or app.with_full_access:
        rating = 1

    return max(min(8, rating), 1)


-async def remove_data(folder: Path) -> None:
-    """Remove folder and reset privileged."""
-    try:
-        proc = await asyncio.create_subprocess_exec(
-            "rm", "-rf", str(folder), stdout=asyncio.subprocess.DEVNULL
-        )
+def remove_data(folder: Path) -> None:
+    """Remove folder and reset privileged.

-        _, error_msg = await proc.communicate()
+    Must be run in executor.
+    """
+    try:
+        subprocess.run(
+            ["rm", "-rf", str(folder)], stdout=subprocess.DEVNULL, text=True, check=True
+        )
    except OSError as err:
        error_msg = str(err)
+    except subprocess.CalledProcessError as procerr:
+        error_msg = procerr.stderr.strip()
    else:
-        if proc.returncode == 0:
-            return
+        return

-    _LOGGER.error("Can't remove Add-on Data: %s", error_msg)
+    _LOGGER.error("Can't remove app data: %s", error_msg)
--- a/supervisor/addons/validate.py
+++ b/supervisor/addons/validate.py
@@ -1,4 +1,5 @@
-"""Validate add-ons options schema."""
+"""Validate apps options schema."""
+
 import logging
 import re
 import secrets
@@ -8,7 +9,8 @@ import uuid
 import voluptuous as vol

 from ..const import (
-    ARCH_ALL,
+    ARCH_ALL_COMPAT,
+    ARCH_DEPRECATED,
    ATTR_ACCESS_TOKEN,
    ATTR_ADVANCED,
    ATTR_APPARMOR,
@@ -31,6 +33,7 @@ from ..const import (
    ATTR_DISCOVERY,
    ATTR_DOCKER_API,
    ATTR_ENVIRONMENT,
+    ATTR_FIELDS,
    ATTR_FULL_ACCESS,
    ATTR_GPIO,
    ATTR_HASSIO_API,
@@ -54,7 +57,7 @@ from ..const import (
    ATTR_KERNEL_MODULES,
    ATTR_LABELS,
    ATTR_LEGACY,
-    ATTR_LOCATON,
+    ATTR_LOCATION,
    ATTR_MACHINE,
    ATTR_MAP,
    ATTR_NAME,
@@ -78,11 +81,15 @@ from ..const import (
    ATTR_STATE,
    ATTR_STDIN,
    ATTR_SYSTEM,
+    ATTR_SYSTEM_MANAGED,
+    ATTR_SYSTEM_MANAGED_CONFIG_ENTRY,
    ATTR_TIMEOUT,
    ATTR_TMPFS,
    ATTR_TRANSLATIONS,
+    ATTR_TYPE,
    ATTR_UART,
    ATTR_UDEV,
+    ATTR_ULIMITS,
    ATTR_URL,
    ATTR_USB,
    ATTR_USER,
@@ -91,17 +98,15 @@ from ..const import (
    ATTR_VIDEO,
    ATTR_WATCHDOG,
    ATTR_WEBUI,
-    MAP_ADDON_CONFIG,
-    MAP_CONFIG,
-    MAP_HOMEASSISTANT_CONFIG,
+    MACHINE_DEPRECATED,
    ROLE_ALL,
    ROLE_DEFAULT,
-    AddonBoot,
-    AddonStage,
-    AddonStartup,
-    AddonState,
+    AppBoot,
+    AppBootConfig,
+    AppStage,
+    AppStartup,
+    AppState,
 )
-from ..discovery.validate import valid_discovery_service
 from ..docker.const import Capabilities
 from ..validate import (
    docker_image,
@@ -112,13 +117,22 @@ from ..validate import (
    uuid_match,
    version_tag,
 )
-from .const import ATTR_BACKUP, ATTR_CODENOTARY, RE_SLUG, AddonBackupMode
+from .const import (
+    ATTR_BACKUP,
+    ATTR_BREAKING_VERSIONS,
+    ATTR_CODENOTARY,
+    ATTR_PATH,
+    ATTR_READ_ONLY,
+    RE_SLUG,
+    AppBackupMode,
+    MappingType,
+)
 from .options import RE_SCHEMA_ELEMENT

 _LOGGER: logging.Logger = logging.getLogger(__name__)

 RE_VOLUME = re.compile(
-    r"^(config|ssl|addons|backup|share|media|homeassistant_config|all_addon_configs|addon_config)(?::(rw|ro))?$"
+    r"^(data|config|ssl|addons|backup|share|media|homeassistant_config|all_addon_configs|addon_config)(?::(rw|ro))?$"
 )
 RE_SERVICE = re.compile(r"^(?P<service>mqtt|mysql):(?P<rights>provide|want|need)$")

@@ -127,11 +141,25 @@ RE_DOCKER_IMAGE_BUILD = re.compile(
    r"^([a-zA-Z\-\.:\d{}]+/)*?([\-\w{}]+)/([\-\w{}]+)(:[\.\-\w{}]+)?$"
 )

-SCHEMA_ELEMENT = vol.Match(RE_SCHEMA_ELEMENT)
+SCHEMA_ELEMENT = vol.Schema(
+    vol.Any(
+        vol.Match(RE_SCHEMA_ELEMENT),
+        [
+            # A list may not directly contain another list
+            vol.Any(
+                vol.Match(RE_SCHEMA_ELEMENT),
+                {str: vol.Self},
+            )
+        ],
+        {str: vol.Self},
+    )
+)

 RE_MACHINE = re.compile(
    r"^!?(?:"
    r"|intel-nuc"
+    r"|khadas-vim3"
+    r"|generic-aarch64"
    r"|generic-x86-64"
    r"|odroid-c2"
    r"|odroid-c4"
@@ -148,6 +176,7 @@ RE_MACHINE = re.compile(
    r"|raspberrypi3"
    r"|raspberrypi4-64"
    r"|raspberrypi4"
+    r"|raspberrypi5-64"
    r"|yellow"
    r"|green"
    r"|tinker"
@@ -157,11 +186,20 @@ RE_MACHINE = re.compile(
 RE_SLUG_FIELD = re.compile(r"^" + RE_SLUG + r"$")


-def _warn_addon_config(config: dict[str, Any]):
+def _warn_app_config(config: dict[str, Any]):
    """Warn about miss configs."""
    name = config.get(ATTR_NAME)
    if not name:
-        raise vol.Invalid("Invalid Add-on config!")
+        raise vol.Invalid("Invalid app config!")
+
+    if ATTR_ADVANCED in config:
+        # Deprecated since Supervisor 2026.03.0; this field is ignored and the
+        # warning can be removed once that version is the minimum supported.
+        _LOGGER.warning(
+            "App '%s' uses deprecated 'advanced' field in config. "
+            "This field is ignored by the Supervisor. Please report this to the maintainer.",
+            name,
+        )

    if config.get(ATTR_FULL_ACCESS, False) and (
        config.get(ATTR_DEVICES)
@@ -170,62 +208,76 @@ def _warn_addon_config(config: dict[str, Any]):
        or config.get(ATTR_GPIO)
    ):
        _LOGGER.warning(
-            "Add-on have full device access, and selective device access in the configuration. Please report this to the maintainer of %s",
+            "App has full device access, and selective device access in the configuration. Please report this to the maintainer of %s",
            name,
        )

-    if config.get(ATTR_BACKUP, AddonBackupMode.HOT) == AddonBackupMode.COLD and (
+    if config.get(ATTR_BACKUP, AppBackupMode.HOT) == AppBackupMode.COLD and (
        config.get(ATTR_BACKUP_POST) or config.get(ATTR_BACKUP_PRE)
    ):
        _LOGGER.warning(
-            "Add-on which only support COLD backups trying to use post/pre commands. Please report this to the maintainer of %s",
+            "An app that only supports COLD backups is trying to use pre/post commands. Please report this to the maintainer of %s",
            name,
        )

-    invalid_services: list[str] = []
-    for service in config.get(ATTR_DISCOVERY, []):
-        try:
-            valid_discovery_service(service)
-        except vol.Invalid:
-            invalid_services.append(service)
-
-    if invalid_services:
+    if deprecated_arches := [
+        arch for arch in config.get(ATTR_ARCH, []) if arch in ARCH_DEPRECATED
+    ]:
        _LOGGER.warning(
-            "Add-on lists the following unknown services for discovery: %s. Please report this to the maintainer of %s",
-            ", ".join(invalid_services),
+            "App config 'arch' uses deprecated values %s. Please report this to the maintainer of %s",
+            deprecated_arches,
+            name,
+        )
+
+    if deprecated_machines := [
+        machine
+        for machine in config.get(ATTR_MACHINE, [])
+        if machine.lstrip("!") in MACHINE_DEPRECATED
+    ]:
+        _LOGGER.warning(
+            "App config 'machine' uses deprecated values %s. Please report this to the maintainer of %s",
+            deprecated_machines,
+            name,
+        )
+
+    if ATTR_CODENOTARY in config:
+        _LOGGER.warning(
+            "App '%s' uses deprecated 'codenotary' field in config. This field is no longer used and will be ignored. Please report this to the maintainer.",
            name,
        )

    return config


-def _migrate_addon_config(protocol=False):
-    """Migrate addon config."""
+def _migrate_app_config(protocol=False):
+    """Migrate app config."""

    def _migrate(config: dict[str, Any]):
+        if not isinstance(config, dict):
+            raise vol.Invalid("App config must be a dictionary!")
        name = config.get(ATTR_NAME)
        if not name:
-            raise vol.Invalid("Invalid Add-on config!")
+            raise vol.Invalid("Invalid app config!")

        # Startup 2018-03-30
        if config.get(ATTR_STARTUP) in ("before", "after"):
            value = config[ATTR_STARTUP]
            if protocol:
                _LOGGER.warning(
-                    "Add-on config 'startup' with '%s' is deprecated. Please report this to the maintainer of %s",
+                    "App config 'startup' with '%s' is deprecated. Please report this to the maintainer of %s",
                    value,
                    name,
                )
            if value == "before":
-                config[ATTR_STARTUP] = AddonStartup.SERVICES
+                config[ATTR_STARTUP] = AppStartup.SERVICES
            elif value == "after":
-                config[ATTR_STARTUP] = AddonStartup.APPLICATION
+                config[ATTR_STARTUP] = AppStartup.APPLICATION

        # UART 2021-01-20
        if "auto_uart" in config:
            if protocol:
                _LOGGER.warning(
-                    "Add-on config 'auto_uart' is deprecated, use 'uart'. Please report this to the maintainer of %s",
+                    "App config 'auto_uart' is deprecated, use 'uart'. Please report this to the maintainer of %s",
                    name,
                )
            config[ATTR_UART] = config.pop("auto_uart")
@@ -234,7 +286,7 @@ def _migrate_addon_config(protocol=False):
        if ATTR_DEVICES in config and any(":" in line for line in config[ATTR_DEVICES]):
            if protocol:
                _LOGGER.warning(
-                    "Add-on config 'devices' use a deprecated format, the new format uses a list of paths only. Please report this to the maintainer of %s",
+                    "App config 'devices' uses a deprecated format instead of a list of paths only. Please report this to the maintainer of %s",
                    name,
                )
            config[ATTR_DEVICES] = [line.split(":")[0] for line in config[ATTR_DEVICES]]
@@ -243,7 +295,7 @@ def _migrate_addon_config(protocol=False):
        if ATTR_TMPFS in config and not isinstance(config[ATTR_TMPFS], bool):
            if protocol:
                _LOGGER.warning(
-                    "Add-on config 'tmpfs' use a deprecated format, new it's only a boolean. Please report this to the maintainer of %s",
+                    "App config 'tmpfs' uses a deprecated format instead of just a boolean. Please report this to the maintainer of %s",
                    name,
                )
            config[ATTR_TMPFS] = True
@@ -259,32 +311,64 @@ def _migrate_addon_config(protocol=False):
                new_entry = entry.replace("snapshot", "backup")
                config[new_entry] = config.pop(entry)
                _LOGGER.warning(
-                    "Add-on config '%s' is deprecated, '%s' should be used instead. Please report this to the maintainer of %s",
+                    "App config '%s' is deprecated, '%s' should be used instead. Please report this to the maintainer of %s",
                    entry,
                    new_entry,
                    name,
                )

-        # 2023-10 "config" became "homeassistant" so /config can be used for addon's public config
-        volumes = [RE_VOLUME.match(entry) for entry in config.get(ATTR_MAP, [])]
-        if any(volume and volume.group(1) == MAP_CONFIG for volume in volumes):
+        # 2023-11 "map" entries can also be dict to allow path configuration
+        volumes = []
+        for entry in config.get(ATTR_MAP, []):
+            if isinstance(entry, dict):
+                # Validate that dict entries have required 'type' field
+                if ATTR_TYPE not in entry:
+                    _LOGGER.warning(
+                        "App config has invalid map entry missing 'type' field: %s. Skipping invalid entry for %s",
+                        entry,
+                        name,
+                    )
+                    continue
+                volumes.append(entry)
+            if isinstance(entry, str):
+                result = RE_VOLUME.match(entry)
+                if not result:
+                    _LOGGER.warning(
+                        "App config has invalid map entry: %s. Skipping invalid entry for %s",
+                        entry,
+                        name,
+                    )
+                    continue
+                volumes.append(
+                    {
+                        ATTR_TYPE: result.group(1),
+                        ATTR_READ_ONLY: result.group(2) != "rw",
+                    }
+                )
+
+        # Always update config to clear potentially malformed ones
+        config[ATTR_MAP] = volumes
+
+        # 2023-10 "config" became "homeassistant" so /config can be used for app's public config
+        if any(volume[ATTR_TYPE] == MappingType.CONFIG for volume in volumes):
            if any(
                volume
-                and volume.group(1) in {MAP_ADDON_CONFIG, MAP_HOMEASSISTANT_CONFIG}
+                and volume[ATTR_TYPE]
+                in {MappingType.ADDON_CONFIG, MappingType.HOMEASSISTANT_CONFIG}
                for volume in volumes
            ):
                _LOGGER.warning(
-                    "Add-on config using incompatible map options, '%s' and '%s' are ignored if '%s' is included. Please report this to the maintainer of %s",
-                    MAP_ADDON_CONFIG,
-                    MAP_HOMEASSISTANT_CONFIG,
-                    MAP_CONFIG,
+                    "App config using incompatible map options, '%s' and '%s' are ignored if '%s' is included. Please report this to the maintainer of %s",
+                    MappingType.ADDON_CONFIG,
+                    MappingType.HOMEASSISTANT_CONFIG,
+                    MappingType.CONFIG,
                    name,
                )
            else:
                _LOGGER.debug(
-                    "Add-on config using deprecated map option '%s' instead of '%s'. Please report this to the maintainer of %s",
-                    MAP_CONFIG,
-                    MAP_HOMEASSISTANT_CONFIG,
+                    "App config using deprecated map option '%s' instead of '%s'. Please report this to the maintainer of %s",
+                    MappingType.CONFIG,
+                    MappingType.HOMEASSISTANT_CONFIG,
                    name,
                )

@@ -300,16 +384,16 @@ _SCHEMA_ADDON_CONFIG = vol.Schema(
        vol.Required(ATTR_VERSION): version_tag,
        vol.Required(ATTR_SLUG): vol.Match(RE_SLUG_FIELD),
        vol.Required(ATTR_DESCRIPTON): str,
-        vol.Required(ATTR_ARCH): [vol.In(ARCH_ALL)],
+        vol.Required(ATTR_ARCH): [vol.In(ARCH_ALL_COMPAT)],
        vol.Optional(ATTR_MACHINE): vol.All([vol.Match(RE_MACHINE)], vol.Unique()),
        vol.Optional(ATTR_URL): vol.Url(),
-        vol.Optional(ATTR_STARTUP, default=AddonStartup.APPLICATION): vol.Coerce(
-            AddonStartup
+        vol.Optional(ATTR_STARTUP, default=AppStartup.APPLICATION): vol.Coerce(
+            AppStartup
        ),
-        vol.Optional(ATTR_BOOT, default=AddonBoot.AUTO): vol.Coerce(AddonBoot),
+        vol.Optional(ATTR_BOOT, default=AppBootConfig.AUTO): vol.Coerce(AppBootConfig),
        vol.Optional(ATTR_INIT, default=True): vol.Boolean(),
        vol.Optional(ATTR_ADVANCED, default=False): vol.Boolean(),
-        vol.Optional(ATTR_STAGE, default=AddonStage.STABLE): vol.Coerce(AddonStage),
+        vol.Optional(ATTR_STAGE, default=AppStage.STABLE): vol.Coerce(AppStage),
        vol.Optional(ATTR_PORTS): docker_ports,
        vol.Optional(ATTR_PORTS_DESCRIPTION): docker_ports_description,
        vol.Optional(ATTR_WATCHDOG): vol.Match(
@@ -336,7 +420,15 @@ _SCHEMA_ADDON_CONFIG = vol.Schema(
        vol.Optional(ATTR_DEVICES): [str],
        vol.Optional(ATTR_UDEV, default=False): vol.Boolean(),
        vol.Optional(ATTR_TMPFS, default=False): vol.Boolean(),
-        vol.Optional(ATTR_MAP, default=list): [vol.Match(RE_VOLUME)],
+        vol.Optional(ATTR_MAP, default=list): [
+            vol.Schema(
+                {
+                    vol.Required(ATTR_TYPE): vol.Coerce(MappingType),
+                    vol.Optional(ATTR_READ_ONLY, default=True): bool,
+                    vol.Optional(ATTR_PATH): str,
+                }
+            )
+        ],
        vol.Optional(ATTR_ENVIRONMENT): {vol.Match(r"\w*"): str},
        vol.Optional(ATTR_PRIVILEGED): [vol.Coerce(Capabilities)],
        vol.Optional(ATTR_APPARMOR, default=True): vol.Boolean(),
@@ -361,39 +453,38 @@ _SCHEMA_ADDON_CONFIG = vol.Schema(
        vol.Optional(ATTR_BACKUP_EXCLUDE): [str],
        vol.Optional(ATTR_BACKUP_PRE): str,
        vol.Optional(ATTR_BACKUP_POST): str,
-        vol.Optional(ATTR_BACKUP, default=AddonBackupMode.HOT): vol.Coerce(
-            AddonBackupMode
-        ),
-        vol.Optional(ATTR_CODENOTARY): vol.Email(),
+        vol.Optional(ATTR_BACKUP, default=AppBackupMode.HOT): vol.Coerce(AppBackupMode),
        vol.Optional(ATTR_OPTIONS, default={}): dict,
        vol.Optional(ATTR_SCHEMA, default={}): vol.Any(
-            vol.Schema(
-                {
-                    str: vol.Any(
-                        SCHEMA_ELEMENT,
-                        [
-                            vol.Any(
-                                SCHEMA_ELEMENT,
-                                {str: vol.Any(SCHEMA_ELEMENT, [SCHEMA_ELEMENT])},
-                            )
-                        ],
-                        vol.Schema({str: vol.Any(SCHEMA_ELEMENT, [SCHEMA_ELEMENT])}),
-                    )
-                }
-            ),
+            vol.Schema({str: SCHEMA_ELEMENT}),
            False,
        ),
        vol.Optional(ATTR_IMAGE): docker_image,
+        vol.Optional(ATTR_ULIMITS, default=dict): vol.Any(
+            {str: vol.Coerce(int)},  # Simple format: {name: limit}
+            {
+                str: vol.Any(
+                    vol.Coerce(int),  # Simple format for individual entries
+                    vol.Schema(
+                        {  # Detailed format for individual entries
+                            vol.Required("soft"): vol.Coerce(int),
+                            vol.Required("hard"): vol.Coerce(int),
+                        }
+                    ),
+                )
+            },
+        ),
        vol.Optional(ATTR_TIMEOUT, default=10): vol.All(
            vol.Coerce(int), vol.Range(min=10, max=300)
        ),
        vol.Optional(ATTR_JOURNALD, default=False): vol.Boolean(),
+        vol.Optional(ATTR_BREAKING_VERSIONS, default=list): [version_tag],
    },
    extra=vol.REMOVE_EXTRA,
 )

 SCHEMA_ADDON_CONFIG = vol.All(
-    _migrate_addon_config(True), _warn_addon_config, _SCHEMA_ADDON_CONFIG
+    _migrate_app_config(True), _warn_app_config, _SCHEMA_ADDON_CONFIG
 )


@@ -402,7 +493,7 @@ SCHEMA_BUILD_CONFIG = vol.Schema(
    {
        vol.Optional(ATTR_BUILD_FROM, default=dict): vol.Any(
            vol.Match(RE_DOCKER_IMAGE_BUILD),
-            vol.Schema({vol.In(ARCH_ALL): vol.Match(RE_DOCKER_IMAGE_BUILD)}),
+            vol.Schema({vol.In(ARCH_ALL_COMPAT): vol.Match(RE_DOCKER_IMAGE_BUILD)}),
        ),
        vol.Optional(ATTR_SQUASH, default=False): vol.Boolean(),
        vol.Optional(ATTR_ARGS, default=dict): vol.Schema({str: str}),
@@ -415,6 +506,7 @@ SCHEMA_TRANSLATION_CONFIGURATION = vol.Schema(
    {
        vol.Required(ATTR_NAME): str,
        vol.Optional(ATTR_DESCRIPTON): vol.Maybe(str),
+        vol.Optional(ATTR_FIELDS): {str: vol.Self},
    },
    extra=vol.REMOVE_EXTRA,
 )
@@ -439,22 +531,24 @@ SCHEMA_ADDON_USER = vol.Schema(
        vol.Optional(ATTR_INGRESS_TOKEN, default=secrets.token_urlsafe): str,
        vol.Optional(ATTR_OPTIONS, default=dict): dict,
        vol.Optional(ATTR_AUTO_UPDATE, default=False): vol.Boolean(),
-        vol.Optional(ATTR_BOOT): vol.Coerce(AddonBoot),
+        vol.Optional(ATTR_BOOT): vol.Coerce(AppBoot),
        vol.Optional(ATTR_NETWORK): docker_ports,
        vol.Optional(ATTR_AUDIO_OUTPUT): vol.Maybe(str),
        vol.Optional(ATTR_AUDIO_INPUT): vol.Maybe(str),
        vol.Optional(ATTR_PROTECTED, default=True): vol.Boolean(),
        vol.Optional(ATTR_INGRESS_PANEL, default=False): vol.Boolean(),
        vol.Optional(ATTR_WATCHDOG, default=False): vol.Boolean(),
+        vol.Optional(ATTR_SYSTEM_MANAGED, default=False): vol.Boolean(),
+        vol.Optional(ATTR_SYSTEM_MANAGED_CONFIG_ENTRY, default=None): vol.Maybe(str),
    },
    extra=vol.REMOVE_EXTRA,
 )

 SCHEMA_ADDON_SYSTEM = vol.All(
-    _migrate_addon_config(),
+    _migrate_app_config(),
    _SCHEMA_ADDON_CONFIG.extend(
        {
-            vol.Required(ATTR_LOCATON): str,
+            vol.Required(ATTR_LOCATION): str,
            vol.Required(ATTR_REPOSITORY): str,
            vol.Required(ATTR_TRANSLATIONS, default=dict): {
                str: SCHEMA_ADDON_TRANSLATIONS
@@ -477,7 +571,7 @@ SCHEMA_ADDON_BACKUP = vol.Schema(
    {
        vol.Required(ATTR_USER): SCHEMA_ADDON_USER,
        vol.Required(ATTR_SYSTEM): SCHEMA_ADDON_SYSTEM,
-        vol.Required(ATTR_STATE): vol.Coerce(AddonState),
+        vol.Required(ATTR_STATE): vol.Coerce(AppState),
        vol.Required(ATTR_VERSION): version_tag,
    },
    extra=vol.REMOVE_EXTRA,
--- a/supervisor/api/init.py
+++ b/supervisor/api/init.py
@@ -1,20 +1,23 @@
 """Init file for Supervisor RESTful API."""
+
+from dataclasses import dataclass
 from functools import partial
 import logging
 from pathlib import Path
 from typing import Any

-from aiohttp import web
-from aiohttp_fast_url_dispatcher import FastUrlDispatcher, attach_fast_url_dispatcher
+from aiohttp import hdrs, web

-from ..const import AddonState
+from ..const import SUPERVISOR_DOCKER_NAME, AppState
 from ..coresys import CoreSys, CoreSysAttributes
-from ..exceptions import APIAddonNotInstalled
-from .addons import APIAddons
+from ..exceptions import APIAppNotInstalled, HostNotSupportedError
+from ..utils.sentry import async_capture_exception
+from .addons import APIApps
 from .audio import APIAudio
 from .auth import APIAuth
 from .backups import APIBackups
 from .cli import APICli
+from .const import CONTENT_TYPE_TEXT
 from .discovery import APIDiscovery
 from .dns import APICoreDNS
 from .docker import APIDocker
@@ -36,7 +39,7 @@ from .security import APISecurity
 from .services import APIServices
 from .store import APIStore
 from .supervisor import APISupervisor
-from .utils import api_process
+from .utils import api_process, api_process_raw

 _LOGGER: logging.Logger = logging.getLogger(__name__)

@@ -45,6 +48,14 @@ MAX_CLIENT_SIZE: int = 1024**2 * 16
 MAX_LINE_SIZE: int = 24570


+@dataclass(slots=True, frozen=True)
+class StaticResourceConfig:
+    """Configuration for a static resource."""
+
+    prefix: str
+    path: Path
+
+
 class RestAPI(CoreSysAttributes):
    """Handle RESTful API for Supervisor."""

@@ -65,15 +76,20 @@ class RestAPI(CoreSysAttributes):
                "max_field_size": MAX_LINE_SIZE,
            },
        )
-        attach_fast_url_dispatcher(self.webapp, FastUrlDispatcher())

        # service stuff
        self._runner: web.AppRunner = web.AppRunner(self.webapp, shutdown_timeout=5)
        self._site: web.TCPSite | None = None

+        # share single host API handler for reuse in logging endpoints
+        self._api_host: APIHost = APIHost()
+        self._api_host.coresys = coresys
+
    async def load(self) -> None:
        """Register REST API Calls."""
-        self._register_addons()
+        static_resource_configs: list[StaticResourceConfig] = []
+
+        self._register_apps()
        self._register_audio()
        self._register_auth()
        self._register_backups()
@@ -91,7 +107,7 @@ class RestAPI(CoreSysAttributes):
        self._register_network()
        self._register_observer()
        self._register_os()
-        self._register_panel()
+        static_resource_configs.extend(self._register_panel())
        self._register_proxy()
        self._register_resolution()
        self._register_root()
@@ -100,20 +116,90 @@ class RestAPI(CoreSysAttributes):
        self._register_store()
        self._register_supervisor()

+        if static_resource_configs:
+
+            def process_configs() -> list[web.StaticResource]:
+                return [
+                    web.StaticResource(config.prefix, config.path)
+                    for config in static_resource_configs
+                ]
+
+            for resource in await self.sys_run_in_executor(process_configs):
+                self.webapp.router.register_resource(resource)
+
        await self.start()

+    def _register_advanced_logs(
+        self,
+        path: str,
+        syslog_identifier: str,
+        default_verbose: bool = False,
+    ):
+        """Register logs endpoint for a given path, returning logs for single syslog identifier."""
+
+        self.webapp.add_routes(
+            [
+                web.get(
+                    f"{path}/logs",
+                    partial(
+                        self._api_host.advanced_logs,
+                        identifier=syslog_identifier,
+                        default_verbose=default_verbose,
+                    ),
+                ),
+                web.get(
+                    f"{path}/logs/follow",
+                    partial(
+                        self._api_host.advanced_logs,
+                        identifier=syslog_identifier,
+                        follow=True,
+                        default_verbose=default_verbose,
+                    ),
+                ),
+                web.get(
+                    f"{path}/logs/latest",
+                    partial(
+                        self._api_host.advanced_logs,
+                        identifier=syslog_identifier,
+                        latest=True,
+                        no_colors=True,
+                        default_verbose=default_verbose,
+                    ),
+                ),
+                web.get(
+                    f"{path}/logs/boots/{{bootid}}",
+                    partial(
+                        self._api_host.advanced_logs,
+                        identifier=syslog_identifier,
+                        default_verbose=default_verbose,
+                    ),
+                ),
+                web.get(
+                    f"{path}/logs/boots/{{bootid}}/follow",
+                    partial(
+                        self._api_host.advanced_logs,
+                        identifier=syslog_identifier,
+                        follow=True,
+                        default_verbose=default_verbose,
+                    ),
+                ),
+            ]
+        )
+
    def _register_host(self) -> None:
        """Register hostcontrol functions."""
-        api_host = APIHost()
-        api_host.coresys = self.coresys
+        api_host = self._api_host

        self.webapp.add_routes(
            [
                web.get("/host/info", api_host.info),
-                web.get("/host/logs", api_host.advanced_logs),
+                web.get(
+                    "/host/logs",
+                    partial(api_host.advanced_logs, default_verbose=True),
+                ),
                web.get(
                    "/host/logs/follow",
-                    partial(api_host.advanced_logs, follow=True),
+                    partial(api_host.advanced_logs, follow=True, default_verbose=True),
                ),
                web.get("/host/logs/identifiers", api_host.list_identifiers),
                web.get("/host/logs/identifiers/{identifier}", api_host.advanced_logs),
@@ -122,10 +208,13 @@ class RestAPI(CoreSysAttributes):
                    partial(api_host.advanced_logs, follow=True),
                ),
                web.get("/host/logs/boots", api_host.list_boots),
-                web.get("/host/logs/boots/{bootid}", api_host.advanced_logs),
+                web.get(
+                    "/host/logs/boots/{bootid}",
+                    partial(api_host.advanced_logs, default_verbose=True),
+                ),
                web.get(
                    "/host/logs/boots/{bootid}/follow",
-                    partial(api_host.advanced_logs, follow=True),
+                    partial(api_host.advanced_logs, follow=True, default_verbose=True),
                ),
                web.get(
                    "/host/logs/boots/{bootid}/identifiers/{identifier}",
@@ -140,6 +229,7 @@ class RestAPI(CoreSysAttributes):
                web.post("/host/reload", api_host.reload),
                web.post("/host/options", api_host.options),
                web.get("/host/services", api_host.services),
+                web.get("/host/disks/default/usage", api_host.disk_usage),
            ]
        )

@@ -179,9 +269,13 @@ class RestAPI(CoreSysAttributes):
            [
                web.get("/os/info", api_os.info),
                web.post("/os/update", api_os.update),
+                web.get("/os/config/swap", api_os.config_swap_info),
+                web.post("/os/config/swap", api_os.config_swap_options),
                web.post("/os/config/sync", api_os.config_sync),
                web.post("/os/datadisk/move", api_os.migrate_data),
                web.get("/os/datadisk/list", api_os.list_data),
+                web.post("/os/datadisk/wipe", api_os.wipe_data),
+                web.post("/os/boot-slot", api_os.set_boot_slot),
            ]
        )

@@ -219,6 +313,8 @@ class RestAPI(CoreSysAttributes):
                web.get("/jobs/info", api_jobs.info),
                web.post("/jobs/options", api_jobs.options),
                web.post("/jobs/reset", api_jobs.reset),
+                web.get("/jobs/{uuid}", api_jobs.job_info),
+                web.delete("/jobs/{uuid}", api_jobs.remove_job),
            ]
        )

@@ -257,11 +353,13 @@ class RestAPI(CoreSysAttributes):
            [
                web.get("/multicast/info", api_multicast.info),
                web.get("/multicast/stats", api_multicast.stats),
-                web.get("/multicast/logs", api_multicast.logs),
                web.post("/multicast/update", api_multicast.update),
                web.post("/multicast/restart", api_multicast.restart),
            ]
        )
+        self._register_advanced_logs(
+            "/multicast", "hassio_multicast", default_verbose=True
+        )

    def _register_hardware(self) -> None:
        """Register hardware functions."""
@@ -281,6 +379,9 @@ class RestAPI(CoreSysAttributes):
        api_root.coresys = self.coresys

        self.webapp.add_routes([web.get("/info", api_root.info)])
+        self.webapp.add_routes([web.post("/reload_updates", api_root.reload_updates)])
+
+        # Discouraged
        self.webapp.add_routes([web.post("/refresh_updates", api_root.refresh_updates)])
        self.webapp.add_routes(
            [web.get("/available_updates", api_root.available_updates)]
@@ -334,6 +435,7 @@ class RestAPI(CoreSysAttributes):
                web.post("/auth", api_auth.auth),
                web.post("/auth/reset", api_auth.reset),
                web.delete("/auth/cache", api_auth.cache),
+                web.get("/auth/list", api_auth.list_users),
            ]
        )

@@ -347,7 +449,6 @@ class RestAPI(CoreSysAttributes):
                web.get("/supervisor/ping", api_supervisor.ping),
                web.get("/supervisor/info", api_supervisor.info),
                web.get("/supervisor/stats", api_supervisor.stats),
-                web.get("/supervisor/logs", api_supervisor.logs),
                web.post("/supervisor/update", api_supervisor.update),
                web.post("/supervisor/reload", api_supervisor.reload),
                web.post("/supervisor/restart", api_supervisor.restart),
@@ -356,6 +457,45 @@ class RestAPI(CoreSysAttributes):
            ]
        )

+        async def get_supervisor_logs(*args, **kwargs):
+            try:
+                return await self._api_host.advanced_logs_handler(
+                    *args, identifier=SUPERVISOR_DOCKER_NAME, **kwargs
+                )
+            except Exception as err:  # pylint: disable=broad-exception-caught
+                # Supervisor logs are critical, so catch everything, log the exception
+                # and try to return Docker container logs as the fallback
+                _LOGGER.exception(
+                    "Failed to get supervisor logs using advanced_logs API"
+                )
+                if not isinstance(err, HostNotSupportedError):
+                    # No need to capture HostNotSupportedError to Sentry, the cause
+                    # is known and reported to the user using the resolution center.
+                    await async_capture_exception(err)
+                kwargs.pop("follow", None)  # Follow is not supported for Docker logs
+                kwargs.pop("latest", None)  # Latest is not supported for Docker logs
+                kwargs.pop("no_colors", None)  # no_colors not supported for Docker logs
+                return await api_supervisor.logs(*args, **kwargs)
+
+        self.webapp.add_routes(
+            [
+                web.get("/supervisor/logs", get_supervisor_logs),
+                web.get(
+                    "/supervisor/logs/follow",
+                    partial(get_supervisor_logs, follow=True),
+                ),
+                web.get(
+                    "/supervisor/logs/latest",
+                    partial(get_supervisor_logs, latest=True, no_colors=True),
+                ),
+                web.get("/supervisor/logs/boots/{bootid}", get_supervisor_logs),
+                web.get(
+                    "/supervisor/logs/boots/{bootid}/follow",
+                    partial(get_supervisor_logs, follow=True),
+                ),
+            ]
+        )
+
    def _register_homeassistant(self) -> None:
        """Register Home Assistant functions."""
        api_hass = APIHomeAssistant()
@@ -364,7 +504,6 @@ class RestAPI(CoreSysAttributes):
        self.webapp.add_routes(
            [
                web.get("/core/info", api_hass.info),
-                web.get("/core/logs", api_hass.logs),
                web.get("/core/stats", api_hass.stats),
                web.post("/core/options", api_hass.options),
                web.post("/core/update", api_hass.update),
@@ -376,11 +515,12 @@ class RestAPI(CoreSysAttributes):
            ]
        )

+        self._register_advanced_logs("/core", "homeassistant")
+
        # Reroute from legacy
        self.webapp.add_routes(
            [
                web.get("/homeassistant/info", api_hass.info),
-                web.get("/homeassistant/logs", api_hass.logs),
                web.get("/homeassistant/stats", api_hass.stats),
                web.post("/homeassistant/options", api_hass.options),
                web.post("/homeassistant/restart", api_hass.restart),
@@ -392,6 +532,8 @@ class RestAPI(CoreSysAttributes):
            ]
        )

+        self._register_advanced_logs("/homeassistant", "homeassistant")
+
    def _register_proxy(self) -> None:
        """Register Home Assistant API Proxy."""
        api_proxy = APIProxy()
@@ -404,6 +546,7 @@ class RestAPI(CoreSysAttributes):
                web.get("/core/api/stream", api_proxy.stream),
                web.post("/core/api/{path:.+}", api_proxy.api),
                web.get("/core/api/{path:.+}", api_proxy.api),
+                web.delete("/core/api/{path:.+}", api_proxy.api),
                web.get("/core/api/", api_proxy.api),
            ]
        )
@@ -420,49 +563,72 @@ class RestAPI(CoreSysAttributes):
            ]
        )

-    def _register_addons(self) -> None:
-        """Register Add-on functions."""
-        api_addons = APIAddons()
-        api_addons.coresys = self.coresys
+    def _register_apps(self) -> None:
+        """Register App functions."""
+        api_apps = APIApps()
+        api_apps.coresys = self.coresys

        self.webapp.add_routes(
            [
-                web.get("/addons", api_addons.list),
-                web.post("/addons/{addon}/uninstall", api_addons.uninstall),
-                web.post("/addons/{addon}/start", api_addons.start),
-                web.post("/addons/{addon}/stop", api_addons.stop),
-                web.post("/addons/{addon}/restart", api_addons.restart),
-                web.post("/addons/{addon}/options", api_addons.options),
-                web.post(
-                    "/addons/{addon}/options/validate", api_addons.options_validate
-                ),
-                web.get("/addons/{addon}/options/config", api_addons.options_config),
-                web.post("/addons/{addon}/rebuild", api_addons.rebuild),
-                web.get("/addons/{addon}/logs", api_addons.logs),
-                web.post("/addons/{addon}/stdin", api_addons.stdin),
-                web.post("/addons/{addon}/security", api_addons.security),
-                web.get("/addons/{addon}/stats", api_addons.stats),
+                web.get("/addons", api_apps.list_apps),
+                web.post("/addons/{app}/uninstall", api_apps.uninstall),
+                web.post("/addons/{app}/start", api_apps.start),
+                web.post("/addons/{app}/stop", api_apps.stop),
+                web.post("/addons/{app}/restart", api_apps.restart),
+                web.post("/addons/{app}/options", api_apps.options),
+                web.post("/addons/{app}/sys_options", api_apps.sys_options),
+                web.post("/addons/{app}/options/validate", api_apps.options_validate),
+                web.get("/addons/{app}/options/config", api_apps.options_config),
+                web.post("/addons/{app}/rebuild", api_apps.rebuild),
+                web.post("/addons/{app}/stdin", api_apps.stdin),
+                web.post("/addons/{app}/security", api_apps.security),
+                web.get("/addons/{app}/stats", api_apps.stats),
            ]
        )

-        # Legacy routing to support requests for not installed addons
+        @api_process_raw(CONTENT_TYPE_TEXT, error_type=CONTENT_TYPE_TEXT)
+        async def get_app_logs(request, *args, **kwargs):
+            app = api_apps.get_app_for_request(request)
+            kwargs["identifier"] = f"addon_{app.slug}"
+            return await self._api_host.advanced_logs(request, *args, **kwargs)
+
+        self.webapp.add_routes(
+            [
+                web.get("/addons/{app}/logs", get_app_logs),
+                web.get(
+                    "/addons/{app}/logs/follow",
+                    partial(get_app_logs, follow=True),
+                ),
+                web.get(
+                    "/addons/{app}/logs/latest",
+                    partial(get_app_logs, latest=True, no_colors=True),
+                ),
+                web.get("/addons/{app}/logs/boots/{bootid}", get_app_logs),
+                web.get(
+                    "/addons/{app}/logs/boots/{bootid}/follow",
+                    partial(get_app_logs, follow=True),
+                ),
+            ]
+        )
+
+        # Legacy routing to support requests for not installed apps
        api_store = APIStore()
        api_store.coresys = self.coresys

        @api_process
-        async def addons_addon_info(request: web.Request) -> dict[str, Any]:
-            """Route to store if info requested for not installed addon."""
+        async def apps_app_info(request: web.Request) -> dict[str, Any]:
+            """Route to store if info requested for not installed app."""
            try:
-                return await api_addons.info(request)
-            except APIAddonNotInstalled:
-                # Route to store/{addon}/info but add missing fields
+                return await api_apps.info(request)
+            except APIAppNotInstalled:
+                # Route to store/{app}/info but add missing fields
                return dict(
-                    await api_store.addons_addon_info_wrapped(request),
-                    state=AddonState.UNKNOWN,
-                    options=self.sys_addons.store[request.match_info["addon"]].options,
+                    await api_store.apps_app_info_wrapped(request),
+                    state=AppState.UNKNOWN,
+                    options=self.sys_apps.store[request.match_info["app"]].options,
                )

-        self.webapp.add_routes([web.get("/addons/{addon}/info", addons_addon_info)])
+        self.webapp.add_routes([web.get("/addons/{app}/info", apps_app_info)])

    def _register_ingress(self) -> None:
        """Register Ingress functions."""
@@ -474,7 +640,9 @@ class RestAPI(CoreSysAttributes):
                web.post("/ingress/session", api_ingress.create_session),
                web.post("/ingress/validate_session", api_ingress.validate_session),
                web.get("/ingress/panels", api_ingress.panels),
-                web.view("/ingress/{token}/{path:.*}", api_ingress.handler),
+                web.route(
+                    hdrs.METH_ANY, "/ingress/{token}/{path:.*}", api_ingress.handler
+                ),
            ]
        )

@@ -485,7 +653,7 @@ class RestAPI(CoreSysAttributes):

        self.webapp.add_routes(
            [
-                web.get("/backups", api_backups.list),
+                web.get("/backups", api_backups.list_backups),
                web.get("/backups/info", api_backups.info),
                web.post("/backups/options", api_backups.options),
                web.post("/backups/reload", api_backups.reload),
@@ -512,7 +680,7 @@ class RestAPI(CoreSysAttributes):

        self.webapp.add_routes(
            [
-                web.get("/services", api_services.list),
+                web.get("/services", api_services.list_services),
                web.get("/services/{service}", api_services.get_service),
                web.post("/services/{service}", api_services.set_service),
                web.delete("/services/{service}", api_services.del_service),
@@ -526,7 +694,7 @@ class RestAPI(CoreSysAttributes):

        self.webapp.add_routes(
            [
-                web.get("/discovery", api_discovery.list),
+                web.get("/discovery", api_discovery.list_discovery),
                web.get("/discovery/{uuid}", api_discovery.get_discovery),
                web.delete("/discovery/{uuid}", api_discovery.del_discovery),
                web.post("/discovery", api_discovery.set_discovery),
@@ -542,7 +710,6 @@ class RestAPI(CoreSysAttributes):
            [
                web.get("/dns/info", api_dns.info),
                web.get("/dns/stats", api_dns.stats),
-                web.get("/dns/logs", api_dns.logs),
                web.post("/dns/update", api_dns.update),
                web.post("/dns/options", api_dns.options),
                web.post("/dns/restart", api_dns.restart),
@@ -550,18 +717,17 @@ class RestAPI(CoreSysAttributes):
            ]
        )

+        self._register_advanced_logs("/dns", "hassio_dns", default_verbose=True)
+
    def _register_audio(self) -> None:
        """Register Audio functions."""
        api_audio = APIAudio()
        api_audio.coresys = self.coresys
-        api_host = APIHost()
-        api_host.coresys = self.coresys

        self.webapp.add_routes(
            [
                web.get("/audio/info", api_audio.info),
                web.get("/audio/stats", api_audio.stats),
-                web.get("/audio/logs", api_audio.logs),
                web.post("/audio/update", api_audio.update),
                web.post("/audio/restart", api_audio.restart),
                web.post("/audio/reload", api_audio.reload),
@@ -574,6 +740,8 @@ class RestAPI(CoreSysAttributes):
            ]
        )

+        self._register_advanced_logs("/audio", "hassio_audio", default_verbose=True)
+
    def _register_mounts(self) -> None:
        """Register mounts endpoints."""
        api_mounts = APIMounts()
@@ -598,30 +766,31 @@ class RestAPI(CoreSysAttributes):
        self.webapp.add_routes(
            [
                web.get("/store", api_store.store_info),
-                web.get("/store/addons", api_store.addons_list),
-                web.get("/store/addons/{addon}", api_store.addons_addon_info),
-                web.get("/store/addons/{addon}/{version}", api_store.addons_addon_info),
-                web.get("/store/addons/{addon}/icon", api_store.addons_addon_icon),
-                web.get("/store/addons/{addon}/logo", api_store.addons_addon_logo),
+                web.get("/store/addons", api_store.apps_list),
+                web.get("/store/addons/{app}", api_store.apps_app_info),
+                web.get("/store/addons/{app}/icon", api_store.apps_app_icon),
+                web.get("/store/addons/{app}/logo", api_store.apps_app_logo),
+                web.get("/store/addons/{app}/changelog", api_store.apps_app_changelog),
                web.get(
-                    "/store/addons/{addon}/changelog", api_store.addons_addon_changelog
+                    "/store/addons/{app}/documentation",
+                    api_store.apps_app_documentation,
                ),
                web.get(
-                    "/store/addons/{addon}/documentation",
-                    api_store.addons_addon_documentation,
+                    "/store/addons/{app}/availability",
+                    api_store.apps_app_availability,
                ),
+                web.post("/store/addons/{app}/install", api_store.apps_app_install),
                web.post(
-                    "/store/addons/{addon}/install", api_store.addons_addon_install
+                    "/store/addons/{app}/install/{version}",
+                    api_store.apps_app_install,
                ),
+                web.post("/store/addons/{app}/update", api_store.apps_app_update),
                web.post(
-                    "/store/addons/{addon}/install/{version}",
-                    api_store.addons_addon_install,
-                ),
-                web.post("/store/addons/{addon}/update", api_store.addons_addon_update),
-                web.post(
-                    "/store/addons/{addon}/update/{version}",
-                    api_store.addons_addon_update,
+                    "/store/addons/{app}/update/{version}",
+                    api_store.apps_app_update,
                ),
+                # Must be below others since it has a wildcard in resource path
+                web.get("/store/addons/{app}/{version}", api_store.apps_app_info),
                web.post("/store/reload", api_store.reload),
                web.get("/store/repositories", api_store.repositories_list),
                web.get(
@@ -632,6 +801,10 @@ class RestAPI(CoreSysAttributes):
                web.delete(
                    "/store/repositories/{repository}", api_store.remove_repository
                ),
+                web.post(
+                    "/store/repositories/{repository}/repair",
+                    api_store.repositories_repository_repair,
+                ),
            ]
        )

@@ -639,22 +812,21 @@ class RestAPI(CoreSysAttributes):
        self.webapp.add_routes(
            [
                web.post("/addons/reload", api_store.reload),
-                web.post("/addons/{addon}/install", api_store.addons_addon_install),
-                web.post("/addons/{addon}/update", api_store.addons_addon_update),
-                web.get("/addons/{addon}/icon", api_store.addons_addon_icon),
-                web.get("/addons/{addon}/logo", api_store.addons_addon_logo),
-                web.get("/addons/{addon}/changelog", api_store.addons_addon_changelog),
+                web.post("/addons/{app}/install", api_store.apps_app_install),
+                web.post("/addons/{app}/update", api_store.apps_app_update),
+                web.get("/addons/{app}/icon", api_store.apps_app_icon),
+                web.get("/addons/{app}/logo", api_store.apps_app_logo),
+                web.get("/addons/{app}/changelog", api_store.apps_app_changelog),
                web.get(
-                    "/addons/{addon}/documentation",
-                    api_store.addons_addon_documentation,
+                    "/addons/{app}/documentation",
+                    api_store.apps_app_documentation,
                ),
            ]
        )

-    def _register_panel(self) -> None:
+    def _register_panel(self) -> list[StaticResourceConfig]:
        """Register panel for Home Assistant."""
-        panel_dir = Path(__file__).parent.joinpath("panel")
-        self.webapp.add_routes([web.static("/app", panel_dir)])
+        return [StaticResourceConfig("/app", Path(__file__).parent.joinpath("panel"))]

    def _register_docker(self) -> None:
        """Register docker configuration functions."""
@@ -664,6 +836,11 @@ class RestAPI(CoreSysAttributes):
        self.webapp.add_routes(
            [
                web.get("/docker/info", api_docker.info),
+                web.post(
+                    "/docker/migrate-storage-driver",
+                    api_docker.migrate_docker_storage_driver,
+                ),
+                web.post("/docker/options", api_docker.options),
                web.get("/docker/registries", api_docker.registries),
                web.post("/docker/registries", api_docker.create_registry),
                web.delete("/docker/registries/{hostname}", api_docker.remove_registry),
--- a/supervisor/api/addons.py
+++ b/supervisor/api/addons.py
@@ -1,20 +1,20 @@
 """Init file for Supervisor Home Assistant RESTful API."""
+
 import asyncio
 from collections.abc import Awaitable
 import logging
-from typing import Any
+from typing import Any, TypedDict

 from aiohttp import web
 import voluptuous as vol
 from voluptuous.humanize import humanize_error

-from ..addons import AnyAddon
-from ..addons.addon import Addon
+from ..addons.addon import App
 from ..addons.utils import rating_security
 from ..const import (
-    ATTR_ADDONS,
    ATTR_ADVANCED,
    ATTR_APPARMOR,
+    ATTR_APPS,
    ATTR_ARCH,
    ATTR_AUDIO,
    ATTR_AUDIO_INPUT,
@@ -36,6 +36,7 @@ from ..const import (
    ATTR_DNS,
    ATTR_DOCKER_API,
    ATTR_DOCUMENTATION,
+    ATTR_FORCE,
    ATTR_FULL_ACCESS,
    ATTR_GPIO,
    ATTR_HASSIO_API,
@@ -62,7 +63,6 @@ from ..const import (
    ATTR_MEMORY_LIMIT,
    ATTR_MEMORY_PERCENT,
    ATTR_MEMORY_USAGE,
-    ATTR_MESSAGE,
    ATTR_NAME,
    ATTR_NETWORK,
    ATTR_NETWORK_DESCRIPTION,
@@ -71,7 +71,6 @@ from ..const import (
    ATTR_OPTIONS,
    ATTR_PRIVILEGED,
    ATTR_PROTECTED,
-    ATTR_PWNED,
    ATTR_RATING,
    ATTR_REPOSITORY,
    ATTR_SCHEMA,
@@ -81,33 +80,39 @@ from ..const import (
    ATTR_STARTUP,
    ATTR_STATE,
    ATTR_STDIN,
+    ATTR_SYSTEM_MANAGED,
+    ATTR_SYSTEM_MANAGED_CONFIG_ENTRY,
    ATTR_TRANSLATIONS,
    ATTR_UART,
    ATTR_UDEV,
    ATTR_UPDATE_AVAILABLE,
    ATTR_URL,
    ATTR_USB,
-    ATTR_VALID,
    ATTR_VERSION,
    ATTR_VERSION_LATEST,
    ATTR_VIDEO,
    ATTR_WATCHDOG,
    ATTR_WEBUI,
    REQUEST_FROM,
-    AddonBoot,
+    AppBoot,
+    AppBootConfig,
 )
 from ..coresys import CoreSysAttributes
 from ..docker.stats import DockerStats
 from ..exceptions import (
-    APIAddonNotInstalled,
+    APIAppNotInstalled,
    APIError,
    APIForbidden,
+    APINotFound,
+    AppBootConfigCannotChangeError,
+    AppConfigurationInvalidError,
+    AppNotSupportedWriteStdinError,
    PwnedError,
    PwnedSecret,
 )
 from ..validate import docker_ports
-from .const import ATTR_SIGNED, CONTENT_TYPE_BINARY
-from .utils import api_process, api_process_raw, api_validate, json_loads
+from .const import ATTR_BOOT_CONFIG, ATTR_REMOVE_CONFIG, ATTR_SIGNED
+from .utils import api_process, api_validate, json_loads

 _LOGGER: logging.Logger = logging.getLogger(__name__)

@@ -116,205 +121,253 @@ SCHEMA_VERSION = vol.Schema({vol.Optional(ATTR_VERSION): str})
 # pylint: disable=no-value-for-parameter
 SCHEMA_OPTIONS = vol.Schema(
    {
-        vol.Optional(ATTR_BOOT): vol.Coerce(AddonBoot),
+        vol.Optional(ATTR_BOOT): vol.Coerce(AppBoot),
        vol.Optional(ATTR_NETWORK): vol.Maybe(docker_ports),
        vol.Optional(ATTR_AUTO_UPDATE): vol.Boolean(),
        vol.Optional(ATTR_AUDIO_OUTPUT): vol.Maybe(str),
        vol.Optional(ATTR_AUDIO_INPUT): vol.Maybe(str),
        vol.Optional(ATTR_INGRESS_PANEL): vol.Boolean(),
        vol.Optional(ATTR_WATCHDOG): vol.Boolean(),
+        vol.Optional(ATTR_OPTIONS): vol.Maybe(dict),
+    }
+)
+
+SCHEMA_SYS_OPTIONS = vol.Schema(
+    {
+        vol.Optional(ATTR_SYSTEM_MANAGED): vol.Boolean(),
+        vol.Optional(ATTR_SYSTEM_MANAGED_CONFIG_ENTRY): vol.Maybe(str),
    }
 )

-# pylint: disable=no-value-for-parameter
 SCHEMA_SECURITY = vol.Schema({vol.Optional(ATTR_PROTECTED): vol.Boolean()})

+SCHEMA_UNINSTALL = vol.Schema(
+    {vol.Optional(ATTR_REMOVE_CONFIG, default=False): vol.Boolean()}
+)

-class APIAddons(CoreSysAttributes):
-    """Handle RESTful API for add-on functions."""
+SCHEMA_REBUILD = vol.Schema({vol.Optional(ATTR_FORCE, default=False): vol.Boolean()})
+# pylint: enable=no-value-for-parameter

-    def _extract_addon(self, request: web.Request) -> Addon:
-        """Return addon, throw an exception it it doesn't exist."""
-        addon_slug: str = request.match_info.get("addon")
+
+class OptionsValidateResponse(TypedDict):
+    """Response object for options validate."""
+
+    message: str
+    valid: bool
+    pwned: bool | None
+
+
+class APIApps(CoreSysAttributes):
+    """Handle RESTful API for app functions."""
+
+    def get_app_for_request(self, request: web.Request) -> App:
+        """Return app, throw an exception if it doesn't exist."""
+        app_slug: str = request.match_info["app"]

        # Lookup itself
-        if addon_slug == "self":
-            addon = request.get(REQUEST_FROM)
-            if not isinstance(addon, Addon):
-                raise APIError("Self is not an Addon")
-            return addon
+        if app_slug == "self":
+            app = request.get(REQUEST_FROM)
+            if not isinstance(app, App):
+                raise APIError("Self is not an App")
+            return app

-        addon = self.sys_addons.get(addon_slug)
-        if not addon:
-            raise APIError(f"Addon {addon_slug} does not exist")
-        if not isinstance(addon, Addon) or not addon.is_installed:
-            raise APIAddonNotInstalled("Addon is not installed")
+        app = self.sys_apps.get(app_slug)
+        if not app:
+            raise APINotFound(f"App {app_slug} does not exist")
+        if not isinstance(app, App) or not app.is_installed:
+            raise APIAppNotInstalled("App is not installed")

-        return addon
+        return app

    @api_process
-    async def list(self, request: web.Request) -> dict[str, Any]:
-        """Return all add-ons or repositories."""
-        data_addons = [
+    async def list_apps(self, request: web.Request) -> dict[str, Any]:
+        """Return all apps or repositories."""
+        data_apps = [
            {
-                ATTR_NAME: addon.name,
-                ATTR_SLUG: addon.slug,
-                ATTR_DESCRIPTON: addon.description,
-                ATTR_ADVANCED: addon.advanced,
-                ATTR_STAGE: addon.stage,
-                ATTR_VERSION: addon.version,
-                ATTR_VERSION_LATEST: addon.latest_version,
-                ATTR_UPDATE_AVAILABLE: addon.need_update,
-                ATTR_AVAILABLE: addon.available,
-                ATTR_DETACHED: addon.is_detached,
-                ATTR_HOMEASSISTANT: addon.homeassistant_version,
-                ATTR_STATE: addon.state,
-                ATTR_REPOSITORY: addon.repository,
-                ATTR_BUILD: addon.need_build,
-                ATTR_URL: addon.url,
-                ATTR_ICON: addon.with_icon,
-                ATTR_LOGO: addon.with_logo,
+                ATTR_NAME: app.name,
+                ATTR_SLUG: app.slug,
+                ATTR_DESCRIPTON: app.description,
+                ATTR_ADVANCED: app.advanced,  # Deprecated 2026.03
+                ATTR_STAGE: app.stage,
+                ATTR_VERSION: app.version,
+                ATTR_VERSION_LATEST: app.latest_version,
+                ATTR_UPDATE_AVAILABLE: app.need_update,
+                ATTR_AVAILABLE: app.available,
+                ATTR_DETACHED: app.is_detached,
+                ATTR_HOMEASSISTANT: app.homeassistant_version,
+                ATTR_STATE: app.state,
+                ATTR_REPOSITORY: app.repository,
+                ATTR_BUILD: app.need_build,
+                ATTR_URL: app.url,
+                ATTR_ICON: app.with_icon,
+                ATTR_LOGO: app.with_logo,
+                ATTR_SYSTEM_MANAGED: app.system_managed,
            }
-            for addon in self.sys_addons.installed
+            for app in self.sys_apps.installed
        ]

-        return {ATTR_ADDONS: data_addons}
+        return {ATTR_APPS: data_apps}

    @api_process
    async def reload(self, request: web.Request) -> None:
-        """Reload all add-on data from store."""
+        """Reload all app data from store."""
        await asyncio.shield(self.sys_store.reload())

    async def info(self, request: web.Request) -> dict[str, Any]:
-        """Return add-on information."""
-        addon: AnyAddon = self._extract_addon(request)
+        """Return app information."""
+        app: App = self.get_app_for_request(request)

        data = {
-            ATTR_NAME: addon.name,
-            ATTR_SLUG: addon.slug,
-            ATTR_HOSTNAME: addon.hostname,
-            ATTR_DNS: addon.dns,
-            ATTR_DESCRIPTON: addon.description,
-            ATTR_LONG_DESCRIPTION: addon.long_description,
-            ATTR_ADVANCED: addon.advanced,
-            ATTR_STAGE: addon.stage,
-            ATTR_REPOSITORY: addon.repository,
-            ATTR_VERSION_LATEST: addon.latest_version,
-            ATTR_PROTECTED: addon.protected,
-            ATTR_RATING: rating_security(addon),
-            ATTR_BOOT: addon.boot,
-            ATTR_OPTIONS: addon.options,
-            ATTR_SCHEMA: addon.schema_ui,
-            ATTR_ARCH: addon.supported_arch,
-            ATTR_MACHINE: addon.supported_machine,
-            ATTR_HOMEASSISTANT: addon.homeassistant_version,
-            ATTR_URL: addon.url,
-            ATTR_DETACHED: addon.is_detached,
-            ATTR_AVAILABLE: addon.available,
-            ATTR_BUILD: addon.need_build,
-            ATTR_NETWORK: addon.ports,
-            ATTR_NETWORK_DESCRIPTION: addon.ports_description,
-            ATTR_HOST_NETWORK: addon.host_network,
-            ATTR_HOST_PID: addon.host_pid,
-            ATTR_HOST_IPC: addon.host_ipc,
-            ATTR_HOST_UTS: addon.host_uts,
-            ATTR_HOST_DBUS: addon.host_dbus,
-            ATTR_PRIVILEGED: addon.privileged,
-            ATTR_FULL_ACCESS: addon.with_full_access,
-            ATTR_APPARMOR: addon.apparmor,
-            ATTR_ICON: addon.with_icon,
-            ATTR_LOGO: addon.with_logo,
-            ATTR_CHANGELOG: addon.with_changelog,
-            ATTR_DOCUMENTATION: addon.with_documentation,
-            ATTR_STDIN: addon.with_stdin,
-            ATTR_HASSIO_API: addon.access_hassio_api,
-            ATTR_HASSIO_ROLE: addon.hassio_role,
-            ATTR_AUTH_API: addon.access_auth_api,
-            ATTR_HOMEASSISTANT_API: addon.access_homeassistant_api,
-            ATTR_GPIO: addon.with_gpio,
-            ATTR_USB: addon.with_usb,
-            ATTR_UART: addon.with_uart,
-            ATTR_KERNEL_MODULES: addon.with_kernel_modules,
-            ATTR_DEVICETREE: addon.with_devicetree,
-            ATTR_UDEV: addon.with_udev,
-            ATTR_DOCKER_API: addon.access_docker_api,
-            ATTR_VIDEO: addon.with_video,
-            ATTR_AUDIO: addon.with_audio,
-            ATTR_STARTUP: addon.startup,
-            ATTR_SERVICES: _pretty_services(addon),
-            ATTR_DISCOVERY: addon.discovery,
-            ATTR_TRANSLATIONS: addon.translations,
-            ATTR_INGRESS: addon.with_ingress,
-            ATTR_SIGNED: addon.signed,
-            ATTR_STATE: addon.state,
-            ATTR_WEBUI: addon.webui,
-            ATTR_INGRESS_ENTRY: addon.ingress_entry,
-            ATTR_INGRESS_URL: addon.ingress_url,
-            ATTR_INGRESS_PORT: addon.ingress_port,
-            ATTR_INGRESS_PANEL: addon.ingress_panel,
-            ATTR_AUDIO_INPUT: addon.audio_input,
-            ATTR_AUDIO_OUTPUT: addon.audio_output,
-            ATTR_AUTO_UPDATE: addon.auto_update,
-            ATTR_IP_ADDRESS: str(addon.ip_address),
-            ATTR_VERSION: addon.version,
-            ATTR_UPDATE_AVAILABLE: addon.need_update,
-            ATTR_WATCHDOG: addon.watchdog,
-            ATTR_DEVICES: addon.static_devices
-            + [device.path for device in addon.devices],
+            ATTR_NAME: app.name,
+            ATTR_SLUG: app.slug,
+            ATTR_HOSTNAME: app.hostname,
+            ATTR_DNS: app.dns,
+            ATTR_DESCRIPTON: app.description,
+            ATTR_LONG_DESCRIPTION: await app.long_description(),
+            ATTR_ADVANCED: app.advanced,  # Deprecated 2026.03
+            ATTR_STAGE: app.stage,
+            ATTR_REPOSITORY: app.repository,
+            ATTR_VERSION_LATEST: app.latest_version,
+            ATTR_PROTECTED: app.protected,
+            ATTR_RATING: rating_security(app),
+            ATTR_BOOT_CONFIG: app.boot_config,
+            ATTR_BOOT: app.boot,
+            ATTR_OPTIONS: app.options,
+            ATTR_SCHEMA: app.schema_ui,
+            ATTR_ARCH: app.supported_arch,
+            ATTR_MACHINE: app.supported_machine,
+            ATTR_HOMEASSISTANT: app.homeassistant_version,
+            ATTR_URL: app.url,
+            ATTR_DETACHED: app.is_detached,
+            ATTR_AVAILABLE: app.available,
+            ATTR_BUILD: app.need_build,
+            ATTR_NETWORK: app.ports,
+            ATTR_NETWORK_DESCRIPTION: app.ports_description,
+            ATTR_HOST_NETWORK: app.host_network,
+            ATTR_HOST_PID: app.host_pid,
+            ATTR_HOST_IPC: app.host_ipc,
+            ATTR_HOST_UTS: app.host_uts,
+            ATTR_HOST_DBUS: app.host_dbus,
+            ATTR_PRIVILEGED: app.privileged,
+            ATTR_FULL_ACCESS: app.with_full_access,
+            ATTR_APPARMOR: app.apparmor,
+            ATTR_ICON: app.with_icon,
+            ATTR_LOGO: app.with_logo,
+            ATTR_CHANGELOG: app.with_changelog,
+            ATTR_DOCUMENTATION: app.with_documentation,
+            ATTR_STDIN: app.with_stdin,
+            ATTR_HASSIO_API: app.access_hassio_api,
+            ATTR_HASSIO_ROLE: app.hassio_role,
+            ATTR_AUTH_API: app.access_auth_api,
+            ATTR_HOMEASSISTANT_API: app.access_homeassistant_api,
+            ATTR_GPIO: app.with_gpio,
+            ATTR_USB: app.with_usb,
+            ATTR_UART: app.with_uart,
+            ATTR_KERNEL_MODULES: app.with_kernel_modules,
+            ATTR_DEVICETREE: app.with_devicetree,
+            ATTR_UDEV: app.with_udev,
+            ATTR_DOCKER_API: app.access_docker_api,
+            ATTR_VIDEO: app.with_video,
+            ATTR_AUDIO: app.with_audio,
+            ATTR_STARTUP: app.startup,
+            ATTR_SERVICES: _pretty_services(app),
+            ATTR_DISCOVERY: app.discovery,
+            ATTR_TRANSLATIONS: app.translations,
+            ATTR_INGRESS: app.with_ingress,
+            ATTR_SIGNED: app.signed,
+            ATTR_STATE: app.state,
+            ATTR_WEBUI: app.webui,
+            ATTR_INGRESS_ENTRY: app.ingress_entry,
+            ATTR_INGRESS_URL: app.ingress_url,
+            ATTR_INGRESS_PORT: app.ingress_port,
+            ATTR_INGRESS_PANEL: app.ingress_panel,
+            ATTR_AUDIO_INPUT: app.audio_input,
+            ATTR_AUDIO_OUTPUT: app.audio_output,
+            ATTR_AUTO_UPDATE: app.auto_update,
+            ATTR_IP_ADDRESS: str(app.ip_address),
+            ATTR_VERSION: app.version,
+            ATTR_UPDATE_AVAILABLE: app.need_update,
+            ATTR_WATCHDOG: app.watchdog,
+            ATTR_DEVICES: app.static_devices + [device.path for device in app.devices],
+            ATTR_SYSTEM_MANAGED: app.system_managed,
+            ATTR_SYSTEM_MANAGED_CONFIG_ENTRY: app.system_managed_config_entry,
        }

        return data

    @api_process
    async def options(self, request: web.Request) -> None:
-        """Store user options for add-on."""
-        addon = self._extract_addon(request)
+        """Store user options for app."""
+        app = self.get_app_for_request(request)

        # Update secrets for validation
        await self.sys_homeassistant.secrets.reload()

-        # Extend schema with add-on specific validation
-        addon_schema = SCHEMA_OPTIONS.extend(
-            {vol.Optional(ATTR_OPTIONS): vol.Maybe(addon.schema)}
-        )
-
        # Validate/Process Body
-        body = await api_validate(addon_schema, request, origin=[ATTR_OPTIONS])
+        body = await api_validate(SCHEMA_OPTIONS, request)
        if ATTR_OPTIONS in body:
-            addon.options = body[ATTR_OPTIONS]
+            # None resets options to defaults, otherwise validate the options
+            if body[ATTR_OPTIONS] is None:
+                app.options = None
+            else:
+                try:
+                    app.options = app.schema(body[ATTR_OPTIONS])
+                except vol.Invalid as ex:
+                    raise AppConfigurationInvalidError(
+                        app=app.slug,
+                        validation_error=humanize_error(body[ATTR_OPTIONS], ex),
+                    ) from None
        if ATTR_BOOT in body:
-            addon.boot = body[ATTR_BOOT]
+            if app.boot_config == AppBootConfig.MANUAL_ONLY:
+                raise AppBootConfigCannotChangeError(
+                    app=app.slug, boot_config=app.boot_config.value
+                )
+            app.boot = body[ATTR_BOOT]
        if ATTR_AUTO_UPDATE in body:
-            addon.auto_update = body[ATTR_AUTO_UPDATE]
+            app.auto_update = body[ATTR_AUTO_UPDATE]
        if ATTR_NETWORK in body:
-            addon.ports = body[ATTR_NETWORK]
+            app.ports = body[ATTR_NETWORK]
        if ATTR_AUDIO_INPUT in body:
-            addon.audio_input = body[ATTR_AUDIO_INPUT]
+            app.audio_input = body[ATTR_AUDIO_INPUT]
        if ATTR_AUDIO_OUTPUT in body:
-            addon.audio_output = body[ATTR_AUDIO_OUTPUT]
+            app.audio_output = body[ATTR_AUDIO_OUTPUT]
        if ATTR_INGRESS_PANEL in body:
-            addon.ingress_panel = body[ATTR_INGRESS_PANEL]
-            await self.sys_ingress.update_hass_panel(addon)
+            app.ingress_panel = body[ATTR_INGRESS_PANEL]
+            await self.sys_ingress.update_hass_panel(app)
        if ATTR_WATCHDOG in body:
-            addon.watchdog = body[ATTR_WATCHDOG]
+            app.watchdog = body[ATTR_WATCHDOG]

-        addon.save_persist()
+        await app.save_persist()

    @api_process
-    async def options_validate(self, request: web.Request) -> None:
-        """Validate user options for add-on."""
-        addon = self._extract_addon(request)
-        data = {ATTR_MESSAGE: "", ATTR_VALID: True, ATTR_PWNED: False}
+    async def sys_options(self, request: web.Request) -> None:
+        """Store system options for an app."""
+        app = self.get_app_for_request(request)

-        options = await request.json(loads=json_loads) or addon.options
+        # Validate/Process Body
+        body = await api_validate(SCHEMA_SYS_OPTIONS, request)
+        if ATTR_SYSTEM_MANAGED in body:
+            app.system_managed = body[ATTR_SYSTEM_MANAGED]
+        if ATTR_SYSTEM_MANAGED_CONFIG_ENTRY in body:
+            app.system_managed_config_entry = body[ATTR_SYSTEM_MANAGED_CONFIG_ENTRY]
+
+        await app.save_persist()
+
+    @api_process
+    async def options_validate(self, request: web.Request) -> OptionsValidateResponse:
+        """Validate user options for app."""
+        app = self.get_app_for_request(request)
+        data = OptionsValidateResponse(message="", valid=True, pwned=False)
+
+        options = await request.json(loads=json_loads) or app.options

        # Validate config
-        options_schema = addon.schema
+        options_schema = app.schema
        try:
            options_schema.validate(options)
        except vol.Invalid as ex:
-            data[ATTR_MESSAGE] = humanize_error(options, ex)
-            data[ATTR_VALID] = False
+            data["message"] = humanize_error(options, ex)
+            data["valid"] = False

        if not self.sys_security.pwned:
            return data
@@ -325,53 +378,53 @@ class APIAddons(CoreSysAttributes):
                await self.sys_security.verify_secret(secret)
                continue
            except PwnedSecret:
-                data[ATTR_PWNED] = True
+                data["pwned"] = True
            except PwnedError:
-                data[ATTR_PWNED] = None
+                data["pwned"] = None
            break

-        if self.sys_security.force and data[ATTR_PWNED] in (None, True):
-            data[ATTR_VALID] = False
-            if data[ATTR_PWNED] is None:
-                data[ATTR_MESSAGE] = "Error happening on pwned secrets check!"
+        if self.sys_security.force and data["pwned"] in (None, True):
+            data["valid"] = False
+            if data["pwned"] is None:
+                data["message"] = "Error happening on pwned secrets check!"
            else:
-                data[ATTR_MESSAGE] = "Add-on uses pwned secrets!"
+                data["message"] = "App uses pwned secrets!"

        return data

    @api_process
-    async def options_config(self, request: web.Request) -> None:
-        """Validate user options for add-on."""
-        slug: str = request.match_info.get("addon")
+    async def options_config(self, request: web.Request) -> dict[str, Any]:
+        """Validate user options for app."""
+        slug: str = request.match_info["app"]
        if slug != "self":
-            raise APIForbidden("This can be only read by the Add-on itself!")
-        addon = self._extract_addon(request)
+            raise APIForbidden("This can be only read by the app itself!")
+        app = self.get_app_for_request(request)

        # Lookup/reload secrets
        await self.sys_homeassistant.secrets.reload()
        try:
-            return addon.schema.validate(addon.options)
+            return app.schema.validate(app.options)
        except vol.Invalid:
-            raise APIError("Invalid configuration data for the add-on") from None
+            raise APIError("Invalid configuration data for the app") from None

    @api_process
    async def security(self, request: web.Request) -> None:
-        """Store security options for add-on."""
-        addon = self._extract_addon(request)
+        """Store security options for app."""
+        app = self.get_app_for_request(request)
        body: dict[str, Any] = await api_validate(SCHEMA_SECURITY, request)

        if ATTR_PROTECTED in body:
-            _LOGGER.warning("Changing protected flag for %s!", addon.slug)
-            addon.protected = body[ATTR_PROTECTED]
+            _LOGGER.warning("Changing protected flag for %s!", app.slug)
+            app.protected = body[ATTR_PROTECTED]

-        addon.save_persist()
+        await app.save_persist()

    @api_process
    async def stats(self, request: web.Request) -> dict[str, Any]:
        """Return resource information."""
-        addon = self._extract_addon(request)
+        app = self.get_app_for_request(request)

-        stats: DockerStats = await addon.stats()
+        stats: DockerStats = await app.stats()

        return {
            ATTR_CPU_PERCENT: stats.cpu_percent,
@@ -385,55 +438,56 @@ class APIAddons(CoreSysAttributes):
        }

    @api_process
-    def uninstall(self, request: web.Request) -> Awaitable[None]:
-        """Uninstall add-on."""
-        addon = self._extract_addon(request)
-        return asyncio.shield(self.sys_addons.uninstall(addon.slug))
+    async def uninstall(self, request: web.Request) -> None:
+        """Uninstall app."""
+        app = self.get_app_for_request(request)
+        body: dict[str, Any] = await api_validate(SCHEMA_UNINSTALL, request)
+        await asyncio.shield(
+            self.sys_apps.uninstall(app.slug, remove_config=body[ATTR_REMOVE_CONFIG])
+        )

    @api_process
    async def start(self, request: web.Request) -> None:
-        """Start add-on."""
-        addon = self._extract_addon(request)
-        if start_task := await asyncio.shield(addon.start()):
+        """Start app."""
+        app = self.get_app_for_request(request)
+        if start_task := await asyncio.shield(app.start()):
            await start_task

    @api_process
    def stop(self, request: web.Request) -> Awaitable[None]:
-        """Stop add-on."""
-        addon = self._extract_addon(request)
-        return asyncio.shield(addon.stop())
+        """Stop app."""
+        app = self.get_app_for_request(request)
+        return asyncio.shield(app.stop())

    @api_process
    async def restart(self, request: web.Request) -> None:
-        """Restart add-on."""
-        addon: Addon = self._extract_addon(request)
-        if start_task := await asyncio.shield(addon.restart()):
+        """Restart app."""
+        app: App = self.get_app_for_request(request)
+        if start_task := await asyncio.shield(app.restart()):
            await start_task

    @api_process
    async def rebuild(self, request: web.Request) -> None:
-        """Rebuild local build add-on."""
-        addon = self._extract_addon(request)
-        if start_task := await asyncio.shield(self.sys_addons.rebuild(addon.slug)):
-            await start_task
+        """Rebuild local build app."""
+        app = self.get_app_for_request(request)
+        body: dict[str, Any] = await api_validate(SCHEMA_REBUILD, request)

-    @api_process_raw(CONTENT_TYPE_BINARY)
-    def logs(self, request: web.Request) -> Awaitable[bytes]:
-        """Return logs from add-on."""
-        addon = self._extract_addon(request)
-        return addon.logs()
+        if start_task := await asyncio.shield(
+            self.sys_apps.rebuild(app.slug, force=body[ATTR_FORCE])
+        ):
+            await start_task

    @api_process
    async def stdin(self, request: web.Request) -> None:
-        """Write to stdin of add-on."""
-        addon = self._extract_addon(request)
-        if not addon.with_stdin:
-            raise APIError(f"STDIN not supported the {addon.slug} add-on")
+        """Write to stdin of app."""
+        app = self.get_app_for_request(request)
+        if not app.with_stdin:
+            raise AppNotSupportedWriteStdinError(_LOGGER.error, app=app.slug)

        data = await request.read()
-        await asyncio.shield(addon.write_stdin(data))
+        await asyncio.shield(app.write_stdin(data))


-def _pretty_services(addon: Addon) -> list[str]:
+def _pretty_services(app: App) -> list[str]:
    """Return a simplified services role list."""
-    return [f"{name}:{access}" for name, access in addon.services_role.items()]
+    return [f"{name}:{access}" for name, access in app.services_role.items()]
--- a/supervisor/api/audio.py
+++ b/supervisor/api/audio.py
@@ -1,4 +1,5 @@
 """Init file for Supervisor Audio RESTful API."""
+
 import asyncio
 from collections.abc import Awaitable
 from dataclasses import asdict
@@ -35,8 +36,7 @@ from ..coresys import CoreSysAttributes
 from ..exceptions import APIError
 from ..host.sound import StreamType
 from ..validate import version_tag
-from .const import CONTENT_TYPE_BINARY
-from .utils import api_process, api_process_raw, api_validate
+from .utils import api_process, api_validate

 _LOGGER: logging.Logger = logging.getLogger(__name__)

@@ -111,11 +111,6 @@ class APIAudio(CoreSysAttributes):
            raise APIError(f"Version {version} is already in use")
        await asyncio.shield(self.sys_plugins.audio.update(version))

-    @api_process_raw(CONTENT_TYPE_BINARY)
-    def logs(self, request: web.Request) -> Awaitable[bytes]:
-        """Return Audio Docker logs."""
-        return self.sys_plugins.audio.logs()
-
    @api_process
    def restart(self, request: web.Request) -> Awaitable[None]:
        """Restart Audio plugin."""
@@ -129,7 +124,7 @@ class APIAudio(CoreSysAttributes):
    @api_process
    async def set_volume(self, request: web.Request) -> None:
        """Set audio volume on stream."""
-        source: StreamType = StreamType(request.match_info.get("source"))
+        source: StreamType = StreamType(request.match_info["source"])
        application: bool = request.path.endswith("application")
        body = await api_validate(SCHEMA_VOLUME, request)

@@ -142,7 +137,7 @@ class APIAudio(CoreSysAttributes):
    @api_process
    async def set_mute(self, request: web.Request) -> None:
        """Mute audio volume on stream."""
-        source: StreamType = StreamType(request.match_info.get("source"))
+        source: StreamType = StreamType(request.match_info["source"])
        application: bool = request.path.endswith("application")
        body = await api_validate(SCHEMA_MUTE, request)

@@ -155,7 +150,7 @@ class APIAudio(CoreSysAttributes):
    @api_process
    async def set_default(self, request: web.Request) -> None:
        """Set audio default stream."""
-        source: StreamType = StreamType(request.match_info.get("source"))
+        source: StreamType = StreamType(request.match_info["source"])
        body = await api_validate(SCHEMA_DEFAULT, request)

        await asyncio.shield(self.sys_host.sound.set_default(source, body[ATTR_NAME]))
--- a/supervisor/api/auth.py
+++ b/supervisor/api/auth.py
@@ -1,18 +1,31 @@
 """Init file for Supervisor auth/SSO RESTful API."""
+
 import asyncio
+from collections.abc import Awaitable
 import logging
+from typing import Any, cast

 from aiohttp import BasicAuth, web
 from aiohttp.hdrs import AUTHORIZATION, CONTENT_TYPE, WWW_AUTHENTICATE
+from aiohttp.web import FileField
 from aiohttp.web_exceptions import HTTPUnauthorized
+from multidict import MultiDictProxy
 import voluptuous as vol

-from ..addons.addon import Addon
-from ..const import ATTR_PASSWORD, ATTR_USERNAME, REQUEST_FROM
+from ..addons.addon import App
+from ..const import ATTR_NAME, ATTR_PASSWORD, ATTR_USERNAME, REQUEST_FROM
 from ..coresys import CoreSysAttributes
-from ..exceptions import APIForbidden
-from .const import CONTENT_TYPE_JSON, CONTENT_TYPE_URL
-from .utils import api_process, api_validate
+from ..exceptions import APIForbidden, AuthInvalidNonStringValueError
+from .const import (
+    ATTR_GROUP_IDS,
+    ATTR_IS_ACTIVE,
+    ATTR_IS_OWNER,
+    ATTR_LOCAL_ONLY,
+    ATTR_USERS,
+    CONTENT_TYPE_JSON,
+    CONTENT_TYPE_URL,
+)
+from .utils import api_process, api_validate, json_loads

 _LOGGER: logging.Logger = logging.getLogger(__name__)

@@ -31,17 +44,23 @@ REALM_HEADER: dict[str, str] = {
 class APIAuth(CoreSysAttributes):
    """Handle RESTful API for auth functions."""

-    def _process_basic(self, request: web.Request, addon: Addon) -> bool:
+    def _process_basic(self, request: web.Request, app: App) -> Awaitable[bool]:
        """Process login request with basic auth.

        Return a coroutine.
        """
-        auth = BasicAuth.decode(request.headers[AUTHORIZATION])
-        return self.sys_auth.check_login(addon, auth.login, auth.password)
+        try:
+            auth = BasicAuth.decode(request.headers[AUTHORIZATION])
+        except ValueError as err:
+            raise HTTPUnauthorized(headers=REALM_HEADER) from err
+        return self.sys_auth.check_login(app, auth.login, auth.password)

    def _process_dict(
-        self, request: web.Request, addon: Addon, data: dict[str, str]
-    ) -> bool:
+        self,
+        request: web.Request,
+        app: App,
+        data: dict[str, Any] | MultiDictProxy[str | bytes | FileField],
+    ) -> Awaitable[bool]:
        """Process login with dict data.

        Return a coroutine.
@@ -49,32 +68,45 @@ class APIAuth(CoreSysAttributes):
        username = data.get("username") or data.get("user")
        password = data.get("password")

-        return self.sys_auth.check_login(addon, username, password)
+        # Test that we did receive strings and not something else, raise if so
+        try:
+            _ = username.encode and password.encode  # type: ignore
+        except AttributeError:
+            raise AuthInvalidNonStringValueError(
+                _LOGGER.error, headers=REALM_HEADER
+            ) from None
+
+        return self.sys_auth.check_login(app, cast(str, username), cast(str, password))

    @api_process
    async def auth(self, request: web.Request) -> bool:
        """Process login request."""
-        addon = request[REQUEST_FROM]
+        app = request[REQUEST_FROM]

-        if not addon.access_auth_api:
+        if not isinstance(app, App) or not app.access_auth_api:
            raise APIForbidden("Can't use Home Assistant auth!")

        # BasicAuth
        if AUTHORIZATION in request.headers:
-            if not await self._process_basic(request, addon):
+            if not await self._process_basic(request, app):
                raise HTTPUnauthorized(headers=REALM_HEADER)
            return True

        # Json
        if request.headers.get(CONTENT_TYPE) == CONTENT_TYPE_JSON:
-            data = await request.json()
-            return await self._process_dict(request, addon, data)
+            data = await request.json(loads=json_loads)
+            if not await self._process_dict(request, app, data):
+                raise HTTPUnauthorized()
+            return True

        # URL encoded
        if request.headers.get(CONTENT_TYPE) == CONTENT_TYPE_URL:
            data = await request.post()
-            return await self._process_dict(request, addon, data)
+            if not await self._process_dict(request, app, data):
+                raise HTTPUnauthorized()
+            return True

+        # Advertise Basic authentication by default
        raise HTTPUnauthorized(headers=REALM_HEADER)

    @api_process
@@ -88,4 +120,22 @@ class APIAuth(CoreSysAttributes):
    @api_process
    async def cache(self, request: web.Request) -> None:
        """Process cache reset request."""
-        self.sys_auth.reset_data()
+        await self.sys_auth.reset_data()
+
+    @api_process
+    async def list_users(self, request: web.Request) -> dict[str, list[dict[str, Any]]]:
+        """List users on the Home Assistant instance."""
+        return {
+            ATTR_USERS: [
+                {
+                    ATTR_USERNAME: user.username,
+                    ATTR_NAME: user.name,
+                    ATTR_IS_OWNER: user.is_owner,
+                    ATTR_IS_ACTIVE: user.is_active,
+                    ATTR_LOCAL_ONLY: user.local_only,
+                    ATTR_GROUP_IDS: user.group_ids,
+                }
+                for user in await self.sys_auth.list_users()
+                if user.username
+            ]
+        }
--- a/supervisor/api/backups.py
+++ b/supervisor/api/backups.py
@@ -1,93 +1,136 @@
 """Backups RESTful API."""
+
+from __future__ import annotations
+
 import asyncio
+from io import BufferedWriter
 import logging
 from pathlib import Path
 import re
 from tempfile import TemporaryDirectory
-from typing import Any
+from typing import Any, cast

-from aiohttp import web
+from aiohttp import BodyPartReader, web
 from aiohttp.hdrs import CONTENT_DISPOSITION
 import voluptuous as vol
+from voluptuous.humanize import humanize_error

+from ..backups.backup import Backup
+from ..backups.const import LOCATION_CLOUD_BACKUP, LOCATION_TYPE
 from ..backups.validate import ALL_FOLDERS, FOLDER_HOMEASSISTANT, days_until_stale
 from ..const import (
-    ATTR_ADDONS,
+    ATTR_APPS,
    ATTR_BACKUPS,
    ATTR_COMPRESSED,
    ATTR_CONTENT,
    ATTR_DATE,
    ATTR_DAYS_UNTIL_STALE,
+    ATTR_EXTRA,
+    ATTR_FILENAME,
    ATTR_FOLDERS,
    ATTR_HOMEASSISTANT,
    ATTR_HOMEASSISTANT_EXCLUDE_DATABASE,
-    ATTR_LOCATON,
+    ATTR_JOB_ID,
+    ATTR_LOCATION,
    ATTR_NAME,
    ATTR_PASSWORD,
    ATTR_PROTECTED,
    ATTR_REPOSITORIES,
    ATTR_SIZE,
+    ATTR_SIZE_BYTES,
    ATTR_SLUG,
    ATTR_SUPERVISOR_VERSION,
    ATTR_TIMEOUT,
    ATTR_TYPE,
    ATTR_VERSION,
+    DEFAULT_CHUNK_SIZE,
+    REQUEST_FROM,
 )
 from ..coresys import CoreSysAttributes
-from ..exceptions import APIError
+from ..exceptions import APIError, APIForbidden, APINotFound
 from ..mounts.const import MountUsage
-from .const import CONTENT_TYPE_TAR
-from .utils import api_process, api_validate
+from .const import (
+    ATTR_ADDITIONAL_LOCATIONS,
+    ATTR_BACKGROUND,
+    ATTR_LOCATION_ATTRIBUTES,
+    ATTR_LOCATIONS,
+    CONTENT_TYPE_TAR,
+)
+from .utils import api_process, api_validate, background_task

 _LOGGER: logging.Logger = logging.getLogger(__name__)

+ALL_ADDONS_FLAG = "ALL"
+
+LOCATION_LOCAL = ".local"
+
 RE_SLUGIFY_NAME = re.compile(r"[^A-Za-z0-9]+")
+RE_BACKUP_FILENAME = re.compile(r"^[^\\\/]+\.tar$")

 # Backwards compatible
 # Remove: 2022.08
 _ALL_FOLDERS = ALL_FOLDERS + [FOLDER_HOMEASSISTANT]

+
+def _ensure_list(item: Any) -> list:
+    """Ensure value is a list."""
+    if not isinstance(item, list):
+        return [item]
+    return item
+
+
+def _convert_local_location(item: str | None) -> str | None:
+    """Convert local location value."""
+    if item in {LOCATION_LOCAL, ""}:
+        return None
+    return item
+
+
 # pylint: disable=no-value-for-parameter
-SCHEMA_RESTORE_PARTIAL = vol.Schema(
+SCHEMA_FOLDERS = vol.All([vol.In(_ALL_FOLDERS)], vol.Unique())
+SCHEMA_LOCATION = vol.All(vol.Maybe(str), _convert_local_location)
+SCHEMA_LOCATION_LIST = vol.All(_ensure_list, [SCHEMA_LOCATION], vol.Unique())
+
+SCHEMA_RESTORE_FULL = vol.Schema(
    {
        vol.Optional(ATTR_PASSWORD): vol.Maybe(str),
-        vol.Optional(ATTR_HOMEASSISTANT): vol.Boolean(),
-        vol.Optional(ATTR_ADDONS): vol.All([str], vol.Unique()),
-        vol.Optional(ATTR_FOLDERS): vol.All([vol.In(_ALL_FOLDERS)], vol.Unique()),
+        vol.Optional(ATTR_BACKGROUND, default=False): vol.Boolean(),
+        vol.Optional(ATTR_LOCATION): SCHEMA_LOCATION,
    }
 )

-SCHEMA_RESTORE_FULL = vol.Schema({vol.Optional(ATTR_PASSWORD): vol.Maybe(str)})
+SCHEMA_RESTORE_PARTIAL = SCHEMA_RESTORE_FULL.extend(
+    {
+        vol.Optional(ATTR_HOMEASSISTANT): vol.Boolean(),
+        vol.Optional(ATTR_APPS): vol.All([str], vol.Unique()),
+        vol.Optional(ATTR_FOLDERS): SCHEMA_FOLDERS,
+    }
+)

 SCHEMA_BACKUP_FULL = vol.Schema(
    {
        vol.Optional(ATTR_NAME): str,
+        vol.Optional(ATTR_FILENAME): vol.Match(RE_BACKUP_FILENAME),
        vol.Optional(ATTR_PASSWORD): vol.Maybe(str),
        vol.Optional(ATTR_COMPRESSED): vol.Maybe(vol.Boolean()),
-        vol.Optional(ATTR_LOCATON): vol.Maybe(str),
+        vol.Optional(ATTR_LOCATION): SCHEMA_LOCATION_LIST,
        vol.Optional(ATTR_HOMEASSISTANT_EXCLUDE_DATABASE): vol.Boolean(),
+        vol.Optional(ATTR_BACKGROUND, default=False): vol.Boolean(),
+        vol.Optional(ATTR_EXTRA): dict,
    }
 )

 SCHEMA_BACKUP_PARTIAL = SCHEMA_BACKUP_FULL.extend(
    {
-        vol.Optional(ATTR_ADDONS): vol.All([str], vol.Unique()),
-        vol.Optional(ATTR_FOLDERS): vol.All([vol.In(_ALL_FOLDERS)], vol.Unique()),
+        vol.Optional(ATTR_APPS): vol.Or(ALL_ADDONS_FLAG, vol.All([str], vol.Unique())),
+        vol.Optional(ATTR_FOLDERS): SCHEMA_FOLDERS,
        vol.Optional(ATTR_HOMEASSISTANT): vol.Boolean(),
    }
 )

-SCHEMA_OPTIONS = vol.Schema(
-    {
-        vol.Optional(ATTR_DAYS_UNTIL_STALE): days_until_stale,
-    }
-)
-
-SCHEMA_FREEZE = vol.Schema(
-    {
-        vol.Optional(ATTR_TIMEOUT): vol.All(int, vol.Range(min=1)),
-    }
-)
+SCHEMA_OPTIONS = vol.Schema({vol.Optional(ATTR_DAYS_UNTIL_STALE): days_until_stale})
+SCHEMA_FREEZE = vol.Schema({vol.Optional(ATTR_TIMEOUT): vol.All(int, vol.Range(min=1))})
+SCHEMA_REMOVE = vol.Schema({vol.Optional(ATTR_LOCATION): SCHEMA_LOCATION_LIST})


 class APIBackups(CoreSysAttributes):
@@ -97,9 +140,19 @@ class APIBackups(CoreSysAttributes):
        """Return backup, throw an exception if it doesn't exist."""
        backup = self.sys_backups.get(request.match_info.get("slug"))
        if not backup:
-            raise APIError("Backup does not exist")
+            raise APINotFound("Backup does not exist")
        return backup

+    def _make_location_attributes(self, backup: Backup) -> dict[str, dict[str, Any]]:
+        """Make location attributes dictionary."""
+        return {
+            loc if loc else LOCATION_LOCAL: {
+                ATTR_PROTECTED: backup.all_locations[loc].protected,
+                ATTR_SIZE_BYTES: backup.all_locations[loc].size_bytes,
+            }
+            for loc in backup.locations
+        }
+
    def _list_backups(self):
        """Return list of backups."""
        return [
@@ -109,20 +162,24 @@ class APIBackups(CoreSysAttributes):
                ATTR_DATE: backup.date,
                ATTR_TYPE: backup.sys_type,
                ATTR_SIZE: backup.size,
-                ATTR_LOCATON: backup.location,
+                ATTR_SIZE_BYTES: backup.size_bytes,
+                ATTR_LOCATION: backup.location,
+                ATTR_LOCATIONS: backup.locations,
                ATTR_PROTECTED: backup.protected,
+                ATTR_LOCATION_ATTRIBUTES: self._make_location_attributes(backup),
                ATTR_COMPRESSED: backup.compressed,
                ATTR_CONTENT: {
                    ATTR_HOMEASSISTANT: backup.homeassistant_version is not None,
-                    ATTR_ADDONS: backup.addon_list,
+                    ATTR_APPS: backup.app_list,
                    ATTR_FOLDERS: backup.folders,
                },
            }
            for backup in self.sys_backups.list_backups
+            if backup.location != LOCATION_CLOUD_BACKUP
        ]

    @api_process
-    async def list(self, request):
+    async def list_backups(self, request):
        """Return backup list."""
        data_backups = self._list_backups()

@@ -148,10 +205,10 @@ class APIBackups(CoreSysAttributes):
        if ATTR_DAYS_UNTIL_STALE in body:
            self.sys_backups.days_until_stale = body[ATTR_DAYS_UNTIL_STALE]

-        self.sys_backups.save_data()
+        await self.sys_backups.save_data()

    @api_process
-    async def reload(self, _):
+    async def reload(self, _: web.Request) -> bool:
        """Reload backup list."""
        await asyncio.shield(self.sys_backups.reload())
        return True
@@ -161,14 +218,14 @@ class APIBackups(CoreSysAttributes):
        """Return backup info."""
        backup = self._extract_slug(request)

-        data_addons = []
-        for addon_data in backup.addons:
-            data_addons.append(
+        data_apps = []
+        for app_data in backup.apps:
+            data_apps.append(
                {
-                    ATTR_SLUG: addon_data[ATTR_SLUG],
-                    ATTR_NAME: addon_data[ATTR_NAME],
-                    ATTR_VERSION: addon_data[ATTR_VERSION],
-                    ATTR_SIZE: addon_data[ATTR_SIZE],
+                    ATTR_SLUG: app_data[ATTR_SLUG],
+                    ATTR_NAME: app_data[ATTR_NAME],
+                    ATTR_VERSION: app_data[ATTR_VERSION],
+                    ATTR_SIZE: app_data[ATTR_SIZE],
                }
            )

@@ -178,123 +235,299 @@ class APIBackups(CoreSysAttributes):
            ATTR_NAME: backup.name,
            ATTR_DATE: backup.date,
            ATTR_SIZE: backup.size,
+            ATTR_SIZE_BYTES: backup.size_bytes,
            ATTR_COMPRESSED: backup.compressed,
            ATTR_PROTECTED: backup.protected,
+            ATTR_LOCATION_ATTRIBUTES: self._make_location_attributes(backup),
            ATTR_SUPERVISOR_VERSION: backup.supervisor_version,
            ATTR_HOMEASSISTANT: backup.homeassistant_version,
-            ATTR_LOCATON: backup.location,
-            ATTR_ADDONS: data_addons,
+            ATTR_LOCATION: backup.location,
+            ATTR_LOCATIONS: backup.locations,
+            ATTR_APPS: data_apps,
            ATTR_REPOSITORIES: backup.repositories,
            ATTR_FOLDERS: backup.folders,
            ATTR_HOMEASSISTANT_EXCLUDE_DATABASE: backup.homeassistant_exclude_database,
+            ATTR_EXTRA: backup.extra,
        }

-    def _location_to_mount(self, body: dict[str, Any]) -> dict[str, Any]:
-        """Change location field to mount if necessary."""
-        if not body.get(ATTR_LOCATON):
-            return body
+    def _location_to_mount(self, location: str | None) -> LOCATION_TYPE:
+        """Convert a single location to a mount if possible."""
+        if not location or location == LOCATION_CLOUD_BACKUP:
+            return cast(LOCATION_TYPE, location)

-        body[ATTR_LOCATON] = self.sys_mounts.get(body[ATTR_LOCATON])
-        if body[ATTR_LOCATON].usage != MountUsage.BACKUP:
+        mount = self.sys_mounts.get(location)
+        if mount.usage != MountUsage.BACKUP:
            raise APIError(
-                f"Mount {body[ATTR_LOCATON].name} is not used for backups, cannot backup to there"
+                f"Mount {mount.name} is not used for backups, cannot backup to there"
            )

+        return mount
+
+    def _location_field_to_mount(self, body: dict[str, Any]) -> dict[str, Any]:
+        """Change location field to mount if necessary."""
+        body[ATTR_LOCATION] = self._location_to_mount(body.get(ATTR_LOCATION))
        return body

+    def _validate_cloud_backup_location(
+        self, request: web.Request, location: list[str | None] | str | None
+    ) -> None:
+        """Cloud backup location is only available to Home Assistant."""
+        if not isinstance(location, list):
+            location = [location]
+        if (
+            LOCATION_CLOUD_BACKUP in location
+            and request.get(REQUEST_FROM) != self.sys_homeassistant
+        ):
+            raise APIForbidden(
+                f"Location {LOCATION_CLOUD_BACKUP} is only available for Home Assistant"
+            )
+
    @api_process
-    async def backup_full(self, request):
+    async def backup_full(self, request: web.Request):
        """Create full backup."""
        body = await api_validate(SCHEMA_BACKUP_FULL, request)
+        locations: list[LOCATION_TYPE] | None = None

-        backup = await asyncio.shield(
-            self.sys_backups.do_backup_full(**self._location_to_mount(body))
+        if ATTR_LOCATION in body:
+            location_names: list[str | None] = body.pop(ATTR_LOCATION)
+            self._validate_cloud_backup_location(request, location_names)
+
+            locations = [
+                self._location_to_mount(location) for location in location_names
+            ]
+            body[ATTR_LOCATION] = locations.pop(0)
+            if locations:
+                body[ATTR_ADDITIONAL_LOCATIONS] = locations
+
+        background = body.pop(ATTR_BACKGROUND)
+        backup_task, job_id = await background_task(
+            self, self.sys_backups.do_backup_full, **body
        )

+        if background and not backup_task.done():
+            return {ATTR_JOB_ID: job_id}
+
+        backup: Backup | None = await backup_task
        if backup:
-            return {ATTR_SLUG: backup.slug}
-        return False
+            return {ATTR_JOB_ID: job_id, ATTR_SLUG: backup.slug}
+        raise APIError(
+            f"An error occurred while making backup, check job '{job_id}' or supervisor logs for details",
+            job_id=job_id,
+        )

    @api_process
-    async def backup_partial(self, request):
+    async def backup_partial(self, request: web.Request):
        """Create a partial backup."""
        body = await api_validate(SCHEMA_BACKUP_PARTIAL, request)
-        backup = await asyncio.shield(
-            self.sys_backups.do_backup_partial(**self._location_to_mount(body))
+        locations: list[LOCATION_TYPE] | None = None
+
+        if ATTR_LOCATION in body:
+            location_names: list[str | None] = body.pop(ATTR_LOCATION)
+            self._validate_cloud_backup_location(request, location_names)
+
+            locations = [
+                self._location_to_mount(location) for location in location_names
+            ]
+            body[ATTR_LOCATION] = locations.pop(0)
+            if locations:
+                body[ATTR_ADDITIONAL_LOCATIONS] = locations
+
+        if body.get(ATTR_APPS) == ALL_ADDONS_FLAG:
+            body[ATTR_APPS] = list(self.sys_apps.local)
+
+        if ATTR_APPS in body:
+            body["apps"] = body.pop(ATTR_APPS)
+        background = body.pop(ATTR_BACKGROUND)
+        backup_task, job_id = await background_task(
+            self, self.sys_backups.do_backup_partial, **body
        )

+        if background and not backup_task.done():
+            return {ATTR_JOB_ID: job_id}
+
+        backup: Backup | None = await backup_task
        if backup:
-            return {ATTR_SLUG: backup.slug}
-        return False
+            return {ATTR_JOB_ID: job_id, ATTR_SLUG: backup.slug}
+        raise APIError(
+            f"An error occurred while making backup, check job '{job_id}' or supervisor logs for details",
+            job_id=job_id,
+        )

    @api_process
-    async def restore_full(self, request):
+    async def restore_full(self, request: web.Request):
        """Full restore of a backup."""
        backup = self._extract_slug(request)
        body = await api_validate(SCHEMA_RESTORE_FULL, request)
+        self._validate_cloud_backup_location(
+            request, body.get(ATTR_LOCATION, backup.location)
+        )
+        background = body.pop(ATTR_BACKGROUND)
+        restore_task, job_id = await background_task(
+            self, self.sys_backups.do_restore_full, backup, **body
+        )

-        return await asyncio.shield(self.sys_backups.do_restore_full(backup, **body))
+        if background and not restore_task.done() or await restore_task:
+            return {ATTR_JOB_ID: job_id}
+        raise APIError(
+            f"An error occurred during restore of {backup.slug}, check job '{job_id}' or supervisor logs for details",
+            job_id=job_id,
+        )

    @api_process
-    async def restore_partial(self, request):
+    async def restore_partial(self, request: web.Request):
        """Partial restore a backup."""
        backup = self._extract_slug(request)
        body = await api_validate(SCHEMA_RESTORE_PARTIAL, request)
+        self._validate_cloud_backup_location(
+            request, body.get(ATTR_LOCATION, backup.location)
+        )
+        background = body.pop(ATTR_BACKGROUND)
+        if ATTR_APPS in body:
+            body["apps"] = body.pop(ATTR_APPS)
+        restore_task, job_id = await background_task(
+            self, self.sys_backups.do_restore_partial, backup, **body
+        )

-        return await asyncio.shield(self.sys_backups.do_restore_partial(backup, **body))
+        if background and not restore_task.done() or await restore_task:
+            return {ATTR_JOB_ID: job_id}
+        raise APIError(
+            f"An error occurred during restore of {backup.slug}, check job '{job_id}' or supervisor logs for details",
+            job_id=job_id,
+        )

    @api_process
-    async def freeze(self, request):
+    async def freeze(self, request: web.Request):
        """Initiate manual freeze for external backup."""
        body = await api_validate(SCHEMA_FREEZE, request)
        await asyncio.shield(self.sys_backups.freeze_all(**body))

    @api_process
-    async def thaw(self, request):
+    async def thaw(self, request: web.Request):
        """Begin thaw after manual freeze."""
        await self.sys_backups.thaw_all()

    @api_process
-    async def remove(self, request):
+    async def remove(self, request: web.Request):
        """Remove a backup."""
        backup = self._extract_slug(request)
-        return self.sys_backups.remove(backup)
+        body = await api_validate(SCHEMA_REMOVE, request)
+        locations: list[LOCATION_TYPE] | None = None

-    async def download(self, request):
+        if ATTR_LOCATION in body:
+            self._validate_cloud_backup_location(request, body[ATTR_LOCATION])
+            locations = [self._location_to_mount(name) for name in body[ATTR_LOCATION]]
+        else:
+            self._validate_cloud_backup_location(request, backup.location)
+
+        await self.sys_backups.remove(backup, locations=locations)
+
+    @api_process
+    async def download(self, request: web.Request) -> web.StreamResponse:
        """Download a backup file."""
        backup = self._extract_slug(request)
+        # Query will give us '' for /backups, convert value to None
+        location = _convert_local_location(
+            request.query.get(ATTR_LOCATION, backup.location)
+        )
+        self._validate_cloud_backup_location(request, location)
+        if location not in backup.all_locations:
+            raise APIError(f"Backup {backup.slug} is not in location {location}")

        _LOGGER.info("Downloading backup %s", backup.slug)
-        response = web.FileResponse(backup.tarfile)
+        filename = backup.all_locations[location].path
+        # If the file is missing, return 404 and trigger reload of location
+        if not await self.sys_run_in_executor(filename.is_file):
+            self.sys_create_task(self.sys_backups.reload(location))
+            return web.Response(status=404)
+
+        response = web.FileResponse(filename)
        response.content_type = CONTENT_TYPE_TAR
-        response.headers[
-            CONTENT_DISPOSITION
-        ] = f"attachment; filename={RE_SLUGIFY_NAME.sub('_', backup.name)}.tar"
+
+        download_filename = filename.name
+        if download_filename == f"{backup.slug}.tar":
+            download_filename = f"{RE_SLUGIFY_NAME.sub('_', backup.name)}.tar"
+        response.headers[CONTENT_DISPOSITION] = (
+            f"attachment; filename={download_filename}"
+        )
        return response

    @api_process
-    async def upload(self, request):
+    async def upload(self, request: web.Request) -> dict[str, str] | bool:
        """Upload a backup file."""
-        with TemporaryDirectory(dir=str(self.sys_config.path_tmp)) as temp_dir:
-            tar_file = Path(temp_dir, "backup.tar")
+        location: LOCATION_TYPE = None
+        locations: list[LOCATION_TYPE] | None = None
+
+        if ATTR_LOCATION in request.query:
+            location_names: list[str] = request.query.getall(ATTR_LOCATION, [])
+            self._validate_cloud_backup_location(
+                request, cast(list[str | None], location_names)
+            )
+            # Convert empty string to None if necessary
+            locations = [
+                self._location_to_mount(location)
+                if _convert_local_location(location)
+                else None
+                for location in location_names
+            ]
+            location = locations.pop(0)
+
+        filename: str | None = None
+        if ATTR_FILENAME in request.query:
+            filename = request.query.get(ATTR_FILENAME)
+            try:
+                vol.Match(RE_BACKUP_FILENAME)(filename)
+            except vol.Invalid as ex:
+                raise APIError(humanize_error(filename, ex)) from None
+
+        tmp_path = await self.sys_backups.get_upload_path_for_location(location)
+        temp_dir: TemporaryDirectory | None = None
+        backup_file_stream: BufferedWriter | None = None
+
+        def open_backup_file() -> tuple[Path, BufferedWriter]:
+            nonlocal temp_dir, backup_file_stream
+            temp_dir = TemporaryDirectory(dir=tmp_path.as_posix())
+            tar_file = Path(temp_dir.name, "upload.tar")
+            backup_file_stream = tar_file.open("wb")
+            return (tar_file, backup_file_stream)
+
+        def close_backup_file() -> None:
+            if backup_file_stream:
+                # Make sure it got closed, in case of exception. It is safe to
+                # close the file stream twice.
+                backup_file_stream.close()
+            if temp_dir:
+                temp_dir.cleanup()
+
+        try:
            reader = await request.multipart()
            contents = await reader.next()
-            try:
-                with tar_file.open("wb") as backup:
-                    while True:
-                        chunk = await contents.read_chunk()
-                        if not chunk:
-                            break
-                        backup.write(chunk)
+            if not isinstance(contents, BodyPartReader):
+                raise APIError("Improperly formatted upload, could not read backup")

-            except OSError as err:
-                _LOGGER.error("Can't write new backup file: %s", err)
-                return False
+            tar_file, backup_writer = await self.sys_run_in_executor(open_backup_file)
+            while chunk := await contents.read_chunk(size=DEFAULT_CHUNK_SIZE):
+                await self.sys_run_in_executor(backup_writer.write, chunk)
+            await self.sys_run_in_executor(backup_writer.close)

-            except asyncio.CancelledError:
-                return False
+            backup = await asyncio.shield(
+                self.sys_backups.import_backup(
+                    tar_file,
+                    filename,
+                    location=location,
+                    additional_locations=locations,
+                )
+            )
+        except OSError as err:
+            if location in {LOCATION_CLOUD_BACKUP, None}:
+                self.sys_resolution.check_oserror(err)
+            _LOGGER.error("Can't write new backup file: %s", err)
+            return False

-            backup = await asyncio.shield(self.sys_backups.import_backup(tar_file))
+        except asyncio.CancelledError:
+            return False
+
+        finally:
+            await self.sys_run_in_executor(close_backup_file)

        if backup:
            return {ATTR_SLUG: backup.slug}
--- a/supervisor/api/cli.py
+++ b/supervisor/api/cli.py
@@ -1,4 +1,5 @@
 """Init file for Supervisor HA cli RESTful API."""
+
 import asyncio
 import logging
 from typing import Any
--- a/supervisor/api/const.py
+++ b/supervisor/api/const.py
@@ -1,18 +1,26 @@
 """Const for API."""

+from enum import StrEnum
+
 CONTENT_TYPE_BINARY = "application/octet-stream"
 CONTENT_TYPE_JSON = "application/json"
 CONTENT_TYPE_PNG = "image/png"
 CONTENT_TYPE_TAR = "application/tar"
 CONTENT_TYPE_TEXT = "text/plain"
 CONTENT_TYPE_URL = "application/x-www-form-urlencoded"
+CONTENT_TYPE_X_LOG = "text/x-log"

 COOKIE_INGRESS = "ingress_session"

+ATTR_ADDITIONAL_LOCATIONS = "additional_locations"
 ATTR_AGENT_VERSION = "agent_version"
 ATTR_APPARMOR_VERSION = "apparmor_version"
 ATTR_ATTRIBUTES = "attributes"
 ATTR_AVAILABLE_UPDATES = "available_updates"
+ATTR_BACKGROUND = "background"
+ATTR_BOOT_CONFIG = "boot_config"
+ATTR_BOOT_SLOT = "boot_slot"
+ATTR_BOOT_SLOTS = "boot_slots"
 ATTR_BOOT_TIMESTAMP = "boot_timestamp"
 ATTR_BOOTS = "boots"
 ATTR_BROADCAST_LLMNR = "broadcast_llmnr"
@@ -30,25 +38,54 @@ ATTR_DT_UTC = "dt_utc"
 ATTR_EJECTABLE = "ejectable"
 ATTR_FALLBACK = "fallback"
 ATTR_FILESYSTEMS = "filesystems"
+ATTR_FORCE = "force"
+ATTR_GROUP_IDS = "group_ids"
 ATTR_IDENTIFIERS = "identifiers"
+ATTR_IS_ACTIVE = "is_active"
+ATTR_IS_OWNER = "is_owner"
 ATTR_JOBS = "jobs"
 ATTR_LLMNR = "llmnr"
 ATTR_LLMNR_HOSTNAME = "llmnr_hostname"
+ATTR_LOCAL_ONLY = "local_only"
+ATTR_LOCATION_ATTRIBUTES = "location_attributes"
+ATTR_LOCATIONS = "locations"
+ATTR_MAX_DEPTH = "max_depth"
 ATTR_MDNS = "mdns"
 ATTR_MODEL = "model"
 ATTR_MOUNTS = "mounts"
 ATTR_MOUNT_POINTS = "mount_points"
 ATTR_PANEL_PATH = "panel_path"
 ATTR_REMOVABLE = "removable"
+ATTR_REMOVE_CONFIG = "remove_config"
 ATTR_REVISION = "revision"
+ATTR_SAFE_MODE = "safe_mode"
 ATTR_SEAT = "seat"
 ATTR_SIGNED = "signed"
 ATTR_STARTUP_TIME = "startup_time"
+ATTR_STATUS = "status"
 ATTR_SUBSYSTEM = "subsystem"
 ATTR_SYSFS = "sysfs"
 ATTR_SYSTEM_HEALTH_LED = "system_health_led"
 ATTR_TIME_DETECTED = "time_detected"
 ATTR_UPDATE_TYPE = "update_type"
-ATTR_USE_NTP = "use_ntp"
 ATTR_USAGE = "usage"
+ATTR_USE_NTP = "use_ntp"
+ATTR_USERS = "users"
+ATTR_USER_PATH = "user_path"
 ATTR_VENDOR = "vendor"
+ATTR_VIRTUALIZATION = "virtualization"
+
+
+class BootSlot(StrEnum):
+    """Boot slots used by HAOS."""
+
+    A = "A"
+    B = "B"
+
+
+class DetectBlockingIO(StrEnum):
+    """Enable/Disable detection for blocking I/O in event loop."""
+
+    OFF = "off"
+    ON = "on"
+    ON_AT_STARTUP = "on-at-startup"
--- a/supervisor/api/discovery.py
+++ b/supervisor/api/discovery.py
@@ -1,22 +1,25 @@
 """Init file for Supervisor network RESTful API."""
-import logging

+import logging
+from typing import Any
+
+from aiohttp import web
 import voluptuous as vol

-from ..addons.addon import Addon
+from ..addons.addon import App
 from ..const import (
-    ATTR_ADDON,
+    ATTR_APP,
    ATTR_CONFIG,
    ATTR_DISCOVERY,
    ATTR_SERVICE,
    ATTR_SERVICES,
    ATTR_UUID,
    REQUEST_FROM,
-    AddonState,
+    AppState,
 )
 from ..coresys import CoreSysAttributes
-from ..discovery.validate import valid_discovery_service
-from ..exceptions import APIError, APIForbidden
+from ..discovery import Message
+from ..exceptions import APIForbidden, APINotFound
 from .utils import api_process, api_validate, require_home_assistant

 _LOGGER: logging.Logger = logging.getLogger(__name__)
@@ -24,7 +27,7 @@ _LOGGER: logging.Logger = logging.getLogger(__name__)
 SCHEMA_DISCOVERY = vol.Schema(
    {
        vol.Required(ATTR_SERVICE): str,
-        vol.Optional(ATTR_CONFIG): vol.Maybe(dict),
+        vol.Required(ATTR_CONFIG): dict,
    }
 )

@@ -32,92 +35,86 @@ SCHEMA_DISCOVERY = vol.Schema(
 class APIDiscovery(CoreSysAttributes):
    """Handle RESTful API for discovery functions."""

-    def _extract_message(self, request):
+    def _extract_message(self, request: web.Request) -> Message:
        """Extract discovery message from URL."""
-        message = self.sys_discovery.get(request.match_info.get("uuid"))
+        message = self.sys_discovery.get(request.match_info["uuid"])
        if not message:
-            raise APIError("Discovery message not found")
+            raise APINotFound("Discovery message not found")
        return message

    @api_process
    @require_home_assistant
-    async def list(self, request):
+    async def list_discovery(self, request: web.Request) -> dict[str, Any]:
        """Show registered and available services."""
        # Get available discovery
        discovery = [
            {
-                ATTR_ADDON: message.addon,
+                ATTR_APP: message.addon,
                ATTR_SERVICE: message.service,
                ATTR_UUID: message.uuid,
                ATTR_CONFIG: message.config,
            }
            for message in self.sys_discovery.list_messages
-            if (addon := self.sys_addons.get(message.addon, local_only=True))
-            and addon.state == AddonState.STARTED
+            if (
+                discovered := self.sys_apps.get_local_only(
+                    message.addon,
+                )
+            )
+            and discovered.state == AppState.STARTED
        ]

-        # Get available services/add-ons
-        services = {}
-        for addon in self.sys_addons.all:
-            for name in addon.discovery:
-                services.setdefault(name, []).append(addon.slug)
+        # Get available services/apps
+        services: dict[str, list[str]] = {}
+        for app in self.sys_apps.all:
+            for name in app.discovery:
+                services.setdefault(name, []).append(app.slug)

        return {ATTR_DISCOVERY: discovery, ATTR_SERVICES: services}

    @api_process
-    async def set_discovery(self, request):
+    async def set_discovery(self, request: web.Request) -> dict[str, str]:
        """Write data into a discovery pipeline."""
        body = await api_validate(SCHEMA_DISCOVERY, request)
-        addon: Addon = request[REQUEST_FROM]
+        app: App = request[REQUEST_FROM]
        service = body[ATTR_SERVICE]

-        try:
-            valid_discovery_service(service)
-        except vol.Invalid:
-            _LOGGER.warning(
-                "Received discovery message for unknown service %s from addon %s. Please report this to the maintainer of the add-on",
-                service,
-                addon.name,
-            )
-
        # Access?
-        if body[ATTR_SERVICE] not in addon.discovery:
+        if body[ATTR_SERVICE] not in app.discovery:
            _LOGGER.error(
-                "Add-on %s attempted to send discovery for service %s which is not listed in its config. Please report this to the maintainer of the add-on",
-                addon.name,
+                "App %s attempted to send discovery for service %s which is not listed in its config. Please report this to the maintainer of the app",
+                app.name,
                service,
            )
            raise APIForbidden(
-                "Add-ons must list services they provide via discovery in their config!"
+                "Apps must list services they provide via discovery in their config!"
            )

        # Process discovery message
-        message = self.sys_discovery.send(addon, **body)
+        message = await self.sys_discovery.send(app, **body)

        return {ATTR_UUID: message.uuid}

    @api_process
    @require_home_assistant
-    async def get_discovery(self, request):
+    async def get_discovery(self, request: web.Request) -> dict[str, Any]:
        """Read data into a discovery message."""
        message = self._extract_message(request)

        return {
-            ATTR_ADDON: message.addon,
+            ATTR_APP: message.addon,
            ATTR_SERVICE: message.service,
            ATTR_UUID: message.uuid,
            ATTR_CONFIG: message.config,
        }

    @api_process
-    async def del_discovery(self, request):
+    async def del_discovery(self, request: web.Request) -> None:
        """Delete data into a discovery message."""
        message = self._extract_message(request)
-        addon = request[REQUEST_FROM]
+        app = request[REQUEST_FROM]

        # Permission
-        if message.addon != addon.slug:
+        if message.addon != app.slug:
            raise APIForbidden("Can't remove discovery message")

-        self.sys_discovery.remove(message)
-        return True
+        await self.sys_discovery.remove(message)
--- a/supervisor/api/dns.py
+++ b/supervisor/api/dns.py
@@ -1,4 +1,5 @@
 """Init file for Supervisor DNS RESTful API."""
+
 import asyncio
 from collections.abc import Awaitable
 import logging
@@ -26,8 +27,8 @@ from ..const import (
 from ..coresys import CoreSysAttributes
 from ..exceptions import APIError
 from ..validate import dns_server_list, version_tag
-from .const import ATTR_FALLBACK, ATTR_LLMNR, ATTR_MDNS, CONTENT_TYPE_BINARY
-from .utils import api_process, api_process_raw, api_validate
+from .const import ATTR_FALLBACK, ATTR_LLMNR, ATTR_MDNS
+from .utils import api_process, api_validate

 _LOGGER: logging.Logger = logging.getLogger(__name__)

@@ -77,7 +78,7 @@ class APICoreDNS(CoreSysAttributes):
        if restart_required:
            self.sys_create_task(self.sys_plugins.dns.restart())

-        self.sys_plugins.dns.save_data()
+        await self.sys_plugins.dns.save_data()

    @api_process
    async def stats(self, request: web.Request) -> dict[str, Any]:
@@ -105,11 +106,6 @@ class APICoreDNS(CoreSysAttributes):
            raise APIError(f"Version {version} is already in use")
        await asyncio.shield(self.sys_plugins.dns.update(version))

-    @api_process_raw(CONTENT_TYPE_BINARY)
-    def logs(self, request: web.Request) -> Awaitable[bytes]:
-        """Return DNS Docker logs."""
-        return self.sys_plugins.dns.logs()
-
    @api_process
    def restart(self, request: web.Request) -> Awaitable[None]:
        """Restart CoreDNS plugin."""
--- a/supervisor/api/docker.py
+++ b/supervisor/api/docker.py
@@ -1,20 +1,27 @@
 """Init file for Supervisor Home Assistant RESTful API."""
+
 import logging
 from typing import Any

 from aiohttp import web
+from awesomeversion import AwesomeVersion
 import voluptuous as vol

 from ..const import (
+    ATTR_ENABLE_IPV6,
    ATTR_HOSTNAME,
    ATTR_LOGGING,
+    ATTR_MTU,
    ATTR_PASSWORD,
    ATTR_REGISTRIES,
    ATTR_STORAGE,
+    ATTR_STORAGE_DRIVER,
    ATTR_USERNAME,
    ATTR_VERSION,
 )
 from ..coresys import CoreSysAttributes
+from ..exceptions import APINotFound
+from ..resolution.const import ContextType, IssueType, SuggestionType
 from .utils import api_process, api_validate

 _LOGGER: logging.Logger = logging.getLogger(__name__)
@@ -28,10 +35,71 @@ SCHEMA_DOCKER_REGISTRY = vol.Schema(
    }
 )

+# pylint: disable=no-value-for-parameter
+SCHEMA_OPTIONS = vol.Schema(
+    {
+        vol.Optional(ATTR_ENABLE_IPV6): vol.Maybe(vol.Boolean()),
+        vol.Optional(ATTR_MTU): vol.Maybe(vol.All(int, vol.Range(min=68, max=65535))),
+    }
+)
+
+SCHEMA_MIGRATE_DOCKER_STORAGE_DRIVER = vol.Schema(
+    {
+        vol.Required(ATTR_STORAGE_DRIVER): vol.In(["overlayfs"]),
+    }
+)
+

 class APIDocker(CoreSysAttributes):
    """Handle RESTful API for Docker configuration."""

+    @api_process
+    async def info(self, request: web.Request) -> dict[str, Any]:
+        """Get docker info."""
+        data_registries = {}
+        for hostname, registry in self.sys_docker.config.registries.items():
+            data_registries[hostname] = {
+                ATTR_USERNAME: registry[ATTR_USERNAME],
+            }
+        return {
+            ATTR_VERSION: self.sys_docker.info.version,
+            ATTR_ENABLE_IPV6: self.sys_docker.config.enable_ipv6,
+            ATTR_MTU: self.sys_docker.config.mtu,
+            ATTR_STORAGE: self.sys_docker.info.storage,
+            ATTR_LOGGING: self.sys_docker.info.logging,
+            ATTR_REGISTRIES: data_registries,
+        }
+
+    @api_process
+    async def options(self, request: web.Request) -> None:
+        """Set docker options."""
+        body = await api_validate(SCHEMA_OPTIONS, request)
+
+        reboot_required = False
+
+        if (
+            ATTR_ENABLE_IPV6 in body
+            and self.sys_docker.config.enable_ipv6 != body[ATTR_ENABLE_IPV6]
+        ):
+            self.sys_docker.config.enable_ipv6 = body[ATTR_ENABLE_IPV6]
+            reboot_required = True
+
+        if ATTR_MTU in body and self.sys_docker.config.mtu != body[ATTR_MTU]:
+            self.sys_docker.config.mtu = body[ATTR_MTU]
+            reboot_required = True
+
+        if reboot_required:
+            _LOGGER.info(
+                "Host system reboot required to apply Docker configuration changes"
+            )
+            self.sys_resolution.create_issue(
+                IssueType.REBOOT_REQUIRED,
+                ContextType.SYSTEM,
+                suggestions=[SuggestionType.EXECUTE_REBOOT],
+            )
+
+        await self.sys_docker.config.save_data()
+
    @api_process
    async def registries(self, request) -> dict[str, Any]:
        """Return the list of registries."""
@@ -44,33 +112,45 @@ class APIDocker(CoreSysAttributes):
        return {ATTR_REGISTRIES: data_registries}

    @api_process
-    async def create_registry(self, request: web.Request):
+    async def create_registry(self, request: web.Request) -> None:
        """Create a new docker registry."""
        body = await api_validate(SCHEMA_DOCKER_REGISTRY, request)

        for hostname, registry in body.items():
            self.sys_docker.config.registries[hostname] = registry

-        self.sys_docker.config.save_data()
+        await self.sys_docker.config.save_data()

    @api_process
-    async def remove_registry(self, request: web.Request):
+    async def remove_registry(self, request: web.Request) -> None:
        """Delete a docker registry."""
        hostname = request.match_info.get(ATTR_HOSTNAME)
+        if hostname not in self.sys_docker.config.registries:
+            raise APINotFound(f"Hostname {hostname} does not exist in registries")
+
        del self.sys_docker.config.registries[hostname]
-        self.sys_docker.config.save_data()
+        await self.sys_docker.config.save_data()

    @api_process
-    async def info(self, request: web.Request):
-        """Get docker info."""
-        data_registries = {}
-        for hostname, registry in self.sys_docker.config.registries.items():
-            data_registries[hostname] = {
-                ATTR_USERNAME: registry[ATTR_USERNAME],
-            }
-        return {
-            ATTR_VERSION: self.sys_docker.info.version,
-            ATTR_STORAGE: self.sys_docker.info.storage,
-            ATTR_LOGGING: self.sys_docker.info.logging,
-            ATTR_REGISTRIES: data_registries,
-        }
+    async def migrate_docker_storage_driver(self, request: web.Request) -> None:
+        """Migrate Docker storage driver."""
+        if (
+            not self.coresys.os.available
+            or not self.coresys.os.version
+            or self.coresys.os.version < AwesomeVersion("17.0.dev0")
+        ):
+            raise APINotFound(
+                "Home Assistant OS 17.0 or newer required for Docker storage driver migration"
+            )
+
+        body = await api_validate(SCHEMA_MIGRATE_DOCKER_STORAGE_DRIVER, request)
+        await self.sys_dbus.agent.system.migrate_docker_storage_driver(
+            body[ATTR_STORAGE_DRIVER]
+        )
+
+        _LOGGER.info("Host system reboot required to apply Docker storage migration")
+        self.sys_resolution.create_issue(
+            IssueType.REBOOT_REQUIRED,
+            ContextType.SYSTEM,
+            suggestions=[SuggestionType.EXECUTE_REBOOT],
+        )
--- a/supervisor/api/hardware.py
+++ b/supervisor/api/hardware.py
@@ -1,4 +1,5 @@
 """Init file for Supervisor hardware RESTful API."""
+
 import logging
 from typing import Any

@@ -16,7 +17,7 @@ from ..const import (
    ATTR_SYSTEM,
 )
 from ..coresys import CoreSysAttributes
-from ..dbus.udisks2 import UDisks2
+from ..dbus.udisks2 import UDisks2Manager
 from ..dbus.udisks2.block import UDisks2Block
 from ..dbus.udisks2.drive import UDisks2Drive
 from ..hardware.data import Device
@@ -67,12 +68,15 @@ def filesystem_struct(fs_block: UDisks2Block) -> dict[str, Any]:
        ATTR_NAME: fs_block.id_label,
        ATTR_SYSTEM: fs_block.hint_system,
        ATTR_MOUNT_POINTS: [
-            str(mount_point) for mount_point in fs_block.filesystem.mount_points
+            str(mount_point)
+            for mount_point in (
+                fs_block.filesystem.mount_points if fs_block.filesystem else []
+            )
        ],
    }


-def drive_struct(udisks2: UDisks2, drive: UDisks2Drive) -> dict[str, Any]:
+def drive_struct(udisks2: UDisks2Manager, drive: UDisks2Drive) -> dict[str, Any]:
    """Return a dict with information of a disk to be used in the API."""
    return {
        ATTR_VENDOR: drive.vendor,
--- a/supervisor/api/homeassistant.py
+++ b/supervisor/api/homeassistant.py
@@ -1,4 +1,5 @@
 """Init file for Supervisor Home Assistant RESTful API."""
+
 import asyncio
 from collections.abc import Awaitable
 import logging
@@ -17,8 +18,10 @@ from ..const import (
    ATTR_BLK_WRITE,
    ATTR_BOOT,
    ATTR_CPU_PERCENT,
+    ATTR_DUPLICATE_LOG_FILE,
    ATTR_IMAGE,
    ATTR_IP_ADDRESS,
+    ATTR_JOB_ID,
    ATTR_MACHINE,
    ATTR_MEMORY_LIMIT,
    ATTR_MEMORY_PERCENT,
@@ -34,10 +37,10 @@ from ..const import (
    ATTR_WATCHDOG,
 )
 from ..coresys import CoreSysAttributes
-from ..exceptions import APIError
+from ..exceptions import APIDBMigrationInProgress, APIError
 from ..validate import docker_image, network_port, version_tag
-from .const import CONTENT_TYPE_BINARY
-from .utils import api_process, api_process_raw, api_validate
+from .const import ATTR_BACKGROUND, ATTR_FORCE, ATTR_SAFE_MODE
+from .utils import api_process, api_validate, background_task

 _LOGGER: logging.Logger = logging.getLogger(__name__)

@@ -53,6 +56,7 @@ SCHEMA_OPTIONS = vol.Schema(
        vol.Optional(ATTR_AUDIO_OUTPUT): vol.Maybe(str),
        vol.Optional(ATTR_AUDIO_INPUT): vol.Maybe(str),
        vol.Optional(ATTR_BACKUPS_EXCLUDE_DATABASE): vol.Boolean(),
+        vol.Optional(ATTR_DUPLICATE_LOG_FILE): vol.Boolean(),
    }
 )

@@ -60,6 +64,20 @@ SCHEMA_UPDATE = vol.Schema(
    {
        vol.Optional(ATTR_VERSION): version_tag,
        vol.Optional(ATTR_BACKUP): bool,
+        vol.Optional(ATTR_BACKGROUND, default=False): bool,
+    }
+)
+
+SCHEMA_RESTART = vol.Schema(
+    {
+        vol.Optional(ATTR_SAFE_MODE, default=False): vol.Boolean(),
+        vol.Optional(ATTR_FORCE, default=False): vol.Boolean(),
+    }
+)
+
+SCHEMA_STOP = vol.Schema(
+    {
+        vol.Optional(ATTR_FORCE, default=False): vol.Boolean(),
    }
 )

@@ -67,6 +85,17 @@ SCHEMA_UPDATE = vol.Schema(
 class APIHomeAssistant(CoreSysAttributes):
    """Handle RESTful API for Home Assistant functions."""

+    async def _check_offline_migration(self, force: bool = False) -> None:
+        """Check and raise if there's an offline DB migration in progress."""
+        if (
+            not force
+            and (state := await self.sys_homeassistant.api.get_api_state())
+            and state.offline_db_migration
+        ):
+            raise APIDBMigrationInProgress(
+                "Offline database migration in progress, try again after it has completed"
+            )
+
    @api_process
    async def info(self, request: web.Request) -> dict[str, Any]:
        """Return host information."""
@@ -85,6 +114,7 @@ class APIHomeAssistant(CoreSysAttributes):
            ATTR_AUDIO_INPUT: self.sys_homeassistant.audio_input,
            ATTR_AUDIO_OUTPUT: self.sys_homeassistant.audio_output,
            ATTR_BACKUPS_EXCLUDE_DATABASE: self.sys_homeassistant.backups_exclude_database,
+            ATTR_DUPLICATE_LOG_FILE: self.sys_homeassistant.duplicate_log_file,
        }

    @api_process
@@ -93,7 +123,10 @@ class APIHomeAssistant(CoreSysAttributes):
        body = await api_validate(SCHEMA_OPTIONS, request)

        if ATTR_IMAGE in body:
-            self.sys_homeassistant.image = body[ATTR_IMAGE]
+            self.sys_homeassistant.set_image(body[ATTR_IMAGE])
+            self.sys_homeassistant.override_image = (
+                self.sys_homeassistant.image != self.sys_homeassistant.default_image
+            )

        if ATTR_BOOT in body:
            self.sys_homeassistant.boot = body[ATTR_BOOT]
@@ -121,10 +154,13 @@ class APIHomeAssistant(CoreSysAttributes):
                ATTR_BACKUPS_EXCLUDE_DATABASE
            ]

-        self.sys_homeassistant.save_data()
+        if ATTR_DUPLICATE_LOG_FILE in body:
+            self.sys_homeassistant.duplicate_log_file = body[ATTR_DUPLICATE_LOG_FILE]
+
+        await self.sys_homeassistant.save_data()

    @api_process
-    async def stats(self, request: web.Request) -> dict[Any, str]:
+    async def stats(self, request: web.Request) -> dict[str, Any]:
        """Return resource information."""
        stats = await self.sys_homeassistant.core.stats()
        if not stats:
@@ -142,21 +178,31 @@ class APIHomeAssistant(CoreSysAttributes):
        }

    @api_process
-    async def update(self, request: web.Request) -> None:
+    async def update(self, request: web.Request) -> dict[str, str] | None:
        """Update Home Assistant."""
        body = await api_validate(SCHEMA_UPDATE, request)
+        await self._check_offline_migration()

-        await asyncio.shield(
-            self.sys_homeassistant.core.update(
-                version=body.get(ATTR_VERSION, self.sys_homeassistant.latest_version),
-                backup=body.get(ATTR_BACKUP),
-            )
+        background = body[ATTR_BACKGROUND]
+        update_task, job_id = await background_task(
+            self,
+            self.sys_homeassistant.core.update,
+            version=body.get(ATTR_VERSION, self.sys_homeassistant.latest_version),
+            backup=body.get(ATTR_BACKUP),
        )

+        if background and not update_task.done():
+            return {ATTR_JOB_ID: job_id}
+
+        return await update_task
+
    @api_process
-    def stop(self, request: web.Request) -> Awaitable[None]:
+    async def stop(self, request: web.Request) -> None:
        """Stop Home Assistant."""
-        return asyncio.shield(self.sys_homeassistant.core.stop())
+        body = await api_validate(SCHEMA_STOP, request)
+        await self._check_offline_migration(force=body[ATTR_FORCE])
+
+        return await asyncio.shield(self.sys_homeassistant.core.stop())

    @api_process
    def start(self, request: web.Request) -> Awaitable[None]:
@@ -164,19 +210,24 @@ class APIHomeAssistant(CoreSysAttributes):
        return asyncio.shield(self.sys_homeassistant.core.start())

    @api_process
-    def restart(self, request: web.Request) -> Awaitable[None]:
+    async def restart(self, request: web.Request) -> None:
        """Restart Home Assistant."""
-        return asyncio.shield(self.sys_homeassistant.core.restart())
+        body = await api_validate(SCHEMA_RESTART, request)
+        await self._check_offline_migration(force=body[ATTR_FORCE])
+
+        await asyncio.shield(
+            self.sys_homeassistant.core.restart(safe_mode=body[ATTR_SAFE_MODE])
+        )

    @api_process
-    def rebuild(self, request: web.Request) -> Awaitable[None]:
+    async def rebuild(self, request: web.Request) -> None:
        """Rebuild Home Assistant."""
-        return asyncio.shield(self.sys_homeassistant.core.rebuild())
+        body = await api_validate(SCHEMA_RESTART, request)
+        await self._check_offline_migration(force=body[ATTR_FORCE])

-    @api_process_raw(CONTENT_TYPE_BINARY)
-    def logs(self, request: web.Request) -> Awaitable[bytes]:
-        """Return Home Assistant Docker logs."""
-        return self.sys_homeassistant.core.logs()
+        await asyncio.shield(
+            self.sys_homeassistant.core.rebuild(safe_mode=body[ATTR_SAFE_MODE])
+        )

    @api_process
    async def check(self, request: web.Request) -> None:
--- a/supervisor/api/host.py
+++ b/supervisor/api/host.py
@@ -1,9 +1,19 @@
 """Init file for Supervisor host RESTful API."""
-import asyncio
-from contextlib import suppress
-import logging

-from aiohttp import web
+import asyncio
+from collections.abc import Awaitable
+from contextlib import suppress
+import json
+import logging
+from typing import Any
+
+from aiohttp import (
+    ClientConnectionResetError,
+    ClientError,
+    ClientPayloadError,
+    ClientTimeout,
+    web,
+)
 from aiohttp.hdrs import ACCEPT, RANGE
 import voluptuous as vol
 from voluptuous.error import CoerceInvalid
@@ -27,8 +37,16 @@ from ..const import (
    ATTR_TIMEZONE,
 )
 from ..coresys import CoreSysAttributes
-from ..exceptions import APIError, HostLogError
-from ..host.const import PARAM_BOOT_ID, PARAM_FOLLOW, PARAM_SYSLOG_IDENTIFIER
+from ..exceptions import APIDBMigrationInProgress, APIError, HostLogError
+from ..host.const import (
+    PARAM_BOOT_ID,
+    PARAM_FOLLOW,
+    PARAM_SYSLOG_IDENTIFIER,
+    LogFormat,
+    LogFormatter,
+)
+from ..host.logs import SYSTEMD_JOURNAL_GATEWAYD_LINES_MAX
+from ..utils.systemd_journal import journal_logs_reader
 from .const import (
    ATTR_AGENT_VERSION,
    ATTR_APPARMOR_VERSION,
@@ -38,39 +56,63 @@ from .const import (
    ATTR_BROADCAST_MDNS,
    ATTR_DT_SYNCHRONIZED,
    ATTR_DT_UTC,
+    ATTR_FORCE,
    ATTR_IDENTIFIERS,
    ATTR_LLMNR_HOSTNAME,
+    ATTR_MAX_DEPTH,
    ATTR_STARTUP_TIME,
    ATTR_USE_NTP,
+    ATTR_VIRTUALIZATION,
    CONTENT_TYPE_TEXT,
+    CONTENT_TYPE_X_LOG,
 )
-from .utils import api_process, api_validate
+from .utils import api_process, api_process_raw, api_validate

 _LOGGER: logging.Logger = logging.getLogger(__name__)

 IDENTIFIER = "identifier"
 BOOTID = "bootid"
-DEFAULT_RANGE = 100
+DEFAULT_LINES = 100

 SCHEMA_OPTIONS = vol.Schema({vol.Optional(ATTR_HOSTNAME): str})

+# pylint: disable=no-value-for-parameter
+SCHEMA_SHUTDOWN = vol.Schema(
+    {
+        vol.Optional(ATTR_FORCE, default=False): vol.Boolean(),
+    }
+)
+# pylint: enable=no-value-for-parameter
+

 class APIHost(CoreSysAttributes):
    """Handle RESTful API for host functions."""

+    async def _check_ha_offline_migration(self, force: bool) -> None:
+        """Check if HA has an offline migration in progress and raise if not forced."""
+        if (
+            not force
+            and (state := await self.sys_homeassistant.api.get_api_state())
+            and state.offline_db_migration
+        ):
+            raise APIDBMigrationInProgress(
+                "Home Assistant offline database migration in progress, please wait until complete before shutting down host"
+            )
+
    @api_process
-    async def info(self, request):
+    async def info(self, request: web.Request) -> dict[str, Any]:
        """Return host information."""
        return {
            ATTR_AGENT_VERSION: self.sys_dbus.agent.version,
            ATTR_APPARMOR_VERSION: self.sys_host.apparmor.version,
            ATTR_CHASSIS: self.sys_host.info.chassis,
+            ATTR_VIRTUALIZATION: self.sys_host.info.virtualization,
            ATTR_CPE: self.sys_host.info.cpe,
            ATTR_DEPLOYMENT: self.sys_host.info.deployment,
-            ATTR_DISK_FREE: self.sys_host.info.free_space,
-            ATTR_DISK_TOTAL: self.sys_host.info.total_space,
-            ATTR_DISK_USED: self.sys_host.info.used_space,
-            ATTR_DISK_LIFE_TIME: self.sys_host.info.disk_life_time,
+            ATTR_DISK_FREE: await self.sys_host.info.free_space(),
+            ATTR_DISK_TOTAL: await self.sys_host.info.total_space(),
+            ATTR_DISK_USED: await self.sys_host.info.used_space(),
+            ATTR_DISK_LIFE_TIME: await self.sys_host.info.disk_life_time(),
            ATTR_FEATURES: self.sys_host.features,
            ATTR_HOSTNAME: self.sys_host.info.hostname,
            ATTR_LLMNR_HOSTNAME: self.sys_host.info.llmnr_hostname,
@@ -87,7 +129,7 @@ class APIHost(CoreSysAttributes):
        }

    @api_process
-    async def options(self, request):
+    async def options(self, request: web.Request) -> None:
        """Edit host settings."""
        body = await api_validate(SCHEMA_OPTIONS, request)

@@ -98,22 +140,28 @@ class APIHost(CoreSysAttributes):
            )

    @api_process
-    def reboot(self, request):
+    async def reboot(self, request: web.Request) -> None:
        """Reboot host."""
-        return asyncio.shield(self.sys_host.control.reboot())
+        body = await api_validate(SCHEMA_SHUTDOWN, request)
+        await self._check_ha_offline_migration(force=body[ATTR_FORCE])
+
+        return await asyncio.shield(self.sys_host.control.reboot())

    @api_process
-    def shutdown(self, request):
+    async def shutdown(self, request: web.Request) -> None:
        """Poweroff host."""
-        return asyncio.shield(self.sys_host.control.shutdown())
+        body = await api_validate(SCHEMA_SHUTDOWN, request)
+        await self._check_ha_offline_migration(force=body[ATTR_FORCE])
+
+        return await asyncio.shield(self.sys_host.control.shutdown())

    @api_process
-    def reload(self, request):
+    def reload(self, request: web.Request) -> Awaitable[None]:
        """Reload host data."""
        return asyncio.shield(self.sys_host.reload())

    @api_process
-    async def services(self, request):
+    async def services(self, request: web.Request) -> dict[str, Any]:
        """Return list of available services."""
        services = []
        for unit in self.sys_host.services:
@@ -128,7 +176,7 @@ class APIHost(CoreSysAttributes):
        return {ATTR_SERVICES: services}

    @api_process
-    async def list_boots(self, _: web.Request):
+    async def list_boots(self, _: web.Request) -> dict[str, Any]:
        """Return a list of boot IDs."""
        boot_ids = await self.sys_host.logs.get_boot_ids()
        return {
@@ -139,7 +187,7 @@ class APIHost(CoreSysAttributes):
        }

    @api_process
-    async def list_identifiers(self, _: web.Request):
+    async def list_identifiers(self, _: web.Request) -> dict[str, list[str]]:
        """Return a list of syslog identifiers."""
        return {ATTR_IDENTIFIERS: await self.sys_host.logs.get_identifiers()}

@@ -153,50 +201,209 @@ class APIHost(CoreSysAttributes):
                raise APIError() from err
        return possible_offset

-    @api_process
-    async def advanced_logs(
-        self, request: web.Request, identifier: str | None = None, follow: bool = False
+    async def advanced_logs_handler(
+        self,
+        request: web.Request,
+        identifier: str | None = None,
+        follow: bool = False,
+        latest: bool = False,
+        no_colors: bool = False,
+        default_verbose: bool = False,
    ) -> web.StreamResponse:
        """Return systemd-journald logs."""
-        params = {}
+        log_formatter = LogFormatter.VERBOSE if default_verbose else LogFormatter.PLAIN
+        params: dict[str, Any] = {}
        if identifier:
            params[PARAM_SYSLOG_IDENTIFIER] = identifier
        elif IDENTIFIER in request.match_info:
-            params[PARAM_SYSLOG_IDENTIFIER] = request.match_info.get(IDENTIFIER)
+            params[PARAM_SYSLOG_IDENTIFIER] = request.match_info[IDENTIFIER]
        else:
            params[PARAM_SYSLOG_IDENTIFIER] = self.sys_host.logs.default_identifiers

        if BOOTID in request.match_info:
-            params[PARAM_BOOT_ID] = await self._get_boot_id(
-                request.match_info.get(BOOTID)
-            )
+            params[PARAM_BOOT_ID] = await self._get_boot_id(request.match_info[BOOTID])
        if follow:
            params[PARAM_FOLLOW] = ""

-        if ACCEPT in request.headers and request.headers[ACCEPT] not in [
+        if latest:
+            if not identifier:
+                raise APIError(
+                    "Latest logs can only be fetched for a specific identifier."
+                )
+
+            try:
+                epoch = await self._get_container_last_epoch(identifier)
+                params["CONTAINER_LOG_EPOCH"] = epoch
+            except HostLogError as err:
+                raise APIError(
+                    f"Cannot determine CONTAINER_LOG_EPOCH of {identifier}, latest logs not available."
+                ) from err
+
+        accept_header = request.headers.get(ACCEPT)
+
+        if accept_header and accept_header not in [
            CONTENT_TYPE_TEXT,
+            CONTENT_TYPE_X_LOG,
            "*/*",
        ]:
            raise APIError(
-                "Invalid content type requested. Only text/plain supported for now."
+                "Invalid content type requested. Only text/plain and text/x-log "
+                "supported for now."
            )

-        if RANGE in request.headers:
-            range_header = request.headers.get(RANGE)
+        if "verbose" in request.query or accept_header == CONTENT_TYPE_X_LOG:
+            log_formatter = LogFormatter.VERBOSE
+
+        if "no_colors" in request.query:
+            no_colors = True
+
+        if "lines" in request.query:
+            lines = request.query.get("lines", DEFAULT_LINES)
+            try:
+                lines = int(lines)
+            except ValueError:
+                # If the user passed a non-integer value, just use the default instead of error.
+                lines = DEFAULT_LINES
+            finally:
+                # We can't use the entries= Range header syntax to refer to the last 1 line,
+                # and passing 1 to the calculation below would return the 1st line of the logs
+                # instead. Since this is really an edge case that doesn't matter much, we'll just
+                # return 2 lines at minimum.
+                lines = max(2, lines)
+            # entries=cursor[[:num_skip]:num_entries]
+            range_header = f"entries=:-{lines - 1}:{SYSTEMD_JOURNAL_GATEWAYD_LINES_MAX if follow else lines}"
+        elif latest:
+            range_header = f"entries=:0:{SYSTEMD_JOURNAL_GATEWAYD_LINES_MAX}"
+        elif RANGE in request.headers:
+            range_header = request.headers[RANGE]
        else:
-            range_header = f"entries=:-{DEFAULT_RANGE}:"
+            range_header = f"entries=:-{DEFAULT_LINES - 1}:{SYSTEMD_JOURNAL_GATEWAYD_LINES_MAX if follow else DEFAULT_LINES}"

        async with self.sys_host.logs.journald_logs(
-            params=params, range_header=range_header
+            params=params, range_header=range_header, accept=LogFormat.JOURNAL
        ) as resp:
            try:
                response = web.StreamResponse()
                response.content_type = CONTENT_TYPE_TEXT
-                await response.prepare(request)
-                async for data in resp.content:
-                    await response.write(data)
-            except ConnectionResetError as ex:
+                headers_returned = False
+                async for cursor, line in journal_logs_reader(
+                    resp, log_formatter, no_colors
+                ):
+                    try:
+                        if not headers_returned:
+                            if cursor:
+                                response.headers["X-First-Cursor"] = cursor
+                            response.headers["X-Accel-Buffering"] = "no"
+                            await response.prepare(request)
+                            headers_returned = True
+                        await response.write(line.encode("utf-8") + b"\n")
+                    except ClientConnectionResetError as err:
+                        # When client closes the connection while reading busy logs, we
+                        # sometimes get this exception. It should be safe to ignore it.
+                        _LOGGER.debug(
+                            "ClientConnectionResetError raised when returning journal logs: %s",
+                            err,
+                        )
+                        break
+                    except ConnectionError as err:
+                        _LOGGER.warning(
+                            "%s raised when returning journal logs: %s",
+                            type(err).__name__,
+                            err,
+                        )
+                        break
+            except (ConnectionResetError, ClientPayloadError) as ex:
+                # ClientPayloadError is most likely caused by the closing the connection
                raise APIError(
                    "Connection reset when trying to fetch data from systemd-journald."
                ) from ex
            return response
+
+    @api_process_raw(CONTENT_TYPE_TEXT, error_type=CONTENT_TYPE_TEXT)
+    async def advanced_logs(
+        self,
+        request: web.Request,
+        identifier: str | None = None,
+        follow: bool = False,
+        latest: bool = False,
+        no_colors: bool = False,
+        default_verbose: bool = False,
+    ) -> web.StreamResponse:
+        """Return systemd-journald logs. Wrapped as standard API handler."""
+        return await self.advanced_logs_handler(
+            request, identifier, follow, latest, no_colors, default_verbose
+        )
+
+    @api_process
+    async def disk_usage(self, request: web.Request) -> dict[str, Any]:
+        """Return a breakdown of storage usage for the system."""
+
+        max_depth = request.query.get(ATTR_MAX_DEPTH, 1)
+        try:
+            max_depth = int(max_depth)
+        except ValueError:
+            max_depth = 1
+
+        disk = self.sys_hardware.disk
+
+        total, _, free = await self.sys_run_in_executor(
+            disk.disk_usage, self.sys_config.path_supervisor
+        )
+
+        # Calculate used by subtracting free makes sure we include reserved space
+        # in used space reporting.
+        used = total - free
+
+        known_paths = await self.sys_run_in_executor(
+            disk.get_dir_sizes,
+            {
+                "addons_data": self.sys_config.path_apps_data,
+                "addons_config": self.sys_config.path_app_configs,
+                "media": self.sys_config.path_media,
+                "share": self.sys_config.path_share,
+                "backup": self.sys_config.path_backup,
+                "ssl": self.sys_config.path_ssl,
+                "homeassistant": self.sys_config.path_homeassistant,
+            },
+            max_depth,
+        )
+        return {
+            # this can be the disk/partition ID in the future
+            "id": "root",
+            "label": "Root",
+            "total_bytes": total,
+            "used_bytes": used,
+            "children": [
+                {
+                    "id": "system",
+                    "label": "System",
+                    "used_bytes": used
+                    - sum(path["used_bytes"] for path in known_paths),
+                },
+                *known_paths,
+            ],
+        }
+
+    async def _get_container_last_epoch(self, identifier: str) -> str | None:
+        """Get Docker's internal log epoch of the latest log entry for the given identifier."""
+        try:
+            async with self.sys_host.logs.journald_logs(
+                params={"CONTAINER_NAME": identifier},
+                range_header="entries=:-1:2",  # -1 = next to the last entry
+                accept=LogFormat.JSON,
+                timeout=ClientTimeout(total=10),
+            ) as resp:
+                text = await resp.text()
+        except (ClientError, TimeoutError) as err:
+            raise HostLogError(
+                "Could not get last container epoch from systemd-journal-gatewayd",
+                _LOGGER.error,
+            ) from err
+
+        try:
+            return json.loads(text.strip().split("\n")[-1])["CONTAINER_LOG_EPOCH"]
+        except (json.JSONDecodeError, KeyError, IndexError) as err:
+            raise HostLogError(
+                f"Failed to parse CONTAINER_LOG_EPOCH of {identifier} container, got: {text}",
+                _LOGGER.error,
+            ) from err
--- a/supervisor/api/ingress.py
+++ b/supervisor/api/ingress.py
@@ -1,4 +1,5 @@
-"""Supervisor Add-on ingress service."""
+"""Supervisor App ingress service."""
+
 import asyncio
 from ipaddress import ip_address
 import logging
@@ -14,7 +15,7 @@ from aiohttp.web_exceptions import (
 from multidict import CIMultiDict, istr
 import voluptuous as vol

-from ..addons.addon import Addon
+from ..addons.addon import App
 from ..const import (
    ATTR_ADMIN,
    ATTR_ENABLE,
@@ -28,8 +29,8 @@ from ..const import (
    HEADER_REMOTE_USER_NAME,
    HEADER_TOKEN,
    HEADER_TOKEN_OLD,
+    HomeAssistantUser,
    IngressSessionData,
-    IngressSessionDataUser,
 )
 from ..coresys import CoreSysAttributes
 from ..exceptions import HomeAssistantAPIError
@@ -38,6 +39,8 @@ from .utils import api_process, api_validate, require_home_assistant

 _LOGGER: logging.Logger = logging.getLogger(__name__)

+MAX_WEBSOCKET_MESSAGE_SIZE = 16 * 1024 * 1024  # 16 MiB
+
 VALIDATE_SESSION_DATA = vol.Schema({ATTR_SESSION: str})

 """Expected optional payload of create session request"""
@@ -72,43 +75,37 @@ def status_code_must_be_empty_body(code: int) -> bool:


 class APIIngress(CoreSysAttributes):
-    """Ingress view to handle add-on webui routing."""
+    """Ingress view to handle app webui routing."""

-    _list_of_users: list[IngressSessionDataUser]
+    def _extract_app(self, request: web.Request) -> App:
+        """Return app, throw an exception it it doesn't exist."""
+        token = request.match_info["token"]

-    def __init__(self) -> None:
-        """Initialize APIIngress."""
-        self._list_of_users = []
-
-    def _extract_addon(self, request: web.Request) -> Addon:
-        """Return addon, throw an exception it it doesn't exist."""
-        token = request.match_info.get("token")
-
-        # Find correct add-on
-        addon = self.sys_ingress.get(token)
-        if not addon:
+        # Find correct app
+        app = self.sys_ingress.get(token)
+        if not app:
            _LOGGER.warning("Ingress for %s not available", token)
            raise HTTPServiceUnavailable()

-        return addon
+        return app

-    def _create_url(self, addon: Addon, path: str) -> str:
+    def _create_url(self, app: App, path: str) -> str:
        """Create URL to container."""
-        return f"http://{addon.ip_address}:{addon.ingress_port}/{path}"
+        return f"http://{app.ip_address}:{app.ingress_port}/{path}"

    @api_process
    async def panels(self, request: web.Request) -> dict[str, Any]:
        """Create a list of panel data."""
-        addons = {}
-        for addon in self.sys_ingress.addons:
-            addons[addon.slug] = {
-                ATTR_TITLE: addon.panel_title,
-                ATTR_ICON: addon.panel_icon,
-                ATTR_ADMIN: addon.panel_admin,
-                ATTR_ENABLE: addon.ingress_panel,
+        apps = {}
+        for app in self.sys_ingress.apps:
+            apps[app.slug] = {
+                ATTR_TITLE: app.panel_title,
+                ATTR_ICON: app.panel_icon,
+                ATTR_ADMIN: app.panel_admin,
+                ATTR_ENABLE: app.ingress_panel,
            }

-        return {ATTR_PANELS: addons}
+        return {ATTR_PANELS: apps}

    @api_process
    @require_home_assistant
@@ -131,7 +128,7 @@ class APIIngress(CoreSysAttributes):

    @api_process
    @require_home_assistant
-    async def validate_session(self, request: web.Request) -> dict[str, Any]:
+    async def validate_session(self, request: web.Request) -> None:
        """Validate session and extending how long it's valid for."""
        data = await api_validate(VALIDATE_SESSION_DATA, request)

@@ -146,22 +143,22 @@ class APIIngress(CoreSysAttributes):
        """Route data to Supervisor ingress service."""

        # Check Ingress Session
-        session = request.cookies.get(COOKIE_INGRESS)
+        session = request.cookies.get(COOKIE_INGRESS, "")
        if not self.sys_ingress.validate_session(session):
            _LOGGER.warning("No valid ingress session %s", session)
            raise HTTPUnauthorized()

        # Process requests
-        addon = self._extract_addon(request)
-        path = request.match_info.get("path")
+        app = self._extract_app(request)
+        path = request.match_info.get("path", "")
        session_data = self.sys_ingress.get_session_data(session)
        try:
            # Websocket
            if _is_websocket(request):
-                return await self._handle_websocket(request, addon, path, session_data)
+                return await self._handle_websocket(request, app, path, session_data)

            # Request
-            return await self._handle_request(request, addon, path, session_data)
+            return await self._handle_request(request, app, path, session_data)

        except aiohttp.ClientError as err:
            _LOGGER.error("Ingress error: %s", err)
@@ -171,7 +168,7 @@ class APIIngress(CoreSysAttributes):
    async def _handle_websocket(
        self,
        request: web.Request,
-        addon: Addon,
+        app: App,
        path: str,
        session_data: IngressSessionData | None,
    ) -> web.WebSocketResponse:
@@ -182,58 +179,66 @@ class APIIngress(CoreSysAttributes):
                for proto in request.headers[hdrs.SEC_WEBSOCKET_PROTOCOL].split(",")
            ]
        else:
-            req_protocols = ()
+            req_protocols = []

        ws_server = web.WebSocketResponse(
-            protocols=req_protocols, autoclose=False, autoping=False
+            protocols=req_protocols,
+            autoclose=False,
+            autoping=False,
+            max_msg_size=MAX_WEBSOCKET_MESSAGE_SIZE,
        )
        await ws_server.prepare(request)

        # Preparing
-        url = self._create_url(addon, path)
-        source_header = _init_header(request, addon, session_data)
+        url = self._create_url(app, path)
+        source_header = _init_header(request, app, session_data)

        # Support GET query
        if request.query_string:
            url = f"{url}?{request.query_string}"

        # Start proxy
-        async with self.sys_websession.ws_connect(
-            url,
-            headers=source_header,
-            protocols=req_protocols,
-            autoclose=False,
-            autoping=False,
-        ) as ws_client:
-            # Proxy requests
-            await asyncio.wait(
-                [
-                    self.sys_create_task(_websocket_forward(ws_server, ws_client)),
-                    self.sys_create_task(_websocket_forward(ws_client, ws_server)),
-                ],
-                return_when=asyncio.FIRST_COMPLETED,
-            )
+        try:
+            _LOGGER.debug("Proxing WebSocket to %s, upstream url: %s", app.slug, url)
+            async with self.sys_websession.ws_connect(
+                url,
+                headers=source_header,
+                protocols=req_protocols,
+                autoclose=False,
+                autoping=False,
+                max_msg_size=MAX_WEBSOCKET_MESSAGE_SIZE,
+            ) as ws_client:
+                # Proxy requests
+                await asyncio.wait(
+                    [
+                        self.sys_create_task(_websocket_forward(ws_server, ws_client)),
+                        self.sys_create_task(_websocket_forward(ws_client, ws_server)),
+                    ],
+                    return_when=asyncio.FIRST_COMPLETED,
+                )
+        except TimeoutError:
+            _LOGGER.warning("WebSocket proxy to %s timed out", app.slug)

        return ws_server

    async def _handle_request(
        self,
        request: web.Request,
-        addon: Addon,
+        app: App,
        path: str,
        session_data: IngressSessionData | None,
    ) -> web.Response | web.StreamResponse:
        """Ingress route for request."""
-        url = self._create_url(addon, path)
-        source_header = _init_header(request, addon, session_data)
+        url = self._create_url(app, path)
+        source_header = _init_header(request, app, session_data)

        # Passing the raw stream breaks requests for some webservers
        # since we just need it for POST requests really, for all other methods
-        # we read the bytes and pass that to the request to the add-on
-        # add-ons needs to add support with that in the configuration
+        # we read the bytes and pass that to the request to the app
+        # apps needs to add support with that in the configuration
        data = (
            request.content
-            if request.method == "POST" and addon.ingress_stream
+            if request.method == "POST" and app.ingress_stream
            else await request.read()
        )

@@ -248,18 +253,28 @@ class APIIngress(CoreSysAttributes):
            skip_auto_headers={hdrs.CONTENT_TYPE},
        ) as result:
            headers = _response_header(result)
+
            # Avoid parsing content_type in simple cases for better performance
            if maybe_content_type := result.headers.get(hdrs.CONTENT_TYPE):
                content_type = (maybe_content_type.partition(";"))[0].strip()
            else:
                content_type = result.content_type
+
+            # Empty body responses (304, 204, HEAD, etc.) should not be streamed,
+            # otherwise aiohttp < 3.9.0 may generate an invalid "0\r\n\r\n" chunk
+            # This also avoids setting content_type for empty responses.
+            if must_be_empty_body(request.method, result.status):
+                # If upstream contains content-type, preserve it (e.g. for HEAD requests)
+                if maybe_content_type:
+                    headers[hdrs.CONTENT_TYPE] = content_type
+                return web.Response(
+                    headers=headers,
+                    status=result.status,
+                )
+
            # Simple request
            if (
-                # empty body responses should not be streamed,
-                # otherwise aiohttp < 3.9.0 may generate
-                # an invalid "0\r\n\r\n" chunk instead of an empty response.
-                must_be_empty_body(request.method, result.status)
-                or hdrs.CONTENT_LENGTH in result.headers
+                hdrs.CONTENT_LENGTH in result.headers
                and int(result.headers.get(hdrs.CONTENT_LENGTH, 0)) < 4_194_000
            ):
                # Return Response
@@ -276,47 +291,44 @@ class APIIngress(CoreSysAttributes):
            response.content_type = content_type

            try:
+                response.headers["X-Accel-Buffering"] = "no"
                await response.prepare(request)
-                async for data in result.content.iter_chunked(4096):
+                async for data, _ in result.content.iter_chunks():
                    await response.write(data)

            except (
                aiohttp.ClientError,
                aiohttp.ClientPayloadError,
                ConnectionResetError,
+                ConnectionError,
            ) as err:
                _LOGGER.error("Stream error with %s: %s", url, err)

            return response

-    async def _find_user_by_id(self, user_id: str) -> IngressSessionDataUser | None:
+    async def _find_user_by_id(self, user_id: str) -> HomeAssistantUser | None:
        """Find user object by the user's ID."""
        try:
-            list_of_users = await self.sys_homeassistant.get_users()
-        except (HomeAssistantAPIError, TypeError) as err:
-            _LOGGER.error(
-                "%s error occurred while requesting list of users: %s", type(err), err
-            )
+            users = await self.sys_homeassistant.list_users()
+        except HomeAssistantAPIError as err:
+            _LOGGER.warning("Could not fetch list of users: %s", err)
            return None

-        if list_of_users is not None:
-            self._list_of_users = list_of_users
-
-        return next((user for user in self._list_of_users if user.id == user_id), None)
+        return next((user for user in users if user.id == user_id), None)


 def _init_header(
-    request: web.Request, addon: Addon, session_data: IngressSessionData | None
-) -> CIMultiDict | dict[str, str]:
+    request: web.Request, app: App, session_data: IngressSessionData | None
+) -> CIMultiDict[str]:
    """Create initial header."""
-    headers = {}
+    headers = CIMultiDict[str]()

    if session_data is not None:
        headers[HEADER_REMOTE_USER_ID] = session_data.user.id
        if session_data.user.username is not None:
            headers[HEADER_REMOTE_USER_NAME] = session_data.user.username
-        if session_data.user.display_name is not None:
-            headers[HEADER_REMOTE_USER_DISPLAY_NAME] = session_data.user.display_name
+        if session_data.user.name is not None:
+            headers[HEADER_REMOTE_USER_DISPLAY_NAME] = session_data.user.name

    # filter flags
    for name, value in request.headers.items():
@@ -335,19 +347,20 @@ def _init_header(
            istr(HEADER_REMOTE_USER_DISPLAY_NAME),
        ):
            continue
-        headers[name] = value
+        headers.add(name, value)

    # Update X-Forwarded-For
-    forward_for = request.headers.get(hdrs.X_FORWARDED_FOR)
-    connected_ip = ip_address(request.transport.get_extra_info("peername")[0])
-    headers[hdrs.X_FORWARDED_FOR] = f"{forward_for}, {connected_ip!s}"
+    if request.transport:
+        forward_for = request.headers.get(hdrs.X_FORWARDED_FOR)
+        connected_ip = ip_address(request.transport.get_extra_info("peername")[0])
+        headers[hdrs.X_FORWARDED_FOR] = f"{forward_for}, {connected_ip!s}"

    return headers


-def _response_header(response: aiohttp.ClientResponse) -> dict[str, str]:
+def _response_header(response: aiohttp.ClientResponse) -> CIMultiDict[str]:
    """Create response header."""
-    headers = {}
+    headers = CIMultiDict[str]()

    for name, value in response.headers.items():
        if name in (
@@ -357,7 +370,7 @@ def _response_header(response: aiohttp.ClientResponse) -> dict[str, str]:
            hdrs.CONTENT_ENCODING,
        ):
            continue
-        headers[name] = value
+        headers.add(name, value)

    return headers

@@ -383,9 +396,9 @@ async def _websocket_forward(ws_from, ws_to):
            elif msg.type == aiohttp.WSMsgType.BINARY:
                await ws_to.send_bytes(msg.data)
            elif msg.type == aiohttp.WSMsgType.PING:
-                await ws_to.ping()
+                await ws_to.ping(msg.data)
            elif msg.type == aiohttp.WSMsgType.PONG:
-                await ws_to.pong()
+                await ws_to.pong(msg.data)
            elif ws_to.closed:
                await ws_to.close(code=ws_to.close_code, message=msg.extra)
    except RuntimeError:
--- a/supervisor/api/jobs.py
+++ b/supervisor/api/jobs.py
@@ -1,4 +1,5 @@
 """Init file for Supervisor Jobs RESTful API."""
+
 import logging
 from typing import Any

@@ -6,6 +7,7 @@ from aiohttp import web
 import voluptuous as vol

 from ..coresys import CoreSysAttributes
+from ..exceptions import APIError, APINotFound, JobNotFound
 from ..jobs import SupervisorJob
 from ..jobs.const import ATTR_IGNORE_CONDITIONS, JobCondition
 from .const import ATTR_JOBS
@@ -21,10 +23,24 @@ SCHEMA_OPTIONS = vol.Schema(
 class APIJobs(CoreSysAttributes):
    """Handle RESTful API for OS functions."""

-    def _list_jobs(self) -> list[dict[str, Any]]:
-        """Return current job tree."""
+    def _extract_job(self, request: web.Request) -> SupervisorJob:
+        """Extract job from request or raise."""
+        try:
+            return self.sys_jobs.get_job(request.match_info["uuid"])
+        except JobNotFound:
+            raise APINotFound("Job does not exist") from None
+
+    def _list_jobs(self, start: SupervisorJob | None = None) -> list[dict[str, Any]]:
+        """Return current job tree.
+
+        Jobs are added to cache as they are created so by default they are in oldest to newest.
+        This is correct ordering for child jobs as it makes logical sense to present those in
+        the order they occurred within the parent. For the list as a whole, sort from newest
+        to oldest as its likely any client is most interested in the newer ones.
+        """
+        # Initially sort oldest to newest so all child lists end up in correct order
        jobs_by_parent: dict[str | None, list[SupervisorJob]] = {}
-        for job in self.sys_jobs.jobs:
+        for job in sorted(self.sys_jobs.jobs):
            if job.internal:
                continue

@@ -33,10 +49,16 @@ class APIJobs(CoreSysAttributes):
            else:
                jobs_by_parent[job.parent_id].append(job)

+        # After parent-child organization, sort the root jobs only from newest to oldest
        job_list: list[dict[str, Any]] = []
-        queue: list[tuple[list[dict[str, Any]], SupervisorJob]] = [
-            (job_list, job) for job in jobs_by_parent.get(None, [])
-        ]
+        queue: list[tuple[list[dict[str, Any]], SupervisorJob]] = (
+            [(job_list, start)]
+            if start
+            else [
+                (job_list, job)
+                for job in sorted(jobs_by_parent.get(None, []), reverse=True)
+            ]
+        )

        while queue:
            (current_list, current_job) = queue.pop(0)
@@ -49,7 +71,10 @@ class APIJobs(CoreSysAttributes):

            if current_job.uuid in jobs_by_parent:
                queue.extend(
-                    [(child_jobs, job) for job in jobs_by_parent.get(current_job.uuid)]
+                    [
+                        (child_jobs, job)
+                        for job in jobs_by_parent.get(current_job.uuid, [])
+                    ]
                )

        return job_list
@@ -70,11 +95,27 @@ class APIJobs(CoreSysAttributes):
        if ATTR_IGNORE_CONDITIONS in body:
            self.sys_jobs.ignore_conditions = body[ATTR_IGNORE_CONDITIONS]

-        self.sys_jobs.save_data()
+        await self.sys_jobs.save_data()

        await self.sys_resolution.evaluate.evaluate_system()

    @api_process
    async def reset(self, request: web.Request) -> None:
        """Reset options for JobManager."""
-        self.sys_jobs.reset_data()
+        await self.sys_jobs.reset_data()
+
+    @api_process
+    async def job_info(self, request: web.Request) -> dict[str, Any]:
+        """Get details of a job by ID."""
+        job = self._extract_job(request)
+        return self._list_jobs(job)[0]
+
+    @api_process
+    async def remove_job(self, request: web.Request) -> None:
+        """Remove a completed job."""
+        job = self._extract_job(request)
+
+        if not job.done:
+            raise APIError(f"Job {job.uuid} is not done!")
+
+        self.sys_jobs.remove_job(job)
--- a/supervisor/api/middleware/security.py
+++ b/supervisor/api/middleware/security.py
@@ -1,10 +1,12 @@
 """Handle security part of this API."""
+
+from collections.abc import Awaitable, Callable
 import logging
 import re
 from typing import Final
 from urllib.parse import unquote

-from aiohttp.web import Request, RequestHandler, Response, middleware
+from aiohttp.web import Request, StreamResponse, middleware
 from aiohttp.web_exceptions import HTTPBadRequest, HTTPForbidden, HTTPUnauthorized
 from awesomeversion import AwesomeVersion

@@ -16,11 +18,12 @@ from ...const import (
    ROLE_DEFAULT,
    ROLE_HOMEASSISTANT,
    ROLE_MANAGER,
-    CoreState,
+    VALID_API_STATES,
 )
 from ...coresys import CoreSys, CoreSysAttributes
+from ...homeassistant.const import LANDINGPAGE
 from ...utils import version_is_new_enough
-from ..utils import api_return_error, excract_supervisor_token
+from ..utils import api_return_error, extract_supervisor_token

 _LOGGER: logging.Logger = logging.getLogger(__name__)
 _CORE_VERSION: Final = AwesomeVersion("2023.3.4")
@@ -65,7 +68,7 @@ OBSERVER_CHECK: Final = re.compile(
    r")$"
 )

-# Can called by every add-on
+# Can called by every app
 ADDONS_API_BYPASS: Final = re.compile(
    r"^(?:"
    r"|/addons/self/(?!security|update)[^/]+"
@@ -77,8 +80,15 @@ ADDONS_API_BYPASS: Final = re.compile(
    r")$"
 )

-# Policy role add-on API access
-ADDONS_ROLE_ACCESS: dict[str, re.Pattern] = {
+# Home Assistant only
+CORE_ONLY_PATHS: Final = re.compile(
+    r"^(?:"
+    r"/addons/" + RE_SLUG + "/sys_options"
+    r")$"
+)
+
+# Policy role app API access
+ADDONS_ROLE_ACCESS: dict[str, re.Pattern[str]] = {
    ROLE_DEFAULT: re.compile(
        r"^(?:"
        r"|/.+/info"
@@ -103,6 +113,8 @@ ADDONS_ROLE_ACCESS: dict[str, re.Pattern] = {
        r"|/addons(?:/" + RE_SLUG + r"/(?!security).+|/reload)?"
        r"|/audio/.+"
        r"|/auth/cache"
+        r"|/available_updates"
+        r"|/backups.*"
        r"|/cli/.+"
        r"|/core/.+"
        r"|/dns/.+"
@@ -112,16 +124,17 @@ ADDONS_ROLE_ACCESS: dict[str, re.Pattern] = {
        r"|/hassos/.+"
        r"|/homeassistant/.+"
        r"|/host/.+"
+        r"|/mounts.*"
        r"|/multicast/.+"
        r"|/network/.+"
        r"|/observer/.+"
-        r"|/os/.+"
+        r"|/os/(?!datadisk/wipe).+"
+        r"|/refresh_updates"
        r"|/resolution/.+"
-        r"|/backups.*"
+        r"|/security/.+"
        r"|/snapshots.*"
        r"|/store.*"
        r"|/supervisor/.+"
-        r"|/security/.+"
        r")$"
    ),
    ROLE_ADMIN: re.compile(
@@ -167,8 +180,8 @@ class SecurityMiddleware(CoreSysAttributes):

    @middleware
    async def block_bad_requests(
-        self, request: Request, handler: RequestHandler
-    ) -> Response:
+        self, request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
+    ) -> StreamResponse:
        """Process request and tblock commonly known exploit attempts."""
        if FILTERS.search(self._recursive_unquote(request.path)):
            _LOGGER.warning(
@@ -187,14 +200,10 @@ class SecurityMiddleware(CoreSysAttributes):

    @middleware
    async def system_validation(
-        self, request: Request, handler: RequestHandler
-    ) -> Response:
+        self, request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
+    ) -> StreamResponse:
        """Check if core is ready to response."""
-        if self.sys_core.state not in (
-            CoreState.STARTUP,
-            CoreState.RUNNING,
-            CoreState.FREEZE,
-        ):
+        if self.sys_core.state not in VALID_API_STATES:
            return api_return_error(
                message=f"System is not ready with state: {self.sys_core.state}"
            )
@@ -203,11 +212,11 @@ class SecurityMiddleware(CoreSysAttributes):

    @middleware
    async def token_validation(
-        self, request: Request, handler: RequestHandler
-    ) -> Response:
+        self, request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
+    ) -> StreamResponse:
        """Check security access of this layer."""
-        request_from = None
-        supervisor_token = excract_supervisor_token(request)
+        request_from: CoreSysAttributes | None = None
+        supervisor_token = extract_supervisor_token(request)

        # Blacklist
        if BLACKLIST.match(request.path):
@@ -229,6 +238,9 @@ class SecurityMiddleware(CoreSysAttributes):
        if supervisor_token == self.sys_homeassistant.supervisor_token:
            _LOGGER.debug("%s access from Home Assistant", request.path)
            request_from = self.sys_homeassistant
+        elif CORE_ONLY_PATHS.match(request.path):
+            _LOGGER.warning("Attempted access to %s from client besides Home Assistant")
+            raise HTTPForbidden()

        # Host
        if supervisor_token == self.sys_plugins.cli.supervisor_token:
@@ -243,26 +255,24 @@ class SecurityMiddleware(CoreSysAttributes):
            _LOGGER.debug("%s access from Observer", request.path)
            request_from = self.sys_plugins.observer

-        # Add-on
-        addon = None
+        # App
+        app = None
        if supervisor_token and not request_from:
-            addon = self.sys_addons.from_token(supervisor_token)
+            app = self.sys_apps.from_token(supervisor_token)

-        # Check Add-on API access
-        if addon and ADDONS_API_BYPASS.match(request.path):
-            _LOGGER.debug("Passthrough %s from %s", request.path, addon.slug)
-            request_from = addon
-        elif addon and addon.access_hassio_api:
+        # Check App API access
+        if app and ADDONS_API_BYPASS.match(request.path):
+            _LOGGER.debug("Passthrough %s from %s", request.path, app.slug)
+            request_from = app
+        elif app and app.access_hassio_api:
            # Check Role
-            if ADDONS_ROLE_ACCESS[addon.hassio_role].match(request.path):
-                _LOGGER.info("%s access from %s", request.path, addon.slug)
-                request_from = addon
+            if ADDONS_ROLE_ACCESS[app.hassio_role].match(request.path):
+                _LOGGER.info("%s access from %s", request.path, app.slug)
+                request_from = app
            else:
-                _LOGGER.warning("%s no role for %s", request.path, addon.slug)
-        elif addon:
-            _LOGGER.warning(
-                "%s missing API permission for %s", addon.slug, request.path
-            )
+                _LOGGER.warning("%s no role for %s", request.path, app.slug)
+        elif app:
+            _LOGGER.warning("%s missing API permission for %s", app.slug, request.path)

        if request_from:
            request[REQUEST_FROM] = request_from
@@ -272,10 +282,14 @@ class SecurityMiddleware(CoreSysAttributes):
        raise HTTPForbidden()

    @middleware
-    async def core_proxy(self, request: Request, handler: RequestHandler) -> Response:
+    async def core_proxy(
+        self, request: Request, handler: Callable[[Request], Awaitable[StreamResponse]]
+    ) -> StreamResponse:
        """Validate user from Core API proxy."""
-        if request[REQUEST_FROM] != self.sys_homeassistant or version_is_new_enough(
-            self.sys_homeassistant.version, _CORE_VERSION
+        if (
+            request[REQUEST_FROM] != self.sys_homeassistant
+            or self.sys_homeassistant.version == LANDINGPAGE
+            or version_is_new_enough(self.sys_homeassistant.version, _CORE_VERSION)
        ):
            return await handler(request)

--- a/supervisor/api/mounts.py
+++ b/supervisor/api/mounts.py
@@ -1,17 +1,17 @@
 """Inits file for supervisor mounts REST API."""

-from typing import Any
+from typing import Any, cast

 from aiohttp import web
 import voluptuous as vol

 from ..const import ATTR_NAME, ATTR_STATE
 from ..coresys import CoreSysAttributes
-from ..exceptions import APIError
+from ..exceptions import APIError, APINotFound
 from ..mounts.const import ATTR_DEFAULT_BACKUP_MOUNT, MountUsage
 from ..mounts.mount import Mount
-from ..mounts.validate import SCHEMA_MOUNT_CONFIG
-from .const import ATTR_MOUNTS
+from ..mounts.validate import SCHEMA_MOUNT_CONFIG, MountData
+from .const import ATTR_MOUNTS, ATTR_USER_PATH
 from .utils import api_process, api_validate

 SCHEMA_OPTIONS = vol.Schema(
@@ -24,6 +24,13 @@ SCHEMA_OPTIONS = vol.Schema(
 class APIMounts(CoreSysAttributes):
    """Handle REST API for mounting options."""

+    def _extract_mount(self, request: web.Request) -> Mount:
+        """Extract mount from request or raise."""
+        name = request.match_info["mount"]
+        if name not in self.sys_mounts:
+            raise APINotFound(f"No mount exists with name {name}")
+        return self.sys_mounts.get(name)
+
    @api_process
    async def info(self, request: web.Request) -> dict[str, Any]:
        """Return MountManager info."""
@@ -32,7 +39,13 @@ class APIMounts(CoreSysAttributes):
            if self.sys_mounts.default_backup_mount
            else None,
            ATTR_MOUNTS: [
-                mount.to_dict() | {ATTR_STATE: mount.state}
+                mount.to_dict()
+                | {
+                    ATTR_STATE: mount.state,
+                    ATTR_USER_PATH: mount.container_where.as_posix()
+                    if mount.container_where
+                    else None,
+                }
                for mount in self.sys_mounts.mounts
            ],
        }
@@ -53,15 +66,15 @@ class APIMounts(CoreSysAttributes):
            else:
                self.sys_mounts.default_backup_mount = mount

-        self.sys_mounts.save_data()
+        await self.sys_mounts.save_data()

    @api_process
    async def create_mount(self, request: web.Request) -> None:
        """Create a new mount in supervisor."""
-        body = await api_validate(SCHEMA_MOUNT_CONFIG, request)
+        body = cast(MountData, await api_validate(SCHEMA_MOUNT_CONFIG, request))

-        if body[ATTR_NAME] in self.sys_mounts:
-            raise APIError(f"A mount already exists with name {body[ATTR_NAME]}")
+        if body["name"] in self.sys_mounts:
+            raise APIError(f"A mount already exists with name {body['name']}")

        mount = Mount.from_dict(self.coresys, body)
        await self.sys_mounts.create_mount(mount)
@@ -74,19 +87,20 @@ class APIMounts(CoreSysAttributes):
            if not self.sys_mounts.default_backup_mount:
                self.sys_mounts.default_backup_mount = mount

-        self.sys_mounts.save_data()
+        await self.sys_mounts.save_data()

    @api_process
    async def update_mount(self, request: web.Request) -> None:
        """Update an existing mount in supervisor."""
-        name = request.match_info.get("mount")
+        current = self._extract_mount(request)
        name_schema = vol.Schema(
-            {vol.Optional(ATTR_NAME, default=name): name}, extra=vol.ALLOW_EXTRA
+            {vol.Optional(ATTR_NAME, default=current.name): current.name},
+            extra=vol.ALLOW_EXTRA,
+        )
+        body = cast(
+            MountData,
+            await api_validate(vol.All(name_schema, SCHEMA_MOUNT_CONFIG), request),
        )
-        body = await api_validate(vol.All(name_schema, SCHEMA_MOUNT_CONFIG), request)
-
-        if name not in self.sys_mounts:
-            raise APIError(f"No mount exists with name {name}")

        mount = Mount.from_dict(self.coresys, body)
        await self.sys_mounts.create_mount(mount)
@@ -99,26 +113,26 @@ class APIMounts(CoreSysAttributes):
        elif self.sys_mounts.default_backup_mount == mount:
            self.sys_mounts.default_backup_mount = None

-        self.sys_mounts.save_data()
+        await self.sys_mounts.save_data()

    @api_process
    async def delete_mount(self, request: web.Request) -> None:
        """Delete an existing mount in supervisor."""
-        name = request.match_info.get("mount")
-        mount = await self.sys_mounts.remove_mount(name)
+        current = self._extract_mount(request)
+        mount = await self.sys_mounts.remove_mount(current.name)

        # If it was a backup mount, reload backups
        if mount.usage == MountUsage.BACKUP:
            self.sys_create_task(self.sys_backups.reload())

-        self.sys_mounts.save_data()
+        await self.sys_mounts.save_data()

    @api_process
    async def reload_mount(self, request: web.Request) -> None:
        """Reload an existing mount in supervisor."""
-        name = request.match_info.get("mount")
-        await self.sys_mounts.reload_mount(name)
+        mount = self._extract_mount(request)
+        await self.sys_mounts.reload_mount(mount.name)

        # If it's a backup mount, reload backups
-        if self.sys_mounts.get(name).usage == MountUsage.BACKUP:
+        if mount.usage == MountUsage.BACKUP:
            self.sys_create_task(self.sys_backups.reload())
--- a/supervisor/api/multicast.py
+++ b/supervisor/api/multicast.py
@@ -1,4 +1,5 @@
 """Init file for Supervisor Multicast RESTful API."""
+
 import asyncio
 from collections.abc import Awaitable
 import logging
@@ -23,8 +24,7 @@ from ..const import (
 from ..coresys import CoreSysAttributes
 from ..exceptions import APIError
 from ..validate import version_tag
-from .const import CONTENT_TYPE_BINARY
-from .utils import api_process, api_process_raw, api_validate
+from .utils import api_process, api_validate

 _LOGGER: logging.Logger = logging.getLogger(__name__)

@@ -69,11 +69,6 @@ class APIMulticast(CoreSysAttributes):
            raise APIError(f"Version {version} is already in use")
        await asyncio.shield(self.sys_plugins.multicast.update(version))

-    @api_process_raw(CONTENT_TYPE_BINARY)
-    def logs(self, request: web.Request) -> Awaitable[bytes]:
-        """Return Multicast Docker logs."""
-        return self.sys_plugins.multicast.logs()
-
    @api_process
    def restart(self, request: web.Request) -> Awaitable[None]:
        """Restart Multicast plugin."""
--- a/supervisor/api/network.py
+++ b/supervisor/api/network.py
@@ -1,8 +1,8 @@
 """REST API for network."""
+
 import asyncio
 from collections.abc import Awaitable
-from dataclasses import replace
-from ipaddress import ip_address, ip_interface
+from ipaddress import IPv4Address, IPv4Interface, IPv6Address, IPv6Interface
 from typing import Any

 from aiohttp import web
@@ -10,6 +10,7 @@ import voluptuous as vol

 from ..const import (
    ATTR_ACCESSPOINTS,
+    ATTR_ADDR_GEN_MODE,
    ATTR_ADDRESS,
    ATTR_AUTH,
    ATTR_CONNECTED,
@@ -22,9 +23,12 @@ from ..const import (
    ATTR_ID,
    ATTR_INTERFACE,
    ATTR_INTERFACES,
+    ATTR_IP6_PRIVACY,
    ATTR_IPV4,
    ATTR_IPV6,
+    ATTR_LLMNR,
    ATTR_MAC,
+    ATTR_MDNS,
    ATTR_METHOD,
    ATTR_MODE,
    ATTR_NAMESERVERS,
@@ -32,34 +36,53 @@ from ..const import (
    ATTR_PRIMARY,
    ATTR_PSK,
    ATTR_READY,
+    ATTR_ROUTE_METRIC,
    ATTR_SIGNAL,
    ATTR_SSID,
    ATTR_SUPERVISOR_INTERNET,
    ATTR_TYPE,
    ATTR_VLAN,
    ATTR_WIFI,
+    DOCKER_IPV4_NETWORK_MASK,
    DOCKER_NETWORK,
-    DOCKER_NETWORK_MASK,
 )
 from ..coresys import CoreSysAttributes
-from ..exceptions import APIError, HostNetworkNotFound
+from ..exceptions import APIError, APINotFound, HostNetworkNotFound
 from ..host.configuration import (
    AccessPoint,
    Interface,
+    InterfaceAddrGenMode,
+    InterfaceIp6Privacy,
    InterfaceMethod,
+    Ip6Setting,
    IpConfig,
+    IpSetting,
+    MulticastDnsMode,
    VlanConfig,
    WifiConfig,
 )
 from ..host.const import AuthMethod, InterfaceType, WifiMode
 from .utils import api_process, api_validate

-_SCHEMA_IP_CONFIG = vol.Schema(
+_SCHEMA_IPV4_CONFIG = vol.Schema(
    {
-        vol.Optional(ATTR_ADDRESS): [vol.Coerce(ip_interface)],
+        vol.Optional(ATTR_ADDRESS): [vol.Coerce(IPv4Interface)],
        vol.Optional(ATTR_METHOD): vol.Coerce(InterfaceMethod),
-        vol.Optional(ATTR_GATEWAY): vol.Coerce(ip_address),
-        vol.Optional(ATTR_NAMESERVERS): [vol.Coerce(ip_address)],
+        vol.Optional(ATTR_GATEWAY): vol.Coerce(IPv4Address),
+        vol.Optional(ATTR_ROUTE_METRIC): vol.Coerce(int),
+        vol.Optional(ATTR_NAMESERVERS): [vol.Coerce(IPv4Address)],
+    }
+)
+
+_SCHEMA_IPV6_CONFIG = vol.Schema(
+    {
+        vol.Optional(ATTR_ADDRESS): [vol.Coerce(IPv6Interface)],
+        vol.Optional(ATTR_METHOD): vol.Coerce(InterfaceMethod),
+        vol.Optional(ATTR_ADDR_GEN_MODE): vol.Coerce(InterfaceAddrGenMode),
+        vol.Optional(ATTR_IP6_PRIVACY): vol.Coerce(InterfaceIp6Privacy),
+        vol.Optional(ATTR_GATEWAY): vol.Coerce(IPv6Address),
+        vol.Optional(ATTR_ROUTE_METRIC): vol.Coerce(int),
+        vol.Optional(ATTR_NAMESERVERS): [vol.Coerce(IPv6Address)],
    }
 )

@@ -76,21 +99,38 @@ _SCHEMA_WIFI_CONFIG = vol.Schema(
 # pylint: disable=no-value-for-parameter
 SCHEMA_UPDATE = vol.Schema(
    {
-        vol.Optional(ATTR_IPV4): _SCHEMA_IP_CONFIG,
-        vol.Optional(ATTR_IPV6): _SCHEMA_IP_CONFIG,
+        vol.Optional(ATTR_IPV4): _SCHEMA_IPV4_CONFIG,
+        vol.Optional(ATTR_IPV6): _SCHEMA_IPV6_CONFIG,
        vol.Optional(ATTR_WIFI): _SCHEMA_WIFI_CONFIG,
        vol.Optional(ATTR_ENABLED): vol.Boolean(),
+        vol.Optional(ATTR_MDNS): vol.Coerce(MulticastDnsMode),
+        vol.Optional(ATTR_LLMNR): vol.Coerce(MulticastDnsMode),
    }
 )


-def ipconfig_struct(config: IpConfig) -> dict[str, Any]:
-    """Return a dict with information about ip configuration."""
+def ip4config_struct(config: IpConfig, setting: IpSetting) -> dict[str, Any]:
+    """Return a dict with information about IPv4 configuration."""
    return {
-        ATTR_METHOD: config.method,
+        ATTR_METHOD: setting.method,
        ATTR_ADDRESS: [address.with_prefixlen for address in config.address],
        ATTR_NAMESERVERS: [str(address) for address in config.nameservers],
        ATTR_GATEWAY: str(config.gateway) if config.gateway else None,
+        ATTR_ROUTE_METRIC: setting.route_metric,
+        ATTR_READY: config.ready,
+    }
+
+
+def ip6config_struct(config: IpConfig, setting: Ip6Setting) -> dict[str, Any]:
+    """Return a dict with information about IPv6 configuration."""
+    return {
+        ATTR_METHOD: setting.method,
+        ATTR_ADDR_GEN_MODE: setting.addr_gen_mode,
+        ATTR_IP6_PRIVACY: setting.ip6_privacy,
+        ATTR_ADDRESS: [address.with_prefixlen for address in config.address],
+        ATTR_NAMESERVERS: [str(address) for address in config.nameservers],
+        ATTR_GATEWAY: str(config.gateway) if config.gateway else None,
+        ATTR_ROUTE_METRIC: setting.route_metric,
        ATTR_READY: config.ready,
    }

@@ -122,10 +162,16 @@ def interface_struct(interface: Interface) -> dict[str, Any]:
        ATTR_CONNECTED: interface.connected,
        ATTR_PRIMARY: interface.primary,
        ATTR_MAC: interface.mac,
-        ATTR_IPV4: ipconfig_struct(interface.ipv4) if interface.ipv4 else None,
-        ATTR_IPV6: ipconfig_struct(interface.ipv6) if interface.ipv6 else None,
+        ATTR_IPV4: ip4config_struct(interface.ipv4, interface.ipv4setting)
+        if interface.ipv4 and interface.ipv4setting
+        else None,
+        ATTR_IPV6: ip6config_struct(interface.ipv6, interface.ipv6setting)
+        if interface.ipv6 and interface.ipv6setting
+        else None,
        ATTR_WIFI: wifi_struct(interface.wifi) if interface.wifi else None,
        ATTR_VLAN: vlan_struct(interface.vlan) if interface.vlan else None,
+        ATTR_MDNS: interface.mdns,
+        ATTR_LLMNR: interface.llmnr,
    }


@@ -157,10 +203,10 @@ class APINetwork(CoreSysAttributes):
            except HostNetworkNotFound:
                pass

-        raise APIError(f"Interface {name} does not exist") from None
+        raise APINotFound(f"Interface {name} does not exist") from None

    @api_process
-    async def info(self, request: web.Request) -> dict[str, Any]:
+    async def info(self, _: web.Request) -> dict[str, Any]:
        """Return network information."""
        return {
            ATTR_INTERFACES: [
@@ -169,7 +215,7 @@ class APINetwork(CoreSysAttributes):
            ],
            ATTR_DOCKER: {
                ATTR_INTERFACE: DOCKER_NETWORK,
-                ATTR_ADDRESS: str(DOCKER_NETWORK_MASK),
+                ATTR_ADDRESS: str(DOCKER_IPV4_NETWORK_MASK),
                ATTR_GATEWAY: str(self.sys_docker.network.gateway),
                ATTR_DNS: str(self.sys_docker.network.dns),
            },
@@ -180,14 +226,14 @@ class APINetwork(CoreSysAttributes):
    @api_process
    async def interface_info(self, request: web.Request) -> dict[str, Any]:
        """Return network information for a interface."""
-        interface = self._get_interface(request.match_info.get(ATTR_INTERFACE))
+        interface = self._get_interface(request.match_info[ATTR_INTERFACE])

        return interface_struct(interface)

    @api_process
    async def interface_update(self, request: web.Request) -> None:
        """Update the configuration of an interface."""
-        interface = self._get_interface(request.match_info.get(ATTR_INTERFACE))
+        interface = self._get_interface(request.match_info[ATTR_INTERFACE])

        # Validate data
        body = await api_validate(SCHEMA_UPDATE, request)
@@ -197,32 +243,46 @@ class APINetwork(CoreSysAttributes):
        # Apply config
        for key, config in body.items():
            if key == ATTR_IPV4:
-                interface.ipv4 = replace(
-                    interface.ipv4
-                    or IpConfig(InterfaceMethod.STATIC, [], None, [], None),
-                    **config,
+                interface.ipv4setting = IpSetting(
+                    method=config.get(ATTR_METHOD, InterfaceMethod.STATIC),
+                    address=config.get(ATTR_ADDRESS, []),
+                    gateway=config.get(ATTR_GATEWAY),
+                    route_metric=config.get(ATTR_ROUTE_METRIC),
+                    nameservers=config.get(ATTR_NAMESERVERS, []),
                )
            elif key == ATTR_IPV6:
-                interface.ipv6 = replace(
-                    interface.ipv6
-                    or IpConfig(InterfaceMethod.STATIC, [], None, [], None),
-                    **config,
+                interface.ipv6setting = Ip6Setting(
+                    method=config.get(ATTR_METHOD, InterfaceMethod.STATIC),
+                    addr_gen_mode=config.get(
+                        ATTR_ADDR_GEN_MODE, InterfaceAddrGenMode.DEFAULT
+                    ),
+                    ip6_privacy=config.get(
+                        ATTR_IP6_PRIVACY, InterfaceIp6Privacy.DEFAULT
+                    ),
+                    address=config.get(ATTR_ADDRESS, []),
+                    gateway=config.get(ATTR_GATEWAY),
+                    route_metric=config.get(ATTR_ROUTE_METRIC),
+                    nameservers=config.get(ATTR_NAMESERVERS, []),
                )
            elif key == ATTR_WIFI:
-                interface.wifi = replace(
-                    interface.wifi
-                    or WifiConfig(
-                        WifiMode.INFRASTRUCTURE, "", AuthMethod.OPEN, None, None
-                    ),
-                    **config,
+                interface.wifi = WifiConfig(
+                    mode=config.get(ATTR_MODE, WifiMode.INFRASTRUCTURE),
+                    ssid=config.get(ATTR_SSID, ""),
+                    auth=config.get(ATTR_AUTH, AuthMethod.OPEN),
+                    psk=config.get(ATTR_PSK, None),
+                    signal=None,
                )
            elif key == ATTR_ENABLED:
                interface.enabled = config
+            elif key == ATTR_MDNS:
+                interface.mdns = config
+            elif key == ATTR_LLMNR:
+                interface.llmnr = config

        await asyncio.shield(self.sys_host.network.apply_changes(interface))

    @api_process
-    def reload(self, request: web.Request) -> Awaitable[None]:
+    def reload(self, _: web.Request) -> Awaitable[None]:
        """Reload network data."""
        return asyncio.shield(
            self.sys_host.network.update(force_connectivity_check=True)
@@ -231,7 +291,7 @@ class APINetwork(CoreSysAttributes):
    @api_process
    async def scan_accesspoints(self, request: web.Request) -> dict[str, Any]:
        """Scan and return a list of available networks."""
-        interface = self._get_interface(request.match_info.get(ATTR_INTERFACE))
+        interface = self._get_interface(request.match_info[ATTR_INTERFACE])

        # Only wlan is supported
        if interface.type != InterfaceType.WIRELESS:
@@ -244,8 +304,10 @@ class APINetwork(CoreSysAttributes):
    @api_process
    async def create_vlan(self, request: web.Request) -> None:
        """Create a new vlan."""
-        interface = self._get_interface(request.match_info.get(ATTR_INTERFACE))
-        vlan = int(request.match_info.get(ATTR_VLAN))
+        interface = self._get_interface(request.match_info[ATTR_INTERFACE])
+        vlan = int(request.match_info.get(ATTR_VLAN, -1))
+        if vlan < 0:
+            raise APIError(f"Invalid vlan specified: {vlan}")

        # Only ethernet is supported
        if interface.type != InterfaceType.ETHERNET:
@@ -256,37 +318,56 @@ class APINetwork(CoreSysAttributes):

        vlan_config = VlanConfig(vlan, interface.name)

-        ipv4_config = None
+        mdns_mode = MulticastDnsMode.DEFAULT
+        llmnr_mode = MulticastDnsMode.DEFAULT
+
+        if ATTR_MDNS in body:
+            mdns_mode = body[ATTR_MDNS]
+
+        if ATTR_LLMNR in body:
+            llmnr_mode = body[ATTR_LLMNR]
+
+        ipv4_setting = None
        if ATTR_IPV4 in body:
-            ipv4_config = IpConfig(
-                body[ATTR_IPV4].get(ATTR_METHOD, InterfaceMethod.AUTO),
-                body[ATTR_IPV4].get(ATTR_ADDRESS, []),
-                body[ATTR_IPV4].get(ATTR_GATEWAY, None),
-                body[ATTR_IPV4].get(ATTR_NAMESERVERS, []),
-                None,
+            ipv4_setting = IpSetting(
+                method=body[ATTR_IPV4].get(ATTR_METHOD, InterfaceMethod.AUTO),
+                address=body[ATTR_IPV4].get(ATTR_ADDRESS, []),
+                gateway=body[ATTR_IPV4].get(ATTR_GATEWAY),
+                route_metric=body[ATTR_IPV4].get(ATTR_ROUTE_METRIC),
+                nameservers=body[ATTR_IPV4].get(ATTR_NAMESERVERS, []),
            )

-        ipv6_config = None
+        ipv6_setting = None
        if ATTR_IPV6 in body:
-            ipv6_config = IpConfig(
-                body[ATTR_IPV6].get(ATTR_METHOD, InterfaceMethod.AUTO),
-                body[ATTR_IPV6].get(ATTR_ADDRESS, []),
-                body[ATTR_IPV6].get(ATTR_GATEWAY, None),
-                body[ATTR_IPV6].get(ATTR_NAMESERVERS, []),
-                None,
+            ipv6_setting = Ip6Setting(
+                method=body[ATTR_IPV6].get(ATTR_METHOD, InterfaceMethod.AUTO),
+                addr_gen_mode=body[ATTR_IPV6].get(
+                    ATTR_ADDR_GEN_MODE, InterfaceAddrGenMode.DEFAULT
+                ),
+                ip6_privacy=body[ATTR_IPV6].get(
+                    ATTR_IP6_PRIVACY, InterfaceIp6Privacy.DEFAULT
+                ),
+                address=body[ATTR_IPV6].get(ATTR_ADDRESS, []),
+                gateway=body[ATTR_IPV6].get(ATTR_GATEWAY),
+                route_metric=body[ATTR_IPV6].get(ATTR_ROUTE_METRIC),
+                nameservers=body[ATTR_IPV6].get(ATTR_NAMESERVERS, []),
            )

        vlan_interface = Interface(
-            "",
+            f"{interface.name}.{vlan}",
            "",
            "",
            True,
            True,
            False,
            InterfaceType.VLAN,
-            ipv4_config,
-            ipv6_config,
+            None,
+            ipv4_setting,
+            None,
+            ipv6_setting,
            None,
            vlan_config,
+            mdns=mdns_mode,
+            llmnr=llmnr_mode,
        )
-        await asyncio.shield(self.sys_host.network.apply_changes(vlan_interface))
+        await asyncio.shield(self.sys_host.network.create_vlan(vlan_interface))
--- a/supervisor/api/observer.py
+++ b/supervisor/api/observer.py
@@ -1,4 +1,5 @@
 """Init file for Supervisor Observer RESTful API."""
+
 import asyncio
 import logging
 from typing import Any
--- a/supervisor/api/os.py
+++ b/supervisor/api/os.py
@@ -1,7 +1,9 @@
 """Init file for Supervisor HassOS RESTful API."""
+
 import asyncio
 from collections.abc import Awaitable
 import logging
+import re
 from typing import Any

 from aiohttp import web
@@ -19,22 +21,29 @@ from ..const import (
    ATTR_POWER_LED,
    ATTR_SERIAL,
    ATTR_SIZE,
+    ATTR_STATE,
+    ATTR_SWAP_SIZE,
+    ATTR_SWAPPINESS,
    ATTR_UPDATE_AVAILABLE,
    ATTR_VERSION,
    ATTR_VERSION_LATEST,
 )
 from ..coresys import CoreSysAttributes
-from ..exceptions import BoardInvalidError
+from ..exceptions import APINotFound, BoardInvalidError
 from ..resolution.const import ContextType, IssueType, SuggestionType
 from ..validate import version_tag
 from .const import (
+    ATTR_BOOT_SLOT,
+    ATTR_BOOT_SLOTS,
    ATTR_DATA_DISK,
    ATTR_DEV_PATH,
    ATTR_DEVICE,
    ATTR_DISKS,
    ATTR_MODEL,
+    ATTR_STATUS,
    ATTR_SYSTEM_HEALTH_LED,
    ATTR_VENDOR,
+    BootSlot,
 )
 from .utils import api_process, api_validate

@@ -42,6 +51,7 @@ _LOGGER: logging.Logger = logging.getLogger(__name__)

 # pylint: disable=no-value-for-parameter
 SCHEMA_VERSION = vol.Schema({vol.Optional(ATTR_VERSION): version_tag})
+SCHEMA_SET_BOOT_SLOT = vol.Schema({vol.Required(ATTR_BOOT_SLOT): vol.Coerce(BootSlot)})
 SCHEMA_DISK = vol.Schema({vol.Required(ATTR_DEVICE): str})

 SCHEMA_YELLOW_OPTIONS = vol.Schema(
@@ -58,6 +68,15 @@ SCHEMA_GREEN_OPTIONS = vol.Schema(
        vol.Optional(ATTR_SYSTEM_HEALTH_LED): vol.Boolean(),
    }
 )
+
+RE_SWAP_SIZE = re.compile(r"^\d+([KMG](i?B)?|B)?$", re.IGNORECASE)
+
+SCHEMA_SWAP_OPTIONS = vol.Schema(
+    {
+        vol.Optional(ATTR_SWAP_SIZE): vol.Match(RE_SWAP_SIZE),
+        vol.Optional(ATTR_SWAPPINESS): vol.All(int, vol.Range(min=0, max=200)),
+    }
+)
 # pylint: enable=no-value-for-parameter


@@ -74,6 +93,15 @@ class APIOS(CoreSysAttributes):
            ATTR_BOARD: self.sys_os.board,
            ATTR_BOOT: self.sys_dbus.rauc.boot_slot,
            ATTR_DATA_DISK: self.sys_os.datadisk.disk_used_id,
+            ATTR_BOOT_SLOTS: {
+                slot.bootname: {
+                    ATTR_STATE: slot.state,
+                    ATTR_STATUS: slot.boot_status,
+                    ATTR_VERSION: slot.bundle_version,
+                }
+                for slot in self.sys_os.slots
+                if slot.bootname
+            },
        }

    @api_process
@@ -96,6 +124,17 @@ class APIOS(CoreSysAttributes):

        await asyncio.shield(self.sys_os.datadisk.migrate_disk(body[ATTR_DEVICE]))

+    @api_process
+    def wipe_data(self, request: web.Request) -> Awaitable[None]:
+        """Trigger data disk wipe on Host."""
+        return asyncio.shield(self.sys_os.datadisk.wipe_disk())
+
+    @api_process
+    async def set_boot_slot(self, request: web.Request) -> None:
+        """Change the active boot slot and reboot into it."""
+        body = await api_validate(SCHEMA_SET_BOOT_SLOT, request)
+        await asyncio.shield(self.sys_os.set_boot_slot(body[ATTR_BOOT_SLOT]))
+
    @api_process
    async def list_data(self, request: web.Request) -> dict[str, Any]:
        """Return possible data targets."""
@@ -130,15 +169,19 @@ class APIOS(CoreSysAttributes):
        body = await api_validate(SCHEMA_GREEN_OPTIONS, request)

        if ATTR_ACTIVITY_LED in body:
-            self.sys_dbus.agent.board.green.activity_led = body[ATTR_ACTIVITY_LED]
+            await self.sys_dbus.agent.board.green.set_activity_led(
+                body[ATTR_ACTIVITY_LED]
+            )

        if ATTR_POWER_LED in body:
-            self.sys_dbus.agent.board.green.power_led = body[ATTR_POWER_LED]
+            await self.sys_dbus.agent.board.green.set_power_led(body[ATTR_POWER_LED])

        if ATTR_SYSTEM_HEALTH_LED in body:
-            self.sys_dbus.agent.board.green.user_led = body[ATTR_SYSTEM_HEALTH_LED]
+            await self.sys_dbus.agent.board.green.set_user_led(
+                body[ATTR_SYSTEM_HEALTH_LED]
+            )

-        self.sys_dbus.agent.board.green.save_data()
+        await self.sys_dbus.agent.board.green.save_data()

    @api_process
    async def boards_yellow_info(self, request: web.Request) -> dict[str, Any]:
@@ -155,15 +198,17 @@ class APIOS(CoreSysAttributes):
        body = await api_validate(SCHEMA_YELLOW_OPTIONS, request)

        if ATTR_DISK_LED in body:
-            self.sys_dbus.agent.board.yellow.disk_led = body[ATTR_DISK_LED]
+            await self.sys_dbus.agent.board.yellow.set_disk_led(body[ATTR_DISK_LED])

        if ATTR_HEARTBEAT_LED in body:
-            self.sys_dbus.agent.board.yellow.heartbeat_led = body[ATTR_HEARTBEAT_LED]
+            await self.sys_dbus.agent.board.yellow.set_heartbeat_led(
+                body[ATTR_HEARTBEAT_LED]
+            )

        if ATTR_POWER_LED in body:
-            self.sys_dbus.agent.board.yellow.power_led = body[ATTR_POWER_LED]
+            await self.sys_dbus.agent.board.yellow.set_power_led(body[ATTR_POWER_LED])

-        self.sys_dbus.agent.board.yellow.save_data()
+        await self.sys_dbus.agent.board.yellow.save_data()
        self.sys_resolution.create_issue(
            IssueType.REBOOT_REQUIRED,
            ContextType.SYSTEM,
@@ -179,3 +224,53 @@ class APIOS(CoreSysAttributes):
            )

        return {}
+
+    @api_process
+    async def config_swap_info(self, request: web.Request) -> dict[str, Any]:
+        """Get swap settings."""
+        if (
+            not self.coresys.os.available
+            or not self.coresys.os.version
+            or self.coresys.os.version < "15.0"
+        ):
+            raise APINotFound(
+                "Home Assistant OS 15.0 or newer required for swap settings"
+            )
+
+        return {
+            ATTR_SWAP_SIZE: self.sys_dbus.agent.swap.swap_size,
+            ATTR_SWAPPINESS: self.sys_dbus.agent.swap.swappiness,
+        }
+
+    @api_process
+    async def config_swap_options(self, request: web.Request) -> None:
+        """Update swap settings."""
+        if (
+            not self.coresys.os.available
+            or not self.coresys.os.version
+            or self.coresys.os.version < "15.0"
+        ):
+            raise APINotFound(
+                "Home Assistant OS 15.0 or newer required for swap settings"
+            )
+
+        body = await api_validate(SCHEMA_SWAP_OPTIONS, request)
+
+        reboot_required = False
+
+        if ATTR_SWAP_SIZE in body:
+            old_size = self.sys_dbus.agent.swap.swap_size
+            await self.sys_dbus.agent.swap.set_swap_size(body[ATTR_SWAP_SIZE])
+            reboot_required = reboot_required or old_size != body[ATTR_SWAP_SIZE]
+
+        if ATTR_SWAPPINESS in body:
+            old_swappiness = self.sys_dbus.agent.swap.swappiness
+            await self.sys_dbus.agent.swap.set_swappiness(body[ATTR_SWAPPINESS])
+            reboot_required = reboot_required or old_swappiness != body[ATTR_SWAPPINESS]
+
+        if reboot_required:
+            self.sys_resolution.create_issue(
+                IssueType.REBOOT_REQUIRED,
+                ContextType.SYSTEM,
+                suggestions=[SuggestionType.EXECUTE_REBOOT],
+            )
--- a/supervisor/api/panel/entrypoint.js
+++ b/supervisor/api/panel/entrypoint.js
@@ -1 +1 @@
-!function(){function n(n){var t=document.createElement("script");t.src=n,document.body.appendChild(t)}if(/.*Version\/(?:11|12)(?:\.\d+)*.*Safari\//.test(navigator.userAgent))n("/api/hassio/app/frontend_es5/entrypoint-5yRSddAJzJ4.js");else try{new Function("import('/api/hassio/app/frontend_latest/entrypoint-qzB1D0O4L9U.js')")()}catch(t){n("/api/hassio/app/frontend_es5/entrypoint-5yRSddAJzJ4.js")}}()
+!function(){function d(d){var e=document.createElement("script");e.src=d,document.body.appendChild(e)}if(/Edge?\/(13\d|1[4-9]\d|[2-9]\d{2}|\d{4,})\.\d+(\.\d+|)|Firefox\/(13[1-9]|1[4-9]\d|[2-9]\d{2}|\d{4,})\.\d+(\.\d+|)|Chrom(ium|e)\/(10[5-9]|1[1-9]\d|[2-9]\d{2}|\d{4,})\.\d+(\.\d+|)|(Maci|X1{2}).+ Version\/(18\.([1-9]|\d{2,})|(19|[2-9]\d|\d{3,})\.\d+)([,.]\d+|)( \(\w+\)|)( Mobile\/\w+|) Safari\/|Chrome.+OPR\/(1{2}[5-9]|1[2-9]\d|[2-9]\d{2}|\d{4,})\.\d+\.\d+|(CPU[ +]OS|iPhone[ +]OS|CPU[ +]iPhone|CPU IPhone OS|CPU iPad OS)[ +]+(18[._]([1-9]|\d{2,})|(19|[2-9]\d|\d{3,})[._]\d+)([._]\d+|)|Android:?[ /-](13\d|1[4-9]\d|[2-9]\d{2}|\d{4,})(\.\d+|)(\.\d+|)|Mobile Safari.+OPR\/([89]\d|\d{3,})\.\d+\.\d+|Android.+Firefox\/(13[1-9]|1[4-9]\d|[2-9]\d{2}|\d{4,})\.\d+(\.\d+|)|Android.+Chrom(ium|e)\/(13\d|1[4-9]\d|[2-9]\d{2}|\d{4,})\.\d+(\.\d+|)|SamsungBrowser\/(2[89]|[3-9]\d|\d{3,})\.\d+|Home As{2}istant\/[\d.]+ \(.+; macOS (1[3-9]|[2-9]\d|\d{3,})\.\d+(\.\d+)?\)/.test(navigator.userAgent))try{new Function("import('/api/hassio/app/frontend_latest/entrypoint.1e251476306cafd4.js')")()}catch(e){d("/api/hassio/app/frontend_es5/entrypoint.601ff5d4dddd11f9.js")}else d("/api/hassio/app/frontend_es5/entrypoint.601ff5d4dddd11f9.js")}()
--- a/supervisor/api/panel/entrypoint.js.br
+++ b/supervisor/api/panel/entrypoint.js.br
--- a/supervisor/api/panel/entrypoint.js.gz
+++ b/supervisor/api/panel/entrypoint.js.gz
--- a/supervisor/api/panel/frontend_es5/10.02c74d8ffd9bf568.js
+++ b/supervisor/api/panel/frontend_es5/10.02c74d8ffd9bf568.js
--- a/supervisor/api/panel/frontend_es5/10.02c74d8ffd9bf568.js.br
+++ b/supervisor/api/panel/frontend_es5/10.02c74d8ffd9bf568.js.br
--- a/supervisor/api/panel/frontend_es5/10.02c74d8ffd9bf568.js.gz
+++ b/supervisor/api/panel/frontend_es5/10.02c74d8ffd9bf568.js.gz
--- a/supervisor/api/panel/frontend_es5/10.02c74d8ffd9bf568.js.map
+++ b/supervisor/api/panel/frontend_es5/10.02c74d8ffd9bf568.js.map
--- a/supervisor/api/panel/frontend_es5/1008.c2e44b88f5829db4.js
+++ b/supervisor/api/panel/frontend_es5/1008.c2e44b88f5829db4.js
--- a/supervisor/api/panel/frontend_es5/1008.c2e44b88f5829db4.js.LICENSE.txt
+++ b/supervisor/api/panel/frontend_es5/1008.c2e44b88f5829db4.js.LICENSE.txt
--- a/supervisor/api/panel/frontend_es5/1008.c2e44b88f5829db4.js.br
+++ b/supervisor/api/panel/frontend_es5/1008.c2e44b88f5829db4.js.br
--- a/supervisor/api/panel/frontend_es5/1008.c2e44b88f5829db4.js.gz
+++ b/supervisor/api/panel/frontend_es5/1008.c2e44b88f5829db4.js.gz
--- a/supervisor/api/panel/frontend_es5/1008.c2e44b88f5829db4.js.map
+++ b/supervisor/api/panel/frontend_es5/1008.c2e44b88f5829db4.js.map
--- a/supervisor/api/panel/frontend_es5/1036-G1AUvfK_ULU.js
+++ b/supervisor/api/panel/frontend_es5/1036-G1AUvfK_ULU.js
--- a/supervisor/api/panel/frontend_es5/1036-G1AUvfK_ULU.js.gz
+++ b/supervisor/api/panel/frontend_es5/1036-G1AUvfK_ULU.js.gz
--- a/supervisor/api/panel/frontend_es5/1036-G1AUvfK_ULU.js.map
+++ b/supervisor/api/panel/frontend_es5/1036-G1AUvfK_ULU.js.map
--- a/supervisor/api/panel/frontend_es5/1047-g7fFLS9eP4I.js
+++ b/supervisor/api/panel/frontend_es5/1047-g7fFLS9eP4I.js
@@ -1,2 +0,0 @@
-"use strict";(self.webpackChunkhome_assistant_frontend=self.webpackChunkhome_assistant_frontend||[]).push([[1047],{32594:function(e,t,r){r.d(t,{U:function(){return n}});var n=function(e){return e.stopPropagation()}},75054:function(e,t,r){r.r(t),r.d(t,{HaTimeDuration:function(){return f}});var n,a=r(88962),i=r(33368),o=r(71650),d=r(82390),u=r(69205),l=r(70906),s=r(91808),c=r(68144),v=r(79932),f=(r(47289),(0,s.Z)([(0,v.Mo)("ha-selector-duration")],(function(e,t){var r=function(t){(0,u.Z)(n,t);var r=(0,l.Z)(n);function n(){var t;(0,o.Z)(this,n);for(var a=arguments.length,i=new Array(a),u=0;u<a;u++)i[u]=arguments[u];return t=r.call.apply(r,[this].concat(i)),e((0,d.Z)(t)),t}return(0,i.Z)(n)}(t);return{F:r,d:[{kind:"field",decorators:[(0,v.Cb)({attribute:!1})],key:"hass",value:void 0},{kind:"field",decorators:[(0,v.Cb)({attribute:!1})],key:"selector",value:void 0},{kind:"field",decorators:[(0,v.Cb)({attribute:!1})],key:"value",value:void 0},{kind:"field",decorators:[(0,v.Cb)()],key:"label",value:void 0},{kind:"field",decorators:[(0,v.Cb)()],key:"helper",value:void 0},{kind:"field",decorators:[(0,v.Cb)({type:Boolean})],key:"disabled",value:function(){return!1}},{kind:"field",decorators:[(0,v.Cb)({type:Boolean})],key:"required",value:function(){return!0}},{kind:"method",key:"render",value:function(){var e;return(0,c.dy)(n||(n=(0,a.Z)([' <ha-duration-input .label="','" .helper="','" .data="','" .disabled="','" .required="','" ?enableDay="','"></ha-duration-input> '])),this.label,this.helper,this.value,this.disabled,this.required,null===(e=this.selector.duration)||void 0===e?void 0:e.enable_day)}}]}}),c.oi))}}]);
-//# sourceMappingURL=1047-g7fFLS9eP4I.js.map
--- a/supervisor/api/panel/frontend_es5/1047-g7fFLS9eP4I.js.gz
+++ b/supervisor/api/panel/frontend_es5/1047-g7fFLS9eP4I.js.gz
--- a/supervisor/api/panel/frontend_es5/1047-g7fFLS9eP4I.js.map
+++ b/supervisor/api/panel/frontend_es5/1047-g7fFLS9eP4I.js.map
@@ -1 +0,0 @@
-{"version":3,"file":"1047-g7fFLS9eP4I.js","mappings":"yKAAO,IAAMA,EAAkB,SAACC,GAAE,OAAKA,EAAGD,iBAAiB,C,qLCQ9CE,G,UAAcC,EAAAA,EAAAA,GAAA,EAD1BC,EAAAA,EAAAA,IAAc,0BAAuB,SAAAC,EAAAC,GAAA,IACzBJ,EAAc,SAAAK,IAAAC,EAAAA,EAAAA,GAAAN,EAAAK,GAAA,IAAAE,GAAAC,EAAAA,EAAAA,GAAAR,GAAA,SAAAA,IAAA,IAAAS,GAAAC,EAAAA,EAAAA,GAAA,KAAAV,GAAA,QAAAW,EAAAC,UAAAC,OAAAC,EAAA,IAAAC,MAAAJ,GAAAK,EAAA,EAAAA,EAAAL,EAAAK,IAAAF,EAAAE,GAAAJ,UAAAI,GAAA,OAAAP,EAAAF,EAAAU,KAAAC,MAAAX,EAAA,OAAAY,OAAAL,IAAAX,GAAAiB,EAAAA,EAAAA,GAAAX,IAAAA,CAAA,QAAAY,EAAAA,EAAAA,GAAArB,EAAA,EAAAI,GAAA,OAAAkB,EAAdtB,EAAcuB,EAAA,EAAAC,KAAA,QAAAC,WAAA,EACxBC,EAAAA,EAAAA,IAAS,CAAEC,WAAW,KAAQC,IAAA,OAAAC,WAAA,IAAAL,KAAA,QAAAC,WAAA,EAE9BC,EAAAA,EAAAA,IAAS,CAAEC,WAAW,KAAQC,IAAA,WAAAC,WAAA,IAAAL,KAAA,QAAAC,WAAA,EAE9BC,EAAAA,EAAAA,IAAS,CAAEC,WAAW,KAAQC,IAAA,QAAAC,WAAA,IAAAL,KAAA,QAAAC,WAAA,EAE9BC,EAAAA,EAAAA,OAAUE,IAAA,QAAAC,WAAA,IAAAL,KAAA,QAAAC,WAAA,EAEVC,EAAAA,EAAAA,OAAUE,IAAA,SAAAC,WAAA,IAAAL,KAAA,QAAAC,WAAA,EAEVC,EAAAA,EAAAA,IAAS,CAAEI,KAAMC,WAAUH,IAAA,WAAAC,MAAA,kBAAmB,CAAK,IAAAL,KAAA,QAAAC,WAAA,EAEnDC,EAAAA,EAAAA,IAAS,CAAEI,KAAMC,WAAUH,IAAA,WAAAC,MAAA,kBAAmB,CAAI,IAAAL,KAAA,SAAAI,IAAA,SAAAC,MAEnD,WAAmB,IAAAG,EACjB,OAAOC,EAAAA,EAAAA,IAAIC,IAAAA,GAAAC,EAAAA,EAAAA,GAAA,wIAEEC,KAAKC,MACJD,KAAKE,OACPF,KAAKP,MACDO,KAAKG,SACLH,KAAKI,SACkB,QADVR,EACZI,KAAKK,SAASC,gBAAQ,IAAAV,OAAA,EAAtBA,EAAwBW,WAG3C,IAAC,GA1BiCC,EAAAA,I","sources":["https://raw.githubusercontent.com/home-assistant/frontend/20230703.0/src/common/dom/stop_propagation.ts","https://raw.githubusercontent.com/home-assistant/frontend/20230703.0/src/components/ha-selector/ha-selector-duration.ts"],"names":["stopPropagation","ev","HaTimeDuration","_decorate","customElement","_initialize","_LitElement","_LitElement2","_inherits","_super","_createSuper","_this","_classCallCheck","_len","arguments","length","args","Array","_key","call","apply","concat","_assertThisInitialized","_createClass","F","d","kind","decorators","property","attribute","key","value","type","Boolean","_this$selector$durati","html","_templateObject","_taggedTemplateLiteral","this","label","helper","disabled","required","selector","duration","enable_day","LitElement"],"sourceRoot":""}
--- a/supervisor/api/panel/frontend_es5/1057.d306824fd6aa0497.js
+++ b/supervisor/api/panel/frontend_es5/1057.d306824fd6aa0497.js
--- a/supervisor/api/panel/frontend_es5/1057.d306824fd6aa0497.js.br
+++ b/supervisor/api/panel/frontend_es5/1057.d306824fd6aa0497.js.br
--- a/supervisor/api/panel/frontend_es5/1057.d306824fd6aa0497.js.gz
+++ b/supervisor/api/panel/frontend_es5/1057.d306824fd6aa0497.js.gz
--- a/supervisor/api/panel/frontend_es5/1057.d306824fd6aa0497.js.map
+++ b/supervisor/api/panel/frontend_es5/1057.d306824fd6aa0497.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"1057.d306824fd6aa0497.js","sources":["https://raw.githubusercontent.com/home-assistant/frontend/20250925.1/src/data/auth.ts","https://raw.githubusercontent.com/home-assistant/frontend/20250925.1/src/data/entity.ts","https://raw.githubusercontent.com/home-assistant/frontend/20250925.1/src/data/media-player.ts","https://raw.githubusercontent.com/home-assistant/frontend/20250925.1/src/data/tts.ts","https://raw.githubusercontent.com/home-assistant/frontend/20250925.1/src/util/brands-url.ts"],"names":["autocompleteLoginFields","schema","map","field","type","name","Object","assign","autocomplete","autofocus","getSignedPath","hass","path","callWS","UNAVAILABLE","UNKNOWN","ON","OFF","UNAVAILABLE_STATES","OFF_STATES","isUnavailableState","arrayLiteralIncludes","MediaPlayerEntityFeature","BROWSER_PLAYER","MediaClassBrowserSettings","album","icon","layout","app","show_list_images","artist","mdiAccountMusic","channel","mdiTelevisionClassic","thumbnail_ratio","composer","contributing_artist","directory","episode","game","genre","image","movie","music","playlist","podcast","season","track","tv_show","url","video","browseMediaPlayer","entityId","mediaContentId","mediaContentType","entity_id","media_content_id","media_content_type","convertTextToSpeech","data","callApi","TTS_MEDIA_SOURCE_PREFIX","isTTSMediaSource","startsWith","getProviderFromTTSMediaSource","substring","listTTSEngines","language","country","getTTSEngine","engine_id","listTTSVoices","brandsUrl","options","brand","useFallback","domain","darkOptimized","extractDomainFromBrandUrl","split","isBrandUrl","thumbnail"],"mappings":"2QAyBO,MAEMA,EAA2BC,GACtCA,EAAOC,IAAKC,IACV,GAAmB,WAAfA,EAAMC,KAAmB,OAAOD,EACpC,OAAQA,EAAME,MACZ,IAAK,WACH,OAAAC,OAAAC,OAAAD,OAAAC,OAAA,GAAYJ,GAAK,IAAEK,aAAc,WAAYC,WAAW,IAC1D,IAAK,WACH,OAAAH,OAAAC,OAAAD,OAAAC,OAAA,GAAYJ,GAAK,IAAEK,aAAc,qBACnC,IAAK,OACH,OAAAF,OAAAC,OAAAD,OAAAC,OAAA,GAAYJ,GAAK,IAAEK,aAAc,gBAAiBC,WAAW,IAC/D,QACE,OAAON,KAIFO,EAAgBA,CAC3BC,EACAC,IACwBD,EAAKE,OAAO,CAAET,KAAM,iBAAkBQ,Q,gMC3CzD,MAAME,EAAc,cACdC,EAAU,UACVC,EAAK,KACLC,EAAM,MAENC,EAAqB,CAACJ,EAAaC,GACnCI,EAAa,CAACL,EAAaC,EAASE,GAEpCG,GAAqBC,EAAAA,EAAAA,GAAqBH,IAC7BG,EAAAA,EAAAA,GAAqBF,E,+gCCuExC,IAAWG,EAAA,SAAAA,G,qnBAAAA,C,CAAA,C,IAyBX,MAAMC,EAAiB,UAWjBC,EAGT,CACFC,MAAO,CAAEC,K,mQAAgBC,OAAQ,QACjCC,IAAK,CAAEF,K,6GAAsBC,OAAQ,OAAQE,kBAAkB,GAC/DC,OAAQ,CAAEJ,KAAMK,EAAiBJ,OAAQ,OAAQE,kBAAkB,GACnEG,QAAS,CACPN,KAAMO,EACNC,gBAAiB,WACjBP,OAAQ,OACRE,kBAAkB,GAEpBM,SAAU,CACRT,K,4cACAC,OAAQ,OACRE,kBAAkB,GAEpBO,oBAAqB,CACnBV,KAAMK,EACNJ,OAAQ,OACRE,kBAAkB,GAEpBQ,UAAW,CAAEX,K,gGAAiBC,OAAQ,OAAQE,kBAAkB,GAChES,QAAS,CACPZ,KAAMO,EACNN,OAAQ,OACRO,gBAAiB,WACjBL,kBAAkB,GAEpBU,KAAM,CACJb,K,qWACAC,OAAQ,OACRO,gBAAiB,YAEnBM,MAAO,CAAEd,K,4hCAAqBC,OAAQ,OAAQE,kBAAkB,GAChEY,MAAO,CAAEf,K,sHAAgBC,OAAQ,OAAQE,kBAAkB,GAC3Da,MAAO,CACLhB,K,6GACAQ,gBAAiB,WACjBP,OAAQ,OACRE,kBAAkB,GAEpBc,MAAO,CAAEjB,K,+NAAgBG,kBAAkB,GAC3Ce,SAAU,CAAElB,K,mJAAwBC,OAAQ,OAAQE,kBAAkB,GACtEgB,QAAS,CAAEnB,K,qpBAAkBC,OAAQ,QACrCmB,OAAQ,CACNpB,KAAMO,EACNN,OAAQ,OACRO,gBAAiB,WACjBL,kBAAkB,GAEpBkB,MAAO,CAAErB,K,mLACTsB,QAAS,CACPtB,KAAMO,EACNN,OAAQ,OACRO,gBAAiB,YAEnBe,IAAK,CAAEvB,K,w5BACPwB,MAAO,CAAExB,K,2GAAgBC,OAAQ,OAAQE,kBAAkB,IAkChDsB,EAAoBA,CAC/BxC,EACAyC,EACAC,EACAC,IAEA3C,EAAKE,OAAwB,CAC3BT,KAAM,4BACNmD,UAAWH,EACXI,iBAAkBH,EAClBI,mBAAoBH,G,yLC/MjB,MAAMI,EAAsBA,CACjC/C,EACAgD,IAOGhD,EAAKiD,QAAuC,OAAQ,cAAeD,GAElEE,EAA0B,sBAEnBC,EAAoBT,GAC/BA,EAAeU,WAAWF,GAEfG,EAAiCX,GAC5CA,EAAeY,UAAUJ,IAEdK,EAAiBA,CAC5BvD,EACAwD,EACAC,IAEAzD,EAAKE,OAAO,CACVT,KAAM,kBACN+D,WACAC,YAGSC,EAAeA,CAC1B1D,EACA2D,IAEA3D,EAAKE,OAAO,CACVT,KAAM,iBACNkE,cAGSC,EAAgBA,CAC3B5D,EACA2D,EACAH,IAEAxD,EAAKE,OAAO,CACVT,KAAM,oBACNkE,YACAH,Y,kHC9CG,MAAMK,EAAaC,GACxB,oCAAoCA,EAAQC,MAAQ,UAAY,KAC9DD,EAAQE,YAAc,KAAO,KAC5BF,EAAQG,UAAUH,EAAQI,cAAgB,QAAU,KACrDJ,EAAQrE,WAQC0E,EAA6B7B,GAAgBA,EAAI8B,MAAM,KAAK,GAE5DC,EAAcC,GACzBA,EAAUlB,WAAW,oC"}
--- a/supervisor/api/panel/frontend_es5/1074-djfpWNdWsA8.js
+++ b/supervisor/api/panel/frontend_es5/1074-djfpWNdWsA8.js
--- a/supervisor/api/panel/frontend_es5/1074-djfpWNdWsA8.js.gz
+++ b/supervisor/api/panel/frontend_es5/1074-djfpWNdWsA8.js.gz
--- a/supervisor/api/panel/frontend_es5/1074-djfpWNdWsA8.js.map
+++ b/supervisor/api/panel/frontend_es5/1074-djfpWNdWsA8.js.map
--- a/supervisor/api/panel/frontend_es5/1076.205340b2a7c5d559.js
+++ b/supervisor/api/panel/frontend_es5/1076.205340b2a7c5d559.js
--- a/supervisor/api/panel/frontend_es5/1076.205340b2a7c5d559.js.LICENSE.txt
+++ b/supervisor/api/panel/frontend_es5/1076.205340b2a7c5d559.js.LICENSE.txt
@@ -0,0 +1,23 @@
+/**
+ * @license
+ * Copyright 2018 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/**
+ * @license
+ * Copyright 2018 Google LLC
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+/**
+ * @license
+ * Copyright 2020 Google LLC
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/**
+ * @license
+ * Copyright 2021 Google LLC
+ * SPDX-LIcense-Identifier: Apache-2.0
+ */
--- a/supervisor/api/panel/frontend_es5/1076.205340b2a7c5d559.js.br
+++ b/supervisor/api/panel/frontend_es5/1076.205340b2a7c5d559.js.br
--- a/supervisor/api/panel/frontend_es5/1076.205340b2a7c5d559.js.gz
+++ b/supervisor/api/panel/frontend_es5/1076.205340b2a7c5d559.js.gz
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				{"version":3,"file":"1047-g7fFLS9eP4I.js","mappings":"yKAAO,IAAMA,EAAkB,SAACC,GAAE,OAAKA,EAAGD,iBAAiB,C,qLCQ9CE,G,UAAcC,EAAAA,EAAAA,GAAA,EAD1BC,EAAAA,EAAAA,IAAc,0BAAuB,SAAAC,EAAAC,GAAA,IACzBJ,EAAc,SAAAK,IAAAC,EAAAA,EAAAA,GAAAN,EAAAK,GAAA,IAAAE,GAAAC,EAAAA,EAAAA,GAAAR,GAAA,SAAAA,IAAA,IAAAS,GAAAC,EAAAA,EAAAA,GAAA,KAAAV,GAAA,QAAAW,EAAAC,UAAAC,OAAAC,EAAA,IAAAC,MAAAJ,GAAAK,EAAA,EAAAA,EAAAL,EAAAK,IAAAF,EAAAE,GAAAJ,UAAAI,GAAA,OAAAP,EAAAF,EAAAU,KAAAC,MAAAX,EAAA,OAAAY,OAAAL,IAAAX,GAAAiB,EAAAA,EAAAA,GAAAX,IAAAA,CAAA,QAAAY,EAAAA,EAAAA,GAAArB,EAAA,EAAAI,GAAA,OAAAkB,EAAdtB,EAAcuB,EAAA,EAAAC,KAAA,QAAAC,WAAA,EACxBC,EAAAA,EAAAA,IAAS,CAAEC,WAAW,KAAQC,IAAA,OAAAC,WAAA,IAAAL,KAAA,QAAAC,WAAA,EAE9BC,EAAAA,EAAAA,IAAS,CAAEC,WAAW,KAAQC,IAAA,WAAAC,WAAA,IAAAL,KAAA,QAAAC,WAAA,EAE9BC,EAAAA,EAAAA,IAAS,CAAEC,WAAW,KAAQC,IAAA,QAAAC,WAAA,IAAAL,KAAA,QAAAC,WAAA,EAE9BC,EAAAA,EAAAA,OAAUE,IAAA,QAAAC,WAAA,IAAAL,KAAA,QAAAC,WAAA,EAEVC,EAAAA,EAAAA,OAAUE,IAAA,SAAAC,WAAA,IAAAL,KAAA,QAAAC,WAAA,EAEVC,EAAAA,EAAAA,IAAS,CAAEI,KAAMC,WAAUH,IAAA,WAAAC,MAAA,kBAAmB,CAAK,IAAAL,KAAA,QAAAC,WAAA,EAEnDC,EAAAA,EAAAA,IAAS,CAAEI,KAAMC,WAAUH,IAAA,WAAAC,MAAA,kBAAmB,CAAI,IAAAL,KAAA,SAAAI,IAAA,SAAAC,MAEnD,WAAmB,IAAAG,EACjB,OAAOC,EAAAA,EAAAA,IAAIC,IAAAA,GAAAC,EAAAA,EAAAA,GAAA,wIAEEC,KAAKC,MACJD,KAAKE,OACPF,KAAKP,MACDO,KAAKG,SACLH,KAAKI,SACkB,QADVR,EACZI,KAAKK,SAASC,gBAAQ,IAAAV,OAAA,EAAtBA,EAAwBW,WAG3C,IAAC,GA1BiCC,EAAAA,I","sources":["https://raw.githubusercontent.com/home-assistant/frontend/20230703.0/src/common/dom/stop_propagation.ts","https://raw.githubusercontent.com/home-assistant/frontend/20230703.0/src/components/ha-selector/ha-selector-duration.ts"],"names":["stopPropagation","ev","HaTimeDuration","_decorate","customElement","_initialize","_LitElement","_LitElement2","_inherits","_super","_createSuper","_this","_classCallCheck","_len","arguments","length","args","Array","_key","call","apply","concat","_assertThisInitialized","_createClass","F","d","kind","decorators","property","attribute","key","value","type","Boolean","_this$selector$durati","html","_templateObject","_taggedTemplateLiteral","this","label","helper","disabled","required","selector","duration","enable_day","LitElement"],"sourceRoot":""}
				`@@ -0,0 +1 @@`
				{"version":3,"file":"1057.d306824fd6aa0497.js","sources":["https://raw.githubusercontent.com/home-assistant/frontend/20250925.1/src/data/auth.ts","https://raw.githubusercontent.com/home-assistant/frontend/20250925.1/src/data/entity.ts","https://raw.githubusercontent.com/home-assistant/frontend/20250925.1/src/data/media-player.ts","https://raw.githubusercontent.com/home-assistant/frontend/20250925.1/src/data/tts.ts","https://raw.githubusercontent.com/home-assistant/frontend/20250925.1/src/util/brands-url.ts"],"names":["autocompleteLoginFields","schema","map","field","type","name","Object","assign","autocomplete","autofocus","getSignedPath","hass","path","callWS","UNAVAILABLE","UNKNOWN","ON","OFF","UNAVAILABLE_STATES","OFF_STATES","isUnavailableState","arrayLiteralIncludes","MediaPlayerEntityFeature","BROWSER_PLAYER","MediaClassBrowserSettings","album","icon","layout","app","show_list_images","artist","mdiAccountMusic","channel","mdiTelevisionClassic","thumbnail_ratio","composer","contributing_artist","directory","episode","game","genre","image","movie","music","playlist","podcast","season","track","tv_show","url","video","browseMediaPlayer","entityId","mediaContentId","mediaContentType","entity_id","media_content_id","media_content_type","convertTextToSpeech","data","callApi","TTS_MEDIA_SOURCE_PREFIX","isTTSMediaSource","startsWith","getProviderFromTTSMediaSource","substring","listTTSEngines","language","country","getTTSEngine","engine_id","listTTSVoices","brandsUrl","options","brand","useFallback","domain","darkOptimized","extractDomainFromBrandUrl","split","isBrandUrl","thumbnail"],"mappings":"2QAyBO,MAEMA,EAA2BC,GACtCA,EAAOC,IAAKC,IACV,GAAmB,WAAfA,EAAMC,KAAmB,OAAOD,EACpC,OAAQA,EAAME,MACZ,IAAK,WACH,OAAAC,OAAAC,OAAAD,OAAAC,OAAA,GAAYJ,GAAK,IAAEK,aAAc,WAAYC,WAAW,IAC1D,IAAK,WACH,OAAAH,OAAAC,OAAAD,OAAAC,OAAA,GAAYJ,GAAK,IAAEK,aAAc,qBACnC,IAAK,OACH,OAAAF,OAAAC,OAAAD,OAAAC,OAAA,GAAYJ,GAAK,IAAEK,aAAc,gBAAiBC,WAAW,IAC/D,QACE,OAAON,KAIFO,EAAgBA,CAC3BC,EACAC,IACwBD,EAAKE,OAAO,CAAET,KAAM,iBAAkBQ,Q,gMC3CzD,MAAME,EAAc,cACdC,EAAU,UACVC,EAAK,KACLC,EAAM,MAENC,EAAqB,CAACJ,EAAaC,GACnCI,EAAa,CAACL,EAAaC,EAASE,GAEpCG,GAAqBC,EAAAA,EAAAA,GAAqBH,IAC7BG,EAAAA,EAAAA,GAAqBF,E,+gCCuExC,IAAWG,EAAA,SAAAA,G,qnBAAAA,C,CAAA,C,IAyBX,MAAMC,EAAiB,UAWjBC,EAGT,CACFC,MAAO,CAAEC,K,mQAAgBC,OAAQ,QACjCC,IAAK,CAAEF,K,6GAAsBC,OAAQ,OAAQE,kBAAkB,GAC/DC,OAAQ,CAAEJ,KAAMK,EAAiBJ,OAAQ,OAAQE,kBAAkB,GACnEG,QAAS,CACPN,KAAMO,EACNC,gBAAiB,WACjBP,OAAQ,OACRE,kBAAkB,GAEpBM,SAAU,CACRT,K,4cACAC,OAAQ,OACRE,kBAAkB,GAEpBO,oBAAqB,CACnBV,KAAMK,EACNJ,OAAQ,OACRE,kBAAkB,GAEpBQ,UAAW,CAAEX,K,gGAAiBC,OAAQ,OAAQE,kBAAkB,GAChES,QAAS,CACPZ,KAAMO,EACNN,OAAQ,OACRO,gBAAiB,WACjBL,kBAAkB,GAEpBU,KAAM,CACJb,K,qWACAC,OAAQ,OACRO,gBAAiB,YAEnBM,MAAO,CAAEd,K,4hCAAqBC,OAAQ,OAAQE,kBAAkB,GAChEY,MAAO,CAAEf,K,sHAAgBC,OAAQ,OAAQE,kBAAkB,GAC3Da,MAAO,CACLhB,K,6GACAQ,gBAAiB,WACjBP,OAAQ,OACRE,kBAAkB,GAEpBc,MAAO,CAAEjB,K,+NAAgBG,kBAAkB,GAC3Ce,SAAU,CAAElB,K,mJAAwBC,OAAQ,OAAQE,kBAAkB,GACtEgB,QAAS,CAAEnB,K,qpBAAkBC,OAAQ,QACrCmB,OAAQ,CACNpB,KAAMO,EACNN,OAAQ,OACRO,gBAAiB,WACjBL,kBAAkB,GAEpBkB,MAAO,CAAErB,K,mLACTsB,QAAS,CACPtB,KAAMO,EACNN,OAAQ,OACRO,gBAAiB,YAEnBe,IAAK,CAAEvB,K,w5BACPwB,MAAO,CAAExB,K,2GAAgBC,OAAQ,OAAQE,kBAAkB,IAkChDsB,EAAoBA,CAC/BxC,EACAyC,EACAC,EACAC,IAEA3C,EAAKE,OAAwB,CAC3BT,KAAM,4BACNmD,UAAWH,EACXI,iBAAkBH,EAClBI,mBAAoBH,G,yLC/MjB,MAAMI,EAAsBA,CACjC/C,EACAgD,IAOGhD,EAAKiD,QAAuC,OAAQ,cAAeD,GAElEE,EAA0B,sBAEnBC,EAAoBT,GAC/BA,EAAeU,WAAWF,GAEfG,EAAiCX,GAC5CA,EAAeY,UAAUJ,IAEdK,EAAiBA,CAC5BvD,EACAwD,EACAC,IAEAzD,EAAKE,OAAO,CACVT,KAAM,kBACN+D,WACAC,YAGSC,EAAeA,CAC1B1D,EACA2D,IAEA3D,EAAKE,OAAO,CACVT,KAAM,iBACNkE,cAGSC,EAAgBA,CAC3B5D,EACA2D,EACAH,IAEAxD,EAAKE,OAAO,CACVT,KAAM,oBACNkE,YACAH,Y,kHC9CG,MAAMK,EAAaC,GACxB,oCAAoCA,EAAQC,MAAQ,UAAY,KAC9DD,EAAQE,YAAc,KAAO,KAC5BF,EAAQG,UAAUH,EAAQI,cAAgB,QAAU,KACrDJ,EAAQrE,WAQC0E,EAA6B7B,GAAgBA,EAAI8B,MAAM,KAAK,GAE5DC,EAAcC,GACzBA,EAAUlB,WAAW,oC"}