fix(deps): update dependency permission_handler to v12

fix: indentation and typo (#28349 )
* fix: indentation and typo * neline
2026-05-14 11:32:15 -04:00 · 2026-05-11 14:28:27 +00:00 · 2026-05-11 09:17:39 -05:00 · 2026-05-11 09:40:19 -04:00 · 2026-05-11 08:02:57 -04:00 · 2026-05-11 08:02:26 -04:00
1514 changed files with 66308 additions and 71817 deletions
@@ -6,6 +6,12 @@ mobile/openapi/**/*.dart linguist-generated=true
 mobile/lib/**/*.g.dart -diff -merge
 mobile/lib/**/*.g.dart linguist-generated=true

+mobile/android/**/*.g.kt -diff -merge
+mobile/android/**/*.g.kt linguist-generated=true
+
+mobile/ios/**/*.g.swift -diff -merge
+mobile/ios/**/*.g.swift linguist-generated=true
+
 mobile/lib/**/*.drift.dart -diff -merge
 mobile/lib/**/*.drift.dart linguist-generated=true

@@ -1 +0,0 @@
-24.14.1
@@ -51,7 +51,7 @@ jobs:
        run: |
          gh api graphql \
            -f prId="$NODE_ID" \
-            -f body="This PR has been automatically closed as the description doesn't follow our template. After you edit it to match the template, the PR will automatically be reopened." \
+            -f body="This PR has been automatically closed as the description doesn't follow [our template](https://github.com/immich-app/immich/blob/main/.github/pull_request_template.md). After you edit it to match the template, the PR will automatically be reopened." \
            -f query='
              mutation CommentAndClosePR($prId: ID!, $body: String!) {
                addComment(input: {
@@ -51,14 +51,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
+        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -73,24 +73,25 @@ jobs:
    needs: pre-job
    permissions:
      contents: read
-    # Skip when PR from a fork
-    if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && fromJSON(needs.pre-job.outputs.should_run).mobile == true }}
+      pull-requests: write
+    if: ${{ github.actor != 'dependabot[bot]' && fromJSON(needs.pre-job.outputs.should_run).mobile == true }}
    runs-on: mich

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          ref: ${{ inputs.ref || github.sha }}
+          ref: ${{ inputs.ref }}
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

      - name: Create the Keystore
+        if: ${{ !github.event.pull_request.head.repo.fork }}
        env:
          KEY_JKS: ${{ secrets.KEY_JKS }}
        working-directory: ./mobile
@@ -103,7 +104,7 @@ jobs:

      - name: Restore Gradle Cache
        id: cache-gradle-restore
-        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        with:
          path: |
            ~/.gradle/caches
@@ -121,7 +122,7 @@ jobs:
          cache: true

      - name: Setup Android SDK
-        uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3.2.2
+        uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1
        with:
          packages: ''

@@ -144,23 +145,46 @@ jobs:
          ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
          ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
          IS_MAIN: ${{ github.ref == 'refs/heads/main' }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          if [[ $IS_MAIN == 'true' ]]; then
            flutter build apk --release
            flutter build apk --release --split-per-abi --target-platform android-arm,android-arm64,android-x64
          else
-            flutter build apk --debug --split-per-abi --target-platform android-arm64
+            flutter build apk --release
          fi

      - name: Publish Android Artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        id: upload-apk
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: release-apk-signed
          path: mobile/build/app/outputs/flutter-apk/*.apk

+      - name: Comment APK download link on PR
+        if: ${{ github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork }}
+        uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
+        env:
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          APK_URL: ${{ steps.upload-apk.outputs.artifact-url }}
+        with:
+          github-token: ${{ steps.token.outputs.token }}
+          message-id: 'mobile-android-apk'
+          message: |
+            📱 **Android release APK (universal)** — `${{ env.HEAD_SHA }}`
+
+            Download: ${{ env.APK_URL }}
+
+            <details>
+              <summary>QR code</summary>
+              <img src="https://api.qrserver.com/v1/create-qr-code/?size=240x240&data=${{ env.APK_URL }}" alt="QR code" />
+            </details>
+
+            Installs as a separate app (applicationId `app.alextran.immich.pr${{ github.event.pull_request.number }}`), so it coexists with the Play Store version and any other PR builds.
+
      - name: Save Gradle Cache
        id: cache-gradle-save
-        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
        if: github.ref == 'refs/heads/main'
        with:
          path: |
@@ -210,7 +234,7 @@ jobs:
        working-directory: ./mobile

      - name: Setup Ruby
-        uses: ruby/setup-ruby@3ff19f5e2baf30647122352b96108b1fbe250c64 # v1.299.0
+        uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
        with:
          ruby-version: '3.3'
          bundler-cache: true
@@ -291,7 +315,7 @@ jobs:
          security delete-keychain build.keychain || true

      - name: Upload IPA artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ios-release-ipa
          path: mobile/ios/Runner.ipa
@@ -19,9 +19,9 @@ jobs:
      actions: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check out code
@@ -24,7 +24,7 @@ jobs:
          persist-credentials: false

      - name: Check for breaking API changes
-        uses: oasdiff/oasdiff-action/breaking@1f38ea5ea0b4a2e4e49901c3bcdf4386a05e9ea1 # v0.0.37
+        uses: oasdiff/oasdiff-action/breaking@37bf9ff785c7315df88216660826e71be4cc03da # v0.0.44
        with:
          base: https://raw.githubusercontent.com/${{ github.repository }}/main/open-api/immich-openapi-specs.json
          revision: open-api/immich-openapi-specs.json
@@ -31,35 +31,25 @@ jobs:
        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './cli/.nvmrc'
-          registry-url: 'https://registry.npmjs.org'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
+          github_token: ${{ steps.token.outputs.token }}

-      - name: Setup typescript-sdk
-        run: pnpm install && pnpm run build
-        working-directory: ./open-api/typescript-sdk
-
-      - run: pnpm install --frozen-lockfile
-      - run: pnpm build
-      - run: pnpm publish --provenance --no-git-checks
+      - name: Publish
        if: ${{ github.event_name == 'release' }}
+        run: mise run ci-publish

  docker:
    name: Docker
@@ -71,9 +61,9 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
@@ -115,7 +105,7 @@ jobs:
            type=raw,value=latest,enable=${{ github.event_name == 'release' }}

      - name: Build and push image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          file: cli/Dockerfile
          platforms: linux/amd64,linux/arm64
@@ -35,7 +35,7 @@ jobs:
    needs: [get_body, should_run]
    if: ${{ needs.should_run.outputs.should_run == 'true' }}
    container:
-      image: ghcr.io/immich-app/mdq:main@sha256:557cca601891b8b7d78b940071d35aaf7aaeb9b327d19b22cf282118edbc5272
+      image: ghcr.io/immich-app/mdq:main@sha256:32abe582452b12dff55055e1d6bc24508a8f17164f9d1831db7bb70953c014c6
    outputs:
      checked: ${{ steps.get_checkbox.outputs.checked }}
    steps:
@@ -44,9 +44,9 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout repository
@@ -57,7 +57,7 @@ jobs:

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -70,7 +70,7 @@ jobs:
      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
-        uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -83,6 +83,6 @@ jobs:
      #   ./location_of_script_within_repo/buildscript.sh

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          category: '/language:${{matrix.language}}'
@@ -23,14 +23,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
+        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -132,7 +132,7 @@ jobs:
            suffixes: '-rocm'
            platforms: linux/amd64
            runner-mapping: '{"linux/amd64": "pokedex-large"}'
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@61a0fc2b41524edcc7c9fffb8bb178e6b0ccf21d # multi-runner-build-workflow-v2.3.0
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@5813c7c4f7016c748ae7ac5d5f684846649d4d20 # multi-runner-build-workflow-v2.4.0
    permissions:
      contents: read
      actions: read
@@ -155,7 +155,7 @@ jobs:
    name: Build and Push Server
    needs: pre-job
    if: ${{ fromJSON(needs.pre-job.outputs.should_run).server == true }}
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@61a0fc2b41524edcc7c9fffb8bb178e6b0ccf21d # multi-runner-build-workflow-v2.3.0
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@5813c7c4f7016c748ae7ac5d5f684846649d4d20 # multi-runner-build-workflow-v2.4.0
    permissions:
      contents: read
      actions: read
@@ -178,7 +178,7 @@ jobs:
    runs-on: ubuntu-latest
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
+      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
        with:
          needs: ${{ toJSON(needs) }}

@@ -189,6 +189,6 @@ jobs:
    runs-on: ubuntu-latest
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
+      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
        with:
          needs: ${{ toJSON(needs) }}
@@ -21,14 +21,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
+        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -54,9 +54,9 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -64,17 +64,11 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-          fetch-depth: 0

-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './docs/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
+          github_token: ${{ steps.token.outputs.token }}

      - name: Run install
        run: pnpm install
@@ -86,7 +80,7 @@ jobs:
        run: pnpm build

      - name: Upload build output
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: docs-build-output
          path: docs/build/
@@ -20,16 +20,16 @@ jobs:
      artifact: ${{ steps.get-artifact.outputs.result }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - if: ${{ github.event.workflow_run.conclusion != 'success' }}
        run: echo 'The triggering workflow did not succeed' && exit 1
      - name: Get artifact
        id: get-artifact
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          script: |
@@ -48,7 +48,7 @@ jobs:
            return { found: true, id: matchArtifact.id };
      - name: Determine deploy parameters
        id: parameters
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        with:
@@ -119,9 +119,9 @@ jobs:
    if: ${{ fromJson(needs.checks.outputs.artifact).found && fromJson(needs.checks.outputs.parameters).shouldDeploy }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -131,11 +131,13 @@ jobs:
          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@035e80a7d4355d5f087ffb95db9e4a0944c04e56 # use-mise-action-v1.1.3
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
+        with:
+          github_token: ${{ steps.token.outputs.token }}

      - name: Load parameters
        id: parameters
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          PARAM_JSON: ${{ needs.checks.outputs.parameters }}
        with:
@@ -147,7 +149,7 @@ jobs:
            core.setOutput("shouldDeploy", parameters.shouldDeploy);

      - name: Download artifact
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        env:
          ARTIFACT_JSON: ${{ needs.checks.outputs.artifact }}
        with:
@@ -211,7 +213,7 @@ jobs:
        run: 'mise run //deployment:tf apply'

      - name: Comment
-        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
+        uses: actions-cool/maintain-one-comment@909842216bc8e8658364c572ec52100f4c2cc50a # v3.3.0
        if: ${{ steps.parameters.outputs.event == 'pr' }}
        with:
          token: ${{ steps.token.outputs.token }}
@@ -17,9 +17,9 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -29,7 +29,9 @@ jobs:
          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@035e80a7d4355d5f087ffb95db9e4a0944c04e56 # use-mise-action-v1.1.3
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
+        with:
+          github_token: ${{ steps.token.outputs.token }}

      - name: Destroy Docs Subdomain
        env:
@@ -42,7 +44,7 @@ jobs:
        run: 'mise run //deployment:tf destroy -- -refresh=false'

      - name: Comment
-        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
+        uses: actions-cool/maintain-one-comment@909842216bc8e8658364c572ec52100f4c2cc50a # v3.3.0
        with:
          token: ${{ steps.token.outputs.token }}
          number: ${{ github.event.number }}
@@ -14,41 +14,35 @@ jobs:
      contents: write
      pull-requests: write
    steps:
-      - name: Generate a token
-        id: generate-token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      - id: token
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - name: 'Checkout'
+      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
-          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
+          token: ${{ steps.token.outputs.token }}

-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './server/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
+          github_token: ${{ steps.token.outputs.token }}

      - name: Fix formatting
        run: pnpm --recursive install && pnpm run --recursive --if-present --parallel format:fix

      - name: Commit and push
-        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
+        uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10.0.0
        with:
          default_author: github_actions
          message: 'chore: fix formatting'

      - name: Remove label
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        if: always()
        with:
          github-token: ${{ steps.generate-token.outputs.token }}
@@ -4,7 +4,7 @@ on:
  workflow_dispatch:
  workflow_call:
    secrets:
-      PUSH_O_MATIC_APP_ID:
+      PUSH_O_MATIC_APP_CLIENT_ID:
        required: true
      PUSH_O_MATIC_APP_KEY:
        required: true
@@ -31,9 +31,9 @@ jobs:
      - name: Generate a token
        id: generate_token
        if: ${{ inputs.skip != true }}
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Find translation PR
@@ -14,9 +14,9 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Require PR to have a changelog label
@@ -12,9 +12,9 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
@@ -36,7 +36,7 @@ jobs:
    permissions:
      pull-requests: write
    secrets:
-      PUSH_O_MATIC_APP_ID: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+      PUSH_O_MATIC_APP_CLIENT_ID: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
      PUSH_O_MATIC_APP_KEY: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      WEBLATE_TOKEN: ${{ secrets.WEBLATE_TOKEN }}

@@ -48,32 +48,27 @@ jobs:
      version: ${{ steps.output.outputs.version }}
    permissions: {} # No job-level permissions are needed because it uses the app-token
    steps:
-      - name: Generate a token
-        id: generate-token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+      - id: token
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - name: Checkout
+      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          token: ${{ steps.generate-token.outputs.token }}
+          token: ${{ steps.token.outputs.token }}
          persist-credentials: true
          ref: main

-      - name: Install uv
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
-
-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './server/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
+          github_token: ${{ steps.token.outputs.token }}
+
+      # TODO move to mise
+      - name: Install uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0

      - name: Bump version
        env:
@@ -86,7 +81,7 @@ jobs:

      - name: Commit and tag
        id: push-tag
-        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
+        uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10.0.0
        with:
          default_author: github_actions
          message: 'chore: version ${{ steps.output.outputs.version }}'
@@ -124,9 +119,9 @@ jobs:
    steps:
      - name: Generate a token
        id: generate-token
-        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
@@ -142,7 +137,7 @@ jobs:
          github-token: ${{ steps.generate-token.outputs.token }}

      - name: Create draft release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
        with:
          draft: true
          tag_name: ${{ needs.bump_version.outputs.version }}
@@ -14,12 +14,12 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: mshick/add-pr-comment@64b8e914979889d746c99dea15a76e77ef64580a # v3.10.0
+      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          message-id: 'preview-status'
@@ -32,12 +32,12 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          script: |
@@ -48,14 +48,14 @@ jobs:
              name: 'preview'
            })

-      - uses: mshick/add-pr-comment@64b8e914979889d746c99dea15a76e77ef64580a # v3.10.0
+      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
        if: ${{ github.event.pull_request.head.repo.fork }}
        with:
          github-token: ${{ steps.token.outputs.token }}
          message-id: 'preview-status'
          message: 'PRs from forks cannot have preview environments.'

-      - uses: mshick/add-pr-comment@64b8e914979889d746c99dea15a76e77ef64580a # v3.10.0
+      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          github-token: ${{ steps.token.outputs.token }}
@@ -19,29 +19,27 @@ jobs:
        working-directory: ./open-api/typescript-sdk
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-
-      # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './open-api/typescript-sdk/.nvmrc'
-          registry-url: 'https://registry.npmjs.org'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
+          github_token: ${{ steps.token.outputs.token }}
+
      - name: Install deps
        run: pnpm install --frozen-lockfile
+
      - name: Build
        run: pnpm build
+
      - name: Publish
        run: pnpm publish --provenance --no-git-checks
@@ -20,14 +20,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
+        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -49,9 +49,9 @@ jobs:
        working-directory: ./mobile
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -17,14 +17,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
+        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -34,13 +34,17 @@ jobs:
              - 'web/**'
              - 'i18n/**'
              - 'open-api/typescript-sdk/**'
+              - 'pnpm-lock.yaml'
            server:
              - 'server/**'
+              - 'pnpm-lock.yaml'
            cli:
              - 'cli/**'
              - 'open-api/typescript-sdk/**'
+              - 'pnpm-lock.yaml'
            e2e:
              - 'e2e/**'
+              - 'pnpm-lock.yaml'
            mobile:
              - 'mobile/**'
            machine-learning:
@@ -63,9 +67,9 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -74,28 +78,14 @@ jobs:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './server/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
-      - name: Run package manager install
-        run: pnpm install
-      - name: Run linter
-        run: pnpm lint
-        if: ${{ !cancelled() }}
-      - name: Run formatter
-        run: pnpm format
-        if: ${{ !cancelled() }}
-      - name: Run tsc
-        run: pnpm check
-        if: ${{ !cancelled() }}
-      - name: Run small tests & coverage
-        run: pnpm test
-        if: ${{ !cancelled() }}
+          github_token: ${{ steps.token.outputs.token }}
+
+      - name: Run ci-unit
+        run: mise run ci-unit
+
  cli-unit-tests:
    name: Unit Test CLI
    needs: pre-job
@@ -108,9 +98,9 @@ jobs:
        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -118,31 +108,15 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './cli/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
-      - name: Setup typescript-sdk
-        run: pnpm install && pnpm run build
-        working-directory: ./open-api/typescript-sdk
-      - name: Install deps
-        run: pnpm install
-      - name: Run linter
-        run: pnpm lint
-        if: ${{ !cancelled() }}
-      - name: Run formatter
-        run: pnpm format
-        if: ${{ !cancelled() }}
-      - name: Run tsc
-        run: pnpm check
-        if: ${{ !cancelled() }}
-      - name: Run unit tests & coverage
-        run: pnpm test
-        if: ${{ !cancelled() }}
+          github_token: ${{ steps.token.outputs.token }}
+
+      - name: Run ci-unit
+        run: mise run ci-unit
+
  cli-unit-tests-win:
    name: Unit Test CLI (Windows)
    needs: pre-job
@@ -155,9 +129,9 @@ jobs:
        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -165,26 +139,33 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
+
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+
      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
-          node-version-file: './cli/.nvmrc'
+          node-version-file: '.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Setup typescript-sdk
        run: pnpm install --frozen-lockfile && pnpm build
        working-directory: ./open-api/typescript-sdk
+
      - name: Install deps
        run: pnpm install --frozen-lockfile
+
      # Skip linter & formatter in Windows test.
+
      - name: Run tsc
        run: pnpm check
        if: ${{ !cancelled() }}
+
      - name: Run unit tests & coverage
        run: pnpm test
        if: ${{ !cancelled() }}
+
  web-lint:
    name: Lint Web
    needs: pre-job
@@ -197,9 +178,9 @@ jobs:
        working-directory: ./web
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -207,28 +188,22 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './web/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
+          github_token: ${{ steps.token.outputs.token }}
+
      - name: Run setup typescript-sdk
-        run: pnpm install --frozen-lockfile && pnpm build
-        working-directory: ./open-api/typescript-sdk
+        run: mise run //:sdk:install && mise run //:sdk:build
+
      - name: Run pnpm install
-        run: pnpm rebuild && pnpm install --frozen-lockfile
+        run: pnpm install --frozen-lockfile
+
      - name: Run linter
        run: pnpm lint
        if: ${{ !cancelled() }}
-      - name: Run formatter
-        run: pnpm format
-        if: ${{ !cancelled() }}
-      - name: Run svelte checks
-        run: pnpm check:svelte
-        if: ${{ !cancelled() }}
+
  web-unit-tests:
    name: Test Web
    needs: pre-job
@@ -241,9 +216,9 @@ jobs:
        working-directory: ./web
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -251,25 +226,15 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './web/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
-      - name: Run setup typescript-sdk
-        run: pnpm install --frozen-lockfile && pnpm build
-        working-directory: ./open-api/typescript-sdk
-      - name: Run npm install
-        run: pnpm install --frozen-lockfile
-      - name: Run tsc
-        run: pnpm check:typescript
-        if: ${{ !cancelled() }}
-      - name: Run unit tests & coverage
-        run: pnpm test
-        if: ${{ !cancelled() }}
+          github_token: ${{ steps.token.outputs.token }}
+
+      - name: Run ci-unit
+        run: mise run ci-unit
+
  i18n-tests:
    name: Test i18n
    needs: pre-job
@@ -279,9 +244,9 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -289,24 +254,25 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './web/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
+          github_token: ${{ steps.token.outputs.token }}
+
      - name: Install dependencies
        run: pnpm --filter=immich-i18n install --frozen-lockfile
+
      - name: Format
        run: pnpm --filter=immich-i18n format:fix
+
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
        with:
          files: |
            i18n/**
+
      - name: Verify files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        env:
@@ -315,6 +281,7 @@ jobs:
          echo "ERROR: i18n files not up to date!"
          echo "Changed files: ${CHANGED_FILES}"
          exit 1
+
  e2e-tests-lint:
    name: End-to-End Lint
    needs: pre-job
@@ -327,9 +294,9 @@ jobs:
        working-directory: ./e2e
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -337,30 +304,16 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './e2e/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
-      - name: Run setup typescript-sdk
-        run: pnpm install --frozen-lockfile && pnpm build
-        working-directory: ./open-api/typescript-sdk
-        if: ${{ !cancelled() }}
-      - name: Install dependencies
-        run: pnpm install --frozen-lockfile
-        if: ${{ !cancelled() }}
-      - name: Run linter
-        run: pnpm lint
-        if: ${{ !cancelled() }}
-      - name: Run formatter
-        run: pnpm format
-        if: ${{ !cancelled() }}
-      - name: Run tsc
-        run: pnpm check
+          github_token: ${{ steps.token.outputs.token }}
+
+      - name: Run ci-unit
+        run: mise run ci-unit
        if: ${{ !cancelled() }}
+
  server-medium-tests:
    name: Medium Tests (Server)
    needs: pre-job
@@ -373,9 +326,9 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -384,19 +337,16 @@ jobs:
          persist-credentials: false
          submodules: 'recursive'
          token: ${{ steps.token.outputs.token }}
-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './server/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
-      - name: Run pnpm install
-        run: SHARP_IGNORE_GLOBAL_LIBVIPS=true pnpm install --frozen-lockfile
-      - name: Run medium tests
-        run: pnpm test:medium
+          github_token: ${{ steps.token.outputs.token }}
+
+      - name: Run ci-medium
+        run: mise run ci-medium
        if: ${{ !cancelled() }}
+
  e2e-tests-server-cli:
    name: End-to-End Tests (Server & CLI)
    needs: pre-job
@@ -412,9 +362,9 @@ jobs:
        runner: [ubuntu-latest, ubuntu-24.04-arm]
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -423,52 +373,63 @@ jobs:
          persist-credentials: false
          submodules: 'recursive'
          token: ${{ steps.token.outputs.token }}
+
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+
      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
-          node-version-file: './e2e/.nvmrc'
+          node-version-file: '.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
-      - name: Run setup typescript-sdk
+
+      - name: Setup typescript-sdk
        run: pnpm install --frozen-lockfile && pnpm build
        working-directory: ./open-api/typescript-sdk
-        if: ${{ !cancelled() }}
+
      - name: Run setup web
        run: pnpm install --frozen-lockfile && pnpm exec svelte-kit sync
        working-directory: ./web
        if: ${{ !cancelled() }}
+
      - name: Run setup cli
        run: pnpm install --frozen-lockfile && pnpm build
        working-directory: ./cli
        if: ${{ !cancelled() }}
+
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
        if: ${{ !cancelled() }}
+
      - name: Start Docker Compose
        run: docker compose up -d --build --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
        if: ${{ !cancelled() }}
+
      - name: Run e2e tests (api & cli)
        env:
          VITEST_DISABLE_DOCKER_SETUP: true
        run: pnpm test
        if: ${{ !cancelled() }}
+
      - name: Run e2e tests (maintenance)
        env:
          VITEST_DISABLE_DOCKER_SETUP: true
        run: pnpm test:maintenance
        if: ${{ !cancelled() }}
+
      - name: Capture Docker logs
        if: always()
        run: docker compose logs --no-color > docker-compose-logs.txt
        working-directory: ./e2e
+
      - name: Archive Docker logs
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: always()
        with:
          name: e2e-server-docker-logs-${{ matrix.runner }}
          path: e2e/docker-compose-logs.txt
+
  e2e-tests-web:
    name: End-to-End Tests (Web)
    needs: pre-job
@@ -484,9 +445,9 @@ jobs:
        runner: [ubuntu-latest, ubuntu-24.04-arm]
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -495,70 +456,85 @@ jobs:
          persist-credentials: false
          submodules: 'recursive'
          token: ${{ steps.token.outputs.token }}
+
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+
      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
-          node-version-file: './e2e/.nvmrc'
+          node-version-file: '.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
+
      - name: Run setup typescript-sdk
        run: pnpm install --frozen-lockfile && pnpm build
        working-directory: ./open-api/typescript-sdk
+
        if: ${{ !cancelled() }}
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
        if: ${{ !cancelled() }}
+
      - name: Install Playwright Browsers
        run: pnpm exec playwright install chromium --only-shell
        if: ${{ !cancelled() }}
+
      - name: Docker build
        run: docker compose up -d --build --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
        if: ${{ !cancelled() }}
+
      - name: Run e2e tests (web)
        env:
          PLAYWRIGHT_DISABLE_WEBSERVER: true
        run: pnpm test:web
        if: ${{ !cancelled() }}
+
      - name: Archive e2e test (web) results
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: success() || failure()
        with:
          name: e2e-web-test-results-${{ matrix.runner }}
          path: e2e/playwright-report/
+
      - name: Run ui tests (web)
        env:
          PLAYWRIGHT_DISABLE_WEBSERVER: true
        run: pnpm test:web:ui
        if: ${{ !cancelled() }}
+
      - name: Archive ui test (web) results
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: success() || failure()
        with:
          name: e2e-ui-test-results-${{ matrix.runner }}
          path: e2e/playwright-report/
+
      - name: Run maintenance tests
        env:
          PLAYWRIGHT_DISABLE_WEBSERVER: true
        run: pnpm test:web:maintenance
        if: ${{ !cancelled() }}
+
      - name: Archive maintenance tests (web) results
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: success() || failure()
        with:
          name: e2e-maintenance-isolated-test-results-${{ matrix.runner }}
          path: e2e/playwright-report/
+
      - name: Capture Docker logs
        if: always()
        run: docker compose logs --no-color > docker-compose-logs.txt
        working-directory: ./e2e
+
      - name: Archive Docker logs
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: always()
        with:
          name: e2e-web-docker-logs-${{ matrix.runner }}
          path: e2e/docker-compose-logs.txt
+
  success-check-e2e:
    name: End-to-End Tests Success
    needs: [e2e-tests-server-cli, e2e-tests-web]
@@ -566,7 +542,7 @@ jobs:
    runs-on: ubuntu-latest
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
+      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
        with:
          needs: ${{ toJSON(needs) }}
  mobile-unit-tests:
@@ -578,9 +554,9 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -610,34 +586,24 @@ jobs:
        working-directory: ./machine-learning
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-      - name: Install uv
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          python-version: 3.11
-      - name: Install dependencies
-        run: |
-          uv sync --extra cpu
-      - name: Lint with ruff
-        run: |
-          uv run ruff check --output-format=github immich_ml
-      - name: Format with ruff
-        run: |
-          uv run ruff format --check immich_ml
-      - name: Run mypy type checking
-        run: |
-          uv run mypy --strict immich_ml/
-      - name: Run tests and coverage
-        run: |
-          uv run pytest --cov=immich_ml --cov-report term-missing
+          github_token: ${{ steps.token.outputs.token }}
+
+      - name: Run ci-unit
+        run: mise run ci-unit
+
  github-files-formatting:
    name: .github Files Formatting
    needs: pre-job
@@ -650,9 +616,9 @@ jobs:
        working-directory: ./.github
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -660,19 +626,19 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './.github/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
+          github_token: ${{ steps.token.outputs.token }}
+
      - name: Run pnpm install
        run: pnpm install --frozen-lockfile
+
      - name: Run formatter
        run: pnpm format
        if: ${{ !cancelled() }}
+
  shellcheck:
    name: ShellCheck
    runs-on: ubuntu-latest
@@ -680,9 +646,9 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -701,9 +667,9 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -711,21 +677,22 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './server/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
+          github_token: ${{ steps.token.outputs.token }}
+
      - name: Install server dependencies
        run: SHARP_IGNORE_GLOBAL_LIBVIPS=true pnpm --filter immich install --frozen-lockfile
+
      - name: Build the app
        run: pnpm --filter immich build
+
      - name: Run API generation
        run: ./bin/generate-open-api.sh
        working-directory: open-api
+
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
@@ -734,6 +701,7 @@ jobs:
            mobile/openapi
            open-api/typescript-sdk
            open-api/immich-openapi-specs.json
+
      - name: Verify files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        env:
@@ -742,6 +710,7 @@ jobs:
          echo "ERROR: Generated files not up to date!"
          echo "Changed files: ${CHANGED_FILES}"
          exit 1
+
  sql-schema-up-to-date:
    name: SQL Schema Checks
    runs-on: ubuntu-latest
@@ -763,9 +732,9 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -773,31 +742,35 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-      - name: Setup pnpm
-        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      - name: Setup Node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+
+      - name: Setup Mise
+        uses: immich-app/devtools/actions/use-mise@01a4d354b70f99a6baf4a1b72827f6d4922e4978 # use-mise-action-v2.0.0
        with:
-          node-version-file: './server/.nvmrc'
-          cache: 'pnpm'
-          cache-dependency-path: '**/pnpm-lock.yaml'
+          github_token: ${{ steps.token.outputs.token }}
+
      - name: Install server dependencies
        run: SHARP_IGNORE_GLOBAL_LIBVIPS=true pnpm install --frozen-lockfile
+
      - name: Build the app
        run: pnpm build
+
      - name: Run existing migrations
        run: pnpm migrations:run
+
      - name: Test npm run schema:reset command works
        run: pnpm schema:reset
+
      - name: Generate new migrations
        continue-on-error: true
        run: pnpm migrations:generate src/TestMigration
+
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
        with:
          files: |
            server/src
+
      - name: Verify migration files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        env:
@@ -807,16 +780,19 @@ jobs:
          echo "Changed files: ${CHANGED_FILES}"
          cat ./src/*-TestMigration.ts
          exit 1
+
      - name: Run SQL generation
        run: pnpm sync:sql
        env:
          DB_URL: postgres://postgres:postgres@localhost:5432/immich
+
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-sql-files
        with:
          files: |
            server/src/queries
+
      - name: Verify SQL files have not changed
        if: steps.verify-changed-sql-files.outputs.files_changed == 'true'
        env:
@@ -24,14 +24,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
+        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -47,9 +47,9 @@ jobs:
    if: ${{ fromJSON(needs.pre-job.outputs.should_run).i18n == true }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
+        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
        with:
-          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Bot review status
@@ -68,6 +68,6 @@ jobs:
    permissions: {}
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
+      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
        with:
          needs: ${{ toJSON(needs) }}
@@ -1,6 +1,3 @@
-[submodule "mobile/.isar"]
-	path = mobile/.isar
-	url = https://github.com/isar/isar
 [submodule "e2e/test-assets"]
 	path = e2e/test-assets
 	url = https://github.com/immich-app/test-assets
@@ -0,0 +1 @@
+24.15.0
@@ -13,10 +13,6 @@
    "editor.wordBasedSuggestions": "off"
  },
  "[javascript]": {
-    "editor.codeActionsOnSave": {
-      "source.organizeImports": "explicit",
-      "source.removeUnusedImports": "explicit"
-    },
    "editor.defaultFormatter": "esbenp.prettier-vscode",
    "editor.formatOnSave": true
  },
@@ -29,18 +25,14 @@
    "editor.formatOnSave": true
  },
  "[svelte]": {
-    "editor.codeActionsOnSave": {
-      "source.organizeImports": "explicit",
-      "source.removeUnusedImports": "explicit"
-    },
    "editor.defaultFormatter": "svelte.svelte-vscode",
-    "editor.formatOnSave": true
+    "editor.formatOnSave": true,
+    "tailwindCSS.lint.suggestCanonicalClasses": "ignore"
+  },
+  "svelte.plugin.svelte.compilerWarnings": {
+    "state_referenced_locally": "ignore"
  },
  "[typescript]": {
-    "editor.codeActionsOnSave": {
-      "source.organizeImports": "explicit",
-      "source.removeUnusedImports": "explicit"
-    },
    "editor.defaultFormatter": "esbenp.prettier-vscode",
    "editor.formatOnSave": true
  },
@@ -1 +0,0 @@
-24.14.1
@@ -7,7 +7,7 @@ run = "vite build"

 [tasks.test]
 env._.path = "./node_modules/.bin"
-run = "vite"
+run = "vitest"

 [tasks.lint]
 env._.path = "./node_modules/.bin"
@@ -27,3 +27,26 @@ run = "prettier --write ."
 [tasks.check]
 env._.path = "./node_modules/.bin"
 run = "tsc --noEmit"
+
+[tasks.ci-publish]
+depends = ["//:sdk:install", "//:sdk:build"]
+run = [
+  { task = ":install" },
+  { task = ":build" },
+  "pnpm publish --provenance --no-git-checks",
+]
+
+[tasks.ci-unit]
+depends = ["//:sdk:install", "//:sdk:build"]
+run = [
+  { task = ":install" },
+  { task = ":format" },
+  { task = ":lint" },
+  { task = ":check" },
+  { task = ":test --run" },
+]
+
+[tasks.checklist]
+run = [
+ { task = ":ci-unit" },
+]
@@ -20,7 +20,7 @@
    "@types/lodash-es": "^4.17.12",
    "@types/micromatch": "^4.0.9",
    "@types/mock-fs": "^4.13.1",
-    "@types/node": "^24.12.0",
+    "@types/node": "^24.12.2",
    "@vitest/coverage-v8": "^4.0.0",
    "byte-size": "^9.0.0",
    "cli-progress": "^3.12.0",
@@ -66,8 +66,5 @@
    "fastq": "^1.17.1",
    "lodash-es": "^4.17.21",
    "micromatch": "^4.0.8"
-  },
-  "volta": {
-    "node": "24.14.1"
  }
 }
@@ -404,8 +404,6 @@ const uploadFile = async (input: string, stats: Stats): Promise<AssetMediaRespon
  const { baseUrl, headers } = defaults;

  const formData = new FormData();
-  formData.append('deviceAssetId', `${basename(input)}-${stats.size}`.replaceAll(/\s+/g, ''));
-  formData.append('deviceId', 'CLI');
  formData.append('fileCreatedAt', stats.mtime.toISOString());
  formData.append('fileModifiedAt', stats.mtime.toISOString());
  formData.append('fileSize', String(stats.size));
@@ -1,6 +1,6 @@
 [tools]
-terragrunt = "0.99.5"
-opentofu = "1.11.5"
+terragrunt = "1.0.3"
+opentofu = "1.11.6"

 [tasks."tg:fmt"]
 run = "terragrunt hclfmt"
@@ -20,6 +20,7 @@ services:
      - /tmp
    volumes:
      - ..:/usr/src/app
+      # - ../../ui:/usr/src/ui
      - pnpm_cache:/buildcache/pnpm_cache
      - server_node_modules:/usr/src/app/server/node_modules
      - web_node_modules:/usr/src/app/web/node_modules
@@ -85,7 +85,7 @@ services:
    container_name: immich_prometheus
    ports:
      - 9090:9090
-    image: prom/prometheus@sha256:dda13e28bf95a5e5ca5b8ed56852006094c1c8e8871d9c9dbeed30aa6e55271f
+    image: prom/prometheus@sha256:e4254400b85610324913f0dc4acf92603d9984e7519414c5a12811aa6146acc3
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus-data:/prometheus
@@ -97,7 +97,7 @@ services:
    command: ['./run.sh', '-disable-reporting']
    ports:
      - 3000:3000
-    image: grafana/grafana:12.4.2-ubuntu@sha256:78839fe49e1425c02416fa8072591533a72bd9598e563b54a07d78f9e27fb5d3
+    image: grafana/grafana:12.4.3-ubuntu@sha256:ca3f764fdc48cebdf22dd206f33ecb0795a9a7210eacd1b5c02204aebd78b223
    volumes:
      - grafana-data:/var/lib/grafana

@@ -95,6 +95,3 @@ services:
    restart: always
    healthcheck:
      disable: false
-
-volumes:
-  model-cache:
@@ -1 +0,0 @@
-24.14.1
@@ -210,7 +210,7 @@ The provided restore process ensures your database is never in a broken state by

 ## Filesystem

-Immich stores two types of content in the filesystem: (a) original, unmodified assets (photos and videos), and (b) generated content. We recommend backing up the entire contents of `UPLOAD_LOCATION`, but only the original content is critical, which is stored in the following folders:
+Immich does not handle filesystem backups for you. You have to arrange these yourself! Immich stores two types of content in the filesystem: (a) original, unmodified assets (photos and videos), and (b) generated content. We recommend backing up the entire contents of `UPLOAD_LOCATION`, but only the original content is critical, which is stored in the following folders:

 1. `UPLOAD_LOCATION/library`
 2. `UPLOAD_LOCATION/upload`
@@ -50,6 +50,10 @@ Before enabling OAuth in Immich, a new client application needs to be configured
   - `https://immich.example.com/auth/login`
   - `https://immich.example.com/user-settings`

+3. Configure Backchannel logout URL
+
+   If the authentication server supports it, the **Backchannel logout URL** can be specified, and it is of the form: `http://DOMAIN:PORT/api/oauth/backchannel-logout`.
+
 ## Enable OAuth

 Once you have a new OAuth client application configured, Immich can be configured using the Administration Settings page, available on the web (Administration -> Settings).
@@ -63,6 +67,8 @@ Once you have a new OAuth client application configured, Immich can be configure
 | `scope`                                              | string  | openid email profile | Full list of scopes to send with the request (space delimited)                      |
 | `id_token_signed_response_alg`                       | string  | RS256                | The algorithm used to sign the id token (examples: RS256, HS256)                    |
 | `userinfo_signed_response_alg`                       | string  | none                 | The algorithm used to sign the userinfo response (examples: RS256, HS256)           |
+| `prompt`                                             | string  | (empty)              | Prompt parameter for authorization url (examples: select_account, login, consent)   |
+| `end_session_endpoint`                               | URL     | (empty)              | Http(s) alternative end session endpoint (logout URI)                               |
 | Request timeout                                      | string  | 30,000 (30 seconds)  | Number of milliseconds to wait for http requests to complete before giving up       |
 | Storage Label Claim                                  | string  | preferred_username   | Claim mapping for the user's storage label**¹**                                     |
 | Role Claim                                           | string  | immich_role          | Claim mapping for the user's role. (should return "user" or "admin")**¹**           |
@@ -181,6 +187,7 @@ Configuration of OAuth in Immich System Settings
 | Scope                              | openid email profile immich_scope                                   |
 | ID Token Signed Response Algorithm | RS256                                                               |
 | Userinfo Signed Response Algorithm | RS256                                                               |
+| End Session Endpoint               | https://auth.example.com/logout?rd=https://immich.example.com/      |
 | Storage Label Claim                | uid                                                                 |
 | Storage Quota Claim                | immich_quota                                                        |
 | Default Storage Quota (GiB)        | 0 (empty for unlimited quota)                                       |
@@ -81,7 +81,7 @@ VectorChord is the successor extension to pgvecto.rs, allowing for higher perfor

 ### Migrating from pgvecto.rs

-Support for pgvecto.rs will be dropped in a later release, hence we recommend all users currently using pgvecto.rs to migrate to VectorChord at their convenience. There are two primary approaches to do so.
+Support for pgvecto.rs has been dropped as of 3.0, hence all users currently using pgvecto.rs should migrate to VectorChord. There are two primary approaches to do so.

 The easiest option is to have both extensions installed during the migration:

@@ -80,9 +80,9 @@ To see local changes to `@immich/ui` in Immich, do the following:

 1. Install `@immich/ui` as a sibling to `immich/`, for example `/home/user/immich` and `/home/user/ui`
 2. Build the `@immich/ui` project via `pnpm run build`
-3. Uncomment the corresponding volume in web service of the `docker/docker-compose.dev.yaml` file (`../../ui:/usr/ui`)
-4. Uncomment the corresponding alias in the `web/vite.config.js` file (`'@immich/ui': path.resolve(\_\_dirname, '../../ui')`)
-5. Uncomment the import statement in `web/src/app.css` file `@import '/usr/ui/dist/theme/default.css';` and comment out `@import '@immich/ui/theme/default.css';`
+3. Uncomment the corresponding volume in web service of the `docker/docker-compose.dev.yml` file (`../../ui:/usr/src/ui`)
+4. Uncomment the corresponding alias in the `web/vite.config.ts` file (`'@immich/ui': path.resolve(\_\_dirname, '../../ui/packages/ui')`)
+5. Uncomment the import statement in `web/src/app.css` file `@import '../../../ui/packages/ui/dist/theme/default.css';` and comment out `@import '@immich/ui/theme/default.css';`
 6. Start up the stack via `make dev`
 7. After making changes in `@immich/ui`, rebuild it (`pnpm run build`)

@@ -50,6 +50,8 @@ Some basic examples:
 - `**/Raw/**` will exclude all files in any directory named `Raw`
 - `**/*.{tif,jpg}` will exclude all files with the extension `.tif` or `.jpg`

+Note that `*` is a wildcard matching zero or more characters (i.e., withinin a filename or single directory name). `**` matches zero or more subdirectories, recursively. It also includes any/all files within a subdirectory, i.e., when used at the end of a pattern. For example, `**/exclude_me/**` will exclude all files in any directory named `exclude_me`, as well as all files in any subdirectories of `exclude_me`, recursively.
+
 Special characters such as @ should be escaped, for instance:

 - `**/\@eaDir/**` will exclude all files in any directory named `@eaDir`
@@ -47,6 +47,7 @@ You do not need to redo any machine learning jobs after enabling hardware accele

 #### ROCm

+- On Linux, The [AMDGPU driver module](https://rocm.docs.amd.com/projects/install-on-linux/en/latest/how-to/docker.html) needs to be installed on the server and, if secure boot is used, the signing key of DKMS [needs to be enrolled in UEFI BIOS](https://wiki.debian.org/SecureBoot)
 - The GPU must be supported by ROCm. If it isn't officially supported, you can attempt to use the `HSA_OVERRIDE_GFX_VERSION` environmental variable: `HSA_OVERRIDE_GFX_VERSION=<a supported version, e.g. 10.3.0>`. If this doesn't work, you might need to also set `HSA_USE_SVM=0`.
 - The ROCm image is quite large and requires at least 35GiB of free disk space. However, pulling later updates to the service through Docker will generally only amount to a few hundred megabytes as the rest will be cached.
 - This backend is new and may experience some issues. For example, GPU power consumption can be higher than usual after running inference, even if the machine learning service is idle. In this case, it will only go back to normal after being idle for 5 minutes (configurable with the [MACHINE_LEARNING_MODEL_TTL](/install/environment-variables) setting).
@@ -18,6 +18,7 @@ You can search the following types of content:
 | People                              | Faces that are recognized in your photos/videos.      |
 | Contextual                          | Content of the photos and videos.                     |
 | File name or extension              | Full or partial file's name, or file's extension      |
+| Full path or folder                 | Full or partial folder names from the original path.  |
 | Description                         | Description added to assets.                          |
 | Optical Character Recognition (OCR) | Text in images                                        |
 | Locations                           | Cities, states, and countries from reverse geocoding. |
@@ -30,6 +31,12 @@ You can search the following types of content:

 <img src={require('./img/advanced-search-filters.webp').default} width="70%" title='Advanced search filters' />

+### Full path or folder
+
+Use this mode when you know a folder name or part of the original asset path.
+
+Example: for /John/Projects/3D_Printing/2026-07-01/IMG_0001.jpg, searches like Projects, 3D, Printing, or 2026 match the asset.
+
 ## Configuration

 Navigating to `Administration > Settings > Machine Learning Settings > Smart Search` will show the options available.
@@ -18,6 +18,7 @@ For the full list, refer to the [Immich source code](https://github.com/immich-a
 | `JPEG 2000` | `.jp2`                        | :white_check_mark: |                 |
 | `JPEG`      | `.jpeg` `.jpg` `.jpe` `.insp` | :white_check_mark: |                 |
 | `JPEG XL`   | `.jxl`                        | :white_check_mark: |                 |
+| `MPO`       | `.mpo`                        | :white_check_mark: | Multi-Picture   |
 | `PNG`       | `.png`                        | :white_check_mark: |                 |
 | `PSD`       | `.psd`                        | :white_check_mark: | Adobe Photoshop |
 | `RAW`       | `.raw`                        | :white_check_mark: |                 |
@@ -20,8 +20,6 @@ def upload(file):
    }

    data = {
-        'deviceAssetId': f'{file}-{stats.st_mtime}',
-        'deviceId': 'python',
        'fileCreatedAt': datetime.fromtimestamp(stats.st_mtime),
        'fileModifiedAt': datetime.fromtimestamp(stats.st_mtime),
        'isFavorite': 'false',
@@ -39,7 +39,7 @@ You can learn how to set up Tailscale together with Immich with the [tutorial vi
 ### Cons

 - The Tailscale client usually needs to run as root on your devices and it increases the attack surface slightly compared to a minimal Wireguard server. e.g., an [RCE vulnerability](https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp) was discovered in the Windows Tailscale client in November 2022.
- Tailscale is a paid service. However, there is a generous [free tier](https://tailscale.com/pricing/) that permits up to 3 users and up to 100 devices.
+- Tailscale is a paid service. However, there is a generous [free tier](https://tailscale.com/pricing/) suitable for personal use.
 - Tailscale needs to be installed and running on both server-side and client-side.

 ## Option 3: Reverse Proxy
@@ -26,7 +26,7 @@ The default configuration looks like this:
  },
  "ffmpeg": {
    "accel": "disabled",
-    "accelDecode": false,
+    "accelDecode": true,
    "acceptedAudioCodecs": ["aac", "mp3", "opus"],
    "acceptedContainers": ["mov", "ogg", "webm"],
    "acceptedVideoCodecs": ["h264"],
@@ -193,6 +193,7 @@ The default configuration looks like this:
    "defaultStorageQuota": null,
    "enabled": false,
    "issuerUrl": "",
+    "endSessionEndpoint": "",
    "mobileOverrideEnabled": false,
    "mobileRedirectUri": "",
    "profileSigningAlgorithm": "none",
@@ -263,4 +264,4 @@ volumes:
  - ./configuration.yml:${IMMICH_CONFIG_FILE}
 ```

-::
+:::
@@ -29,29 +29,31 @@ These environment variables are used by the `docker-compose.yml` file and do **N

 ## General

-| Variable                            | Description                                                                                                                                            |           Default            | Containers               | Workers            |
-| :---------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------: | :----------------------- | :----------------- |
-| `TZ`                                | Timezone                                                                                                                                               |        <sup>\*1</sup>        | server                   | microservices      |
-| `IMMICH_ENV`                        | Environment (production, development)                                                                                                                  |         `production`         | server, machine learning | api, microservices |
-| `IMMICH_LOG_LEVEL`                  | Log level (verbose, debug, log, warn, error)                                                                                                           |            `log`             | server, machine learning | api, microservices |
-| `IMMICH_LOG_FORMAT`                 | Log output format (`console`, `json`)                                                                                                                  |          `console`           | server                   | api, microservices |
-| `IMMICH_MEDIA_LOCATION`             | Media location inside the container ⚠️**You probably shouldn't set this**<sup>\*2</sup>⚠️                                                              |           `/data`            | server                   | api, microservices |
-| `IMMICH_CONFIG_FILE`                | Path to config file                                                                                                                                    |                              | server                   | api, microservices |
-| `IMMICH_HELMET_FILE`                | Path to a json file with [helmet](https://www.npmjs.com/package/helmet) options. Set to `false` to disable. Set to `true` to use `server/helmet.json`. |           `false`            | server                   | api, microservices |
-| `NO_COLOR`                          | Set to `true` to disable color-coded log output                                                                                                        |           `false`            | server, machine learning |                    |
-| `CPU_CORES`                         | Number of cores available to the Immich server                                                                                                         | auto-detected CPU core count | server                   |                    |
-| `IMMICH_API_METRICS_PORT`           | Port for the OTEL metrics                                                                                                                              |            `8081`            | server                   | api                |
-| `IMMICH_MICROSERVICES_METRICS_PORT` | Port for the OTEL metrics                                                                                                                              |            `8082`            | server                   | microservices      |
-| `IMMICH_PROCESS_INVALID_IMAGES`     | When `true`, generate thumbnails for invalid images                                                                                                    |                              | server                   | microservices      |
-| `IMMICH_TRUSTED_PROXIES`            | List of comma-separated IPs set as trusted proxies                                                                                                     |                              | server                   | api                |
-| `IMMICH_IGNORE_MOUNT_CHECK_ERRORS`  | See [System Integrity](/administration/system-integrity)                                                                                               |                              | server                   | api, microservices |
-| `IMMICH_ALLOW_SETUP`                | When `false` disables the `/auth/admin-sign-up` endpoint                                                                                               |            `true`            | server                   | api                |
+| Variable                            | Description                                                                                                                                                          |           Default            | Containers               | Workers            |
+| :---------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------: | :----------------------- | :----------------- |
+| `TZ`                                | Timezone                                                                                                                                                             |        <sup>\*1</sup>        | server                   | microservices      |
+| `IMMICH_ENV`                        | Environment (production, development)                                                                                                                                |         `production`         | server, machine learning | api, microservices |
+| `IMMICH_LOG_LEVEL`                  | Log level (verbose, debug, log, warn, error)                                                                                                                         |            `log`             | server, machine learning | api, microservices |
+| `IMMICH_LOG_FORMAT`                 | Log output format (`console`, `json`)                                                                                                                                |          `console`           | server                   | api, microservices |
+| `IMMICH_MEDIA_LOCATION`             | Media location inside the container ⚠️**You probably shouldn't set this**<sup>\*2</sup>⚠️                                                                            |           `/data`            | server                   | api, microservices |
+| `IMMICH_CONFIG_FILE`                | Path to config file                                                                                                                                                  |                              | server                   | api, microservices |
+| `IMMICH_HELMET_FILE`                | Path to a json file with [helmet](https://www.npmjs.com/package/helmet) options. Set to `false` to disable. Set to `true` to use `server/helmet.json`<sup>\*3</sup>. |           `false`            | server                   | api                |
+| `NO_COLOR`                          | Set to `true` to disable color-coded log output                                                                                                                      |           `false`            | server, machine learning |                    |
+| `CPU_CORES`                         | Number of cores available to the Immich server                                                                                                                       | auto-detected CPU core count | server                   |                    |
+| `IMMICH_API_METRICS_PORT`           | Port for the OTEL metrics                                                                                                                                            |            `8081`            | server                   | api                |
+| `IMMICH_MICROSERVICES_METRICS_PORT` | Port for the OTEL metrics                                                                                                                                            |            `8082`            | server                   | microservices      |
+| `IMMICH_PROCESS_INVALID_IMAGES`     | When `true`, generate thumbnails for invalid images                                                                                                                  |                              | server                   | microservices      |
+| `IMMICH_TRUSTED_PROXIES`            | List of comma-separated IPs set as trusted proxies                                                                                                                   |                              | server                   | api                |
+| `IMMICH_IGNORE_MOUNT_CHECK_ERRORS`  | See [System Integrity](/administration/system-integrity)                                                                                                             |                              | server                   | api, microservices |
+| `IMMICH_ALLOW_SETUP`                | When `false` disables the `/auth/admin-sign-up` endpoint                                                                                                             |            `true`            | server                   | api                |

 \*1: `TZ` should be set to a `TZ identifier` from [this list][tz-list]. For example, `TZ="Etc/UTC"`.
 `TZ` is used by `exiftool` as a fallback in case the timezone cannot be determined from the image metadata. It is also used for logfile timestamps and cron job execution.

 \*2: This path is where the Immich code looks for the files, which is internal to the docker container. Setting it to a path on your host will certainly break things, you should use the `UPLOAD_LOCATION` variable instead.

+\*3: The [default configuration](https://helmetjs.github.io/#content-security-policy) sets `upgrade-insecure-requests`, which tells the browser to upgrade all requests to HTTPS. This breaks on HTTP-only deployments. If you cannot use HTTPS, you should use a custom helmet config file with `"upgrade-insecure-requests": null`.
+
 ## Workers

 | Variable                 | Description                                                                                          | Default | Containers |
@@ -81,7 +83,7 @@ Information on the current workers can be found [here](/administration/jobs-work
 | `DB_PASSWORD`                       | Database password                                                                      | `postgres` | server, database<sup>\*1</sup> |
 | `DB_DATABASE_NAME`                  | Database name                                                                          |  `immich`  | server, database<sup>\*1</sup> |
 | `DB_SSL_MODE`                       | Database SSL mode                                                                      |            | server                         |
-| `DB_VECTOR_EXTENSION`<sup>\*2</sup> | Database vector extension (one of [`vectorchord`, `pgvector`, `pgvecto.rs`])           |            | server                         |
+| `DB_VECTOR_EXTENSION`<sup>\*2</sup> | Database vector extension (one of [`vectorchord`, `pgvector`])                         |            | server                         |
 | `DB_SKIP_MIGRATIONS`                | Whether to skip running migrations on startup (one of [`true`, `false`])               |  `false`   | server                         |
 | `DB_STORAGE_TYPE`                   | Optimize concurrent IO on SSDs or sequential IO on HDDs ([`SSD`, `HDD`])<sup>\*3</sup> |   `SSD`    | database                       |

@@ -130,7 +130,3 @@ These storage mediums have different performance characteristics. As a result, t
 #### Can I use the new database image as a general PostgreSQL image outside of Immich?

 It’s a standard PostgreSQL container image that additionally contains the VectorChord, pgvector, and (optionally) pgvecto.rs extensions. If you were using the previous pgvecto.rs image for other purposes, you can similarly do so with this image.
-
-#### If pgvecto.rs and pgvector still work, why should I switch to VectorChord?
-
-VectorChord is faster, more stable, uses less RAM, and (with the settings Immich uses) offers higher-quality results than pgvector and pgvecto.rs. This translates to better search and facial recognition experiences. In addition, pgvecto.rs support will be dropped in the future, so changing it sooner will avoid disruption.
@@ -17,10 +17,10 @@
    "write-heading-ids": "docusaurus write-heading-ids"
  },
  "dependencies": {
-    "@docusaurus/core": "~3.9.0",
-    "@docusaurus/preset-classic": "~3.9.0",
-    "@docusaurus/theme-common": "~3.9.0",
-    "@docusaurus/theme-mermaid": "~3.9.0",
+    "@docusaurus/core": "~3.10.0",
+    "@docusaurus/preset-classic": "~3.10.0",
+    "@docusaurus/theme-common": "~3.10.0",
+    "@docusaurus/theme-mermaid": "~3.10.0",
    "@mdi/js": "^7.3.67",
    "@mdi/react": "^1.6.1",
    "@mdx-js/react": "^3.0.0",
@@ -36,9 +36,9 @@
    "url": "^0.11.0"
  },
  "devDependencies": {
-    "@docusaurus/module-type-aliases": "~3.9.0",
+    "@docusaurus/module-type-aliases": "~3.10.0",
    "@docusaurus/tsconfig": "^3.10.0",
-    "@docusaurus/types": "^3.7.0",
+    "@docusaurus/types": "^3.10.0",
    "prettier": "^3.7.4",
    "typescript": "^6.0.0"
  },
@@ -56,8 +56,5 @@
  },
  "engines": {
    "node": ">=20"
-  },
-  "volta": {
-    "node": "24.14.1"
  }
 }
@@ -1,5 +1,12 @@
-import { exportJWK, generateKeyPair } from 'jose';
+import {
+  calculateJwkThumbprint,
+  exportJWK,
+  importPKCS8,
+  importSPKI,
+  SignJWT,
+} from 'jose';
 import Provider from 'oidc-provider';
+import { PRIVATE_KEY_PEM, PUBLIC_KEY_PEM } from './test-keys';

 export enum OAuthClient {
  DEFAULT = 'client-default',
@@ -44,6 +51,29 @@ const claims = [
  },
 ];

+const privateKey = await importPKCS8(PRIVATE_KEY_PEM, 'RS256', {
+  extractable: true,
+});
+const publicKey = await importSPKI(PUBLIC_KEY_PEM, 'RS256', {
+  extractable: true,
+});
+const kid = await calculateJwkThumbprint(await exportJWK(publicKey));
+
+export async function generateLogoutToken(iss: string, sub: string) {
+  return await new SignJWT({
+    iss: iss,
+    aud: OAuthClient.DEFAULT,
+    iat: Math.floor(Date.now() / 1000),
+    jti: crypto.randomUUID(),
+    sub: sub,
+    events: {
+      'http://schemas.openid.net/event/backchannel-logout': {},
+    },
+  })
+    .setProtectedHeader({ alg: 'RS256', typ: 'logout+jwt', kid: kid })
+    .sign(privateKey);
+}
+
 const withDefaultClaims = (sub: string) => ({
  sub,
  email: `${sub}@immich.app`,
@@ -66,8 +96,6 @@ const getClaims = (sub: string, use?: string) => {
 };

 const setup = async () => {
-  const { privateKey, publicKey } = await generateKeyPair('RS256');
-
  const redirectUris = [
    'http://127.0.0.1:2285/auth/login',
    'https://photos.immich.app/oauth/mobile-redirect',
@@ -7,9 +7,10 @@
    "start": "tsx startup.ts"
  },
  "devDependencies": {
-    "jose": "^5.6.3",
+    "jose": "^6.0.0",
    "@types/oidc-provider": "^9.0.0",
    "oidc-provider": "^9.0.0",
    "tsx": "^4.20.6"
-  }
+  },
+  "packageManager": "pnpm@10.33.1"
 }
@@ -0,0 +1,38 @@
+export const PRIVATE_KEY_PEM = `-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCVj5C7hzN3E2HO
+TcJ+DN/e2NSTQFj4rPylz4J8xjm8Es7l0k2kK5EEGvUNVGZbw7s055c+6kwP9eqg
+B5XFE7+26Fcq1sou6Tbm310kU4dnMW5l2CgwrhaGyb1pNysao0AMLT60dFYqtUwn
+ha9ceCsa+ZU1JrknVf3rONtppBvhWoI7CO9XX1keVQ0unHPzCWUjpXTzC8OGEbmB
+2w7ZIUf8OfJkd5RZ4OtIpML71W9n13aDxT50x2/EW/pFLFtQ/oaleOKHpvlRXDRX
+W86G4moUJym3gHMXMUj2aOcFG2UJnpLruKz3i5qZwYiTRlBP6O9EIQNCVtYxchuN
+V1CCcBU1AgMBAAECggEAJLfXMu8Nx89ynPVyyUMMaFfoEpHC9iR0L5obQVpiPMYK
+VRqVVLecdftPS9s7eQ58BNBRzdC0ZVu841aRYs3HLNbsZZhPkYZQpAxU//Dg5okY
+fzj7Hv5yidt4HN9+Pd8z/3lRMnj4WapifLaBt8xJ2ujJBMBRxzJBsXDnT0+Kx7+y
+bYDeuVfyUTEikaK3QZTbuRF3D3eiuN16GG+hv8UqTF2eYbPxdiLjYpTSHa4mH88C
+qfJz2Xt4SEzmyeo3G+MO17wDFOwtEe8ojlJfULHnHJSFdUwTfYIFM1bg5/fJ9MOS
+/fO3TSG+wkQqjQa6eoGssAzP87fL2XNLzlDtGY/7uQKBgQDHuJHOtf1EjOvNYiP7
+EN+8QGs41ghzt9CQRQxWbHpusR3IW3P83KMXwYmrlG70oOUXBRGSB/ESXUofXc5W
+pu5+Y55S44aUnu/a9yOBttYW0dtHZSL0zFT+PlVASwUzFZ2zcH1KXlUkSpfL5OAD
+PyDDTnBZ2AWh45fRO9wLo6PPuQKBgQC/tI03RqU3mOjqukKbquYeIpXHfRU5Z0DM
+u9ru1THYEl6fmkMXycxo/mvW3awyFuyKy/VodqIgKnFgumEqCHZh6OAMm/LC7TfA
+l9tjFSs/MyOqQVD4kbX+z6Oq4c4GccDoXfsQ3gzECoBapegi/F+6/25y+/C8ghXb
+J/Jg1GQXXQKBgQDFgWbfzuVZZyrBfu4qGLPJDMN7/114YizknwPma3xf/tN/EcGQ
+K/k1QvWMMkvPq1UiAKcxjJ0AFjV482FcG9T6NDWbrtmmG88C8Sex3Ue2ZW2+GuwI
+vhDHJIlV/Vp0/Elp7DJa2xLDwuh+gCZvz3vs6KL+ljxrrhCyn8mp0PfsMQKBgFFZ
+KnuETOO0zVGdzFoGQTQUdP58A5+iQwsdxB+I9Ge+E80iRso3ZbhADj7VPhbbR3D2
+b6LuhImluQrUzBpsEOAnU7vGCVPSGdBuIDiBaSKebsn2gYeZPWNtdQQ0YZq2dqek
+Cb/0mfIuipzsvf7qnSza62F7q4IyqVegMegI+Jg5AoGATM3NMy7JZeKzSkm+3ohU
+3xZOwgqKV9SH+0OeYWpuBxT7D7FlrKKI4NJ3XN3hg2f/DJAF6dH11CPe7pk94yol
+HMbh+PQUQ6GYvAzxIOvagWboQ3lzeyubNMpyFjfOrIE/WOQCUBZ9tIwCHIarIuyi
+QRuNOj3+U8T/n1Ww352HBdw=
+-----END PRIVATE KEY-----`;
+
+export const PUBLIC_KEY_PEM = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlY+Qu4czdxNhzk3Cfgzf
+3tjUk0BY+Kz8pc+CfMY5vBLO5dJNpCuRBBr1DVRmW8O7NOeXPupMD/XqoAeVxRO/
+tuhXKtbKLuk25t9dJFOHZzFuZdgoMK4Whsm9aTcrGqNADC0+tHRWKrVMJ4WvXHgr
+GvmVNSa5J1X96zjbaaQb4VqCOwjvV19ZHlUNLpxz8wllI6V08wvDhhG5gdsO2SFH
+/DnyZHeUWeDrSKTC+9VvZ9d2g8U+dMdvxFv6RSxbUP6GpXjih6b5UVw0V1vOhuJq
+FCcpt4BzFzFI9mjnBRtlCZ6S67is94uamcGIk0ZQT+jvRCEDQlbWMXIbjVdQgnAV
+NQIDAQAB
+-----END PUBLIC KEY-----`;
@@ -1 +0,0 @@
-24.14.1
@@ -27,3 +27,18 @@ run = { task = "lint --fix" }
 [tasks.check]
 env._.path = "./node_modules/.bin"
 run = "tsc --noEmit"
+
+
+[tasks.ci-setup]
+depends = ["//:sdk:install", "//:sdk:build", "//cli:install", "//cli:build"]
+run = { task = ":install" }
+
+
+[tasks.ci-unit]
+depends = ["//:sdk:install", "//:sdk:build"]
+run = [
+  { task = ":install" },
+  { task = ":format" },
+  { task = ":lint" },
+  { task = ":check" },
+]
@@ -32,7 +32,7 @@
    "@playwright/test": "^1.44.1",
    "@socket.io/component-emitter": "^3.1.2",
    "@types/luxon": "^3.4.2",
-    "@types/node": "^24.12.0",
+    "@types/node": "^24.12.2",
    "@types/pg": "^8.15.1",
    "@types/pngjs": "^6.0.4",
    "@types/supertest": "^7.0.0",
@@ -56,8 +56,5 @@
    "utimes": "^5.2.1",
    "vite-tsconfig-paths": "^6.1.1",
    "vitest": "^4.0.0"
-  },
-  "volta": {
-    "node": "24.14.1"
  }
 }
@@ -2,82 +2,44 @@ import { expect } from 'vitest';

 export const errorDto = {
  unauthorized: {
-    error: 'Unauthorized',
-    statusCode: 401,
    message: 'Authentication required',
-    correlationId: expect.any(String),
  },
  unauthorizedWithMessage: (message: string) => ({
-    error: 'Unauthorized',
-    statusCode: 401,
    message,
-    correlationId: expect.any(String),
  }),
  forbidden: {
-    error: 'Forbidden',
-    statusCode: 403,
    message: expect.any(String),
-    correlationId: expect.any(String),
  },
  missingPermission: (permission: string) => ({
-    error: 'Forbidden',
-    statusCode: 403,
    message: `Missing required permission: ${permission}`,
-    correlationId: expect.any(String),
  }),
  wrongPassword: {
-    error: 'Bad Request',
-    statusCode: 400,
    message: 'Wrong password',
-    correlationId: expect.any(String),
  },
  invalidToken: {
-    error: 'Unauthorized',
-    statusCode: 401,
    message: 'Invalid user token',
-    correlationId: expect.any(String),
  },
  invalidShareKey: {
-    error: 'Unauthorized',
-    statusCode: 401,
    message: 'Invalid share key',
-    correlationId: expect.any(String),
  },
  passwordRequired: {
-    error: 'Unauthorized',
-    statusCode: 401,
    message: 'Password required',
-    correlationId: expect.any(String),
  },
  badRequest: (message: any = null) => ({
-    error: 'Bad Request',
-    statusCode: 400,
    message: message ?? expect.anything(),
-    correlationId: expect.any(String),
+  }),
+  validationError: (errors?: ReadonlyArray<{ path: ReadonlyArray<string | number>; message: string }>) => ({
+    message: 'Validation failed',
+    errors: errors ? expect.arrayContaining(errors.map((e) => expect.objectContaining(e))) : expect.any(Array),
  }),
  noPermission: {
-    error: 'Bad Request',
-    statusCode: 400,
    message: expect.stringContaining('Not found or no'),
-    correlationId: expect.any(String),
  },
  incorrectLogin: {
-    error: 'Unauthorized',
-    statusCode: 401,
    message: 'Incorrect email or password',
-    correlationId: expect.any(String),
  },
  alreadyHasAdmin: {
-    error: 'Bad Request',
-    statusCode: 400,
    message: 'The server already has an admin',
-    correlationId: expect.any(String),
-  },
-  invalidEmail: {
-    error: 'Bad Request',
-    statusCode: 400,
-    message: ['email must be an email'],
-    correlationId: expect.any(String),
  },
 };

@@ -130,12 +130,11 @@ describe('/albums', () => {
  describe('GET /albums', () => {
    it("should not show other users' favorites", async () => {
      const { status, body } = await request(app)
-        .get(`/albums/${user1Albums[0].id}?withoutAssets=false`)
+        .get(`/albums/${user1Albums[0].id}`)
        .set('Authorization', `Bearer ${user2.accessToken}`);
      expect(status).toEqual(200);
      expect(body).toEqual({
        ...user1Albums[0],
-        assets: [expect.objectContaining({ isFavorite: false })],
        contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
        lastModifiedAssetTimestamp: expect.any(String),
        startDate: expect.any(String),
@@ -147,7 +146,7 @@ describe('/albums', () => {

    it('should not return shared albums with a deleted owner', async () => {
      const { status, body } = await request(app)
-        .get('/albums?shared=true')
+        .get('/albums?isShared=true')
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(200);
@@ -155,23 +154,31 @@ describe('/albums', () => {
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
-            ownerId: user1.userId,
            albumName: user1SharedLink,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
+            ]),
            shared: true,
          }),
          expect.objectContaining({
-            ownerId: user1.userId,
            albumName: user1SharedEditorUser,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
+            ]),
            shared: true,
          }),
          expect.objectContaining({
-            ownerId: user1.userId,
            albumName: user1SharedViewerUser,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
+            ]),
            shared: true,
          }),
          expect.objectContaining({
-            ownerId: user2.userId,
            albumName: user2SharedUser,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user2.userId }) },
+            ]),
            shared: true,
          }),
        ]),
@@ -181,82 +188,164 @@ describe('/albums', () => {
    it('should return the album collection including owned and shared', async () => {
      const { status, body } = await request(app).get('/albums').set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
-      expect(body).toHaveLength(4);
+      expect(body).toHaveLength(5);
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
-            ownerId: user1.userId,
            albumName: user1SharedEditorUser,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
+            ]),
            shared: true,
          }),
          expect.objectContaining({
-            ownerId: user1.userId,
            albumName: user1SharedViewerUser,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
+            ]),
            shared: true,
          }),
          expect.objectContaining({
-            ownerId: user1.userId,
            albumName: user1SharedLink,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
+            ]),
            shared: true,
          }),
          expect.objectContaining({
-            ownerId: user1.userId,
            albumName: user1NotShared,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
+            ]),
            shared: false,
          }),
+          expect.objectContaining({
+            albumName: user2SharedUser,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user2.userId }) },
+            ]),
+            shared: true,
+          }),
        ]),
      );
    });

-    it('should return the album collection filtered by shared', async () => {
+    it('should return the album collection filtered by isShared', async () => {
      const { status, body } = await request(app)
-        .get('/albums?shared=true')
+        .get('/albums?isShared=true')
        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
      expect(body).toHaveLength(4);
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
-            ownerId: user1.userId,
            albumName: user1SharedEditorUser,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
+            ]),
            shared: true,
          }),
          expect.objectContaining({
-            ownerId: user1.userId,
            albumName: user1SharedViewerUser,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
+            ]),
            shared: true,
          }),
          expect.objectContaining({
-            ownerId: user1.userId,
            albumName: user1SharedLink,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
+            ]),
            shared: true,
          }),
          expect.objectContaining({
-            ownerId: user2.userId,
            albumName: user2SharedUser,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user2.userId }) },
+            ]),
            shared: true,
          }),
        ]),
      );
    });

-    it('should return the album collection filtered by NOT shared', async () => {
+    it('should return the album collection filtered by NOT isShared', async () => {
      const { status, body } = await request(app)
-        .get('/albums?shared=false')
+        .get('/albums?isShared=false')
        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
      expect(body).toHaveLength(1);
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
-            ownerId: user1.userId,
            albumName: user1NotShared,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
+            ]),
            shared: false,
          }),
        ]),
      );
    });

+    it('should return only owned albums when filtered by isOwned=true', async () => {
+      const { status, body } = await request(app)
+        .get('/albums?isOwned=true')
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+      expect(status).toBe(200);
+      expect(body).toHaveLength(4);
+      expect(body).toEqual(
+        expect.arrayContaining([
+          expect.objectContaining({ albumName: user1SharedEditorUser }),
+          expect.objectContaining({ albumName: user1SharedViewerUser }),
+          expect.objectContaining({ albumName: user1SharedLink }),
+          expect.objectContaining({ albumName: user1NotShared }),
+        ]),
+      );
+    });
+
+    it('should return only shared-with-me albums when filtered by isOwned=false', async () => {
+      const { status, body } = await request(app)
+        .get('/albums?isOwned=false')
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+      expect(status).toBe(200);
+      expect(body).toHaveLength(1);
+      expect(body).toEqual(
+        expect.arrayContaining([
+          expect.objectContaining({
+            albumName: user2SharedUser,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user2.userId }) },
+            ]),
+          }),
+        ]),
+      );
+    });
+
+    it('should return owned shared-out albums when filtered by isOwned=true&ishared=true', async () => {
+      const { status, body } = await request(app)
+        .get('/albums?isOwned=true&isShared=true')
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+      expect(status).toBe(200);
+      expect(body).toHaveLength(3);
+      expect(body).toEqual(
+        expect.arrayContaining([
+          expect.objectContaining({ albumName: user1SharedEditorUser }),
+          expect.objectContaining({ albumName: user1SharedViewerUser }),
+          expect.objectContaining({ albumName: user1SharedLink }),
+        ]),
+      );
+    });
+
+    it('should return empty list when filtered by isOwned=false&isShared=false', async () => {
+      const { status, body } = await request(app)
+        .get('/albums?isOwned=false&isShared=false')
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+      expect(status).toBe(200);
+      expect(body).toHaveLength(0);
+    });
+
    it('should return the album collection filtered by assetId', async () => {
      const { status, body } = await request(app)
        .get(`/albums?assetId=${user1Asset2.id}`)
@@ -265,17 +354,17 @@ describe('/albums', () => {
      expect(body).toHaveLength(2);
    });

-    it('should return the album collection filtered by assetId and ignores shared=true', async () => {
+    it('should return the album collection filtered by assetId and ignores isShared=true', async () => {
      const { status, body } = await request(app)
-        .get(`/albums?shared=true&assetId=${user1Asset1.id}`)
+        .get(`/albums?isShared=true&assetId=${user1Asset1.id}`)
        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
      expect(body).toHaveLength(5);
    });

-    it('should return the album collection filtered by assetId and ignores shared=false', async () => {
+    it('should return the album collection filtered by assetId and ignores isShared=false', async () => {
      const { status, body } = await request(app)
-        .get(`/albums?shared=false&assetId=${user1Asset1.id}`)
+        .get(`/albums?isShared=false&assetId=${user1Asset1.id}`)
        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
      expect(body).toHaveLength(5);
@@ -287,13 +376,17 @@ describe('/albums', () => {
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
-            ownerId: user4.userId,
            albumName: user4DeletedAsset,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user4.userId }) },
+            ]),
            shared: false,
          }),
          expect.objectContaining({
-            ownerId: user4.userId,
            albumName: user4Empty,
+            albumUsers: expect.arrayContaining([
+              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user4.userId }) },
+            ]),
            shared: false,
          }),
        ]),
@@ -304,13 +397,12 @@ describe('/albums', () => {
  describe('GET /albums/:id', () => {
    it('should return album info for own album', async () => {
      const { status, body } = await request(app)
-        .get(`/albums/${user1Albums[0].id}?withoutAssets=false`)
+        .get(`/albums/${user1Albums[0].id}`)
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(200);
      expect(body).toEqual({
        ...user1Albums[0],
-        assets: [expect.objectContaining({ id: user1Albums[0].assets[0].id })],
        contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
        lastModifiedAssetTimestamp: expect.any(String),
        startDate: expect.any(String),
@@ -322,7 +414,7 @@ describe('/albums', () => {

    it('should return album info for shared album (editor)', async () => {
      const { status, body } = await request(app)
-        .get(`/albums/${user2Albums[0].id}?withoutAssets=false`)
+        .get(`/albums/${user2Albums[0].id}`)
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(200);
@@ -331,14 +423,14 @@ describe('/albums', () => {

    it('should return album info for shared album (viewer)', async () => {
      const { status, body } = await request(app)
-        .get(`/albums/${user1Albums[3].id}?withoutAssets=false`)
+        .get(`/albums/${user1Albums[3].id}`)
        .set('Authorization', `Bearer ${user2.accessToken}`);

      expect(status).toBe(200);
      expect(body).toMatchObject({ id: user1Albums[3].id });
    });

-    it('should return album info with assets when withoutAssets is undefined', async () => {
+    it('should return album info', async () => {
      const { status, body } = await request(app)
        .get(`/albums/${user1Albums[0].id}`)
        .set('Authorization', `Bearer ${user1.accessToken}`);
@@ -346,25 +438,6 @@ describe('/albums', () => {
      expect(status).toBe(200);
      expect(body).toEqual({
        ...user1Albums[0],
-        assets: [expect.objectContaining({ id: user1Albums[0].assets[0].id })],
-        contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
-        lastModifiedAssetTimestamp: expect.any(String),
-        startDate: expect.any(String),
-        endDate: expect.any(String),
-        albumUsers: expect.any(Array),
-        shared: true,
-      });
-    });
-
-    it('should return album info without assets when withoutAssets is true', async () => {
-      const { status, body } = await request(app)
-        .get(`/albums/${user1Albums[0].id}?withoutAssets=true`)
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-
-      expect(status).toBe(200);
-      expect(body).toEqual({
-        ...user1Albums[0],
-        assets: [],
        contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
        assetCount: 1,
        lastModifiedAssetTimestamp: expect.any(String),
@@ -379,21 +452,21 @@ describe('/albums', () => {
      await utils.deleteAssets(user1.accessToken, [user1Asset2.id]);

      const { status, body } = await request(app)
-        .get(`/albums/${user2Albums[0].id}?withoutAssets=true`)
+        .get(`/albums/${user2Albums[0].id}`)
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(200);
-      expect(body).toEqual({
-        ...user2Albums[0],
-        assets: [],
-        contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
-        assetCount: 1,
-        lastModifiedAssetTimestamp: expect.any(String),
-        endDate: expect.any(String),
-        startDate: expect.any(String),
-        albumUsers: expect.any(Array),
-        shared: true,
-      });
+      expect(body).toEqual(
+        expect.objectContaining({
+          contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
+          assetCount: 1,
+          lastModifiedAssetTimestamp: expect.any(String),
+          endDate: expect.any(String),
+          startDate: expect.any(String),
+          albumUsers: expect.any(Array),
+          shared: true,
+        }),
+      );
    });
  });

@@ -419,16 +492,13 @@ describe('/albums', () => {
        id: expect.any(String),
        createdAt: expect.any(String),
        updatedAt: expect.any(String),
-        ownerId: user1.userId,
        albumName: 'New album',
        description: '',
        albumThumbnailAssetId: null,
        shared: false,
-        albumUsers: [],
+        albumUsers: [{ role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) }],
        hasSharedLink: false,
-        assets: [],
        assetCount: 0,
-        owner: expect.objectContaining({ email: user1.userEmail }),
        isActivityEnabled: true,
        order: AssetOrder.Desc,
      });
@@ -644,11 +714,11 @@ describe('/albums', () => {
      expect(status).toBe(200);
      expect(body).toEqual(
        expect.objectContaining({
-          albumUsers: [
+          albumUsers: expect.arrayContaining([
            expect.objectContaining({
              user: expect.objectContaining({ id: user2.userId }),
            }),
-          ],
+          ]),
        }),
      );
    });
@@ -660,7 +730,7 @@ describe('/albums', () => {
        .send({ albumUsers: [{ userId: user1.userId, role: AlbumUserRole.Editor }] });

      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest('Cannot be shared with owner'));
+      expect(body).toEqual(errorDto.badRequest('User already added'));
    });

    it('should not be able to add existing user to shared album', async () => {
@@ -686,7 +756,7 @@ describe('/albums', () => {
        albumUsers: [{ userId: user2.userId, role: AlbumUserRole.Viewer }],
      });

-      expect(album.albumUsers[0].role).toEqual(AlbumUserRole.Viewer);
+      expect(album.albumUsers[1].role).toEqual(AlbumUserRole.Viewer);

      const { status } = await request(app)
        .put(`/albums/${album.id}/user/${user2.userId}`)
@@ -701,7 +771,10 @@ describe('/albums', () => {
        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(body).toEqual(
        expect.objectContaining({
-          albumUsers: [expect.objectContaining({ role: AlbumUserRole.Editor })],
+          albumUsers: [
+            expect.objectContaining({ role: AlbumUserRole.Owner }),
+            expect.objectContaining({ role: AlbumUserRole.Editor }),
+          ],
        }),
      );
    });
@@ -712,7 +785,7 @@ describe('/albums', () => {
        albumUsers: [{ userId: user2.userId, role: AlbumUserRole.Viewer }],
      });

-      expect(album.albumUsers[0].role).toEqual(AlbumUserRole.Viewer);
+      expect(album.albumUsers[1].role).toEqual(AlbumUserRole.Viewer);

      const { status, body } = await request(app)
        .put(`/albums/${album.id}/user/${user2.userId}`)
@@ -1091,8 +1091,6 @@ describe('/asset', () => {
      const { body, status } = await request(app)
        .post('/assets')
        .set('Authorization', `Bearer ${quotaUser.accessToken}`)
-        .field('deviceAssetId', 'example-image')
-        .field('deviceId', 'e2e')
        .field('fileCreatedAt', new Date().toISOString())
        .field('fileModifiedAt', new Date().toISOString())
        .attach('assetData', makeRandomImage(), 'example.jpg');
@@ -1109,8 +1107,6 @@ describe('/asset', () => {
      const { body, status } = await request(app)
        .post('/assets')
        .set('Authorization', `Bearer ${quotaUser.accessToken}`)
-        .field('deviceAssetId', 'example-image')
-        .field('deviceId', 'e2e')
        .field('fileCreatedAt', new Date().toISOString())
        .field('fileModifiedAt', new Date().toISOString())
        .attach('assetData', randomBytes(2014), 'example.jpg');
@@ -1164,29 +1160,4 @@ describe('/asset', () => {
      expect(video.checksum).toStrictEqual(checksum);
    });
  });
-
-  describe('POST /assets/exist', () => {
-    it('ignores invalid deviceAssetIds', async () => {
-      const response = await utils.checkExistingAssets(user1.accessToken, {
-        deviceId: 'test-assets-exist',
-        deviceAssetIds: ['invalid', 'INVALID'],
-      });
-
-      expect(response.existingIds).toHaveLength(0);
-    });
-
-    it('returns the IDs of existing assets', async () => {
-      await utils.createAsset(user1.accessToken, {
-        deviceId: 'test-assets-exist',
-        deviceAssetId: 'test-asset-0',
-      });
-
-      const response = await utils.checkExistingAssets(user1.accessToken, {
-        deviceId: 'test-assets-exist',
-        deviceAssetIds: ['test-asset-0'],
-      });
-
-      expect(response.existingIds).toEqual(['test-asset-0']);
-    });
-  });
 });
@@ -110,7 +110,9 @@ describe('/libraries', () => {
        });

      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[importPaths] Array must have unique items']));
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['importPaths'], message: 'Array must have unique items' }]),
+      );
    });

    it('should not create an external library with duplicate exclusion patterns', async () => {
@@ -125,7 +127,9 @@ describe('/libraries', () => {
        });

      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[exclusionPatterns] Array must have unique items']));
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['exclusionPatterns'], message: 'Array must have unique items' }]),
+      );
    });
  });

@@ -157,7 +161,9 @@ describe('/libraries', () => {
        .send({ name: '' });

      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[name] Too small: expected string to have >=1 characters']));
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['name'], message: 'Too small: expected string to have >=1 characters' }]),
+      );
    });

    it('should change the import paths', async () => {
@@ -181,7 +187,9 @@ describe('/libraries', () => {
        .send({ importPaths: [''] });

      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[importPaths] Array items must not be empty']));
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['importPaths'], message: 'Array items must not be empty' }]),
+      );
    });

    it('should reject duplicate import paths', async () => {
@@ -191,7 +199,9 @@ describe('/libraries', () => {
        .send({ importPaths: ['/path', '/path'] });

      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[importPaths] Array must have unique items']));
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['importPaths'], message: 'Array must have unique items' }]),
+      );
    });

    it('should change the exclusion pattern', async () => {
@@ -215,7 +225,9 @@ describe('/libraries', () => {
        .send({ exclusionPatterns: ['**/*.jpg', '**/*.jpg'] });

      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[exclusionPatterns] Array must have unique items']));
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['exclusionPatterns'], message: 'Array must have unique items' }]),
+      );
    });

    it('should reject an empty exclusion pattern', async () => {
@@ -225,7 +237,9 @@ describe('/libraries', () => {
        .send({ exclusionPatterns: [''] });

      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[exclusionPatterns] Array items must not be empty']));
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['exclusionPatterns'], message: 'Array items must not be empty' }]),
+      );
    });
  });

@@ -109,7 +109,9 @@ describe('/map', () => {
        .get('/map/reverse-geocode?lon=123')
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[lat] Invalid input: expected number, received NaN']));
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['lat'], message: 'Invalid input: expected number, received NaN' }]),
+      );
    });

    it('should throw an error if a lat is not a number', async () => {
@@ -117,7 +119,9 @@ describe('/map', () => {
        .get('/map/reverse-geocode?lat=abc&lon=123.456')
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[lat] Invalid input: expected number, received NaN']));
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['lat'], message: 'Invalid input: expected number, received NaN' }]),
+      );
    });

    it('should throw an error if a lat is out of range', async () => {
@@ -125,7 +129,9 @@ describe('/map', () => {
        .get('/map/reverse-geocode?lat=91&lon=123.456')
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[lat] Too big: expected number to be <=90']));
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['lat'], message: 'Too big: expected number to be <=90' }]),
+      );
    });

    it('should throw an error if a lon is not provided', async () => {
@@ -133,7 +139,9 @@ describe('/map', () => {
        .get('/map/reverse-geocode?lat=75')
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[lon] Invalid input: expected number, received NaN']));
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['lon'], message: 'Invalid input: expected number, received NaN' }]),
+      );
    });

    const reverseGeocodeTestCases = [
@@ -1,9 +1,10 @@
-import { OAuthClient, OAuthUser } from '@immich/e2e-auth-server';
+import { OAuthClient, OAuthUser, generateLogoutToken } from '@immich/e2e-auth-server';
 import {
  LoginResponseDto,
  SystemConfigOAuthDto,
  getConfigDefaults,
  getMyUser,
+  getSessions,
  startOAuth,
  updateConfig,
 } from '@immich/sdk';
@@ -76,6 +77,7 @@ const setupOAuth = async (token: string, dto: Partial<SystemConfigOAuthDto>) =>
    ...defaults.oauth,
    buttonText: 'Login with Immich',
    issuerUrl: `${authServer.internal}/.well-known/openid-configuration`,
+    allowInsecureRequests: true,
    ...dto,
  };
  await updateConfig({ systemConfigDto: { ...defaults, oauth: merged } }, options);
@@ -87,21 +89,27 @@ describe(`/oauth`, () => {
  beforeAll(async () => {
    await utils.resetDatabase();
    admin = await utils.adminSetup();
-
-    await setupOAuth(admin.accessToken, {
-      enabled: true,
-      clientId: OAuthClient.DEFAULT,
-      clientSecret: OAuthClient.DEFAULT,
-      buttonText: 'Login with Immich',
-      storageLabelClaim: 'immich_username',
-    });
  });

  describe('POST /oauth/authorize', () => {
+    beforeAll(async () => {
+      await setupOAuth(admin.accessToken, {
+        enabled: true,
+        clientId: OAuthClient.DEFAULT,
+        clientSecret: OAuthClient.DEFAULT,
+        buttonText: 'Login with Immich',
+        storageLabelClaim: 'immich_username',
+      });
+    });
+
    it(`should throw an error if a redirect uri is not provided`, async () => {
      const { status, body } = await request(app).post('/oauth/authorize').send({});
      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[redirectUri] Invalid input: expected string, received undefined']));
+      expect(body).toEqual(
+        errorDto.validationError([
+          { path: ['redirectUri'], message: 'Invalid input: expected string, received undefined' },
+        ]),
+      );
    });

    it('should return a redirect uri', async () => {
@@ -117,19 +125,60 @@ describe(`/oauth`, () => {
      expect(params.get('redirect_uri')).toBe('http://127.0.0.1:2285/auth/login');
      expect(params.get('state')).toBeDefined();
    });
+
+    it('should not include the prompt parameter when not configured', async () => {
+      const { status, body } = await request(app)
+        .post('/oauth/authorize')
+        .send({ redirectUri: 'http://127.0.0.1:2285/auth/login' });
+      expect(status).toBe(201);
+
+      const params = new URL(body.url).searchParams;
+      expect(params.get('prompt')).toBeNull();
+    });
+
+    it('should include the prompt parameter when configured', async () => {
+      await setupOAuth(admin.accessToken, {
+        enabled: true,
+        clientId: OAuthClient.DEFAULT,
+        clientSecret: OAuthClient.DEFAULT,
+        prompt: 'select_account',
+      });
+
+      const { status, body } = await request(app)
+        .post('/oauth/authorize')
+        .send({ redirectUri: 'http://127.0.0.1:2285/auth/login' });
+      expect(status).toBe(201);
+
+      const params = new URL(body.url).searchParams;
+      expect(params.get('prompt')).toBe('select_account');
+    });
  });

  describe('POST /oauth/callback', () => {
+    beforeAll(async () => {
+      await setupOAuth(admin.accessToken, {
+        enabled: true,
+        clientId: OAuthClient.DEFAULT,
+        clientSecret: OAuthClient.DEFAULT,
+        buttonText: 'Login with Immich',
+        storageLabelClaim: 'immich_username',
+      });
+    });
+
    it(`should throw an error if a url is not provided`, async () => {
      const { status, body } = await request(app).post('/oauth/callback').send({});
      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[url] Invalid input: expected string, received undefined']));
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['url'], message: 'Invalid input: expected string, received undefined' }]),
+      );
    });

    it(`should throw an error if the url is empty`, async () => {
      const { status, body } = await request(app).post('/oauth/callback').send({ url: '' });
      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[url] Too small: expected string to have >=1 characters']));
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['url'], message: 'Too small: expected string to have >=1 characters' }]),
+      );
    });

    it(`should throw an error if the state is not provided`, async () => {
@@ -158,10 +207,9 @@ describe(`/oauth`, () => {
    it(`should throw an error if the codeVerifier doesn't match the challenge`, async () => {
      const callbackParams = await loginWithOAuth('oauth-auto-register');
      const { codeVerifier } = await loginWithOAuth('oauth-auto-register');
-      const { status, body } = await request(app)
+      const { status } = await request(app)
        .post('/oauth/callback')
        .send({ ...callbackParams, codeVerifier });
-      console.log(body);
      expect(status).toBeGreaterThanOrEqual(400);
    });

@@ -258,7 +306,7 @@ describe(`/oauth`, () => {
        accessToken: expect.any(String),
        isAdmin: false,
        name: 'OAuth User',
-        userEmail: 'oauth-RS256-token@immich.app',
+        userEmail: 'oauth-rs256-token@immich.app',
        userId: expect.any(String),
      });
    });
@@ -292,9 +340,7 @@ describe(`/oauth`, () => {
      const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
      expect(status).toBe(500);
      expect(body).toMatchObject({
-        error: 'Internal Server Error',
        message: 'Failed to finish oauth',
-        statusCode: 500,
      });
    });

@@ -313,7 +359,7 @@ describe(`/oauth`, () => {
        const callbackParams = await loginWithOAuth('oauth-no-auto-register');
        const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest('User does not exist and auto registering is disabled.'));
+        expect(body).toEqual(errorDto.badRequest('OAuth authentication failed'));
      });

      it('should link to an existing user by email', async () => {
@@ -333,6 +379,54 @@ describe(`/oauth`, () => {
    });
  });

+  describe(`POST /oauth/backchannel-logout`, () => {
+    it(`should throw an error if the logout_token is not provided`, async () => {
+      const { status, body } = await request(app).post('/oauth/backchannel-logout').send({});
+      expect(status).toBe(400);
+      expect(body).toEqual(
+        errorDto.validationError([
+          { path: ['logout_token'], message: 'Invalid input: expected string, received undefined' },
+        ]),
+      );
+    });
+
+    it(`should throw an error if an invalid logout token is provided`, async () => {
+      const { status, body } = await request(app)
+        .post('/oauth/backchannel-logout')
+        .send({ logout_token: 'invalid token' });
+      expect(status).toBe(400);
+      expect(body).toEqual(errorDto.badRequest('Error backchannel logout: token validation failed'));
+    });
+
+    it(`should logout user if a valid logout token is provided`, async () => {
+      await setupOAuth(admin.accessToken, {
+        enabled: true,
+        clientId: OAuthClient.DEFAULT,
+        clientSecret: OAuthClient.DEFAULT,
+        autoRegister: true,
+        signingAlgorithm: 'RS256',
+        buttonText: 'Login with Immich',
+      });
+
+      const callbackParams = await loginWithOAuth('backchannel-logout-user');
+      const { status: callbackStatus, body: callbackBody } = await request(app)
+        .post('/oauth/callback')
+        .send(callbackParams);
+      expect(callbackStatus).toBe(201);
+
+      await expect(getSessions({ headers: asBearerAuth(callbackBody.accessToken) })).resolves.toHaveLength(1);
+
+      const logoutToken = await generateLogoutToken('http://0.0.0.0:2286', 'backchannel-logout-user');
+      const { status, body } = await request(app).post('/oauth/backchannel-logout').send({ logout_token: logoutToken });
+      expect(status).toBe(200);
+      expect(body).toMatchObject({});
+
+      await expect(getSessions({ headers: asBearerAuth(callbackBody.accessToken) })).rejects.toMatchObject({
+        status: 401,
+      });
+    });
+  });
+
  describe('mobile redirect override', () => {
    beforeAll(async () => {
      await setupOAuth(admin.accessToken, {
@@ -399,4 +493,22 @@ describe(`/oauth`, () => {
      });
    });
  });
+
+  describe('allowInsecureRequests: false', () => {
+    beforeAll(async () => {
+      await setupOAuth(admin.accessToken, {
+        enabled: true,
+        clientId: OAuthClient.DEFAULT,
+        clientSecret: OAuthClient.DEFAULT,
+        allowInsecureRequests: false,
+      });
+    });
+
+    it('should reject OAuth discovery over HTTP', async () => {
+      const { status } = await request(app)
+        .post('/oauth/authorize')
+        .send({ redirectUri: 'http://127.0.0.1:2285/auth/login' });
+      expect(status).toBe(500);
+    });
+  });
 });
@@ -74,7 +74,6 @@ describe('/search', () => {
      const bytes = await readFile(join(testAssetDir, filename));
      assets.push(
        await utils.createAsset(admin.accessToken, {
-          deviceAssetId: `test-${filename}`,
          assetData: { bytes, filename },
          ...dto,
        }),
@@ -458,7 +457,7 @@ describe('/search', () => {
      expect(Array.isArray(body)).toBe(true);
      if (Array.isArray(body)) {
        expect(body.length).toBeGreaterThan(10);
-        expect(body[0].name).toEqual(name);
+        expect(body[0].name).toEqual(expect.stringContaining(name));
        expect(body[0].admin2name).toEqual(name);
      }
    });
@@ -207,16 +207,6 @@ describe('/server', () => {
    });
  });

-  describe('GET /server/theme', () => {
-    it('should respond with the server theme', async () => {
-      const { status, body } = await request(app).get('/server/theme');
-      expect(status).toBe(200);
-      expect(body).toEqual({
-        customCss: '',
-      });
-    });
-  });
-
  describe('GET /server/license', () => {
    it('should require authentication', async () => {
      const { status, body } = await request(app).get('/server/license');
@@ -341,7 +341,9 @@ describe('/shared-links', () => {
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest());
+      expect(body).toEqual(
+        errorDto.validationError([{ path: [], message: 'Invalid input: expected object, received undefined' }]),
+      );
    });

    it('should require an asset/album id', async () => {
@@ -41,7 +41,9 @@ describe('/stacks', () => {
        .send({ assetIds: [asset.id] });

      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest());
+      expect(body).toEqual(
+        errorDto.validationError([{ path: ['assetIds'], message: 'Too small: expected array to have >=2 items' }]),
+      );
    });

    it('should require a valid id', async () => {
@@ -51,7 +53,12 @@ describe('/stacks', () => {
        .send({ assetIds: [uuidDto.invalid, uuidDto.invalid] });

      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest());
+      expect(body).toEqual(
+        errorDto.validationError([
+          { path: ['assetIds', 0], message: 'Invalid UUID' },
+          { path: ['assetIds', 1], message: 'Invalid UUID' },
+        ]),
+      );
    });

    it('should require access', async () => {
@@ -309,7 +309,7 @@ describe('/tags', () => {
        .get(`/tags/${uuidDto.invalid}`)
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[id] Invalid UUID']));
+      expect(body).toEqual(errorDto.validationError([{ path: ['id'], message: 'Invalid UUID' }]));
    });

    it('should get tag details', async () => {
@@ -427,7 +427,7 @@ describe('/tags', () => {
        .delete(`/tags/${uuidDto.invalid}`)
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest(['[id] Invalid UUID']));
+      expect(body).toEqual(errorDto.validationError([{ path: ['id'], message: 'Invalid UUID' }]));
    });

    it('should delete a tag', async () => {
@@ -108,14 +108,20 @@ describe('/admin/users', () => {
      expect(body).toEqual(errorDto.forbidden);
    });

-    for (const key of ['password', 'email', 'name', 'quotaSizeInBytes', 'shouldChangePassword', 'notify']) {
+    for (const [key, message] of [
+      ['password', 'Invalid input: expected string, received null'],
+      ['email', 'Invalid input: expected email, received object'],
+      ['name', 'Invalid input: expected string, received null'],
+      ['shouldChangePassword', 'Invalid input: expected boolean, received null'],
+      ['notify', 'Invalid input: expected boolean, received null'],
+    ] as const) {
      it(`should not allow null ${key}`, async () => {
        const { status, body } = await request(app)
          .post(`/admin/users`)
          .set('Authorization', `Bearer ${admin.accessToken}`)
          .send({ ...createUserDto.user1, [key]: null });
        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest());
+        expect(body).toEqual(errorDto.validationError([{ path: [key], message }]));
      });
    }

@@ -153,14 +159,19 @@ describe('/admin/users', () => {
      expect(body).toEqual(errorDto.forbidden);
    });

-    for (const key of ['password', 'email', 'name', 'shouldChangePassword']) {
+    for (const [key, message] of [
+      ['password', 'Invalid input: expected string, received null'],
+      ['email', 'Invalid input: expected email, received object'],
+      ['name', 'Invalid input: expected string, received null'],
+      ['shouldChangePassword', 'Invalid input: expected boolean, received null'],
+    ] as const) {
      it(`should not allow null ${key}`, async () => {
        const { status, body } = await request(app)
          .put(`/admin/users/${uuidDto.notFound}`)
          .set('Authorization', `Bearer ${admin.accessToken}`)
          .send({ [key]: null });
        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest());
+        expect(body).toEqual(errorDto.validationError([{ path: [key], message }]));
      });
    }

@@ -120,7 +120,7 @@ describe('/users', () => {
        .set('Authorization', `Bearer ${nonAdmin.accessToken}`);

      expect(status).toBe(400);
-      expect(body).toMatchObject(errorDto.badRequest('Email already in use by another account'));
+      expect(body).toMatchObject(errorDto.badRequest('Email is not available'));
    });

    it('should update my email', async () => {
@@ -179,7 +179,9 @@ describe('/users', () => {

      expect(status).toBe(400);
      expect(body).toEqual(
-        errorDto.badRequest(['[download.archiveSize] Invalid input: expected int, received number']),
+        errorDto.validationError([
+          { path: ['download', 'archiveSize'], message: 'Invalid input: expected int, received number' },
+        ]),
      );
    });

@@ -207,7 +209,9 @@ describe('/users', () => {

      expect(status).toBe(400);
      expect(body).toEqual(
-        errorDto.badRequest(['[download.includeEmbeddedVideos] Invalid input: expected boolean, received number']),
+        errorDto.validationError([
+          { path: ['download', 'includeEmbeddedVideos'], message: 'Invalid input: expected boolean, received number' },
+        ]),
      );
    });

@@ -1,7 +1,9 @@
 import { AssetMediaResponseDto, LoginResponseDto, SharedLinkType } from '@immich/sdk';
 import { expect, test } from '@playwright/test';
+import { readFile } from 'node:fs/promises';
+import { basename, join } from 'node:path';
 import type { Socket } from 'socket.io-client';
-import { utils } from 'src/utils';
+import { testAssetDir, utils } from 'src/utils';

 test.describe('Detail Panel', () => {
  let admin: LoginResponseDto;
@@ -83,4 +85,42 @@ test.describe('Detail Panel', () => {
    await utils.waitForWebsocketEvent({ event: 'assetUpdate', id: asset.id });
    await expect(textarea).toHaveValue('new description');
  });
+
+  test.describe('Date editor', () => {
+    test('displays inferred asset timezone', async ({ context, page }) => {
+      const test = {
+        filepath: 'metadata/dates/datetimeoriginal-gps.jpg',
+        expected: {
+          dateTime: '2025-12-01T11:30',
+          // Test with a timezone which is NOT the first among timezones with the same offset
+          // This is to check that the editor does not simply fall back to the first available timezone with that offset
+          // America/Denver (-07:00) is not the first among timezones with offset -07:00
+          timeZoneWithOffset: 'America/Denver (-07:00)',
+        },
+      };
+
+      const asset = await utils.createAsset(admin.accessToken, {
+        assetData: {
+          bytes: await readFile(join(testAssetDir, test.filepath)),
+          filename: basename(test.filepath),
+        },
+      });
+
+      await utils.waitForWebsocketEvent({ event: 'assetUpload', id: asset.id });
+
+      // asset viewer -> detail panel -> date editor
+      await utils.setAuthCookies(context, admin.accessToken);
+      await page.goto(`/photos/${asset.id}`);
+      await page.waitForSelector('#immich-asset-viewer');
+
+      await page.getByRole('button', { name: 'Info' }).click();
+      await page.getByTestId('detail-panel-edit-date-button').click();
+      await page.waitForSelector('[role="dialog"]');
+
+      const datetime = page.locator('#datetime');
+      await expect(datetime).toHaveValue(test.expected.dateTime);
+      const timezone = page.getByRole('combobox', { name: 'Timezone' });
+      await expect(timezone).toHaveValue(test.expected.timeZoneWithOffset);
+    });
+  });
 });
@@ -16,8 +16,8 @@ test.describe('Duplicates Utility', () => {

  test.beforeEach(async ({ context }) => {
    [firstAsset, secondAsset] = await Promise.all([
-      utils.createAsset(admin.accessToken, { deviceAssetId: 'duplicate-a' }),
-      utils.createAsset(admin.accessToken, { deviceAssetId: 'duplicate-b' }),
+      utils.createAsset(admin.accessToken, {}),
+      utils.createAsset(admin.accessToken, {}),
    ]);

    await updateAssets(
@@ -32,8 +32,12 @@ export function generateThumbhash(rng: SeededRandom): string {
  return Array.from({ length: 10 }, () => rng.nextInt(0, 256).toString(16).padStart(2, '0')).join('');
 }

-export function generateDuration(rng: SeededRandom): string {
-  return `${rng.nextInt(GENERATION_CONSTANTS.MIN_VIDEO_DURATION_SECONDS, GENERATION_CONSTANTS.MAX_VIDEO_DURATION_SECONDS)}.${rng.nextInt(0, 1000).toString().padStart(3, '0')}`;
+export function generateDuration(rng: SeededRandom): number {
+  return (
+    rng.nextInt(GENERATION_CONSTANTS.MIN_VIDEO_DURATION_SECONDS, GENERATION_CONSTANTS.MAX_VIDEO_DURATION_SECONDS) *
+      1000 +
+    rng.nextInt(0, 1000)
+  );
 }

 export function generateUUID(): string {
@@ -3,6 +3,7 @@
 */

 import {
+  AlbumUserRole,
  AssetTypeEnum,
  AssetVisibility,
  UserAvatarColor,
@@ -315,11 +316,9 @@ export function toAssetResponseDto(asset: MockTimelineAsset, owner?: UserRespons

  return {
    id: asset.id,
-    deviceAssetId: `device-${asset.id}`,
    ownerId: asset.ownerId,
    owner: owner || defaultOwner,
    libraryId: `library-${asset.ownerId}`,
-    deviceId: `device-${asset.ownerId}`,
    type: asset.isVideo ? AssetTypeEnum.Video : AssetTypeEnum.Image,
    originalPath: `/original/${asset.id}.${asset.isVideo ? 'mp4' : 'jpg'}`,
    originalFileName: `${asset.id}.${asset.isVideo ? 'mp4' : 'jpg'}`,
@@ -334,7 +333,7 @@ export function toAssetResponseDto(asset: MockTimelineAsset, owner?: UserRespons
    isArchived: false,
    isTrashed: asset.isTrashed,
    visibility: asset.visibility,
-    duration: asset.duration || '0:00:00.00000',
+    duration: asset.duration,
    exifInfo,
    livePhotoVideoId: asset.livePhotoVideoId,
    tags: [],
@@ -422,14 +421,11 @@ export function getAlbum(
    albumThumbnailAssetId: album.thumbnailAssetId,
    createdAt: album.createdAt,
    updatedAt: album.updatedAt,
-    ownerId: albumOwner.id,
-    owner: albumOwner,
-    albumUsers: [], // Empty array for non-shared album
+    albumUsers: [{ user: albumOwner, role: AlbumUserRole.Owner }],
    shared: false,
    hasSharedLink: false,
    isActivityEnabled: true,
    assetCount: albumAssets.length,
-    assets: albumAssets,
    startDate: albumAssets.length > 0 ? albumAssets.at(-1)?.fileCreatedAt : undefined,
    endDate: albumAssets.length > 0 ? albumAssets[0].fileCreatedAt : undefined,
    lastModifiedAssetTimestamp: albumAssets.length > 0 ? albumAssets[0].fileCreatedAt : undefined,
@@ -43,7 +43,7 @@ export type MockTimelineAsset = {
  isTrashed: boolean;
  isVideo: boolean;
  isImage: boolean;
-  duration: string | null;
+  duration: number | null;
  projectionType: string | null;
  livePhotoVideoId: string | null;
  city: string | null;
@@ -223,6 +223,7 @@ export const setupBaseMockApiRoutes = async (context: BrowserContext, adminUserI
          '.jp2',
          '.jpe',
          '.jxl',
+          '.mpo',
          '.svg',
          '.tif',
          '.tiff',
@@ -239,7 +240,8 @@ export const setupBaseMockApiRoutes = async (context: BrowserContext, adminUserI
    });
  });
  await context.route('**/api/albums*', async (route, request) => {
-    if (request.url().endsWith('albums?shared=true') || request.url().endsWith('albums')) {
+    const url = request.url();
+    if (url.endsWith('albums?isShared=true') || url.endsWith('albums?isOwned=true') || url.endsWith('albums')) {
      return route.fulfill({
        status: 200,
        contentType: 'application/json',
@@ -16,7 +16,6 @@ export const createMockStackAsset = (ownerId: string): AssetResponseDto => {
  const now = new Date().toISOString();
  return {
    id: assetId,
-    deviceAssetId: `device-${assetId}`,
    ownerId,
    owner: {
      id: ownerId,
@@ -27,7 +26,6 @@ export const createMockStackAsset = (ownerId: string): AssetResponseDto => {
      avatarColor: 'blue' as never,
    },
    libraryId: `library-${ownerId}`,
-    deviceId: `device-${ownerId}`,
    type: AssetTypeEnum.Image,
    originalPath: `/original/${assetId}.jpg`,
    originalFileName: `${assetId}.jpg`,
@@ -42,7 +40,7 @@ export const createMockStackAsset = (ownerId: string): AssetResponseDto => {
    isArchived: false,
    isTrashed: false,
    visibility: AssetVisibility.Timeline,
-    duration: '0:00:00.00000',
+    duration: null,
    exifInfo: {
      make: null,
      model: null,
@@ -304,7 +304,7 @@ test.describe('Timeline', () => {
      await page.keyboard.down('Shift');
      await thumbnailUtils.withAssetId(page, assets[2].id).hover();
      await expect(
-        thumbnailUtils.locator(page).locator('.absolute.top-0.h-full.w-full.bg-immich-primary.opacity-40'),
+        thumbnailUtils.locator(page).locator('.absolute.top-0.size-full.bg-immich-primary.opacity-40'),
      ).toHaveCount(3);
      await thumbnailUtils.selectButton(page, assets[2].id).click();
      await page.keyboard.up('Shift');
@@ -349,7 +349,7 @@ test.describe('Timeline', () => {
        expect(visibleMockAssetsYearMonths).toContain(month);
      }
    });
-    test('Deep link to last photo, scroll up', async ({ page }) => {
+    test.skip('Deep link to last photo, scroll up', async ({ page }) => {
      const lastAsset = assets.at(-1)!;
      await pageUtils.deepLinkPhotosPage(page, lastAsset.id);

@@ -361,7 +361,7 @@ test.describe('Timeline', () => {

      await thumbnailUtils.expectInViewport(page, '14e5901f-fd7f-40c0-b186-4d7e7fc67968');
    });
-    test('Deep link to first bucket, scroll down', async ({ page }) => {
+    test.skip('Deep link to first bucket, scroll down', async ({ page }) => {
      const lastAsset = assets.at(0)!;
      await pageUtils.deepLinkPhotosPage(page, lastAsset.id);
      await timelineUtils.locator(page).hover();
@@ -440,7 +440,7 @@ test.describe('Timeline', () => {
      await thumbnailUtils.expectInViewport(page, asset.id);
      await thumbnailUtils.expectSelectedDisabled(page, asset.id);
    });
-    test('Add photos to album', async ({ page }) => {
+    test.skip('Add photos to album', async ({ page }) => {
      const album = timelineRestData.album;
      await pageUtils.openAlbumPage(page, album.id);
      await page.locator('nav button[aria-label="Add photos"]').click();
@@ -752,7 +752,7 @@ test.describe('Timeline', () => {
      await page.getByText('Photos', { exact: true }).click();
      await thumbnailUtils.expectInViewport(page, assetToFavorite.id);
    });
-    test('open /favorites, archive photo, unarchive photo', async ({ page }) => {
+    test.skip('open /favorites, archive photo, unarchive photo', async ({ page }) => {
      await pageUtils.openFavorites(page);
      const assetToArchive = getAsset(timelineRestData, 'ad31e29f-2069-4574-b9a9-ad86523c92cb')!;
      await thumbnailUtils.withAssetId(page, assetToArchive.id).hover();
@@ -3,7 +3,6 @@ import {
  AssetMediaResponseDto,
  AssetResponseDto,
  AssetVisibility,
-  CheckExistingAssetsDto,
  CreateAlbumDto,
  CreateLibraryDto,
  JobCreateDto,
@@ -20,7 +19,6 @@ import {
  UserAdminCreateDto,
  UserPreferencesUpdateDto,
  ValidateLibraryDto,
-  checkExistingAssets,
  createAlbum,
  createApiKey,
  createJob,
@@ -343,8 +341,6 @@ export const utils = {
    },
  ) => {
    const _dto = {
-      deviceAssetId: 'test-1',
-      deviceId: 'test',
      fileCreatedAt: new Date().toISOString(),
      fileModifiedAt: new Date().toISOString(),
      ...dto,
@@ -416,9 +412,6 @@ export const utils = {

  getAssetInfo: (accessToken: string, id: string) => getAssetInfo({ id }, { headers: asBearerAuth(accessToken) }),

-  checkExistingAssets: (accessToken: string, checkExistingAssetsDto: CheckExistingAssetsDto) =>
-    checkExistingAssets({ checkExistingAssetsDto }, { headers: asBearerAuth(accessToken) }),
-
  searchAssets: async (accessToken: string, dto: MetadataSearchDto) => {
    return searchAssets({ metadataSearchDto: dto }, { headers: asBearerAuth(accessToken) });
  },
@@ -267,6 +267,8 @@
    "notification_enable_email_notifications": "Enable email notifications",
    "notification_settings": "Notification Settings",
    "notification_settings_description": "Manage notification settings, including email",
+    "oauth_allow_insecure_requests": "Allow insecure requests",
+    "oauth_allow_insecure_requests_description": "WARNING: This disables TLS certificate validation for OAuth requests and may expose you to MITM attacks.",
    "oauth_auto_launch": "Auto launch",
    "oauth_auto_launch_description": "Start the OAuth login flow automatically upon navigating to the login page",
    "oauth_auto_register": "Auto register",
@@ -274,9 +276,11 @@
    "oauth_button_text": "Button text",
    "oauth_client_secret_description": "Required for confidential client, or if PKCE (Proof Key for Code Exchange) is not supported for public client.",
    "oauth_enable_description": "Login with OAuth",
+    "oauth_end_session_url_description": "Redirect the user to this URI when they log out.",
    "oauth_mobile_redirect_uri": "Mobile redirect URI",
    "oauth_mobile_redirect_uri_override": "Mobile redirect URI override",
    "oauth_mobile_redirect_uri_override_description": "Enable when OAuth provider does not allow a mobile URI, like ''{callback}''",
+    "oauth_prompt_description": "Prompt parameter (e.g. select_account, login, consent)",
    "oauth_role_claim": "Role Claim",
    "oauth_role_claim_description": "Automatically grant admin access based on the presence of this claim. The claim may have either 'user' or 'admin'.",
    "oauth_settings": "OAuth",
@@ -1236,6 +1240,7 @@
  "free_up_space_description": "Move backed-up photos and videos to your device's trash to free up space. Your copies on the server remain safe.",
  "free_up_space_settings_subtitle": "Free up device storage",
  "full_path": "Full path: {path}",
+  "full_path_or_folder": "Full path or folder",
  "gcast_enabled": "Google Cast",
  "gcast_enabled_description": "This feature loads external resources from Google in order to work.",
  "general": "General",
@@ -1519,6 +1524,38 @@
  "marked_all_as_read": "Marked all as read",
  "matches": "Matches",
  "matching_assets": "Matching Assets",
+  "media_chrome": {
+    "auto": "Auto",
+    "captions": "Captions",
+    "captions_off": "Off",
+    "closed_captions": "closed captions",
+    "decode_error": "Decode error",
+    "disable_captions": "Disable captions",
+    "enable_captions": "Enable captions",
+    "enter_fullscreen_mode": "Enter fullscreen mode",
+    "exit_fullscreen_mode": "Exit fullscreen mode",
+    "loop": "Loop",
+    "media_error_description": "A media error caused playback to be aborted. The media could be corrupt or your browser does not support this format.",
+    "media_loading": "media loading",
+    "mute": "Mute",
+    "network_error": "Network error",
+    "network_error_description": "A network error caused the media download to fail.",
+    "not_supported_error": "Source Not Supported",
+    "playback_rate": "Playback rate",
+    "playback_rate_current": "current playback rate",
+    "playback_rate_value": "Playback rate {playbackRate}",
+    "playback_time": "playback time",
+    "quality": "Quality",
+    "second": "second",
+    "seconds": "seconds",
+    "time_value_of_total_time": "{currentTime} of {totalTime}",
+    "time_value_remaining": "{time} remaining",
+    "unmute": "Unmute",
+    "unsupported_error_description": "An unsupported error occurred. The server or network failed, or your browser does not support this format.",
+    "video_not_loaded_unknown_time": "video not loaded, unknown time.",
+    "video_player": "video player",
+    "volume": "volume"
+  },
  "media_type": "Media type",
  "memories": "Memories",
  "memories_all_caught_up": "All caught up",
@@ -1938,6 +1975,8 @@
  "search_by_description_example": "Hiking day in Sapa",
  "search_by_filename": "Search by file name or extension",
  "search_by_filename_example": "i.e. IMG_1234.JPG or PNG",
+  "search_by_full_path": "Search by full path or folder",
+  "search_by_full_path_example": "/John/Projects/3D_Printing/2026-07-01 - you can search for Projects, 3D, Printing, 2026 etc.",
  "search_by_ocr": "Search by OCR",
  "search_by_ocr_example": "Latte",
  "search_camera_lens_model": "Search lens model...",
@@ -2153,6 +2192,7 @@
  "show_schema": "Show schema",
  "show_search_options": "Show search options",
  "show_shared_links": "Show shared links",
+  "show_slideshow_metadata_overlay": "Show image info overlay",
  "show_slideshow_transition": "Show slideshow transition",
  "show_supporter_badge": "Supporter badge",
  "show_supporter_badge_description": "Show a supporter badge",
@@ -2168,6 +2208,9 @@
  "skip_to_folders": "Skip to folders",
  "skip_to_tags": "Skip to tags",
  "slideshow": "Slideshow",
+  "slideshow_metadata_overlay_mode": "Overlay content",
+  "slideshow_metadata_overlay_mode_description_only": "Description only",
+  "slideshow_metadata_overlay_mode_full": "Full",
  "slideshow_repeat": "Repeat slideshow",
  "slideshow_repeat_description": "Loop back to beginning when slideshow ends",
  "slideshow_settings": "Slideshow settings",
@@ -2432,6 +2475,7 @@
  "workflows": "Workflows",
  "workflows_help_text": "Workflows automate actions on your assets based on triggers and filters",
  "wrong_pin_code": "Wrong PIN code",
+  "x_of_total": "{x}/{total}",
  "year": "Year",
  "years_ago": "{years, plural, one {# year} other {# years}} ago",
  "yes": "Yes",
@@ -1,8 +1,8 @@
 ARG DEVICE=cpu

-FROM python:3.11-bookworm@sha256:aa23850b91cb4c7faedac8ca9aa74ddc6eb03529a519145a589a7f35df4c5927 AS builder-cpu
+FROM python:3.11-bookworm@sha256:970c99f886b839fc8829289040c1845dadaf2cae46b37acc7710333158ec29b4 AS builder-cpu

-FROM python:3.13-slim-trixie@sha256:3de9a8d7aedbb7984dc18f2dff178a7850f16c1ae7c34ba9d7ecc23d0755e35f AS builder-openvino
+FROM python:3.13-slim-trixie@sha256:d168b8d9eb761f4d3fe305ebd04aeb7e7f2de0297cec5fb2f8f6403244621664 AS builder-openvino

 FROM builder-cpu AS builder-cuda

@@ -39,23 +39,23 @@ RUN --mount=type=cache,target=/root/.cache/uv \
    --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
    uv sync --frozen --extra ${DEVICE} --no-dev --no-editable --no-install-project --compile-bytecode --no-progress --active --link-mode copy

-FROM python:3.11-slim-bookworm@sha256:04cd27899595a99dfe77709d96f08876bf2ee99139ee2f0fe9ac948005034e5b AS prod-cpu
+FROM python:3.11-slim-bookworm@sha256:9c6f90801e6b68e772b7c0ca74260cbf7af9f320acec894e26fccdaccfbe3b47 AS prod-cpu

 ENV LD_PRELOAD=/usr/lib/libmimalloc.so.2 \
    MACHINE_LEARNING_MODEL_ARENA=false

-FROM python:3.13-slim-trixie@sha256:3de9a8d7aedbb7984dc18f2dff178a7850f16c1ae7c34ba9d7ecc23d0755e35f AS prod-openvino
+FROM python:3.13-slim-trixie@sha256:d168b8d9eb761f4d3fe305ebd04aeb7e7f2de0297cec5fb2f8f6403244621664 AS prod-openvino

 RUN apt-get update && \
    apt-get install --no-install-recommends -yqq ocl-icd-libopencl1 wget && \
-    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.28.4/intel-igc-core-2_2.28.4+20760_amd64.deb && \
-    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.28.4/intel-igc-opencl-2_2.28.4+20760_amd64.deb && \
-    wget -nv https://github.com/intel/compute-runtime/releases/download/26.05.37020.3/intel-opencl-icd_26.05.37020.3-0_amd64.deb &&  \
+    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.32.7/intel-igc-core-2_2.32.7+21184_amd64.deb && \
+    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/v2.32.7/intel-igc-opencl-2_2.32.7+21184_amd64.deb && \
+    wget -nv https://github.com/intel/compute-runtime/releases/download/26.14.37833.4/intel-opencl-icd_26.14.37833.4-0_amd64.deb &&  \
    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/igc-1.0.17537.24/intel-igc-core_1.0.17537.24_amd64.deb && \
    wget -nv https://github.com/intel/intel-graphics-compiler/releases/download/igc-1.0.17537.24/intel-igc-opencl_1.0.17537.24_amd64.deb && \
    wget -nv https://github.com/intel/compute-runtime/releases/download/24.35.30872.36/intel-opencl-icd-legacy1_24.35.30872.36_amd64.deb && \
    # TODO: Figure out how to get renovate to manage this differently versioned libigdgmm file
-    wget -nv https://github.com/intel/compute-runtime/releases/download/26.05.37020.3/libigdgmm12_22.9.0_amd64.deb && \
+    wget -nv https://github.com/intel/compute-runtime/releases/download/26.14.37833.4/libigdgmm12_22.9.0_amd64.deb && \
    dpkg -i *.deb && \
    rm *.deb && \
    apt-get remove wget -yqq && \
@@ -68,7 +68,7 @@ ENV LD_PRELOAD=/usr/lib/libmimalloc.so.2 \

 RUN apt-get update && \
    # Pascal support was dropped in 9.11
-    apt-get install --no-install-recommends -yqq libcudnn9-cuda-12=9.10.2.21-1 && \
+    apt-get install --no-install-recommends -yqq libcudnn9-cuda-12=9.10.2.21-1 tzdata && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

@@ -112,7 +112,7 @@ ARG RKNN_TOOLKIT_VERSION="v2.3.0"
 ENV LD_PRELOAD=/usr/lib/libmimalloc.so.2 \
    MACHINE_LEARNING_MODEL_ARENA=false

-ADD --checksum=sha256:73993ed4b440460825f21611731564503cc1d5a0c123746477da6cd574f34885 "https://github.com/airockchip/rknn-toolkit2/raw/refs/tags/${RKNN_TOOLKIT_VERSION}/rknpu2/runtime/Linux/librknn_api/aarch64/librknnrt.so" /usr/lib/
+ADD --chmod=644 --checksum=sha256:73993ed4b440460825f21611731564503cc1d5a0c123746477da6cd574f34885 "https://github.com/airockchip/rknn-toolkit2/raw/refs/tags/${RKNN_TOOLKIT_VERSION}/rknpu2/runtime/Linux/librknn_api/aarch64/librknnrt.so" /usr/lib/

 FROM prod-${DEVICE} AS prod

@@ -32,25 +32,12 @@ class OcrSettings(BaseModel):


 class PreloadModelData(BaseModel):
-    clip_fallback: str | None = os.getenv("MACHINE_LEARNING_PRELOAD__CLIP", None)
-    facial_recognition_fallback: str | None = os.getenv("MACHINE_LEARNING_PRELOAD__FACIAL_RECOGNITION", None)
-    if clip_fallback is not None:
-        os.environ["MACHINE_LEARNING_PRELOAD__CLIP__TEXTUAL"] = clip_fallback
-        os.environ["MACHINE_LEARNING_PRELOAD__CLIP__VISUAL"] = clip_fallback
-        del os.environ["MACHINE_LEARNING_PRELOAD__CLIP"]
-    if facial_recognition_fallback is not None:
-        os.environ["MACHINE_LEARNING_PRELOAD__FACIAL_RECOGNITION__RECOGNITION"] = facial_recognition_fallback
-        os.environ["MACHINE_LEARNING_PRELOAD__FACIAL_RECOGNITION__DETECTION"] = facial_recognition_fallback
-        del os.environ["MACHINE_LEARNING_PRELOAD__FACIAL_RECOGNITION"]
    clip: ClipSettings = ClipSettings()
    facial_recognition: FacialRecognitionSettings = FacialRecognitionSettings()
    ocr: OcrSettings = OcrSettings()


 class MaxBatchSize(BaseModel):
-    ocr_fallback: str | None = os.getenv("MACHINE_LEARNING_MAX_BATCH_SIZE__TEXT_RECOGNITION", None)
-    if ocr_fallback is not None:
-        os.environ["MACHINE_LEARNING_MAX_BATCH_SIZE__OCR"] = ocr_fallback
    facial_recognition: int | None = None
    ocr: int | None = None

@@ -117,20 +117,6 @@ async def preload_models(preload: PreloadModelData) -> None:
            ModelTask.OCR,
        )

-    if preload.clip_fallback is not None:
-        log.warning(
-            "Deprecated env variable: 'MACHINE_LEARNING_PRELOAD__CLIP'. "
-            "Use 'MACHINE_LEARNING_PRELOAD__CLIP__TEXTUAL' and "
-            "'MACHINE_LEARNING_PRELOAD__CLIP__VISUAL' instead."
-        )
-
-    if preload.facial_recognition_fallback is not None:
-        log.warning(
-            "Deprecated env variable: 'MACHINE_LEARNING_PRELOAD__FACIAL_RECOGNITION'. "
-            "Use 'MACHINE_LEARNING_PRELOAD__FACIAL_RECOGNITION__DETECTION' and "
-            "'MACHINE_LEARNING_PRELOAD__FACIAL_RECOGNITION__RECOGNITION' instead."
-        )
-

 def update_state() -> Iterator[None]:
    global active_requests, last_called
@@ -183,7 +169,10 @@ async def predict(
    text: str | None = Form(default=None),
 ) -> Any:
    if image is not None:
-        inputs: Image | str = await run(lambda: decode_pil(image))
+        decoded = await run(lambda: decode_pil(image))
+        if decoded.width == 0 or decoded.height == 0:
+            raise HTTPException(400, "Image has zero width or height")
+        inputs: Image | str = decoded
    elif text is not None:
        inputs = text
    else:
@@ -0,0 +1,36 @@
+[tools]
+python = "3.11"
+uv = "0.8.15"
+
+[tasks.install]
+run = "uv sync --locked"
+
+[tasks.lint]
+run = "uv run ruff check immich_ml"
+
+[tasks.test]
+run = "uv run pytest --cov=immich_ml --cov-report term-missing"
+
+[tasks.format]
+run = "uv run ruff format immich_ml"
+
+[tasks.check]
+run = "uv run mypy --strict immich_ml/"
+
+[tasks.ci-unit]
+run = [
+  { task = ":install --extra cpu" },
+  { task = ":format" },
+  { task = ":lint --output-format=github" },
+  { task = ":check" },
+  { task = ":test" },
+]
+
+[tasks.checklist]
+run = [
+  { task = ":install" },
+  { task = ":format" },
+  { task = ":lint" },
+  { task = ":check" },
+  { task = ":test" },
+]
@@ -9,12 +9,12 @@ dependencies = [
    "aiocache>=0.12.1,<1.0",
    "fastapi>=0.95.2,<1.0",
    "gunicorn>=21.1.0",
-    "huggingface-hub>=0.20.1,<1.0",
+    "huggingface-hub>=1.0,<2.0",
    "insightface>=0.7.3,<1.0",
-    "numpy<2.4.0",
+    "numpy>=2.4.0,<3.0",
    "opencv-python-headless>=4.7.0.72,<5.0",
    "orjson>=3.9.5",
-    "pillow>=12.1.1,<12.2",
+    "pillow>=12.2,<13",
    "pydantic>=2.0.0,<3",
    "pydantic-settings>=2.5.2,<3",
    "python-multipart>=0.0.6,<1.0",
@@ -1198,6 +1198,19 @@ class TestLoad:
        mock_model.model_format = ModelFormat.ONNX


+@pytest.mark.parametrize("size", [(0, 100), (100, 0), (0, 0)])
+def test_predict_rejects_empty_image(size: tuple[int, int], deployed_app: TestClient) -> None:
+    with mock.patch("immich_ml.main.decode_pil", return_value=Image.new("RGB", size)):
+        response = deployed_app.post(
+            "http://localhost:3003/predict",
+            data={"entries": json.dumps({"clip": {"visual": {"modelName": "ViT-B-32__openai"}}})},
+            files={"image": b"fake image bytes"},
+        )
+
+    assert response.status_code == 400
+    assert "zero" in response.json()["detail"].lower()
+
+
 def test_root_endpoint(deployed_app: TestClient) -> None:
    response = deployed_app.get("http://localhost:3003")

@@ -11,21 +11,31 @@ config_roots = [
  "web",
  "docs",
  ".github",
+  "machine-learning",
 ]

 [tools]
-node = "24.14.1"
-flutter = "3.35.7"
-pnpm = "10.33.0"
-terragrunt = "0.99.5"
-opentofu = "1.11.5"
+node = "24.15.0"
+flutter = "3.41.9"
+pnpm = "10.33.1"
+terragrunt = "1.0.3"
+opentofu = "1.11.6"
 java = "21.0.2"

 [tools."github:CQLabs/homebrew-dcm"]
-version = "1.35.1"
+version = "1.37.0"
 bin = "dcm"
 postinstall = "chmod +x $MISE_TOOL_INSTALL_PATH/dcm"

+[tools."github:jellyfin/jellyfin-ffmpeg"]
+version = "7.1.3-6"
+
+[tools."github:jellyfin/jellyfin-ffmpeg".platforms]
+linux-x64 = { asset_pattern = "jellyfin-ffmpeg_*_portable_linux64-gpl.tar.xz" }
+linux-arm64 = { asset_pattern = "jellyfin-ffmpeg_*_portable_linuxarm64-gpl.tar.xz" }
+macos-x64 = { asset_pattern = "jellyfin-ffmpeg_*_portable_mac64-gpl.tar.xz" }
+macos-arm64 = { asset_pattern = "jellyfin-ffmpeg_*_portable_macarm64-gpl.tar.xz" }
+
 [settings]
 experimental = true
 pin = true
@@ -1,859 +0,0 @@
-# This file is automatically @generated by Cargo.
-# It is not intended for manual editing.
-version = 3
-
-[[package]]
-name = "aho-corasick"
-version = "1.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e60d3430d3a69478ad0993f19238d2df97c507009a52b3c10addcd7f6bcb916"
-dependencies = [
- "memchr",
-]
-
-[[package]]
-name = "autocfg"
-version = "1.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0"
-
-[[package]]
-name = "bindgen"
-version = "0.63.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "36d860121800b2a9a94f9b5604b332d5cffb234ce17609ea479d723dbc9d3885"
-dependencies = [
- "bitflags 1.3.2",
- "cexpr",
- "clang-sys",
- "lazy_static",
- "lazycell",
- "peeking_take_while",
- "proc-macro2",
- "quote",
- "regex",
- "rustc-hash",
- "shlex",
- "syn 1.0.109",
-]
-
-[[package]]
-name = "bitflags"
-version = "1.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
-
-[[package]]
-name = "bitflags"
-version = "2.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de"
-
-[[package]]
-name = "block"
-version = "0.1.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d8c1fef690941d3e7788d328517591fecc684c084084702d6ff1641e993699a"
-
-[[package]]
-name = "byteorder"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
-
-[[package]]
-name = "bytes"
-version = "1.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8318a53db07bb3f8dca91a600466bdb3f2eaadeedfdbcf02e1accbad9271ba50"
-
-[[package]]
-name = "cc"
-version = "1.1.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d74707dde2ba56f86ae90effb3b43ddd369504387e718014de010cec7959800"
-dependencies = [
- "shlex",
-]
-
-[[package]]
-name = "cesu8"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6d43a04d8753f35258c91f8ec639f792891f748a1edbd759cf1dcea3382ad83c"
-
-[[package]]
-name = "cexpr"
-version = "0.6.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
-dependencies = [
- "nom",
-]
-
-[[package]]
-name = "cfg-if"
-version = "1.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
-
-[[package]]
-name = "clang-sys"
-version = "1.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4"
-dependencies = [
- "glob",
- "libc",
- "libloading",
-]
-
-[[package]]
-name = "cmake"
-version = "0.1.51"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fb1e43aa7fd152b1f968787f7dbcdeb306d1867ff373c69955211876c053f91a"
-dependencies = [
- "cc",
-]
-
-[[package]]
-name = "combine"
-version = "4.6.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba5a308b75df32fe02788e748662718f03fde005016435c444eea572398219fd"
-dependencies = [
- "bytes",
- "memchr",
-]
-
-[[package]]
-name = "crossbeam-channel"
-version = "0.5.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "33480d6946193aa8033910124896ca395333cae7e2d1113d1fef6c3272217df2"
-dependencies = [
- "crossbeam-utils",
-]
-
-[[package]]
-name = "crossbeam-utils"
-version = "0.8.20"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80"
-
-[[package]]
-name = "dirs"
-version = "4.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ca3aa72a6f96ea37bbc5aa912f6788242832f75369bdfdadcb0e38423f100059"
-dependencies = [
- "dirs-sys",
-]
-
-[[package]]
-name = "dirs-sys"
-version = "0.3.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b1d1d91c932ef41c0f2663aa8b0ca0342d444d842c06914aa0a7e352d0bada6"
-dependencies = [
- "libc",
- "redox_users",
- "winapi",
-]
-
-[[package]]
-name = "doc-comment"
-version = "0.3.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fea41bba32d969b513997752735605054bc0dfa92b4c56bf1189f2e174be7a10"
-
-[[package]]
-name = "either"
-version = "1.13.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0"
-
-[[package]]
-name = "enum_dispatch"
-version = "0.3.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "aa18ce2bc66555b3218614519ac839ddb759a7d6720732f979ef8d13be147ecd"
-dependencies = [
- "once_cell",
- "proc-macro2",
- "quote",
- "syn 2.0.77",
-]
-
-[[package]]
-name = "float_next_after"
-version = "0.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4fc612c5837986b7104a87a0df74a5460931f1c5274be12f8d0f40aa2f30d632"
-dependencies = [
- "num-traits",
-]
-
-[[package]]
-name = "getrandom"
-version = "0.2.15"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
-dependencies = [
- "cfg-if",
- "libc",
- "wasi",
-]
-
-[[package]]
-name = "glob"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b"
-
-[[package]]
-name = "heck"
-version = "0.4.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8"
-
-[[package]]
-name = "hermit-abi"
-version = "0.3.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d231dfb89cfffdbc30e7fc41579ed6066ad03abda9e567ccafae602b97ec5024"
-
-[[package]]
-name = "intmap"
-version = "2.0.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ee87fd093563344074bacf24faa0bb0227fb6969fb223e922db798516de924d6"
-
-[[package]]
-name = "isar"
-version = "0.0.0"
-dependencies = [
- "dirs",
- "intmap",
- "isar-core",
- "itertools",
- "jni",
- "ndk-context",
- "objc",
- "objc-foundation",
- "once_cell",
- "paste",
- "serde_json",
- "threadpool",
- "unicode-segmentation",
-]
-
-[[package]]
-name = "isar-core"
-version = "0.0.0"
-dependencies = [
- "byteorder",
- "cfg-if",
- "crossbeam-channel",
- "enum_dispatch",
- "float_next_after",
- "intmap",
- "itertools",
- "libc",
- "mdbx-sys",
- "once_cell",
- "paste",
- "rand",
- "serde",
- "serde_json",
- "snafu",
- "widestring",
- "xxhash-rust",
-]
-
-[[package]]
-name = "itertools"
-version = "0.10.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b0fd2260e829bddf4cb6ea802289de2f86d6a7a690192fbe91b3f46e0f2c8473"
-dependencies = [
- "either",
-]
-
-[[package]]
-name = "itoa"
-version = "1.0.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b"
-
-[[package]]
-name = "jni"
-version = "0.20.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "039022cdf4d7b1cf548d31f60ae783138e5fd42013f6271049d7df7afadef96c"
-dependencies = [
- "cesu8",
- "combine",
- "jni-sys",
- "log",
- "thiserror",
- "walkdir",
-]
-
-[[package]]
-name = "jni-sys"
-version = "0.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8eaf4bc02d17cbdd7ff4c7438cafcdf7fb9a4613313ad11b4f8fefe7d3fa0130"
-
-[[package]]
-name = "lazy_static"
-version = "1.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
-
-[[package]]
-name = "lazycell"
-version = "1.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "830d08ce1d1d941e6b30645f1a0eb5643013d835ce3779a5fc208261dbe10f55"
-
-[[package]]
-name = "libc"
-version = "0.2.158"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439"
-
-[[package]]
-name = "libloading"
-version = "0.8.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4"
-dependencies = [
- "cfg-if",
- "windows-targets",
-]
-
-[[package]]
-name = "libredox"
-version = "0.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
-dependencies = [
- "bitflags 2.6.0",
- "libc",
-]
-
-[[package]]
-name = "log"
-version = "0.4.22"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
-
-[[package]]
-name = "malloc_buf"
-version = "0.0.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62bb907fe88d54d8d9ce32a3cceab4218ed2f6b7d35617cafe9adf84e43919cb"
-dependencies = [
- "libc",
-]
-
-[[package]]
-name = "mdbx-sys"
-version = "0.0.0"
-dependencies = [
- "bindgen",
- "cc",
- "cmake",
- "libc",
-]
-
-[[package]]
-name = "memchr"
-version = "2.7.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
-
-[[package]]
-name = "minimal-lexical"
-version = "0.2.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
-
-[[package]]
-name = "ndk-context"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "27b02d87554356db9e9a873add8782d4ea6e3e58ea071a9adb9a2e8ddb884a8b"
-
-[[package]]
-name = "nom"
-version = "7.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
-dependencies = [
- "memchr",
- "minimal-lexical",
-]
-
-[[package]]
-name = "num-traits"
-version = "0.2.19"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841"
-dependencies = [
- "autocfg",
-]
-
-[[package]]
-name = "num_cpus"
-version = "1.16.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4161fcb6d602d4d2081af7c3a45852d875a03dd337a6bfdd6e06407b61342a43"
-dependencies = [
- "hermit-abi",
- "libc",
-]
-
-[[package]]
-name = "objc"
-version = "0.2.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "915b1b472bc21c53464d6c8461c9d3af805ba1ef837e1cac254428f4a77177b1"
-dependencies = [
- "malloc_buf",
-]
-
-[[package]]
-name = "objc-foundation"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1add1b659e36c9607c7aab864a76c7a4c2760cd0cd2e120f3fb8b952c7e22bf9"
-dependencies = [
- "block",
- "objc",
- "objc_id",
-]
-
-[[package]]
-name = "objc_id"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c92d4ddb4bd7b50d730c215ff871754d0da6b2178849f8a2a2ab69712d0c073b"
-dependencies = [
- "objc",
-]
-
-[[package]]
-name = "once_cell"
-version = "1.20.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "33ea5043e58958ee56f3e15a90aee535795cd7dfd319846288d93c5b57d85cbe"
-
-[[package]]
-name = "paste"
-version = "1.0.15"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "57c0d7b74b563b49d38dae00a0c37d4d6de9b432382b2892f0574ddcae73fd0a"
-
-[[package]]
-name = "peeking_take_while"
-version = "0.1.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "19b17cddbe7ec3f8bc800887bab5e717348c95ea2ca0b1bf0837fb964dc67099"
-
-[[package]]
-name = "ppv-lite86"
-version = "0.2.20"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "77957b295656769bb8ad2b6a6b09d897d94f05c41b069aede1fcdaa675eaea04"
-dependencies = [
- "zerocopy",
-]
-
-[[package]]
-name = "proc-macro2"
-version = "1.0.86"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77"
-dependencies = [
- "unicode-ident",
-]
-
-[[package]]
-name = "quote"
-version = "1.0.37"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af"
-dependencies = [
- "proc-macro2",
-]
-
-[[package]]
-name = "rand"
-version = "0.8.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
-dependencies = [
- "libc",
- "rand_chacha",
- "rand_core",
-]
-
-[[package]]
-name = "rand_chacha"
-version = "0.3.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
-dependencies = [
- "ppv-lite86",
- "rand_core",
-]
-
-[[package]]
-name = "rand_core"
-version = "0.6.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
-dependencies = [
- "getrandom",
-]
-
-[[package]]
-name = "redox_users"
-version = "0.4.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ba009ff324d1fc1b900bd1fdb31564febe58a8ccc8a6fdbb93b543d33b13ca43"
-dependencies = [
- "getrandom",
- "libredox",
- "thiserror",
-]
-
-[[package]]
-name = "regex"
-version = "1.10.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4219d74c6b67a3654a9fbebc4b419e22126d13d2f3c4a07ee0cb61ff79a79619"
-dependencies = [
- "aho-corasick",
- "memchr",
- "regex-automata",
- "regex-syntax",
-]
-
-[[package]]
-name = "regex-automata"
-version = "0.4.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "38caf58cc5ef2fed281f89292ef23f6365465ed9a41b7a7754eb4e26496c92df"
-dependencies = [
- "aho-corasick",
- "memchr",
- "regex-syntax",
-]
-
-[[package]]
-name = "regex-syntax"
-version = "0.8.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a66a03ae7c801facd77a29370b4faec201768915ac14a721ba36f20bc9c209b"
-
-[[package]]
-name = "rustc-hash"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "08d43f7aa6b08d49f382cde6a7982047c3426db949b1424bc4b7ec9ae12c6ce2"
-
-[[package]]
-name = "ryu"
-version = "1.0.18"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f"
-
-[[package]]
-name = "same-file"
-version = "1.0.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502"
-dependencies = [
- "winapi-util",
-]
-
-[[package]]
-name = "serde"
-version = "1.0.210"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a"
-dependencies = [
- "serde_derive",
-]
-
-[[package]]
-name = "serde_derive"
-version = "1.0.210"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.77",
-]
-
-[[package]]
-name = "serde_json"
-version = "1.0.128"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ff5456707a1de34e7e37f2a6fd3d3f808c318259cbd01ab6377795054b483d8"
-dependencies = [
- "itoa",
- "memchr",
- "ryu",
- "serde",
-]
-
-[[package]]
-name = "shlex"
-version = "1.3.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
-
-[[package]]
-name = "snafu"
-version = "0.7.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e4de37ad025c587a29e8f3f5605c00f70b98715ef90b9061a815b9e59e9042d6"
-dependencies = [
- "doc-comment",
- "snafu-derive",
-]
-
-[[package]]
-name = "snafu-derive"
-version = "0.7.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "990079665f075b699031e9c08fd3ab99be5029b96f3b78dc0709e8f77e4efebf"
-dependencies = [
- "heck",
- "proc-macro2",
- "quote",
- "syn 1.0.109",
-]
-
-[[package]]
-name = "syn"
-version = "1.0.109"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237"
-dependencies = [
- "proc-macro2",
- "quote",
- "unicode-ident",
-]
-
-[[package]]
-name = "syn"
-version = "2.0.77"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9f35bcdf61fd8e7be6caf75f429fdca8beb3ed76584befb503b1569faee373ed"
-dependencies = [
- "proc-macro2",
- "quote",
- "unicode-ident",
-]
-
-[[package]]
-name = "thiserror"
-version = "1.0.63"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c0342370b38b6a11b6cc11d6a805569958d54cfa061a29969c3b5ce2ea405724"
-dependencies = [
- "thiserror-impl",
-]
-
-[[package]]
-name = "thiserror-impl"
-version = "1.0.63"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a4558b58466b9ad7ca0f102865eccc95938dca1a74a856f2b57b6629050da261"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.77",
-]
-
-[[package]]
-name = "threadpool"
-version = "1.8.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d050e60b33d41c19108b32cea32164033a9013fe3b46cbd4457559bfbf77afaa"
-dependencies = [
- "num_cpus",
-]
-
-[[package]]
-name = "unicode-ident"
-version = "1.0.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e91b56cd4cadaeb79bbf1a5645f6b4f8dc5bde8834ad5894a8db35fda9efa1fe"
-
-[[package]]
-name = "unicode-segmentation"
-version = "1.12.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6ccf251212114b54433ec949fd6a7841275f9ada20dddd2f29e9ceea4501493"
-
-[[package]]
-name = "walkdir"
-version = "2.5.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b"
-dependencies = [
- "same-file",
- "winapi-util",
-]
-
-[[package]]
-name = "wasi"
-version = "0.11.0+wasi-snapshot-preview1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
-
-[[package]]
-name = "widestring"
-version = "1.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7219d36b6eac893fa81e84ebe06485e7dcbb616177469b142df14f1f4deb1311"
-
-[[package]]
-name = "winapi"
-version = "0.3.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
-dependencies = [
- "winapi-i686-pc-windows-gnu",
- "winapi-x86_64-pc-windows-gnu",
-]
-
-[[package]]
-name = "winapi-i686-pc-windows-gnu"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
-
-[[package]]
-name = "winapi-util"
-version = "0.1.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
-dependencies = [
- "windows-sys",
-]
-
-[[package]]
-name = "winapi-x86_64-pc-windows-gnu"
-version = "0.4.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
-
-[[package]]
-name = "windows-sys"
-version = "0.59.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
-dependencies = [
- "windows-targets",
-]
-
-[[package]]
-name = "windows-targets"
-version = "0.52.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
-dependencies = [
- "windows_aarch64_gnullvm",
- "windows_aarch64_msvc",
- "windows_i686_gnu",
- "windows_i686_gnullvm",
- "windows_i686_msvc",
- "windows_x86_64_gnu",
- "windows_x86_64_gnullvm",
- "windows_x86_64_msvc",
-]
-
-[[package]]
-name = "windows_aarch64_gnullvm"
-version = "0.52.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
-
-[[package]]
-name = "windows_aarch64_msvc"
-version = "0.52.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
-
-[[package]]
-name = "windows_i686_gnu"
-version = "0.52.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
-
-[[package]]
-name = "windows_i686_gnullvm"
-version = "0.52.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
-
-[[package]]
-name = "windows_i686_msvc"
-version = "0.52.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
-
-[[package]]
-name = "windows_x86_64_gnu"
-version = "0.52.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
-
-[[package]]
-name = "windows_x86_64_gnullvm"
-version = "0.52.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
-
-[[package]]
-name = "windows_x86_64_msvc"
-version = "0.52.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
-
-[[package]]
-name = "xxhash-rust"
-version = "0.8.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a5cbf750400958819fb6178eaa83bee5cd9c29a26a40cc241df8c70fdd46984"
-
-[[package]]
-name = "zerocopy"
-version = "0.7.35"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1b9b4fd18abc82b8136838da5d50bae7bdea537c574d8dc1a34ed098d6c166f0"
-dependencies = [
- "byteorder",
- "zerocopy-derive",
-]
-
-[[package]]
-name = "zerocopy-derive"
-version = "0.7.35"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.77",
-]
@@ -1,5 +1,5 @@
 {
-  "dart.flutterSdkPath": ".fvm/versions/3.35.7",
+  "dart.flutterSdkPath": ".fvm/versions/3.41.9",
  "dart.lineLength": 120,
  "[dart]": {
    "editor.rulers": [
@@ -52,90 +52,11 @@ analyzer:
    unawaited_futures: warning

 custom_lint:
-  debug: true
  rules:
    - avoid_build_context_in_providers: false
    - avoid_public_notifier_properties: false
    - avoid_manual_providers_as_generated_provider_dependency: false
    - unsupported_provider_value: false
-    - import_rule_photo_manager:
-      message: photo_manager must only be used in MediaRepositories
-      restrict: package:photo_manager
-      allowed:
-        # required / wanted
-        - 'lib/infrastructure/repositories/album_media.repository.dart'
-        - 'lib/infrastructure/repositories/{storage,asset_media}.repository.dart'
-        - 'lib/repositories/{album,asset,file}_media.repository.dart'
-        # acceptable exceptions for the time being
-        - lib/entities/asset.entity.dart # to provide local AssetEntity for now
-        - lib/providers/image/immich_local_{image,thumbnail}_provider.dart # accesses thumbnails via PhotoManager
-        # refactor to make the providers and services testable
-        - lib/providers/backup/{backup,manual_upload}.provider.dart # uses only PMProgressHandler
-        - lib/services/{background,backup}.service.dart # uses only PMProgressHandler
-        - test/**.dart
-    - import_rule_isar:
-      message: isar must only be used in entities and repositories
-      restrict: package:isar
-      allowed:
-        # required / wanted
-        - lib/entities/*.entity.dart
-        - lib/repositories/{album,asset,backup,database,etag,exif_info,user,timeline,partner}.repository.dart
-        - lib/infrastructure/entities/*.entity.dart
-        - lib/infrastructure/repositories/*.repository.dart
-        - lib/providers/infrastructure/db.provider.dart
-        # acceptable exceptions for the time being (until Isar is fully replaced)
-        - lib/providers/app_life_cycle.provider.dart
-        - integration_test/test_utils/general_helper.dart
-        - lib/domain/services/background_worker.service.dart
-        - lib/main.dart
-        - lib/pages/album/album_asset_selection.page.dart
-        - lib/routing/router.dart
-        - lib/services/immich_logger.service.dart # not really a service... more a util
-        - lib/utils/{db,migration}.dart
-        - lib/utils/bootstrap.dart
-        - lib/widgets/asset_grid/asset_grid_data_structure.dart
-        - test/**.dart
-        # refactor the remaining providers
-        - lib/providers/db.provider.dart
-
-    - import_rule_openapi:
-      message: openapi must only be used through ApiRepositories
-      restrict: package:openapi
-      allowed:
-        # required / wanted
-        - lib/repositories/*_api.repository.dart
-        - lib/domain/models/sync_event.model.dart
-        - lib/{domain,infrastructure}/**/sync_stream.*
-        - lib/{domain,infrastructure}/**/sync_api.*
-        - lib/infrastructure/repositories/*_api.repository.dart
-        - lib/infrastructure/utils/*.converter.dart
-        # acceptable exceptions for the time being
-        - lib/entities/{album,asset,exif_info,user}.entity.dart # to convert DTOs to entities
-        - lib/infrastructure/utils/*.converter.dart
-        - lib/utils/{image_url_builder,openapi_patching}.dart # utils are fine
-        - test/modules/utils/openapi_patching_test.dart # filename is self-explanatory...
-        - lib/domain/services/sync_stream.service.dart # Making sure to comply with the type from database
-        - lib/domain/services/search.service.dart
-
-        # refactor
-        - lib/models/map/map_marker.model.dart
-        - lib/models/server_info/server_{config,disk_info,features,version}.model.dart
-        - lib/models/shared_link/shared_link.model.dart
-        - lib/providers/asset_viewer/asset_people.provider.dart
-        - lib/providers/auth.provider.dart
-        - lib/providers/image/immich_remote_{image,thumbnail}_provider.dart
-        - lib/providers/map/map_state.provider.dart
-        - lib/providers/search/{search,search_filter}.provider.dart
-        - lib/providers/websocket.provider.dart
-        - lib/routing/auth_guard.dart
-        - lib/services/{api,asset,backup,memory,oauth,search,shared_link,stack,trash}.service.dart
-        - lib/widgets/album/album_thumbnail_listtile.dart
-        - lib/widgets/forms/login/login_form.dart
-        - lib/widgets/search/search_filter/{camera_picker,location_picker,people_picker}.dart
-        - lib/services/auth.service.dart # on ApiException
-        - test/services/auth.service_test.dart # on ApiException
-        # allow import from test
-        - test/**.dart

 dart_code_metrics:
  rules:
@@ -1,27 +1,10 @@
 plugins {
-  id "com.android.application"
-  id "kotlin-android"
+  alias(libs.plugins.android.application)
+  alias(libs.plugins.kotlin.android)
  id "dev.flutter.flutter-gradle-plugin"
-  id 'com.google.devtools.ksp'
-  id 'org.jetbrains.kotlin.plugin.serialization'
-  id 'org.jetbrains.kotlin.plugin.compose' version '2.0.20' // this version matches your Kotlin version
-
-}
-
-def localProperties = new Properties()
-def localPropertiesFile = rootProject.file('local.properties')
-if (localPropertiesFile.exists()) {
-  localPropertiesFile.withInputStream { localProperties.load(it) }
-}
-
-def flutterVersionCode = localProperties.getProperty('flutter.versionCode')
-if (flutterVersionCode == null) {
-  flutterVersionCode = '1'
-}
-
-def flutterVersionName = localProperties.getProperty('flutter.versionName')
-if (flutterVersionName == null) {
-  flutterVersionName = '1.0'
+  alias(libs.plugins.ksp)
+  alias(libs.plugins.kotlin.serialization)
+  alias(libs.plugins.kotlin.compose)
 }

 def keystoreProperties = new Properties()
@@ -31,8 +14,8 @@ if (keystorePropertiesFile.exists()) {
 }

 android {
-  compileSdkVersion 35
-  ndkVersion = "28.2.13676358"
+  compileSdk = flutter.compileSdkVersion
+  ndkVersion = flutter.ndkVersion

  compileOptions {
    sourceCompatibility JavaVersion.VERSION_17
@@ -55,10 +38,10 @@ android {

  defaultConfig {
    applicationId "app.alextran.immich"
-    minSdkVersion 26
-    targetSdkVersion 35
-    versionCode flutterVersionCode.toInteger()
-    versionName flutterVersionName
+    minSdk = 26
+    targetSdk = flutter.targetSdkVersion
+    versionCode flutter.versionCode
+    versionName flutter.versionName
  }

  signingConfigs {
@@ -67,10 +50,10 @@ android {
      def keyPasswordVal = System.getenv("ANDROID_KEY_PASSWORD")
      def storePasswordVal = System.getenv("ANDROID_STORE_PASSWORD")

-      keyAlias keyAliasVal ? keyAliasVal : keystoreProperties['keyAlias']
-      keyPassword keyPasswordVal ? keyPasswordVal : keystoreProperties['keyPassword']
-      storeFile file("../key.jks") ? file("../key.jks") : file(keystoreProperties['storeFile'])
-      storePassword storePasswordVal ? storePasswordVal : keystoreProperties['storePassword']
+      keyAlias keyAliasVal ?: keystoreProperties['keyAlias']
+      keyPassword keyPasswordVal ?: keystoreProperties['keyPassword']
+      storeFile file("../key.jks").exists() ? file("../key.jks") : file(keystoreProperties['storeFile'] ?: '../key.jks')
+      storePassword storePasswordVal ?: keystoreProperties['storePassword']
    }
  }

@@ -81,8 +64,15 @@ android {
    }

    release {
-      signingConfig signingConfigs.release
+      def hasKeystore = file("../key.jks").exists() && file("../key.jks").length() > 0
+      signingConfig hasKeystore ? signingConfigs.release : signingConfigs.debug
      proguardFiles getDefaultProguardFile('proguard-android-optimize.txt'), 'proguard-rules.pro'
+
+      def prNumber = System.getenv("PR_NUMBER")
+      if (prNumber) {
+        applicationIdSuffix ".pr${prNumber}"
+        versionNameSuffix "-pr${prNumber}"
+      }
    }
  }
  namespace 'app.alextran.immich'
@@ -99,43 +89,31 @@ flutter {
 }

 dependencies {
-  def kotlin_version = '2.0.20'
-  def kotlin_coroutines_version = '1.9.0'
-  def work_version = '2.9.1'
-  def concurrent_version = '1.2.0'
-  def guava_version = '33.3.1-android'
-  def glide_version = '4.16.0'
-  def serialization_version = '1.8.1'
-  def compose_version = '1.1.1'
-  def gson_version = '2.10.1'
-  def okhttp_version = '4.12.0'
+  implementation libs.okhttp
+  implementation libs.cronet.embedded
+  implementation libs.media3.datasource.okhttp
+  implementation libs.media3.datasource.cronet
+  implementation libs.kotlinx.coroutines.android
+  implementation libs.work.runtime.ktx
+  implementation libs.concurrent.futures
+  implementation libs.guava
+  implementation libs.glide
+  implementation libs.kotlinx.serialization.json

-  implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
-  implementation "com.squareup.okhttp3:okhttp:$okhttp_version"
-  implementation 'org.chromium.net:cronet-embedded:143.7445.0'
-  implementation("androidx.media3:media3-datasource-okhttp:1.10.0")
-  implementation("androidx.media3:media3-datasource-cronet:1.10.0")
-  implementation "org.jetbrains.kotlinx:kotlinx-coroutines-android:$kotlin_coroutines_version"
-  implementation "androidx.work:work-runtime-ktx:$work_version"
-  implementation "androidx.concurrent:concurrent-futures:$concurrent_version"
-  implementation "com.google.guava:guava:$guava_version"
-  implementation "com.github.bumptech.glide:glide:$glide_version"
-  implementation "org.jetbrains.kotlinx:kotlinx-serialization-json:$serialization_version"
-
-  ksp "com.github.bumptech.glide:ksp:$glide_version"
-  coreLibraryDesugaring 'com.android.tools:desugar_jdk_libs:2.1.2'
+  ksp libs.glide.ksp
+  coreLibraryDesugaring libs.desugar.jdk.libs

  //Glance Widget
-  implementation "androidx.glance:glance-appwidget:$compose_version"
-  implementation "com.google.code.gson:gson:$gson_version"
+  implementation libs.glance.appwidget
+  implementation libs.gson

  // Glance Configure
-  implementation "androidx.activity:activity-compose:1.8.2"
-  implementation "androidx.compose.ui:ui:$compose_version"
-  implementation "androidx.compose.ui:ui-tooling:$compose_version"
-  implementation "androidx.compose.material3:material3:1.2.1"
-  implementation "androidx.lifecycle:lifecycle-runtime-ktx:2.6.2"
-  implementation "com.google.android.material:material:1.12.0"
+  implementation libs.activity.compose
+  implementation libs.compose.ui
+  implementation libs.compose.ui.tooling
+  implementation libs.compose.material3
+  implementation libs.lifecycle.runtime.ktx
+  implementation libs.material
 }

 // This is uncommented in F-Droid build script
@@ -39,10 +39,6 @@
      android:exported="false"
      android:foregroundServiceType="dataSync|shortService" />

-    <meta-data
-      android:name="io.flutter.embedding.android.EnableImpeller"
-      android:value="false" />
-
    <meta-data
      android:name="com.google.firebase.messaging.default_notification_icon"
      android:resource="@drawable/notification_icon" />
@@ -1,389 +0,0 @@
-package app.alextran.immich
-
-import android.app.Activity
-import android.content.ContentResolver
-import android.content.ContentUris
-import android.content.Context
-import android.content.Intent
-import android.net.Uri
-import android.os.Build
-import android.os.Bundle
-import android.provider.MediaStore
-import android.provider.Settings
-import android.util.Log
-import androidx.annotation.RequiresApi
-import io.flutter.embedding.engine.plugins.FlutterPlugin
-import io.flutter.embedding.engine.plugins.activity.ActivityAware
-import io.flutter.embedding.engine.plugins.activity.ActivityPluginBinding
-import io.flutter.plugin.common.BinaryMessenger
-import io.flutter.plugin.common.MethodCall
-import io.flutter.plugin.common.MethodChannel
-import io.flutter.plugin.common.MethodChannel.Result
-import io.flutter.plugin.common.PluginRegistry
-import java.security.MessageDigest
-import java.io.FileInputStream
-import kotlinx.coroutines.*
-import androidx.core.net.toUri
-
-/**
- * Android plugin for Dart `BackgroundService` and file trash operations
- */
-class BackgroundServicePlugin : FlutterPlugin, MethodChannel.MethodCallHandler, ActivityAware, PluginRegistry.ActivityResultListener {
-
-  private var methodChannel: MethodChannel? = null
-  private var fileTrashChannel: MethodChannel? = null
-  private var context: Context? = null
-  private var pendingResult: Result? = null
-  private val permissionRequestCode = 1001
-  private val trashRequestCode = 1002
-  private var activityBinding: ActivityPluginBinding? = null
-
-  override fun onAttachedToEngine(binding: FlutterPlugin.FlutterPluginBinding) {
-    onAttachedToEngine(binding.applicationContext, binding.binaryMessenger)
-  }
-
-  private fun onAttachedToEngine(ctx: Context, messenger: BinaryMessenger) {
-    context = ctx
-    methodChannel = MethodChannel(messenger, "immich/foregroundChannel")
-    methodChannel?.setMethodCallHandler(this)
-
-    // Add file trash channel
-    fileTrashChannel = MethodChannel(messenger, "file_trash")
-    fileTrashChannel?.setMethodCallHandler(this)
-  }
-
-  override fun onDetachedFromEngine(binding: FlutterPlugin.FlutterPluginBinding) {
-    onDetachedFromEngine()
-  }
-
-  private fun onDetachedFromEngine() {
-    methodChannel?.setMethodCallHandler(null)
-    methodChannel = null
-    fileTrashChannel?.setMethodCallHandler(null)
-    fileTrashChannel = null
-  }
-
-  override fun onMethodCall(call: MethodCall, result: Result) {
-    val ctx = context!!
-    when (call.method) {
-      // Existing BackgroundService methods
-      "enable" -> {
-        val args = call.arguments<ArrayList<*>>()!!
-        ctx.getSharedPreferences(BackupWorker.SHARED_PREF_NAME, Context.MODE_PRIVATE)
-          .edit()
-          .putBoolean(ContentObserverWorker.SHARED_PREF_SERVICE_ENABLED, true)
-          .putLong(BackupWorker.SHARED_PREF_CALLBACK_KEY, args[0] as Long)
-          .putString(BackupWorker.SHARED_PREF_NOTIFICATION_TITLE, args[1] as String)
-          .apply()
-        ContentObserverWorker.enable(ctx, immediate = args[2] as Boolean)
-        result.success(true)
-      }
-
-      "configure" -> {
-        val args = call.arguments<ArrayList<*>>()!!
-        val requireUnmeteredNetwork = args[0] as Boolean
-        val requireCharging = args[1] as Boolean
-        val triggerUpdateDelay = (args[2] as Number).toLong()
-        val triggerMaxDelay = (args[3] as Number).toLong()
-        ContentObserverWorker.configureWork(
-          ctx,
-          requireUnmeteredNetwork,
-          requireCharging,
-          triggerUpdateDelay,
-          triggerMaxDelay
-        )
-        result.success(true)
-      }
-
-      "disable" -> {
-        ContentObserverWorker.disable(ctx)
-        BackupWorker.stopWork(ctx)
-        result.success(true)
-      }
-
-      "isEnabled" -> {
-        result.success(ContentObserverWorker.isEnabled(ctx))
-      }
-
-      "isIgnoringBatteryOptimizations" -> {
-        result.success(BackupWorker.isIgnoringBatteryOptimizations(ctx))
-      }
-
-      "digestFiles" -> {
-        val args = call.arguments<ArrayList<String>>()!!
-        GlobalScope.launch(Dispatchers.IO) {
-          val buf = ByteArray(BUFFER_SIZE)
-          val digest: MessageDigest = MessageDigest.getInstance("SHA-1")
-          val hashes = arrayOfNulls<ByteArray>(args.size)
-          for (i in args.indices) {
-            val path = args[i]
-            var len = 0
-            try {
-              val file = FileInputStream(path)
-              file.use { assetFile ->
-                while (true) {
-                  len = assetFile.read(buf)
-                  if (len != BUFFER_SIZE) break
-                  digest.update(buf)
-                }
-              }
-              digest.update(buf, 0, len)
-              hashes[i] = digest.digest()
-            } catch (e: Exception) {
-              // skip this file
-              Log.w(TAG, "Failed to hash file ${args[i]}: $e")
-            }
-          }
-          result.success(hashes.asList())
-        }
-      }
-
-      // File Trash methods moved from MainActivity
-      "moveToTrash" -> {
-        val mediaUrls = call.argument<List<String>>("mediaUrls")
-        if (mediaUrls != null) {
-          if ((Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) && hasManageMediaPermission()) {
-            moveToTrash(mediaUrls, result)
-          } else {
-            result.error("PERMISSION_DENIED", "Media permission required", null)
-          }
-        } else {
-          result.error("INVALID_NAME", "The mediaUrls is not specified.", null)
-        }
-      }
-
-      "restoreFromTrash" -> {
-        val fileName = call.argument<String>("fileName")
-        val type = call.argument<Int>("type")
-        val mediaId = call.argument<String>("mediaId")
-        if (fileName != null && type != null) {
-          if ((Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) && hasManageMediaPermission()) {
-            restoreFromTrash(fileName, type, result)
-          } else {
-            result.error("PERMISSION_DENIED", "Media permission required", null)
-          }
-        } else
-          if (mediaId != null && type != null) {
-            if ((Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) && hasManageMediaPermission()) {
-              restoreFromTrashById(mediaId, type, result)
-            } else {
-              result.error("PERMISSION_DENIED", "Media permission required", null)
-            }
-          } else {
-            result.error("INVALID_PARAMS", "Required params are not specified.", null)
-          }
-      }
-
-      "requestManageMediaPermission" -> {
-        if (!hasManageMediaPermission()) {
-          requestManageMediaPermission(result)
-        } else {
-          Log.e("Manage storage permission", "Permission already granted")
-          result.success(true)
-        }
-      }
-
-      "hasManageMediaPermission" -> {
-        if (hasManageMediaPermission()) {
-          Log.i("Manage storage permission", "Permission already granted")
-          result.success(true)
-        } else {
-          result.success(false)
-        }
-      }
-
-      "manageMediaPermission" -> requestManageMediaPermission(result)
-
-      else -> result.notImplemented()
-    }
-  }
-
-  private fun hasManageMediaPermission(): Boolean {
-    return if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
-      MediaStore.canManageMedia(context!!);
-    } else  {
-      false
-    }
-  }
-
-  private fun requestManageMediaPermission(result: Result) {
-    if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
-      pendingResult = result // Store the result callback
-      val activity = activityBinding?.activity ?: return
-
-      val intent = Intent(Settings.ACTION_REQUEST_MANAGE_MEDIA)
-      intent.data = "package:${activity.packageName}".toUri()
-      activity.startActivityForResult(intent, permissionRequestCode)
-    } else {
-      result.success(false)
-    }
-  }
-
-  @RequiresApi(Build.VERSION_CODES.R)
-  private fun moveToTrash(mediaUrls: List<String>, result: Result) {
-    val urisToTrash = mediaUrls.map { it.toUri() }
-    if (urisToTrash.isEmpty()) {
-      result.error("INVALID_ARGS", "No valid URIs provided", null)
-      return
-    }
-
-    toggleTrash(urisToTrash, true, result);
-  }
-
-  @RequiresApi(Build.VERSION_CODES.R)
-  private fun restoreFromTrash(name: String, type: Int, result: Result) {
-    val uri = getTrashedFileUri(name, type)
-    if (uri == null) {
-      Log.e("TrashError", "Asset Uri cannot be found obtained")
-      result.error("TrashError", "Asset Uri cannot be found obtained", null)
-      return
-    }
-    Log.e("FILE_URI", uri.toString())
-    uri.let { toggleTrash(listOf(it), false, result) }
-  }
-
-  @RequiresApi(Build.VERSION_CODES.R)
-  private fun restoreFromTrashById(mediaId: String, type: Int, result: Result) {
-    val id = mediaId.toLongOrNull()
-    if (id == null) {
-      result.error("INVALID_ID", "The file id is not a valid number: $mediaId", null)
-      return
-    }
-    if (!isInTrash(id)) {
-      result.error("TrashNotFound", "Item with id=$id not found in trash", null)
-      return
-    }
-
-    val uri = ContentUris.withAppendedId(contentUriForType(type), id)
-
-    try {
-      Log.i(TAG, "restoreFromTrashById: uri=$uri (type=$type,id=$id)")
-      restoreUris(listOf(uri), result)
-    } catch (e: Exception) {
-      Log.w(TAG, "restoreFromTrashById failed", e)
-    }
-  }
-
-  @RequiresApi(Build.VERSION_CODES.R)
-  private fun toggleTrash(contentUris: List<Uri>, isTrashed: Boolean, result: Result) {
-    val activity = activityBinding?.activity
-    val contentResolver = context?.contentResolver
-    if (activity == null || contentResolver == null) {
-      result.error("TrashError", "Activity or ContentResolver not available", null)
-      return
-    }
-
-    try {
-      val pendingIntent = MediaStore.createTrashRequest(contentResolver, contentUris, isTrashed)
-      pendingResult = result // Store for onActivityResult
-      activity.startIntentSenderForResult(
-        pendingIntent.intentSender,
-        trashRequestCode,
-        null, 0, 0, 0
-      )
-    } catch (e: Exception) {
-      Log.e("TrashError", "Error creating or starting trash request", e)
-      result.error("TrashError", "Error creating or starting trash request", null)
-    }
-  }
-
-  @RequiresApi(Build.VERSION_CODES.R)
-  private fun getTrashedFileUri(fileName: String, type: Int): Uri? {
-    val contentResolver = context?.contentResolver ?: return null
-    val queryUri = MediaStore.Files.getContentUri(MediaStore.VOLUME_EXTERNAL)
-    val projection = arrayOf(MediaStore.Files.FileColumns._ID)
-
-    val queryArgs = Bundle().apply {
-      putString(
-        ContentResolver.QUERY_ARG_SQL_SELECTION,
-        "${MediaStore.Files.FileColumns.DISPLAY_NAME} = ?"
-      )
-      putStringArray(ContentResolver.QUERY_ARG_SQL_SELECTION_ARGS, arrayOf(fileName))
-      putInt(MediaStore.QUERY_ARG_MATCH_TRASHED, MediaStore.MATCH_ONLY)
-    }
-
-    contentResolver.query(queryUri, projection, queryArgs, null)?.use { cursor ->
-      if (cursor.moveToFirst()) {
-        val id = cursor.getLong(cursor.getColumnIndexOrThrow(MediaStore.Files.FileColumns._ID))
-        return ContentUris.withAppendedId(contentUriForType(type), id)
-      }
-    }
-    return null
-  }
-
-  // ActivityAware implementation
-  override fun onAttachedToActivity(binding: ActivityPluginBinding) {
-    activityBinding = binding
-    binding.addActivityResultListener(this)
-  }
-
-  override fun onDetachedFromActivityForConfigChanges() {
-    activityBinding?.removeActivityResultListener(this)
-    activityBinding = null
-  }
-
-  override fun onReattachedToActivityForConfigChanges(binding: ActivityPluginBinding) {
-    activityBinding = binding
-    binding.addActivityResultListener(this)
-  }
-
-  override fun onDetachedFromActivity() {
-    activityBinding?.removeActivityResultListener(this)
-    activityBinding = null
-  }
-
-  // ActivityResultListener implementation
-  override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?): Boolean {
-    if (requestCode == permissionRequestCode) {
-      val granted = hasManageMediaPermission()
-      pendingResult?.success(granted)
-      pendingResult = null
-      return true
-    }
-
-    if (requestCode == trashRequestCode) {
-      val approved = resultCode == Activity.RESULT_OK
-      pendingResult?.success(approved)
-      pendingResult = null
-      return true
-    }
-    return false
-  }
-
-  @RequiresApi(Build.VERSION_CODES.R)
-  private fun isInTrash(id: Long): Boolean {
-    val contentResolver = context?.contentResolver ?: return false
-    val filesUri = MediaStore.Files.getContentUri(MediaStore.VOLUME_EXTERNAL)
-    val args = Bundle().apply {
-      putString(ContentResolver.QUERY_ARG_SQL_SELECTION, "${MediaStore.Files.FileColumns._ID}=?")
-      putStringArray(ContentResolver.QUERY_ARG_SQL_SELECTION_ARGS, arrayOf(id.toString()))
-      putInt(MediaStore.QUERY_ARG_MATCH_TRASHED, MediaStore.MATCH_ONLY)
-      putInt(ContentResolver.QUERY_ARG_LIMIT, 1)
-    }
-    return contentResolver.query(filesUri, arrayOf(MediaStore.Files.FileColumns._ID), args, null)
-      ?.use { it.moveToFirst() } == true
-  }
-
-  @RequiresApi(Build.VERSION_CODES.R)
-  private fun restoreUris(uris: List<Uri>, result: Result) {
-    if (uris.isEmpty()) {
-      result.error("TrashError", "No URIs to restore", null)
-      return
-    }
-    Log.i(TAG, "restoreUris: count=${uris.size}, first=${uris.first()}")
-    toggleTrash(uris, false, result)
-  }
-
-  @RequiresApi(Build.VERSION_CODES.Q)
-  private fun contentUriForType(type: Int): Uri =
-    when (type) {
-      // same order as AssetType from dart
-      1 -> MediaStore.Images.Media.EXTERNAL_CONTENT_URI
-      2 -> MediaStore.Video.Media.EXTERNAL_CONTENT_URI
-      3 -> MediaStore.Audio.Media.EXTERNAL_CONTENT_URI
-      else -> MediaStore.Files.getContentUri(MediaStore.VOLUME_EXTERNAL)
-    }
-}
-
-private const val TAG = "BackgroundServicePlugin"
-private const val BUFFER_SIZE = 2 * 1024 * 1024
@@ -1,394 +0,0 @@
-package app.alextran.immich
-
-import android.app.Notification
-import android.app.NotificationChannel
-import android.app.NotificationManager
-import android.content.Context
-import android.content.pm.ServiceInfo.FOREGROUND_SERVICE_TYPE_SHORT_SERVICE
-import android.os.Build
-import android.os.Handler
-import android.os.Looper
-import android.os.PowerManager
-import android.os.SystemClock
-import android.util.Log
-import androidx.annotation.RequiresApi
-import androidx.core.app.NotificationCompat
-import androidx.concurrent.futures.ResolvableFuture
-import androidx.work.BackoffPolicy
-import androidx.work.Constraints
-import androidx.work.ForegroundInfo
-import androidx.work.ListenableWorker
-import androidx.work.NetworkType
-import androidx.work.WorkerParameters
-import androidx.work.ExistingWorkPolicy
-import androidx.work.OneTimeWorkRequest
-import androidx.work.WorkManager
-import androidx.work.WorkInfo
-import com.google.common.util.concurrent.ListenableFuture
-import io.flutter.embedding.engine.FlutterEngine
-import io.flutter.embedding.engine.dart.DartExecutor
-import io.flutter.embedding.engine.loader.FlutterLoader
-import io.flutter.plugin.common.MethodCall
-import io.flutter.plugin.common.MethodChannel
-import io.flutter.view.FlutterCallbackInformation
-import java.util.concurrent.TimeUnit
-
-/**
- * Worker executed by Android WorkManager to perform backup in background
- *
- * Starts the Dart runtime/engine and calls `_nativeEntry` function in
- * `background.service.dart` to run the actual backup logic.
- * Called by Android WorkManager when all constraints for the work are met,
- * i.e. battery is not low and optionally Wifi and charging are active.
- */
-class BackupWorker(ctx: Context, params: WorkerParameters) : ListenableWorker(ctx, params),
-  MethodChannel.MethodCallHandler {
-
-  private val resolvableFuture = ResolvableFuture.create<Result>()
-  private var engine: FlutterEngine? = null
-  private lateinit var backgroundChannel: MethodChannel
-  private val notificationManager =
-    ctx.getSystemService(Context.NOTIFICATION_SERVICE) as NotificationManager
-  private val isIgnoringBatteryOptimizations = isIgnoringBatteryOptimizations(applicationContext)
-  private var timeBackupStarted: Long = 0L
-  private var notificationBuilder: NotificationCompat.Builder? = null
-  private var notificationDetailBuilder: NotificationCompat.Builder? = null
-  private var fgFuture: ListenableFuture<Void>? = null
-
-  override fun startWork(): ListenableFuture<ListenableWorker.Result> {
-
-    Log.d(TAG, "startWork")
-
-    val ctx = applicationContext
-
-    if (!flutterLoader.initialized()) {
-      flutterLoader.startInitialization(ctx)
-    }
-
-    // Create a Notification channel
-    createChannel()
-
-    Log.d(TAG, "isIgnoringBatteryOptimizations $isIgnoringBatteryOptimizations")
-    if (isIgnoringBatteryOptimizations) {
-      // normal background services can only up to 10 minutes
-      // foreground services are allowed to run indefinitely
-      // requires battery optimizations to be disabled (either manually by the user
-      // or by the system learning that immich is important to the user)
-      val title = ctx.getSharedPreferences(SHARED_PREF_NAME, Context.MODE_PRIVATE)
-        .getString(SHARED_PREF_NOTIFICATION_TITLE, NOTIFICATION_DEFAULT_TITLE)!!
-      showInfo(getInfoBuilder(title, indeterminate = true).build())
-    }
-
-    engine = FlutterEngine(ctx)
-
-    flutterLoader.ensureInitializationCompleteAsync(ctx, null, Handler(Looper.getMainLooper())) {
-      runDart()
-
-    }
-
-    return resolvableFuture
-  }
-
-  /**
-   * Starts the Dart runtime/engine and calls `_nativeEntry` function in
-   * `background.service.dart` to run the actual backup logic.
-   */
-  private fun runDart() {
-    val callbackDispatcherHandle = applicationContext.getSharedPreferences(
-      SHARED_PREF_NAME, Context.MODE_PRIVATE
-    ).getLong(SHARED_PREF_CALLBACK_KEY, 0L)
-    val callbackInformation =
-      FlutterCallbackInformation.lookupCallbackInformation(callbackDispatcherHandle)
-    val appBundlePath = flutterLoader.findAppBundlePath()
-
-    engine?.let { engine ->
-      backgroundChannel = MethodChannel(engine.dartExecutor, "immich/backgroundChannel")
-      backgroundChannel.setMethodCallHandler(this@BackupWorker)
-      engine.dartExecutor.executeDartCallback(
-        DartExecutor.DartCallback(
-          applicationContext.assets,
-          appBundlePath,
-          callbackInformation
-        )
-      )
-    }
-  }
-
-  override fun onStopped() {
-    Log.d(TAG, "onStopped")
-    // called when the system has to stop this worker because constraints are
-    // no longer met or the system needs resources for more important tasks
-    Handler(Looper.getMainLooper()).postAtFrontOfQueue {
-      if (::backgroundChannel.isInitialized) {
-        backgroundChannel.invokeMethod("systemStop", null)
-      }
-    }
-    waitOnSetForegroundAsync()
-    // cannot await/get(block) on resolvableFuture as its already cancelled (would throw CancellationException)
-    // instead, wait for 5 seconds until forcefully stopping backup work
-    Handler(Looper.getMainLooper()).postDelayed({
-      stopEngine(null)
-    }, 5000)
-  }
-
-  private fun waitOnSetForegroundAsync() {
-    val fgFuture = this.fgFuture
-    if (fgFuture != null && !fgFuture.isCancelled && !fgFuture.isDone) {
-      try {
-        fgFuture.get(500, TimeUnit.MILLISECONDS)
-      } catch (e: Exception) {
-        // ignored, there is nothing to be done
-      }
-    }
-  }
-
-  private fun stopEngine(result: Result?) {
-    clearBackgroundNotification()
-    engine?.destroy()
-    engine = null
-    if (result != null) {
-      Log.d(TAG, "stopEngine result=${result}")
-      resolvableFuture.set(result)
-    }
-    waitOnSetForegroundAsync()
-  }
-
-  @RequiresApi(Build.VERSION_CODES.UPSIDE_DOWN_CAKE)
-  override fun onMethodCall(call: MethodCall, r: MethodChannel.Result) {
-    when (call.method) {
-      "initialized" -> {
-        timeBackupStarted = SystemClock.uptimeMillis()
-        backgroundChannel.invokeMethod(
-          "onAssetsChanged",
-          null,
-          object : MethodChannel.Result {
-            override fun notImplemented() {
-              stopEngine(Result.failure())
-            }
-
-            override fun error(errorCode: String, errorMessage: String?, errorDetails: Any?) {
-              stopEngine(Result.failure())
-            }
-
-            override fun success(receivedResult: Any?) {
-              val success = receivedResult as Boolean
-              stopEngine(if (success) Result.success() else Result.retry())
-            }
-          }
-        )
-      }
-
-      "updateNotification" -> {
-        val args = call.arguments<ArrayList<*>>()!!
-        val title = args[0] as String?
-        val content = args[1] as String?
-        val progress = args[2] as Int
-        val max = args[3] as Int
-        val indeterminate = args[4] as Boolean
-        val isDetail = args[5] as Boolean
-        val onlyIfFG = args[6] as Boolean
-        if (!onlyIfFG || isIgnoringBatteryOptimizations) {
-          showInfo(
-            getInfoBuilder(title, content, isDetail, progress, max, indeterminate).build(),
-            isDetail
-          )
-        }
-      }
-
-      "showError" -> {
-        val args = call.arguments<ArrayList<*>>()!!
-        val title = args[0] as String
-        val content = args[1] as String?
-        val individualTag = args[2] as String?
-        showError(title, content, individualTag)
-      }
-
-      "clearErrorNotifications" -> clearErrorNotifications()
-      "hasContentChanged" -> {
-        val lastChange = applicationContext
-          .getSharedPreferences(SHARED_PREF_NAME, Context.MODE_PRIVATE)
-          .getLong(SHARED_PREF_LAST_CHANGE, timeBackupStarted)
-        val hasContentChanged = lastChange > timeBackupStarted;
-        timeBackupStarted = SystemClock.uptimeMillis()
-        r.success(hasContentChanged)
-      }
-
-      else -> r.notImplemented()
-    }
-  }
-
-  private fun showError(title: String, content: String?, individualTag: String?) {
-    val notification = NotificationCompat.Builder(applicationContext, NOTIFICATION_CHANNEL_ERROR_ID)
-      .setContentTitle(title)
-      .setTicker(title)
-      .setContentText(content)
-      .setSmallIcon(R.drawable.notification_icon)
-      .build()
-    notificationManager.notify(individualTag, NOTIFICATION_ERROR_ID, notification)
-  }
-
-  private fun clearErrorNotifications() {
-    notificationManager.cancel(NOTIFICATION_ERROR_ID)
-  }
-
-  private fun clearBackgroundNotification() {
-    notificationManager.cancel(NOTIFICATION_ID)
-    notificationManager.cancel(NOTIFICATION_DETAIL_ID)
-  }
-
-  private fun showInfo(notification: Notification, isDetail: Boolean = false) {
-    val id = if (isDetail) NOTIFICATION_DETAIL_ID else NOTIFICATION_ID
-
-    if (isIgnoringBatteryOptimizations && !isDetail) {
-      fgFuture = if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
-        setForegroundAsync(ForegroundInfo(id, notification, FOREGROUND_SERVICE_TYPE_SHORT_SERVICE))
-      } else {
-        setForegroundAsync(ForegroundInfo(id, notification))
-      }
-    } else {
-      notificationManager.notify(id, notification)
-    }
-  }
-
-  private fun getInfoBuilder(
-    title: String? = null,
-    content: String? = null,
-    isDetail: Boolean = false,
-    progress: Int = 0,
-    max: Int = 0,
-    indeterminate: Boolean = false,
-  ): NotificationCompat.Builder {
-    var builder = if (isDetail) notificationDetailBuilder else notificationBuilder
-    if (builder == null) {
-      builder = NotificationCompat.Builder(applicationContext, NOTIFICATION_CHANNEL_ID)
-        .setSmallIcon(R.drawable.notification_icon)
-        .setOnlyAlertOnce(true)
-        .setOngoing(true)
-      if (isDetail) {
-        notificationDetailBuilder = builder
-      } else {
-        notificationBuilder = builder
-      }
-    }
-    if (title != null) {
-      builder.setTicker(title).setContentTitle(title)
-    }
-    if (content != null) {
-      builder.setContentText(content)
-    }
-    return builder.setProgress(max, progress, indeterminate)
-  }
-
-  private fun createChannel() {
-    val foreground = NotificationChannel(
-      NOTIFICATION_CHANNEL_ID,
-      NOTIFICATION_CHANNEL_ID,
-      NotificationManager.IMPORTANCE_LOW
-    )
-    notificationManager.createNotificationChannel(foreground)
-    val error = NotificationChannel(
-      NOTIFICATION_CHANNEL_ERROR_ID,
-      NOTIFICATION_CHANNEL_ERROR_ID,
-      NotificationManager.IMPORTANCE_HIGH
-    )
-    notificationManager.createNotificationChannel(error)
-  }
-
-  companion object {
-    const val SHARED_PREF_NAME = "immichBackgroundService"
-    const val SHARED_PREF_CALLBACK_KEY = "callbackDispatcherHandle"
-    const val SHARED_PREF_NOTIFICATION_TITLE = "notificationTitle"
-    const val SHARED_PREF_LAST_CHANGE = "lastChange"
-
-    private const val TASK_NAME_BACKUP = "immich/BackupWorker"
-    private const val NOTIFICATION_CHANNEL_ID = "immich/backgroundService"
-    private const val NOTIFICATION_CHANNEL_ERROR_ID = "immich/backgroundServiceError"
-    private const val NOTIFICATION_DEFAULT_TITLE = "Immich"
-    private const val NOTIFICATION_ID = 1
-    private const val NOTIFICATION_ERROR_ID = 2
-    private const val NOTIFICATION_DETAIL_ID = 3
-    private const val ONE_MINUTE = 60000L
-
-    /**
-     * Enqueues the BackupWorker to run once the constraints are met
-     */
-    fun enqueueBackupWorker(
-      context: Context,
-      requireWifi: Boolean = false,
-      requireCharging: Boolean = false,
-      delayMilliseconds: Long = 0L
-    ) {
-      val workRequest = buildWorkRequest(requireWifi, requireCharging, delayMilliseconds)
-      WorkManager.getInstance(context)
-        .enqueueUniqueWork(TASK_NAME_BACKUP, ExistingWorkPolicy.KEEP, workRequest)
-      Log.d(TAG, "enqueueBackupWorker: BackupWorker enqueued")
-    }
-
-    /**
-     * Updates the constraints of an already enqueued BackupWorker
-     */
-    fun updateBackupWorker(
-      context: Context,
-      requireWifi: Boolean = false,
-      requireCharging: Boolean = false
-    ) {
-      try {
-        val wm = WorkManager.getInstance(context)
-        val workInfoFuture = wm.getWorkInfosForUniqueWork(TASK_NAME_BACKUP)
-        val workInfoList = workInfoFuture.get(1000, TimeUnit.MILLISECONDS)
-        if (workInfoList != null) {
-          for (workInfo in workInfoList) {
-            if (workInfo.state == WorkInfo.State.ENQUEUED) {
-              val workRequest = buildWorkRequest(requireWifi, requireCharging)
-              wm.enqueueUniqueWork(TASK_NAME_BACKUP, ExistingWorkPolicy.REPLACE, workRequest)
-              Log.d(TAG, "updateBackupWorker updated BackupWorker constraints")
-              return
-            }
-          }
-        }
-        Log.d(TAG, "updateBackupWorker: BackupWorker not enqueued")
-      } catch (e: Exception) {
-        Log.d(TAG, "updateBackupWorker failed: $e")
-      }
-    }
-
-    /**
-     * Stops the currently running worker (if any) and removes it from the work queue
-     */
-    fun stopWork(context: Context) {
-      WorkManager.getInstance(context).cancelUniqueWork(TASK_NAME_BACKUP)
-      Log.d(TAG, "stopWork: BackupWorker cancelled")
-    }
-
-    /**
-     * Returns `true` if the app is ignoring battery optimizations
-     */
-    fun isIgnoringBatteryOptimizations(ctx: Context): Boolean {
-      val powerManager = ctx.getSystemService(Context.POWER_SERVICE) as PowerManager
-      return powerManager.isIgnoringBatteryOptimizations(ctx.packageName)
-    }
-
-    private fun buildWorkRequest(
-      requireWifi: Boolean = false,
-      requireCharging: Boolean = false,
-      delayMilliseconds: Long = 0L
-    ): OneTimeWorkRequest {
-      val constraints = Constraints.Builder()
-        .setRequiredNetworkType(if (requireWifi) NetworkType.UNMETERED else NetworkType.CONNECTED)
-        .setRequiresBatteryNotLow(true)
-        .setRequiresCharging(requireCharging)
-        .build();
-
-      val work = OneTimeWorkRequest.Builder(BackupWorker::class.java)
-        .setConstraints(constraints)
-        .setBackoffCriteria(BackoffPolicy.EXPONENTIAL, ONE_MINUTE, TimeUnit.MILLISECONDS)
-        .setInitialDelay(delayMilliseconds, TimeUnit.MILLISECONDS)
-        .build()
-      return work
-    }
-
-    private val flutterLoader = FlutterLoader()
-  }
-}
-
-private const val TAG = "BackupWorker"
@@ -1,144 +0,0 @@
-package app.alextran.immich
-
-import android.content.Context
-import android.os.SystemClock
-import android.provider.MediaStore
-import android.util.Log
-import androidx.work.Constraints
-import androidx.work.Worker
-import androidx.work.WorkerParameters
-import androidx.work.ExistingWorkPolicy
-import androidx.work.OneTimeWorkRequest
-import androidx.work.WorkManager
-import androidx.work.Operation
-import java.util.concurrent.TimeUnit
-
-/**
- * Worker executed by Android WorkManager observing content changes (new photos/videos)
- *
- * Immediately enqueues the BackupWorker when running.
- * As this work is not triggered periodically, but on content change, the
- * worker enqueues itself again after each run.
- */
-class ContentObserverWorker(ctx: Context, params: WorkerParameters) : Worker(ctx, params) {
-
-    override fun doWork(): Result {
-        if (!isEnabled(applicationContext)) {
-            return Result.failure()
-        }
-        if (triggeredContentUris.size > 0) {
-            startBackupWorker(applicationContext, delayMilliseconds = 0)
-        }
-        enqueueObserverWorker(applicationContext, ExistingWorkPolicy.REPLACE)
-        return Result.success()
-    }
-
-    companion object {
-        const val SHARED_PREF_SERVICE_ENABLED = "serviceEnabled"
-        private const val SHARED_PREF_REQUIRE_WIFI = "requireWifi"
-        private const val SHARED_PREF_REQUIRE_CHARGING = "requireCharging"
-        private const val SHARED_PREF_TRIGGER_UPDATE_DELAY = "triggerUpdateDelay"
-        private const val SHARED_PREF_TRIGGER_MAX_DELAY = "triggerMaxDelay"
-
-        private const val TASK_NAME_OBSERVER = "immich/ContentObserver"
-
-        /**
-         * Enqueues the `ContentObserverWorker`.
-         *
-         * @param context Android Context
-         */
-        fun enable(context: Context, immediate: Boolean = false) {
-            enqueueObserverWorker(context, ExistingWorkPolicy.KEEP)
-            Log.d(TAG, "enabled ContentObserverWorker")
-            if (immediate) {
-                startBackupWorker(context, delayMilliseconds = 5000)
-            }
-        }
-
-        /**
-         * Configures the `BackupWorker` to run when all constraints are met.
-         *
-         * @param context Android Context
-         * @param requireWifi if true, task only runs if connected to wifi
-         * @param requireCharging if true, task only runs if device is charging
-         */
-        fun configureWork(context: Context,
-                          requireWifi: Boolean = false,
-                          requireCharging: Boolean = false,
-                          triggerUpdateDelay: Long = 5000,
-                          triggerMaxDelay: Long = 50000) {
-            context.getSharedPreferences(BackupWorker.SHARED_PREF_NAME, Context.MODE_PRIVATE)
-                .edit()
-                .putBoolean(SHARED_PREF_SERVICE_ENABLED, true)
-                .putBoolean(SHARED_PREF_REQUIRE_WIFI, requireWifi)
-                .putBoolean(SHARED_PREF_REQUIRE_CHARGING, requireCharging)
-                .putLong(SHARED_PREF_TRIGGER_UPDATE_DELAY, triggerUpdateDelay)
-                .putLong(SHARED_PREF_TRIGGER_MAX_DELAY, triggerMaxDelay)
-                .apply()
-            BackupWorker.updateBackupWorker(context, requireWifi, requireCharging)
-        }
-
-        /**
-         * Stops the currently running worker (if any) and removes it from the work queue
-         */
-        fun disable(context: Context) {
-            context.getSharedPreferences(BackupWorker.SHARED_PREF_NAME, Context.MODE_PRIVATE)
-                    .edit().putBoolean(SHARED_PREF_SERVICE_ENABLED, false).apply()
-            WorkManager.getInstance(context).cancelUniqueWork(TASK_NAME_OBSERVER)
-            Log.d(TAG, "disabled ContentObserverWorker")
-        }
-
-        /**
-         * Return true if the user has enabled the background backup service
-         */
-        fun isEnabled(ctx: Context): Boolean {
-            return ctx.getSharedPreferences(BackupWorker.SHARED_PREF_NAME, Context.MODE_PRIVATE)
-                    .getBoolean(SHARED_PREF_SERVICE_ENABLED, false)
-        }
-
-        /**
-         * Enqueue and replace the worker without the content trigger but with a short delay
-         */
-        fun workManagerAppClearedWorkaround(context: Context) {
-            val work = OneTimeWorkRequest.Builder(ContentObserverWorker::class.java)
-                .setInitialDelay(500, TimeUnit.MILLISECONDS)
-                .build()
-            WorkManager
-                .getInstance(context)
-                .enqueueUniqueWork(TASK_NAME_OBSERVER, ExistingWorkPolicy.REPLACE, work)
-                .result
-                .get()
-            Log.d(TAG, "workManagerAppClearedWorkaround")
-        }
-
-        private fun enqueueObserverWorker(context: Context, policy: ExistingWorkPolicy) {
-            val sp = context.getSharedPreferences(BackupWorker.SHARED_PREF_NAME, Context.MODE_PRIVATE)
-            val constraints = Constraints.Builder()
-                .addContentUriTrigger(MediaStore.Images.Media.INTERNAL_CONTENT_URI, true)
-                .addContentUriTrigger(MediaStore.Images.Media.EXTERNAL_CONTENT_URI, true)
-                .addContentUriTrigger(MediaStore.Video.Media.INTERNAL_CONTENT_URI, true)
-                .addContentUriTrigger(MediaStore.Video.Media.EXTERNAL_CONTENT_URI, true)
-                .setTriggerContentUpdateDelay(sp.getLong(SHARED_PREF_TRIGGER_UPDATE_DELAY, 5000), TimeUnit.MILLISECONDS)
-                .setTriggerContentMaxDelay(sp.getLong(SHARED_PREF_TRIGGER_MAX_DELAY, 50000), TimeUnit.MILLISECONDS)
-                .build()
-
-            val work = OneTimeWorkRequest.Builder(ContentObserverWorker::class.java)
-                .setConstraints(constraints)
-                .build()
-            WorkManager.getInstance(context).enqueueUniqueWork(TASK_NAME_OBSERVER, policy, work)
-        }
-
-        fun startBackupWorker(context: Context, delayMilliseconds: Long) {
-            val sp = context.getSharedPreferences(BackupWorker.SHARED_PREF_NAME, Context.MODE_PRIVATE)
-            if (!sp.getBoolean(SHARED_PREF_SERVICE_ENABLED, false))
-                return
-            val requireWifi = sp.getBoolean(SHARED_PREF_REQUIRE_WIFI, true)
-            val requireCharging = sp.getBoolean(SHARED_PREF_REQUIRE_CHARGING, false)
-            BackupWorker.enqueueBackupWorker(context, requireWifi, requireCharging, delayMilliseconds)
-            sp.edit().putLong(BackupWorker.SHARED_PREF_LAST_CHANGE, SystemClock.uptimeMillis()).apply()
-        }
-
-    }
-}
-
-private const val TAG = "ContentObserverWorker"
@@ -18,8 +18,6 @@ class ImmichApp : Application() {
    // Thus, the BackupWorker is not started. If the system kills the process after each initialization
    // (because of low memory etc.), the backup is never performed.
    // As a workaround, we also run a backup check when initializing the application
-
-    ContentObserverWorker.startBackupWorker(context = this, delayMilliseconds = 0)
    Handler(Looper.getMainLooper()).postDelayed({
      // We can only check the engine count and not the status of the lock here,
      // as the previous start might have been killed without unlocking.
@@ -51,7 +51,6 @@ class MainActivity : FlutterFragmentActivity() {
      BackgroundWorkerFgHostApi.setUp(messenger, BackgroundWorkerApiImpl(ctx))
      ConnectivityApi.setUp(messenger, ConnectivityApiImpl(ctx))

-      flutterEngine.plugins.add(BackgroundServicePlugin())
      flutterEngine.plugins.add(backgroundEngineLockImpl)
      flutterEngine.plugins.add(nativeSyncApiImpl)
    }
@@ -43,8 +43,8 @@ class BackgroundEngineLock(context: Context) : BackgroundWorkerLockApi, ImmichPl

  override fun onAttachedToEngine(binding: FlutterPlugin.FlutterPluginBinding) {
    super.onAttachedToEngine(binding)
-    checkAndEnforceBackgroundLock(binding.applicationContext)
    engineCount.incrementAndGet()
+    checkAndEnforceBackgroundLock(binding.applicationContext)
    Log.i(TAG, "Flutter engine attached. Attached Engines count: $engineCount")
  }

@@ -1,4 +1,4 @@
-// Autogenerated from Pigeon (v26.0.2), do not edit directly.
+// Autogenerated from Pigeon (v26.3.4), do not edit directly.
 // See also: https://pub.dev/packages/pigeon
@file:Suppress("UNCHECKED_CAST", "ArrayInDataClass")

@@ -37,36 +37,150 @@ private object BackgroundWorkerPigeonUtils {
      )
    }
  }
+  fun doubleEquals(a: Double, b: Double): Boolean {
+    // Normalize -0.0 to 0.0 and handle NaN equality.
+    return (if (a == 0.0) 0.0 else a) == (if (b == 0.0) 0.0 else b) || (a.isNaN() && b.isNaN())
+  }
+
+  fun floatEquals(a: Float, b: Float): Boolean {
+    // Normalize -0.0 to 0.0 and handle NaN equality.
+    return (if (a == 0.0f) 0.0f else a) == (if (b == 0.0f) 0.0f else b) || (a.isNaN() && b.isNaN())
+  }
+
+  fun doubleHash(d: Double): Int {
+    // Normalize -0.0 to 0.0 and handle NaN to ensure consistent hash codes.
+    val normalized = if (d == 0.0) 0.0 else d
+    val bits = java.lang.Double.doubleToLongBits(normalized)
+    return (bits xor (bits ushr 32)).toInt()
+  }
+
+  fun floatHash(f: Float): Int {
+    // Normalize -0.0 to 0.0 and handle NaN to ensure consistent hash codes.
+    val normalized = if (f == 0.0f) 0.0f else f
+    return java.lang.Float.floatToIntBits(normalized)
+  }
+
  fun deepEquals(a: Any?, b: Any?): Boolean {
+    if (a === b) {
+      return true
+    }
+    if (a == null || b == null) {
+      return false
+    }
    if (a is ByteArray && b is ByteArray) {
-        return a.contentEquals(b)
+      return a.contentEquals(b)
    }
    if (a is IntArray && b is IntArray) {
-        return a.contentEquals(b)
+      return a.contentEquals(b)
    }
    if (a is LongArray && b is LongArray) {
-        return a.contentEquals(b)
+      return a.contentEquals(b)
    }
    if (a is DoubleArray && b is DoubleArray) {
-        return a.contentEquals(b)
+      if (a.size != b.size) return false
+      for (i in a.indices) {
+        if (!doubleEquals(a[i], b[i])) return false
+      }
+      return true
+    }
+    if (a is FloatArray && b is FloatArray) {
+      if (a.size != b.size) return false
+      for (i in a.indices) {
+        if (!floatEquals(a[i], b[i])) return false
+      }
+      return true
    }
    if (a is Array<*> && b is Array<*>) {
-      return a.size == b.size &&
-          a.indices.all{ deepEquals(a[it], b[it]) }
+      if (a.size != b.size) return false
+      for (i in a.indices) {
+        if (!deepEquals(a[i], b[i])) return false
+      }
+      return true
    }
    if (a is List<*> && b is List<*>) {
-      return a.size == b.size &&
-          a.indices.all{ deepEquals(a[it], b[it]) }
+      if (a.size != b.size) return false
+      val iterA = a.iterator()
+      val iterB = b.iterator()
+      while (iterA.hasNext() && iterB.hasNext()) {
+        if (!deepEquals(iterA.next(), iterB.next())) return false
+      }
+      return true
    }
    if (a is Map<*, *> && b is Map<*, *>) {
-      return a.size == b.size && a.all {
-          (b as Map<Any?, Any?>).containsKey(it.key) &&
-          deepEquals(it.value, b[it.key])
+      if (a.size != b.size) return false
+      for (entry in a) {
+        val key = entry.key
+        var found = false
+        for (bEntry in b) {
+          if (deepEquals(key, bEntry.key)) {
+            if (deepEquals(entry.value, bEntry.value)) {
+              found = true
+              break
+            } else {
+              return false
+            }
+          }
+        }
+        if (!found) return false
      }
+      return true
+    }
+    if (a is Double && b is Double) {
+      return doubleEquals(a, b)
+    }
+    if (a is Float && b is Float) {
+      return floatEquals(a, b)
    }
    return a == b
  }
-      
+
+  fun deepHash(value: Any?): Int {
+    return when (value) {
+      null -> 0
+      is ByteArray -> value.contentHashCode()
+      is IntArray -> value.contentHashCode()
+      is LongArray -> value.contentHashCode()
+      is DoubleArray -> {
+        var result = 1
+        for (item in value) {
+          result = 31 * result + doubleHash(item)
+        }
+        result
+      }
+      is FloatArray -> {
+        var result = 1
+        for (item in value) {
+          result = 31 * result + floatHash(item)
+        }
+        result
+      }
+      is Array<*> -> {
+        var result = 1
+        for (item in value) {
+          result = 31 * result + deepHash(item)
+        }
+        result
+      }
+      is List<*> -> {
+        var result = 1
+        for (item in value) {
+          result = 31 * result + deepHash(item)
+        }
+        result
+      }
+      is Map<*, *> -> {
+        var result = 0
+        for (entry in value) {
+          result += ((deepHash(entry.key) * 31) xor deepHash(entry.value))
+        }
+        result
+      }
+      is Double -> doubleHash(value)
+      is Float -> floatHash(value)
+      else -> value.hashCode()
+    }
+  }
+
 }

 /**
@@ -79,7 +193,7 @@ class FlutterError (
  val code: String,
  override val message: String? = null,
  val details: Any? = null
-) : Throwable()
+) : RuntimeException()

 /** Generated class from Pigeon that represents data sent in messages. */
 data class BackgroundWorkerSettings (
@@ -101,15 +215,22 @@ data class BackgroundWorkerSettings (
    )
  }
  override fun equals(other: Any?): Boolean {
-    if (other !is BackgroundWorkerSettings) {
+    if (other == null || other.javaClass != javaClass) {
      return false
    }
    if (this === other) {
      return true
    }
-    return BackgroundWorkerPigeonUtils.deepEquals(toList(), other.toList())  }
+    val other = other as BackgroundWorkerSettings
+    return BackgroundWorkerPigeonUtils.deepEquals(this.requiresCharging, other.requiresCharging) && BackgroundWorkerPigeonUtils.deepEquals(this.minimumDelaySeconds, other.minimumDelaySeconds)
+  }

-  override fun hashCode(): Int = toList().hashCode()
+  override fun hashCode(): Int {
+    var result = javaClass.hashCode()
+    result = 31 * result + BackgroundWorkerPigeonUtils.deepHash(this.requiresCharging)
+    result = 31 * result + BackgroundWorkerPigeonUtils.deepHash(this.minimumDelaySeconds)
+    return result
+  }
 }
 private open class BackgroundWorkerPigeonCodec : StandardMessageCodec() {
  override fun readValueOfType(type: Byte, buffer: ByteBuffer): Any? {
--- a/Show More
+++ b/Show More