Merge remote-tracking branch 'origin/main' into issues/reload

Author: Haarolean

.github/CODEOWNERS

@@ -2,6 +2,7 @@
 
 
 # BACKEND
+gradle/libs.versions.toml   @kafbat/backend
 /build.gradle               @kafbat/backend
 /gradle.properties          @kafbat/backend
 /settings.gradle            @kafbat/backend

.github/dependabot.yml

@@ -7,14 +7,23 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/backend"
   open-pull-requests-limit: 10
   labels:
     - "type/dependencies"
     - "scope/backend"
   groups:
-    gradle-dependencies:
+    spring-boot-dependencies:
+      patterns:
+        - "org.springframework.boot:*"
+        - "io.spring.dependency-management"
+      # We will handle major upgrades manually
+      update-types:
+        - "patch"
+        - "minor"
+    other-dependencies:
+      exclude-patterns:
+        - "org.springframework.boot:*"
+        - "io.spring.dependency-management"
       patterns:
         - "*"
       update-types:
@@ -27,8 +36,6 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/backend"
   open-pull-requests-limit: 10
   ignore:
   - dependency-name: "azul/zulu-openjdk-alpine"
@@ -43,8 +50,6 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/frontend"
   open-pull-requests-limit: 10
   versioning-strategy: increase-if-necessary
   labels:
@@ -64,8 +69,6 @@ updates:
     interval: weekly
     time: "10:00"
     timezone: Europe/London
-  reviewers:
-    - "kafbat/devops"
   open-pull-requests-limit: 10
   labels:
     - "type/dependencies"

.github/workflows/cve_checks.yml

@@ -68,7 +68,7 @@ jobs:
           cache-to: type=local,dest=/tmp/.buildx-cache
 
       - name: Run CVE checks
-        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # infered from @v0.29.0
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # infered from @v0.32.0
         with:
           image-ref: "ghcr.io/kafbat/kafka-ui:latest"
           format: "table"

.gitignore

@@ -51,3 +51,4 @@ node_modules/
 .gradle
 @rerun.txt
 test-results
+frontend/test-report.xml

README.md

@@ -43,17 +43,23 @@ We extend our gratitude to Provectus for their past support in groundbreaking wo
 ![Interface](https://raw.githubusercontent.com/kafbat/kafka-ui/images/overview.gif)
 
 # Features
-* **Multi-Cluster Management** — monitor and manage all your clusters in one place
-* **Performance Monitoring with Metrics Dashboard** —  track key Kafka metrics with a lightweight dashboard
-* **View Kafka Brokers** — view topic and partition assignments, controller status
-* **View Kafka Topics** — view partition count, replication status, and custom configuration
-* **View Consumer Groups** — view per-partition parked offsets, combined and per-partition lag
-* **Browse Messages** — browse messages with JSON, plain text, and Avro encoding
-* **Dynamic Topic Configuration** — create and configure new topics with dynamic configuration
-* **Configurable Authentication** — [secure](https://ui.docs.kafbat.io/configuration/authentication) your installation with optional Github/Gitlab/Google OAuth 2.0
-* **Custom serialization/deserialization plugins** - [use](https://ui.docs.kafbat.io/configuration/serialization-serde) a ready-to-go serde for your data like AWS Glue or Smile, or code your own!
-* **Role based access control** - [manage permissions](https://ui.docs.kafbat.io/configuration/rbac-role-based-access-control) to access the UI with granular precision
-* **Data masking** - [obfuscate](https://ui.docs.kafbat.io/configuration/data-masking) sensitive data in topic messages
+
+* **Topic Insights** – View essential topic details including partition count, replication status, and custom configurations.
+* **Configuration Wizard** – Set up and configure your Kafka clusters directly through the UI.
+* **Multi-Cluster Management** – Monitor and manage all your Kafka clusters in one unified interface.
+* **Metrics Dashboard** – Track key Kafka metrics in real time with a streamlined, lightweight dashboard.
+* **Kafka Brokers Overview** – Inspect brokers, including partition assignments and controller status.
+* **Consumer Group Details** – Analyze parked offsets per partition, and monitor both combined and partition-specific lag.
+* **Message Browser** – Explore messages in JSON, plain text, or Avro encoding formats. Live view is supported, enriched with user-defined CEL message filters.
+* **Dynamic Topic Management** – Create and configure new topics with flexible, real-time settings.
+* **Pluggable Authentication** – Secure your UI using OAuth 2.0 (GitHub, GitLab, Google), LDAP, or basic authentication.
+* **Cloud IAM Support** – Integrate with **GCP IAM**, **Azure IAM**, and **AWS IAM** for cloud-native identity and access management.
+* **Managed Kafka Service Support** – Full support for **Azure EventHub**, **Google Cloud Managed Service for Apache Kafka**, and **AWS Managed Streaming for Apache Kafka (MSK)**—both server-based and serverless.
+* **Custom SerDe Plugin Support** – Use built-in serializers/deserializers like AWS Glue and Smile, or create your own custom plugins.
+* **Role-Based Access Control** – [Manage granular UI permissions](https://ui.docs.kafbat.io/configuration/rbac-role-based-access-control) with RBAC.
+* **Data Masking** – [Obfuscate sensitive data](https://ui.docs.kafbat.io/configuration/data-masking) in topic messages to enhance privacy and compliance.
+* **MCP Server** - [Model Context Protocol](https://ui.docs.kafbat.io/faq/mcp) Server
+
 
 ## Feature overview
 

api/Dockerfile

@@ -1,7 +1,7 @@
 # The tag is ignored when a sha is included but the reason to add it are:
 # 1. Self Documentation: It is difficult to find out what the expected tag is given a sha alone
 # 2. Helps dependabot during discovery of upgrades
-FROM azul/zulu-openjdk-alpine:21.0.6-jre-headless@sha256:75c5cc1ca1429513b56e9cbe3121bce86476cdec18b5b74b6842ab0af4b5a57f
+FROM azul/zulu-openjdk-alpine:21.0.8-jre-headless@sha256:9c7b4b7850bd4cdd78f91b369accc5b55beffa9a073b9a2bb94caa42606b9444
 
 RUN apk add --no-cache \
     # snappy codec

api/build.gradle

@@ -14,12 +14,18 @@ dependencies {
     implementation project(":contract")
     implementation project(":serde-api")
     implementation libs.spring.starter.webflux
-    implementation libs.spring.starter.security
+    implementation(libs.spring.starter.security){
+        exclude group: 'com.nimbusds', module: 'nimbus-jose-jwt' because("Temporary overwrite to fix CVE-2025-53864. See https://avd.aquasec.com/nvd/2025/cve-2025-53864/")
+    }
+    implementation(libs.nimbus.jose.jwt){
+        because("Fixes CVE-2025-5386. See https://avd.aquasec.com/nvd/2025/cve-2025-53864/")
+    }
     implementation libs.spring.starter.actuator
     implementation libs.spring.starter.logging
     implementation libs.spring.starter.oauth2.client
     implementation libs.spring.security.oauth2.resource.server
     implementation libs.spring.boot.actuator
+
     compileOnly libs.spring.boot.devtools
 
     implementation libs.spring.security.ldap
@@ -28,6 +34,7 @@ dependencies {
 
     implementation libs.apache.avro
     implementation libs.apache.commons
+    implementation libs.apache.commons.text
     implementation libs.apache.commons.pool2
     implementation libs.apache.datasketches
 
@@ -43,6 +50,7 @@ dependencies {
 
     implementation libs.jackson.databind.nullable
     implementation libs.cel
+    implementation libs.caffeine
     antlr libs.antlr
     implementation libs.antlr.runtime
 
@@ -53,15 +61,14 @@ dependencies {
         exclude group: 'io.projectreactor.ipc', module: 'reactor-netty'
     }
 
-    runtimeOnly libs.micrometer.registry.prometheus
+    runtimeOnly(libs.micrometer.registry.prometheus) {
+        exclude group: 'com.google.protobuf', module: 'protobuf-java' because("Micrometer uses protobuf-java 4.x, which is incompatible with protobuf-java 3.x used by various dependencies of this project. See https://github.com/prometheus/client_java/issues/1431")
+    }
 
     // CVE Fixes
     implementation libs.apache.commons.compress
     implementation libs.okhttp3.logging.intercepter
-    implementation libs.json.smart
-    implementation libs.netty.common
-    implementation libs.netty.handler
-    implementation libs.spring.context
+    // CVE Fixes End
 
     implementation libs.modelcontextprotocol.spring.webflux
     implementation libs.victools.jsonschema.generator
@@ -74,6 +81,13 @@ dependencies {
         because("CVE Fix: It is excluded above because of a vulnerability")
     }
 
+    implementation libs.prometheus.metrics.core
+    implementation libs.prometheus.metrics.textformats
+    implementation (libs.prometheus.metrics.exporter.pushgateway) {
+        exclude group: 'com.google.protobuf', module: 'protobuf-java' because("PushGW lib pulls protobuf-java 4.x, which is incompatible with protobuf-java 3.x used by various dependencies of this project.")
+    }
+    implementation libs.snappy
+
     // Annotation processors
     implementation libs.lombok
     implementation libs.mapstruct
@@ -100,11 +114,11 @@ dependencies {
 
     testImplementation libs.okhttp3
     testImplementation libs.okhttp3.mockwebserver
+    testImplementation libs.prometheus.metrics.core
 }
 
 generateGrammarSource {
     maxHeapSize = "64m"
-    arguments += ["-package", "ksql"]
 }
 
 tasks.withType(JavaCompile) {
@@ -126,6 +140,7 @@ sourceSets {
 
 tasks.withType(Checkstyle).configureEach {
     exclude '**/ksql/**'
+    exclude '**/promql/**'
 }
 
 checkstyle {

api/src/main/antlr/ksql/KsqlGrammar.g4

@@ -1,5 +1,8 @@
 grammar KsqlGrammar;
 
+@header {package ksql;}
+
+
 tokens {
     DELIMITER
 }