diff --git a/backend/app/api/handlers/v1/v1_ctrl_integration_proxy.go b/backend/app/api/handlers/v1/v1_ctrl_integration_proxy.go
new file mode 100644
index 000000000..323782a7b
--- /dev/null
+++ b/backend/app/api/handlers/v1/v1_ctrl_integration_proxy.go
@@ -0,0 +1,257 @@
+package v1
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"net/url"
+	"path"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/hay-kot/httpkit/errchain"
+	"github.com/rs/zerolog/log"
+	"github.com/sysadminsmedia/homebox/backend/internal/core/services"
+	"github.com/sysadminsmedia/homebox/backend/internal/sys/validate"
+	"go.opentelemetry.io/otel/attribute"
+)
+
+// validIntegrationName restricts integration names to safe lower-case identifiers,
+// preventing settings-key injection (e.g. "../../evil").
+var validIntegrationName = regexp.MustCompile(`^[a-z][a-z0-9_-]{0,31}$`)
+
+// blockedCIDRs lists address ranges the proxy must never reach.
+// Prevents SSRF attacks against cloud metadata services (e.g. AWS IMDS at
+// 169.254.169.254), loopback services, and internal infrastructure.
+// Public hostnames are unrestricted; only private/reserved IPs are rejected.
+var blockedCIDRs = func() []*net.IPNet {
+	blocks := []string{
+		"127.0.0.0/8",    // IPv4 loopback
+		"::1/128",        // IPv6 loopback
+		"169.254.0.0/16", // IPv4 link-local (AWS/GCP/Azure IMDS)
+		"fe80::/10",      // IPv6 link-local
+		"10.0.0.0/8",     // RFC1918
+		"172.16.0.0/12",  // RFC1918
+		"192.168.0.0/16", // RFC1918
+		"0.0.0.0/8",      // Unspecified
+		"::/128",         // IPv6 unspecified
+		"100.64.0.0/10",  // Shared address space (RFC6598)
+		"fc00::/7",       // IPv6 unique-local (ULA)
+	}
+	nets := make([]*net.IPNet, 0, len(blocks))
+	for _, cidr := range blocks {
+		_, ipNet, _ := net.ParseCIDR(cidr)
+		nets = append(nets, ipNet)
+	}
+	return nets
+}()
+
+// checkBlockedIP returns an error if ip falls within any of the blocked ranges
+// (loopback, link-local, RFC1918, cloud metadata, etc.).
+func checkBlockedIP(ip net.IP) error {
+	for _, block := range blockedCIDRs {
+		if block.Contains(ip) {
+			return fmt.Errorf("integration proxy: address %s is in a blocked range", ip)
+		}
+	}
+	return nil
+}
+
+// ssrfSafeDialContext is a DialContext for proxyHTTPClient that rejects
+// connections to private, loopback, link-local and other reserved ranges.
+// Both literal-IP hosts and DNS-resolved hostnames are validated before dialing.
+func ssrfSafeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
+	host, port, err := net.SplitHostPort(addr)
+	if err != nil {
+		return nil, fmt.Errorf("integration proxy: invalid address %q: %w", addr, err)
+	}
+	d := &net.Dialer{}
+	// Fast path: literal IP — validate directly, no DNS lookup or rebinding window.
+	if ip := net.ParseIP(host); ip != nil {
+		if err := checkBlockedIP(ip); err != nil {
+			return nil, err
+		}
+		return d.DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
+	}
+	// Hostname: resolve all addresses and validate each before dialing.
+	ips, lookupErr := net.DefaultResolver.LookupIPAddr(ctx, host)
+	if lookupErr != nil {
+		return nil, fmt.Errorf("integration proxy: DNS lookup failed: %w", lookupErr)
+	}
+	if len(ips) == 0 {
+		return nil, fmt.Errorf("integration proxy: no addresses resolved for %q", host)
+	}
+	var lastErr error
+	for _, ia := range ips {
+		if err := checkBlockedIP(ia.IP); err != nil {
+			lastErr = err
+			continue
+		}
+		conn, dialErr := d.DialContext(ctx, network, net.JoinHostPort(ia.IP.String(), port))
+		if dialErr == nil {
+			return conn, nil
+		}
+		lastErr = dialErr
+	}
+	return nil, lastErr
+}
+
+// proxyHTTPClient is a shared client with a hard timeout and bounded pool.
+// Using a dedicated client (not http.DefaultClient) prevents upstream services
+// from hanging the server indefinitely.
+var proxyHTTPClient = &http.Client{
+	Timeout: 30 * time.Second,
+	Transport: &http.Transport{
+		MaxIdleConns:    10,
+		IdleConnTimeout: 90 * time.Second,
+		DialContext:     ssrfSafeDialContext,
+	},
+}
+
+// HandleIntegrationProxy godoc
+//
+//	@Summary	Integration Reverse Proxy
+//	@Description	Proxies a single GET request to the configured external integration.
+//				The integration's credentials (base URL + API token) are read from
+//				user settings ({name}_url / {name}_token) and never exposed to the
+//				frontend.  This single generic endpoint replaces all per-integration
+//				proxy handlers: adding a new integration only requires a Vue component
+//				and a settings entry — no new Go code.
+//	@Tags		Integrations
+//	@Produce	*/*
+//	@Param		name	path	string	true	"Integration name, e.g. paperless"
+//	@Param		path	query	string	true	"Relative API path on the upstream service, must start with /"
+//	@Success	200
+//	@Failure	400	{object}	validate.ErrorResponse
+//	@Failure	502	{object}	validate.ErrorResponse
+//	@Router		/v1/integrations/{name}/proxy [GET]
+//	@Security	Bearer
+func (ctrl *V1Controller) HandleIntegrationProxy() errchain.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) error {
+		spanCtx, span := startEntityCtrlSpan(r.Context(), "controller.V1.HandleIntegrationProxy")
+		defer span.End()
+
+		name := chi.URLParam(r, "name")
+		if !validIntegrationName.MatchString(name) {
+			return validate.NewRequestError(fmt.Errorf("invalid integration name"), http.StatusBadRequest)
+		}
+
+		rawPath := r.URL.Query().Get("path")
+		if rawPath == "" {
+			return validate.NewRequestError(fmt.Errorf("path query parameter is required"), http.StatusBadRequest)
+		}
+		if !strings.HasPrefix(rawPath, "/") || strings.Contains(rawPath, "://") {
+			return validate.NewRequestError(fmt.Errorf("path must be a relative path starting with /"), http.StatusBadRequest)
+		}
+
+		// Normalise to prevent directory traversal while preserving trailing slash
+		// (many REST APIs treat /foo/1/ and /foo/1 differently).
+		cleanPath := path.Clean(rawPath)
+		if !strings.HasPrefix(cleanPath, "/") {
+			return validate.NewRequestError(fmt.Errorf("invalid path after normalisation"), http.StatusBadRequest)
+		}
+		if strings.HasSuffix(rawPath, "/") && !strings.HasSuffix(cleanPath, "/") {
+			cleanPath += "/"
+		}
+
+		span.SetAttributes(
+			attribute.String("integration.name", name),
+			attribute.String("integration.path", cleanPath),
+		)
+
+		ctx := services.NewContext(spanCtx)
+		settings, svcErr := ctrl.svc.User.GetSettings(ctx.Context, services.UseUserCtx(ctx.Context).ID)
+		if svcErr != nil {
+			return validate.NewRequestError(svcErr, http.StatusInternalServerError)
+		}
+
+		baseURL, _ := settings[name+"_url"].(string)
+		if baseURL == "" {
+			return validate.NewRequestError(
+				fmt.Errorf("%s_url not configured – add it in Settings", name),
+				http.StatusBadRequest,
+			)
+		}
+		if !strings.HasPrefix(baseURL, "http://") && !strings.HasPrefix(baseURL, "https://") {
+			return validate.NewRequestError(
+				fmt.Errorf("%s_url must use http:// or https:// scheme", name),
+				http.StatusBadRequest,
+			)
+		}
+
+		token, _ := settings[name+"_token"].(string)
+		if token == "" {
+			return validate.NewRequestError(
+				fmt.Errorf("%s_token not configured – add it in Settings", name),
+				http.StatusBadRequest,
+			)
+		}
+
+		upstream := strings.TrimRight(baseURL, "/") + cleanPath
+
+		req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, upstream, nil)
+		if err != nil {
+			return validate.NewRequestError(err, http.StatusBadRequest)
+		}
+		req.Header.Set("Authorization", "Token "+token)
+
+		resp, err := proxyHTTPClient.Do(req)
+		if err != nil {
+			// Log only host+path to avoid leaking query strings or embedded credentials.
+			var safeURL string
+			if u, parseErr := url.Parse(upstream); parseErr == nil {
+				safeURL = u.Host + u.Path
+			}
+			log.Err(err).Str("integration", name).Str("upstream", safeURL).Msg("integration proxy: upstream request failed")
+			return validate.NewRequestError(err, http.StatusBadGateway)
+		}
+		defer func() { _ = resp.Body.Close() }()
+
+		if resp.StatusCode == http.StatusNotFound {
+			return validate.NewRequestError(fmt.Errorf("resource not found at upstream"), http.StatusNotFound)
+		}
+		if resp.StatusCode >= 400 {
+			return validate.NewRequestError(
+				fmt.Errorf("upstream returned %d", resp.StatusCode),
+				http.StatusBadGateway,
+			)
+		}
+
+		const maxResponseSize int64 = 10 * 1024 * 1024 // 10 MB
+
+		// Reject known-oversized responses before writing any bytes to the client.
+		if resp.ContentLength > maxResponseSize {
+			return validate.NewRequestError(
+				fmt.Errorf("upstream response too large (%d bytes)", resp.ContentLength),
+				http.StatusBadGateway,
+			)
+		}
+
+		// Buffer up to maxResponseSize+1 bytes so we can detect true truncation
+		// and return a clean 502 rather than a partial 200 with invalid JSON.
+		buf, readErr := io.ReadAll(io.LimitReader(resp.Body, maxResponseSize+1))
+		if readErr != nil {
+			log.Err(readErr).Str("integration", name).Msg("integration proxy: failed to read response")
+			return validate.NewRequestError(fmt.Errorf("failed to read upstream response"), http.StatusBadGateway)
+		}
+		if int64(len(buf)) > maxResponseSize {
+			log.Warn().Str("integration", name).Msg("integration proxy: upstream response exceeded 10 MB limit")
+			return validate.NewRequestError(
+				fmt.Errorf("upstream response exceeds 10 MB limit"),
+				http.StatusBadGateway,
+			)
+		}
+
+		if ct := resp.Header.Get("Content-Type"); ct != "" {
+			w.Header().Set("Content-Type", ct)
+		}
+		if _, writeErr := w.Write(buf); writeErr != nil {
+			log.Err(writeErr).Str("integration", name).Msg("integration proxy: failed to write response")
+		}
+		return nil
+	}
+}
diff --git a/backend/app/api/routes.go b/backend/app/api/routes.go
index 87ba33e4b..b6d8cb42b 100644
--- a/backend/app/api/routes.go
+++ b/backend/app/api/routes.go
@@ -208,6 +208,9 @@ func (a *app) mountRoutes(r *chi.Mux, chain *errchain.ErrChain, repos *repo.AllR
 		r.Delete("/notifiers/{id}", chain.ToHandlerFunc(v1Ctrl.HandleDeleteNotifier(), userMW...))
 		r.Post("/notifiers/test", chain.ToHandlerFunc(v1Ctrl.HandlerNotifierTest(), append(userMW, a.notifierTestLimiter.middleware)...))
 
+		// Integration proxy endpoints
+		r.Get("/integrations/{name}/proxy", chain.ToHandlerFunc(v1Ctrl.HandleIntegrationProxy(), userMW...))
+
 		// Asset-Like endpoints
 		assetMW := []errchain.Middleware{
 			a.mwAuthToken,
diff --git a/backend/go.sum b/backend/go.sum
index 6de471285..9f2cf58d3 100644
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -71,10 +71,6 @@ github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.54.0/go.mod h1:vB2GH9GAYYJTO3mEn8oYwzEdhlayZIdQz6zdzgUIRvA=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.54.0 h1:s0WlVbf9qpvkh1c/uDAPElam0WrL7fHRIidgZJ7UqZI=
 github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.54.0/go.mod h1:Mf6O40IAyB9zR/1J8nGDDPirZQQPbYJni8Yisy7NTMc=
-github.com/IBM/sarama v1.48.0 h1:9LJS0VNeg/boXxT/GLAMDKX6uSQ1mr/5F/j4v9gSeBQ=
-github.com/IBM/sarama v1.48.0/go.mod h1:UhvwPF8zilmLOSd6O+ENzdycCJYwMww1U9DJOZpoCro=
-github.com/IBM/sarama v1.48.1 h1:x1dSWebprjjE7Wr7n8RVAxwa4mt4O9JejRxnZrGIXk0=
-github.com/IBM/sarama v1.48.1/go.mod h1:m/Q1aFezH82/AglfTpJbw/fO0ZybYXhPgTmvajiZX50=
 github.com/IBM/sarama v1.48.2 h1:QKUXRaHF46aoRwagtvDR/imrOdbdV/qWzv0u6e5my+w=
 github.com/IBM/sarama v1.48.2/go.mod h1:m/Q1aFezH82/AglfTpJbw/fO0ZybYXhPgTmvajiZX50=
 github.com/KyleBanks/depth v1.2.1 h1:5h8fQADFrWtarTdtDudMmGsC7GPbOAu6RVB3ffsVFHc=
@@ -87,8 +83,6 @@ github.com/antithesishq/antithesis-sdk-go v0.5.0-default-no-op h1:Ucf+QxEKMbPogR
 github.com/antithesishq/antithesis-sdk-go v0.5.0-default-no-op/go.mod h1:IUpT2DPAKh6i/YhSbt6Gl3v2yvUZjmKncl7U91fup7E=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
-github.com/ardanlabs/conf/v3 v3.11.0 h1:6un3ytWqf1wjgUw/NmL5q8C6u4epPVli1GdAXh72wzQ=
-github.com/ardanlabs/conf/v3 v3.11.0/go.mod h1:XlL9P0quWP4m1weOVFmlezabinbZLI05niDof/+Ochk=
 github.com/ardanlabs/conf/v3 v3.12.0 h1:8tdFT7WslYR4q9wOY/fwyYN20I+4JhMCcEgzWc73Hj0=
 github.com/ardanlabs/conf/v3 v3.12.0/go.mod h1:XlL9P0quWP4m1weOVFmlezabinbZLI05niDof/+Ochk=
 github.com/aws/aws-sdk-go-v2 v1.40.0 h1:/WMUA0kjhZExjOQN2z3oLALDREea1A7TobfuiBrKlwc=
@@ -141,14 +135,6 @@ github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1x
 github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/clipperhouse/displaywidth v0.6.2 h1:ZDpTkFfpHOKte4RG5O/BOyf3ysnvFswpyYrV7z2uAKo=
-github.com/clipperhouse/displaywidth v0.6.2/go.mod h1:R+kHuzaYWFkTm7xoMmK1lFydbci4X2CicfbGstSGg0o=
-github.com/clipperhouse/stringish v0.1.1 h1:+NSqMOr3GR6k1FdRhhnXrLfztGzuG+VuFDfatpWHKCs=
-github.com/clipperhouse/stringish v0.1.1/go.mod h1:v/WhFtE1q0ovMta2+m+UbpZ+2/HEXNWYXQgCt4hdOzA=
-github.com/clipperhouse/uax29/v2 v2.3.0 h1:SNdx9DVUqMoBuBoW3iLOj4FQv3dN5mDtuqwuhIGpJy4=
-github.com/clipperhouse/uax29/v2 v2.3.0/go.mod h1:Wn1g7MK6OoeDT0vL+Q0SQLDz/KpfsVRgg6W7ihQeh4g=
-github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5 h1:6xNmx7iTtyBRev0+D/Tv1FZd4SCg8axKApyNyRsAt/w=
-github.com/cncf/xds/go v0.0.0-20251210132809-ee656c7534f5/go.mod h1:KdCmV+x/BuvyMxRnYBlmVaq4OLiKW6iRQfvC62cvdkI=
 github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2 h1:aBangftG7EVZoUb69Os8IaYg++6uMOdKK83QtkkvJik=
 github.com/cncf/xds/go v0.0.0-20260202195803-dba9d589def2/go.mod h1:qwXFYgsP6T7XnJtbKlf1HP8AjxZZyzxMmc+Lq5GjlU4=
 github.com/coder/websocket v1.8.14 h1:9L0p0iKiNOibykf283eHkKUHHrpG7f65OE3BhhO7v9g=
@@ -172,20 +158,14 @@ github.com/ebitengine/purego v0.10.0 h1:QIw4xfpWT6GWTzaW5XEKy3HXoqrJGx1ijYHzTF0/
 github.com/ebitengine/purego v0.10.0/go.mod h1:iIjxzd6CiRiOG0UyXP+V1+jWqUXVjPKLAI0mRfJZTmQ=
 github.com/envoyproxy/go-control-plane v0.14.0 h1:hbG2kr4RuFj222B6+7T83thSPqLjwBIfQawTkC++2HA=
 github.com/envoyproxy/go-control-plane v0.14.0/go.mod h1:NcS5X47pLl/hfqxU70yPwL9ZMkUlwlKxtAohpi2wBEU=
-github.com/envoyproxy/go-control-plane/envoy v1.36.0 h1:yg/JjO5E7ubRyKX3m07GF3reDNEnfOboJ0QySbH736g=
-github.com/envoyproxy/go-control-plane/envoy v1.36.0/go.mod h1:ty89S1YCCVruQAm9OtKeEkQLTb+Lkz0k8v9W0Oxsv98=
 github.com/envoyproxy/go-control-plane/envoy v1.37.0 h1:u3riX6BoYRfF4Dr7dwSOroNfdSbEPe9Yyl09/B6wBrQ=
 github.com/envoyproxy/go-control-plane/envoy v1.37.0/go.mod h1:DReE9MMrmecPy+YvQOAOHNYMALuowAnbjjEMkkWOi6A=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0 h1:/G9QYbddjL25KvtKTv3an9lx6VBE2cnb8wp1vEGNYGI=
 github.com/envoyproxy/go-control-plane/ratelimit v0.1.0/go.mod h1:Wk+tMFAFbCXaJPzVVHnPgRKdUdwW/KdbRt94AzgRee4=
-github.com/envoyproxy/protoc-gen-validate v1.3.0 h1:TvGH1wof4H33rezVKWSpqKz5NXWg5VPuZ0uONDT6eb4=
-github.com/envoyproxy/protoc-gen-validate v1.3.0/go.mod h1:HvYl7zwPa5mffgyeTUHA9zHIH36nmrm7oCbo4YKoSWA=
 github.com/envoyproxy/protoc-gen-validate v1.3.3 h1:MVQghNeW+LZcmXe7SY1V36Z+WFMDjpqGAGacLe2T0ds=
 github.com/envoyproxy/protoc-gen-validate v1.3.3/go.mod h1:TsndJ/ngyIdQRhMcVVGDDHINPLWB7C82oDArY51KfB0=
 github.com/evanoberholster/imagemeta v0.3.1 h1:E4GUjXcvlVMjP9joN25+bBNf3Al3MTTfMqCrDOCW+LE=
 github.com/evanoberholster/imagemeta v0.3.1/go.mod h1:V0vtDJmjTqvwAYO8r+u33NRVIMXQb0qSqEfImoKEiXM=
-github.com/evanoberholster/imagemeta v1.0.0 h1:FlSihlsjkWIoS83wmgPOP3CbAxlRpxM8jQGZgLu+MWQ=
-github.com/evanoberholster/imagemeta v1.0.0/go.mod h1:2ITZJjD1ygzWIhepvn8coRvpaFcnDNk3E6hx6v7z8DU=
 github.com/fatih/color v1.19.0 h1:Zp3PiM21/9Ld6FzSKyL5c/BULoe/ONr9KlbYVOfG8+w=
 github.com/fatih/color v1.19.0/go.mod h1:zNk67I0ZUT1bEGsSGyCZYZNrHuTkJJB+r6Q9VuMi0LE=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -287,8 +267,6 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/wire v0.7.0 h1:JxUKI6+CVBgCO2WToKy/nQk0sS+amI9z9EjVmdaocj4=
 github.com/google/wire v0.7.0/go.mod h1:n6YbUQD9cPKTnHXEBN2DXlOp/mVADhVErcMFb0v3J18=
-github.com/googleapis/enterprise-certificate-proxy v0.3.14 h1:yh8ncqsbUY4shRD5dA6RlzjJaT4hi3kII+zYw8wmLb8=
-github.com/googleapis/enterprise-certificate-proxy v0.3.14/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
 github.com/googleapis/enterprise-certificate-proxy v0.3.15 h1:xolVQTEXusUcAA5UgtyRLjelpFFHWlPQ4XfWGc7MBas=
 github.com/googleapis/enterprise-certificate-proxy v0.3.15/go.mod h1:vqVt9yG9480NtzREnTlmGSBmFrA+bzb0yl0TxoBQXOg=
 github.com/googleapis/gax-go/v2 v2.22.0 h1:PjIWBpgGIVKGoCXuiCoP64altEJCj3/Ei+kSU5vlZD4=
@@ -336,8 +314,6 @@ github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/keybase/go-keychain v0.0.1 h1:way+bWYa6lDppZoZcgMbYsvC7GxljxrskdNInRtuthU=
 github.com/keybase/go-keychain v0.0.1/go.mod h1:PdEILRW3i9D8JcdM+FmY6RwkHGnhHxXwkPPMeUgOK1k=
-github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
-github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/compress v1.18.6 h1:2jupLlAwFm95+YDR+NwD2MEfFO9d4z4Prjl1XXDjuao=
 github.com/klauspost/compress v1.18.6/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
@@ -354,12 +330,8 @@ github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
-github.com/mattn/go-isatty v0.0.21 h1:xYae+lCNBP7QuW4PUnNG61ffM4hVIfm+zUzDuSzYLGs=
-github.com/mattn/go-isatty v0.0.21/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
 github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
-github.com/mattn/go-runewidth v0.0.19 h1:v++JhqYnZuu5jSKrk9RbgF5v4CGUjqRfBm05byFGLdw=
-github.com/mattn/go-runewidth v0.0.19/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
 github.com/mattn/go-sqlite3 v1.14.34 h1:3NtcvcUnFBPsuRcno8pUtupspG/GM+9nZ88zgJcp6Zk=
 github.com/mattn/go-sqlite3 v1.14.34/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mfridman/interpolate v0.0.2 h1:pnuTK7MQIxxFz1Gr+rjSIx9u7qVjf5VOoM/u6BbAxPY=
@@ -372,8 +344,6 @@ github.com/nats-io/jwt/v2 v2.8.0 h1:K7uzyz50+yGZDO5o772eRE7atlcSEENpL7P+b74JV1g=
 github.com/nats-io/jwt/v2 v2.8.0/go.mod h1:me11pOkwObtcBNR8AiMrUbtVOUGkqYjMQZ6jnSdVUIA=
 github.com/nats-io/nats-server/v2 v2.11.12 h1:jGDXTkcjqQ5fCRstwIxvv1K0RHfftFUoSCT/iIZcqOc=
 github.com/nats-io/nats-server/v2 v2.11.12/go.mod h1:5MCp/pqm5SEfsvVZ31ll1088ZTwEUdvRX1Hmh/mTTDg=
-github.com/nats-io/nats.go v1.51.0 h1:ByW84XTz6W03GSSsygsZcA+xgKK8vPGaa/FCAAEHnAI=
-github.com/nats-io/nats.go v1.51.0/go.mod h1:26HypzazeOkyO3/mqd1zZd53STJN0EjCYF9Uy2ZOBno=
 github.com/nats-io/nats.go v1.52.0 h1:n3avV4VBsCgsdwh71TppsTwtv+QdPs7ntSKM8qJLGsc=
 github.com/nats-io/nats.go v1.52.0/go.mod h1:26HypzazeOkyO3/mqd1zZd53STJN0EjCYF9Uy2ZOBno=
 github.com/nats-io/nkeys v0.4.15 h1:JACV5jRVO9V856KOapQ7x+EY8Jo3qw1vJt/9Jpwzkk4=
@@ -384,14 +354,6 @@ github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOF
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/olahol/melody v1.4.0 h1:Pa5SdeZL/zXPi1tJuMAPDbl4n3gQOThSL6G1p4qZ4SI=
 github.com/olahol/melody v1.4.0/go.mod h1:GgkTl6Y7yWj/HtfD48Q5vLKPVoZOH+Qqgfa7CvJgJM4=
-github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 h1:zrbMGy9YXpIeTnGj4EljqMiZsIcE09mmF8XsD5AYOJc=
-github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6/go.mod h1:rEKTHC9roVVicUIfZK7DYrdIoM0EOr8mK1Hj5s3JjH0=
-github.com/olekukonko/errors v1.1.0 h1:RNuGIh15QdDenh+hNvKrJkmxxjV4hcS50Db478Ou5sM=
-github.com/olekukonko/errors v1.1.0/go.mod h1:ppzxA5jBKcO1vIpCXQ9ZqgDh8iwODz6OXIGKU8r5m4Y=
-github.com/olekukonko/ll v0.1.4-0.20260115111900-9e59c2286df0 h1:jrYnow5+hy3WRDCBypUFvVKNSPPCdqgSXIE9eJDD8LM=
-github.com/olekukonko/ll v0.1.4-0.20260115111900-9e59c2286df0/go.mod h1:b52bVQRRPObe+yyBl0TxNfhesL0nedD4Cht0/zx55Ew=
-github.com/olekukonko/tablewriter v1.1.3 h1:VSHhghXxrP0JHl+0NnKid7WoEmd9/urKRJLysb70nnA=
-github.com/olekukonko/tablewriter v1.1.3/go.mod h1:9VU0knjhmMkXjnMKrZ3+L2JhhtsQ/L38BbL3CRNE8tM=
 github.com/onsi/ginkgo/v2 v2.9.2 h1:BA2GMJOtfGAfagzYtrAlufIP0lq6QERkFmHLMLPwFSU=
 github.com/onsi/ginkgo/v2 v2.9.2/go.mod h1:WHcJJG2dIlcCqVfBAwUCrJxSPFb6v4azBwgxeMeDuts=
 github.com/onsi/gomega v1.27.6 h1:ENqfyGeS5AX/rlXDd/ETokDz93u0YufY1Pgxuy/PvWE=
@@ -419,8 +381,6 @@ github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9 h1:bsUq1dX0N8A
 github.com/rcrowley/go-metrics v0.0.0-20250401214520-65e299d6c5c9/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
-github.com/riandyrn/otelchi v0.12.2 h1:6QhGv0LVw/dwjtPd12mnNrl0oEQF4ZAlmHcnlTYbeAg=
-github.com/riandyrn/otelchi v0.12.2/go.mod h1:weZZeUJURvtCcbWsdb7Y6F8KFZGedJlSrgUjq9VirV8=
 github.com/riandyrn/otelchi v0.12.3 h1:KW9gA+97d6mExk8vbh0FRwb2biUvpyYlc8YuxP1Oap0=
 github.com/riandyrn/otelchi v0.12.3/go.mod h1:weZZeUJURvtCcbWsdb7Y6F8KFZGedJlSrgUjq9VirV8=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
@@ -433,16 +393,10 @@ github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
 github.com/sethvargo/go-retry v0.3.0 h1:EEt31A35QhrcRZtrYFDTBg91cqZVnFL2navjDrah2SE=
 github.com/sethvargo/go-retry v0.3.0/go.mod h1:mNX17F0C/HguQMyMyJxcnU471gOZGxCLyYaFyAZraas=
-github.com/shirou/gopsutil/v4 v4.26.3 h1:2ESdQt90yU3oXF/CdOlRCJxrP+Am1aBYubTMTfxJ1qc=
-github.com/shirou/gopsutil/v4 v4.26.3/go.mod h1:LZ6ewCSkBqUpvSOf+LsTGnRinC6iaNUNMGBtDkJBaLQ=
 github.com/shirou/gopsutil/v4 v4.26.4 h1:B4SXVbcwTyrocPHEmWBC4uCYr4Xcu3MK1TXqbprAOWY=
 github.com/shirou/gopsutil/v4 v4.26.4/go.mod h1:LZ6ewCSkBqUpvSOf+LsTGnRinC6iaNUNMGBtDkJBaLQ=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e h1:MRM5ITcdelLK2j1vwZ3Je0FKVCfqOLp5zO6trqMLYs0=
 github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e/go.mod h1:XV66xRDqSt+GTGFMVlhk3ULuV0y9ZmzeVGR4mloJI3M=
-github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I=
-github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spiffe/go-spiffe/v2 v2.6.0 h1:l+DolpxNWYgruGQVV0xsfeya3CsC7m8iBzDnMpsbLuo=
 github.com/spiffe/go-spiffe/v2 v2.6.0/go.mod h1:gm2SeUoMZEtpnzPNs2Csc0D/gX33k1xIx7lEzqblHEs=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -494,8 +448,6 @@ go.balki.me/anyhttp v0.5.2 h1:et4tCDXLeXpWfMNvRKG7ojfrnlr3du7cEaG966MLSpA=
 go.balki.me/anyhttp v0.5.2/go.mod h1:JhfekOIjgVODoVqUCficjpIgmB3wwlB7jhN0eN2EZ/s=
 go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
 go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/contrib/detectors/gcp v1.39.0 h1:kWRNZMsfBHZ+uHjiH4y7Etn2FK26LAGkNFw7RHv1DhE=
-go.opentelemetry.io/contrib/detectors/gcp v1.39.0/go.mod h1:t/OGqzHBa5v6RHZwrDBJ2OirWc+4q/w2fTbLZwAKjTk=
 go.opentelemetry.io/contrib/detectors/gcp v1.42.0 h1:kpt2PEJuOuqYkPcktfJqWWDjTEd/FNgrxcniL7kQrXQ=
 go.opentelemetry.io/contrib/detectors/gcp v1.42.0/go.mod h1:W9zQ439utxymRrXsUOzZbFX4JhLxXU4+ZnCt8GG7yA8=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.67.0 h1:yI1/OhfEPy7J9eoa6Sj051C7n5dvpj0QX8g4sRchg04=
@@ -558,17 +510,11 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
 golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
 golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
-golang.org/x/image v0.39.0 h1:skVYidAEVKgn8lZ602XO75asgXBgLj9G/FE3RbuPFww=
-golang.org/x/image v0.39.0/go.mod h1:sIbmppfU+xFLPIG0FoVUTvyBMmgng1/XAMhQ2ft0hpA=
 golang.org/x/image v0.40.0 h1:Tw4GyDXMo+daZN1znreBRC3VayR1aLFUyUEOLUdW1a8=
 golang.org/x/image v0.40.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
 golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
 golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -578,8 +524,6 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
 golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
 golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
 golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
@@ -598,8 +542,6 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
 golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -609,8 +551,6 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
 golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
 golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
@@ -618,8 +558,6 @@ golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
-golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
 golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
 golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -628,26 +566,14 @@ golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhS
 golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
 gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
 gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
-google.golang.org/api v0.276.0 h1:nVArUtfLEihtW+b0DdcqRGK1xoEm2+ltAihyztq7MKY=
-google.golang.org/api v0.276.0/go.mod h1:Fnag/EWUPIcJXuIkP1pjoTgS5vdxlk3eeemL7Do6bvw=
-google.golang.org/api v0.278.0 h1:W7jiRvRi53VYFfZ/HoZjQBtJk7gOFbHD8ot1RzVZU6E=
-google.golang.org/api v0.278.0/go.mod h1:B9TqLBwJqVjp1mtt7WeoQwWRwvu/400y5lETOql+giQ=
 google.golang.org/api v0.279.0 h1:hsx2M2OaRcaKtVYK6vXEUnQvdjnend7ZYES+lYaot74=
 google.golang.org/api v0.279.0/go.mod h1:B9TqLBwJqVjp1mtt7WeoQwWRwvu/400y5lETOql+giQ=
 google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7 h1:XzmzkmB14QhVhgnawEVsOn6OFsnpyxNPRY9QV01dNB0=
 google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:L43LFes82YgSonw6iTXTxXUX1OlULt4AQtkik4ULL/I=
-google.golang.org/genproto/googleapis/api v0.0.0-20260420184626-e10c466a9529 h1:zUWMZsvo/IJcD1t6MNCPO/azZTwz0TvwCBqr5aifoVY=
-google.golang.org/genproto/googleapis/api v0.0.0-20260420184626-e10c466a9529/go.mod h1:a5OGAgyRr4lqco7AG9hQM9Fwh0N2ZV4grR0eXFEsXQg=
 google.golang.org/genproto/googleapis/api v0.0.0-20260511170946-3700d4141b60 h1:3WsB1FAbiRIf2tOxscWKs3pQBD9he1NsrnbhMuWfekc=
 google.golang.org/genproto/googleapis/api v0.0.0-20260511170946-3700d4141b60/go.mod h1:7yoXV7RIh5gblj/xVYoogxAWvA9wUeVbpsK/M694l00=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260420184626-e10c466a9529 h1:XF8+t6QQiS0o9ArVan/HW8Q7cycNPGsJf6GA2nXxYAg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260420184626-e10c466a9529/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260511170946-3700d4141b60 h1:seT2EwLWM78plQ7wcDfuWBc/4FAEAXDDiaSol4ku4qo=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20260511170946-3700d4141b60/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
-google.golang.org/grpc v1.80.0 h1:Xr6m2WmWZLETvUNvIUmeD5OAagMw3FiKmMlTdViWsHM=
-google.golang.org/grpc v1.80.0/go.mod h1:ho/dLnxwi3EDJA4Zghp7k2Ec1+c2jqup0bFkw07bwF4=
-google.golang.org/grpc v1.81.0 h1:W3G9N3KQf3BU+YuCtGKJk0CmxQNbAISICD/9AORxLIw=
-google.golang.org/grpc v1.81.0/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
 google.golang.org/grpc v1.81.1 h1:VnnIIZ88UzOOKLukQi+ImGz8O1Wdp8nAGGnvOfEIWQQ=
 google.golang.org/grpc v1.81.1/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
 google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
@@ -659,12 +585,10 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-modernc.org/cc/v4 v4.28.1 h1:XpLbkYVQ24E8tX5u8+yWGvaxerxkR/S4zqxI8ZoSBuc=
-modernc.org/cc/v4 v4.28.1/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
 modernc.org/cc/v4 v4.28.2 h1:3tQ0lf2ADtoby2EtSP+J7IE2SHwEJdP8ioR59wx7XpY=
-modernc.org/ccgo/v4 v4.33.0 h1:dspBCm75jsj8Y/ufwAMVfe375L2iYdMyQ2QG/v3hL54=
-modernc.org/ccgo/v4 v4.33.0/go.mod h1:+RhXBoRYzRwaH21mV/aj6XvQRDtfjcZfAlPMsQo8CR0=
+modernc.org/cc/v4 v4.28.2/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
 modernc.org/ccgo/v4 v4.34.0 h1:yRLPFZieg532OT4rp4JFNIVcquwalMX26G95WQDqwCQ=
+modernc.org/ccgo/v4 v4.34.0/go.mod h1:AS5WYMyBakQ+fhsHhtP8mWB82KTGPkNNJDGfGQCe0/A=
 modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
 modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
@@ -673,8 +597,6 @@ modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
 modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.72.1 h1:db1xwJ6u1kE3KHTFTTbe2GCrczHPKzlURP0aDC4NGD0=
-modernc.org/libc v1.72.1/go.mod h1:HRMiC/PhPGLIPM7GzAFCbI+oSgE3dhZ8FWftmRrHVlY=
 modernc.org/libc v1.72.3 h1:ZnDF4tXn4NBXFutMMQC4vtbTFSXhhKzR73fv0beZEAU=
 modernc.org/libc v1.72.3/go.mod h1:dn0dZNnnn1clLyvRxLxYExxiKRZIRENOfqQ8XEeg4Qs=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
@@ -685,8 +607,6 @@ modernc.org/opt v0.2.0 h1:tGyef5ApycA7FSEOMraay9SaTk5zmbx7Tu+cJs4QKZg=
 modernc.org/opt v0.2.0/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.49.1 h1:dYGHTKcX1sJ+EQDnUzvz4TJ5GbuvhNJa8Fg6ElGx73U=
-modernc.org/sqlite v1.49.1/go.mod h1:m0w8xhwYUVY3H6pSDwc3gkJ/irZT/0YEXwBlhaxQEew=
 modernc.org/sqlite v1.50.1 h1:l+cQvn0sd0zJJtfygGHuQJ5AjlrwXmWPw4KP3ZMwr9w=
 modernc.org/sqlite v1.50.1/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
diff --git a/backend/internal/core/services/service_items_attachments_external_test.go b/backend/internal/core/services/service_items_attachments_external_test.go
index 29e0aca5b..ff11b5ccc 100644
--- a/backend/internal/core/services/service_items_attachments_external_test.go
+++ b/backend/internal/core/services/service_items_attachments_external_test.go
@@ -30,103 +30,140 @@ func newExternalLinkEntity(t *testing.T) repo.EntityOut {
 	return entity
 }
 
-func TestEntityService_AttachmentAddExternalLink_DefaultType(t *testing.T) {
-	svc := &EntityService{repo: tRepos}
-	entity := newExternalLinkEntity(t)
-
-	out, err := svc.AttachmentAddExternalLink(tCtx, entity.ID, "link", "https://example.com/doc/42", "Example Doc", "")
-	require.NoError(t, err)
-	require.NotEmpty(t, out.Attachments)
-
-	var found bool
-	for _, att := range out.Attachments {
-		if att.Path == "https://example.com/doc/42" {
-			found = true
-			assert.Equal(t, repo.MimeTypeLinkURL, att.MimeType)
-			assert.Equal(t, "Example Doc", att.Title)
-			assert.Equal(t, string(attachment.TypeAttachment), att.Type)
-		}
-	}
-	assert.True(t, found)
+// knownSources lists every registered external-link source type together with a
+// representative external ID. To add or remove a service integration from the
+// test matrix, update this slice only — all table-driven tests pick up the
+// change automatically.
+var knownSources = []struct {
+	sourceType string
+	externalID string
+}{
+	{"paperless", "42"},
+	{"link", "https://example.com/doc"},
 }
 
-func TestEntityService_AttachmentAddExternalLink_ManualType(t *testing.T) {
+// TestEntityService_AttachmentAddExternalLink_SourceTypes verifies that every
+// known source type is accepted and that the stored mimeType and path match the
+// contract defined by repo.MimeTypeForSourceType.
+func TestEntityService_AttachmentAddExternalLink_SourceTypes(t *testing.T) {
 	svc := &EntityService{repo: tRepos}
-	entity := newExternalLinkEntity(t)
 
-	out, err := svc.AttachmentAddExternalLink(tCtx, entity.ID, "link", "https://example.com/manual", "Manual", attachment.TypeManual)
-	require.NoError(t, err)
-
-	var found bool
-	for _, att := range out.Attachments {
-		if att.Path == "https://example.com/manual" {
-			found = true
-			assert.Equal(t, string(attachment.TypeManual), att.Type)
-		}
+	for _, src := range knownSources {
+		t.Run(src.sourceType, func(t *testing.T) {
+			entity := newExternalLinkEntity(t)
+
+			expectedMime, ok := repo.MimeTypeForSourceType(src.sourceType)
+			require.True(t, ok, "knownSources entry %q has no registered mime type", src.sourceType)
+
+			out, err := svc.AttachmentAddExternalLink(tCtx, entity.ID, src.sourceType, src.externalID, "Test Doc", attachment.TypeAttachment)
+			require.NoError(t, err)
+			require.NotEmpty(t, out.Attachments)
+
+			var found bool
+			for _, att := range out.Attachments {
+				if att.Path == src.externalID {
+					found = true
+					assert.Equal(t, expectedMime, att.MimeType)
+					assert.Equal(t, "Test Doc", att.Title)
+					assert.Equal(t, string(attachment.TypeAttachment), att.Type)
+				}
+			}
+			assert.True(t, found, "expected attachment with path %q in entity output", src.externalID)
+		})
 	}
-	assert.True(t, found)
 }
 
-func TestEntityService_AttachmentAddExternalLink_WarrantyType(t *testing.T) {
-	svc := &EntityService{repo: tRepos}
-	entity := newExternalLinkEntity(t)
+// TestEntityService_AttachmentAddExternalLink_AttachmentTypes verifies that all
+// attachment type variants (Manual, Warranty, Receipt) are stored correctly.
+// The source-type matrix is already covered by
+// TestEntityService_AttachmentAddExternalLink_SourceTypes, so a single
+// representative source type is sufficient here.
+func TestEntityService_AttachmentAddExternalLink_AttachmentTypes(t *testing.T) {
+	src := knownSources[0]
+	expectedMime, _ := repo.MimeTypeForSourceType(src.sourceType)
+
+	cases := []struct {
+		attType attachment.Type
+		title   string
+	}{
+		{attachment.TypeManual, "Manual"},
+		{attachment.TypeWarranty, "Warranty"},
+		{attachment.TypeReceipt, "Receipt"},
+	}
 
-	out, err := svc.AttachmentAddExternalLink(tCtx, entity.ID, "link", "https://example.com/warranty", "Warranty", attachment.TypeWarranty)
-	require.NoError(t, err)
+	svc := &EntityService{repo: tRepos}
 
-	var found bool
-	for _, att := range out.Attachments {
-		if att.Path == "https://example.com/warranty" {
-			found = true
-			assert.Equal(t, string(attachment.TypeWarranty), att.Type)
-		}
+	for _, tc := range cases {
+		t.Run(string(tc.attType), func(t *testing.T) {
+			entity := newExternalLinkEntity(t)
+
+			out, err := svc.AttachmentAddExternalLink(tCtx, entity.ID, src.sourceType, src.externalID, tc.title, tc.attType)
+			require.NoError(t, err)
+
+			var found bool
+			for _, att := range out.Attachments {
+				if att.Path == src.externalID {
+					found = true
+					assert.Equal(t, string(tc.attType), att.Type)
+					assert.Equal(t, expectedMime, att.MimeType)
+				}
+			}
+			assert.True(t, found)
+		})
 	}
-	assert.True(t, found)
 }
 
-func TestEntityService_AttachmentAddExternalLink_ReceiptType(t *testing.T) {
+// TestEntityService_AttachmentAddExternalLink_MultipleAttachments verifies that
+// multiple external-link attachments (one per registered source type) can coexist
+// on a single entity.
+func TestEntityService_AttachmentAddExternalLink_MultipleAttachments(t *testing.T) {
 	svc := &EntityService{repo: tRepos}
 	entity := newExternalLinkEntity(t)
 
-	out, err := svc.AttachmentAddExternalLink(tCtx, entity.ID, "link", "https://example.com/receipt", "Receipt", attachment.TypeReceipt)
-	require.NoError(t, err)
-
-	var found bool
-	for _, att := range out.Attachments {
-		if att.Path == "https://example.com/receipt" {
-			found = true
-			assert.Equal(t, string(attachment.TypeReceipt), att.Type)
-		}
+	for _, src := range knownSources {
+		_, err := svc.AttachmentAddExternalLink(tCtx, entity.ID, src.sourceType, src.externalID, src.sourceType+" doc", attachment.TypeAttachment)
+		require.NoError(t, err, "failed for source type %q", src.sourceType)
 	}
-	assert.True(t, found)
+
+	latest, err := svc.repo.Entities.GetOneByGroup(tCtx, tCtx.GID, entity.ID)
+	require.NoError(t, err)
+	assert.Equal(t, len(knownSources), len(latest.Attachments))
 }
 
+// TestEntityService_AttachmentAddExternalLink_InvalidEntity verifies that
+// using a non-existent entity ID returns an error.
 func TestEntityService_AttachmentAddExternalLink_InvalidEntity(t *testing.T) {
 	svc := &EntityService{repo: tRepos}
+	src := knownSources[0]
 
-	_, err := svc.AttachmentAddExternalLink(tCtx, uuid.New(), "link", "https://example.com/missing", "Missing", attachment.TypeAttachment)
+	_, err := svc.AttachmentAddExternalLink(tCtx, uuid.New(), src.sourceType, src.externalID, "Missing", attachment.TypeAttachment)
 	assert.Error(t, err)
 }
 
+// TestEntityService_AttachmentAddExternalLink_UnknownSourceType verifies that
+// an unregistered source type is rejected before any DB write.
 func TestEntityService_AttachmentAddExternalLink_UnknownSourceType(t *testing.T) {
 	svc := &EntityService{repo: tRepos}
 	entity := newExternalLinkEntity(t)
 
-	_, err := svc.AttachmentAddExternalLink(tCtx, entity.ID, "paperless", "42", "Paperless", attachment.TypeAttachment)
+	_, err := svc.AttachmentAddExternalLink(tCtx, entity.ID, "unknown-source", "42", "Unknown", attachment.TypeAttachment)
 	assert.Error(t, err)
 }
 
+// TestEntityService_AttachmentDelete_ExternalLink verifies that an external-link
+// attachment can be deleted and is no longer retrievable afterwards.
 func TestEntityService_AttachmentDelete_ExternalLink(t *testing.T) {
 	svc := &EntityService{repo: tRepos}
 	entity := newExternalLinkEntity(t)
+	src := knownSources[0]
 
-	out, err := svc.AttachmentAddExternalLink(tCtx, entity.ID, "link", "https://example.com/delete", "Delete Me", attachment.TypeAttachment)
+	out, err := svc.AttachmentAddExternalLink(tCtx, entity.ID, src.sourceType, src.externalID, "Delete Me", attachment.TypeAttachment)
 	require.NoError(t, err)
 	require.NotEmpty(t, out.Attachments)
 
 	var createdID uuid.UUID
 	for _, att := range out.Attachments {
-		if att.Path == "https://example.com/delete" {
+		if att.Path == src.externalID {
 			createdID = att.ID
 			break
 		}
diff --git a/backend/internal/data/repo/repo_item_attachments.go b/backend/internal/data/repo/repo_item_attachments.go
index db8f5914d..f888be4c5 100644
--- a/backend/internal/data/repo/repo_item_attachments.go
+++ b/backend/internal/data/repo/repo_item_attachments.go
@@ -84,23 +84,32 @@ type (
 	}
 )
 
+// MimeTypeLinkURL is the MIME type for generic HTTP/HTTPS URL links.
 const MimeTypeLinkURL = "link/url"
 
-var externalLinkMimeTypes = []string{
-	MimeTypeLinkURL,
+// MimeTypePaperlessDocument is the MIME type for Paperless-ngx document links.
+const MimeTypePaperlessDocument = "paperless/document"
+
+// sourceTypeMIMEs maps user-facing source-type names to their internal MIME
+// discriminators. It is the single source of truth: both MimeTypeForSourceType
+// and isExternalLink derive from it.
+var sourceTypeMIMEs = map[string]string{
+	"link":      MimeTypeLinkURL,
+	"paperless": MimeTypePaperlessDocument,
 }
 
+// MimeTypeForSourceType maps a user-facing integration source-type name (e.g. "paperless")
+// to the internal MIME discriminator stored in the attachments table.
+// Returns ("", false) for unknown source types.
 func MimeTypeForSourceType(sourceType string) (string, bool) {
-	switch sourceType {
-	case "link":
-		return MimeTypeLinkURL, true
-	default:
-		return "", false
-	}
+	mime, ok := sourceTypeMIMEs[sourceType]
+	return mime, ok
 }
 
+// isExternalLink reports whether mimeType belongs to the set of registered
+// external-link MIME types (i.e. records stored by path reference, not blob).
 func isExternalLink(mimeType string) bool {
-	for _, m := range externalLinkMimeTypes {
+	for _, m := range sourceTypeMIMEs {
 		if m == mimeType {
 			return true
 		}
@@ -428,10 +437,17 @@ func (r *AttachmentRepo) Create(ctx context.Context, itemID uuid.UUID, doc ItemC
 	return attachmentDb, nil
 }
 
+// CreateExternalLink persists a new attachment that references an external
+// resource by externalID (e.g. a Paperless document ID or a URL) rather than
+// uploading a blob. mimeType must be a value registered in externalLinkMimeTypes.
 func (r *AttachmentRepo) CreateExternalLink(ctx context.Context, entityID uuid.UUID, externalID string, title string, mimeType string, attType attachment.Type) (*ent.Attachment, error) {
 	ctx, span := otel.Tracer("data").Start(ctx, "repo.AttachmentRepo.CreateExternalLink")
 	defer span.End()
 
+	if !isExternalLink(mimeType) {
+		return nil, fmt.Errorf("unsupported external-link MIME type %q", mimeType)
+	}
+
 	if attType == "" {
 		attType = attachment.TypeAttachment
 	}
diff --git a/backend/internal/data/repo/repo_item_attachments_test.go b/backend/internal/data/repo/repo_item_attachments_test.go
index 1bcfbfd61..32b61bd0c 100644
--- a/backend/internal/data/repo/repo_item_attachments_test.go
+++ b/backend/internal/data/repo/repo_item_attachments_test.go
@@ -16,13 +16,22 @@ import (
 )
 
 func TestMimeTypeForSourceType(t *testing.T) {
-	mime, ok := MimeTypeForSourceType("link")
-	assert.True(t, ok)
-	assert.Equal(t, MimeTypeLinkURL, mime)
-
-	mime, ok = MimeTypeForSourceType("unknown")
-	assert.False(t, ok)
-	assert.Empty(t, mime)
+	cases := []struct {
+		sourceType   string
+		expectedMime string
+		expectedOk   bool
+	}{
+		{"link", MimeTypeLinkURL, true},
+		{"paperless", MimeTypePaperlessDocument, true},
+		{"unknown", "", false},
+	}
+	for _, tc := range cases {
+		t.Run(tc.sourceType, func(t *testing.T) {
+			mime, ok := MimeTypeForSourceType(tc.sourceType)
+			assert.Equal(t, tc.expectedOk, ok)
+			assert.Equal(t, tc.expectedMime, mime)
+		})
+	}
 }
 
 func TestAttachmentRepo_Create(t *testing.T) {
@@ -138,44 +147,102 @@ func TestAttachmentRepo_Delete(t *testing.T) {
 	require.Error(t, err)
 }
 
-func TestAttachmentRepo_CreateExternalLink(t *testing.T) {
+// externalLinkMimeTypeCases covers every registered external-link MIME type.
+// Adding a new integration only requires a new entry here — all table-driven
+// tests below pick it up automatically.
+var externalLinkMimeTypeCases = []struct {
+	mimeType   string
+	externalID string
+}{
+	{MimeTypeLinkURL, "https://example.com/doc"},
+	{MimeTypePaperlessDocument, "42"},
+}
+
+// TestAttachmentRepo_CreateExternalLink_PerMimeType verifies that path, title,
+// and mimeType are stored and returned verbatim for every known external-link
+// MIME type.
+func TestAttachmentRepo_CreateExternalLink_PerMimeType(t *testing.T) {
 	ctx := context.Background()
-	entity := useEntities(t, 1)[0]
 
-	att, err := tRepos.Attachments.CreateExternalLink(
-		ctx,
-		entity.ID,
-		"https://example.com/manual",
-		"Example Manual",
-		MimeTypeLinkURL,
+	for _, tc := range externalLinkMimeTypeCases {
+		t.Run(tc.mimeType, func(t *testing.T) {
+			entity := useEntities(t, 1)[0]
+
+			att, err := tRepos.Attachments.CreateExternalLink(ctx, entity.ID, tc.externalID, "Test Doc", tc.mimeType, attachment.TypeAttachment)
+			require.NoError(t, err)
+			require.NotNil(t, att)
+
+			t.Cleanup(func() { _ = tRepos.Attachments.Delete(ctx, tGroup.ID, att.ID) })
+
+			assert.Equal(t, tc.externalID, att.Path)
+			assert.Equal(t, "Test Doc", att.Title)
+			assert.Equal(t, tc.mimeType, att.MimeType)
+			assert.Equal(t, attachment.TypeAttachment, att.Type)
+			assert.False(t, att.Primary)
+		})
+	}
+}
+
+// TestAttachmentRepo_CreateExternalLink_AttachmentTypes verifies that all
+// attachment type variants are stored correctly. A single representative MIME
+// type is sufficient since the MIME type coverage is handled above.
+func TestAttachmentRepo_CreateExternalLink_AttachmentTypes(t *testing.T) {
+	ctx := context.Background()
+	mimeType := externalLinkMimeTypeCases[0].mimeType
+	externalID := externalLinkMimeTypeCases[0].externalID
+
+	types := []attachment.Type{
+		attachment.TypeAttachment,
 		attachment.TypeManual,
-	)
+		attachment.TypeWarranty,
+		attachment.TypeReceipt,
+	}
+
+	for _, typ := range types {
+		t.Run(string(typ), func(t *testing.T) {
+			entity := useEntities(t, 1)[0]
+
+			att, err := tRepos.Attachments.CreateExternalLink(ctx, entity.ID, externalID, "Doc", mimeType, typ)
+			require.NoError(t, err)
+			t.Cleanup(func() { _ = tRepos.Attachments.Delete(ctx, tGroup.ID, att.ID) })
+
+			assert.Equal(t, typ, att.Type)
+			assert.Equal(t, mimeType, att.MimeType)
+		})
+	}
+}
+
+// TestAttachmentRepo_CreateExternalLink_EmptyTypeDefaultsToAttachment verifies
+// that passing an empty attachment type string results in TypeAttachment.
+func TestAttachmentRepo_CreateExternalLink_EmptyTypeDefaultsToAttachment(t *testing.T) {
+	ctx := context.Background()
+	tc := externalLinkMimeTypeCases[0]
+	entity := useEntities(t, 1)[0]
+
+	att, err := tRepos.Attachments.CreateExternalLink(ctx, entity.ID, tc.externalID, "Test", tc.mimeType, "")
 	require.NoError(t, err)
-	require.NotNil(t, att)
+	t.Cleanup(func() { _ = tRepos.Attachments.Delete(ctx, tGroup.ID, att.ID) })
 
-	t.Cleanup(func() {
-		_ = tRepos.Attachments.Delete(ctx, tGroup.ID, att.ID)
-	})
+	assert.Equal(t, attachment.TypeAttachment, att.Type)
+}
+
+// TestAttachmentRepo_CreateExternalLink_InvalidEntityID verifies that using a
+// non-existent entity ID returns an error.
+func TestAttachmentRepo_CreateExternalLink_InvalidEntityID(t *testing.T) {
+	tc := externalLinkMimeTypeCases[0]
 
-	assert.Equal(t, "https://example.com/manual", att.Path)
-	assert.Equal(t, "Example Manual", att.Title)
-	assert.Equal(t, MimeTypeLinkURL, att.MimeType)
-	assert.Equal(t, attachment.TypeManual, att.Type)
-	assert.False(t, att.Primary)
+	_, err := tRepos.Attachments.CreateExternalLink(context.Background(), uuid.New(), tc.externalID, "Orphan", tc.mimeType, attachment.TypeAttachment)
+	assert.Error(t, err)
 }
 
+// TestAttachmentRepo_DeleteExternalLink verifies that a created external-link
+// attachment can be deleted and is no longer retrievable.
 func TestAttachmentRepo_DeleteExternalLink(t *testing.T) {
 	ctx := context.Background()
 	entity := useEntities(t, 1)[0]
+	tc := externalLinkMimeTypeCases[0]
 
-	att, err := tRepos.Attachments.CreateExternalLink(
-		ctx,
-		entity.ID,
-		"https://example.com/receipt",
-		"Example Receipt",
-		MimeTypeLinkURL,
-		attachment.TypeReceipt,
-	)
+	att, err := tRepos.Attachments.CreateExternalLink(ctx, entity.ID, tc.externalID, "Delete Me", tc.mimeType, attachment.TypeAttachment)
 	require.NoError(t, err)
 
 	err = tRepos.Attachments.Delete(ctx, tGroup.ID, att.ID)
@@ -185,24 +252,22 @@ func TestAttachmentRepo_DeleteExternalLink(t *testing.T) {
 	require.Error(t, err)
 }
 
+// TestAttachmentRepo_DeleteExternalLink_DoesNotRequireBlobStorage verifies that
+// deleting an external-link attachment does not attempt blob-storage I/O.
 func TestAttachmentRepo_DeleteExternalLink_DoesNotRequireBlobStorage(t *testing.T) {
 	ctx := context.Background()
-
 	repos := New(tClient, tbus, config.Storage{PrefixPath: "/", ConnString: "mem://"}, "mem://{{ .Topic }}", config.Thumbnail{Enabled: false})
 	entity := useEntities(t, 1)[0]
+	tc := externalLinkMimeTypeCases[0]
 
-	att, err := repos.Attachments.CreateExternalLink(
-		ctx,
-		entity.ID,
-		"https://example.com/no-blob",
-		"No Blob",
-		MimeTypeLinkURL,
-		attachment.TypeAttachment,
-	)
+	att, err := repos.Attachments.CreateExternalLink(ctx, entity.ID, tc.externalID, "No Blob", tc.mimeType, attachment.TypeAttachment)
 	require.NoError(t, err)
 
 	err = repos.Attachments.Delete(ctx, tGroup.ID, att.ID)
 	require.NoError(t, err)
+
+	_, err = tRepos.Attachments.Get(ctx, tGroup.ID, att.ID)
+	assert.Error(t, err)
 }
 
 func TestAttachmentRepo_EnsureSinglePrimaryAttachment(t *testing.T) {
diff --git a/frontend/components/Item/AttachmentsList.vue b/frontend/components/Item/AttachmentsList.vue
index 5140821cc..74aa342a5 100644
--- a/frontend/components/Item/AttachmentsList.vue
+++ b/frontend/components/Item/AttachmentsList.vue
@@ -1,68 +1,181 @@
 <template>
   <ul role="list" class="divide-y rounded-md border">
-    <li
-      v-for="attachment in attachments"
-      :key="attachment.id"
-      class="flex items-center justify-between py-3 pl-3 pr-4 text-sm"
-    >
-      <template v-if="isExternalURLAttachment(attachment)">
-        <div class="flex w-0 flex-1 items-center">
-          <MdiLinkVariant class="size-5 shrink-0 text-gray-400" aria-hidden="true" />
-          <a
-            class="ml-2 w-0 flex-1 truncate text-primary underline"
-            :href="attachment.path"
-            target="_blank"
-            rel="noopener noreferrer"
-          >
-            {{ attachment.title }}
-          </a>
+    <li v-for="attachment in displayAttachments" :key="attachment.id" class="py-3 pl-3 pr-4 text-sm">
+      <!-- ================================================================ -->
+      <!-- Paperless document                                               -->
+      <!-- ================================================================ -->
+      <template v-if="attachment.mimeType === MIME_PAPERLESS">
+        <!-- Unconfigured: URL removed — render as plain unlinkable attachment, no service hints -->
+        <div v-if="!paperlessConfigured" class="flex items-center">
+          <MdiPaperclip class="size-5 shrink-0 text-gray-400" aria-hidden="true" />
+          <span class="ml-2 truncate">{{ attachment.title }}</span>
         </div>
-        <div class="ml-4 flex shrink-0 gap-2">
-          <TooltipProvider :delay-duration="0">
-            <Tooltip>
-              <TooltipTrigger as-child>
-                <a
-                  :class="buttonVariants({ size: 'icon' })"
-                  :href="attachment.path"
-                  target="_blank"
-                  rel="noopener noreferrer"
-                >
-                  <MdiOpenInNew />
-                </a>
-              </TooltipTrigger>
-              <TooltipContent> {{ $t("components.item.attachments_list.open_new_tab") }} </TooltipContent>
-            </Tooltip>
-          </TooltipProvider>
+
+        <!-- Configured: rich card with loading / ok / stale / error states -->
+        <div v-else class="flex w-full gap-3">
+          <!-- Thumbnail area -->
+          <div class="shrink-0">
+            <div
+              v-if="attachState(attachment) === 'loading' && !paperlessThumbUrls[attachment.path]"
+              class="flex size-14 items-center justify-center rounded border bg-muted"
+            >
+              <MdiLoading class="size-7 animate-spin text-muted-foreground" aria-hidden="true" />
+            </div>
+            <img
+              v-else-if="paperlessThumbUrls[attachment.path]"
+              :src="paperlessThumbUrls[attachment.path]"
+              class="size-14 rounded object-cover shadow"
+              alt=""
+            />
+            <div v-else class="flex size-14 items-center justify-center rounded border bg-muted">
+              <MdiFileDocument class="size-7 text-blue-500" aria-hidden="true" />
+            </div>
+          </div>
+
+          <!-- Content area -->
+          <div class="min-w-0 flex-1 space-y-1">
+            <p class="truncate font-medium leading-tight">
+              {{ paperlessDoc(attachment)?.title || attachment.title }}
+            </p>
+
+            <p
+              v-if="paperlessDoc(attachment)?.correspondent || paperlessDoc(attachment)?.document_type"
+              class="flex items-center gap-1.5 text-xs text-muted-foreground"
+            >
+              <MdiAccountOutline v-if="paperlessDoc(attachment)?.correspondent" class="size-3.5 shrink-0" />
+              <span v-if="paperlessDoc(attachment)?.correspondent" class="truncate">
+                {{ paperlessDoc(attachment)?.correspondent?.name }}
+              </span>
+              <span
+                v-if="paperlessDoc(attachment)?.correspondent && paperlessDoc(attachment)?.document_type"
+                class="text-muted-foreground/40"
+              >
+                ·
+              </span>
+              <MdiTagOutline v-if="paperlessDoc(attachment)?.document_type" class="size-3.5 shrink-0" />
+              <span v-if="paperlessDoc(attachment)?.document_type">
+                {{ paperlessDoc(attachment)?.document_type?.name }}
+              </span>
+            </p>
+
+            <div v-if="paperlessDoc(attachment)?.tags?.length" class="flex flex-wrap gap-1">
+              <span
+                v-for="tag in paperlessDoc(attachment)?.tags"
+                :key="tag.id"
+                class="inline-flex items-center rounded px-1.5 py-0.5 text-xs font-medium"
+                :style="{ backgroundColor: tag.color, color: tag.text_color }"
+              >
+                {{ tag.name }}
+              </span>
+            </div>
+
+            <p class="flex items-center gap-2 text-xs text-muted-foreground">
+              <span v-if="paperlessDoc(attachment)?.created_date">{{ paperlessDoc(attachment)?.created_date }}</span>
+              <span v-if="paperlessDoc(attachment)?.page_count" class="text-muted-foreground/40">·</span>
+              <span v-if="paperlessDoc(attachment)?.page_count"
+                >{{ paperlessDoc(attachment)?.page_count }} pages</span
+              >
+            </p>
+          </div>
+
+          <!-- Actions area -->
+          <div class="ml-2 flex shrink-0 items-start gap-1">
+            <!-- ⚠ unreachable badge -->
+            <TooltipProvider v-if="isUnreachable(attachment)" :delay-duration="0">
+              <Tooltip>
+                <TooltipTrigger>
+                  <MdiAlertCircleOutline class="size-4 text-amber-500" aria-label="Service unreachable" />
+                </TooltipTrigger>
+                <TooltipContent>{{ attachError(attachment) }}</TooltipContent>
+              </Tooltip>
+            </TooltipProvider>
+            <!-- Open in Paperless -->
+            <TooltipProvider :delay-duration="0">
+              <Tooltip>
+                <TooltipTrigger as-child>
+                  <a
+                    :class="buttonVariants({ size: 'icon', variant: 'outline' })"
+                    :href="paperlessOpenUrl(attachment)"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                  >
+                    <MdiOpenInNew />
+                  </a>
+                </TooltipTrigger>
+                <TooltipContent>
+                  {{ $t("components.item.attachments_list.open_in_service", { service: "Paperless" }) }}
+                </TooltipContent>
+              </Tooltip>
+            </TooltipProvider>
+          </div>
         </div>
       </template>
-      <template v-else>
-        <div class="flex w-0 flex-1 items-center">
-          <MdiPaperclip class="size-5 shrink-0 text-gray-400" aria-hidden="true" />
-          <span class="ml-2 w-0 flex-1 truncate"> {{ attachment.title }}</span>
+
+      <!-- Generic Link Attachment -->
+      <template v-else-if="isLink(attachment)">
+        <div class="flex items-center justify-between">
+          <div class="flex w-0 flex-1 items-center">
+            <MdiLinkVariant class="size-5 shrink-0 text-gray-400" aria-hidden="true" />
+            <a
+              class="ml-2 w-0 flex-1 truncate text-primary underline"
+              :href="attachment.path"
+              target="_blank"
+              rel="noopener noreferrer"
+            >
+              {{ attachment.title }}
+            </a>
+          </div>
+          <div class="ml-4 flex shrink-0 gap-2">
+            <TooltipProvider :delay-duration="0">
+              <Tooltip>
+                <TooltipTrigger as-child>
+                  <a
+                    :class="buttonVariants({ size: 'icon' })"
+                    :href="attachment.path"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                  >
+                    <MdiOpenInNew />
+                  </a>
+                </TooltipTrigger>
+                <TooltipContent> {{ $t("components.item.attachments_list.open_new_tab") }} </TooltipContent>
+              </Tooltip>
+            </TooltipProvider>
+          </div>
         </div>
-        <div class="ml-4 flex shrink-0 gap-2">
-          <TooltipProvider :delay-duration="0">
-            <Tooltip>
-              <TooltipTrigger as-child>
-                <a
-                  :class="buttonVariants({ size: 'icon' })"
-                  :href="attachmentURL(attachment.id)"
-                  :download="attachment.title"
-                >
-                  <MdiDownload />
-                </a>
-              </TooltipTrigger>
-              <TooltipContent> {{ $t("components.item.attachments_list.download") }} </TooltipContent>
-            </Tooltip>
-            <Tooltip>
-              <TooltipTrigger as-child>
-                <a :class="buttonVariants({ size: 'icon' })" :href="attachmentURL(attachment.id)" target="_blank">
-                  <MdiOpenInNew />
-                </a>
-              </TooltipTrigger>
-              <TooltipContent> {{ $t("components.item.attachments_list.open_new_tab") }} </TooltipContent>
-            </Tooltip>
-          </TooltipProvider>
+      </template>
+
+      <!-- File Attachment -->
+      <template v-else>
+        <div class="flex items-center justify-between">
+          <div class="flex w-0 flex-1 items-center">
+            <MdiPaperclip class="size-5 shrink-0 text-gray-400" aria-hidden="true" />
+            <span class="ml-2 w-0 flex-1 truncate"> {{ attachment.title }}</span>
+          </div>
+          <div class="ml-4 flex shrink-0 gap-2">
+            <TooltipProvider :delay-duration="0">
+              <Tooltip>
+                <TooltipTrigger as-child>
+                  <a
+                    :class="buttonVariants({ size: 'icon' })"
+                    :href="attachmentURL(attachment.id)"
+                    :download="attachment.title"
+                  >
+                    <MdiDownload />
+                  </a>
+                </TooltipTrigger>
+                <TooltipContent> {{ $t("components.item.attachments_list.download") }} </TooltipContent>
+              </Tooltip>
+              <Tooltip>
+                <TooltipTrigger as-child>
+                  <a :class="buttonVariants({ size: 'icon' })" :href="attachmentURL(attachment.id)" target="_blank">
+                    <MdiOpenInNew />
+                  </a>
+                </TooltipTrigger>
+                <TooltipContent> {{ $t("components.item.attachments_list.open_new_tab") }} </TooltipContent>
+              </Tooltip>
+            </TooltipProvider>
+          </div>
         </div>
       </template>
     </li>
@@ -70,14 +183,27 @@
 </template>
 
 <script setup lang="ts">
+  import { computed, onBeforeUnmount, onMounted, ref, watch } from "vue";
   import type { ItemAttachment } from "~~/lib/api/types/data-contracts";
+  import { useIntegrationCacheStore } from "~/stores/integration-cache";
+  import type { AttachmentFetchState } from "~/stores/integration-cache";
+  import { SERVICE_ADAPTERS, getAdapterByMimeType } from "~/lib/integration-adapters";
   import MdiPaperclip from "~icons/mdi/paperclip";
   import MdiLinkVariant from "~icons/mdi/link-variant";
   import MdiDownload from "~icons/mdi/download";
   import MdiOpenInNew from "~icons/mdi/open-in-new";
+  import MdiFileDocument from "~icons/mdi/file-document";
+  import MdiAccountOutline from "~icons/mdi/account-outline";
+  import MdiTagOutline from "~icons/mdi/tag-outline";
+  import MdiLoading from "~icons/mdi/loading";
+  import MdiAlertCircleOutline from "~icons/mdi/alert-circle-outline";
   import { buttonVariants } from "@/components/ui/button";
   import { Tooltip, TooltipContent, TooltipProvider, TooltipTrigger } from "@/components/ui/tooltip";
 
+  const MIME_LINK = "link/url";
+  /** MIME type for Paperless-ngx document links — sourced from the adapter registry. */
+  const MIME_PAPERLESS = getAdapterByMimeType("paperless/document")!.mimeType;
+
   const props = defineProps({
     attachments: {
       type: Object as () => ItemAttachment[],
@@ -90,17 +216,338 @@
   });
 
   const api = useUserApi();
+  const store = useIntegrationCacheStore();
+  const { t } = useI18n();
+
+  // ---------------------------------------------------------------------------
+  // Settings state (reactive, driven by store)
+  // ---------------------------------------------------------------------------
+
+  const paperlessConfigured = computed(() => !!store.serviceUrls["paperless"]?.trim());
+
+  // ---------------------------------------------------------------------------
+  // Runtime lift: treat link/url attachments as their service type when the
+  // URL matches.
+  //  - Configured service + host matches → lifted (full card + hydration)
+  //  - No configured service URL + pattern matches → lifted (demoted plain
+  //    paperclip, no hydration because service is unconfigured)
+  //  - Configured service + host doesn't match → NOT lifted (URL link, safe)
+  // ---------------------------------------------------------------------------
+
+  function liftAttachment(attachment: ItemAttachment): ItemAttachment {
+    if (attachment.mimeType !== MIME_LINK) return attachment;
+    for (const adapter of SERVICE_ADAPTERS) {
+      const configuredUrl = store.serviceUrls[adapter.name]?.trim();
+      if (!configuredUrl) continue; // service not configured → keep as plain link/url
+      const id = adapter.extractId(attachment.path, configuredUrl);
+      if (id !== null) return { ...attachment, mimeType: adapter.mimeType, path: id };
+    }
+    return attachment;
+  }
+
+  /**
+   * Attachments as the template sees them.  link/url entries that match a
+   * service URL are lifted to the correct mimeType/path so the existing
+   * Paperless card branch handles them automatically.
+   */
+  const displayAttachments = computed(() => props.attachments.map(liftAttachment));
+
+  // ---------------------------------------------------------------------------
+  // Thumbnail state (component-local — objectURLs must be revoked on unmount)
+  // ---------------------------------------------------------------------------
+
+  const paperlessThumbUrls = ref<Record<string, string>>({});
+  const objectUrls = new Set<string>();
+
+  function createObjectUrl(blob: Blob): string {
+    const url = URL.createObjectURL(blob);
+    objectUrls.add(url);
+    return url;
+  }
+
+  onBeforeUnmount(() => {
+    for (const url of objectUrls) URL.revokeObjectURL(url);
+    objectUrls.clear();
+  });
+
+  // ---------------------------------------------------------------------------
+  // Enriched-data types
+  // ---------------------------------------------------------------------------
+
+  interface PaperlessTag {
+    id: number;
+    name: string;
+    color: string;
+    text_color: string;
+  }
+
+  interface PaperlessRelated {
+    id: number;
+    name: string;
+  }
+
+  interface PaperlessEnrichedDoc {
+    id: number;
+    title: string;
+    created_date: string;
+    page_count: number;
+    correspondent: PaperlessRelated | null;
+    document_type: PaperlessRelated | null;
+    tags: PaperlessTag[];
+  }
+
+  // ---------------------------------------------------------------------------
+  // Store-backed typed getters
+  // ---------------------------------------------------------------------------
+
+  function paperlessDoc(attachment: ItemAttachment): PaperlessEnrichedDoc | null {
+    return (store.getEnrichedData("paperless", attachment.path) as PaperlessEnrichedDoc | undefined) ?? null;
+  }
+
+  function attachState(attachment: ItemAttachment): AttachmentFetchState | undefined {
+    return store.fetchStates[attachment.id];
+  }
+
+  function attachError(attachment: ItemAttachment): string | undefined {
+    return store.fetchErrors[attachment.id];
+  }
+
+  /** True when state is stale or error (server was unreachable). */
+  function isUnreachable(attachment: ItemAttachment): boolean {
+    const s = attachState(attachment);
+    return s === "stale" || s === "error";
+  }
+
+  // ---------------------------------------------------------------------------
+  // URL helpers
+  // ---------------------------------------------------------------------------
 
   function attachmentURL(attachmentId: string) {
     return api.authURL(`/entities/${props.itemId}/attachments/${attachmentId}`);
   }
 
-  function isExternalURLAttachment(attachment: ItemAttachment) {
-    if (attachment.mimeType === "link/url") {
-      return true;
+  function proxyUrl(serviceName: string, relativePath: string): string {
+    return `/api/v1/integrations/${serviceName}/proxy?path=${encodeURIComponent(relativePath)}`;
+  }
+
+  function paperlessOpenUrl(attachment: ItemAttachment): string {
+    const base = (store.serviceUrls["paperless"] ?? "").replace(/\/$/, "");
+    if (!base) return "#";
+    return `${base}/documents/${attachment.path}/details`;
+  }
+
+
+  function isLink(attachment: ItemAttachment): boolean {
+    return attachment.mimeType === MIME_LINK;
+  }
+
+  // ---------------------------------------------------------------------------
+  // Error classification
+  // ---------------------------------------------------------------------------
+
+  /**
+   * Turn a caught fetch error into a human-readable tooltip string.
+   * Errors thrown by fetchX functions carry the HTTP status in their message
+   * as "HTTP {status}" so we can show a precise reason.
+   */
+  function describeRequestError(err: unknown, baseUrl: string): string {
+    const msg = err instanceof Error ? err.message : "";
+    const statusMatch = msg.match(/^HTTP (\d+)$/);
+    if (statusMatch) {
+      const status = Number(statusMatch[1]);
+      if (status === 401 || status === 403) {
+        return t("components.item.attachments_list.errors.auth_failed");
+      }
+      return t("components.item.attachments_list.errors.request_failed", { status });
+    }
+    // No HTTP status → network-level failure (DNS, refused connection, etc.)
+    return t("components.item.attachments_list.errors.service_unreachable", { baseUrl });
+  }
+
+  // ---------------------------------------------------------------------------
+  // Paperless hydration
+  // ---------------------------------------------------------------------------
+
+  async function fetchPaperlessEnrichedDoc(docId: string): Promise<PaperlessEnrichedDoc> {
+    const rawRes = await fetch(proxyUrl("paperless", `/api/documents/${docId}/`));
+    if (!rawRes.ok) throw new Error(`HTTP ${rawRes.status}`);
+
+    const raw = (await rawRes.json()) as {
+      id: number;
+      title: string;
+      created_date: string;
+      page_count: number;
+      correspondent?: number;
+      document_type?: number;
+      tags?: number[];
+    };
+
+    const doc: PaperlessEnrichedDoc = {
+      id: raw.id,
+      title: raw.title,
+      created_date: raw.created_date,
+      page_count: raw.page_count,
+      correspondent: null,
+      document_type: null,
+      tags: [],
+    };
+
+    const jobs: Promise<void>[] = [];
+
+    if (raw.correspondent) {
+      jobs.push(
+        fetch(proxyUrl("paperless", `/api/correspondents/${raw.correspondent}/`))
+          .then(r => (r.ok ? r.json() : null))
+          .then(c => {
+            if (c) {
+              doc.correspondent = {
+                id: Number((c as { id?: number }).id),
+                name: String((c as { name?: string }).name || ""),
+              };
+            }
+          })
+          .catch(() => {})
+      );
+    }
+
+    if (raw.document_type) {
+      jobs.push(
+        fetch(proxyUrl("paperless", `/api/document_types/${raw.document_type}/`))
+          .then(r => (r.ok ? r.json() : null))
+          .then(d => {
+            if (d) {
+              doc.document_type = {
+                id: Number((d as { id?: number }).id),
+                name: String((d as { name?: string }).name || ""),
+              };
+            }
+          })
+          .catch(() => {})
+      );
+    }
+
+    const tagIds = Array.isArray(raw.tags) ? raw.tags : [];
+    const tagResults: Array<PaperlessTag | null> = new Array(tagIds.length).fill(null);
+    tagIds.forEach((tagId, idx) => {
+      jobs.push(
+        fetch(proxyUrl("paperless", `/api/tags/${tagId}/`))
+          .then(r => (r.ok ? r.json() : null))
+          .then(t => {
+            if (t) {
+              tagResults[idx] = {
+                id: Number((t as { id?: number }).id),
+                name: String((t as { name?: string }).name || ""),
+                color: String((t as { color?: string }).color || "#E5E7EB"),
+                text_color: String((t as { text_color?: string }).text_color || "#111827"),
+              };
+            }
+          })
+          .catch(() => {})
+      );
+    });
+
+    await Promise.all(jobs);
+    doc.tags = tagResults.filter((tag): tag is PaperlessTag => tag !== null);
+    return doc;
+  }
+
+  async function fetchPaperlessThumbnail(docId: string): Promise<void> {
+    if (paperlessThumbUrls.value[docId]) return;
+    const res = await fetch(proxyUrl("paperless", `/api/documents/${docId}/thumb/`));
+    if (!res.ok) return;
+    paperlessThumbUrls.value[docId] = createObjectUrl(await res.blob());
+  }
+
+  async function hydratePaperless(attachment: ItemAttachment): Promise<void> {
+    const docId = attachment.path;
+    const configuredUrl = store.serviceUrls["paperless"] ?? "";
+    const cached = store.getEnrichedData("paperless", docId);
+
+    // Show cached data immediately (stale state) while we try to refresh.
+    store.setState(attachment.id, cached ? "stale" : "loading");
+
+    try {
+      const doc = await fetchPaperlessEnrichedDoc(docId);
+      store.setEnrichedData("paperless", docId, doc);
+      store.setState(attachment.id, "ok");
+      // Thumbnail is best-effort after enriched data succeeds.
+      fetchPaperlessThumbnail(docId).catch(() => {});
+    } catch (err) {
+      store.setState(attachment.id, cached ? "stale" : "error", describeRequestError(err, configuredUrl));
     }
-    return attachment.path.startsWith("http://") || attachment.path.startsWith("https://");
   }
+
+  // ---------------------------------------------------------------------------
+  // Generic dispatch — add a new service by adding a new else-if branch here
+  // ---------------------------------------------------------------------------
+
+  async function hydrateAllAttachments(attachments: ItemAttachment[]): Promise<void> {
+    await Promise.all(
+      attachments.map(async attachment => {
+        const serviceName = mimeToServiceName(attachment.mimeType);
+        if (!serviceName) return; // not a service attachment
+        if (!store.serviceUrls[serviceName]?.trim()) return; // unconfigured — show degraded state
+        if (serviceName === "paperless") {
+          await hydratePaperless(attachment);
+        }
+      })
+    );
+  }
+
+  /** Maps a service MIME type to its service name, or null for non-service types. */
+  function mimeToServiceName(mimeType: string): string | null {
+    return getAdapterByMimeType(mimeType)?.name ?? null;
+  }
+
+  // ---------------------------------------------------------------------------
+  // Lifecycle
+  // ---------------------------------------------------------------------------
+
+  onMounted(async () => {
+    await store.loadSettings(api);
+    void hydrateAllAttachments(displayAttachments.value);
+  });
+
+  // React to new/removed attachments.
+  watch(
+    () => props.attachments,
+    async newAttachments => {
+      const lifted = newAttachments.map(liftAttachment);
+      const fresh = lifted.filter(a => !(a.id in store.fetchStates));
+      if (fresh.length > 0) {
+        void hydrateAllAttachments(fresh);
+      }
+    }
+  );
+
+  /**
+   * React to URL additions/removals in the store (e.g. user saves/clears the
+   * service URL in Profile Settings while this component is mounted).
+   * - URL added   → hydrate all attachments for that service (promote)
+   * - URL removed → clear fetch state so they fall back to the unconfigured card
+   */
+  watch(
+    () => ({ ...store.serviceUrls }),
+    (newUrls, oldUrls) => {
+      for (const [name, newUrl] of Object.entries(newUrls)) {
+        const oldUrl = oldUrls?.[name] ?? "";
+        if (newUrl === oldUrl) continue;
+
+        const affected = displayAttachments.value.filter(a => mimeToServiceName(a.mimeType) === name);
+        if (affected.length === 0) continue;
+
+        if (!newUrl.trim()) {
+          // URL removed → demote: clear state so template shows the unconfigured card.
+          for (const a of affected) store.clearAttachmentState(a.id);
+        } else {
+          // URL added/changed → promote: re-hydrate all affected attachments.
+          for (const a of affected) store.clearAttachmentState(a.id);
+          void hydrateAllAttachments(affected);
+        }
+      }
+    },
+    { deep: false }
+  );
 </script>
 
 <style scoped></style>
diff --git a/frontend/composables/preferences-utils.ts b/frontend/composables/preferences-utils.ts
new file mode 100644
index 000000000..b23395ede
--- /dev/null
+++ b/frontend/composables/preferences-utils.ts
@@ -0,0 +1,101 @@
+/**
+ * Pure, framework-free utilities for view-preference syncing.
+ * Extracted so they can be unit-tested without a Nuxt/Vue environment.
+ */
+import type { EntitySummary } from "~/lib/api/types/data-contracts";
+import type { DaisyTheme } from "~~/lib/data/themes";
+
+export type ViewType = "table" | "card";
+
+export type DuplicateSettings = {
+  copyMaintenance: boolean;
+  copyAttachments: boolean;
+  copyCustomFields: boolean;
+  copyPrefixOverride: string | null;
+};
+
+export type LocationViewPreferences = {
+  showDetails: boolean;
+  showEmpty: boolean;
+  editorAdvancedView: boolean;
+  itemDisplayView: ViewType;
+  theme: DaisyTheme;
+  itemsPerTablePage: number;
+  tableHeaders?: {
+    value: keyof EntitySummary;
+    enabled: boolean;
+  }[];
+  displayLegacyHeader: boolean;
+  legacyImageFit: boolean;
+  language?: string | null;
+  overrideFormatLocale?: string | null;
+  collectionId?: string | null;
+  duplicateSettings: DuplicateSettings;
+  shownMultiTabWarning: boolean;
+  quickActions: {
+    enabled: boolean;
+  };
+};
+
+export type PreferenceSyncConfig = Partial<Record<keyof LocationViewPreferences, boolean>>;
+
+export const DEFAULT_PREFERENCES: LocationViewPreferences = {
+  showDetails: true,
+  showEmpty: true,
+  editorAdvancedView: false,
+  itemDisplayView: "card",
+  theme: "homebox",
+  itemsPerTablePage: 10,
+  displayLegacyHeader: false,
+  legacyImageFit: false,
+  language: null,
+  overrideFormatLocale: null,
+  duplicateSettings: {
+    copyMaintenance: false,
+    copyAttachments: true,
+    copyCustomFields: true,
+    copyPrefixOverride: null,
+  },
+  shownMultiTabWarning: false,
+  quickActions: {
+    enabled: true,
+  },
+};
+
+const preferenceKeys = Object.keys(DEFAULT_PREFERENCES) as (keyof LocationViewPreferences)[];
+
+export function forEachSyncedPreference(
+  syncConfig: PreferenceSyncConfig,
+  callback: (key: keyof LocationViewPreferences) => void
+) {
+  for (const key of preferenceKeys) {
+    if (syncConfig[key] !== false) {
+      callback(key);
+    }
+  }
+}
+
+export function buildSyncedSettings(
+  preferences: LocationViewPreferences,
+  syncConfig: PreferenceSyncConfig
+): Record<string, unknown> {
+  const payload: Record<string, unknown> = {};
+  forEachSyncedPreference(syncConfig, key => {
+    payload[key] = preferences[key];
+  });
+  return payload;
+}
+
+export function mergeSyncedSettings(
+  settings: Record<string, unknown>,
+  preferences: LocationViewPreferences,
+  syncConfig: PreferenceSyncConfig
+): LocationViewPreferences {
+  const nextPreferences = { ...preferences };
+  forEachSyncedPreference(syncConfig, key => {
+    if (key in settings) {
+      nextPreferences[key] = settings[key] as never;
+    }
+  });
+  return nextPreferences;
+}
diff --git a/frontend/composables/use-preferences.test.ts b/frontend/composables/use-preferences.test.ts
new file mode 100644
index 000000000..01890a79e
--- /dev/null
+++ b/frontend/composables/use-preferences.test.ts
@@ -0,0 +1,109 @@
+/**
+ * Tests for the pure helper functions in preferences-utils.ts.
+ *
+ * These tests exist specifically to catch the class of bug where
+ * `saveToServer` would call `setSettings(buildSyncedSettings(...))` directly,
+ * wiping integration keys (paperless_url, paperless_token, etc.) that are
+ * stored alongside preference keys in the same settings object.
+ *
+ * Regression: the fix ensures `saveToServer` does GET → merge → PUT.
+ * The tests below verify the invariants that make the merge safe.
+ */
+import { describe, expect, it } from "vitest";
+import { DEFAULT_PREFERENCES, buildSyncedSettings, mergeSyncedSettings } from "./preferences-utils";
+import { SERVICE_ADAPTERS } from "../lib/integration-adapters";
+
+// Keys that live in the settings object but are NOT preferences and must never
+// be overwritten by a bare preferences save.
+const INTEGRATION_KEYS = SERVICE_ADAPTERS.flatMap(a => [a.settingsUrlKey, a.settingsTokenKey]);
+
+// Default sync config (all preference keys synced).
+const SYNC_ALL = {};
+
+describe("use-preferences pure helpers", () => {
+  describe("buildSyncedSettings", () => {
+    it("never includes integration keys", () => {
+      const payload = buildSyncedSettings(DEFAULT_PREFERENCES, SYNC_ALL);
+      for (const key of INTEGRATION_KEYS) {
+        expect(Object.prototype.hasOwnProperty.call(payload, key)).toBe(false);
+      }
+    });
+
+    it("includes known preference keys", () => {
+      const payload = buildSyncedSettings(DEFAULT_PREFERENCES, SYNC_ALL);
+      expect(payload).toHaveProperty("showDetails");
+      expect(payload).toHaveProperty("theme");
+      expect(payload).toHaveProperty("duplicateSettings");
+    });
+
+    it("reflects actual preference values", () => {
+      const prefs = { ...DEFAULT_PREFERENCES, showDetails: false, theme: "dark" as never };
+      const payload = buildSyncedSettings(prefs, SYNC_ALL);
+      expect(payload.showDetails).toBe(false);
+      expect(payload.theme).toBe("dark");
+    });
+
+    it("respects syncConfig exclusions", () => {
+      const payload = buildSyncedSettings(DEFAULT_PREFERENCES, { itemDisplayView: false });
+      expect(payload).not.toHaveProperty("itemDisplayView");
+      expect(payload).toHaveProperty("showDetails");
+    });
+  });
+
+  describe("mergeSyncedSettings – regression: integration keys are preserved", () => {
+    it("does NOT copy integration keys from server settings into preferences", () => {
+      const serverSettings = {
+        showDetails: false,
+        paperless_url: "http://localhost:8000",
+        paperless_token: "secret",
+      };
+      const result = mergeSyncedSettings(serverSettings, DEFAULT_PREFERENCES, SYNC_ALL);
+      // mergeSyncedSettings only touches known preference keys – integration keys
+      // must not appear on the preferences object.
+      expect((result as Record<string, unknown>).paperless_url).toBeUndefined();
+      expect((result as Record<string, unknown>).paperless_token).toBeUndefined();
+    });
+
+    it("merges known preference keys from server settings", () => {
+      const serverSettings = { showDetails: false, theme: "dark" };
+      const result = mergeSyncedSettings(serverSettings, DEFAULT_PREFERENCES, SYNC_ALL);
+      expect(result.showDetails).toBe(false);
+      expect(result.theme).toBe("dark");
+    });
+
+    it("preserves local preference values for keys absent from server", () => {
+      const result = mergeSyncedSettings({}, { ...DEFAULT_PREFERENCES, showDetails: false }, SYNC_ALL);
+      expect(result.showDetails).toBe(false);
+    });
+  });
+
+  describe("merge round-trip – the exact scenario that was broken", () => {
+    /**
+     * Simulates what saveToServer now does correctly:
+     *   existing = await getSettings()         ← includes paperless_url
+     *   merged   = { ...existing, ...buildSyncedSettings(prefs, syncConfig) }
+     *   await setSettings(merged)              ← must still contain paperless_url
+     *
+     * Previously: setSettings(buildSyncedSettings(prefs))  ← wiped paperless_url
+     */
+    it("merged payload preserves integration keys after preference save", () => {
+      const existingServerSettings: Record<string, unknown> = {
+        showDetails: true,
+        theme: "homebox",
+        paperless_url: "http://localhost:8000",
+        paperless_token: "secret-token",
+      };
+
+      const localPrefs = { ...DEFAULT_PREFERENCES, showDetails: false };
+      const prefPayload = buildSyncedSettings(localPrefs, SYNC_ALL);
+
+      // This is the fixed merge: existing settings first, preferences on top.
+      const merged = { ...existingServerSettings, ...prefPayload };
+
+      expect(merged.paperless_url).toBe("http://localhost:8000");
+      expect(merged.paperless_token).toBe("secret-token");
+      // And preferences are still updated:
+      expect(merged.showDetails).toBe(false);
+    });
+  });
+});
diff --git a/frontend/composables/use-preferences.ts b/frontend/composables/use-preferences.ts
index a090549cb..a123e3562 100644
--- a/frontend/composables/use-preferences.ts
+++ b/frontend/composables/use-preferences.ts
@@ -1,62 +1,15 @@
 import type { Ref } from "vue";
-import type { EntitySummary } from "~/lib/api/types/data-contracts";
-import type { DaisyTheme } from "~~/lib/data/themes";
+import {
+  type LocationViewPreferences,
+  type PreferenceSyncConfig,
+  DEFAULT_PREFERENCES,
+  buildSyncedSettings,
+  mergeSyncedSettings,
+} from "./preferences-utils";
 
-export type ViewType = "table" | "card";
+export type { ViewType, DuplicateSettings, LocationViewPreferences, PreferenceSyncConfig } from "./preferences-utils";
+export { DEFAULT_PREFERENCES, buildSyncedSettings, mergeSyncedSettings } from "./preferences-utils";
 
-export type DuplicateSettings = {
-  copyMaintenance: boolean;
-  copyAttachments: boolean;
-  copyCustomFields: boolean;
-  copyPrefixOverride: string | null;
-};
-
-export type LocationViewPreferences = {
-  showDetails: boolean;
-  showEmpty: boolean;
-  editorAdvancedView: boolean;
-  itemDisplayView: ViewType;
-  theme: DaisyTheme;
-  itemsPerTablePage: number;
-  tableHeaders?: {
-    value: keyof EntitySummary;
-    enabled: boolean;
-  }[];
-  displayLegacyHeader: boolean;
-  legacyImageFit: boolean;
-  language?: string | null;
-  overrideFormatLocale?: string | null;
-  collectionId?: string | null;
-  duplicateSettings: DuplicateSettings;
-  shownMultiTabWarning: boolean;
-  quickActions: {
-    enabled: boolean;
-  };
-};
-export type PreferenceSyncConfig = Partial<Record<keyof LocationViewPreferences, boolean>>;
-
-const DEFAULT_PREFERENCES: LocationViewPreferences = {
-  showDetails: true,
-  showEmpty: true,
-  editorAdvancedView: false,
-  itemDisplayView: "card",
-  theme: "homebox",
-  itemsPerTablePage: 10,
-  displayLegacyHeader: false,
-  legacyImageFit: false,
-  language: null,
-  overrideFormatLocale: null,
-  duplicateSettings: {
-    copyMaintenance: false,
-    copyAttachments: true,
-    copyCustomFields: true,
-    copyPrefixOverride: null,
-  },
-  shownMultiTabWarning: false,
-  quickActions: {
-    enabled: true,
-  },
-};
 let syncConfig: PreferenceSyncConfig = {
   itemDisplayView: false,
   shownMultiTabWarning: false,
@@ -64,41 +17,8 @@ let syncConfig: PreferenceSyncConfig = {
 
 let syncInitialized = false;
 
-const preferenceKeys = Object.keys(DEFAULT_PREFERENCES) as (keyof LocationViewPreferences)[];
-
 const results = useLocalStorage("homebox/preferences/location", DEFAULT_PREFERENCES, { mergeDefaults: true });
 
-function forEachSyncedPreference(callback: (key: keyof LocationViewPreferences) => void) {
-  for (const key of preferenceKeys) {
-    if (syncConfig[key] !== false) {
-      callback(key);
-    }
-  }
-}
-
-function buildSyncedSettings(preferences: LocationViewPreferences): Record<string, unknown> {
-  const payload: Record<string, unknown> = {};
-  forEachSyncedPreference(key => {
-    payload[key] = preferences[key];
-  });
-  return payload;
-}
-
-function mergeSyncedSettings(
-  settings: Record<string, unknown>,
-  preferences: LocationViewPreferences
-): LocationViewPreferences {
-  const nextPreferences = { ...preferences };
-
-  forEachSyncedPreference(key => {
-    if (key in settings) {
-      nextPreferences[key] = settings[key] as never;
-    }
-  });
-
-  return nextPreferences;
-}
-
 export function configureViewPreferenceSync(config: PreferenceSyncConfig) {
   syncConfig = {
     ...syncConfig,
@@ -118,7 +38,7 @@ async function refreshViewPreferencesFromServer(preferences: Ref<LocationViewPre
     return;
   }
 
-  preferences.value = mergeSyncedSettings(data.item, preferences.value);
+  preferences.value = mergeSyncedSettings(data.item, preferences.value, syncConfig);
 }
 export function useViewPreferencesSync() {
   if (syncInitialized || !import.meta.client) {
@@ -163,7 +83,9 @@ export function useViewPreferencesSync() {
     try {
       while (syncedRevision < localRevision && !pauseServerSaves && auth.isAuthorized()) {
         const targetRevision = localRevision;
-        const { error } = await api.user.setSettings(buildSyncedSettings(preferences.value));
+        const { data: current } = await api.user.getSettings();
+        const merged = { ...(current?.item ?? {}), ...buildSyncedSettings(preferences.value, syncConfig) };
+        const { error } = await api.user.setSettings(merged);
         if (error) {
           scheduleRetry();
           return;
diff --git a/frontend/lib/integration-adapters.test.ts b/frontend/lib/integration-adapters.test.ts
new file mode 100644
index 000000000..f0ec11bb5
--- /dev/null
+++ b/frontend/lib/integration-adapters.test.ts
@@ -0,0 +1,156 @@
+import { describe, expect, it } from "vitest";
+import {
+  SERVICE_ADAPTERS,
+  classifyDroppedUrl,
+  detectServiceFromUrl,
+  extractPaperlessDocId,
+  getAdapter,
+  getAdapterByMimeType,
+} from "./integration-adapters";
+
+describe("integration adapters", () => {
+  describe("extractPaperlessDocId", () => {
+    it("extracts doc id from /documents/{id}", () => {
+      expect(extractPaperlessDocId("https://paperless.local/documents/42", "https://paperless.local")).toBe("42");
+    });
+
+    it("extracts doc id from /documents/{id}/details", () => {
+      expect(extractPaperlessDocId("https://paperless.local/documents/42/details", "https://paperless.local")).toBe(
+        "42"
+      );
+    });
+
+    it("returns null for foreign host", () => {
+      expect(extractPaperlessDocId("https://paperless.local.evil/documents/42", "https://paperless.local")).toBeNull();
+    });
+
+    it("supports base path setups", () => {
+      expect(
+        extractPaperlessDocId(
+          "https://example.local/paperless/documents/500/details",
+          "https://example.local/paperless"
+        )
+      ).toBe("500");
+    });
+
+    it("extracts doc id without base URL", () => {
+      expect(extractPaperlessDocId("https://paperless.local/documents/77/details")).toBe("77");
+    });
+
+    it("extracts doc id when configured base URL is invalid", () => {
+      expect(extractPaperlessDocId("https://paperless.local/documents/99/details", "homebox")).toBe("99");
+    });
+
+    it("extracts doc id from bare-hostname URLs", () => {
+      expect(extractPaperlessDocId("localhost/documents/2/details")).toBe("2");
+    });
+
+    it("trims whitespace around URL and base URL", () => {
+      expect(extractPaperlessDocId("  http://localhost:8000/documents/7/  ", "  http://localhost:8000/  ")).toBe("7");
+    });
+  });
+
+  describe("detectServiceFromUrl", () => {
+    const settings = {
+      paperless_url: "https://paperless.local",
+    } as Record<string, string>;
+
+    it("detects paperless via configured base URL", () => {
+      expect(detectServiceFromUrl("https://paperless.local/documents/1", settings)?.name).toBe("paperless");
+    });
+
+    it("detects paperless with sub-path installation", () => {
+      const subPathSettings = { paperless_url: "https://example.local/paperless" } as Record<string, string>;
+      expect(detectServiceFromUrl("https://example.local/paperless/documents/1", subPathSettings)?.name).toBe(
+        "paperless"
+      );
+    });
+
+    it("returns null for paperless URL when settings are empty (no fallback)", () => {
+      expect(detectServiceFromUrl("https://any.host/documents/1/details", {})).toBeNull();
+    });
+
+    it("does not match host-prefix attacks", () => {
+      expect(detectServiceFromUrl("https://paperless.local.evil/documents/1", settings)).toBeNull();
+    });
+
+    it("returns null for unknown services", () => {
+      expect(detectServiceFromUrl("https://example.org/something", settings)).toBeNull();
+    });
+  });
+
+  describe("classifyDroppedUrl", () => {
+    const settings = {
+      paperless_url: "https://paperless.local",
+    } as Record<string, string>;
+
+    it("classifies paperless URL", () => {
+      const result = classifyDroppedUrl("https://paperless.local/documents/42/details", settings);
+      expect(result?.adapter.name).toBe("paperless");
+      expect(result?.id).toBe("42");
+    });
+
+    it("returns null for paperless URL with no settings configured (no fallback)", () => {
+      expect(classifyDroppedUrl("https://any.host/documents/7/details", {})).toBeNull();
+    });
+
+    it("returns null for unrecognised URL", () => {
+      expect(classifyDroppedUrl("https://example.org/something", settings)).toBeNull();
+    });
+
+    it("returns null when URL matches service host but id cannot be extracted", () => {
+      // URL host matches paperless but path has no document ID
+      expect(classifyDroppedUrl("https://paperless.local/dashboard", settings)).toBeNull();
+    });
+
+    it("classifies paperless URL with whitespace around value", () => {
+      const result = classifyDroppedUrl("  https://paperless.local/documents/42/details  ", settings);
+      expect(result?.adapter.name).toBe("paperless");
+      expect(result?.id).toBe("42");
+    });
+  });
+
+  describe("getAdapter", () => {
+    it("returns paperless adapter by name", () => {
+      expect(getAdapter("paperless")?.name).toBe("paperless");
+    });
+
+    it("returns undefined for unknown name", () => {
+      expect(getAdapter("unknown")).toBeUndefined();
+    });
+  });
+
+  describe("getAdapterByMimeType", () => {
+    it("returns paperless adapter for paperless/document", () => {
+      expect(getAdapterByMimeType("paperless/document")?.name).toBe("paperless");
+    });
+
+    it("returns undefined for unknown MIME type", () => {
+      expect(getAdapterByMimeType("application/pdf")).toBeUndefined();
+    });
+  });
+
+  describe("adapter buildTitle", () => {
+    it("paperless buildTitle includes the doc id", () => {
+      expect(getAdapter("paperless")?.buildTitle("42")).toBe("Paperless Document 42");
+    });
+  });
+
+  describe("SERVICE_ADAPTERS registry", () => {
+    it("contains paperless", () => {
+      const names = SERVICE_ADAPTERS.map(a => a.name);
+      expect(names).toContain("paperless");
+    });
+
+    it("each adapter has required fields", () => {
+      for (const adapter of SERVICE_ADAPTERS) {
+        expect(adapter.name).toBeTruthy();
+        expect(adapter.mimeType).toMatch(/^[a-z][a-z0-9_+-]*\/[a-z][a-z0-9_+-]*$/);
+        expect(adapter.settingsUrlKey).toContain("_url");
+        expect(adapter.settingsTokenKey).toContain("_token");
+        expect(typeof adapter.extractId).toBe("function");
+        expect(typeof adapter.buildTitle).toBe("function");
+      }
+    });
+  });
+});
diff --git a/frontend/lib/integration-adapters.ts b/frontend/lib/integration-adapters.ts
new file mode 100644
index 000000000..4db24a8b9
--- /dev/null
+++ b/frontend/lib/integration-adapters.ts
@@ -0,0 +1,170 @@
+/**
+ * Integration adapter registry for external link services (Paperless, …).
+ *
+ * To add a new service:
+ *  1. Add an `extractXyzId` function below using `extractWithPattern`.
+ *  2. Push a new `ServiceAdapter` entry to `SERVICE_ADAPTERS`.
+ *  That's it – drop detection, classification, and hydration are all registry-driven.
+ */
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export interface ServiceAdapter {
+  /** Unique service identifier. Also used as the MIME type prefix and settings key prefix. */
+  name: string;
+  /** Full MIME type stored on attachments, e.g. "paperless/document". */
+  mimeType: string;
+  /** User-settings key for the service base URL. */
+  settingsUrlKey: string;
+  /** User-settings key for the service API token. */
+  settingsTokenKey: string;
+  /** Extract the provider-specific ID from a URL. Returns null when not matched. */
+  extractId: (url: string, baseUrl?: string) => string | null;
+  /** Build a default human-readable title for a newly linked attachment. */
+  buildTitle: (id: string) => string;
+}
+
+// ---------------------------------------------------------------------------
+// Shared extraction helper
+// ---------------------------------------------------------------------------
+
+/**
+ * Try to extract a capture group from `url`'s path using `pattern`.
+ * If `baseUrl` is provided and parseable, the host must match and the path
+ * must start at the configured base path. If `baseUrl` is absent or invalid,
+ * the pattern is matched against the full pathname (heuristic fallback).
+ */
+function extractWithPattern(url: string, baseUrl: string | undefined, pattern: RegExp): string | null {
+  const trimmedUrl = url.trim();
+  if (!trimmedUrl) return null;
+
+  // Normalise bare hostnames (e.g. "localhost/documents/2") to a parseable URL.
+  const normalisedUrl = /^https?:\/\//i.test(trimmedUrl) ? trimmedUrl : `http://${trimmedUrl}`;
+  try {
+    const target = new URL(normalisedUrl);
+    let basePath = "";
+
+    if (baseUrl?.trim()) {
+      try {
+        const base = new URL(baseUrl.trim());
+        if (base.origin !== target.origin) return null;
+        basePath = base.pathname.replace(/\/$/, "");
+        if (basePath && !target.pathname.startsWith(basePath + "/") && target.pathname !== basePath) {
+          return null;
+        }
+      } catch (e) {
+        // Invalid configured base URL – fall through to pattern-only match.
+        console.warn("integration-adapters: invalid baseUrl, falling back to pattern-only match:", baseUrl, e);
+      }
+    }
+
+    const pathAfterBase = target.pathname.slice(basePath.length || 0);
+    return pathAfterBase.match(pattern)?.[1] ?? null;
+  } catch {
+    return null;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Per-service ID extractors (one function per service)
+// ---------------------------------------------------------------------------
+
+/** Extract Paperless document ID from patterns: /documents/{id} or /documents/{id}/details */
+export function extractPaperlessDocId(url: string, baseUrl?: string): string | null {
+  return extractWithPattern(url, baseUrl, /\/documents\/(\d+)(?:\/details)?\/?$/);
+}
+
+// ---------------------------------------------------------------------------
+// Service registry – the single source of truth for all integrations
+// ---------------------------------------------------------------------------
+
+export const SERVICE_ADAPTERS: ServiceAdapter[] = [
+  {
+    name: "paperless",
+    mimeType: "paperless/document",
+    settingsUrlKey: "paperless_url",
+    settingsTokenKey: "paperless_token",
+    extractId: extractPaperlessDocId,
+    buildTitle: id => `Paperless Document ${id}`,
+  },
+];
+
+// ---------------------------------------------------------------------------
+// Generic helpers consumed by the rest of the frontend
+// ---------------------------------------------------------------------------
+
+/** Look up an adapter by service name. */
+export function getAdapter(name: string): ServiceAdapter | undefined {
+  return SERVICE_ADAPTERS.find(a => a.name === name);
+}
+
+/** Look up an adapter by MIME type. */
+export function getAdapterByMimeType(mimeType: string): ServiceAdapter | undefined {
+  return SERVICE_ADAPTERS.find(a => a.mimeType === mimeType);
+}
+
+/**
+ * Detect which integration service a URL belongs to.
+ * Strategy:
+ *  1. Exact host+base-path match against each adapter's configured URL in settings.
+ *  2. Fallback: URL-pattern match across all adapters (works when settings are missing/invalid).
+ *
+ * @returns The matching `ServiceAdapter`, or `null` if none matched.
+ */
+export function detectServiceFromUrl(url: string, settings: Record<string, string>): ServiceAdapter | null {
+  const trimmedUrl = url.trim();
+  if (!trimmedUrl) return null;
+
+  const normUrl = /^https?:\/\//i.test(trimmedUrl) ? trimmedUrl : `http://${trimmedUrl}`;
+  try {
+    const target = new URL(normUrl);
+
+    // 1. Configured base URL match (most precise)
+    for (const adapter of SERVICE_ADAPTERS) {
+      const baseUrl = settings[adapter.settingsUrlKey]?.trim();
+      if (!baseUrl) continue;
+      try {
+        const base = new URL(baseUrl);
+        if (base.origin !== target.origin) continue;
+        const basePath = base.pathname.replace(/\/$/, "");
+        if (!basePath || target.pathname === basePath || target.pathname.startsWith(basePath + "/")) {
+          return adapter;
+        }
+      } catch {
+        // Unparseable configured URL – skip.
+      }
+    }
+  } catch {
+    return null;
+  }
+
+  // Pattern-only fallback intentionally removed: a URL is only classified as a service
+  // link when the service base URL is configured AND the URL matches that base.
+  // If no URL is configured for a service, dropped URLs are stored as plain link/url
+  // attachments instead of being silently classified as service links.
+  return null;
+}
+
+/**
+ * Classify a dropped URL into a `{ adapter, id }` pair.
+ * Tries the configured base URL first, then falls back to pattern-only extraction.
+ *
+ * @returns `{ adapter, id }` when recognised, `null` when the URL matches no known service.
+ */
+export function classifyDroppedUrl(
+  url: string,
+  settings: Record<string, string>
+): { adapter: ServiceAdapter; id: string } | null {
+  const adapter = detectServiceFromUrl(url, settings);
+  if (!adapter) return null;
+
+  const configuredBase = settings[adapter.settingsUrlKey];
+  const id = adapter.extractId(url, configuredBase);
+  if (!id) return null;
+
+  return { adapter, id };
+}
+
+
diff --git a/frontend/locales/en.json b/frontend/locales/en.json
index d2fb0ff41..e90abc4df 100644
--- a/frontend/locales/en.json
+++ b/frontend/locales/en.json
@@ -179,7 +179,16 @@
         "item": {
             "attachments_list": {
                 "download": "Download",
-                "open_new_tab": "Open in new tab"
+                "open_new_tab": "Open in new tab",
+                "configure_service": "Configure {service} URL in Profile Settings to access this attachment",
+                "request_failed": "Request to {url} failed",
+                "request_failed_stale": "Showing cached data — request to {url} failed",
+                "open_in_service": "Open in {service}",
+                "errors": {
+                    "auth_failed": "Authentication failed — check your API token in Profile Settings",
+                    "request_failed": "Request failed (HTTP {status}) — did you set an API token in Profile Settings?",
+                    "service_unreachable": "Service unreachable at {baseUrl}"
+                }
             },
             "create_modal": {
                 "clear_template": "Clear Template",
@@ -620,6 +629,7 @@
             "item_deleted": "Item deleted",
             "item_saved": "Item saved",
             "quantity_cannot_negative": "Quantity cannot be negative",
+            "service_linked": "{service} linked",
             "sync_child_location": "Selected parent syncs its children's locations to its own. The location has been updated."
         },
         "updated_at": "Updated At",
@@ -803,8 +813,17 @@
             "failed_update_notifier": "Failed to update notifier.",
             "group_updated": "Group updated",
             "notifier_test_success": "Notifier test successful.",
-            "password_changed": "Password changed successfully."
+            "password_changed": "Password changed successfully.",
+            "settings_saved": "Integration settings saved.",
+            "failed_settings_save": "Failed to save integration settings."
         },
+        "integrations": "Integrations",
+        "integrations_sub": "Connect external services like Paperless-ngx.",
+        "paperless_settings": "Paperless-ngx",
+        "paperless_url": "Paperless URL",
+        "paperless_url_placeholder": "http://localhost:8000",
+        "paperless_token": "API Token",
+        "paperless_token_placeholder": "Your Paperless API token",
         "update_group": "Update Group",
         "update_language": "Update Language",
         "url": "URL",
diff --git a/frontend/pages/item/[id]/index/edit.vue b/frontend/pages/item/[id]/index/edit.vue
index abb11e1c5..3e43782dc 100644
--- a/frontend/pages/item/[id]/index/edit.vue
+++ b/frontend/pages/item/[id]/index/edit.vue
@@ -5,7 +5,8 @@
   import type { ItemAttachment, EntityFieldData, EntityOut, EntityUpdate } from "~~/lib/api/types/data-contracts";
   import { AttachmentTypes } from "~~/lib/api/types/non-generated";
   import { useTagStore } from "~/stores/tags";
-  import { useLocationStore } from "~~/stores/locations";
+  import { classifyDroppedUrl, SERVICE_ADAPTERS } from "~/lib/integration-adapters";
+  import { useIntegrationCacheStore } from "~/stores/integration-cache";
   import MdiLoading from "~icons/mdi/loading";
   import MdiDelete from "~icons/mdi/delete";
   import MdiPencil from "~icons/mdi/pencil";
@@ -47,9 +48,6 @@
 
   const itemId = computed<string>(() => route.params.id as string);
 
-  const locationStore = useLocationStore();
-  const locations = computed(() => locationStore.allLocations);
-
   const tagStore = useTagStore();
   const tags = computed(() => tagStore.tags);
 
@@ -373,7 +371,14 @@
     const zoneEl = targetEl?.closest("[data-link-type]");
     const attachmentType = zoneEl?.getAttribute("data-link-type") || "attachment";
 
+    // Always use the URL-based title as fallback; the real document title is
+    // fetched from the service API at display time (hydration in AttachmentsList.vue).
     const title = fallbackLinkTitle(droppedURL);
+
+    const store = useIntegrationCacheStore();
+    const settingsForClassify = Object.fromEntries(SERVICE_ADAPTERS.map(a => [a.settingsUrlKey, store.serviceUrls[a.name] ?? ""]));
+    const classified = classifyDroppedUrl(droppedURL, settingsForClassify);
+
     const { data, error } = await api.items.attachments.addExternalLink(
       itemId.value,
       "link",
@@ -387,7 +392,12 @@
       return;
     }
 
-    toast.success(t("items.toast.attachment_uploaded"));
+    if (classified) {
+      const serviceName = classified.adapter.name.charAt(0).toUpperCase() + classified.adapter.name.slice(1);
+      toast.success(t("items.toast.service_linked", { service: serviceName }));
+    } else {
+      toast.success(t("items.toast.attachment_uploaded"));
+    }
     item.value.attachments = data.attachments;
   }
 
@@ -822,13 +832,7 @@
                     </TooltipTrigger>
                     <TooltipContent>{{ $t("items.edit.view_image") }}</TooltipContent>
                   </Tooltip>
-                  <Tooltip
-                    v-if="
-                      attachment.mimeType === 'link/url' ||
-                      (attachment.path ?? '').startsWith('http://') ||
-                      (attachment.path ?? '').startsWith('https://')
-                    "
-                  >
+                  <Tooltip v-if="(attachment.path ?? '').startsWith('http://') || (attachment.path ?? '').startsWith('https://')">
                     <TooltipTrigger as-child>
                       <a :href="attachment.path" target="_blank" rel="noopener noreferrer">
                         <Button variant="outline" size="icon">
diff --git a/frontend/pages/profile.vue b/frontend/pages/profile.vue
index b0c3e31f4..7d448ec92 100644
--- a/frontend/pages/profile.vue
+++ b/frontend/pages/profile.vue
@@ -20,12 +20,14 @@
   import FormCheckbox from "~/components/Form/Checkbox.vue";
   import BaseContainer from "@/components/Base/Container.vue";
   import BaseCard from "@/components/Base/Card.vue";
+  import { useIntegrationCacheStore } from "~/stores/integration-cache";
   import BaseSectionHeader from "@/components/Base/SectionHeader.vue";
   import DetailsSection from "@/components/global/DetailsSection/DetailsSection.vue";
   import DateTime from "@/components/global/DateTime.vue";
   import PasswordScore from "~/components/global/PasswordScore.vue";
   import { PASSWORD_MIN_LENGTH, PASSWORD_RULES } from "~/lib/passwords";
   import type { APIKeyOut } from "~~/lib/api/types/data-contracts";
+  import { SERVICE_ADAPTERS } from "~/lib/integration-adapters";
 
   const { t } = useI18n();
 
@@ -207,6 +209,71 @@
     toast.success(t("profile.toast.api_key_deleted"));
     await loadApiKeys();
   }
+
+  // ---------------------------------------------------------------------------
+  // Integration settings
+
+  const integrationSettings = reactive<Record<string, string> & { loading: boolean; saving: boolean }>({
+    loading: false,
+    saving: false,
+  });
+
+  async function loadIntegrationSettings() {
+    integrationSettings.loading = true;
+    const { data, error } = await api.user.getSettings();
+    integrationSettings.loading = false;
+
+    if (error || !data?.item) {
+      toast.error(t("errors.api_failure"));
+      return;
+    }
+
+    const settings = data.item as Record<string, unknown>;
+    for (const adapter of SERVICE_ADAPTERS) {
+      integrationSettings[adapter.settingsUrlKey] = (settings[adapter.settingsUrlKey] as string) || "";
+      integrationSettings[adapter.settingsTokenKey] = (settings[adapter.settingsTokenKey] as string) || "";
+    }
+  }
+
+  async function saveIntegrationSettings() {
+    integrationSettings.saving = true;
+    const { data: current, error: currentError } = await api.user.getSettings();
+    if (currentError) {
+      integrationSettings.saving = false;
+      toast.error(t("profile.toast.failed_settings_save"));
+      return;
+    }
+
+    const integrationPatch: Record<string, string> = {};
+    for (const adapter of SERVICE_ADAPTERS) {
+      integrationPatch[adapter.settingsUrlKey] = integrationSettings[adapter.settingsUrlKey] ?? "";
+      integrationPatch[adapter.settingsTokenKey] = integrationSettings[adapter.settingsTokenKey] ?? "";
+    }
+
+    const { error } = await api.user.setSettings({
+      ...(current?.item ?? {}),
+      ...integrationPatch,
+    });
+    integrationSettings.saving = false;
+
+    if (error) {
+      toast.error(t("profile.toast.failed_settings_save"));
+      return;
+    }
+
+    // Push new URLs into the shared store so mounted AttachmentsList components
+    // immediately promote or demote service attachments.
+    const integrationCacheStore = useIntegrationCacheStore();
+    for (const adapter of SERVICE_ADAPTERS) {
+      integrationCacheStore.setServiceUrl(adapter.name, integrationSettings[adapter.settingsUrlKey] ?? "");
+    }
+
+    toast.success(t("profile.toast.settings_saved"));
+  }
+
+  onMounted(() => {
+    void loadIntegrationSettings();
+  });
 </script>
 
 <template>
@@ -431,6 +498,48 @@
           </div>
         </div>
       </BaseCard>
+
+      <BaseCard>
+        <template #title>
+          <BaseSectionHeader>
+            <span> {{ $t("profile.integrations") }} </span>
+            <template #description>
+              {{ $t("profile.integrations_sub") }}
+            </template>
+          </BaseSectionHeader>
+        </template>
+
+        <div class="space-y-6 px-4 pb-4">
+          <!-- Paperless Settings -->
+          <div class="space-y-2">
+            <h4 class="font-semibold">{{ $t("profile.paperless_settings") }}</h4>
+            <FormTextField
+              v-model="integrationSettings['paperless_url']"
+              :label="$t('profile.paperless_url')"
+              :placeholder="$t('profile.paperless_url_placeholder')"
+              type="url"
+              class="mb-2"
+            />
+            <FormTextField
+              v-model="integrationSettings['paperless_token']"
+              :label="$t('profile.paperless_token')"
+              :placeholder="$t('profile.paperless_token_placeholder')"
+              type="password"
+            />
+          </div>
+
+          <div class="border-t pt-4">
+            <Button
+              :disabled="integrationSettings.saving || integrationSettings.loading"
+              @click="saveIntegrationSettings"
+            >
+              <MdiLoading v-if="integrationSettings.saving" class="animate-spin" />
+              {{ $t("global.save") }}
+            </Button>
+          </div>
+        </div>
+      </BaseCard>
+
       <BaseCard>
         <template #title>
           <BaseSectionHeader>
diff --git a/frontend/stores/integration-cache.ts b/frontend/stores/integration-cache.ts
new file mode 100644
index 000000000..175d1b9c2
--- /dev/null
+++ b/frontend/stores/integration-cache.ts
@@ -0,0 +1,168 @@
+import { defineStore } from "pinia";
+import { SERVICE_ADAPTERS, type ServiceAdapter } from "~/lib/integration-adapters";
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+/** Lifecycle state of a single service-typed attachment. */
+export type AttachmentFetchState = "loading" | "ok" | "stale" | "error";
+
+// ---------------------------------------------------------------------------
+// localStorage helpers (TTL-based, key-prefixed)
+// ---------------------------------------------------------------------------
+
+const CACHE_TTL_MS = 30 * 60 * 1000; // 30 minutes
+const LS_PREFIX = "homebox:integration:";
+
+interface StoredEntry {
+  data: unknown;
+  fetchedAt: number;
+}
+
+function lsRead(key: string): unknown | null {
+  if (typeof localStorage === "undefined") return null;
+  try {
+    const raw = localStorage.getItem(LS_PREFIX + key);
+    if (!raw) return null;
+    const entry = JSON.parse(raw) as StoredEntry;
+    if (Date.now() - entry.fetchedAt > CACHE_TTL_MS) {
+      localStorage.removeItem(LS_PREFIX + key);
+      return null;
+    }
+    return entry.data;
+  } catch {
+    return null;
+  }
+}
+
+function lsWrite(key: string, data: unknown): void {
+  if (typeof localStorage === "undefined") return;
+  try {
+    localStorage.setItem(LS_PREFIX + key, JSON.stringify({ data, fetchedAt: Date.now() } as StoredEntry));
+  } catch {
+    // localStorage quota exceeded or unavailable – ignore.
+  }
+}
+
+function lsDelete(key: string): void {
+  if (typeof localStorage === "undefined") return;
+  localStorage.removeItem(LS_PREFIX + key);
+}
+
+// ---------------------------------------------------------------------------
+// Store
+// ---------------------------------------------------------------------------
+
+export const useIntegrationCacheStore = defineStore("integrationCache", () => {
+  /**
+   * Configured base URL per service name (trailing slash stripped).
+   * Empty string = not configured.
+   */
+  const serviceUrls = reactive<Record<string, string>>({});
+
+  /**
+   * Resolved enriched metadata, keyed by `${serviceName}:${id}`.
+   * In-memory mirror of the localStorage cache; populated on first read.
+   */
+  const enrichedData = reactive<Record<string, unknown>>({});
+
+  /** Per-attachment-id fetch state. Key = attachment DB id. */
+  const fetchStates = reactive<Record<string, AttachmentFetchState>>({});
+
+  /** Per-attachment-id failure description. Key = attachment DB id. */
+  const fetchErrors = reactive<Record<string, string>>({});
+
+  /** Whether settings have been fetched this session (avoid duplicate API calls). */
+  const settingsLoaded = ref(false);
+
+  // -------------------------------------------------------------------------
+  // Settings
+  // -------------------------------------------------------------------------
+
+  /**
+   * Load service base URLs from user settings.
+   * No-ops on subsequent calls within the same page session.
+   */
+  async function loadSettings(api: ReturnType<typeof useUserApi>): Promise<void> {
+    if (settingsLoaded.value) return;
+    const { data, error } = await api.user.getSettings();
+    if (error || !data?.item) return;
+    const s = data.item as Record<string, unknown>;
+    for (const adapter of SERVICE_ADAPTERS) {
+      serviceUrls[adapter.name] = ((s[adapter.settingsUrlKey] as string) || "").replace(/\/$/, "");
+    }
+    settingsLoaded.value = true;
+  }
+
+  function isConfigured(adapter: ServiceAdapter): boolean {
+    return !!(serviceUrls[adapter.name]?.trim());
+  }
+
+  function getUrl(adapter: ServiceAdapter): string {
+    return serviceUrls[adapter.name] ?? "";
+  }
+
+  // -------------------------------------------------------------------------
+  // Enriched data cache
+  // -------------------------------------------------------------------------
+
+  function getEnrichedData(serviceName: string, id: string): unknown {
+    const key = `${serviceName}:${id}`;
+    if (key in enrichedData) return enrichedData[key];
+    const cached = lsRead(key);
+    if (cached !== null) enrichedData[key] = cached;
+    return cached;
+  }
+
+  function setEnrichedData(serviceName: string, id: string, data: unknown): void {
+    const key = `${serviceName}:${id}`;
+    enrichedData[key] = data;
+    lsWrite(key, data);
+  }
+
+  function invalidateEnrichedData(serviceName: string, id: string): void {
+    const key = `${serviceName}:${id}`;
+    delete enrichedData[key];
+    lsDelete(key);
+  }
+
+  // -------------------------------------------------------------------------
+  // Attachment fetch state
+  // -------------------------------------------------------------------------
+
+  function setState(attachmentId: string, state: AttachmentFetchState, errorMsg?: string): void {
+    fetchStates[attachmentId] = state;
+    if (errorMsg !== undefined) fetchErrors[attachmentId] = errorMsg;
+  }
+
+  function clearAttachmentState(attachmentId: string): void {
+    delete fetchStates[attachmentId];
+    delete fetchErrors[attachmentId];
+  }
+
+  /**
+   * Update a single service URL (e.g. after profile save).
+   * Resets settingsLoaded so loadSettings() will re-read on next call.
+   */
+  function setServiceUrl(name: string, url: string): void {
+    serviceUrls[name] = url.replace(/\/$/, "");
+    settingsLoaded.value = false;
+  }
+
+  return {
+    serviceUrls,
+    enrichedData,
+    fetchStates,
+    fetchErrors,
+    loadSettings,
+    isConfigured,
+    getUrl,
+    setServiceUrl,
+    getEnrichedData,
+    setEnrichedData,
+    invalidateEnrichedData,
+    setState,
+    clearAttachmentState,
+  };
+});