diff --git a/.github/workflows/continuous.yml b/.github/workflows/continuous.yml
index c854d325ba..9e0d91d56c 100644
--- a/.github/workflows/continuous.yml
+++ b/.github/workflows/continuous.yml
@@ -46,6 +46,18 @@ jobs:
       - name: Test
         run: npm run test
 
+      - name: Generate SBOM
+        if: github.event_name == 'push'
+        run: npx cyclonedx-npm --output-format JSON --output-file sbom.cdx.json
+
+      - name: Upload SBOM artifact
+        if: github.event_name == 'push'
+        uses: actions/upload-artifact@v7
+        with:
+          name: sbom
+          path: sbom.cdx.json
+          retention-days: 30
+
       - uses: ./.github/workflows/actions/upload-distribution-archives
 
   assembleInformation:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7f4acca257..f211c604bb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,6 +41,9 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
+      - name: Audit dependencies
+        run: npm audit --audit-level=high
+
       - name: Build
         run: npx turbo run build
 
diff --git a/SECURITY.md b/SECURITY.md
index 054a75e702..940cd1e8a1 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -10,22 +10,27 @@
   - [Dependency Vulnerability Scanning (SCA)](#dependency-vulnerability-scanning-sca)
   - [Software Bill of Materials (SBOM)](#software-bill-of-materials-sbom)
   - [Secure Supply Chain Practices](#secure-supply-chain-practices)
+- [Consumer Notifications](#consumer-notifications)
 - [EU Cyber Resilience Act (CRA) Compliance](#eu-cyber-resilience-act-cra-compliance)
   - [Security Measures](#security-measures-1)
+  - [Authority Reporting (Article 14)](#authority-reporting-article-14)
   - [Version Support Policy](#version-support-policy)
+  - [Security by Default](#security-by-default)
   - [Secure Release Process](#secure-release-process)
   - [Contact for Security Issues](#contact-for-security-issues)
 - [Further Reading](#further-reading)
 
 ## Supported Versions
 
-Only the latest major version receives security patches.
-Older major versions are unsupported.
+Two major versions receive security patches at any given time:
 
-| Version      | Supported |
-| ------------ | --------- |
-| Latest major | ✅        |
-| Older majors | ❌        |
+| Branch | Version              | Support type                          | Supported |
+| ------ | -------------------- | ------------------------------------- | --------- |
+| `next` | Latest major         | Active development + security patches | ✅        |
+| `main` | Previous major (LTS) | Security patches only                 | ✅        |
+| —      | Older majors         | No patches                            | ❌        |
+
+The previous major enters **Long-Term Support (LTS)** the moment the next major is released and receives security patches for a minimum of **24 months** from that date. After 24 months, EOL is announced at least **6 months in advance** via a GitHub release note and a pinned repository issue before support is dropped.
 
 ## Reporting a Vulnerability
 
@@ -37,6 +42,8 @@ We will acknowledge your report within **72 hours** and aim to release a fix or
 
 ## Disclosure Policy
 
+### To the reporter (Coordinated Vulnerability Disclosure)
+
 | Milestone         | Commitment            |
 | ----------------- | --------------------- |
 | Acknowledgement   | Within 72 hours       |
@@ -45,6 +52,56 @@ We will acknowledge your report within **72 hours** and aim to release a fix or
 
 This project follows the [Coordinated Vulnerability Disclosure](https://www.cisa.gov/coordinated-vulnerability-disclosure-process) model.
 
+### To authorities (CRA Article 14)
+
+When a vulnerability is confirmed as **actively exploited** in the wild, we are additionally required to notify the relevant authority:
+
+| Milestone             | Deadline                          |
+| --------------------- | --------------------------------- |
+| Early warning         | Within 24 hours of becoming aware |
+| Detailed notification | Within 72 hours                   |
+| Final report          | Within 14 days                    |
+
+See [Authority Reporting (Article 14)](#authority-reporting-article-14) for the full process.
+
+## Consumer Notifications
+
+When a security advisory is published, consumers are notified through the following channels:
+
+### How to subscribe
+
+**GitHub watch notifications (recommended):**
+
+1. Click **Watch** at the top of this repository
+2. Select **Custom**
+3. Enable **Security alerts**
+
+GitHub will email you whenever a new [Security Advisory](../../security/advisories) is published for this repository.
+
+**npm release feed:**
+
+Every security fix is released as a new npm version. Subscribe to release notifications on GitHub (Watch → Releases) or monitor the package on [npmjs.com](https://www.npmjs.com/package/@baloise/ds-core).
+
+### What each advisory contains
+
+Every published GitHub Security Advisory for this project will include:
+
+| Field             | Content                                                  |
+| ----------------- | -------------------------------------------------------- |
+| CVE ID            | Assigned identifier (or "pending" if not yet issued)     |
+| Affected versions | Exact semver range of vulnerable releases                |
+| Patched version   | First version containing the fix                         |
+| npm packages      | All `@baloise/ds-*` packages affected                    |
+| Severity          | CVSS score and vector                                    |
+| Description       | What the vulnerability is and what an attacker can do    |
+| Workaround        | Mitigation steps if available before a patch is released |
+
+This information is sufficient to assess impact and plan an upgrade without reading source code.
+
+### For large consumers
+
+If your organisation integrates the Baloise Design System into a regulated product, consider enabling [Dependabot alerts](https://docs.github.com/en/code-security/dependabot) in your own repository. GitHub will automatically raise an alert in your project when a CVE is published for any version of `@baloise/ds-core` you depend on.
+
 ## Security Measures
 
 We maintain security through automated scanning, dependency management, and secure development practices.
@@ -128,31 +185,107 @@ This project follows practices required by the EU Cyber Resilience Act for mediu
 
 ### Security Measures
 
-| Requirement              | Implementation                                                     |
-| ------------------------ | ------------------------------------------------------------------ |
-| Vulnerability management | Private disclosure via GitHub Security Advisories (72h response)   |
-| Dependency scanning      | Dependabot with weekly scans and automated patch PRs               |
-| Code analysis            | CodeQL SAST on every push/PR and weekly schedule                   |
-| Secure development       | Branch protection, code review, CI/CD gates (lint, test, build)    |
-| Incident response        | 72h acknowledgement, 90d fix timeline for reported vulnerabilities |
-| SBOM / Transparency      | `package.json` + `package-lock.json` document all dependencies     |
+| Requirement              | Implementation                                                                                       |
+| ------------------------ | ---------------------------------------------------------------------------------------------------- |
+| Vulnerability management | Private disclosure via GitHub Security Advisories (72h response)                                     |
+| Dependency scanning      | Dependabot with weekly scans and automated patch PRs                                                 |
+| Code analysis            | CodeQL SAST on every push/PR and weekly schedule                                                     |
+| Secure development       | Branch protection, code review, CI/CD gates (lint, test, build)                                      |
+| Incident response        | 72h acknowledgement, 90d fix timeline; 24h/72h/14d authority reporting for exploited vulnerabilities |
+| Authority reporting      | ENISA EUVDB (EU consumers) + Swiss NCSC; runbook in `docs/security/incident-response-runbook.md`     |
+| Consumer notification    | GitHub Security Advisories with CVE, affected versions, patched version, and workaround              |
+| SBOM / Transparency      | CycloneDX JSON SBOM bundled in every published npm package                                           |
+
+### Authority Reporting (Article 14)
+
+CRA Article 14 requires notifying the relevant authority when a vulnerability in this product is **confirmed as actively exploited** in the wild. This obligation has been in force since September 2026.
+
+**Who reports:** The on-call maintainer or security lead (not the individual who discovered the issue — escalate immediately if you are not the lead).
+
+**Which authority to notify:**
+
+| Audience        | Authority  | Platform                                                                                   |
+| --------------- | ---------- | ------------------------------------------------------------------------------------------ |
+| EU consumers    | ENISA      | [ENISA EUVDB](https://euvdb.europa.eu)                                                     |
+| Swiss consumers | Swiss NCSC | [ncsc.admin.ch/report](https://www.ncsc.admin.ch/ncsc/en/home/meldungen/meldung-ncsc.html) |
+
+When in doubt, report to both. Duplicate reports are explicitly allowed under the regulation.
+
+**Reporting timeline:**
+
+1. **T+0 — Discovery:** Vulnerability is confirmed exploited (via Dependabot alert, CodeQL finding, external report, or incident)
+2. **T+24h — Early warning:** File a brief early warning on ENISA EUVDB and Swiss NCSC. Minimum required fields: product name, affected versions, short description, whether a fix is available.
+3. **T+72h — Detailed notification:** Submit a full notification including CVE ID (request one via [cveform.mitre.org](https://cveform.mitre.org) if not yet assigned), CVSS score, affected components, root cause summary, and mitigation steps.
+4. **T+14d — Final report:** Submit the final report once a fix is released or a mitigation is confirmed. Include patch version, timeline of events, and steps taken to prevent recurrence.
+
+**What to include in each report:**
+
+```
+Product:          Baloise Design System (@baloise/ds-core)
+Affected version: <semver range>
+CVE ID:           CVE-YYYY-XXXXX (or "pending" if not yet assigned)
+CVSS score:       <score and vector>
+Description:      <one paragraph — what the vulnerability is>
+Impact:           <what an attacker can do>
+Mitigation:       <workaround or fix version>
+Fix available:    Yes / No / In progress
+```
+
+**Full step-by-step runbook:** `docs/security/incident-response-runbook.md`
 
 ### Version Support Policy
 
-| Aspect               | Policy                                         |
-| -------------------- | ---------------------------------------------- |
-| **Supported range**  | Only the latest major version receives patches |
-| **Patch frequency**  | Security patches released within 90 days       |
-| **EOL status**       | Older major versions no longer receive updates |
-| **Breaking changes** | Communicated via changelog and release notes   |
+| Aspect                 | Policy                                                                                             |
+| ---------------------- | -------------------------------------------------------------------------------------------------- |
+| **Supported versions** | Latest major (`next` branch) + previous major in LTS (`main` branch)                               |
+| **LTS duration**       | Minimum 24 months of security patches from the date the next major is released                     |
+| **Patch frequency**    | Security patches released within 90 days of a confirmed vulnerability                              |
+| **EOL announcement**   | At least 6 months' notice via GitHub release note and pinned repository issue                      |
+| **EOL behaviour**      | EOL versions receive no patches, even for critical CVEs — consumers must upgrade                   |
+| **Breaking changes**   | Only in new major versions; communicated via CHANGELOG.md and release notes                        |
+| **LTS workflow**       | Automated via `.github/workflows/lts-continuous.yml`, `lts-prepare-release.yml`, `lts-release.yml` |
+
+### Security by Default
+
+The Baloise Design System is a client-side component library. Its attack surface and default security posture are as follows:
+
+| Property                              | State                                                                                                           |
+| ------------------------------------- | --------------------------------------------------------------------------------------------------------------- |
+| Server-side code                      | None — pure client-side Web Components                                                                          |
+| Authentication / authorisation logic  | None — components carry no identity or session state                                                            |
+| Data persistence                      | Minimal — one `localStorage` key stores an animation preference boolean (`DS_ANIMATION_KEY`); no PII, no tokens |
+| Default network requests              | None at startup — `ds-icon` fetches a SVG only when the consumer explicitly sets a `src` prop                   |
+| User-supplied HTML rendered as markup | Sanitized via DOMPurify before any `innerHTML` assignment (`src/utils/svg.ts`)                                  |
+| `eval` / `new Function`               | Not used anywhere in the component source                                                                       |
+| Inline event handler attributes       | Not used — all listeners are attached via `addEventListener`                                                    |
+| CSP compatibility                     | Compatible with strict `script-src` policies; no `unsafe-eval`, no `unsafe-inline` required                     |
+
+**How these properties are enforced:**
+
+- **Code rules** — documented in [STYLE_GUIDE.md — Security](STYLE_GUIDE.md#security); violations are flagged during code review
+- **Static analysis** — CodeQL runs on every push and PR and weekly; catches `innerHTML` misuse, unvalidated network data, and injection patterns
+- **Dependency auditing** — `npm audit --audit-level=high` blocks CI and both release workflows if a high or critical CVE is present in a dependency
+- **DOMPurify** — pinned as a runtime dependency of `@baloise/ds-core`; all external HTML content passes through it before rendering
 
 ### Secure Release Process
 
 1. **Pre-release scanning:** CodeQL and Dependabot checks on all incoming PRs
-2. **Changeset review:** Core team reviews all proposed version changes
-3. **Build verification:** Automated build, lint, and test suite runs before release
-4. **Release publication:** GitHub Actions publishes with provenance attestation
-5. **Disclosure:** Release notes and CHANGELOG.md updated with all changes
+2. **Dependency audit:** `npm audit --audit-level=high` blocks the release workflow if high or critical CVEs are present
+3. **Changeset review:** Core team reviews all proposed version changes
+4. **Build verification:** Automated build, lint, and test suite runs before release
+5. **Release publication:** GitHub Actions publishes with provenance attestation and SBOM
+6. **Consumer notification:** GitHub Security Advisory published with CVE, affected versions, patched version, and workaround
+7. **Disclosure:** Release notes and CHANGELOG.md updated with all changes
+
+**Security self-assessment checklist** — confirm before each release containing security fixes:
+
+- [ ] No `innerHTML` assignments without DOMPurify sanitization introduced in this release
+- [ ] No `eval`, `new Function`, or string-argument `setTimeout`/`setInterval` introduced
+- [ ] No new default network requests added to components
+- [ ] No PII or tokens written to `localStorage`/`sessionStorage`
+- [ ] `npm audit --audit-level=high` passes cleanly (enforced automatically by CI)
+- [ ] DOMPurify version is up to date (check Dependabot alerts)
+- [ ] If a new external dependency was added: its license and security posture have been reviewed
 
 ### Contact for Security Issues
 
@@ -162,6 +295,7 @@ For security concerns not covered by this policy, email the maintainers (see [CO
 
 For more information on secure development in this project:
 
+- **[docs/security/incident-response-runbook.md](docs/security/incident-response-runbook.md)** — Step-by-step runbook for responding to exploited vulnerabilities and filing authority reports
 - **[CONTRIBUTING.md](CONTRIBUTING.md)** — Vulnerability reporting and responsible disclosure
 - **[ARCHITECTURE.md — CI/CD Pipeline](ARCHITECTURE.md#cicd-pipeline)** — Security scanning workflows and automation
 - **[DEVELOPMENT.md](DEVELOPMENT.md)** — Development setup and local testing
diff --git a/STYLE_GUIDE.md b/STYLE_GUIDE.md
index 82e0fd331c..fed65e2ab6 100644
--- a/STYLE_GUIDE.md
+++ b/STYLE_GUIDE.md
@@ -9,6 +9,7 @@ This is a quick reference for component code standards. For comprehensive detail
 - [Prop Validation](#prop-validation)
 - [Quick Reference Table](#quick-reference-table)
 - [Full Documentation](#full-documentation)
+- [Security](#security)
 - [Enforcement](#enforcement)
 
 ## Key Rules at a Glance
@@ -387,6 +388,31 @@ For detailed explanations, examples, and comprehensive guidelines, see:
 - **[CONTRIBUTING.md](CONTRIBUTING.md)** — Contribution workflow and testing requirements
 - **[ARCHITECTURE.md](ARCHITECTURE.md)** — System design, component patterns, and testing strategy
 
+## Security
+
+These rules enforce the component library's secure-by-default posture and are verified during code review and CodeQL analysis.
+
+**Never use `innerHTML` with unsanitized input.** Any HTML that originates from outside the component (consumer props, fetched content) must be passed through DOMPurify before rendering. The existing `sanitizeSvg` utility in `src/utils/svg.ts` is the pattern to follow.
+
+```ts
+// ✅ Correct — sanitize before setting innerHTML
+import DOMPurify from 'dompurify'
+element.innerHTML = DOMPurify.sanitize(externalHtml)
+
+// ❌ Wrong — direct assignment from untrusted source
+element.innerHTML = props.htmlContent
+```
+
+**Never use `eval`, `new Function`, or `setTimeout`/`setInterval` with a string argument.** These bypass CSP and open script injection paths. Use typed callbacks instead.
+
+**Never make default network requests.** Components must not initiate `fetch` or `XMLHttpRequest` calls on their own. The only exception is `ds-icon`, which fetches a consumer-provided SVG URL and immediately sanitizes the response with DOMPurify. New network calls require explicit justification and the same sanitization treatment.
+
+**Never write sensitive data to `localStorage` or `sessionStorage`.** The only permitted `localStorage` use is the animation preference flag (`DS_ANIMATION_KEY`), which stores a non-sensitive boolean. Authentication tokens, user identifiers, and PII must never be stored in web storage by design system components.
+
+**Never use inline event handler attributes.** Use `addEventListener` in `connectedCallback` / `disconnectedCallback` pairs. Inline handlers (`onclick="..."`) break CSP `script-src` policies.
+
+**Prefer semantic HTML over ARIA overrides.** A correct element (`<button>`, `<a>`, `<input>`) provides accessibility for free and reduces attack surface compared to a `<div>` with ARIA roles.
+
 ## Enforcement
 
 Style violations are caught by:
diff --git a/TODOS.md b/TODOS.md
index 443f5e1b7f..730a65a373 100644
--- a/TODOS.md
+++ b/TODOS.md
@@ -85,7 +85,7 @@ These improvements help our components work seamlessly across all supported fram
 | footer           | WC     | ✅     | ✅   | ✅     | ✅   | ✅     | ✅        |
 | file-upload      | WC     | ✅     | ✅   | ✅     | ✅   | ✅     | ✅        |
 | select           | CSS    | ✅     | ✅   | ✅     | ✅   | ✅     | ✅        |
-| navbar           | Hybrid | ⬜     | ⬜   | ⬜     | ⬜   | ⬜     | ⬜        |
+| navbar           | Hybrid | ✅     | ✅   | ✅     | ✅   | ✅     | ✅        |
 | time-input       | CSS    | ✅     | ✅   | ✅     | ✅   | ✅     | ✅        |
 | date             | WC     | ⬜     | ⬜   | ⬜     | ⬜   | ⬜     | ⬜        |
 | dropdown         | WC     | ⬜     | ⬜   | ⬜     | ⬜   | ⬜     | ⬜        |
diff --git a/docs/plan/001-navbar-mobile-drawer.md b/docs/plan/001-navbar-mobile-drawer.md
deleted file mode 100644
index ec07862ef4..0000000000
--- a/docs/plan/001-navbar-mobile-drawer.md
+++ /dev/null
@@ -1,268 +0,0 @@
-# Navbar Mobile Drawer — Implementation Plan
-
-**Status:** Approved  
-**Date:** 2026-06-10  
-**Component:** `ds-navbar`  
-**Feature:** Right-side drawer menu for mobile/tablet viewports
-
----
-
-## Overview
-
-Add accessible right-side drawer menu to `ds-navbar` for mobile/tablet (≤desktop). Drawer uses semantic `<aside role="dialog">` with focus trapping, backdrop close, keyboard escape, and slide-in animation. Menu content provided via slots; state controlled internally and externally.
-
-**Scope:** Feature addition to existing navbar component  
-**Complexity:** Medium (new props, state management, focus-trap integration, animation)  
-**Estimated Effort:** 3–4 phases
-
----
-
-## Design Decisions
-
-1. **Drawer Pattern:** Semantic `<aside role="dialog" aria-modal="true">` (accessible, search-engine friendly)
-2. **Content via Slots:** Two `<slot>` elements for menu content (light DOM → WCAG AA + SEO)
-3. **State Binding:** Internal `isDrawerOpen` state + external `@Prop() drawerOpen` + custom events
-4. **Focus Management:** `focus-trap` library for keyboard safety (trap focus, Escape key, restore trigger focus)
-5. **Close Triggers:** Backdrop click, Escape key, burger button click (all delegate to close handler)
-6. **Animation:** Slide-in from right (400px max) using CSS transitions + `--ds-` tokens
-7. **Inert Background:** `aria-hidden="true"` on main content when drawer open; prevent body scroll
-
----
-
-## Technical Decisions
-
-| Aspect                    | Decision                                                                                                   |
-| ------------------------- | ---------------------------------------------------------------------------------------------------------- |
-| **State Hook**            | `@State() isDrawerOpen: boolean = false` + `@Prop({ mutable: true }) drawerOpen?: boolean` with `@Watch()` |
-| **Focus Container**       | `ref` on `drawer-panel` div; pass to `focus-trap` on open                                                  |
-| **Animations**            | CSS `transition: transform` on `drawer-panel`; `--_drawer-slide-in: translate(0)` / `translate(100%)`      |
-| **Responsive Breakpoint** | Leverage existing `isTouch` pattern; show drawer on mobile/tablet, hide ≥desktop                           |
-| **Event Dispatch**        | Custom event: `drawer-state-changed` with `{ isOpen: boolean }` detail                                     |
-| **Dependencies**          | Add `focus-trap` npm package (if not already in deps)                                                      |
-
----
-
-## Accessibility Compliance (WCAG 2.2 AA)
-
-| Requirement             | Implementation                                                                                                              |
-| ----------------------- | --------------------------------------------------------------------------------------------------------------------------- |
-| **Keyboard Navigation** | ESC closes drawer; focus trapped within; burger button restores focus on close                                              |
-| **Screen Reader**       | `aria-modal="true"` + `aria-labelledby="drawer-title"` on `<aside>`; `aria-expanded` on burger; `aria-controls="drawer-id"` |
-| **Focus Management**    | focus-trap library ensures focus stays in drawer while open; restore on close                                               |
-| **Semantic HTML**       | Native `<aside>`, `<button>`, `<nav>` in slots; `role="dialog"` explicit                                                    |
-| **Color Contrast**      | Backdrop + drawer panel use `--ds-color-*` tokens; verify 4.5:1 WCAG AA                                                     |
-| **Touch Targets**       | Close button ≥44×44px; burger button ≥44×44px per WCAG 2.1 Level AAA (mobile best practice)                                 |
-
----
-
-## Responsive Behavior
-
-| Viewport                                | Behavior                                                                                         |
-| --------------------------------------- | ------------------------------------------------------------------------------------------------ |
-| **Mobile/Tablet** (≤768px or `isTouch`) | Burger button visible; drawer hidden (off-screen); drawer opens on-demand                        |
-| **Desktop** (>768px)                    | Burger button + drawer hidden; horizontal nav shown (existing behavior)                          |
-| **Animation**                           | Slide-in from right edge over 300ms (CSS variable: `--_drawer-slide-duration`); backdrop fade-in |
-
----
-
-## SEO Considerations
-
-- **Light DOM Slots:** Menu content is in light DOM → search engines crawl links naturally
-- **Semantic HTML:** `<nav aria-label="Main menu">` in slots is SEO-friendly
-- **No JavaScript Walls:** Content not hidden behind JS-only rendering ✓
-
----
-
-## Browser Support
-
-- All modern browsers supporting: ES2020, CSS Grid, CSS Custom Properties, Shadow DOM, `focus-trap`
-- Fallback: Drawer always visible on unsupported (graceful degradation)
-
----
-
-## Style Guide Alignment
-
-- **CSS Variables:** All colors/spacing use `--ds-*` tokens from `packages/tokens`
-- **Mobile-First:** Base styles for 320px; `@include media(desktop)` to hide on desktop
-- **Private Variables:** Drawer-specific vars use `--_drawer-*` prefix (non-public)
-- **Naming:** Follow `listenTo*`, `*Changed`, `handle*` conventions for methods
-- **Slots:** Light DOM content in `<slot name="menu">` and `<slot name="menu-footer">` (to be finalized in Phase 1)
-
----
-
-## Risks & Mitigations
-
-| Risk                                    | Mitigation                                                                                            |
-| --------------------------------------- | ----------------------------------------------------------------------------------------------------- |
-| **Focus-trap + Shadow DOM slots**       | Test keyboard nav through slotted content; use `ref` on panel; focus-trap works with passed container |
-| **Background scroll while drawer open** | Set `document.body.style.overflow = 'hidden'` on open; restore on close                               |
-| **Backdrop click outside drawer**       | Ensure backdrop `<div>` is direct child of `<aside>`; add click handler to backdrop only              |
-| **aria-hidden propagation**             | Add `aria-hidden="true"` to main nav/content wrapper when drawer open; remove on close                |
-| **Mobile Safari focus behavior**        | Test on iOS; may need explicit focus() call + iOS-specific focus management                           |
-
----
-
-## Related Documentation
-
-- **ARCHITECTURE.md** → Web component patterns, slot usage, Shadow DOM best practices
-- **STYLE_GUIDE.md** → CSS variable naming, mobile-first SCSS, component conventions
-- **CONTRIBUTING.md** → Accessibility requirements, testing checklist
-- **packages/core/CONTEXT.md** → Navbar component scope, existing patterns
-
----
-
-## Phases
-
-### Phase 1: Design Review & Props Setup
-
-**Goal:** Finalize API, slot names, and focus-trap integration approach
-
-**Tasks:**
-
-- [ ] Finalize `@Prop()` names: `drawerOpen?`, `drawerPlacement='right'`?
-- [ ] Confirm slot names: `menu`, `menu-footer` or `drawer-nav`, `drawer-actions`?
-- [ ] Create lightweight ADR if focus-trap + slots integration differs from standard pattern
-- [ ] Update navbar `CONTEXT.md` with drawer feature scope
-
-**Dependencies:** None
-
-**Acceptance Criteria:**
-
-- [ ] Prop API documented in interfaces
-- [ ] Slot structure defined and agreed
-- [ ] ADR (if needed) checked into `docs/adrs/`
-
----
-
-### Phase 2: Component State & Markup
-
-**Goal:** Implement drawer DOM structure, props, state, and open/close handlers
-
-**Tasks:**
-
-- [ ] Add `@Prop() drawerOpen?: boolean` and `@State() isDrawerOpen: boolean` to navbar.tsx
-- [ ] Add `@Watch()` on `drawerOpen` to sync with internal state
-- [ ] Render drawer markup (aside, backdrop, panel, close button, slots) in render function
-- [ ] Implement `openDrawer()`, `closeDrawer()`, `toggleDrawer()` methods
-- [ ] Add event emission: `drawer-state-changed` on state change
-- [ ] Add keyboard listener: ESC key closes drawer
-- [ ] Add backdrop click listener: closes drawer
-
-**Dependencies:** Phase 1
-
-**Acceptance Criteria:**
-
-- [ ] Drawer markup renders in Shadow DOM with slots for content
-- [ ] Props/state sync correctly (internal + external)
-- [ ] ESC key closes drawer
-- [ ] Backdrop click closes drawer
-- [ ] Burger button click opens/closes drawer
-- [ ] Custom event fires on state change
-
----
-
-### Phase 3: Accessibility & Focus Management
-
-**Goal:** Wire focus-trap library, ARIA attributes, and background inertness
-
-**Tasks:**
-
-- [ ] Install `focus-trap` npm package (if not already present)
-- [ ] Import focus-trap in navbar.tsx
-- [ ] Add ARIA attributes: `aria-modal="true"`, `aria-labelledby="drawer-title"`, `aria-controls="drawer-id"` on aside
-- [ ] Update burger button: `aria-expanded`, `aria-controls`
-- [ ] On drawer open: initialize focus-trap on panel div; move focus to close button or panel
-- [ ] On drawer close: deactivate focus-trap; restore focus to burger button
-- [ ] Add `aria-hidden="true"` to main nav/content when drawer open (coordinate with navbar structure)
-- [ ] Prevent background scroll: `document.body.style.overflow` management
-- [ ] Test keyboard nav: Tab, Shift+Tab, ESC, focus restore
-
-**Dependencies:** Phase 2
-
-**Acceptance Criteria:**
-
-- [ ] Focus-trap active while drawer open; inactive when closed
-- [ ] ESC closes drawer + restores focus to burger
-- [ ] Tab/Shift+Tab navigate within drawer only while open
-- [ ] Screen reader announces drawer as modal dialog
-- [ ] Background page is inert (aria-hidden + focus trapped)
-- [ ] Touch devices: focus behavior tested on iOS/Android
-
----
-
-### Phase 4: Animation & Styling
-
-**Goal:** Implement slide-in animation, backdrop fade, and responsive visibility
-
-**Tasks:**
-
-- [ ] Add SCSS to navbar.host.scss: drawer positioning (fixed, right: 0, z-index)
-- [ ] Add SCSS: drawer-panel translate animation (100% → 0% on open)
-- [ ] Add SCSS: backdrop fade-in/out (opacity 0 → var(--\_backdrop-opacity))
-- [ ] Add SCSS: max-width 400px, responsive height (100vh or content-aware)
-- [ ] Add CSS variables: `--_drawer-slide-duration` (300ms default), `--_backdrop-color`, `--_backdrop-opacity`
-- [ ] Add `@include media(desktop)` rule: hide burger + drawer when ≥desktop
-- [ ] Leverage existing `isTouch` pattern for mobile-first visibility
-- [ ] Test animations: smooth, no jank, accessible (prefers-reduced-motion respected)
-
-**Dependencies:** Phase 3
-
-**Acceptance Criteria:**
-
-- [ ] Drawer slides in from right edge (400px max width)
-- [ ] Backdrop fades in behind drawer
-- [ ] Animation duration is customizable via CSS variable
-- [ ] Desktop (≥desktop breakpoint): drawer hidden, burger hidden
-- [ ] Mobile-first: drawer visible by default (in markup), hidden via CSS on desktop
-- [ ] Animations respect `prefers-reduced-motion` (no animation if user prefers)
-
----
-
-### Phase 5: Manual Testing & Documentation
-
-**Goal:** Verify implementation with manual testing and update documentation
-
-**Manual Testing Checklist:**
-
-- [ ] **Mobile (375px width):** Open/close drawer via burger button
-- [ ] **Mobile:** Close drawer via backdrop click
-- [ ] **Mobile:** Close drawer via ESC key
-- [ ] **Mobile:** Close drawer via close button (×)
-- [ ] **Mobile:** Click menu link → drawer closes
-- [ ] **Mobile:** Verify animation slides in from right (smooth, no jank)
-- [ ] **Mobile:** Verify backdrop fades in/out with drawer
-- [ ] **Keyboard:** Tab/Shift+Tab navigate within drawer only while open
-- [ ] **Keyboard:** Focus moves to close button when drawer opens
-- [ ] **Keyboard:** Focus returns to burger button when drawer closes
-- [ ] **Accessibility:** Screen reader announces drawer as modal dialog
-- [ ] **Accessibility:** All ARIA attributes correct (aria-modal, aria-expanded, aria-controls, aria-labelledby)
-- [ ] **Desktop (1024px+ width):** Burger button hidden
-- [ ] **Desktop:** Drawer hidden
-- [ ] **Desktop:** Menu shows inline (existing behavior preserved)
-- [ ] **Motion:** Users with prefers-reduced-motion see instant transitions (0.01s)
-- [ ] **Touch targets:** Burger button ≥44×44px, close button ≥44×44px
-
-**Documentation Tasks:**
-
-- [x] Update navbar `CONTEXT.md` with drawer feature scope
-- [x] Document drawer CSS variables and animation timing
-- [x] Document ARIA attributes and accessibility approach
-
-**Dependencies:** Phase 4
-
-**Acceptance Criteria:**
-
-- [ ] All manual tests pass (user verification)
-- [ ] No regressions in existing navbar features
-- [ ] CONTEXT.md updated with drawer implementation details
-
----
-
-## Next Steps
-
-1. **Phase 1 Review** → Finalize prop API and slot names
-2. **Phases 2–5 Sequential** → Each phase gates the next; test incrementally
-3. **Post-Completion:**
-   - Run `/ds-test-component` to auto-generate test files (unit, visual, a11y, e2e)
-   - Run `/ds-document-component` to create Storybook documentation
-   - Update root `CONTRIBUTING.md` with drawer feature in component checklist
diff --git a/docs/public/.well-known/security.txt b/docs/public/.well-known/security.txt
new file mode 100644
index 0000000000..e6f3e39b22
--- /dev/null
+++ b/docs/public/.well-known/security.txt
@@ -0,0 +1,4 @@
+Contact: https://github.com/baloise/design-system/security/advisories/new
+Policy: https://github.com/baloise/design-system/blob/next/SECURITY.md
+Preferred-Languages: en, de
+Expires: 2027-12-31T00:00:00.000Z
diff --git a/docs/security/incident-response-runbook.md b/docs/security/incident-response-runbook.md
new file mode 100644
index 0000000000..5316d69aa5
--- /dev/null
+++ b/docs/security/incident-response-runbook.md
@@ -0,0 +1,191 @@
+# Incident Response Runbook — Exploited Vulnerability
+
+**Audience:** On-call maintainer / security lead  
+**Trigger:** A vulnerability in a published version of the Baloise Design System is confirmed actively exploited in the wild  
+**Legal basis:** EU Cyber Resilience Act, Article 14 (active since September 2026)
+
+---
+
+## Quick Reference
+
+| Step | What                                        | Deadline               |
+| ---- | ------------------------------------------- | ---------------------- |
+| 1    | Confirm exploitation and assess severity    | Immediately            |
+| 2    | Notify team lead and open private advisory  | T+1h                   |
+| 3    | File early warning with authorities         | T+24h                  |
+| 4    | File detailed notification with authorities | T+72h                  |
+| 5    | Release fix or mitigation                   | T+90d (target: sooner) |
+| 6    | File final report with authorities          | T+14d after fix        |
+| 7    | Publish GitHub Security Advisory            | After fix is released  |
+| 8    | Post-incident review                        | Within 30 days         |
+
+---
+
+## Step 1 — Confirm and Assess (Immediately)
+
+Before any reporting, confirm that the vulnerability is:
+
+- [ ] Present in a **published** version of `@baloise/ds-core` or another published package
+- [ ] **Actively exploited** (not just theoretically possible) — exploitation evidence may come from:
+  - A Dependabot alert flagging a CVE marked "exploited in wild"
+  - An external security researcher's report with a proof of concept
+  - A consumer reporting an active incident involving this library
+  - A public threat intelligence feed (NVD, OSV, GitHub Advisory Database)
+
+If exploitation is not confirmed, follow the standard [CVD process](../../SECURITY.md#disclosure-policy) instead — authority reporting is only triggered for actively exploited vulnerabilities.
+
+**Assess:**
+
+- Which package(s) and version range(s) are affected?
+- What is the CVSS score and attack vector?
+- Is a fix or workaround already available?
+- How many consumers are likely affected? (Check npm download stats)
+
+---
+
+## Step 2 — Notify Team and Open Private Advisory (T+1h)
+
+- [ ] Notify the security lead and one other maintainer immediately (do not handle alone)
+- [ ] Open a private [GitHub Security Advisory](https://github.com/baloise/design-system/security/advisories/new):
+  - Title: `[CVE-YYYY-XXXXX] Short description`
+  - Ecosystem: npm
+  - Package name: `@baloise/ds-core` (and any other affected packages)
+  - Affected versions: semver range
+  - Patched version: leave blank until fix is ready
+- [ ] Request a CVE ID via [cveform.mitre.org](https://cveform.mitre.org) if one has not been assigned yet — reference the GitHub advisory URL in the request
+- [ ] Do **not** publish the advisory yet — keep it private until a fix is ready
+
+---
+
+## Step 3 — Early Warning to Authorities (T+24h)
+
+File an early warning with both authorities if EU consumers are affected. Duplicate reports are explicitly permitted.
+
+### ENISA EUVDB (EU)
+
+1. Go to [euvdb.europa.eu](https://euvdb.europa.eu)
+2. Log in or register an account for the organisation
+3. Submit an early warning with the minimum required fields:
+
+```
+Product name:     Baloise Design System
+Package:          @baloise/ds-core (and affected packages)
+Affected version: <semver range>
+CVE ID:           <CVE-YYYY-XXXXX or "pending">
+Short description: <1–2 sentences — what the vulnerability is>
+Exploitation:     Actively exploited in the wild
+Fix available:    Yes / No / In progress
+```
+
+4. Save the submission reference number — you need it for the follow-up reports in Steps 4 and 6.
+
+### Swiss NCSC (Switzerland)
+
+1. Go to [ncsc.admin.ch — Report a vulnerability](https://www.ncsc.admin.ch/ncsc/en/home/meldungen/meldung-ncsc.html)
+2. Select "Vulnerability in a product"
+3. Fill in the same fields as above
+4. Note the confirmation email and ticket number
+
+---
+
+## Step 4 — Detailed Notification (T+72h)
+
+Update both authority submissions (reference the ticket numbers from Step 3) with full details:
+
+```
+Product:           Baloise Design System
+Package(s):        @baloise/ds-core <semver>
+CVE ID:            CVE-YYYY-XXXXX
+CVSS score:        <score> (<vector string>)
+CWE:               CWE-XXXX — <name>
+Description:       <paragraph — root cause, attack vector, what an attacker can do>
+Impact:            <what is at risk for consumers — XSS, data exposure, etc.>
+Affected users:    ~<N> weekly npm downloads (see npmjs.com/package/@baloise/ds-core)
+Mitigation:        <workaround if available; or "update to vX.Y.Z once released">
+Fix status:        In progress — expected release: <date>
+Timeline:
+  <ISO date> — Vulnerability reported / discovered
+  <ISO date> — Exploitation confirmed
+  <ISO date> — Early warning filed
+  <ISO date> — This detailed notification
+```
+
+---
+
+## Step 5 — Develop and Release Fix (Target: As Fast As Possible, Hard Limit T+90d)
+
+- [ ] Develop the fix on a private branch (do not push to a public branch until the advisory is ready to publish)
+- [ ] Run the full test suite: `npm test && npm run play`
+- [ ] Run `npm audit --audit-level=high` to confirm no remaining critical/high CVEs
+- [ ] Create a changeset entry: `npm run changeset` — mark as `patch`
+- [ ] Trigger the release workflow (this generates the SBOM, provenance attestation, and publishes to npm)
+- [ ] For LTS branches: apply the same fix via the `lts-release` workflow
+
+---
+
+## Step 6 — Final Report to Authorities (Within 14 Days of Fix Release)
+
+Update both authority submissions with the final report:
+
+```
+Fix released:      Yes — version <X.Y.Z>, released <ISO date>
+npm package:       https://www.npmjs.com/package/@baloise/ds-core/v/X.Y.Z
+GitHub release:    https://github.com/baloise/design-system/releases/tag/vX.Y.Z
+SBOM:              Bundled in npm package as sbom.cdx.json
+Provenance:        GitHub Actions provenance attestation (see npm package page)
+Root cause:        <1 paragraph>
+Prevention:        <what was changed to prevent recurrence>
+Timeline:
+  <ISO date> — Discovered
+  <ISO date> — Early warning filed
+  <ISO date> — Detailed notification filed
+  <ISO date> — Fix released
+  <ISO date> — This final report
+```
+
+---
+
+## Step 7 — Publish GitHub Security Advisory (After Fix Is Released)
+
+- [ ] Return to the private GitHub Security Advisory created in Step 2
+- [ ] Set "Patched version" to the released version
+- [ ] Write the public advisory text (consumers will see this):
+  - What the vulnerability is
+  - Which versions are affected
+  - How to update
+  - Workaround if applicable
+- [ ] Publish the advisory — this creates the CVE entry and notifies repository watchers
+- [ ] Post a notice in the release notes and CHANGELOG entry for the patched version
+
+---
+
+## Step 8 — Post-Incident Review (Within 30 Days)
+
+- [ ] Document what happened in a brief post-mortem (internal, not public)
+- [ ] Answer: How was this introduced? How was it detected? What slowed down the response?
+- [ ] Update this runbook or `SECURITY.md` if any step was unclear or missing
+- [ ] File a follow-up item if a process gap needs a long-term fix (e.g., a new CodeQL query, a new Dependabot rule)
+
+---
+
+## Contacts
+
+| Role               | Responsibility                                                                                  |
+| ------------------ | ----------------------------------------------------------------------------------------------- |
+| Security lead      | Owns the authority report filings and advisory publication                                      |
+| On-call maintainer | First responder — escalates to security lead within 1 hour                                      |
+| Legal / compliance | Notified if the vulnerability affects a regulated system or triggers data breach considerations |
+
+For maintainer contact details, see [CONTRIBUTING.md](../../CONTRIBUTING.md).
+
+---
+
+## Reference Links
+
+- [ENISA EUVDB reporting platform](https://euvdb.europa.eu)
+- [Swiss NCSC vulnerability report form](https://www.ncsc.admin.ch/ncsc/en/home/meldungen/meldung-ncsc.html)
+- [Request a CVE ID (MITRE)](https://cveform.mitre.org)
+- [GitHub Security Advisories — this repo](https://github.com/baloise/design-system/security/advisories)
+- [NVD — National Vulnerability Database](https://nvd.nist.gov)
+- [CRA Article 14 full text](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402847#art_14)
+- [SECURITY.md](../../SECURITY.md)
diff --git a/packages/assets/package.json b/packages/assets/package.json
index 54d1f9fa90..742f84d4ae 100644
--- a/packages/assets/package.json
+++ b/packages/assets/package.json
@@ -10,6 +10,7 @@
     "access": "public"
   },
   "homepage": "https://design.baloise.dev",
+  "security": "https://github.com/baloise/design-system/security/advisories/new",
   "license": "Apache-2.0",
   "type": "module",
   "types": "./dist/src/index.d.ts",
diff --git a/packages/core/package.json b/packages/core/package.json
index 5149b5107a..c783c3a723 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -10,6 +10,7 @@
     "access": "public"
   },
   "homepage": "https://design.baloise.dev",
+  "security": "https://github.com/baloise/design-system/security/advisories/new",
   "license": "Apache-2.0",
   "main": "dist/index.cjs.js",
   "module": "dist/index.js",
diff --git a/packages/core/src/components.d.ts b/packages/core/src/components.d.ts
index 77b8a1f723..b413291799 100644
--- a/packages/core/src/components.d.ts
+++ b/packages/core/src/components.d.ts
@@ -21,7 +21,7 @@ import { ContentAlignment, ContentSpace, ContentTextAlignment } from "./componen
 import { DividerColor, DividerLayout, DividerSpace } from "./components/divider/divider.interfaces";
 import { DrawerContainer, DrawerDismissDetail, DrawerPresentDetail } from "./components/drawer/drawer.interfaces";
 import { FileUploadBlurDetail, FileUploadChangeDetail, FileUploadFilesAddedDetail, FileUploadFilesRemovedDetail, FileUploadFocusDetail, FileUploadInputClickDetail, FileUploadRejectedFileDetail } from "./components/file-upload/file-upload.interfaces";
-import { FooterLanguageChangeDetail } from "./components/footer/footer.interfaces";
+import { FooterContainer, FooterLanguageChangeDetail } from "./components/footer/footer.interfaces";
 import { PopupDismissDetail, PopupPlacement, PopupPresentDetail, PopupRole } from "./components/popup/popup.interfaces";
 import { IconColor, IconShape, IconSize, IconTileColor } from "./components/icon/icon.interfaces";
 import { ItemActionIcon, ItemLabelLevel, ItemLabelSize, ItemVariant } from "./components/list/item/item.interfaces";
@@ -62,7 +62,7 @@ export { ContentAlignment, ContentSpace, ContentTextAlignment } from "./componen
 export { DividerColor, DividerLayout, DividerSpace } from "./components/divider/divider.interfaces";
 export { DrawerContainer, DrawerDismissDetail, DrawerPresentDetail } from "./components/drawer/drawer.interfaces";
 export { FileUploadBlurDetail, FileUploadChangeDetail, FileUploadFilesAddedDetail, FileUploadFilesRemovedDetail, FileUploadFocusDetail, FileUploadInputClickDetail, FileUploadRejectedFileDetail } from "./components/file-upload/file-upload.interfaces";
-export { FooterLanguageChangeDetail } from "./components/footer/footer.interfaces";
+export { FooterContainer, FooterLanguageChangeDetail } from "./components/footer/footer.interfaces";
 export { PopupDismissDetail, PopupPlacement, PopupPresentDetail, PopupRole } from "./components/popup/popup.interfaces";
 export { IconColor, IconShape, IconSize, IconTileColor } from "./components/icon/icon.interfaces";
 export { ItemActionIcon, ItemLabelLevel, ItemLabelSize, ItemVariant } from "./components/list/item/item.interfaces";
@@ -1105,6 +1105,11 @@ export namespace Components {
      */
     interface DsFooter {
         "configChanged": (state: DsConfigState) => Promise<void>;
+        /**
+          * Sets the inner content container width. Accepts `'default'`, `'fluid'`, or `'compact'`. Matches the `ds-container` sizing variants.
+          * @default ''
+         */
+        "container": FooterContainer;
         /**
           * If `true` the default legal links from config will not be rendered. User must provide links via the `links` slot.
           * @default false
@@ -1959,6 +1964,11 @@ export namespace Components {
      *   Declarative  — add `data-popup="<id>"` to any trigger element and set matching `id` on popup.
      */
     interface DsPopup {
+        /**
+          * If `true`, renders a small arrow indicator pointing from the panel toward the trigger.
+          * @default false
+         */
+        "arrow": boolean;
         /**
           * If `true`, a full-screen backdrop overlay is rendered behind the popup panel.
           * @default false
@@ -2018,7 +2028,7 @@ export namespace Components {
          */
         "toggle": () => Promise<void>;
         /**
-          * Override the automatic focus-trap behaviour. When undefined, trapping is enabled for role="dialog" and disabled for all other roles.
+          * Override the automatic focus-trap behaviour. When undefined, trapping is enabled when `backdrop` is `true` and disabled otherwise.
           * @default undefined
          */
         "trapFocus": boolean | undefined;
@@ -5515,6 +5525,11 @@ declare namespace LocalJSX {
      * Links and social media are shown by default unless disabled.
      */
     interface DsFooter {
+        /**
+          * Sets the inner content container width. Accepts `'default'`, `'fluid'`, or `'compact'`. Matches the `ds-container` sizing variants.
+          * @default ''
+         */
+        "container"?: FooterContainer;
         /**
           * If `true` the default legal links from config will not be rendered. User must provide links via the `links` slot.
           * @default false
@@ -6411,6 +6426,11 @@ declare namespace LocalJSX {
      *   Declarative  — add `data-popup="<id>"` to any trigger element and set matching `id` on popup.
      */
     interface DsPopup {
+        /**
+          * If `true`, renders a small arrow indicator pointing from the panel toward the trigger.
+          * @default false
+         */
+        "arrow"?: boolean;
         /**
           * If `true`, a full-screen backdrop overlay is rendered behind the popup panel.
           * @default false
@@ -6473,7 +6493,7 @@ declare namespace LocalJSX {
          */
         "role"?: PopupRole;
         /**
-          * Override the automatic focus-trap behaviour. When undefined, trapping is enabled for role="dialog" and disabled for all other roles.
+          * Override the automatic focus-trap behaviour. When undefined, trapping is enabled when `backdrop` is `true` and disabled otherwise.
           * @default undefined
          */
         "trapFocus"?: boolean | undefined;
@@ -7956,6 +7976,7 @@ declare namespace LocalJSX {
         "autoInvalidOff": boolean;
     }
     interface DsFooterAttributes {
+        "container": FooterContainer;
         "hideLanguageSelection": boolean;
         "disableDefaultLinks": boolean;
         "disableDefaultSocialLinks": boolean;
@@ -8129,6 +8150,7 @@ declare namespace LocalJSX {
         "backdrop": boolean;
         "group": string | undefined;
         "label": string;
+        "arrow": boolean;
         "trapFocus": boolean | undefined;
     }
     interface DsProgressBarAttributes {
diff --git a/packages/core/src/components/footer/footer.host.scss b/packages/core/src/components/footer/footer.host.scss
index 598399d500..8ff6be48d6 100644
--- a/packages/core/src/components/footer/footer.host.scss
+++ b/packages/core/src/components/footer/footer.host.scss
@@ -42,7 +42,6 @@
   @include vars.local(footer-divider-color, var(--ds-footer-color-divider));
   @include vars.local(footer-content-max-width, var(--ds-footer-space-content-max-width));
   @include vars.local(footer-padding, var(--ds-footer-space-padding-base));
-  @include vars.local(footer-padding-tablet, var(--ds-footer-space-padding-tablet));
   @include vars.local(footer-content-padding-top, var(--ds-footer-space-content-padding-top));
   @include vars.local(footer-gap-row, var(--ds-footer-space-gap-row));
   @include vars.local(footer-gap-column, var(--ds-footer-space-gap-column));
@@ -67,8 +66,18 @@
 
 footer {
   margin: 0 auto;
-  max-width: var(--_footer-content-max-width);
-  padding: var(--_footer-padding);
+  padding-block: var(--_footer-padding);
+  padding-inline: var(--ds-alias-container-space-device);
+  width: 100%;
+  max-width: var(--ds-alias-container-width-base);
+
+  &.is-fluid {
+    max-width: var(--ds-alias-container-width-fluid);
+  }
+
+  &.is-compact {
+    max-width: var(--ds-alias-container-width-compact);
+  }
 }
 
 .top-row {
@@ -209,10 +218,6 @@ footer {
 }
 
 @include tablet {
-  footer {
-    padding: var(--_footer-padding-tablet);
-  }
-
   .bottom-row {
     align-items: start;
     grid-template-columns: 1fr;
diff --git a/packages/core/src/components/footer/footer.interfaces.ts b/packages/core/src/components/footer/footer.interfaces.ts
index 26834b17ee..aa9b56558c 100644
--- a/packages/core/src/components/footer/footer.interfaces.ts
+++ b/packages/core/src/components/footer/footer.interfaces.ts
@@ -1,3 +1,6 @@
+export const FOOTER_CONTAINERS = ['default', 'fluid', 'compact', ''] as const
+export type FooterContainer = (typeof FOOTER_CONTAINERS)[number]
+
 export interface FooterLink {
   label: string
   href: string
diff --git a/packages/core/src/components/footer/footer.tsx b/packages/core/src/components/footer/footer.tsx
index 3d85051822..3c55c4f544 100644
--- a/packages/core/src/components/footer/footer.tsx
+++ b/packages/core/src/components/footer/footer.tsx
@@ -1,6 +1,6 @@
 import { Component, Element, Event, EventEmitter, Method, Prop, State, h, Host } from '@stencil/core'
 import { HTMLStencilElement } from '@stencil/core/internal'
-import { Logger, type LogInstance, ValidateEmptyOrType, setupValidation } from '@utils'
+import { Logger, type LogInstance, ValidateEmptyOrType, setupValidation, ValidateEmptyOrOneOf } from '@utils'
 import {
   DsComponentInterface,
   DsConfigObserver,
@@ -11,7 +11,13 @@ import {
   ListenToConfig,
   defaultConfig,
 } from '@global'
-import { FooterLanguageChangeDetail, FooterLink, FooterSocialLink } from './footer.interfaces'
+import {
+  FOOTER_CONTAINERS,
+  FooterContainer,
+  FooterLanguageChangeDetail,
+  FooterLink,
+  FooterSocialLink,
+} from './footer.interfaces'
 import { i18nDsFooter } from './footer.i18n'
 
 /**
@@ -51,6 +57,14 @@ export class Footer implements DsComponentInterface, DsConfigObserver {
   @State() legalTextConfig: string | undefined
   @State() socialLinksConfig: FooterSocialLink[] | undefined
 
+  /**
+   * Sets the inner content container width. Accepts `'default'`, `'fluid'`, or `'compact'`.
+   * Matches the `ds-container` sizing variants.
+   */
+  @Prop()
+  @ValidateEmptyOrOneOf(FOOTER_CONTAINERS)
+  readonly container: FooterContainer = ''
+
   /**
    * If `true` the language selection will be hidden.
    */
@@ -205,7 +219,12 @@ export class Footer implements DsComponentInterface, DsConfigObserver {
 
     return (
       <Host>
-        <footer>
+        <footer
+          class={{
+            'is-fluid': this.container === 'fluid',
+            'is-compact': this.container === 'compact',
+          }}
+        >
           <div class="top-row">
             <div class="logo-area">{this.renderLogo()}</div>
 
diff --git a/packages/core/src/components/footer/test/footer.visual.html b/packages/core/src/components/footer/test/footer.visual.html
index 68e7a6e2fb..dbeb212cac 100644
--- a/packages/core/src/components/footer/test/footer.visual.html
+++ b/packages/core/src/components/footer/test/footer.visual.html
@@ -45,5 +45,6 @@
         </ds-footer>
       </section>
     </main>
+    <ds-footer></ds-footer>
   </body>
 </html>
diff --git "a/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-basic-\360\237\226\274\357\270\217-Visual-\360\237\222\273-Desktop-Chrome-linux.png" "b/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-basic-\360\237\226\274\357\270\217-Visual-\360\237\222\273-Desktop-Chrome-linux.png"
index dab240ef85..edad3896b6 100644
Binary files "a/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-basic-\360\237\226\274\357\270\217-Visual-\360\237\222\273-Desktop-Chrome-linux.png" and "b/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-basic-\360\237\226\274\357\270\217-Visual-\360\237\222\273-Desktop-Chrome-linux.png" differ
diff --git "a/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-basic-\360\237\226\274\357\270\217-Visual-\360\237\223\261-Mobile-Chrome-linux.png" "b/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-basic-\360\237\226\274\357\270\217-Visual-\360\237\223\261-Mobile-Chrome-linux.png"
index 4b81565e94..ce5e926c20 100644
Binary files "a/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-basic-\360\237\226\274\357\270\217-Visual-\360\237\223\261-Mobile-Chrome-linux.png" and "b/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-basic-\360\237\226\274\357\270\217-Visual-\360\237\223\261-Mobile-Chrome-linux.png" differ
diff --git "a/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-custom-\360\237\226\274\357\270\217-Visual-\360\237\222\273-Desktop-Chrome-linux.png" "b/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-custom-\360\237\226\274\357\270\217-Visual-\360\237\222\273-Desktop-Chrome-linux.png"
index e2b6a9a984..27667770bc 100644
Binary files "a/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-custom-\360\237\226\274\357\270\217-Visual-\360\237\222\273-Desktop-Chrome-linux.png" and "b/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-custom-\360\237\226\274\357\270\217-Visual-\360\237\222\273-Desktop-Chrome-linux.png" differ
diff --git "a/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-custom-\360\237\226\274\357\270\217-Visual-\360\237\223\261-Mobile-Chrome-linux.png" "b/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-custom-\360\237\226\274\357\270\217-Visual-\360\237\223\261-Mobile-Chrome-linux.png"
index 43f2b86c2e..92a06db9a9 100644
Binary files "a/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-custom-\360\237\226\274\357\270\217-Visual-\360\237\223\261-Mobile-Chrome-linux.png" and "b/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-custom-\360\237\226\274\357\270\217-Visual-\360\237\223\261-Mobile-Chrome-linux.png" differ
diff --git "a/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-slotted-logo-\360\237\226\274\357\270\217-Visual-\360\237\222\273-Desktop-Chrome-linux.png" "b/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-slotted-logo-\360\237\226\274\357\270\217-Visual-\360\237\222\273-Desktop-Chrome-linux.png"
index 4825fc4e03..0d62cf9caf 100644
Binary files "a/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-slotted-logo-\360\237\226\274\357\270\217-Visual-\360\237\222\273-Desktop-Chrome-linux.png" and "b/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-slotted-logo-\360\237\226\274\357\270\217-Visual-\360\237\222\273-Desktop-Chrome-linux.png" differ
diff --git "a/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-slotted-logo-\360\237\226\274\357\270\217-Visual-\360\237\223\261-Mobile-Chrome-linux.png" "b/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-slotted-logo-\360\237\226\274\357\270\217-Visual-\360\237\223\261-Mobile-Chrome-linux.png"
index 7096d60583..dabcc6038d 100644
Binary files "a/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-slotted-logo-\360\237\226\274\357\270\217-Visual-\360\237\223\261-Mobile-Chrome-linux.png" and "b/packages/core/src/components/footer/test/footer.visual.play.ts-snapshots/footer-slotted-logo-\360\237\226\274\357\270\217-Visual-\360\237\223\261-Mobile-Chrome-linux.png" differ
diff --git a/packages/core/src/components/list/item/item.host.scss b/packages/core/src/components/list/item/item.host.scss
index 221b0172a8..fdacf92469 100644
--- a/packages/core/src/components/list/item/item.host.scss
+++ b/packages/core/src/components/list/item/item.host.scss
@@ -39,20 +39,26 @@
   @include vars.local(list-item-content-gap, 1px);
 
   @include vars.local(list-item-color, inherit);
-  @include vars.local(list-item-border-color, var(--ds-list-item-border-color));
+  @include vars.local(list-item-border-color-base, var(--ds-list-item-border-color));
+  @include vars.local(list-item-border-color-hover, var(--ds-link-color-base));
+  @include vars.local(list-item-border-color-active, var(--ds-link-color-base-active));
   @include vars.local(list-item-border-width, var(--ds-list-item-border-width, 2px));
   @include vars.local(list-item-border-radius, 12px);
 
+  @include vars.local(list-item-background-base, transparent);
+  @include vars.local(list-item-background-hover, var(--ds-global-color-primary-1));
+  @include vars.local(list-item-background-active, var(--ds-global-color-primary-1));
+
   @include vars.local(list-item-accordion-py, var(--ds-alias-space-base-device));
 
   @include vars.local(list-item-action-icon-size, var(--ds-icon-size-xs));
 
   @include vars.local(list-item-title-size, var(--ds-heading-5-size-device));
-  @include vars.local(list-item-title-weight, var(--ds-text-weight-bold));
+  @include vars.local(list-item-title-weight, var(--ds-alias-text-weight-bold));
   @include vars.local(list-item-title-family, var(--ds-global-font-family-heading));
 
   @include vars.local(list-item-text-family, var(--ds-global-font-family-body));
-  @include vars.local(list-item-text-weight, var(--ds-text-weight-regular));
+  @include vars.local(list-item-text-weight, var(--ds-alias-text-weight-regular));
   @include vars.local(list-item-text-size, var(--ds-text-size-sm-device));
 }
 
@@ -103,7 +109,7 @@
 
   @include font-smoothing();
   font-family: var(--_list-item-title-family);
-  padding: var(--_list-item-space) 0;
+  padding: var(--_list-item-space) 0.25rem;
   padding-bottom: calc(var(--_list-item-space) + 2px);
   min-height: var(--_list-item-min-height);
 
@@ -149,7 +155,7 @@
   &:after {
     @include border();
     height: var(--_list-item-border-width);
-    background: var(--_list-item-border-color);
+    background: var(--_list-item-border-color-base);
   }
 }
 
@@ -184,6 +190,7 @@ $size-aliases: (
     text-decoration: none;
     outline: none;
     cursor: pointer;
+    background: var(--_list-item-background-base);
 
     &::-moz-focus-inner {
       border: 0;
@@ -201,28 +208,13 @@ $size-aliases: (
     @include hover {
       &:hover,
       &.is-hovered {
-        &:after {
-          background: var(--ds-link-color-base-hover);
-        }
-
-        color: var(--ds-link-color-base-hover);
-        #content {
-          color: var(--ds-link-color-base-hover);
-        }
-        ds-icon,
-        ::slotted(ds-icon),
-        ::slotted(ds-badge) {
-          --icon-color: var(--ds-link-color-base-hover);
-        }
+        background: var(--_list-item-background-hover);
       }
     }
 
     &:active,
     &.is-pressed {
-      &:after {
-        background: var(--ds-link-color-base-active);
-      }
-
+      background: var(--_list-item-background-active);
       color: var(--ds-link-color-base-active);
       #content {
         color: var(--ds-link-color-base-active);
@@ -234,23 +226,40 @@ $size-aliases: (
       }
     }
 
+    &:before {
+      @include vars.focus-basic(list-item);
+    }
+
     &:focus-visible,
     &.is-focused {
       &:not(:active) {
         &:before {
           @include vars.focus-styles(list-item);
+        }
+      }
+    }
+  }
+}
 
-          content: '';
-          position: absolute;
-          top: 0;
-          left: 0;
-          right: 0;
-          bottom: 0;
-          z-index: 1;
-          border-radius: var(--ds-alias-radius-base);
+:host(.is-link),
+:host(.is-button),
+:host(.is-accordion) {
+  #item {
+    @include hover {
+      &:hover,
+      &.is-hovered {
+        &:after {
+          background: var(--_list-item-border-color-hover);
         }
       }
     }
+
+    &:active,
+    &.is-pressed {
+      &:after {
+        background: var(--_list-item-border-color-active);
+      }
+    }
   }
 }
 
@@ -262,13 +271,33 @@ $size-aliases: (
     padding-block: var(--_list-item-accordion-py);
   }
 
+  ds-accordion {
+    --accordion-summary-color-hover: var(--ds-link-color-base);
+  }
+
+  ds-accordion::part(header) {
+    background: var(--_list-item-background-base);
+  }
+
+  ds-accordion::part(summary) {
+    padding-right: 0.25rem;
+  }
+
+  ds-accordion::part(summary):hover {
+    background: var(--_list-item-background-hover);
+  }
+
+  ds-accordion::part(summary):active {
+    background: var(--_list-item-background-active);
+  }
+
   #accordion-content {
     //
     // Border
     &:after {
       @include border();
       height: var(--_list-item-border-width);
-      background: var(--_list-item-border-color);
+      background: var(--_list-item-border-color-base);
     }
   }
 }
diff --git a/packages/core/src/components/list/test/list.visual.play.ts b/packages/core/src/components/list/test/list.visual.play.ts
new file mode 100644
index 0000000000..6368a0e1d1
--- /dev/null
+++ b/packages/core/src/components/list/test/list.visual.play.ts
@@ -0,0 +1,34 @@
+import { expectScreenshot, screenshot, test } from '@baloise/ds-playwright'
+
+const TAG = 'list'
+const VARIANTS = ['basic', 'ordered', 'linked', 'download', 'accordion', 'nested-accordion']
+
+const image = screenshot(TAG)
+
+test.describe('style', () => {
+  test.beforeEach('Setup', async ({ page }) => {
+    await page.setupVisualTest(`/components/${TAG}/test/${TAG}.style.html`)
+  })
+
+  VARIANTS.forEach(variant => {
+    test(variant, async ({ page }) => {
+      const el = page.getByTestId(variant)
+      await expectScreenshot(el, image(`style-${variant}`))
+    })
+  })
+})
+
+const VARIANTS_HOST = ['basic', 'ordered', 'linked', 'download', 'accordion', 'nested-accordion']
+
+test.describe('host', () => {
+  test.beforeEach('Setup', async ({ page }) => {
+    await page.setupVisualTest(`/components/${TAG}/test/${TAG}.visual.html`)
+  })
+
+  VARIANTS_HOST.forEach(variant => {
+    test(variant, async ({ page }) => {
+      const el = page.getByTestId(variant)
+      await expectScreenshot(el, image(variant))
+    })
+  })
+})
diff --git a/packages/core/src/components/popup/popup.host.scss b/packages/core/src/components/popup/popup.host.scss
index ffb7ab8812..23eacb99a5 100644
--- a/packages/core/src/components/popup/popup.host.scss
+++ b/packages/core/src/components/popup/popup.host.scss
@@ -10,6 +10,7 @@
  * @prop --popup-max-width: Maximum width of the popup panel.
  * @prop --popup-z-index: Z-index stacking level of the popup layer.
  * @prop --popup-backdrop-opacity: Opacity of the optional full-screen backdrop.
+ * @prop --popup-arrow-size: Size (width and height) of the arrow indicator.
  */
 
 // ─── Variables ────────────────────────────────────────────────────────────────
@@ -23,6 +24,7 @@
   @include vars.local(popup-max-width, none);
   @include vars.local(popup-z-index, var(--ds-popup-z-index));
   @include vars.local(popup-backdrop-opacity, var(--ds-backdrop-opacity));
+  @include vars.local(popup-arrow-size, var(--ds-popup-arrow-size, 8px));
 
   display: contents;
 }
@@ -64,6 +66,11 @@
   opacity: 0;
   visibility: hidden;
   pointer-events: none;
+
+  outline: none !important;
+  &::-moz-focus-inner {
+    border: 0;
+  }
 }
 
 :host(.is-open) [part='panel'] {
@@ -86,6 +93,34 @@
   right: 0.5rem;
 }
 
+:host(.is-closable) [part='panel'] {
+  padding-right: calc(var(--_popup-padding) + var(--_popup-padding));
+}
+
+// ─── Arrow ────────────────────────────────────────────────────────────────────
+
+[part='arrow'] {
+  position: absolute;
+  width: var(--_popup-arrow-size);
+  height: var(--_popup-arrow-size);
+  background: var(--_popup-background);
+  transform: rotate(45deg);
+  pointer-events: none;
+}
+
+[part='panel'][data-placement='bottom'] [part='arrow'] {
+  top: calc(var(--_popup-arrow-size) / -2);
+}
+[part='panel'][data-placement='top'] [part='arrow'] {
+  bottom: calc(var(--_popup-arrow-size) / -2);
+}
+[part='panel'][data-placement='right'] [part='arrow'] {
+  left: calc(var(--_popup-arrow-size) / -2);
+}
+[part='panel'][data-placement='left'] [part='arrow'] {
+  right: calc(var(--_popup-arrow-size) / -2);
+}
+
 // ─── Reduced motion ───────────────────────────────────────────────────────────
 
 @media (prefers-reduced-motion: reduce) {
diff --git a/packages/core/src/components/popup/popup.tsx b/packages/core/src/components/popup/popup.tsx
index 37630a8612..1340296f9c 100644
--- a/packages/core/src/components/popup/popup.tsx
+++ b/packages/core/src/components/popup/popup.tsx
@@ -1,15 +1,15 @@
-import { autoUpdate, computePosition, flip, offset, shift } from '@floating-ui/dom'
+import { arrow, autoUpdate, computePosition, flip, offset, shift } from '@floating-ui/dom'
 import { Component, Element, Event, EventEmitter, h, Host, Listen, Method, Prop, State, Watch } from '@stencil/core'
 import { HTMLStencilElement } from '@stencil/core/internal'
 import { DsComponentInterface, DsConfigObserver, DsConfigState, ListenToConfig } from '@global'
 import {
+  FocusHandler,
   Logger,
   type LogInstance,
   ValidateEmptyOrOneOf,
   ValidateEmptyOrType,
   dsBrowser,
   isEscapeKey,
-  isTabKey,
   setupValidation,
   wait,
 } from '@utils'
@@ -22,15 +22,6 @@ import {
   type PopupDismissDetail,
 } from './popup.interfaces'
 
-const FOCUSABLE_QUERY = [
-  'button:not([disabled]):not([tabindex^="-"])',
-  'input:not([type=hidden]):not([disabled]):not([tabindex^="-"])',
-  'select:not([disabled]):not([tabindex^="-"])',
-  'textarea:not([disabled]):not([tabindex^="-"])',
-  'a[href]:not([tabindex^="-"])',
-  '[tabindex]:not([tabindex^="-"])',
-].join(', ')
-
 // ─── Group registry ───────────────────────────────────────────────────────────
 // Module-level map so same-group popups can dismiss each other.
 const popupGroups = new Map<string, Set<HTMLDsPopupElement>>()
@@ -54,8 +45,10 @@ const popupGroups = new Map<string, Set<HTMLDsPopupElement>>()
   shadow: true,
 })
 export class Popup implements DsComponentInterface, DsConfigObserver {
+  private arrowEl: HTMLDivElement | undefined
   private cleanupPositioner?: () => void
   private currentTrigger: HTMLElement | undefined = undefined
+  private focusHandler = new FocusHandler()
   private transitionQueue: Promise<void> = Promise.resolve()
 
   log!: LogInstance
@@ -165,9 +158,16 @@ export class Popup implements DsComponentInterface, DsConfigObserver {
   @ValidateEmptyOrType('string')
   readonly label: string = ''
 
+  /**
+   * If `true`, renders a small arrow indicator pointing from the panel toward the trigger.
+   */
+  @Prop()
+  @ValidateEmptyOrType('boolean')
+  readonly arrow: boolean = false
+
   /**
    * Override the automatic focus-trap behaviour.
-   * When undefined, trapping is enabled for role="dialog" and disabled for all other roles.
+   * When undefined, trapping is enabled when `backdrop` is `true` and disabled otherwise.
    */
   @Prop()
   @ValidateEmptyOrType('boolean')
@@ -216,6 +216,7 @@ export class Popup implements DsComponentInterface, DsConfigObserver {
 
   disconnectedCallback(): void {
     this.cleanupPositioner?.()
+    this.focusHandler.disconnect()
     if (this.trigger) {
       this.trigger.removeAttribute('aria-haspopup')
       this.trigger.removeAttribute('aria-expanded')
@@ -291,11 +292,6 @@ export class Popup implements DsComponentInterface, DsConfigObserver {
     if (this.closable && isEscapeKey(ev)) {
       ev.stopPropagation()
       this.dismiss()
-      return
-    }
-
-    if (isTabKey(ev) && this.shouldTrapFocus) {
-      this.handleFocusTrap(ev)
     }
   }
 
@@ -306,7 +302,7 @@ export class Popup implements DsComponentInterface, DsConfigObserver {
 
   private get shouldTrapFocus(): boolean {
     if (this.trapFocus !== undefined) return this.trapFocus
-    return this.role === 'dialog'
+    return this.backdrop
   }
 
   private runPresent(): void {
@@ -335,7 +331,11 @@ export class Popup implements DsComponentInterface, DsConfigObserver {
 
     if (this.animated) await wait(300)
 
-    this.focusPanel()
+    if (this.shouldTrapFocus) {
+      this.focusHandler.enable({ target: this.panelEl, restoreElement: trigger ?? null })
+    } else {
+      this.focusPanel()
+    }
     this.dsDidPresent.emit({ trigger })
   }
 
@@ -356,7 +356,12 @@ export class Popup implements DsComponentInterface, DsConfigObserver {
 
     if (this.animated) await wait(300)
 
-    trigger?.focus()
+    if (this.shouldTrapFocus) {
+      this.focusHandler.disable()
+      this.focusHandler.restoreFocus()
+    } else {
+      trigger?.focus()
+    }
     this.dsDidDismiss.emit({ trigger })
   }
 
@@ -373,22 +378,35 @@ export class Popup implements DsComponentInterface, DsConfigObserver {
 
   private async updatePosition(trigger: HTMLElement): Promise<void> {
     if (!this.panelEl) return
-    const { x, y, placement } = await computePosition(trigger, this.panelEl, {
+    const { x, y, placement, middlewareData } = await computePosition(trigger, this.panelEl, {
       placement: this.placement,
       strategy: 'fixed',
       middleware: [
         dsBrowser.hasWindow && !window.frameElement ? shift() : undefined,
         flip(),
         offset(this.offset),
+        this.arrow && this.arrowEl ? arrow({ element: this.arrowEl }) : undefined,
       ].filter(Boolean) as NonNullable<Parameters<typeof computePosition>[2]>['middleware'],
     })
     Object.assign(this.panelEl.style, { left: `${x}px`, top: `${y}px` })
     this.panelEl.dataset['placement'] = placement.split('-')[0]
+
+    if (this.arrow && this.arrowEl && middlewareData.arrow) {
+      const { x: ax, y: ay } = middlewareData.arrow
+      Object.assign(this.arrowEl.style, {
+        left: ax != null ? `${ax}px` : '',
+        top: ay != null ? `${ay}px` : '',
+      })
+    }
   }
 
   private focusPanel(): void {
     if (!this.panelEl) return
-    const focusable = this.getFocusableElements()
+    const focusable = Array.from(
+      this.panelEl.querySelectorAll<HTMLElement>(
+        'button:not([disabled]):not([tabindex^="-"]),input:not([type=hidden]):not([disabled]):not([tabindex^="-"]),select:not([disabled]):not([tabindex^="-"]),textarea:not([disabled]):not([tabindex^="-"]),a[href]:not([tabindex^="-"]),[tabindex]:not([tabindex^="-"])',
+      ),
+    )
     if (focusable.length > 0) {
       focusable[0].focus({ preventScroll: true })
     } else {
@@ -396,41 +414,6 @@ export class Popup implements DsComponentInterface, DsConfigObserver {
     }
   }
 
-  private handleFocusTrap(ev: KeyboardEvent): void {
-    const focusable = this.getFocusableElements()
-    if (focusable.length === 0) return
-
-    const first = focusable[0]
-    const last = focusable[focusable.length - 1]
-    const active = this.getDeepActiveElement()
-
-    if (ev.shiftKey) {
-      if (active === first || active === this.panelEl) {
-        ev.preventDefault()
-        last.focus()
-      }
-    } else {
-      if (active === last) {
-        ev.preventDefault()
-        first.focus()
-      }
-    }
-  }
-
-  /** Walks shadow roots to find the truly focused element. */
-  private getDeepActiveElement(): Element | null {
-    let el: Element | null = document.activeElement
-    while (el?.shadowRoot?.activeElement) {
-      el = el.shadowRoot.activeElement
-    }
-    return el
-  }
-
-  private getFocusableElements(): HTMLElement[] {
-    if (!this.panelEl) return []
-    return Array.from(this.panelEl.querySelectorAll<HTMLElement>(FOCUSABLE_QUERY))
-  }
-
   private registerGroup(): void {
     if (!this.group) return
     if (!popupGroups.has(this.group)) popupGroups.set(this.group, new Set())
@@ -469,7 +452,7 @@ export class Popup implements DsComponentInterface, DsConfigObserver {
 
   render() {
     return (
-      <Host class={{ 'is-open': this.isOpen, 'is-animated': this.animated }}>
+      <Host class={{ 'is-open': this.isOpen, 'is-animated': this.animated, 'is-closable': this.closable }}>
         {this.backdrop && <div part="backdrop" />}
         <div
           part="panel"
@@ -480,6 +463,7 @@ export class Popup implements DsComponentInterface, DsConfigObserver {
           tabindex="-1"
           data-testid="ds-popup-panel"
         >
+          {this.arrow && <div part="arrow" ref={el => (this.arrowEl = el as HTMLDivElement)} />}
           {this.closable && <ds-close part="close" onClick={this.handleCloseClick} />}
           <slot />
         </div>
diff --git a/packages/core/src/components/popup/test/popup.visual.html b/packages/core/src/components/popup/test/popup.visual.html
index dc08a02291..95dcc9ce8e 100644
--- a/packages/core/src/components/popup/test/popup.visual.html
+++ b/packages/core/src/components/popup/test/popup.visual.html
@@ -63,7 +63,7 @@
         <section data-testid="backdrop-overlay">
           <span>Backdrop overlay</span>
           <ds-button data-popup="popup-overlay">Open with backdrop</ds-button>
-          <ds-popup id="popup-overlay" label="Backdrop overlay" backdrop backdrop-dismiss closable>
+          <ds-popup id="popup-overlay" label="Backdrop overlay" backdrop backdrop-dismiss closable arrow>
             <p>Full-screen backdrop is visible behind the panel.</p>
           </ds-popup>
         </section>
diff --git a/packages/core/src/vars.scss b/packages/core/src/vars.scss
index a3671b7d16..fcd1ea151f 100644
--- a/packages/core/src/vars.scss
+++ b/packages/core/src/vars.scss
@@ -109,6 +109,21 @@
   @include local(#{$name}-focus, var(--ds-alias-interaction-focus-color-base));
 }
 
+@mixin focus-basic($name) {
+  content: '';
+  position: absolute;
+  top: 0;
+  left: 0;
+  right: 0;
+  bottom: 0;
+  z-index: 1;
+  border-radius: var(--ds-alias-radius-base);
+  touch-action: manipulation;
+  transition-property: box-shadow;
+  transition-duration: 0.2s;
+  transition-timing-function: cubic-bezier(0, 0, 0.2, 1);
+}
+
 @mixin focus-styles($name) {
   box-shadow:
     var(--ds-alias-interaction-focus-color-border) 0 0 0 2px,
diff --git a/packages/css/package.json b/packages/css/package.json
index 34aa00e55c..b041befce5 100644
--- a/packages/css/package.json
+++ b/packages/css/package.json
@@ -10,6 +10,7 @@
     "access": "public"
   },
   "homepage": "https://baloise-design-system.vercel.app",
+  "security": "https://github.com/baloise/design-system/security/advisories/new",
   "license": "Apache-2.0",
   "type": "module",
   "exports": {
diff --git a/packages/playwright/package.json b/packages/playwright/package.json
index f4f67c411d..d53458a32a 100644
--- a/packages/playwright/package.json
+++ b/packages/playwright/package.json
@@ -10,6 +10,7 @@
     "access": "public"
   },
   "homepage": "https://design.baloise.dev",
+  "security": "https://github.com/baloise/design-system/security/advisories/new",
   "license": "Apache-2.0",
   "type": "module",
   "main": "dist/src/index.js",
diff --git a/packages/tokens/package.json b/packages/tokens/package.json
index 9ffe5d31ab..065c2d0f1f 100644
--- a/packages/tokens/package.json
+++ b/packages/tokens/package.json
@@ -19,6 +19,7 @@
     "lint": "eslint ."
   },
   "homepage": "https://design.baloise.dev",
+  "security": "https://github.com/baloise/design-system/security/advisories/new",
   "license": "Apache-2.0",
   "files": [
     "dist/"
diff --git a/packages/tokens/tokens/Base.tokens.json b/packages/tokens/tokens/Base.tokens.json
index 881d780360..b073927d3d 100644
--- a/packages/tokens/tokens/Base.tokens.json
+++ b/packages/tokens/tokens/Base.tokens.json
@@ -5172,15 +5172,7 @@
         "Padding": {
           "Base": {
             "$type": "string",
-            "$value": "2rem 1rem 1.5rem",
-            "$extensions": {
-              "com.figma.type": "string",
-              "com.figma.isOverride": true
-            }
-          },
-          "Tablet": {
-            "$type": "string",
-            "$value": "2.5rem 2rem 1.75rem",
+            "$value": "2rem",
             "$extensions": {
               "com.figma.type": "string",
               "com.figma.isOverride": true