In `@charts/janssen-all-in-one/README.md`:
- Line 64: Update the README entry for the configuration key
auth-server.appLoggers.auditStatsLogTarget so its description correctly reflects
that it configures the audit stats log target (use "jans-auth_audit.log target")
instead of the incorrect "jans-auth_script.log target"; locate the table row
containing auth-server.appLoggers.auditStatsLogTarget and replace the
description text to "jans-auth_audit.log target" to match the key name and the
neighboring Line 63 entry.
- Line 192: Update the kc-scheduler README entry to explicitly state that
kc-scheduler is only deployed/usable when saml.enabled is true and reference the
template condition used to enforce this ({{ if and (index .Values "kc-scheduler"
"enabled") (.Values.saml.enabled) }}); add a short note explaining what the SAML
service provides (Keycloak SAML clients and dependencies) and how it interacts
with config-api.plugins (e.g., that config-api.plugins may include saml-related
entries but kc-scheduler specifically requires saml.enabled: true), so users
understand the dependency and default behavior.

In `@charts/janssen-all-in-one/templates/gateway-api.yaml`:
- Around line 446-515: The ROUTE 4 GRPCRoute/HTTPRoute block (metadata name {{
$fullName }}-grpc-routes) can emit an empty spec.rules when the lock audit
condition is false; wrap the entire ROUTE 4 section (from the apiVersion line
through the end of this route) inside the same conditional used for lock audit
e.g. the if and (index .Values "auth-server" "lockEnabled") (index .Values
"auth-server" "ingress" "lockAuditEnabled") check so spec.rules is only rendered
when those conditions are true, and close the conditional after the existing
route content to prevent producing an empty rules: entry.

In `@charts/janssen/templates/gateway-api.yaml`:
- Around line 429-498: The GRPC route resource (metadata name {{ $fullName
}}-grpc-routes) can emit an empty spec.rules when lock audit is disabled; wrap
the entire ROUTE 4 resource block (from apiVersion/kind/metadata/spec through
the end of that section) in the same conditional that currently gates the inner
rules (the check using .Values.global "auth-server" "lockEnabled" and
.Values.global "auth-server" "ingress" "lockAuditEnabled") so the resource is
not rendered at all when those flags are false, ensuring no empty rules: field
is produced for HTTPRoute/GRPCRoute.

In `@docker-jans-all-in-one/app/templates/nginx/jans-auth-location.conf`:
- Around line 201-211: The location block for gRPC (location
/io.jans.lock.audit.AuditService/) incorrectly includes the proxy_http_version
1.1 directive which is only valid for the proxy_pass module; remove the
proxy_http_version line from this gRPC location so nginx uses its grpc_pass
handling (grpc_pass grpc://jans_auth_grpc_backend) and HTTP/2 is negotiated by
the gRPC module natively.

In `@docker-jans-all-in-one/Dockerfile`:
- Around line 286-289: Remove the leftover malformed continuation comments by
deleting the two lines containing "# \" and "# /opt/idp" (they follow the
"/usr/share/java" line) so there is no confusing broken-line continuation in the
Dockerfile; if a line continuation was intended for a chown or COPY target,
instead add a proper trailing backslash to the actual preceding line (e.g.,
after "/usr/share/java") and ensure the continuation line contains the real path
rather than commented text.
- Around line 325-328: Remove the orphaned commented lines ("# \\" and "#
/opt/idp") that follow the "/usr/share/java" entry in the Dockerfile and mirror
the same cleanup applied to the chown block so the chmod command block is clean
and has no stray commented lines; locate the chmod/chown sequence around the
"/usr/share/java" token and delete those leftover comment lines so the chmod
command is contiguous and readable.

In `@docker-jans-auth-server/Dockerfile`:
- Around line 95-100: The RUN block that downloads and unpacks jans-lock-server
deps contains an orphaned commented line ("&& rm -f
${JETTY_BASE}/jans-auth/custom/libs/grpc-bridge-runtime-*.jar") which breaks
readability and could accidentally be misjoined; either remove that dead comment
or incorporate it correctly into the RUN chain. Edit the Dockerfile RUN that
uses CN_VERSION and JETTY_BASE so it ends consistently: either delete the
commented rm line entirely, or restore it as a real chained command (add the
leading && before rm and ensure the previous line ends with a backslash) so the
cleanup of ${JETTY_BASE}/jans-auth/custom/libs/grpc-bridge-runtime-*.jar is
executed as intended.

In `@docker-jans-auth-server/scripts/upgrade.py`:
- Around line 83-102: The env var CN_LOCK_GRPC_PORT is being treated as a string
(grpc_port) causing wrong comparisons and string overwrites; update the upgrade
logic in upgrade.py so grpc_port is parsed to an int once (with
validation/fallback to default 8080 if non-numeric) and use that integer for
both creating conf["grpcConfiguration"]["grpcPort"] and for
comparisons/assignments in the update loop (i.e., compare
conf["grpcConfiguration"].get("grpcPort", 8080) to the parsed int and assign the
parsed int), ensuring no ValueError bubbles up on invalid env input.

In `@docker-jans-auth-server/templates/jans-auth/log4j2.xml`:
- Around line 78-85: The JANS_LOCK_FILE RollingFile appender currently only uses
SizeBasedTriggeringPolicy and a different PatternLayout; update the
JANS_LOCK_FILE RollingFile to add a TimeBasedTriggeringPolicy (daily) alongside
the existing SizeBasedTriggeringPolicy so logs rotate by date and size
consistent with other appenders, and align the PatternLayout to match the
standard layout (use the same timestamp format and include the MDC field
%X{X-Correlation-Id} for tracing); if the differences are intentional for
lock-specific behavior, add a brief comment above the RollingFile explaining the
rationale instead.

In `@charts/janssen-all-in-one/README.md`:
- Line 96: Update the README table entry for the auth-server flag
auth-server.ingress.lockAuditEnabled to use the imperative "Enable endpoint
/io.jans.lock.audit.AuditService" instead of "Enabled endpoint …" so it matches
the style of other entries (e.g., the /.well-known/lock-server-configuration
row); edit the table cell text accordingly in the README.md.

In `@charts/janssen-all-in-one/templates/gateway-api.yaml`:
- Around line 446-448: The YAML document separator '---' is placed before the
Helm conditional (the line with {{- if and (index .Values "auth-server"
"lockEnabled") (index .Values "auth-server" "ingress" "lockAuditEnabled") }})
causing an empty document when both lockEnabled and lockAuditEnabled are false;
move the '---' inside that if block (i.e., place the separator immediately after
the opening {{- if ... }} so it's only rendered when the condition is true) to
avoid emitting a trailing empty YAML document.
- Around line 453-459: The template currently emits GRPCRoute (or HTTPRoute)
based only on .Values.gatewayApi.gatewayClassName; add a values field (e.g.,
gatewayApi.apiVersion) and protect rendering of GRPCRoute by checking that the
configured/expected Gateway API version is v1 (or >= v1.1) before emitting kind:
GRPCRoute, otherwise either emit a safe alternative (HTTPRoute) or fail
rendering with a clear error message; update the template logic in
gateway-api.yaml (the conditional that chooses kind) to reference
gatewayApi.apiVersion and adjust README/values documentation to state the
minimum required Gateway API version (v1.1+/v1) so cluster compatibility is
explicit.
- Around line 488-489: The gRPC port 50051 is hardcoded in gateway-api.yaml (the
backendRefs and the port block using name {{ $svcName }}-grpc) and duplicated in
service.yml, causing possible mismatches; add a configurable value (e.g.,
values.yaml key service.grpcPort) and replace the literal 50051 in
gateway-api.yaml (the port entry and any backendRefs that reference the gRPC
port name) and in service.yml to use that value (templating the port with
.Values.service.grpcPort) so both templates reference the same centralized
setting.

In `@docker-jans-all-in-one/app/templates/nginx/jans-auth-location.conf`:
- Around line 201-210: Add gRPC-specific timeouts to the AuditService location
block to prevent long-lived streaming RPCs from being cut off: in the location
/io.jans.lock.audit.AuditService/ (the gRPC proxy block that sets
grpc_set_header and grpc_pass to jans_auth_grpc_backend) add grpc_read_timeout
(e.g. 1h or an appropriate long value) and grpc_send_timeout (matching read
timeout for long streams) and set grpc_connect_timeout to a short value (e.g.
30s) so connects fail fast; keep values configurable if needed.

In `@docker-jans-auth-server/Dockerfile`:
- Around line 95-99: The Dockerfile currently unconditionally unpacks the
jans-lock service-deps into ${JETTY_BASE}/jans-auth/custom/libs which exposes
lock dependencies even when CN_LOCK_ENABLED is false; change the Dockerfile to
only download/store the jans-lock-server-${CN_VERSION}-service-deps-pack.zip (or
place it into ${JETTY_BASE}/jans-auth/_libs) without unpacking it, and update
the bootstrap logic that implements copy_builtin_libs() in
docker-jans-auth-server/scripts/bootstrap.py to conditionally unpack or copy
that service-deps-pack into the runtime classpath only when CN_LOCK_ENABLED is
true (mirror how core lock JARs are handled), ensuring service-deps-pack is
referenced by its file name and paths (${CN_VERSION}, service-deps-pack,
${JETTY_BASE}/jans-auth/_libs, and copy_builtin_libs()) so the change is easy to
locate.

In `@docker-jans-auth-server/scripts/upgrade.py`:
- Around line 97-101: The current except block for converting grpc_port uses
int(jetty_port) directly and an f-string logger (Ruff G004); update it to first
log with lazy % formatting (use logger.warning with "%s" placeholders
referencing grpc_port and jetty_port), then attempt to convert jetty_port inside
its own try/except; if int(jetty_port) succeeds assign that to grpc_port,
otherwise log a second warning (again using % formatting) and set grpc_port to a
safe numeric fallback (e.g., 8080). Refer to the grpc_port and jetty_port
variables and the logger instance to find and modify the conversion and logging
logic in upgrade.py.
- Around line 111-115: The comparison loop uses a hardcoded 8080 for the
"grpcPort" old-default, which mismatches the create-path default derived from
jetty_port; update the tuple for ("grpcPort", 8080, grpc_port) to use the
computed default (grpc_port or jetty_port-derived value) instead of literal 8080
so the update path and create path share the same default; locate the tuple in
the for attr in [...] block and replace the 8080 literal with the grpc_port
variable (or the jetty_port-based default) to ensure consistent behavior.

In `@docker-jans-auth-server/Dockerfile`:
- Around line 70-73: Add explicit creation of the missing custom/_lock_libs
directory to the initial mkdir -p call so it cannot be missing at runtime;
update the mkdir invocation that currently lists ${JETTY_BASE}/jans-auth/_libs,
${JETTY_BASE}/jans-auth/_lock_libs and ${JETTY_BASE}/jans-auth/custom/libs to
also include ${JETTY_BASE}/jans-auth/custom/_lock_libs (referencing the
JETTY_BASE variable and the jans-auth/custom/_lock_libs path) to ensure the
folder exists even if the later unzip/download step produces no files.
- Around line 88-99: The copy_lock_libs() bootstrap.py logic only handles
_lock_libs JARs but ignores service dependencies staged at custom/_lock_libs by
the Dockerfile; update copy_lock_libs() to, when CN_LOCK_ENABLED=true, also copy
contents of ${JETTY_BASE}/jans-auth/custom/_lock_libs into the runtime classpath
destination (e.g., ${JETTY_BASE}/jans-auth/custom/libs/) or alternatively ensure
custom/_lock_libs is only added to the classpath conditionally — modify the
function to detect and copy files from custom/_lock_libs to custom/libs (or
conditionally include custom/_lock_libs in the classpath) and add a
unit/boot-time check so service deps are not loaded when CN_LOCK_ENABLED=false.

In `@docker-jans-auth-server/scripts/bootstrap.py`:
- Around line 86-90: Read the raw env var first and convert it to boolean in two
steps (avoid the walrus evaluating a default non-empty string): raw_lock =
os.environ.get("CN_LOCK_ENABLED") then lock_enabled = as_boolean(raw_lock) (or
lock_enabled = as_boolean(raw_lock) if raw_lock is not None else False); use
that lock_enabled in the if statement to guard copy_lock_libs() (function name:
copy_lock_libs) and change the logger call to use lazy %-style logging:
logger.info("The jans-lock plugin is enabled via CN_LOCK_ENABLED=%s",
lock_enabled) so the boolean value is meaningful and Ruff G004 is satisfied.

In `@docker-jans-auth-server/scripts/upgrade.py`:
- Line 41: The migration currently sets a default protectionMode of "oauth" but
only converts legacy "CEDARLING"→"cedarling" in the migration block, leaving
existing protectionMode="cedarling" unchanged; update the migration logic in
upgrade.py (the block handling CEDARLING → cedarling around the CEDARLING
symbol) to also transform "cedarling" → "oauth" (or replace the two-step
conversion by mapping "CEDARLING" directly to "oauth") so all existing installs
with either "CEDARLING" or "cedarling" end up as "oauth".

In `@charts/janssen/README.md`:
- Line 346: Update the README entry for the Helm value
global.auth-server.ingress.lockAuditEnabled to explicitly mention that
/io.jans.lock.audit.AuditService is a gRPC endpoint (e.g., "Enable gRPC endpoint
/io.jans.lock.audit.AuditService") so users know the ingress/bridge handles gRPC
traffic; locate the table row containing
global.auth-server.ingress.lockAuditEnabled and replace or augment the
description accordingly.