feat: sharing permissions

fix: improve form control focus visibility (#28512 )
* Improve form control focus visibility * fix: align form input focus styles
2026-05-21 07:06:31 -04:00 · 2026-05-21 11:16:25 +02:00 · 2026-05-20 15:33:56 -05:00 · 2026-05-20 17:20:50 +02:00 · 2026-05-20 16:56:27 +02:00 · 2026-05-20 14:43:30 +00:00
129 changed files with 7565 additions and 4638 deletions
@@ -30,25 +30,32 @@ jobs:
          filters: |
            i18n:
              - 'i18n/**'
+              - 'mise.toml'
            web:
              - 'web/**'
              - 'i18n/**'
              - 'packages/sdk/**'
              - 'pnpm-lock.yaml'
+              - 'mise.toml'
            server:
              - 'server/**'
              - 'pnpm-lock.yaml'
+              - 'mise.toml'
            cli:
              - 'packages/cli/**'
              - 'packages/sdk/**'
              - 'pnpm-lock.yaml'
+              - 'mise.toml'
            e2e:
              - 'e2e/**'
              - 'pnpm-lock.yaml'
+              - 'mise.toml'
            mobile:
              - 'mobile/**'
+              - 'mise.toml'
            machine-learning:
              - 'machine-learning/**'
+              - 'mise.toml'
            .github:
              - '.github/**'
          force-filters: |
@@ -0,0 +1,65 @@
+# @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html
+
+[[tools.opentofu]]
+version = "1.11.6"
+backend = "aqua:opentofu/opentofu"
+
+[tools.opentofu."platforms.linux-arm64"]
+checksum = "sha256:d4f2ab15776925864b049bb329d69682851de6f5204f256e9fa86d07a0308850"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_linux_arm64.tar.gz"
+
+[tools.opentofu."platforms.linux-arm64-musl"]
+checksum = "sha256:d4f2ab15776925864b049bb329d69682851de6f5204f256e9fa86d07a0308850"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_linux_arm64.tar.gz"
+
+[tools.opentofu."platforms.linux-x64"]
+checksum = "sha256:02800fafa2753a9f50c38483e2fdf5bc353fd62895eb9e25eec9a5145df3a69e"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_linux_amd64.tar.gz"
+
+[tools.opentofu."platforms.linux-x64-musl"]
+checksum = "sha256:02800fafa2753a9f50c38483e2fdf5bc353fd62895eb9e25eec9a5145df3a69e"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_linux_amd64.tar.gz"
+
+[tools.opentofu."platforms.macos-arm64"]
+checksum = "sha256:62d7fa8539e13b444827aa0a3b90c5972da5c47e8f8882d9dcf2e430e78840c1"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_darwin_arm64.tar.gz"
+
+[tools.opentofu."platforms.macos-x64"]
+checksum = "sha256:1408cdef1c380f914565e6b4bb70794c6b163f195fcb233357f3d6c5745906b6"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_darwin_amd64.tar.gz"
+
+[tools.opentofu."platforms.windows-x64"]
+checksum = "sha256:27323f70c875b8251bfd7e61a4cffc3ebff4e56ed1e611b955016f0c7077367e"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_windows_amd64.tar.gz"
+
+[[tools.terragrunt]]
+version = "1.0.3"
+backend = "aqua:gruntwork-io/terragrunt"
+
+[tools.terragrunt."platforms.linux-arm64"]
+checksum = "sha256:e5b60ab05b5214db694e6bc215d8124fb626e277cdb56b86f6147ae110d510fe"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_linux_arm64.tar.gz"
+
+[tools.terragrunt."platforms.linux-arm64-musl"]
+checksum = "sha256:e5b60ab05b5214db694e6bc215d8124fb626e277cdb56b86f6147ae110d510fe"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_linux_arm64.tar.gz"
+
+[tools.terragrunt."platforms.linux-x64"]
+checksum = "sha256:6d48049baf82e0bf9c804368dc85cbfeadc10955e33777e9e8de3e020b94b073"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_linux_amd64.tar.gz"
+
+[tools.terragrunt."platforms.linux-x64-musl"]
+checksum = "sha256:6d48049baf82e0bf9c804368dc85cbfeadc10955e33777e9e8de3e020b94b073"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_linux_amd64.tar.gz"
+
+[tools.terragrunt."platforms.macos-arm64"]
+checksum = "sha256:aacb5be2ca5475300cbce246dfbd8a45eb47510fbaa70fab8561c49ef5db03aa"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_darwin_arm64.tar.gz"
+
+[tools.terragrunt."platforms.macos-x64"]
+checksum = "sha256:3133c2251e191aede8e3dd2a5b3aee2e91c5f08f88f117aee40eed9a24c8ef6b"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_darwin_amd64.tar.gz"
+
+[tools.terragrunt."platforms.windows-x64"]
+checksum = "sha256:183b2745b4e04980a6bfa4450ff81956a12596ca22d70f7aaa793980f5b036db"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_windows_amd64.exe.tar.gz"
@@ -5,7 +5,7 @@ After making any changes in the `server/src/schema`, a database migration need t
 1. Run the command

 ```bash
-mise //server:migrations generate <migration-name>
+pnpm run migrations:generate <migration-name>
 ```

 2. Check if the migration file makes sense.
@@ -18,7 +18,7 @@ The server will automatically detect `*.ts` file changes and restart. Part of th
 If you need to undo the most recently applied migration—for example, when developing or testing on schema changes—run:

 ```bash
-mise //server:migrations revert
+pnpm run migrations:revert
 ```

 This command rolls back the latest migration and brings the database schema back to its previous state.
@@ -252,33 +252,44 @@ To connect the mobile app to your Dev Container:

 The Dev Container supports multiple ways to run tests:

+#### Using Mise Commands (Recommended)
+
 ```bash
-# Server
-mise //server:test          # unit tests
-mise //server:test-medium   # medium / integration tests
-
-# Web
-mise //web:test             # unit tests
-
-# E2E
-mise //e2e:test             # API tests
-mise //e2e:test-web         # web UI tests (Playwright)
-
-# Run all checks for a component
-mise //server:checklist
-mise //web:checklist
+# Run tests for specific components
+mise run checklist      # in `server/`, `web/`, `packages/cli`
 ```

-### Additional Commands
+#### Using PNPM Directly
+
+```bash
+# Server tests
+cd /workspaces/immich/server
+pnpm test               # Run all tests
+pnpm run test:medium    # Medium tests (integration tests)
+pnpm run test:watch     # Watch mode
+pnpm run test:cov       # Coverage report
+
+# Web tests
+cd /workspaces/immich/web
+pnpm test               # Run all tests
+pnpm run test:watch     # Watch mode
+
+# E2E tests
+cd /workspaces/immich/e2e
+pnpm run test           # Run API tests
+pnpm run test:web       # Run web UI tests
+```
+
+### Additional Make Commands

 ```bash
 # API generation
-mise //:open-api             # Generate OpenAPI specs
-mise //:open-api-typescript  # Generate TypeScript SDK
-mise //:open-api-dart        # Generate Dart SDK
+make open-api           # Generate OpenAPI specs
+make open-api-typescript # Generate TypeScript SDK
+make open-api-dart      # Generate Dart SDK

 # Database
-mise //server:sql            # Sync database schema
+mise sql                # Sync database schema
 ```

 ### Debugging
@@ -8,42 +8,34 @@ When contributing code through a pull request, please check the following:

 ## Web Checks

- [ ] `mise //web:lint` (linting via ESLint)
- [ ] `mise //web:format` (formatting via Prettier)
- [ ] `mise //web:check-svelte` (type checking via SvelteKit)
- [ ] `mise //web:check-typescript` (type checking via `tsc`)
- [ ] `mise //web:test` (unit tests)
+- [ ] `pnpm run lint` (linting via ESLint)
+- [ ] `pnpm run format` (formatting via Prettier)
+- [ ] `pnpm run check:svelte` (Type checking via SvelteKit)
+- [ ] `pnpm run check:typescript` (check typescript)
+- [ ] `pnpm test` (unit tests)

 :::tip AIO
-Run all web checks with `mise //web:checklist`
-:::
-
-:::tip Auto Fix
-Use `mise //web:lint-fix` and `mise //web:format-fix` to automatically correct some issues.
+Run all web checks with `pnpm run check:all`
 :::

 ## Documentation

- [ ] `mise //docs:format` (formatting via Prettier)
+- [ ] `pnpm run format` (formatting via Prettier)
 - [ ] Update the `_redirects` file if you have renamed a page or removed it from the documentation.

-:::tip Auto Fix
-Use `mise //docs:format-fix` to automatically fix formatting.
-:::
-
 ## Server Checks

- [ ] `mise //server:lint` (linting via ESLint)
- [ ] `mise //server:format` (formatting via Prettier)
- [ ] `mise //server:check` (type checking via `tsc`)
- [ ] `mise //server:test` (unit tests)
+- [ ] `pnpm run lint` (linting via ESLint)
+- [ ] `pnpm run format` (formatting via Prettier)
+- [ ] `pnpm run check` (Type checking via `tsc`)
+- [ ] `pnpm test` (unit tests)

 :::tip AIO
-Run all server checks with `mise //server:checklist`
+Run all server checks with `pnpm run check:all`
 :::

 :::tip Auto Fix
-Use `mise //server:lint-fix` and `mise //server:format-fix` to automatically correct some issues.
+You can use `pnpm run __:fix` to potentially correct some issues automatically for `pnpm run format` and `lint`.
 :::

 ## Mobile Checklist
@@ -61,17 +53,6 @@ Run all these commands at once with `mise //mobile:checklist`
 You can use `mise //mobile:lint-fix` to potentially correct some issues automatically for `mise //mobile:lint`.
 :::

-## Machine Learning Checklist
-
- [ ] `mise //machine-learning:lint` (linting via ruff)
- [ ] `mise //machine-learning:format` (formatting via ruff)
- [ ] `mise //machine-learning:check` (type checking via mypy)
- [ ] `mise //machine-learning:test` (unit tests via pytest)
-
-:::tip AIO
-Run all machine learning checks with `mise //machine-learning:checklist`
-:::
-
 ## OpenAPI

 The OpenAPI client libraries need to be regenerated whenever there are changes to the `immich-openapi-specs.json` file. Note that you should not modify this file directly as it is auto-generated. See [OpenAPI](/api.md) for more details.
@@ -32,10 +32,6 @@ This environment includes the services below. Additional details are available i

 All the services are packaged to run as with single Docker Compose command.

-:::tip mise
-[mise](https://mise.jdx.dev) is used throughout the project to manage tool versions and run tasks. [Install mise](https://mise.jdx.dev/installing-mise.html), then from the repo root run `mise trust` and `mise install` to get all required tools. Tasks for each service can be run from the repo root using `mise //namespace:task` (e.g. `mise //server:lint`). To list all available tasks, run `mise tasks ls --all`.
-:::
-
 ### Server and web apps

 1. Clone the project repo.
@@ -60,23 +56,22 @@ You can access the web from `http://your-machine-ip:3000` or `http://localhost:3

 #### Connect web to a remote backend

-If you only want to do web development connected to an existing, remote backend, run from the repo root:
+If you only want to do web development connected to an existing, remote backend, follow these steps:
+
+1. Build the Immich SDK - `pnpm --filter @immich/sdk install && pnpm --filter @immich/sdk build`
+2. Enter the web directory - `cd web/`
+3. Install web dependencies - `pnpm i`
+4. Start the web development server

 ```bash
-IMMICH_SERVER_URL=https://demo.immich.app/ mise //web:start
-```
-
-This will install all dependencies (including the SDK) and start the dev server in one step. To connect to the hosted demo server specifically, use the shorthand:
-
-```bash
-mise //web:start-demo
+IMMICH_SERVER_URL=https://demo.immich.app/ pnpm run dev
 ```

 If you're using PowerShell on Windows you may need to set the env var separately like so:

 ```powershell
 $env:IMMICH_SERVER_URL = "https://demo.immich.app/"
-mise //web:start
+pnpm run dev
 ```

 #### `@immich/ui`
@@ -95,16 +90,20 @@ To see local changes to `@immich/ui` in Immich, do the following:

 #### Setup

-1. Run `mise //mobile:install` to install Flutter dependencies.
-2. Run `mise //mobile:translation` to generate the translation file.
-3. Change to the `mobile/` directory and run `flutter run` to start the app.
+1. [Install mise](https://mise.jdx.dev/installing-mise.html).
+2. Change to the immich (root) directory and trust the mise config with `mise trust`.
+3. Install tools with mise: `mise install`.
+4. Change to the `mobile/` directory.
+5. Run `flutter pub get` to install the dependencies.
+6. Run `make translation` to generate the translation file.
+7. Run `flutter run` to start the app.

 #### Translation

-To add a new translation text, enter the key-value pair in the `i18n/en.json` in the root of the immich project. Then run:
+To add a new translation text, enter the key-value pair in the `i18n/en.json` in the root of the immich project. Then, from the `mobile/` directory, run

 ```bash
-mise //mobile:translation
+make translation
 ```

 The mobile app asks you what backend to connect to. You can utilize the demo backend (https://demo.immich.app/) if you don't need to change server code or upload photos. Alternatively, you can run the server yourself per the instructions above.
@@ -4,8 +4,8 @@

 ### Unit tests

-Unit tests are run with `mise //server:test`.
-You need to run `mise //server:install` before _once_.
+Unit are run by calling `pnpm run test` from the `server/` directory.
+You need to run `pnpm install` (in `server/`) before _once_.

 ### End to end tests

@@ -17,7 +17,8 @@ make e2e

 Before you can run the tests, you need to run the following commands _once_:

- `mise //e2e:ci-setup` (installs e2e, SDK, and CLI dependencies)
+- `pnpm install`
+- `pnpm --filter @immich/sdk --filter @immich/cli build`
 - `mise //:open-api`

 Once the test environment is running, the e2e tests can be run via:
@@ -10,7 +10,6 @@ const config = {
  url: 'https://docs.immich.app',
  baseUrl: '/',
  onBrokenLinks: 'throw',
-  onBrokenMarkdownLinks: 'warn',
  favicon: 'img/favicon.png',

  // GitHub pages deployment config.
@@ -29,6 +28,9 @@ const config = {
  // Mermaid diagrams
  markdown: {
    mermaid: true,
+    hooks: {
+      onBrokenMarkdownLinks: 'warn',
+    },
  },
  themes: ['@docusaurus/theme-mermaid'],

@@ -0,0 +1,5 @@
+# @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html
+
+[[tools.wrangler]]
+version = "4.66.0"
+backend = "npm:wrangler"
@@ -3,7 +3,7 @@ run = "pnpm install --filter documentation --frozen-lockfile"

 [tasks.start]
 env._.path = "./node_modules/.bin"
-run = "docusaurus start --port 3005"
+run = "docusaurus --port 3005"

 [tasks.build]
 env._.path = "./node_modules/.bin"
@@ -28,4 +28,4 @@ run = "prettier --write ."
 run = "wrangler pages deploy build --project-name=${PROJECT_NAME} --branch=${BRANCH_NAME}"

 [tools]
-wrangler = "4.66.0"
+wrangler = "4.91.0"
@@ -32,7 +32,7 @@
    "@playwright/test": "^1.44.1",
    "@socket.io/component-emitter": "^3.1.2",
    "@types/luxon": "^3.4.2",
-    "@types/node": "^24.12.2",
+    "@types/node": "^24.12.4",
    "@types/pg": "^8.15.1",
    "@types/pngjs": "^6.0.4",
    "@types/supertest": "^7.0.0",
@@ -0,0 +1,72 @@
+# @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html
+
+[[tools.python]]
+version = "3.11.15"
+backend = "core:python"
+
+[tools.python."platforms.linux-arm64"]
+checksum = "sha256:243f794278eff6adba96ed3677ec6877175df84c25f140e17f09f9be82d0f12a"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260510/cpython-3.11.15+20260510-aarch64-unknown-linux-gnu-install_only_stripped.tar.gz"
+provenance = "github-attestations"
+
+[tools.python."platforms.linux-arm64-musl"]
+checksum = "sha256:52b4c52094ff8b383a45c694acf4c5c0e883152be6d5229a35a8186ce907c6eb"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260510/cpython-3.11.15+20260510-aarch64-unknown-linux-musl-install_only_stripped.tar.gz"
+provenance = "github-attestations"
+
+[tools.python."platforms.linux-x64"]
+checksum = "sha256:171dffd8c0f66e8a0725364a7428015b22fc18dd298b24f541392e17dd0e561f"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260510/cpython-3.11.15+20260510-x86_64-unknown-linux-gnu-install_only_stripped.tar.gz"
+provenance = "github-attestations"
+
+[tools.python."platforms.linux-x64-musl"]
+checksum = "sha256:2ac90fef8917ebd14826a6d667593a06cf0ae5f745ba9b1147dc086dd35f5284"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260510/cpython-3.11.15+20260510-x86_64-unknown-linux-musl-install_only_stripped.tar.gz"
+provenance = "github-attestations"
+
+[tools.python."platforms.macos-arm64"]
+checksum = "sha256:fdfc363b538662eb7441a14e06f72c4a992c56af7f401f5730ea5081f8f8ad6e"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260510/cpython-3.11.15+20260510-aarch64-apple-darwin-install_only_stripped.tar.gz"
+provenance = "github-attestations"
+
+[tools.python."platforms.macos-x64"]
+checksum = "sha256:5f1eb247cbca2c0ad5ccbf6d299a4f54b31b5c63b492d74c3531dc4344a42f88"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260510/cpython-3.11.15+20260510-x86_64-apple-darwin-install_only_stripped.tar.gz"
+provenance = "github-attestations"
+
+[tools.python."platforms.windows-x64"]
+checksum = "sha256:756d7f148498b8822f6aedf44a020613576f09983161f346ad36dcef6238cdc3"
+url = "https://github.com/astral-sh/python-build-standalone/releases/download/20260510/cpython-3.11.15+20260510-x86_64-pc-windows-msvc-install_only_stripped.tar.gz"
+provenance = "github-attestations"
+
+[[tools.uv]]
+version = "0.8.15"
+backend = "aqua:astral-sh/uv"
+
+[tools.uv."platforms.linux-arm64"]
+checksum = "sha256:23ea21a05c62c4c307ce691f29bff2f15c94c4f07f2b83d9b356f0664bc8b3a2"
+url = "https://github.com/astral-sh/uv/releases/download/0.8.15/uv-aarch64-unknown-linux-musl.tar.gz"
+
+[tools.uv."platforms.linux-arm64-musl"]
+checksum = "sha256:23ea21a05c62c4c307ce691f29bff2f15c94c4f07f2b83d9b356f0664bc8b3a2"
+url = "https://github.com/astral-sh/uv/releases/download/0.8.15/uv-aarch64-unknown-linux-musl.tar.gz"
+
+[tools.uv."platforms.linux-x64"]
+checksum = "sha256:d0fec58f3124e05e0a1af0f6541abfce4333253cdaf23c7b6bb2e6128bf138ea"
+url = "https://github.com/astral-sh/uv/releases/download/0.8.15/uv-x86_64-unknown-linux-musl.tar.gz"
+
+[tools.uv."platforms.linux-x64-musl"]
+checksum = "sha256:d0fec58f3124e05e0a1af0f6541abfce4333253cdaf23c7b6bb2e6128bf138ea"
+url = "https://github.com/astral-sh/uv/releases/download/0.8.15/uv-x86_64-unknown-linux-musl.tar.gz"
+
+[tools.uv."platforms.macos-arm64"]
+checksum = "sha256:103367962c5cb00bf7370d84cbaa3fec5a9807be9cc833ea9d8eea400c119fa2"
+url = "https://github.com/astral-sh/uv/releases/download/0.8.15/uv-aarch64-apple-darwin.tar.gz"
+
+[tools.uv."platforms.macos-x64"]
+checksum = "sha256:2bbef70982e97dfc36454de173f35ec1a5e83ae11e3885df6a50db3fd76171cb"
+url = "https://github.com/astral-sh/uv/releases/download/0.8.15/uv-x86_64-apple-darwin.tar.gz"
+
+[tools.uv."platforms.windows-x64"]
+checksum = "sha256:459d95892a5cc5c21779532f4f41b9238594b79e312a5142da2148ecfa10e705"
+url = "https://github.com/astral-sh/uv/releases/download/0.8.15/uv-x86_64-pc-windows-msvc.zip"
@@ -0,0 +1,391 @@
+# @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html
+
+[[tools.flutter]]
+version = "3.41.9-stable"
+backend = "asdf:flutter"
+
+[[tools."github:CQLabs/homebrew-dcm"]]
+version = "1.37.0"
+backend = "github:CQLabs/homebrew-dcm"
+
+[tools."github:CQLabs/homebrew-dcm"."platforms.linux-arm64"]
+checksum = "sha256:253da2512b149913dfe345bf9a62a79acb2d730f66e71162ba4a92dfc4224b82"
+url = "https://github.com/CQLabs/homebrew-dcm/releases/download/1.37.0/dcm-linux-arm-release.zip"
+url_api = "https://api.github.com/repos/CQLabs/homebrew-dcm/releases/assets/404543838"
+github_attestations = "unavailable"
+
+[tools."github:CQLabs/homebrew-dcm"."platforms.linux-arm64-musl"]
+checksum = "sha256:253da2512b149913dfe345bf9a62a79acb2d730f66e71162ba4a92dfc4224b82"
+url = "https://github.com/CQLabs/homebrew-dcm/releases/download/1.37.0/dcm-linux-arm-release.zip"
+url_api = "https://api.github.com/repos/CQLabs/homebrew-dcm/releases/assets/404543838"
+github_attestations = "unavailable"
+
+[tools."github:CQLabs/homebrew-dcm"."platforms.linux-x64"]
+checksum = "sha256:477e086d4099c12f21e5ccd83b005d5fb945dd4cac4fd127fd9a08d7649af1cf"
+url = "https://github.com/CQLabs/homebrew-dcm/releases/download/1.37.0/dcm-linux-x64-release.zip"
+url_api = "https://api.github.com/repos/CQLabs/homebrew-dcm/releases/assets/404543797"
+github_attestations = "unavailable"
+
+[tools."github:CQLabs/homebrew-dcm"."platforms.linux-x64-musl"]
+checksum = "sha256:477e086d4099c12f21e5ccd83b005d5fb945dd4cac4fd127fd9a08d7649af1cf"
+url = "https://github.com/CQLabs/homebrew-dcm/releases/download/1.37.0/dcm-linux-x64-release.zip"
+url_api = "https://api.github.com/repos/CQLabs/homebrew-dcm/releases/assets/404543797"
+github_attestations = "unavailable"
+
+[tools."github:CQLabs/homebrew-dcm"."platforms.macos-arm64"]
+checksum = "sha256:30bede64367d09067093cc57af6ec9496d7717898138ded5cb98a16ac8dd9d93"
+url = "https://github.com/CQLabs/homebrew-dcm/releases/download/1.37.0/dcm-macos-arm-release.zip"
+url_api = "https://api.github.com/repos/CQLabs/homebrew-dcm/releases/assets/404543757"
+github_attestations = "unavailable"
+
+[tools."github:CQLabs/homebrew-dcm"."platforms.macos-x64"]
+checksum = "sha256:e56cb99872be7445a4de1d37e5438ca70e3bcd83be7a2b9b385e3538881f8068"
+url = "https://github.com/CQLabs/homebrew-dcm/releases/download/1.37.0/dcm-macos-x64-release.zip"
+url_api = "https://api.github.com/repos/CQLabs/homebrew-dcm/releases/assets/404543727"
+github_attestations = "unavailable"
+
+[tools."github:CQLabs/homebrew-dcm"."platforms.windows-x64"]
+checksum = "sha256:f133470daa3fb0427f039b424392af7e917d7e7db6b556aa2a968ab0e31587da"
+url = "https://github.com/CQLabs/homebrew-dcm/releases/download/1.37.0/dcm-windows-release.zip"
+url_api = "https://api.github.com/repos/CQLabs/homebrew-dcm/releases/assets/404543660"
+github_attestations = "unavailable"
+
+[[tools."github:extism/cli"]]
+version = "1.6.3"
+backend = "github:extism/cli"
+
+[tools."github:extism/cli"."platforms.linux-arm64"]
+checksum = "sha256:d92f830c9be39637569feacb04e9750c28848df6d9a219db94152a9b4eb9452b"
+url = "https://github.com/extism/cli/releases/download/v1.6.3/extism-v1.6.3-linux-arm64.tar.gz"
+url_api = "https://api.github.com/repos/extism/cli/releases/assets/275694030"
+github_attestations = "unavailable"
+
+[tools."github:extism/cli"."platforms.linux-arm64-musl"]
+checksum = "sha256:d92f830c9be39637569feacb04e9750c28848df6d9a219db94152a9b4eb9452b"
+url = "https://github.com/extism/cli/releases/download/v1.6.3/extism-v1.6.3-linux-arm64.tar.gz"
+url_api = "https://api.github.com/repos/extism/cli/releases/assets/275694030"
+github_attestations = "unavailable"
+
+[tools."github:extism/cli"."platforms.linux-x64"]
+checksum = "sha256:34e7ae9bfded6e2c32dee83f70a4e50d34f9d3e80d1762b09625fe82e214d02d"
+url = "https://github.com/extism/cli/releases/download/v1.6.3/extism-v1.6.3-linux-amd64.tar.gz"
+url_api = "https://api.github.com/repos/extism/cli/releases/assets/275694025"
+github_attestations = "unavailable"
+
+[tools."github:extism/cli"."platforms.linux-x64-musl"]
+checksum = "sha256:34e7ae9bfded6e2c32dee83f70a4e50d34f9d3e80d1762b09625fe82e214d02d"
+url = "https://github.com/extism/cli/releases/download/v1.6.3/extism-v1.6.3-linux-amd64.tar.gz"
+url_api = "https://api.github.com/repos/extism/cli/releases/assets/275694025"
+github_attestations = "unavailable"
+
+[tools."github:extism/cli"."platforms.macos-arm64"]
+checksum = "sha256:b4ddbc575b5ac000115247f781723f9b9f284ed87b29c600539d72161b5b29fc"
+url = "https://github.com/extism/cli/releases/download/v1.6.3/extism-v1.6.3-darwin-arm64.tar.gz"
+url_api = "https://api.github.com/repos/extism/cli/releases/assets/275694029"
+github_attestations = "unavailable"
+
+[tools."github:extism/cli"."platforms.macos-x64"]
+checksum = "sha256:9a2f71b6e6009685a622cc3084e52d2a1a8e23c98d29ffa72e666e9dc699855f"
+url = "https://github.com/extism/cli/releases/download/v1.6.3/extism-v1.6.3-darwin-amd64.tar.gz"
+url_api = "https://api.github.com/repos/extism/cli/releases/assets/275694026"
+github_attestations = "unavailable"
+
+[tools."github:extism/cli"."platforms.windows-x64"]
+checksum = "sha256:47e4ed2782445b2b08a4d1ac127211588f8b4d1fc25fd6481d4cb65151b5213c"
+url = "https://github.com/extism/cli/releases/download/v1.6.3/extism-v1.6.3-windows-amd64.zip"
+url_api = "https://api.github.com/repos/extism/cli/releases/assets/275694035"
+github_attestations = "unavailable"
+
+[[tools."github:extism/js-pdk"]]
+version = "1.6.0"
+backend = "github:extism/js-pdk"
+
+[tools."github:extism/js-pdk"."platforms.linux-arm64"]
+checksum = "sha256:15a186250e68d6bff4ec839fff275d45a90e383a69209dcc1239eb9e3aee6e1b"
+url = "https://github.com/extism/js-pdk/releases/download/v1.6.0/extism-js-aarch64-linux-v1.6.0.gz"
+url_api = "https://api.github.com/repos/extism/js-pdk/releases/assets/353223214"
+github_attestations = "unavailable"
+
+[tools."github:extism/js-pdk"."platforms.linux-arm64-musl"]
+checksum = "sha256:15a186250e68d6bff4ec839fff275d45a90e383a69209dcc1239eb9e3aee6e1b"
+url = "https://github.com/extism/js-pdk/releases/download/v1.6.0/extism-js-aarch64-linux-v1.6.0.gz"
+url_api = "https://api.github.com/repos/extism/js-pdk/releases/assets/353223214"
+github_attestations = "unavailable"
+
+[tools."github:extism/js-pdk"."platforms.linux-x64"]
+checksum = "sha256:4ded271ccf465031ccd0dc35e7a140e134d7f30721671cc4a8e1ff805d4aad68"
+url = "https://github.com/extism/js-pdk/releases/download/v1.6.0/extism-js-x86_64-linux-v1.6.0.gz"
+url_api = "https://api.github.com/repos/extism/js-pdk/releases/assets/353223119"
+github_attestations = "unavailable"
+
+[tools."github:extism/js-pdk"."platforms.linux-x64-musl"]
+checksum = "sha256:4ded271ccf465031ccd0dc35e7a140e134d7f30721671cc4a8e1ff805d4aad68"
+url = "https://github.com/extism/js-pdk/releases/download/v1.6.0/extism-js-x86_64-linux-v1.6.0.gz"
+url_api = "https://api.github.com/repos/extism/js-pdk/releases/assets/353223119"
+github_attestations = "unavailable"
+
+[tools."github:extism/js-pdk"."platforms.macos-arm64"]
+checksum = "sha256:548e25bda3971a07c32d78a249135cf8cb7b3eede101e878e06e53e01ac2e0ce"
+url = "https://github.com/extism/js-pdk/releases/download/v1.6.0/extism-js-aarch64-macos-v1.6.0.gz"
+url_api = "https://api.github.com/repos/extism/js-pdk/releases/assets/353223215"
+github_attestations = "unavailable"
+
+[tools."github:extism/js-pdk"."platforms.macos-x64"]
+checksum = "sha256:d85a875c2a071f0c29fe572764c52c3a499f157ab7f9efac8939a4364390e29b"
+url = "https://github.com/extism/js-pdk/releases/download/v1.6.0/extism-js-x86_64-macos-v1.6.0.gz"
+url_api = "https://api.github.com/repos/extism/js-pdk/releases/assets/353223239"
+github_attestations = "unavailable"
+
+[tools."github:extism/js-pdk"."platforms.windows-x64"]
+checksum = "sha256:97b7b746141e4777e1ca2b76febdeb16dc9d314ff6a4257df05a476b67228acc"
+url = "https://github.com/extism/js-pdk/releases/download/v1.6.0/extism-js-x86_64-windows-v1.6.0.gz"
+url_api = "https://api.github.com/repos/extism/js-pdk/releases/assets/353224133"
+github_attestations = "unavailable"
+
+[[tools."github:jellyfin/jellyfin-ffmpeg"]]
+version = "7.1.3-6"
+backend = "github:jellyfin/jellyfin-ffmpeg"
+
+[tools."github:jellyfin/jellyfin-ffmpeg"."platforms.linux-arm64"]
+checksum = "sha256:bea03c670e8cc5bfe9edc0c5d624d4735421610cef5e808db93e7d8596952886"
+url = "https://github.com/jellyfin/jellyfin-ffmpeg/releases/download/v7.1.3-6/jellyfin-ffmpeg_7.1.3-6_portable_linuxarm64-gpl.tar.xz"
+url_api = "https://api.github.com/repos/jellyfin/jellyfin-ffmpeg/releases/assets/409048876"
+github_attestations = "unavailable"
+
+[tools."github:jellyfin/jellyfin-ffmpeg"."platforms.linux-arm64-musl"]
+checksum = "sha256:bea03c670e8cc5bfe9edc0c5d624d4735421610cef5e808db93e7d8596952886"
+url = "https://github.com/jellyfin/jellyfin-ffmpeg/releases/download/v7.1.3-6/jellyfin-ffmpeg_7.1.3-6_portable_linuxarm64-gpl.tar.xz"
+url_api = "https://api.github.com/repos/jellyfin/jellyfin-ffmpeg/releases/assets/409048876"
+github_attestations = "unavailable"
+
+[tools."github:jellyfin/jellyfin-ffmpeg"."platforms.linux-x64"]
+checksum = "sha256:39e99a7927468a6abec5f65d00f55010e8ff2ae3c2605294f179c94f6ae21af2"
+url = "https://github.com/jellyfin/jellyfin-ffmpeg/releases/download/v7.1.3-6/jellyfin-ffmpeg_7.1.3-6_portable_linux64-gpl.tar.xz"
+url_api = "https://api.github.com/repos/jellyfin/jellyfin-ffmpeg/releases/assets/409048879"
+github_attestations = "unavailable"
+
+[tools."github:jellyfin/jellyfin-ffmpeg"."platforms.linux-x64-musl"]
+checksum = "sha256:39e99a7927468a6abec5f65d00f55010e8ff2ae3c2605294f179c94f6ae21af2"
+url = "https://github.com/jellyfin/jellyfin-ffmpeg/releases/download/v7.1.3-6/jellyfin-ffmpeg_7.1.3-6_portable_linux64-gpl.tar.xz"
+url_api = "https://api.github.com/repos/jellyfin/jellyfin-ffmpeg/releases/assets/409048879"
+github_attestations = "unavailable"
+
+[tools."github:jellyfin/jellyfin-ffmpeg"."platforms.macos-arm64"]
+checksum = "sha256:e024d5e78d5414e75f0181036cd21373fafb9270c72894dfd7dbda2572439820"
+url = "https://github.com/jellyfin/jellyfin-ffmpeg/releases/download/v7.1.3-6/jellyfin-ffmpeg_7.1.3-6_portable_macarm64-gpl.tar.xz"
+url_api = "https://api.github.com/repos/jellyfin/jellyfin-ffmpeg/releases/assets/408995838"
+github_attestations = "unavailable"
+
+[tools."github:jellyfin/jellyfin-ffmpeg"."platforms.macos-x64"]
+checksum = "sha256:066ede9774aaae97a18098aaeea8b7e0d286653eb8618f640476e99c59a536c2"
+url = "https://github.com/jellyfin/jellyfin-ffmpeg/releases/download/v7.1.3-6/jellyfin-ffmpeg_7.1.3-6_portable_mac64-gpl.tar.xz"
+url_api = "https://api.github.com/repos/jellyfin/jellyfin-ffmpeg/releases/assets/408995889"
+github_attestations = "unavailable"
+
+[tools."github:jellyfin/jellyfin-ffmpeg"."platforms.windows-x64"]
+checksum = "sha256:7b7168149689610296f3a187c717056ce0786cc125a31caf28056737e9ba1cc1"
+url = "https://github.com/jellyfin/jellyfin-ffmpeg/releases/download/v7.1.3-6/jellyfin-ffmpeg_7.1.3-6_portable_win64-clang-gpl.zip"
+url_api = "https://api.github.com/repos/jellyfin/jellyfin-ffmpeg/releases/assets/409036094"
+github_attestations = "unavailable"
+
+[[tools."github:webassembly/binaryen"]]
+version = "version_124"
+backend = "github:webassembly/binaryen"
+
+[tools."github:webassembly/binaryen"."platforms.linux-arm64"]
+checksum = "sha256:6291bd9a57d8e046f3bc099a4db386c147433a87f71c783a901c5b1792e38de3"
+url = "https://github.com/WebAssembly/binaryen/releases/download/version_124/binaryen-version_124-aarch64-linux.tar.gz"
+url_api = "https://api.github.com/repos/WebAssembly/binaryen/releases/assets/288927659"
+github_attestations = "unavailable"
+
+[tools."github:webassembly/binaryen"."platforms.linux-arm64-musl"]
+checksum = "sha256:6291bd9a57d8e046f3bc099a4db386c147433a87f71c783a901c5b1792e38de3"
+url = "https://github.com/WebAssembly/binaryen/releases/download/version_124/binaryen-version_124-aarch64-linux.tar.gz"
+url_api = "https://api.github.com/repos/WebAssembly/binaryen/releases/assets/288927659"
+github_attestations = "unavailable"
+
+[tools."github:webassembly/binaryen"."platforms.linux-x64"]
+checksum = "sha256:0290c3779fedf592b8da0ded3032ff55c41a2b7bfa2d6bf7b7bac6f0e6e28963"
+url = "https://github.com/WebAssembly/binaryen/releases/download/version_124/binaryen-version_124-x86_64-linux.tar.gz"
+url_api = "https://api.github.com/repos/WebAssembly/binaryen/releases/assets/288926769"
+github_attestations = "unavailable"
+
+[tools."github:webassembly/binaryen"."platforms.linux-x64-musl"]
+checksum = "sha256:0290c3779fedf592b8da0ded3032ff55c41a2b7bfa2d6bf7b7bac6f0e6e28963"
+url = "https://github.com/WebAssembly/binaryen/releases/download/version_124/binaryen-version_124-x86_64-linux.tar.gz"
+url_api = "https://api.github.com/repos/WebAssembly/binaryen/releases/assets/288926769"
+github_attestations = "unavailable"
+
+[tools."github:webassembly/binaryen"."platforms.macos-arm64"]
+checksum = "sha256:86a2c960ff62c6d2ea6009d1f89745c22c70100d394a095eab45eb941bdaa24c"
+url = "https://github.com/WebAssembly/binaryen/releases/download/version_124/binaryen-version_124-arm64-macos.tar.gz"
+url_api = "https://api.github.com/repos/WebAssembly/binaryen/releases/assets/288926134"
+github_attestations = "unavailable"
+
+[tools."github:webassembly/binaryen"."platforms.macos-x64"]
+checksum = "sha256:b389bb0731758d86c3cb266d01d28a12725c23bd3cabc3df34faa162af0887e9"
+url = "https://github.com/WebAssembly/binaryen/releases/download/version_124/binaryen-version_124-x86_64-macos.tar.gz"
+url_api = "https://api.github.com/repos/WebAssembly/binaryen/releases/assets/288926135"
+github_attestations = "unavailable"
+
+[tools."github:webassembly/binaryen"."platforms.windows-x64"]
+checksum = "sha256:b5e1d2a1ad3c03229ddc89823848f4a1c11f9c6402a51fa26f0aaa5f1d7a2203"
+url = "https://github.com/WebAssembly/binaryen/releases/download/version_124/binaryen-version_124-x86_64-windows.tar.gz"
+url_api = "https://api.github.com/repos/WebAssembly/binaryen/releases/assets/288925833"
+github_attestations = "unavailable"
+
+[[tools.java]]
+version = "21.0.2"
+backend = "core:java"
+
+[tools.java."platforms.linux-arm64"]
+checksum = "sha256:08db1392a48d4eb5ea5315cf8f18b89dbaf36cda663ba882cf03c704c9257ec2"
+url = "https://download.java.net/java/GA/jdk21.0.2/f2283984656d49d69e91c558476027ac/13/GPL/openjdk-21.0.2_linux-aarch64_bin.tar.gz"
+
+[tools.java."platforms.linux-x64"]
+checksum = "sha256:a2def047a73941e01a73739f92755f86b895811afb1f91243db214cff5bdac3f"
+url = "https://download.java.net/java/GA/jdk21.0.2/f2283984656d49d69e91c558476027ac/13/GPL/openjdk-21.0.2_linux-x64_bin.tar.gz"
+
+[tools.java."platforms.macos-arm64"]
+checksum = "sha256:b3d588e16ec1e0ef9805d8a696591bd518a5cea62567da8f53b5ce32d11d22e4"
+url = "https://download.java.net/java/GA/jdk21.0.2/f2283984656d49d69e91c558476027ac/13/GPL/openjdk-21.0.2_macos-aarch64_bin.tar.gz"
+
+[tools.java."platforms.macos-x64"]
+checksum = "sha256:8fd09e15dc406387a0aba70bf5d99692874e999bf9cd9208b452b5d76ac922d3"
+url = "https://download.java.net/java/GA/jdk21.0.2/f2283984656d49d69e91c558476027ac/13/GPL/openjdk-21.0.2_macos-x64_bin.tar.gz"
+
+[tools.java."platforms.windows-x64"]
+checksum = "sha256:b6c17e747ae78cdd6de4d7532b3164b277daee97c007d3eaa2b39cca99882664"
+url = "https://download.java.net/java/GA/jdk21.0.2/f2283984656d49d69e91c558476027ac/13/GPL/openjdk-21.0.2_windows-x64_bin.zip"
+
+[[tools.node]]
+version = "24.15.0"
+backend = "core:node"
+
+[tools.node."platforms.linux-arm64"]
+checksum = "sha256:73afc234d558c24919875f51c2d1ea002a2ada4ea6f83601a383869fefa64eed"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-linux-arm64.tar.gz"
+
+[tools.node."platforms.linux-arm64-musl"]
+checksum = "sha256:31e98aa960a067da91edffd5d93bc46657b5d2a8029612c359f5f2ac0060152a"
+url = "https://unofficial-builds.nodejs.org/download/release/v24.15.0/node-v24.15.0-linux-arm64-musl.tar.gz"
+
+[tools.node."platforms.linux-x64"]
+checksum = "sha256:44836872d9aec49f1e6b52a9a922872db9a2b02d235a616a5681b6a85fec8d89"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-linux-x64.tar.gz"
+
+[tools.node."platforms.linux-x64-musl"]
+checksum = "sha256:f55af5bd489c5347b113ca6594cae00a54b30ba57ac5875324311bfc6f4762e3"
+url = "https://unofficial-builds.nodejs.org/download/release/v24.15.0/node-v24.15.0-linux-x64-musl.tar.gz"
+
+[tools.node."platforms.macos-arm64"]
+checksum = "sha256:372331b969779ab5d15b949884fc6eaf88d5afe87bde8ba881d6400b9100ffc4"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-darwin-arm64.tar.gz"
+
+[tools.node."platforms.macos-x64"]
+checksum = "sha256:ffd5ee293467927f3ee731a553eb88fd1f48cf74eebc2d74a6babe4af228673b"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-darwin-x64.tar.gz"
+
+[tools.node."platforms.windows-x64"]
+checksum = "sha256:cc5149eabd53779ce1e7bdc5401643622d0c7e6800ade18928a767e940bb0e62"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-win-x64.zip"
+
+[[tools."npm:oazapfts"]]
+version = "7.5.0"
+backend = "npm:oazapfts"
+
+[[tools.opentofu]]
+version = "1.11.6"
+backend = "aqua:opentofu/opentofu"
+
+[tools.opentofu."platforms.linux-arm64"]
+checksum = "sha256:d4f2ab15776925864b049bb329d69682851de6f5204f256e9fa86d07a0308850"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_linux_arm64.tar.gz"
+
+[tools.opentofu."platforms.linux-arm64-musl"]
+checksum = "sha256:d4f2ab15776925864b049bb329d69682851de6f5204f256e9fa86d07a0308850"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_linux_arm64.tar.gz"
+
+[tools.opentofu."platforms.linux-x64"]
+checksum = "sha256:02800fafa2753a9f50c38483e2fdf5bc353fd62895eb9e25eec9a5145df3a69e"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_linux_amd64.tar.gz"
+
+[tools.opentofu."platforms.linux-x64-musl"]
+checksum = "sha256:02800fafa2753a9f50c38483e2fdf5bc353fd62895eb9e25eec9a5145df3a69e"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_linux_amd64.tar.gz"
+
+[tools.opentofu."platforms.macos-arm64"]
+checksum = "sha256:62d7fa8539e13b444827aa0a3b90c5972da5c47e8f8882d9dcf2e430e78840c1"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_darwin_arm64.tar.gz"
+
+[tools.opentofu."platforms.macos-x64"]
+checksum = "sha256:1408cdef1c380f914565e6b4bb70794c6b163f195fcb233357f3d6c5745906b6"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_darwin_amd64.tar.gz"
+
+[tools.opentofu."platforms.windows-x64"]
+checksum = "sha256:27323f70c875b8251bfd7e61a4cffc3ebff4e56ed1e611b955016f0c7077367e"
+url = "https://github.com/opentofu/opentofu/releases/download/v1.11.6/tofu_1.11.6_windows_amd64.tar.gz"
+
+[[tools.pnpm]]
+version = "10.33.1"
+backend = "aqua:pnpm/pnpm"
+
+[tools.pnpm."platforms.linux-arm64"]
+checksum = "sha256:ed8aa7901cf325f4cf5019405bdd6bf988426e4b23d08fe9b12ea4df7046f23e"
+url = "https://github.com/pnpm/pnpm/releases/download/v10.33.1/pnpm-linux-arm64"
+
+[tools.pnpm."platforms.linux-arm64-musl"]
+checksum = "sha256:ed8aa7901cf325f4cf5019405bdd6bf988426e4b23d08fe9b12ea4df7046f23e"
+url = "https://github.com/pnpm/pnpm/releases/download/v10.33.1/pnpm-linux-arm64"
+
+[tools.pnpm."platforms.linux-x64"]
+checksum = "sha256:fba950842532edd365e949b74643b64e6311089a45532dbe1e8f909a247fe3e9"
+url = "https://github.com/pnpm/pnpm/releases/download/v10.33.1/pnpm-linux-x64"
+
+[tools.pnpm."platforms.linux-x64-musl"]
+checksum = "sha256:fba950842532edd365e949b74643b64e6311089a45532dbe1e8f909a247fe3e9"
+url = "https://github.com/pnpm/pnpm/releases/download/v10.33.1/pnpm-linux-x64"
+
+[tools.pnpm."platforms.macos-arm64"]
+checksum = "sha256:909ced0038b00881d4d620ba2018c5d9691de373deea8e3c84b722b44324e47c"
+url = "https://github.com/pnpm/pnpm/releases/download/v10.33.1/pnpm-macos-arm64"
+
+[tools.pnpm."platforms.macos-x64"]
+checksum = "sha256:afdad60b83f4f482f4c95cc79325f29aef776d0922a324f023a312f40e0cc7d3"
+url = "https://github.com/pnpm/pnpm/releases/download/v10.33.1/pnpm-macos-x64"
+
+[tools.pnpm."platforms.windows-x64"]
+checksum = "sha256:67b23fd8c6800566b1cc04c446b170ff6e7977250084e4d8df9bfdbd8e6f4d02"
+url = "https://github.com/pnpm/pnpm/releases/download/v10.33.1/pnpm-win-x64.exe"
+
+[[tools.terragrunt]]
+version = "1.0.3"
+backend = "aqua:gruntwork-io/terragrunt"
+
+[tools.terragrunt."platforms.linux-arm64"]
+checksum = "sha256:e5b60ab05b5214db694e6bc215d8124fb626e277cdb56b86f6147ae110d510fe"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_linux_arm64.tar.gz"
+
+[tools.terragrunt."platforms.linux-arm64-musl"]
+checksum = "sha256:e5b60ab05b5214db694e6bc215d8124fb626e277cdb56b86f6147ae110d510fe"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_linux_arm64.tar.gz"
+
+[tools.terragrunt."platforms.linux-x64"]
+checksum = "sha256:6d48049baf82e0bf9c804368dc85cbfeadc10955e33777e9e8de3e020b94b073"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_linux_amd64.tar.gz"
+
+[tools.terragrunt."platforms.linux-x64-musl"]
+checksum = "sha256:6d48049baf82e0bf9c804368dc85cbfeadc10955e33777e9e8de3e020b94b073"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_linux_amd64.tar.gz"
+
+[tools.terragrunt."platforms.macos-arm64"]
+checksum = "sha256:aacb5be2ca5475300cbce246dfbd8a45eb47510fbaa70fab8561c49ef5db03aa"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_darwin_arm64.tar.gz"
+
+[tools.terragrunt."platforms.macos-x64"]
+checksum = "sha256:3133c2251e191aede8e3dd2a5b3aee2e91c5f08f88f117aee40eed9a24c8ef6b"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_darwin_amd64.tar.gz"
+
+[tools.terragrunt."platforms.windows-x64"]
+checksum = "sha256:183b2745b4e04980a6bfa4450ff81956a12596ca22d70f7aaa793980f5b036db"
+url = "https://github.com/gruntwork-io/terragrunt/releases/download/v1.0.3/terragrunt_windows_amd64.exe.tar.gz"
@@ -16,8 +16,8 @@ config_roots = [

 [tools]
 node = "24.15.0"
-flutter = "3.41.9"
-pnpm = "10.33.1"
+"aqua:flutter/flutter" = "3.41.9"
+pnpm = "10.33.4"
 terragrunt = "1.0.3"
 opentofu = "1.11.6"
 java = "21.0.2"
@@ -50,11 +50,12 @@ macos-arm64 = { asset_pattern = "jellyfin-ffmpeg_*_portable_macarm64-gpl.tar.xz"
 [settings]
 experimental = true
 pin = true
+lockfile = true

 [tasks.plugins]
 run = [
  "pnpm --filter @immich/plugin-sdk --filter @immich/plugin-core install --frozen-lockfile",
-  "pnpm --filter @immich/plugin-sdk --filter @immich/plugin-core build"
+  "pnpm --filter @immich/plugin-sdk --filter @immich/plugin-core build",
 ]

 [tasks.open-api-typescript]
@@ -76,8 +77,8 @@ run = [
  { task = "//server:install" },
  { task = "//server:build" },
  { task = "//server:sync-open-api" },
-  { task = ":open-api-typescript"},
-  { task = ":open-api-dart"},
+  { task = ":open-api-typescript" },
+  { task = ":open-api-dart" },
 ]

 [tasks.sql]
@@ -1,26 +1,26 @@
 .PHONY: build watch create_app_icon create_splash build_release_android pigeon test analyze format migration translation

 build:
-	@printf "This command has been removed. Please use:\n\n    mise codegen           # or mise //:mobile:codegen:dart from another directory\n\n" >&2 && exit 1
+	@printf "This command has been removed. Please use:\n\n    mise codegen           # or mise //mobile:codegen:dart from another directory\n\n" >&2 && exit 1

 pigeon:
-	@printf "This command has been removed. Please use:\n\n    mise pigeon            # or mise //:mobile:codegen:pigeon from another directory\n\n" >&2 && exit 1
+	@printf "This command has been removed. Please use:\n\n    mise pigeon            # or mise //mobile:codegen:pigeon from another directory\n\n" >&2 && exit 1


 build_release_android:
-	@printf "This command has been removed. Please use:\n\n    mise run build:android      # or mise //:mobile:build:android from another directory\n\n" >&2 && exit 1
+	@printf "This command has been removed. Please use:\n\n    mise run build:android      # or mise //mobile:build:android from another directory\n\n" >&2 && exit 1

 migration:
-	@printf "This command has been removed. Please use:\n\n    mise migration         # or mise //:mobile:drift:migration from another directory\n\n" >&2 && exit 1
+	@printf "This command has been removed. Please use:\n\n    mise migration         # or mise //mobile:drift:migration from another directory\n\n" >&2 && exit 1

 translation:
-	@printf "This command has been removed. Please use:\n\n    mise translation       # or mise //:mobile:codegen:translation from another directory\n\n" >&2 && exit 1
+	@printf "This command has been removed. Please use:\n\n    mise translation       # or mise //mobile:codegen:translation from another directory\n\n" >&2 && exit 1

 analyze:
-	@printf "This command has been removed. Please use:\n\n    mise analyze           # or mise //:mobile:lint from another directory\n\n" >&2 && exit 1
+	@printf "This command has been removed. Please use:\n\n    mise analyze           # or mise //mobile:lint from another directory\n\n" >&2 && exit 1

 format:
-	@printf "This command has been removed. Please use:\n\n    mise format            # or mise //:mobile:format from another directory\n\n" >&2 && exit 1
+	@printf "This command has been removed. Please use:\n\n    mise format            # or mise //mobile:format from another directory\n\n" >&2 && exit 1

 test:
-	@printf "This command has been removed. Please use:\n\n    mise test              # or mise //:mobile:test from another directory\n\n" >&2 && exit 1
+	@printf "This command has been removed. Please use:\n\n    mise test              # or mise //mobile:test from another directory\n\n" >&2 && exit 1
@@ -78,15 +78,6 @@ alias = "migration"
 description = "Generate database migrations"
 run = "dart run drift_dev make-migrations"

-[tasks.install]
-alias = "install"
-description = "Install flutter dependencies"
-run = "flutter pub get"
-
-[tasks.start]
-alias = "start"
-description = "Start flutter app"
-run = "flutter run"

 # Internal tasks
 [tasks."i18n:loader"]
@@ -92,10 +92,12 @@ Class | Method | HTTP request | Description
 *AlbumsApi* | [**getAlbumMapMarkers**](doc//AlbumsApi.md#getalbummapmarkers) | **GET** /albums/{id}/map-markers | Retrieve album map markers
 *AlbumsApi* | [**getAlbumStatistics**](doc//AlbumsApi.md#getalbumstatistics) | **GET** /albums/statistics | Retrieve album statistics
 *AlbumsApi* | [**getAllAlbums**](doc//AlbumsApi.md#getallalbums) | **GET** /albums | List all albums
+*AlbumsApi* | [**getOwnAlbumUser**](doc//AlbumsApi.md#getownalbumuser) | **GET** /albums/{id}/user/self | Get own sharing permissions
 *AlbumsApi* | [**removeAssetFromAlbum**](doc//AlbumsApi.md#removeassetfromalbum) | **DELETE** /albums/{id}/assets | Remove assets from an album
 *AlbumsApi* | [**removeUserFromAlbum**](doc//AlbumsApi.md#removeuserfromalbum) | **DELETE** /albums/{id}/user/{userId} | Remove user from album
 *AlbumsApi* | [**updateAlbumInfo**](doc//AlbumsApi.md#updatealbuminfo) | **PATCH** /albums/{id} | Update an album
 *AlbumsApi* | [**updateAlbumUser**](doc//AlbumsApi.md#updatealbumuser) | **PUT** /albums/{id}/user/{userId} | Update user role
+*AlbumsApi* | [**updateOwnAlbumUser**](doc//AlbumsApi.md#updateownalbumuser) | **PUT** /albums/{id}/user/self | Update own sharing permissions
 *AssetsApi* | [**checkBulkUpload**](doc//AssetsApi.md#checkbulkupload) | **POST** /assets/bulk-upload-check | Check bulk upload
 *AssetsApi* | [**copyAsset**](doc//AssetsApi.md#copyasset) | **PUT** /assets/copy | Copy asset
 *AssetsApi* | [**deleteAssetMetadata**](doc//AssetsApi.md#deleteassetmetadata) | **DELETE** /assets/{id}/metadata/{key} | Delete asset metadata by key
@@ -452,7 +454,7 @@ Class | Method | HTTP request | Description
 - [MemoryStatisticsResponseDto](doc//MemoryStatisticsResponseDto.md)
 - [MemoryType](doc//MemoryType.md)
 - [MemoryUpdateDto](doc//MemoryUpdateDto.md)
- - [MergePersonDto](doc//MergePersonDto.md)
+ - [MergeFaceClusterDto](doc//MergeFaceClusterDto.md)
 - [MetadataSearchDto](doc//MetadataSearchDto.md)
 - [MirrorAxis](doc//MirrorAxis.md)
 - [MirrorParameters](doc//MirrorParameters.md)
@@ -544,6 +546,8 @@ Class | Method | HTTP request | Description
 - [SharedLinkType](doc//SharedLinkType.md)
 - [SharedLinksResponse](doc//SharedLinksResponse.md)
 - [SharedLinksUpdate](doc//SharedLinksUpdate.md)
+ - [SharingOptionsResponseDto](doc//SharingOptionsResponseDto.md)
+ - [SharingPermission](doc//SharingPermission.md)
 - [SignUpDto](doc//SignUpDto.md)
 - [SmartSearchDto](doc//SmartSearchDto.md)
 - [SourceType](doc//SourceType.md)
@@ -643,6 +647,7 @@ Class | Method | HTTP request | Description
 - [UpdateAlbumUserDto](doc//UpdateAlbumUserDto.md)
 - [UpdateAssetDto](doc//UpdateAssetDto.md)
 - [UpdateLibraryDto](doc//UpdateLibraryDto.md)
+ - [UpdateSharingOptionsDto](doc//UpdateSharingOptionsDto.md)
 - [UsageByUserDto](doc//UsageByUserDto.md)
 - [UserAdminCreateDto](doc//UserAdminCreateDto.md)
 - [UserAdminDeleteDto](doc//UserAdminDeleteDto.md)
@@ -198,7 +198,7 @@ part 'model/memory_search_order.dart';
 part 'model/memory_statistics_response_dto.dart';
 part 'model/memory_type.dart';
 part 'model/memory_update_dto.dart';
-part 'model/merge_person_dto.dart';
+part 'model/merge_face_cluster_dto.dart';
 part 'model/metadata_search_dto.dart';
 part 'model/mirror_axis.dart';
 part 'model/mirror_parameters.dart';
@@ -290,6 +290,8 @@ part 'model/shared_link_response_dto.dart';
 part 'model/shared_link_type.dart';
 part 'model/shared_links_response.dart';
 part 'model/shared_links_update.dart';
+part 'model/sharing_options_response_dto.dart';
+part 'model/sharing_permission.dart';
 part 'model/sign_up_dto.dart';
 part 'model/smart_search_dto.dart';
 part 'model/source_type.dart';
@@ -389,6 +391,7 @@ part 'model/update_album_dto.dart';
 part 'model/update_album_user_dto.dart';
 part 'model/update_asset_dto.dart';
 part 'model/update_library_dto.dart';
+part 'model/update_sharing_options_dto.dart';
 part 'model/usage_by_user_dto.dart';
 part 'model/user_admin_create_dto.dart';
 part 'model/user_admin_delete_dto.dart';
@@ -580,6 +580,63 @@ class AlbumsApi {
    return null;
  }

+  /// Get own sharing permissions
+  ///
+  /// Get the own sharing permissions in a specific album.
+  ///
+  /// Note: This method returns the HTTP [Response].
+  ///
+  /// Parameters:
+  ///
+  /// * [String] id (required):
+  Future<Response> getOwnAlbumUserWithHttpInfo(String id,) async {
+    // ignore: prefer_const_declarations
+    final apiPath = r'/albums/{id}/user/self'
+      .replaceAll('{id}', id);
+
+    // ignore: prefer_final_locals
+    Object? postBody;
+
+    final queryParams = <QueryParam>[];
+    final headerParams = <String, String>{};
+    final formParams = <String, String>{};
+
+    const contentTypes = <String>[];
+
+
+    return apiClient.invokeAPI(
+      apiPath,
+      'GET',
+      queryParams,
+      postBody,
+      headerParams,
+      formParams,
+      contentTypes.isEmpty ? null : contentTypes.first,
+    );
+  }
+
+  /// Get own sharing permissions
+  ///
+  /// Get the own sharing permissions in a specific album.
+  ///
+  /// Parameters:
+  ///
+  /// * [String] id (required):
+  Future<SharingOptionsResponseDto?> getOwnAlbumUser(String id,) async {
+    final response = await getOwnAlbumUserWithHttpInfo(id,);
+    if (response.statusCode >= HttpStatus.badRequest) {
+      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
+    }
+    // When a remote server returns no body with a status of 204, we shall not decode it.
+    // At the time of writing this, `dart:convert` will throw an "Unexpected end of input"
+    // FormatException when trying to decode an empty string.
+    if (response.body.isNotEmpty && response.statusCode != HttpStatus.noContent) {
+      return await apiClient.deserializeAsync(await _decodeBodyBytes(response), 'SharingOptionsResponseDto',) as SharingOptionsResponseDto;
+    
+    }
+    return null;
+  }
+
  /// Remove assets from an album
  ///
  /// Remove multiple assets from a specific album by its ID.
@@ -816,4 +873,57 @@ class AlbumsApi {
      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
    }
  }
+
+  /// Update own sharing permissions
+  ///
+  /// Change the own sharing permissions in a specific album.
+  ///
+  /// Note: This method returns the HTTP [Response].
+  ///
+  /// Parameters:
+  ///
+  /// * [String] id (required):
+  ///
+  /// * [UpdateSharingOptionsDto] updateSharingOptionsDto (required):
+  Future<Response> updateOwnAlbumUserWithHttpInfo(String id, UpdateSharingOptionsDto updateSharingOptionsDto,) async {
+    // ignore: prefer_const_declarations
+    final apiPath = r'/albums/{id}/user/self'
+      .replaceAll('{id}', id);
+
+    // ignore: prefer_final_locals
+    Object? postBody = updateSharingOptionsDto;
+
+    final queryParams = <QueryParam>[];
+    final headerParams = <String, String>{};
+    final formParams = <String, String>{};
+
+    const contentTypes = <String>['application/json'];
+
+
+    return apiClient.invokeAPI(
+      apiPath,
+      'PUT',
+      queryParams,
+      postBody,
+      headerParams,
+      formParams,
+      contentTypes.isEmpty ? null : contentTypes.first,
+    );
+  }
+
+  /// Update own sharing permissions
+  ///
+  /// Change the own sharing permissions in a specific album.
+  ///
+  /// Parameters:
+  ///
+  /// * [String] id (required):
+  ///
+  /// * [UpdateSharingOptionsDto] updateSharingOptionsDto (required):
+  Future<void> updateOwnAlbumUser(String id, UpdateSharingOptionsDto updateSharingOptionsDto,) async {
+    final response = await updateOwnAlbumUserWithHttpInfo(id, updateSharingOptionsDto,);
+    if (response.statusCode >= HttpStatus.badRequest) {
+      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
+    }
+  }
 }
@@ -448,14 +448,14 @@ class PeopleApi {
  ///
  /// * [String] id (required):
  ///
-  /// * [MergePersonDto] mergePersonDto (required):
-  Future<Response> mergePersonWithHttpInfo(String id, MergePersonDto mergePersonDto,) async {
+  /// * [MergeFaceClusterDto] mergeFaceClusterDto (required):
+  Future<Response> mergePersonWithHttpInfo(String id, MergeFaceClusterDto mergeFaceClusterDto,) async {
    // ignore: prefer_const_declarations
    final apiPath = r'/people/{id}/merge'
      .replaceAll('{id}', id);

    // ignore: prefer_final_locals
-    Object? postBody = mergePersonDto;
+    Object? postBody = mergeFaceClusterDto;

    final queryParams = <QueryParam>[];
    final headerParams = <String, String>{};
@@ -483,9 +483,9 @@ class PeopleApi {
  ///
  /// * [String] id (required):
  ///
-  /// * [MergePersonDto] mergePersonDto (required):
-  Future<List<BulkIdResponseDto>?> mergePerson(String id, MergePersonDto mergePersonDto,) async {
-    final response = await mergePersonWithHttpInfo(id, mergePersonDto,);
+  /// * [MergeFaceClusterDto] mergeFaceClusterDto (required):
+  Future<List<BulkIdResponseDto>?> mergePerson(String id, MergeFaceClusterDto mergeFaceClusterDto,) async {
+    final response = await mergePersonWithHttpInfo(id, mergeFaceClusterDto,);
    if (response.statusCode >= HttpStatus.badRequest) {
      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
    }
@@ -442,8 +442,8 @@ class ApiClient {
          return MemoryTypeTypeTransformer().decode(value);
        case 'MemoryUpdateDto':
          return MemoryUpdateDto.fromJson(value);
-        case 'MergePersonDto':
-          return MergePersonDto.fromJson(value);
+        case 'MergeFaceClusterDto':
+          return MergeFaceClusterDto.fromJson(value);
        case 'MetadataSearchDto':
          return MetadataSearchDto.fromJson(value);
        case 'MirrorAxis':
@@ -626,6 +626,10 @@ class ApiClient {
          return SharedLinksResponse.fromJson(value);
        case 'SharedLinksUpdate':
          return SharedLinksUpdate.fromJson(value);
+        case 'SharingOptionsResponseDto':
+          return SharingOptionsResponseDto.fromJson(value);
+        case 'SharingPermission':
+          return SharingPermissionTypeTransformer().decode(value);
        case 'SignUpDto':
          return SignUpDto.fromJson(value);
        case 'SmartSearchDto':
@@ -824,6 +828,8 @@ class ApiClient {
          return UpdateAssetDto.fromJson(value);
        case 'UpdateLibraryDto':
          return UpdateLibraryDto.fromJson(value);
+        case 'UpdateSharingOptionsDto':
+          return UpdateSharingOptionsDto.fromJson(value);
        case 'UsageByUserDto':
          return UsageByUserDto.fromJson(value);
        case 'UserAdminCreateDto':
@@ -163,6 +163,9 @@ String parameterToString(dynamic value) {
  if (value is SharedLinkType) {
    return SharedLinkTypeTypeTransformer().encode(value).toString();
  }
+  if (value is SharingPermission) {
+    return SharingPermissionTypeTransformer().encode(value).toString();
+  }
  if (value is SourceType) {
    return SourceTypeTypeTransformer().encode(value).toString();
  }
@@ -37,6 +37,7 @@ class AssetResponseDto {
    this.owner,
    required this.ownerId,
    this.people = const [],
+    this.permissions = const [],
    this.resized,
    this.stack,
    this.tags = const [],
@@ -140,6 +141,8 @@ class AssetResponseDto {

  List<PersonResponseDto> people;

+  List<SharingPermission> permissions;
+
  /// Is resized
  ///
  /// Please note: This property should have been non-nullable! Since the specification file
@@ -195,6 +198,7 @@ class AssetResponseDto {
    other.owner == owner &&
    other.ownerId == ownerId &&
    _deepEquality.equals(other.people, people) &&
+    _deepEquality.equals(other.permissions, permissions) &&
    other.resized == resized &&
    other.stack == stack &&
    _deepEquality.equals(other.tags, tags) &&
@@ -231,6 +235,7 @@ class AssetResponseDto {
    (owner == null ? 0 : owner!.hashCode) +
    (ownerId.hashCode) +
    (people.hashCode) +
+    (permissions.hashCode) +
    (resized == null ? 0 : resized!.hashCode) +
    (stack == null ? 0 : stack!.hashCode) +
    (tags.hashCode) +
@@ -241,7 +246,7 @@ class AssetResponseDto {
    (width == null ? 0 : width!.hashCode);

  @override
-  String toString() => 'AssetResponseDto[checksum=$checksum, createdAt=$createdAt, duplicateId=$duplicateId, duration=$duration, exifInfo=$exifInfo, fileCreatedAt=$fileCreatedAt, fileModifiedAt=$fileModifiedAt, hasMetadata=$hasMetadata, height=$height, id=$id, isArchived=$isArchived, isEdited=$isEdited, isFavorite=$isFavorite, isOffline=$isOffline, isTrashed=$isTrashed, libraryId=$libraryId, livePhotoVideoId=$livePhotoVideoId, localDateTime=$localDateTime, originalFileName=$originalFileName, originalMimeType=$originalMimeType, originalPath=$originalPath, owner=$owner, ownerId=$ownerId, people=$people, resized=$resized, stack=$stack, tags=$tags, thumbhash=$thumbhash, type=$type, updatedAt=$updatedAt, visibility=$visibility, width=$width]';
+  String toString() => 'AssetResponseDto[checksum=$checksum, createdAt=$createdAt, duplicateId=$duplicateId, duration=$duration, exifInfo=$exifInfo, fileCreatedAt=$fileCreatedAt, fileModifiedAt=$fileModifiedAt, hasMetadata=$hasMetadata, height=$height, id=$id, isArchived=$isArchived, isEdited=$isEdited, isFavorite=$isFavorite, isOffline=$isOffline, isTrashed=$isTrashed, libraryId=$libraryId, livePhotoVideoId=$livePhotoVideoId, localDateTime=$localDateTime, originalFileName=$originalFileName, originalMimeType=$originalMimeType, originalPath=$originalPath, owner=$owner, ownerId=$ownerId, people=$people, permissions=$permissions, resized=$resized, stack=$stack, tags=$tags, thumbhash=$thumbhash, type=$type, updatedAt=$updatedAt, visibility=$visibility, width=$width]';

  Map<String, dynamic> toJson() {
    final json = <String, dynamic>{};
@@ -301,6 +306,7 @@ class AssetResponseDto {
    }
      json[r'ownerId'] = this.ownerId;
      json[r'people'] = this.people;
+      json[r'permissions'] = this.permissions;
    if (this.resized != null) {
      json[r'resized'] = this.resized;
    } else {
@@ -361,6 +367,7 @@ class AssetResponseDto {
        owner: UserResponseDto.fromJson(json[r'owner']),
        ownerId: mapValueOfType<String>(json, r'ownerId')!,
        people: PersonResponseDto.listFromJson(json[r'people']),
+        permissions: SharingPermission.listFromJson(json[r'permissions']),
        resized: mapValueOfType<bool>(json, r'resized'),
        stack: AssetStackResponseDto.fromJson(json[r'stack']),
        tags: TagResponseDto.listFromJson(json[r'tags']),
@@ -433,6 +440,7 @@ class AssetResponseDto {
    'originalFileName',
    'originalPath',
    'ownerId',
+    'permissions',
    'thumbhash',
    'type',
    'updatedAt',
@@ -42,6 +42,7 @@ class JobName {
  static const databaseBackup = JobName._(r'DatabaseBackup');
  static const facialRecognitionQueueAll = JobName._(r'FacialRecognitionQueueAll');
  static const facialRecognition = JobName._(r'FacialRecognition');
+  static const facialRecognitionMerge = JobName._(r'FacialRecognitionMerge');
  static const fileDelete = JobName._(r'FileDelete');
  static const fileMigrationQueueAll = JobName._(r'FileMigrationQueueAll');
  static const libraryDeleteCheck = JobName._(r'LibraryDeleteCheck');
@@ -100,6 +101,7 @@ class JobName {
    databaseBackup,
    facialRecognitionQueueAll,
    facialRecognition,
+    facialRecognitionMerge,
    fileDelete,
    fileMigrationQueueAll,
    libraryDeleteCheck,
@@ -193,6 +195,7 @@ class JobNameTypeTransformer {
        case r'DatabaseBackup': return JobName.databaseBackup;
        case r'FacialRecognitionQueueAll': return JobName.facialRecognitionQueueAll;
        case r'FacialRecognition': return JobName.facialRecognition;
+        case r'FacialRecognitionMerge': return JobName.facialRecognitionMerge;
        case r'FileDelete': return JobName.fileDelete;
        case r'FileMigrationQueueAll': return JobName.fileMigrationQueueAll;
        case r'LibraryDeleteCheck': return JobName.libraryDeleteCheck;
@@ -29,6 +29,7 @@ class ManualJobName {
  static const memoryCleanup = ManualJobName._(r'memory-cleanup');
  static const memoryCreate = ManualJobName._(r'memory-create');
  static const backupDatabase = ManualJobName._(r'backup-database');
+  static const personGroupMerge = ManualJobName._(r'person-group-merge');

  /// List of all possible values in this [enum][ManualJobName].
  static const values = <ManualJobName>[
@@ -38,6 +39,7 @@ class ManualJobName {
    memoryCleanup,
    memoryCreate,
    backupDatabase,
+    personGroupMerge,
  ];

  static ManualJobName? fromJson(dynamic value) => ManualJobNameTypeTransformer().decode(value);
@@ -82,6 +84,7 @@ class ManualJobNameTypeTransformer {
        case r'memory-cleanup': return ManualJobName.memoryCleanup;
        case r'memory-create': return ManualJobName.memoryCreate;
        case r'backup-database': return ManualJobName.backupDatabase;
+        case r'person-group-merge': return ManualJobName.personGroupMerge;
        default:
          if (!allowNull) {
            throw ArgumentError('Unknown enum value to decode: $data');
@@ -10,17 +10,17 @@

 part of openapi.api;

-class MergePersonDto {
-  /// Returns a new [MergePersonDto] instance.
-  MergePersonDto({
+class MergeFaceClusterDto {
+  /// Returns a new [MergeFaceClusterDto] instance.
+  MergeFaceClusterDto({
    this.ids = const [],
  });

-  /// Person IDs to merge
+  /// Face cluster IDs to merge
  List<String> ids;

  @override
-  bool operator ==(Object other) => identical(this, other) || other is MergePersonDto &&
+  bool operator ==(Object other) => identical(this, other) || other is MergeFaceClusterDto &&
    _deepEquality.equals(other.ids, ids);

  @override
@@ -29,7 +29,7 @@ class MergePersonDto {
    (ids.hashCode);

  @override
-  String toString() => 'MergePersonDto[ids=$ids]';
+  String toString() => 'MergeFaceClusterDto[ids=$ids]';

  Map<String, dynamic> toJson() {
    final json = <String, dynamic>{};
@@ -37,15 +37,15 @@ class MergePersonDto {
    return json;
  }

-  /// Returns a new [MergePersonDto] instance and imports its values from
+  /// Returns a new [MergeFaceClusterDto] instance and imports its values from
  /// [value] if it's a [Map], null otherwise.
  // ignore: prefer_constructors_over_static_methods
-  static MergePersonDto? fromJson(dynamic value) {
-    upgradeDto(value, "MergePersonDto");
+  static MergeFaceClusterDto? fromJson(dynamic value) {
+    upgradeDto(value, "MergeFaceClusterDto");
    if (value is Map) {
      final json = value.cast<String, dynamic>();

-      return MergePersonDto(
+      return MergeFaceClusterDto(
        ids: json[r'ids'] is Iterable
            ? (json[r'ids'] as Iterable).cast<String>().toList(growable: false)
            : const [],
@@ -54,11 +54,11 @@ class MergePersonDto {
    return null;
  }

-  static List<MergePersonDto> listFromJson(dynamic json, {bool growable = false,}) {
-    final result = <MergePersonDto>[];
+  static List<MergeFaceClusterDto> listFromJson(dynamic json, {bool growable = false,}) {
+    final result = <MergeFaceClusterDto>[];
    if (json is List && json.isNotEmpty) {
      for (final row in json) {
-        final value = MergePersonDto.fromJson(row);
+        final value = MergeFaceClusterDto.fromJson(row);
        if (value != null) {
          result.add(value);
        }
@@ -67,12 +67,12 @@ class MergePersonDto {
    return result.toList(growable: growable);
  }

-  static Map<String, MergePersonDto> mapFromJson(dynamic json) {
-    final map = <String, MergePersonDto>{};
+  static Map<String, MergeFaceClusterDto> mapFromJson(dynamic json) {
+    final map = <String, MergeFaceClusterDto>{};
    if (json is Map && json.isNotEmpty) {
      json = json.cast<String, dynamic>(); // ignore: parameter_assignments
      for (final entry in json.entries) {
-        final value = MergePersonDto.fromJson(entry.value);
+        final value = MergeFaceClusterDto.fromJson(entry.value);
        if (value != null) {
          map[entry.key] = value;
        }
@@ -81,14 +81,14 @@ class MergePersonDto {
    return map;
  }

-  // maps a json object with a list of MergePersonDto-objects as value to a dart map
-  static Map<String, List<MergePersonDto>> mapListFromJson(dynamic json, {bool growable = false,}) {
-    final map = <String, List<MergePersonDto>>{};
+  // maps a json object with a list of MergeFaceClusterDto-objects as value to a dart map
+  static Map<String, List<MergeFaceClusterDto>> mapListFromJson(dynamic json, {bool growable = false,}) {
+    final map = <String, List<MergeFaceClusterDto>>{};
    if (json is Map && json.isNotEmpty) {
      // ignore: parameter_assignments
      json = json.cast<String, dynamic>();
      for (final entry in json.entries) {
-        map[entry.key] = MergePersonDto.listFromJson(entry.value, growable: growable,);
+        map[entry.key] = MergeFaceClusterDto.listFromJson(entry.value, growable: growable,);
      }
    }
    return map;
@@ -15,6 +15,7 @@ class PersonResponseDto {
  PersonResponseDto({
    required this.birthDate,
    this.color,
+    required this.faceClusterId,
    required this.id,
    this.isFavorite,
    required this.isHidden,
@@ -35,6 +36,9 @@ class PersonResponseDto {
  ///
  String? color;

+  /// Face cluster ID
+  String? faceClusterId;
+
  /// Person ID
  String id;

@@ -69,6 +73,7 @@ class PersonResponseDto {
  bool operator ==(Object other) => identical(this, other) || other is PersonResponseDto &&
    other.birthDate == birthDate &&
    other.color == color &&
+    other.faceClusterId == faceClusterId &&
    other.id == id &&
    other.isFavorite == isFavorite &&
    other.isHidden == isHidden &&
@@ -81,6 +86,7 @@ class PersonResponseDto {
    // ignore: unnecessary_parenthesis
    (birthDate == null ? 0 : birthDate!.hashCode) +
    (color == null ? 0 : color!.hashCode) +
+    (faceClusterId == null ? 0 : faceClusterId!.hashCode) +
    (id.hashCode) +
    (isFavorite == null ? 0 : isFavorite!.hashCode) +
    (isHidden.hashCode) +
@@ -89,7 +95,7 @@ class PersonResponseDto {
    (updatedAt == null ? 0 : updatedAt!.hashCode);

  @override
-  String toString() => 'PersonResponseDto[birthDate=$birthDate, color=$color, id=$id, isFavorite=$isFavorite, isHidden=$isHidden, name=$name, thumbnailPath=$thumbnailPath, updatedAt=$updatedAt]';
+  String toString() => 'PersonResponseDto[birthDate=$birthDate, color=$color, faceClusterId=$faceClusterId, id=$id, isFavorite=$isFavorite, isHidden=$isHidden, name=$name, thumbnailPath=$thumbnailPath, updatedAt=$updatedAt]';

  Map<String, dynamic> toJson() {
    final json = <String, dynamic>{};
@@ -102,6 +108,11 @@ class PersonResponseDto {
      json[r'color'] = this.color;
    } else {
    //  json[r'color'] = null;
+    }
+    if (this.faceClusterId != null) {
+      json[r'faceClusterId'] = this.faceClusterId;
+    } else {
+    //  json[r'faceClusterId'] = null;
    }
      json[r'id'] = this.id;
    if (this.isFavorite != null) {
@@ -131,6 +142,7 @@ class PersonResponseDto {
      return PersonResponseDto(
        birthDate: mapDateTime(json, r'birthDate', r''),
        color: mapValueOfType<String>(json, r'color'),
+        faceClusterId: mapValueOfType<String>(json, r'faceClusterId'),
        id: mapValueOfType<String>(json, r'id')!,
        isFavorite: mapValueOfType<bool>(json, r'isFavorite'),
        isHidden: mapValueOfType<bool>(json, r'isHidden')!,
@@ -185,6 +197,7 @@ class PersonResponseDto {
  /// The list of required keys that must be present in a JSON.
  static const requiredKeys = <String>{
    'birthDate',
+    'faceClusterId',
    'id',
    'isHidden',
    'name',
@@ -0,0 +1,107 @@
+//
+// AUTO-GENERATED FILE, DO NOT MODIFY!
+//
+// @dart=2.18
+
+// ignore_for_file: unused_element, unused_import
+// ignore_for_file: always_put_required_named_parameters_first
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: lines_longer_than_80_chars
+
+part of openapi.api;
+
+class SharingOptionsResponseDto {
+  /// Returns a new [SharingOptionsResponseDto] instance.
+  SharingOptionsResponseDto({
+    required this.inTimeline,
+    this.permissions = const [],
+  });
+
+  bool inTimeline;
+
+  List<SharingPermission> permissions;
+
+  @override
+  bool operator ==(Object other) => identical(this, other) || other is SharingOptionsResponseDto &&
+    other.inTimeline == inTimeline &&
+    _deepEquality.equals(other.permissions, permissions);
+
+  @override
+  int get hashCode =>
+    // ignore: unnecessary_parenthesis
+    (inTimeline.hashCode) +
+    (permissions.hashCode);
+
+  @override
+  String toString() => 'SharingOptionsResponseDto[inTimeline=$inTimeline, permissions=$permissions]';
+
+  Map<String, dynamic> toJson() {
+    final json = <String, dynamic>{};
+      json[r'inTimeline'] = this.inTimeline;
+      json[r'permissions'] = this.permissions;
+    return json;
+  }
+
+  /// Returns a new [SharingOptionsResponseDto] instance and imports its values from
+  /// [value] if it's a [Map], null otherwise.
+  // ignore: prefer_constructors_over_static_methods
+  static SharingOptionsResponseDto? fromJson(dynamic value) {
+    upgradeDto(value, "SharingOptionsResponseDto");
+    if (value is Map) {
+      final json = value.cast<String, dynamic>();
+
+      return SharingOptionsResponseDto(
+        inTimeline: mapValueOfType<bool>(json, r'inTimeline')!,
+        permissions: SharingPermission.listFromJson(json[r'permissions']),
+      );
+    }
+    return null;
+  }
+
+  static List<SharingOptionsResponseDto> listFromJson(dynamic json, {bool growable = false,}) {
+    final result = <SharingOptionsResponseDto>[];
+    if (json is List && json.isNotEmpty) {
+      for (final row in json) {
+        final value = SharingOptionsResponseDto.fromJson(row);
+        if (value != null) {
+          result.add(value);
+        }
+      }
+    }
+    return result.toList(growable: growable);
+  }
+
+  static Map<String, SharingOptionsResponseDto> mapFromJson(dynamic json) {
+    final map = <String, SharingOptionsResponseDto>{};
+    if (json is Map && json.isNotEmpty) {
+      json = json.cast<String, dynamic>(); // ignore: parameter_assignments
+      for (final entry in json.entries) {
+        final value = SharingOptionsResponseDto.fromJson(entry.value);
+        if (value != null) {
+          map[entry.key] = value;
+        }
+      }
+    }
+    return map;
+  }
+
+  // maps a json object with a list of SharingOptionsResponseDto-objects as value to a dart map
+  static Map<String, List<SharingOptionsResponseDto>> mapListFromJson(dynamic json, {bool growable = false,}) {
+    final map = <String, List<SharingOptionsResponseDto>>{};
+    if (json is Map && json.isNotEmpty) {
+      // ignore: parameter_assignments
+      json = json.cast<String, dynamic>();
+      for (final entry in json.entries) {
+        map[entry.key] = SharingOptionsResponseDto.listFromJson(entry.value, growable: growable,);
+      }
+    }
+    return map;
+  }
+
+  /// The list of required keys that must be present in a JSON.
+  static const requiredKeys = <String>{
+    'inTimeline',
+    'permissions',
+  };
+}
+
@@ -0,0 +1,112 @@
+//
+// AUTO-GENERATED FILE, DO NOT MODIFY!
+//
+// @dart=2.18
+
+// ignore_for_file: unused_element, unused_import
+// ignore_for_file: always_put_required_named_parameters_first
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: lines_longer_than_80_chars
+
+part of openapi.api;
+
+/// Sharing permission schema
+class SharingPermission {
+  /// Instantiate a new enum with the provided [value].
+  const SharingPermission._(this.value);
+
+  /// The underlying value of this enum member.
+  final String value;
+
+  @override
+  String toString() => value;
+
+  String toJson() => value;
+
+  static const all = SharingPermission._(r'all');
+  static const assetPeriodRead = SharingPermission._(r'asset.read');
+  static const assetPeriodUpdate = SharingPermission._(r'asset.update');
+  static const assetPeriodEdit = SharingPermission._(r'asset.edit');
+  static const assetPeriodDelete = SharingPermission._(r'asset.delete');
+  static const assetPeriodShare = SharingPermission._(r'asset.share');
+  static const exifPeriodRead = SharingPermission._(r'exif.read');
+  static const personPeriodRead = SharingPermission._(r'person.read');
+  static const personPeriodUpdate = SharingPermission._(r'person.update');
+  static const personPeriodMerge = SharingPermission._(r'person.merge');
+  static const personPeriodDelete = SharingPermission._(r'person.delete');
+
+  /// List of all possible values in this [enum][SharingPermission].
+  static const values = <SharingPermission>[
+    all,
+    assetPeriodRead,
+    assetPeriodUpdate,
+    assetPeriodEdit,
+    assetPeriodDelete,
+    assetPeriodShare,
+    exifPeriodRead,
+    personPeriodRead,
+    personPeriodUpdate,
+    personPeriodMerge,
+    personPeriodDelete,
+  ];
+
+  static SharingPermission? fromJson(dynamic value) => SharingPermissionTypeTransformer().decode(value);
+
+  static List<SharingPermission> listFromJson(dynamic json, {bool growable = false,}) {
+    final result = <SharingPermission>[];
+    if (json is List && json.isNotEmpty) {
+      for (final row in json) {
+        final value = SharingPermission.fromJson(row);
+        if (value != null) {
+          result.add(value);
+        }
+      }
+    }
+    return result.toList(growable: growable);
+  }
+}
+
+/// Transformation class that can [encode] an instance of [SharingPermission] to String,
+/// and [decode] dynamic data back to [SharingPermission].
+class SharingPermissionTypeTransformer {
+  factory SharingPermissionTypeTransformer() => _instance ??= const SharingPermissionTypeTransformer._();
+
+  const SharingPermissionTypeTransformer._();
+
+  String encode(SharingPermission data) => data.value;
+
+  /// Decodes a [dynamic value][data] to a SharingPermission.
+  ///
+  /// If [allowNull] is true and the [dynamic value][data] cannot be decoded successfully,
+  /// then null is returned. However, if [allowNull] is false and the [dynamic value][data]
+  /// cannot be decoded successfully, then an [UnimplementedError] is thrown.
+  ///
+  /// The [allowNull] is very handy when an API changes and a new enum value is added or removed,
+  /// and users are still using an old app with the old code.
+  SharingPermission? decode(dynamic data, {bool allowNull = true}) {
+    if (data != null) {
+      switch (data) {
+        case r'all': return SharingPermission.all;
+        case r'asset.read': return SharingPermission.assetPeriodRead;
+        case r'asset.update': return SharingPermission.assetPeriodUpdate;
+        case r'asset.edit': return SharingPermission.assetPeriodEdit;
+        case r'asset.delete': return SharingPermission.assetPeriodDelete;
+        case r'asset.share': return SharingPermission.assetPeriodShare;
+        case r'exif.read': return SharingPermission.exifPeriodRead;
+        case r'person.read': return SharingPermission.personPeriodRead;
+        case r'person.update': return SharingPermission.personPeriodUpdate;
+        case r'person.merge': return SharingPermission.personPeriodMerge;
+        case r'person.delete': return SharingPermission.personPeriodDelete;
+        default:
+          if (!allowNull) {
+            throw ArgumentError('Unknown enum value to decode: $data');
+          }
+      }
+    }
+    return null;
+  }
+
+  /// Singleton [SharingPermissionTypeTransformer] instance.
+  static SharingPermissionTypeTransformer? _instance;
+}
+
@@ -19,11 +19,11 @@ class SyncAssetFaceV2 {
    required this.boundingBoxY1,
    required this.boundingBoxY2,
    required this.deletedAt,
+    required this.faceClusterId,
    required this.id,
    required this.imageHeight,
    required this.imageWidth,
    required this.isVisible,
-    required this.personId,
    required this.sourceType,
  });

@@ -57,6 +57,9 @@ class SyncAssetFaceV2 {
  /// Face deleted at
  DateTime? deletedAt;

+  /// Person ID
+  String? faceClusterId;
+
  /// Asset face ID
  String id;

@@ -75,9 +78,6 @@ class SyncAssetFaceV2 {
  /// Is the face visible in the asset
  bool isVisible;

-  /// Person ID
-  String? personId;
-
  /// Source type
  String sourceType;

@@ -89,11 +89,11 @@ class SyncAssetFaceV2 {
    other.boundingBoxY1 == boundingBoxY1 &&
    other.boundingBoxY2 == boundingBoxY2 &&
    other.deletedAt == deletedAt &&
+    other.faceClusterId == faceClusterId &&
    other.id == id &&
    other.imageHeight == imageHeight &&
    other.imageWidth == imageWidth &&
    other.isVisible == isVisible &&
-    other.personId == personId &&
    other.sourceType == sourceType;

  @override
@@ -105,15 +105,15 @@ class SyncAssetFaceV2 {
    (boundingBoxY1.hashCode) +
    (boundingBoxY2.hashCode) +
    (deletedAt == null ? 0 : deletedAt!.hashCode) +
+    (faceClusterId == null ? 0 : faceClusterId!.hashCode) +
    (id.hashCode) +
    (imageHeight.hashCode) +
    (imageWidth.hashCode) +
    (isVisible.hashCode) +
-    (personId == null ? 0 : personId!.hashCode) +
    (sourceType.hashCode);

  @override
-  String toString() => 'SyncAssetFaceV2[assetId=$assetId, boundingBoxX1=$boundingBoxX1, boundingBoxX2=$boundingBoxX2, boundingBoxY1=$boundingBoxY1, boundingBoxY2=$boundingBoxY2, deletedAt=$deletedAt, id=$id, imageHeight=$imageHeight, imageWidth=$imageWidth, isVisible=$isVisible, personId=$personId, sourceType=$sourceType]';
+  String toString() => 'SyncAssetFaceV2[assetId=$assetId, boundingBoxX1=$boundingBoxX1, boundingBoxX2=$boundingBoxX2, boundingBoxY1=$boundingBoxY1, boundingBoxY2=$boundingBoxY2, deletedAt=$deletedAt, faceClusterId=$faceClusterId, id=$id, imageHeight=$imageHeight, imageWidth=$imageWidth, isVisible=$isVisible, sourceType=$sourceType]';

  Map<String, dynamic> toJson() {
    final json = <String, dynamic>{};
@@ -128,16 +128,16 @@ class SyncAssetFaceV2 {
        : this.deletedAt!.toUtc().toIso8601String();
    } else {
    //  json[r'deletedAt'] = null;
+    }
+    if (this.faceClusterId != null) {
+      json[r'faceClusterId'] = this.faceClusterId;
+    } else {
+    //  json[r'faceClusterId'] = null;
    }
      json[r'id'] = this.id;
      json[r'imageHeight'] = this.imageHeight;
      json[r'imageWidth'] = this.imageWidth;
      json[r'isVisible'] = this.isVisible;
-    if (this.personId != null) {
-      json[r'personId'] = this.personId;
-    } else {
-    //  json[r'personId'] = null;
-    }
      json[r'sourceType'] = this.sourceType;
    return json;
  }
@@ -157,11 +157,11 @@ class SyncAssetFaceV2 {
        boundingBoxY1: mapValueOfType<int>(json, r'boundingBoxY1')!,
        boundingBoxY2: mapValueOfType<int>(json, r'boundingBoxY2')!,
        deletedAt: mapDateTime(json, r'deletedAt', r'/^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$/'),
+        faceClusterId: mapValueOfType<String>(json, r'faceClusterId'),
        id: mapValueOfType<String>(json, r'id')!,
        imageHeight: mapValueOfType<int>(json, r'imageHeight')!,
        imageWidth: mapValueOfType<int>(json, r'imageWidth')!,
        isVisible: mapValueOfType<bool>(json, r'isVisible')!,
-        personId: mapValueOfType<String>(json, r'personId'),
        sourceType: mapValueOfType<String>(json, r'sourceType')!,
      );
    }
@@ -216,11 +216,11 @@ class SyncAssetFaceV2 {
    'boundingBoxY1',
    'boundingBoxY2',
    'deletedAt',
+    'faceClusterId',
    'id',
    'imageHeight',
    'imageWidth',
    'isVisible',
-    'personId',
    'sourceType',
  };
 }
@@ -0,0 +1,107 @@
+//
+// AUTO-GENERATED FILE, DO NOT MODIFY!
+//
+// @dart=2.18
+
+// ignore_for_file: unused_element, unused_import
+// ignore_for_file: always_put_required_named_parameters_first
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: lines_longer_than_80_chars
+
+part of openapi.api;
+
+class UpdateSharingOptionsDto {
+  /// Returns a new [UpdateSharingOptionsDto] instance.
+  UpdateSharingOptionsDto({
+    required this.inTimeline,
+    this.permissions = const [],
+  });
+
+  bool inTimeline;
+
+  List<SharingPermission> permissions;
+
+  @override
+  bool operator ==(Object other) => identical(this, other) || other is UpdateSharingOptionsDto &&
+    other.inTimeline == inTimeline &&
+    _deepEquality.equals(other.permissions, permissions);
+
+  @override
+  int get hashCode =>
+    // ignore: unnecessary_parenthesis
+    (inTimeline.hashCode) +
+    (permissions.hashCode);
+
+  @override
+  String toString() => 'UpdateSharingOptionsDto[inTimeline=$inTimeline, permissions=$permissions]';
+
+  Map<String, dynamic> toJson() {
+    final json = <String, dynamic>{};
+      json[r'inTimeline'] = this.inTimeline;
+      json[r'permissions'] = this.permissions;
+    return json;
+  }
+
+  /// Returns a new [UpdateSharingOptionsDto] instance and imports its values from
+  /// [value] if it's a [Map], null otherwise.
+  // ignore: prefer_constructors_over_static_methods
+  static UpdateSharingOptionsDto? fromJson(dynamic value) {
+    upgradeDto(value, "UpdateSharingOptionsDto");
+    if (value is Map) {
+      final json = value.cast<String, dynamic>();
+
+      return UpdateSharingOptionsDto(
+        inTimeline: mapValueOfType<bool>(json, r'inTimeline')!,
+        permissions: SharingPermission.listFromJson(json[r'permissions']),
+      );
+    }
+    return null;
+  }
+
+  static List<UpdateSharingOptionsDto> listFromJson(dynamic json, {bool growable = false,}) {
+    final result = <UpdateSharingOptionsDto>[];
+    if (json is List && json.isNotEmpty) {
+      for (final row in json) {
+        final value = UpdateSharingOptionsDto.fromJson(row);
+        if (value != null) {
+          result.add(value);
+        }
+      }
+    }
+    return result.toList(growable: growable);
+  }
+
+  static Map<String, UpdateSharingOptionsDto> mapFromJson(dynamic json) {
+    final map = <String, UpdateSharingOptionsDto>{};
+    if (json is Map && json.isNotEmpty) {
+      json = json.cast<String, dynamic>(); // ignore: parameter_assignments
+      for (final entry in json.entries) {
+        final value = UpdateSharingOptionsDto.fromJson(entry.value);
+        if (value != null) {
+          map[entry.key] = value;
+        }
+      }
+    }
+    return map;
+  }
+
+  // maps a json object with a list of UpdateSharingOptionsDto-objects as value to a dart map
+  static Map<String, List<UpdateSharingOptionsDto>> mapListFromJson(dynamic json, {bool growable = false,}) {
+    final map = <String, List<UpdateSharingOptionsDto>>{};
+    if (json is Map && json.isNotEmpty) {
+      // ignore: parameter_assignments
+      json = json.cast<String, dynamic>();
+      for (final entry in json.entries) {
+        map[entry.key] = UpdateSharingOptionsDto.listFromJson(entry.value, growable: growable,);
+      }
+    }
+    return map;
+  }
+
+  /// The list of required keys that must be present in a JSON.
+  static const requiredKeys = <String>{
+    'inTimeline',
+    'permissions',
+  };
+}
+
@@ -5,10 +5,10 @@ packages:
    dependency: transitive
    description:
      name: async
-      sha256: "758e6d74e971c3e5aceb4110bfd6698efc7f501675bcfe0c775459a8140750eb"
+      sha256: e2eb0491ba5ddb6177742d2da23904574082139b07c1e33b8503b9f46f3e1a37
      url: "https://pub.dev"
    source: hosted
-    version: "2.13.0"
+    version: "2.13.1"
  boolean_selector:
    dependency: transitive
    description:
@@ -103,10 +103,10 @@ packages:
    dependency: transitive
    description:
      name: meta
-      sha256: "23f08335362185a5ea2ad3a4e597f1375e78bce8a040df5c600c8d3552ef2394"
+      sha256: "1741988757a65eb6b36abe716829688cf01910bbf91c34354ff7ec1c3de2b349"
      url: "https://pub.dev"
    source: hosted
-    version: "1.17.0"
+    version: "1.18.0"
  path:
    dependency: transitive
    description:
@@ -124,10 +124,10 @@ packages:
    dependency: transitive
    description:
      name: source_span
-      sha256: "254ee5351d6cb365c859e20ee823c3bb479bf4a293c22d17a9f1bf144ce86f7c"
+      sha256: "56a02f1f4cd1a2d96303c0144c93bd6d909eea6bee6bf5a0e0b685edbd4c47ab"
      url: "https://pub.dev"
    source: hosted
-    version: "1.10.1"
+    version: "1.10.2"
  stack_trace:
    dependency: transitive
    description:
@@ -164,10 +164,10 @@ packages:
    dependency: transitive
    description:
      name: test_api
-      sha256: "8161c84903fd860b26bfdefb7963b3f0b68fee7adea0f59ef805ecca346f0c7a"
+      sha256: "949a932224383300f01be9221c39180316445ecb8e7547f70a41a35bf421fb9e"
      url: "https://pub.dev"
    source: hosted
-    version: "0.7.10"
+    version: "0.7.11"
  vector_math:
    dependency: transitive
    description:
@@ -180,10 +180,10 @@ packages:
    dependency: transitive
    description:
      name: vm_service
-      sha256: "45caa6c5917fa127b5dbcfbd1fa60b14e583afdc08bfc96dda38886ca252eb60"
+      sha256: "0016aef94fc66495ac78af5859181e3f3bf2026bd8eecc72b9565601e19ab360"
      url: "https://pub.dev"
    source: hosted
-    version: "15.0.2"
+    version: "15.2.0"
 sdks:
  dart: ">=3.11.0 <4.0.0"
  flutter: ">=3.18.0-18.0.pre.54"
@@ -5,10 +5,10 @@ packages:
    dependency: transitive
    description:
      name: async
-      sha256: "758e6d74e971c3e5aceb4110bfd6698efc7f501675bcfe0c775459a8140750eb"
+      sha256: e2eb0491ba5ddb6177742d2da23904574082139b07c1e33b8503b9f46f3e1a37
      url: "https://pub.dev"
    source: hosted
-    version: "2.13.0"
+    version: "2.13.1"
  boolean_selector:
    dependency: transitive
    description:
@@ -77,10 +77,10 @@ packages:
    dependency: transitive
    description:
      name: ffi
-      sha256: d07d37192dbf97461359c1518788f203b0c9102cfd2c35a716b823741219542c
+      sha256: "6d7fd89431262d8f3125e81b50d3847a091d846eafcd4fdb88dd06f36d705a45"
      url: "https://pub.dev"
    source: hosted
-    version: "2.1.5"
+    version: "2.2.0"
  file:
    dependency: transitive
    description:
@@ -124,10 +124,10 @@ packages:
    dependency: "direct main"
    description:
      name: go_router
-      sha256: "5540e4a3f416dd4a93458257b908eb88353cbd0fb5b0a3d1bd7d849ba1e88735"
+      sha256: "92d8cee7c57dff0a6c409c05597b460002434eccf7424a712283225b3962d03f"
      url: "https://pub.dev"
    source: hosted
-    version: "17.2.1"
+    version: "17.2.3"
  immich_ui:
    dependency: "direct main"
    description:
@@ -211,10 +211,10 @@ packages:
    dependency: transitive
    description:
      name: meta
-      sha256: "23f08335362185a5ea2ad3a4e597f1375e78bce8a040df5c600c8d3552ef2394"
+      sha256: "1741988757a65eb6b36abe716829688cf01910bbf91c34354ff7ec1c3de2b349"
      url: "https://pub.dev"
    source: hosted
-    version: "1.17.0"
+    version: "1.18.0"
  path:
    dependency: transitive
    description:
@@ -248,10 +248,10 @@ packages:
    dependency: transitive
    description:
      name: source_span
-      sha256: "254ee5351d6cb365c859e20ee823c3bb479bf4a293c22d17a9f1bf144ce86f7c"
+      sha256: "56a02f1f4cd1a2d96303c0144c93bd6d909eea6bee6bf5a0e0b685edbd4c47ab"
      url: "https://pub.dev"
    source: hosted
-    version: "1.10.1"
+    version: "1.10.2"
  stack_trace:
    dependency: transitive
    description:
@@ -312,10 +312,10 @@ packages:
    dependency: transitive
    description:
      name: test_api
-      sha256: "8161c84903fd860b26bfdefb7963b3f0b68fee7adea0f59ef805ecca346f0c7a"
+      sha256: "949a932224383300f01be9221c39180316445ecb8e7547f70a41a35bf421fb9e"
      url: "https://pub.dev"
    source: hosted
-    version: "0.7.10"
+    version: "0.7.11"
  typed_data:
    dependency: transitive
    description:
@@ -328,10 +328,10 @@ packages:
    dependency: transitive
    description:
      name: uuid
-      sha256: a11b666489b1954e01d992f3d601b1804a33937b5a8fe677bd26b8a9f96f96e8
+      sha256: "1fef9e8e11e2991bb773070d4656b7bd5d850967a2456cfc83cf47925ba79489"
      url: "https://pub.dev"
    source: hosted
-    version: "4.5.2"
+    version: "4.5.3"
  vector_math:
    dependency: transitive
    description:
@@ -344,10 +344,10 @@ packages:
    dependency: transitive
    description:
      name: vm_service
-      sha256: "45caa6c5917fa127b5dbcfbd1fa60b14e583afdc08bfc96dda38886ca252eb60"
+      sha256: "0016aef94fc66495ac78af5859181e3f3bf2026bd8eecc72b9565601e19ab360"
      url: "https://pub.dev"
    source: hosted
-    version: "15.0.2"
+    version: "15.2.0"
  web:
    dependency: transitive
    description:
@@ -133,10 +133,10 @@ packages:
    dependency: transitive
    description:
      name: build
-      sha256: aadd943f4f8cc946882c954c187e6115a84c98c81ad1d9c6cbf0895a8c85da9c
+      sha256: a156715e7cd728130c592f30552575908aae5b100005fbc1f0fb16b3c03a3d10
      url: "https://pub.dev"
    source: hosted
-    version: "4.0.5"
+    version: "4.0.6"
  build_config:
    dependency: transitive
    description:
@@ -157,10 +157,10 @@ packages:
    dependency: "direct dev"
    description:
      name: build_runner
-      sha256: "521daf8d189deb79ba474e43a696b41c49fb3987818dbacf3308f1e03673a75e"
+      sha256: "1523ce62448ebac2c15a8ba5fbad8acac169788658a7dd2a1c2d9c2a9318b9a6"
      url: "https://pub.dev"
    source: hosted
-    version: "2.13.1"
+    version: "2.15.0"
  built_collection:
    dependency: transitive
    description:
@@ -173,10 +173,10 @@ packages:
    dependency: transitive
    description:
      name: built_value
-      sha256: "0730c18c770d05636a8f945c32a4d7d81cb6e0f0148c8db4ad12e7748f7e49af"
+      sha256: "34e4067d30ce212937df995f03b69992eea683539ceeac7f679a1f1eba055b56"
      url: "https://pub.dev"
    source: hosted
-    version: "8.12.5"
+    version: "8.12.6"
  cast:
    dependency: "direct main"
    description:
@@ -358,18 +358,18 @@ packages:
    dependency: "direct main"
    description:
      name: drift
-      sha256: "055c249d1f91be5a47fe447f88afc24c4ca6f4cd6c5ed66767b4797d48acc2e5"
+      sha256: "8033500116b24398fba0cca0369cc31678cd627c01e41753a61186911cea743e"
      url: "https://pub.dev"
    source: hosted
-    version: "2.32.1"
+    version: "2.33.0"
  drift_dev:
    dependency: "direct dev"
    description:
      name: drift_dev
-      sha256: "88a9de3af8571518148a6d8a513b57779fd1e60a026d3ab8a481a878fba01d91"
+      sha256: b3dd5b75e30522a91da8abda9f5bb17230cb038097f6d15fa75d42bb563428aa
      url: "https://pub.dev"
    source: hosted
-    version: "2.32.1"
+    version: "2.33.0"
  drift_flutter:
    dependency: "direct main"
    description:
@@ -613,10 +613,10 @@ packages:
    dependency: "direct main"
    description:
      name: flutter_svg
-      sha256: "1ded017b39c8e15c8948ea855070a5ff8ff8b3d5e83f3446e02d6bb12add7ad9"
+      sha256: "35882981abcbfb8c15b286f0cd690ff25bac12d95eff3e25ee207f37d4c42e7f"
      url: "https://pub.dev"
    source: hosted
-    version: "2.2.4"
+    version: "2.3.0"
  flutter_test:
    dependency: "direct dev"
    description: flutter
@@ -772,10 +772,10 @@ packages:
    dependency: transitive
    description:
      name: hooks
-      sha256: e79ed1e8e1929bc6ecb6ec85f0cb519c887aa5b423705ded0d0f2d9226def388
+      sha256: "025f060e86d2d4c3c47b56e33caf7f93bf9283340f26d23424ebcfccf34f621e"
      url: "https://pub.dev"
    source: hosted
-    version: "1.0.2"
+    version: "1.0.3"
  hooks_riverpod:
    dependency: "direct main"
    description:
@@ -844,18 +844,18 @@ packages:
    dependency: "direct main"
    description:
      name: image_picker
-      sha256: "784210112be18ea55f69d7076e2c656a4e24949fa9e76429fe53af0c0f4fa320"
+      sha256: "91c025426c2881c551100bce834e201c835a170151545f58d17da5180ca7d9ac"
      url: "https://pub.dev"
    source: hosted
-    version: "1.2.1"
+    version: "1.2.2"
  image_picker_android:
    dependency: transitive
    description:
      name: image_picker_android
-      sha256: "66810af8e99b2657ee98e5c6f02064f69bb63f7a70e343937f70946c5f8c6622"
+      sha256: d5b3e1774af29c9ab00103afb0d4614070f924d2e0057ac867ec98800114793f
      url: "https://pub.dev"
    source: hosted
-    version: "0.8.13+16"
+    version: "0.8.13+17"
  image_picker_for_web:
    dependency: transitive
    description:
@@ -952,10 +952,10 @@ packages:
    dependency: transitive
    description:
      name: json_annotation
-      sha256: cb09e7dac6210041fad964ed7fbee004f14258b4eca4040f72d1234062ace4c8
+      sha256: "2a743920d81b7910627f68ee2c9ac1fc0bfee32b9fc3403587d7c6791ca12f80"
      url: "https://pub.dev"
    source: hosted
-    version: "4.11.0"
+    version: "4.12.0"
  leak_tracker:
    dependency: transitive
    description:
@@ -984,10 +984,10 @@ packages:
    dependency: transitive
    description:
      name: lean_builder
-      sha256: ee4117b03e93a4eb83e1a78c8e7a1dc22188d43bb142309982be48673a1b3a53
+      sha256: c16e95ddf7b2d49dd551357b7212fe2ce9f13ec7ad1b1e660c157184031e96c0
      url: "https://pub.dev"
    source: hosted
-    version: "0.1.7"
+    version: "0.1.10"
  lints:
    dependency: transitive
    description:
@@ -1429,6 +1429,14 @@ packages:
      url: "https://pub.dev"
    source: hosted
    version: "4.1.0"
+  record_use:
+    dependency: transitive
+    description:
+      name: record_use
+      sha256: "2551bd8eecfe95d14ae75f6021ad0248be5c27f138c2ec12fcb52b500b3ba1ed"
+      url: "https://pub.dev"
+    source: hosted
+    version: "0.6.0"
  riverpod:
    dependency: transitive
    description:
@@ -1607,10 +1615,10 @@ packages:
    dependency: transitive
    description:
      name: source_gen
-      sha256: "732792cfd197d2161a65bb029606a46e0a18ff30ef9e141a7a82172b05ea8ecd"
+      sha256: ec37cc0e6694374cbef59ed79685572c870a54ede6fa30a3e420feb3adffea02
      url: "https://pub.dev"
    source: hosted
-    version: "4.2.2"
+    version: "4.2.3"
  source_span:
    dependency: transitive
    description:
@@ -1647,10 +1655,10 @@ packages:
    dependency: transitive
    description:
      name: sqlparser
-      sha256: ab2b467425f1d4f3acfa5fd11a08226f7d6c26ff102c06be1807e1dff34e050b
+      sha256: ecdc06d4a7d79dcbc928d99afd2f7f5b0f98a637c46f89be83d911617f759978
      url: "https://pub.dev"
    source: hosted
-    version: "0.44.3"
+    version: "0.44.4"
  stack_trace:
    dependency: transitive
    description:
@@ -1807,10 +1815,10 @@ packages:
    dependency: transitive
    description:
      name: url_launcher_web
-      sha256: d0412fcf4c6b31ecfdb7762359b7206ffba3bbffd396c6d9f9c4616ece476c1f
+      sha256: "85c81589622fbc87c1c683aaea164d3604a7777495a79d91e39ffcdec39ddb34"
      url: "https://pub.dev"
    source: hosted
-    version: "2.4.2"
+    version: "2.4.3"
  url_launcher_windows:
    dependency: transitive
    description:
@@ -1831,10 +1839,10 @@ packages:
    dependency: transitive
    description:
      name: vector_graphics
-      sha256: "81da85e9ca8885ade47f9685b953cb098970d11be4821ac765580a6607ea4373"
+      sha256: "2306c03da2ba81724afeb589c351ebbc0aa7d86005925be8f8735856dbe5e42d"
      url: "https://pub.dev"
    source: hosted
-    version: "1.1.21"
+    version: "1.2.2"
  vector_graphics_codec:
    dependency: transitive
    description:
@@ -1847,10 +1855,10 @@ packages:
    dependency: transitive
    description:
      name: vector_graphics_compiler
-      sha256: "5a88dd14c0954a5398af544651c7fb51b457a2a556949bfb25369b210ef73a74"
+      sha256: b9b3f391857781aa96acacef96066f2f49b4cd03cf9fce3ca4d8da2ef5ea129e
      url: "https://pub.dev"
    source: hosted
-    version: "1.2.0"
+    version: "1.2.3"
  vector_math:
    dependency: transitive
    description:
@@ -1863,10 +1871,10 @@ packages:
    dependency: transitive
    description:
      name: vm_service
-      sha256: "046d3928e16fa4dc46e8350415661755ab759d9fc97fc21b5ab295f71e4f0499"
+      sha256: "0016aef94fc66495ac78af5859181e3f3bf2026bd8eecc72b9565601e19ab360"
      url: "https://pub.dev"
    source: hosted
-    version: "15.1.0"
+    version: "15.2.0"
  wakelock_plus:
    dependency: "direct main"
    description:
@@ -1879,10 +1887,10 @@ packages:
    dependency: transitive
    description:
      name: wakelock_plus_platform_interface
-      sha256: "14b2e5b9e35c2631e656913c47adecdd71633ae92896a27a64c8f1fcfabc21cc"
+      sha256: b13f99e992e7ae6a152e16c5559d3c07ff445b13330192662494e614ca3e7d7b
      url: "https://pub.dev"
    source: hosted
-    version: "1.5.0"
+    version: "1.5.1"
  watcher:
    dependency: transitive
    description:
@@ -2277,6 +2277,121 @@
        "x-immich-permission": "album.read"
      }
    },
+    "/albums/{id}/user/self": {
+      "get": {
+        "description": "Get the own sharing permissions in a specific album.",
+        "operationId": "getOwnAlbumUser",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "format": "uuid",
+              "pattern": "^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12})$",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/SharingOptionsResponseDto"
+                }
+              }
+            },
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          },
+          {
+            "cookie": []
+          },
+          {
+            "api_key": []
+          }
+        ],
+        "summary": "Get own sharing permissions",
+        "tags": [
+          "Albums"
+        ],
+        "x-immich-history": [
+          {
+            "version": "v3",
+            "state": "Added"
+          },
+          {
+            "version": "v3",
+            "state": "Stable"
+          }
+        ],
+        "x-immich-permission": "albumAsset.create",
+        "x-immich-state": "Stable"
+      },
+      "put": {
+        "description": "Change the own sharing permissions in a specific album.",
+        "operationId": "updateOwnAlbumUser",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "format": "uuid",
+              "pattern": "^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12})$",
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UpdateSharingOptionsDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "204": {
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          },
+          {
+            "cookie": []
+          },
+          {
+            "api_key": []
+          }
+        ],
+        "summary": "Update own sharing permissions",
+        "tags": [
+          "Albums"
+        ],
+        "x-immich-history": [
+          {
+            "version": "v3",
+            "state": "Added"
+          },
+          {
+            "version": "v3",
+            "state": "Stable"
+          }
+        ],
+        "x-immich-permission": "albumAsset.create",
+        "x-immich-state": "Stable"
+      }
+    },
    "/albums/{id}/user/{userId}": {
      "delete": {
        "description": "Remove a user from an album. Use an ID of \"me\" to leave a shared album.",
@@ -8345,7 +8460,7 @@
          "content": {
            "application/json": {
              "schema": {
-                "$ref": "#/components/schemas/MergePersonDto"
+                "$ref": "#/components/schemas/MergeFaceClusterDto"
              }
            }
          },
@@ -16942,6 +17057,12 @@
            },
            "type": "array"
          },
+          "permissions": {
+            "items": {
+              "$ref": "#/components/schemas/SharingPermission"
+            },
+            "type": "array"
+          },
          "resized": {
            "description": "Is resized",
            "type": "boolean",
@@ -17013,6 +17134,7 @@
          "originalFileName",
          "originalPath",
          "ownerId",
+          "permissions",
          "thumbhash",
          "type",
          "updatedAt",
@@ -18072,6 +18194,7 @@
          "DatabaseBackup",
          "FacialRecognitionQueueAll",
          "FacialRecognition",
+          "FacialRecognitionMerge",
          "FileDelete",
          "FileMigrationQueueAll",
          "LibraryDeleteCheck",
@@ -18481,7 +18604,8 @@
          "user-cleanup",
          "memory-cleanup",
          "memory-create",
-          "backup-database"
+          "backup-database",
+          "person-group-merge"
        ],
        "type": "string"
      },
@@ -18807,10 +18931,10 @@
        },
        "type": "object"
      },
-      "MergePersonDto": {
+      "MergeFaceClusterDto": {
        "properties": {
          "ids": {
-            "description": "Person IDs to merge",
+            "description": "Face cluster IDs to merge",
            "items": {
              "format": "uuid",
              "pattern": "^([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-4[0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12})$",
@@ -19835,6 +19959,11 @@
            ],
            "x-immich-state": "Stable"
          },
+          "faceClusterId": {
+            "description": "Face cluster ID",
+            "nullable": true,
+            "type": "string"
+          },
          "id": {
            "description": "Person ID",
            "type": "string"
@@ -19885,6 +20014,7 @@
        },
        "required": [
          "birthDate",
+          "faceClusterId",
          "id",
          "isHidden",
          "name",
@@ -21797,6 +21927,41 @@
        },
        "type": "object"
      },
+      "SharingOptionsResponseDto": {
+        "properties": {
+          "inTimeline": {
+            "type": "boolean"
+          },
+          "permissions": {
+            "items": {
+              "$ref": "#/components/schemas/SharingPermission"
+            },
+            "type": "array"
+          }
+        },
+        "required": [
+          "inTimeline",
+          "permissions"
+        ],
+        "type": "object"
+      },
+      "SharingPermission": {
+        "description": "Sharing permission schema",
+        "enum": [
+          "all",
+          "asset.read",
+          "asset.update",
+          "asset.edit",
+          "asset.delete",
+          "asset.share",
+          "exif.read",
+          "person.read",
+          "person.update",
+          "person.merge",
+          "person.delete"
+        ],
+        "type": "string"
+      },
      "SignUpDto": {
        "properties": {
          "email": {
@@ -22893,6 +23058,11 @@
            "pattern": "^(?:(?:\\d\\d[2468][048]|\\d\\d[13579][26]|\\d\\d0[48]|[02468][048]00|[13579][26]00)-02-29|\\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\\d|30)|(?:02)-(?:0[1-9]|1\\d|2[0-8])))T(?:(?:[01]\\d|2[0-3]):[0-5]\\d(?::[0-5]\\d(?:\\.\\d+)?)?(?:Z))$",
            "type": "string"
          },
+          "faceClusterId": {
+            "description": "Person ID",
+            "nullable": true,
+            "type": "string"
+          },
          "id": {
            "description": "Asset face ID",
            "type": "string"
@@ -22913,11 +23083,6 @@
            "description": "Is the face visible in the asset",
            "type": "boolean"
          },
-          "personId": {
-            "description": "Person ID",
-            "nullable": true,
-            "type": "string"
-          },
          "sourceType": {
            "description": "Source type",
            "type": "string"
@@ -22930,11 +23095,11 @@
          "boundingBoxY1",
          "boundingBoxY2",
          "deletedAt",
+          "faceClusterId",
          "id",
          "imageHeight",
          "imageWidth",
          "isVisible",
-          "personId",
          "sourceType"
        ],
        "type": "object"
@@ -25426,6 +25591,24 @@
        },
        "type": "object"
      },
+      "UpdateSharingOptionsDto": {
+        "properties": {
+          "inTimeline": {
+            "type": "boolean"
+          },
+          "permissions": {
+            "items": {
+              "$ref": "#/components/schemas/SharingPermission"
+            },
+            "type": "array"
+          }
+        },
+        "required": [
+          "inTimeline",
+          "permissions"
+        ],
+        "type": "object"
+      },
      "UsageByUserDto": {
        "properties": {
          "photos": {
@@ -7,7 +7,7 @@
    "format": "prettier --cache --check i18n/",
    "format:fix": "prettier --cache --write --list-different i18n"
  },
-  "packageManager": "pnpm@10.33.1+sha512.05ba3c1d5d1c18f68df06470d74055e62d41fc110a0c660db1b2dfb2785327f04cf0f68345d4609bc52089e7fa0343c31593b2f9594e2c5d5da426230acc9820",
+  "packageManager": "pnpm@10.33.4+sha512.1c67b3b359b2d408119ba1ed289f34b8fc3c6873412bec6fd264fbdc82489e510fcbecb9ce9d22dae7f3b76269d8441046014bdca53b9979cd7a561ad631b800",
  "engines": {
    "pnpm": ">=10.0.0"
  },
@@ -25,7 +25,7 @@
    "@types/lodash-es": "^4.17.12",
    "@types/micromatch": "^4.0.9",
    "@types/mock-fs": "^4.13.1",
-    "@types/node": "^24.12.2",
+    "@types/node": "^24.12.4",
    "@vitest/coverage-v8": "^4.0.0",
    "byte-size": "^9.0.0",
    "cli-progress": "^3.12.0",
@@ -13,5 +13,5 @@
    "oidc-provider": "^9.0.0",
    "tsx": "^4.20.6"
  },
-  "packageManager": "pnpm@10.33.1"
+  "packageManager": "pnpm@10.33.4"
 }
@@ -24,11 +24,11 @@
  "keywords": [],
  "author": "",
  "license": "GNU Affero General Public License version 3",
-  "packageManager": "pnpm@10.30.3",
+  "packageManager": "pnpm@10.33.4",
  "devDependencies": {
    "@extism/js-pdk": "^1.1.1",
-    "@types/node": "^24.11.0",
-    "esbuild": "^0.27.3",
+    "@types/node": "^24.12.4",
+    "esbuild": "^0.28.0",
    "tsc-alias": "^1.8.16",
    "typescript": "^5.9.3"
  },
@@ -24,7 +24,7 @@
    "@oazapfts/runtime": "^1.0.2"
  },
  "devDependencies": {
-    "@types/node": "^24.12.2",
+    "@types/node": "^24.12.4",
    "typescript": "^6.0.0"
  }
 }
@@ -555,6 +555,14 @@ export type MapMarkerResponseDto = {
    /** State/Province name */
    state: string | null;
 };
+export type SharingOptionsResponseDto = {
+    inTimeline: boolean;
+    permissions: SharingPermission[];
+};
+export type UpdateSharingOptionsDto = {
+    inTimeline: boolean;
+    permissions: SharingPermission[];
+};
 export type UpdateAlbumUserDto = {
    role: AlbumUserRole;
 };
@@ -792,6 +800,8 @@ export type PersonResponseDto = {
    birthDate: string | null;
    /** Person color (hex) */
    color?: string;
+    /** Face cluster ID */
+    faceClusterId: string | null;
    /** Person ID */
    id: string;
    /** Is favorite */
@@ -875,6 +885,7 @@ export type AssetResponseDto = {
    /** Owner user ID */
    ownerId: string;
    people?: PersonResponseDto[];
+    permissions: SharingPermission[];
    /** Is resized */
    resized?: boolean;
    stack?: (AssetStackResponseDto) | null;
@@ -1460,8 +1471,8 @@ export type PersonUpdateDto = {
    /** Person name */
    name?: string;
 };
-export type MergePersonDto = {
-    /** Person IDs to merge */
+export type MergeFaceClusterDto = {
+    /** Face cluster IDs to merge */
    ids: string[];
 };
 export type AssetFaceUpdateItem = {
@@ -2922,6 +2933,8 @@ export type SyncAssetFaceV2 = {
    boundingBoxY2: number;
    /** Face deleted at */
    deletedAt: string | null;
+    /** Person ID */
+    faceClusterId: string | null;
    /** Asset face ID */
    id: string;
    /** Image height */
@@ -2930,8 +2943,6 @@ export type SyncAssetFaceV2 = {
    imageWidth: number;
    /** Is the face visible in the asset */
    isVisible: boolean;
-    /** Person ID */
-    personId: string | null;
    /** Source type */
    sourceType: string;
 };
@@ -3727,6 +3738,32 @@ export function getAlbumMapMarkers({ id, key, slug }: {
        ...opts
    }));
 }
+/**
+ * Get own sharing permissions
+ */
+export function getOwnAlbumUser({ id }: {
+    id: string;
+}, opts?: Oazapfts.RequestOpts) {
+    return oazapfts.ok(oazapfts.fetchJson<{
+        status: 200;
+        data: SharingOptionsResponseDto;
+    }>(`/albums/${encodeURIComponent(id)}/user/self`, {
+        ...opts
+    }));
+}
+/**
+ * Update own sharing permissions
+ */
+export function updateOwnAlbumUser({ id, updateSharingOptionsDto }: {
+    id: string;
+    updateSharingOptionsDto: UpdateSharingOptionsDto;
+}, opts?: Oazapfts.RequestOpts) {
+    return oazapfts.ok(oazapfts.fetchText(`/albums/${encodeURIComponent(id)}/user/self`, oazapfts.json({
+        ...opts,
+        method: "PUT",
+        body: updateSharingOptionsDto
+    })));
+}
 /**
 * Remove user from album
 */
@@ -5131,9 +5168,9 @@ export function updatePerson({ id, personUpdateDto }: {
 /**
 * Merge people
 */
-export function mergePerson({ id, mergePersonDto }: {
+export function mergePerson({ id, mergeFaceClusterDto }: {
    id: string;
-    mergePersonDto: MergePersonDto;
+    mergeFaceClusterDto: MergeFaceClusterDto;
 }, opts?: Oazapfts.RequestOpts) {
    return oazapfts.ok(oazapfts.fetchJson<{
        status: 200;
@@ -5141,7 +5178,7 @@ export function mergePerson({ id, mergePersonDto }: {
    }>(`/people/${encodeURIComponent(id)}/merge`, oazapfts.json({
        ...opts,
        method: "POST",
-        body: mergePersonDto
+        body: mergeFaceClusterDto
    })));
 }
 /**
@@ -6788,6 +6825,19 @@ export enum BulkIdErrorReason {
    Unknown = "unknown",
    Validation = "validation"
 }
+export enum SharingPermission {
+    All = "all",
+    AssetRead = "asset.read",
+    AssetUpdate = "asset.update",
+    AssetEdit = "asset.edit",
+    AssetDelete = "asset.delete",
+    AssetShare = "asset.share",
+    ExifRead = "exif.read",
+    PersonRead = "person.read",
+    PersonUpdate = "person.update",
+    PersonMerge = "person.merge",
+    PersonDelete = "person.delete"
+}
 export enum Permission {
    All = "all",
    ActivityCreate = "activity.create",
@@ -6995,7 +7045,8 @@ export enum ManualJobName {
    UserCleanup = "user-cleanup",
    MemoryCleanup = "memory-cleanup",
    MemoryCreate = "memory-create",
-    BackupDatabase = "backup-database"
+    BackupDatabase = "backup-database",
+    PersonGroupMerge = "person-group-merge"
 }
 export enum QueueName {
    ThumbnailGeneration = "thumbnailGeneration",
@@ -7072,6 +7123,7 @@ export enum JobName {
    DatabaseBackup = "DatabaseBackup",
    FacialRecognitionQueueAll = "FacialRecognitionQueueAll",
    FacialRecognition = "FacialRecognition",
+    FacialRecognitionMerge = "FacialRecognitionMerge",
    FileDelete = "FileDelete",
    FileMigrationQueueAll = "FileMigrationQueueAll",
    LibraryDeleteCheck = "LibraryDeleteCheck",
@@ -55,7 +55,7 @@ FROM builder AS plugins

 ARG TARGETPLATFORM

-COPY --from=ghcr.io/jdx/mise:2026.3.12@sha256:0210678cbf58413806531a27adb2c7daf1c37238e56e8f7ea381d73521571775 /usr/local/bin/mise /usr/local/bin/mise
+COPY --from=ghcr.io/jdx/mise:2026.5.11@sha256:2ba959e4827f845fe0c4cfb4814089e790dc513040ef74f9e14925f446412a51 /usr/local/bin/mise /usr/local/bin/mise

 WORKDIR /app
 COPY ./mise.toml ./mise.toml
@@ -49,14 +49,14 @@
    "@nestjs/websockets": "^11.0.4",
    "@opentelemetry/api": "^1.9.0",
    "@opentelemetry/context-async-hooks": "^2.0.0",
-    "@opentelemetry/exporter-prometheus": "^0.217.0",
-    "@opentelemetry/instrumentation-http": "^0.215.0",
-    "@opentelemetry/instrumentation-ioredis": "^0.63.0",
-    "@opentelemetry/instrumentation-nestjs-core": "^0.61.0",
-    "@opentelemetry/instrumentation-pg": "^0.67.0",
+    "@opentelemetry/exporter-prometheus": "^0.218.0",
+    "@opentelemetry/instrumentation-http": "^0.218.0",
+    "@opentelemetry/instrumentation-ioredis": "^0.66.0",
+    "@opentelemetry/instrumentation-nestjs-core": "^0.64.0",
+    "@opentelemetry/instrumentation-pg": "^0.70.0",
    "@opentelemetry/resources": "^2.0.1",
    "@opentelemetry/sdk-metrics": "^2.0.1",
-    "@opentelemetry/sdk-node": "^0.217.0",
+    "@opentelemetry/sdk-node": "^0.218.0",
    "@opentelemetry/semantic-conventions": "^1.34.0",
    "@react-email/components": "^1.0.0",
    "@react-email/render": "^2.0.0",
@@ -116,7 +116,7 @@
    "ua-parser-js": "^2.0.0",
    "uuid": "^14.0.0",
    "validator": "^13.12.0",
-    "zod": "^4.3.6"
+    "zod": "4.3.6"
  },
  "devDependencies": {
    "@eslint/js": "^10.0.0",
@@ -138,7 +138,7 @@
    "@types/luxon": "^3.6.2",
    "@types/mock-fs": "^4.13.1",
    "@types/multer": "^2.0.0",
-    "@types/node": "^24.12.2",
+    "@types/node": "^24.12.4",
    "@types/nodemailer": "^8.0.0",
    "@types/picomatch": "^4.0.0",
    "@types/pngjs": "^6.0.5",
@@ -11,6 +11,7 @@ import {
  GetAlbumsDto,
  UpdateAlbumDto,
  UpdateAlbumUserDto,
+  UpdateSharingPermissionsDto as UpdateSharingOptionsDto,
 } from 'src/dtos/album.dto';
 import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
@@ -165,6 +166,33 @@ export class AlbumController {
    return this.service.addUsers(auth, id, dto);
  }

+  @Get(':id/user/self')
+  @Authenticated({ permission: Permission.AlbumAssetCreate })
+  @Endpoint({
+    summary: 'Get own sharing permissions',
+    description: 'Get the own sharing permissions in a specific album.',
+    history: new HistoryBuilder().added('v3').stable('v3'),
+  })
+  getOwnAlbumUser(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto) {
+    return this.service.getSelf(auth, id);
+  }
+
+  @Put(':id/user/self')
+  @Authenticated({ permission: Permission.AlbumAssetCreate })
+  @HttpCode(HttpStatus.NO_CONTENT)
+  @Endpoint({
+    summary: 'Update own sharing permissions',
+    description: 'Change the own sharing permissions in a specific album.',
+    history: new HistoryBuilder().added('v3').stable('v3'),
+  })
+  updateOwnAlbumUser(
+    @Auth() auth: AuthDto,
+    @Param() { id }: UUIDParamDto,
+    @Body() dto: UpdateSharingOptionsDto,
+  ): Promise<void> {
+    return this.service.updateSelf(auth, id, dto);
+  }
+
  @Put(':id/user/:userId')
  @Authenticated({ permission: Permission.AlbumUserUpdate })
  @HttpCode(HttpStatus.NO_CONTENT)
@@ -19,7 +19,7 @@ import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
 import {
  AssetFaceUpdateDto,
-  MergePersonDto,
+  MergeFaceClusterDto,
  PeopleResponseDto,
  PeopleUpdateDto,
  PersonCreateDto,
@@ -182,7 +182,7 @@ export class PersonController {
  mergePerson(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
-    @Body() dto: MergePersonDto,
+    @Body() dto: MergeFaceClusterDto,
  ): Promise<BulkIdResponseDto[]> {
    return this.service.mergePerson(auth, id, dto);
  }
@@ -9,6 +9,7 @@ import {
  MemoryType,
  Permission,
  SharedLinkType,
+  SharingPermission,
  SourceType,
  UserAvatarColor,
  UserStatus,
@@ -209,6 +210,7 @@ export type Partner = {
  updatedAt: Date;
  updateId: string;
  inTimeline: boolean;
+  permissions: SharingPermission[];
 };

 export type Place = {
@@ -252,6 +254,7 @@ export type Person = {
  faceAssetId: string | null;
  isHidden: boolean;
  thumbnailPath: string;
+  faceClusterId: string | null;
 };

 export type AssetFace = {
@@ -264,7 +267,7 @@ export type AssetFace = {
  boundingBoxY2: number;
  imageHeight: number;
  imageWidth: number;
-  personId: string | null;
+  faceClusterId: string | null;
  sourceType: SourceType;
  person?: ShallowDehydrateObject<Person> | null;
  updatedAt: Date;
@@ -3,8 +3,8 @@ import { createZodDto } from 'nestjs-zod';
 import { AlbumUser, AuthSharedLink } from 'src/database';
 import { BulkIdErrorReasonSchema } from 'src/dtos/asset-ids.response.dto';
 import { MapAsset } from 'src/dtos/asset-response.dto';
-import { UserResponseSchema, mapUser } from 'src/dtos/user.dto';
-import { AlbumUserRole, AlbumUserRoleSchema, AssetOrder, AssetOrderSchema } from 'src/enum';
+import { mapUser, UserResponseSchema } from 'src/dtos/user.dto';
+import { AlbumUserRole, AlbumUserRoleSchema, AssetOrder, AssetOrderSchema, SharingPermissionSchema } from 'src/enum';
 import { MaybeDehydrated } from 'src/types';
 import { asDateString } from 'src/utils/date';
 import { stringToBool } from 'src/validation';
@@ -63,6 +63,14 @@ const UpdateAlbumSchema = z
  })
  .meta({ id: 'UpdateAlbumDto' });

+const UpdateSharingOptionsSchema = z
+  .object({ inTimeline: z.boolean(), permissions: z.array(SharingPermissionSchema) })
+  .meta({ id: 'UpdateSharingOptionsDto' });
+
+const SharingOptionsResponseSchema = z
+  .object({ inTimeline: z.boolean(), permissions: z.array(SharingPermissionSchema) })
+  .meta({ id: 'SharingOptionsResponseDto' });
+
 const GetAlbumsSchema = z
  .object({
    isOwned: stringToBool
@@ -147,6 +155,8 @@ export class UpdateAlbumDto extends createZodDto(UpdateAlbumSchema) {}
 export class GetAlbumsDto extends createZodDto(GetAlbumsSchema) {}
 export class AlbumStatisticsResponseDto extends createZodDto(AlbumStatisticsResponseSchema) {}
 export class UpdateAlbumUserDto extends createZodDto(UpdateAlbumUserSchema) {}
+export class UpdateSharingPermissionsDto extends createZodDto(UpdateSharingOptionsSchema) {}
+export class SharingPermissionsResponseDto extends createZodDto(SharingOptionsResponseSchema) {}
 export class AlbumResponseDto extends createZodDto(AlbumResponseSchema) {}
 class AlbumUserResponseDto extends createZodDto(AlbumUserResponseSchema) {}

@@ -15,6 +15,8 @@ import {
  AssetVisibility,
  AssetVisibilitySchema,
  ChecksumAlgorithm,
+  SharingPermission,
+  SharingPermissionSchema,
 } from 'src/enum';
 import { MaybeDehydrated } from 'src/types';
 import { hexOrBufferToBase64 } from 'src/utils/bytes';
@@ -45,6 +47,7 @@ const SanitizedAssetResponseSchema = z
    hasMetadata: z.boolean().describe('Whether asset has metadata'),
    width: z.int().min(0).nullable().describe('Asset width'),
    height: z.int().min(0).nullable().describe('Asset height'),
+    permissions: z.array(SharingPermissionSchema),
  })
  .meta({ id: 'SanitizedAssetResponseDto' });

@@ -113,6 +116,7 @@ export const AssetResponseSchema = SanitizedAssetResponseSchema.extend(
      .boolean()
      .describe('Is edited')
      .meta(new HistoryBuilder().added('v2.5.0').beta('v2.5.0').getExtensions()),
+    permissions: z.array(SharingPermissionSchema),
  }).shape,
 ).meta({ id: 'AssetResponseDto' });

@@ -154,6 +158,7 @@ export type MapAsset = {
  width: number | null;
  height: number | null;
  isEdited: boolean;
+  permissions?: { permission: SharingPermission }[];
 };

 export type AssetMapOptions = {
@@ -192,8 +197,16 @@ const mapStack = (entity: { stack?: Stack | null }) => {

 export function mapAsset(entity: MaybeDehydrated<MapAsset>, options: AssetMapOptions = {}): AssetResponseDto {
  const { stripMetadata = false, withStack = false } = options;
+  const permissions =
+    options.auth?.user.id === entity.ownerId
+      ? [SharingPermission.All]
+      : (entity.permissions?.map(({ permission }) => permission) ?? []);

-  if (stripMetadata) {
+  if (
+    stripMetadata ||
+    (entity.permissions &&
+      !(permissions.includes(SharingPermission.All) || permissions.includes(SharingPermission.ExifRead)))
+  ) {
    const sanitizedAssetResponse: SanitizedAssetResponseDto = {
      id: entity.id,
      type: entity.type,
@@ -205,6 +218,7 @@ export function mapAsset(entity: MaybeDehydrated<MapAsset>, options: AssetMapOpt
      hasMetadata: false,
      width: entity.width,
      height: entity.height,
+      permissions,
    };
    return sanitizedAssetResponse as AssetResponseDto;
  }
@@ -242,5 +256,6 @@ export function mapAsset(entity: MaybeDehydrated<MapAsset>, options: AssetMapOpt
    width: entity.width,
    height: entity.height,
    isEdited: entity.isEdited,
+    permissions,
  };
 }
@@ -40,11 +40,11 @@ const PeopleUpdateSchema = z
  })
  .meta({ id: 'PeopleUpdateDto' });

-const MergePersonSchema = z
+const MergeFaceClusterSchema = z
  .object({
-    ids: z.array(z.uuidv4()).describe('Person IDs to merge'),
+    ids: z.array(z.uuidv4()).describe('Face cluster IDs to merge'),
  })
-  .meta({ id: 'MergePersonDto' });
+  .meta({ id: 'MergeFaceClusterDto' });

 const PersonSearchSchema = z
  .object({
@@ -81,13 +81,14 @@ export const PersonResponseSchema = z
      .optional()
      .describe('Person color (hex)')
      .meta(new HistoryBuilder().added('v1.126.0').stable('v2').getExtensions()),
+    faceClusterId: z.string().nullable().describe('Face cluster ID'),
  })
  .meta({ id: 'PersonResponseDto' });

 export class PersonCreateDto extends createZodDto(PersonCreateSchema) {}
 export class PersonUpdateDto extends createZodDto(PersonUpdateSchema) {}
 export class PeopleUpdateDto extends createZodDto(PeopleUpdateSchema) {}
-export class MergePersonDto extends createZodDto(MergePersonSchema) {}
+export class MergeFaceClusterDto extends createZodDto(MergeFaceClusterSchema) {}
 export class PersonSearchDto extends createZodDto(PersonSearchSchema) {}
 export class PersonResponseDto extends createZodDto(PersonResponseSchema) {}

@@ -179,6 +180,7 @@ export function mapPerson(person: MaybeDehydrated<Person>): PersonResponseDto {
    isFavorite: person.isFavorite,
    color: person.color ?? undefined,
    updatedAt: asDateString(person.updatedAt),
+    faceClusterId: person.faceClusterId,
  };
 }

@@ -374,10 +374,13 @@ const SyncAssetFaceV1Schema = z
  })
  .meta({ id: 'SyncAssetFaceV1' });

-const SyncAssetFaceV2Schema = SyncAssetFaceV1Schema.extend({
-  deletedAt: isoDatetimeToDate.nullable().describe('Face deleted at'),
-  isVisible: z.boolean().describe('Is the face visible in the asset'),
-}).meta({ id: 'SyncAssetFaceV2' });
+const SyncAssetFaceV2Schema = SyncAssetFaceV1Schema.omit({ personId: true })
+  .extend({
+    deletedAt: isoDatetimeToDate.nullable().describe('Face deleted at'),
+    isVisible: z.boolean().describe('Is the face visible in the asset'),
+    faceClusterId: z.string().nullable().describe('Person ID'),
+  })
+  .meta({ id: 'SyncAssetFaceV2' });

 const SyncAssetFaceDeleteV1Schema = z
  .object({ assetFaceId: z.string().describe('Asset face ID') })
@@ -306,6 +306,28 @@ export enum Permission {
  AdminAuthUnlinkAll = 'adminAuth.unlinkAll',
 }

+export enum SharingPermission {
+  All = 'all',
+
+  AssetRead = 'asset.read',
+  AssetUpdate = 'asset.update',
+  AssetEdit = 'asset.edit',
+  AssetDelete = 'asset.delete',
+  AssetShare = 'asset.share',
+
+  ExifRead = 'exif.read',
+
+  PersonRead = 'person.read',
+  PersonUpdate = 'person.update',
+  PersonMerge = 'person.merge',
+  PersonDelete = 'person.delete',
+}
+
+export const SharingPermissionSchema = z
+  .enum(SharingPermission)
+  .describe('Sharing permission schema')
+  .meta({ id: 'SharingPermission' });
+
 export enum SharedLinkType {
  Album = 'ALBUM',

@@ -404,6 +426,7 @@ export enum ManualJobName {
  MemoryCleanup = 'memory-cleanup',
  MemoryCreate = 'memory-create',
  BackupDatabase = 'backup-database',
+  PersonGroupMerge = 'person-group-merge',
 }

 export const ManualJobNameSchema = z.enum(ManualJobName).describe('Manual job name').meta({ id: 'ManualJobName' });
@@ -813,6 +836,7 @@ export enum JobName {

  FacialRecognitionQueueAll = 'FacialRecognitionQueueAll',
  FacialRecognition = 'FacialRecognition',
+  FacialRecognitionMerge = 'FacialRecognitionMerge',

  FileDelete = 'FileDelete',
  FileMigrationQueueAll = 'FileMigrationQueueAll',
@@ -149,6 +149,40 @@ where
    "albumAssets"."livePhotoVideoId"
  ] && array[$2]::uuid[]

+-- AccessRepository.asset.checkSharedAccess
+select
+  "album_asset"."assetId"
+from
+  "album_asset"
+  inner join "album_user" on "album_asset"."albumId" = "album_user"."albumId"
+  and "album_user"."userId" = $1
+where
+  "album_asset"."assetId" in ($2)
+  and "album_asset"."albumId" in (
+    select
+      "album_user"."albumId"
+    from
+      "album_user"
+    where
+      (
+        "album_user"."permissions" @> $3::sharing_permission_enum[]
+        or $4 = any ("album_user"."permissions")
+      )
+  )
+union
+select
+  "asset"."id" as "assetId"
+from
+  "partner"
+  inner join "asset" on "asset"."ownerId" = "partner"."sharedById"
+  and "asset"."id" in ($5)
+where
+  "partner"."sharedWithId" = $6
+  and (
+    "partner"."permissions" @> $7::sharing_permission_enum[]
+    or $8 = any ("partner"."permissions")
+  )
+
 -- AccessRepository.authDevice.checkOwnerAccess
 select
  "session"."id"
@@ -182,18 +182,25 @@ select
    from
      (
        select
-          "asset_face".*,
-          "person" as "person"
+          (
+            select
+              to_json(obj)
+            from
+              (
+                select
+                  "person".*
+                from
+                  "face_cluster"
+                  inner join "person" on "person"."faceClusterId" = "face_cluster"."id"
+                where
+                  "face_cluster"."id" = "asset_face"."faceClusterId"
+                limit
+                  $1
+              ) as obj
+          ) as "person",
+          "asset_face".*
        from
          "asset_face"
-          left join lateral (
-            select
-              "person".*
-            from
-              "person"
-            where
-              "asset_face"."personId" = "person"."id"
-          ) as "person" on true
        where
          "asset_face"."assetId" = "asset"."id"
          and "asset_face"."deletedAt" is null
@@ -224,7 +231,7 @@ from
  "asset"
  left join "asset_exif" on "asset"."id" = "asset_exif"."assetId"
 where
-  "asset"."id" = any ($1::uuid[])
+  "asset"."id" = any ($2::uuid[])

 -- AssetRepository.deleteAll
 delete from "asset"
@@ -290,13 +297,44 @@ limit

 -- AssetRepository.getById
 select
-  "asset".*
+  "asset".*,
+  (
+    select
+      coalesce(json_agg(agg), '[]')
+    from
+      (
+        select distinct
+          unnest("album_user"."permissions") as "permission"
+        from
+          "album_user"
+          inner join "album_asset" on "album_user"."albumId" = "album_asset"."albumId"
+        where
+          "album_asset"."assetId" = "asset"."id"
+          and "album_user"."userId" = "asset"."ownerId"
+          and "album_user"."albumId" in (
+            select
+              "album_user"."albumId"
+            from
+              "album_user"
+            where
+              "album_user"."userId" = $1
+          )
+        union
+        select distinct
+          unnest("partner"."permissions") as "permission"
+        from
+          "partner"
+        where
+          "partner"."sharedById" = "asset"."ownerId"
+          and "partner"."sharedWithId" = $2
+      ) as agg
+  ) as "permissions"
 from
  "asset"
 where
-  "asset"."id" = $1::uuid
+  "asset"."id" = $3::uuid
 limit
-  $2
+  $4

 -- AssetRepository.updateAll
 update "asset"
@@ -47,7 +47,7 @@ select
              $1 as "one"
            from
              "asset_face"
-              inner join "person" on "person"."id" = "asset_face"."personId"
+              inner join "person" on "person"."faceClusterId" = "asset_face"."faceClusterId"
            where
              "asset_face"."assetId" = "asset"."id"
              and "person"."isHidden" = $2
@@ -86,7 +86,7 @@ select
              $1 as "one"
            from
              "asset_face"
-              inner join "person" on "person"."id" = "asset_face"."personId"
+              inner join "person" on "person"."faceClusterId" = "asset_face"."faceClusterId"
            where
              "asset_face"."assetId" = "asset"."id"
              and "person"."isHidden" = $2
@@ -3,9 +3,6 @@
 -- PersonRepository.reassignFaces
 update "asset_face"
 set
-  "personId" = $1
-where
-  "asset_face"."personId" = $2

 -- PersonRepository.delete
 delete from "person"
@@ -24,27 +21,64 @@ limit
  3

 -- PersonRepository.getAllForUser
-select
-  "person".*
+select distinct
+  on ("person"."faceClusterId") "person".*
 from
  "person"
-  inner join "asset_face" on "asset_face"."personId" = "person"."id"
+  inner join "asset_face" on "asset_face"."faceClusterId" = "person"."faceClusterId"
  inner join "asset" on "asset_face"."assetId" = "asset"."id"
  and "asset"."visibility" = 'timeline'
  and "asset"."deletedAt" is null
 where
-  "person"."ownerId" = $1
+  (
+    "person"."ownerId" = $1
+    or (
+      exists (
+        select
+        from
+          "partner"
+        where
+          "partner"."sharedById" = "person"."ownerId"
+          and "partner"."sharedWithId" = $2
+          and (
+            $3 = any ("partner"."permissions")
+            or "partner"."permissions" @> $4
+          )
+      )
+      or exists (
+        select
+        from
+          "album_user"
+        where
+          "album_user"."albumId" in (
+            select
+              "album_user"."albumId"
+            from
+              "album_user"
+            where
+              "album_user"."userId" = $5
+          )
+          and "album_user"."userId" = "person"."ownerId"
+          and (
+            $6 = any ("album_user"."permissions")
+            or "album_user"."permissions" @> $7
+          )
+      )
+    )
+  )
  and "asset_face"."deletedAt" is null
  and "asset_face"."isVisible" is true
-  and "person"."isHidden" = $2
+  and "person"."isHidden" = $8
 group by
  "person"."id"
 having
  (
-    "person"."name" != $3
-    or count("asset_face"."assetId") >= $4
+    "person"."name" != $9
+    or count("asset_face"."assetId") >= $10
  )
 order by
+  "person"."faceClusterId",
+  "person"."ownerId" = $11 desc,
  "person"."isHidden" asc,
  "person"."isFavorite" desc,
  NULLIF(person.name, '') is null asc,
@@ -52,16 +86,16 @@ order by
  NULLIF(person.name, '') asc nulls last,
  "person"."createdAt"
 limit
-  $5
+  $12
 offset
-  $6
+  $13

 -- PersonRepository.getAllWithoutFaces
 select
  "person".*
 from
  "person"
-  left join "asset_face" on "asset_face"."personId" = "person"."id"
+  left join "asset_face" on "asset_face"."faceClusterId" = "person"."faceClusterId"
 where
  "asset_face"."deletedAt" is null
  and "asset_face"."isVisible" is true
@@ -72,20 +106,7 @@ having

 -- PersonRepository.getFaces
 select
-  "asset_face".*,
-  (
-    select
-      to_json(obj)
-    from
-      (
-        select
-          "person".*
-        from
-          "person"
-        where
-          "person"."id" = "asset_face"."personId"
-      ) as obj
-  ) as "person"
+  "asset_face".*
 from
  "asset_face"
 where
@@ -108,19 +129,30 @@ select
        from
          "person"
        where
-          "person"."id" = "asset_face"."personId"
+          "person"."faceClusterId" = "asset_face"."faceClusterId"
+        order by
+          "person"."ownerId" = (
+            select
+              "asset"."ownerId"
+            from
+              "asset"
+            where
+              "asset"."id" = "asset_face"."assetId"
+          ) desc
+        limit
+          $1
      ) as obj
  ) as "person"
 from
  "asset_face"
 where
-  "asset_face"."id" = $1
+  "asset_face"."id" = $2
  and "asset_face"."deletedAt" is null

 -- PersonRepository.getFaceForFacialRecognitionJob
 select
  "asset_face"."id",
-  "asset_face"."personId",
+  "asset_face"."faceClusterId",
  "asset_face"."sourceType",
  (
    select
@@ -190,7 +222,7 @@ where
 -- PersonRepository.reassignFace
 update "asset_face"
 set
-  "personId" = $1
+  "faceClusterId" = $1
 where
  "asset_face"."id" = $2

@@ -209,9 +241,10 @@ where
  "person"."ownerId" = $1
  and f_unaccent ("person"."name") %> f_unaccent ($2)
 order by
-  f_unaccent ("person"."name") <->>> f_unaccent ($3)
+  f_unaccent ("person"."name") <->>> f_unaccent ($3),
+  "person"."ownerId" = $4 desc
 limit
-  $4
+  $5

 -- PersonRepository.getDistinctNames
 select distinct
@@ -234,9 +267,45 @@ from
  and "asset"."visibility" = 'timeline'
  and "asset"."deletedAt" is null
 where
-  "asset_face"."deletedAt" is null
+  (
+    "asset"."ownerId" = $1
+    or exists (
+      select
+      from
+        "partner"
+      where
+        "partner"."sharedById" = "asset"."ownerId"
+        and "partner"."sharedWithId" = $2
+        and (
+          $3 = any ("partner"."permissions")
+          or "partner"."permissions" @> $4
+        )
+    )
+    or exists (
+      select
+      from
+        "album_asset"
+        inner join "album_user" on "album_user"."albumId" = "album_asset"."albumId"
+        and "album_user"."userId" = $5
+      where
+        "album_asset"."assetId" = "asset"."id"
+        and "album_user"."albumId" in (
+          select
+            "album_user"."albumId"
+          from
+            "album_user"
+          where
+            "album_user"."userId" = "asset"."ownerId"
+            and (
+              $6 = any ("album_user"."permissions")
+              or "album_user"."permissions" @> $7
+            )
+        )
+    )
+  )
+  and "asset_face"."deletedAt" is null
  and "asset_face"."isVisible" is true
-  and "asset_face"."personId" = $1
+  and "asset_face"."faceClusterId" = $8

 -- PersonRepository.getNumberOfPeople
 select
@@ -256,7 +325,7 @@ where
    from
      "asset_face"
    where
-      "asset_face"."personId" = "person"."id"
+      "asset_face"."faceClusterId" = "person"."faceClusterId"
      and "asset_face"."deletedAt" is null
      and "asset_face"."isVisible" = $2
      and exists (
@@ -269,7 +338,42 @@ where
          and "asset"."deletedAt" is null
      )
  )
-  and "person"."ownerId" = $3
+  and (
+    "person"."ownerId" = $3
+    or (
+      exists (
+        select
+        from
+          "partner"
+        where
+          "partner"."sharedById" = "person"."ownerId"
+          and "partner"."sharedWithId" = $4
+          and (
+            $5 = any ("partner"."permissions")
+            or "partner"."permissions" @> $6
+          )
+      )
+      or exists (
+        select
+        from
+          "album_user"
+        where
+          "album_user"."albumId" in (
+            select
+              "album_user"."albumId"
+            from
+              "album_user"
+            where
+              "album_user"."userId" = $7
+          )
+          and "album_user"."userId" = "person"."ownerId"
+          and (
+            $8 = any ("album_user"."permissions")
+            or "album_user"."permissions" @> $9
+          )
+      )
+    )
+  )

 -- PersonRepository.refreshFaces
 with
@@ -299,14 +403,26 @@ select
        from
          "person"
        where
-          "person"."id" = "asset_face"."personId"
+          "person"."faceClusterId" = "asset_face"."faceClusterId"
+        order by
+          "person"."ownerId" = (
+            select
+              "asset"."ownerId"
+            from
+              "asset"
+            where
+              "asset"."id" = "asset_face"."assetId"
+          ) desc
+        limit
+          $1
      ) as obj
  ) as "person"
 from
  "asset_face"
+  inner join "person" on "person"."faceClusterId" = "asset_face"."faceClusterId"
 where
-  "asset_face"."assetId" in ($1)
-  and "asset_face"."personId" in ($2)
+  "person"."id" in ($2)
+  and "asset_face"."assetId" in ($3)
  and "asset_face"."deletedAt" is null

 -- PersonRepository.getRandomFace
@@ -315,7 +431,7 @@ select
 from
  "asset_face"
 where
-  "asset_face"."personId" = $1
+  "asset_face"."faceClusterId" = $1
  and "asset_face"."deletedAt" is null
  and "asset_face"."isVisible" is true

@@ -351,8 +467,9 @@ select
  "asset_face"."id"
 from
  "asset_face"
+  inner join "person" on "person"."faceClusterId" = "asset_face"."faceClusterId"
+  and "person"."id" = $1
  inner join "asset" on "asset"."id" = "asset_face"."assetId"
-  and "asset"."isOffline" = $1
+  and "asset"."isOffline" = $2
 where
-  "asset_face"."assetId" = $2
-  and "asset_face"."personId" = $3
+  "asset_face"."assetId" = $3
@@ -10,15 +10,52 @@ where
  "asset"."visibility" = $1
  and "asset"."fileCreatedAt" >= $2
  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  and (
+    "asset"."ownerId" = $4
+    or exists (
+      select
+      from
+        "partner"
+      where
+        "partner"."sharedById" = "asset"."ownerId"
+        and "partner"."sharedWithId" = $5
+        and (
+          $6 = any ("partner"."permissions")
+          or "partner"."permissions" @> $7
+        )
+        and "partner"."inTimeline" = $8
+    )
+    or exists (
+      select
+      from
+        "album_asset"
+        inner join "album_user" on "album_user"."albumId" = "album_asset"."albumId"
+        and "album_user"."userId" = $9
+      where
+        "album_asset"."assetId" = "asset"."id"
+        and "album_user"."inTimeline" = $10
+        and "album_user"."albumId" in (
+          select
+            "album_user"."albumId"
+          from
+            "album_user"
+          where
+            "album_user"."userId" = "asset"."ownerId"
+            and (
+              $11 = any ("album_user"."permissions")
+              or "album_user"."permissions" @> $12
+            )
+        )
+    )
+  )
+  and "asset"."isFavorite" = $13
  and "asset"."deletedAt" is null
 order by
  "asset"."fileCreatedAt" desc
 limit
-  $6
+  $14
 offset
-  $7
+  $15

 -- SearchRepository.searchStatistics
 select
@@ -30,8 +67,45 @@ where
  "asset"."visibility" = $1
  and "asset"."fileCreatedAt" >= $2
  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  and (
+    "asset"."ownerId" = $4
+    or exists (
+      select
+      from
+        "partner"
+      where
+        "partner"."sharedById" = "asset"."ownerId"
+        and "partner"."sharedWithId" = $5
+        and (
+          $6 = any ("partner"."permissions")
+          or "partner"."permissions" @> $7
+        )
+        and "partner"."inTimeline" = $8
+    )
+    or exists (
+      select
+      from
+        "album_asset"
+        inner join "album_user" on "album_user"."albumId" = "album_asset"."albumId"
+        and "album_user"."userId" = $9
+      where
+        "album_asset"."assetId" = "asset"."id"
+        and "album_user"."inTimeline" = $10
+        and "album_user"."albumId" in (
+          select
+            "album_user"."albumId"
+          from
+            "album_user"
+          where
+            "album_user"."userId" = "asset"."ownerId"
+            and (
+              $11 = any ("album_user"."permissions")
+              or "album_user"."permissions" @> $12
+            )
+        )
+    )
+  )
+  and "asset"."isFavorite" = $13
  and "asset"."deletedAt" is null

 -- SearchRepository.searchRandom
@@ -44,13 +118,50 @@ where
  "asset"."visibility" = $1
  and "asset"."fileCreatedAt" >= $2
  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  and (
+    "asset"."ownerId" = $4
+    or exists (
+      select
+      from
+        "partner"
+      where
+        "partner"."sharedById" = "asset"."ownerId"
+        and "partner"."sharedWithId" = $5
+        and (
+          $6 = any ("partner"."permissions")
+          or "partner"."permissions" @> $7
+        )
+        and "partner"."inTimeline" = $8
+    )
+    or exists (
+      select
+      from
+        "album_asset"
+        inner join "album_user" on "album_user"."albumId" = "album_asset"."albumId"
+        and "album_user"."userId" = $9
+      where
+        "album_asset"."assetId" = "asset"."id"
+        and "album_user"."inTimeline" = $10
+        and "album_user"."albumId" in (
+          select
+            "album_user"."albumId"
+          from
+            "album_user"
+          where
+            "album_user"."userId" = "asset"."ownerId"
+            and (
+              $11 = any ("album_user"."permissions")
+              or "album_user"."permissions" @> $12
+            )
+        )
+    )
+  )
+  and "asset"."isFavorite" = $13
  and "asset"."deletedAt" is null
 order by
  random()
 limit
-  $6
+  $14

 -- SearchRepository.searchLargeAssets
 select
@@ -63,14 +174,51 @@ where
  "asset"."visibility" = $1
  and "asset"."fileCreatedAt" >= $2
  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  and (
+    "asset"."ownerId" = $4
+    or exists (
+      select
+      from
+        "partner"
+      where
+        "partner"."sharedById" = "asset"."ownerId"
+        and "partner"."sharedWithId" = $5
+        and (
+          $6 = any ("partner"."permissions")
+          or "partner"."permissions" @> $7
+        )
+        and "partner"."inTimeline" = $8
+    )
+    or exists (
+      select
+      from
+        "album_asset"
+        inner join "album_user" on "album_user"."albumId" = "album_asset"."albumId"
+        and "album_user"."userId" = $9
+      where
+        "album_asset"."assetId" = "asset"."id"
+        and "album_user"."inTimeline" = $10
+        and "album_user"."albumId" in (
+          select
+            "album_user"."albumId"
+          from
+            "album_user"
+          where
+            "album_user"."userId" = "asset"."ownerId"
+            and (
+              $11 = any ("album_user"."permissions")
+              or "album_user"."permissions" @> $12
+            )
+        )
+    )
+  )
+  and "asset"."isFavorite" = $13
  and "asset"."deletedAt" is null
-  and "asset_exif"."fileSizeInByte" > $6
+  and "asset_exif"."fileSizeInByte" > $14
 order by
  "asset_exif"."fileSizeInByte" desc
 limit
-  $7
+  $15

 -- SearchRepository.searchSmart
 begin
@@ -86,15 +234,52 @@ where
  "asset"."visibility" = $1
  and "asset"."fileCreatedAt" >= $2
  and "asset_exif"."lensModel" = $3
-  and "asset"."ownerId" = any ($4::uuid[])
-  and "asset"."isFavorite" = $5
+  and (
+    "asset"."ownerId" = $4
+    or exists (
+      select
+      from
+        "partner"
+      where
+        "partner"."sharedById" = "asset"."ownerId"
+        and "partner"."sharedWithId" = $5
+        and (
+          $6 = any ("partner"."permissions")
+          or "partner"."permissions" @> $7
+        )
+        and "partner"."inTimeline" = $8
+    )
+    or exists (
+      select
+      from
+        "album_asset"
+        inner join "album_user" on "album_user"."albumId" = "album_asset"."albumId"
+        and "album_user"."userId" = $9
+      where
+        "album_asset"."assetId" = "asset"."id"
+        and "album_user"."inTimeline" = $10
+        and "album_user"."albumId" in (
+          select
+            "album_user"."albumId"
+          from
+            "album_user"
+          where
+            "album_user"."userId" = "asset"."ownerId"
+            and (
+              $11 = any ("album_user"."permissions")
+              or "album_user"."permissions" @> $12
+            )
+        )
+    )
+  )
+  and "asset"."isFavorite" = $13
  and "asset"."deletedAt" is null
 order by
-  smart_search.embedding <=> $6
+  smart_search.embedding <=> $14
 limit
-  $7
+  $15
 offset
-  $8
+  $16
 commit

 -- SearchRepository.getEmbedding
@@ -113,15 +298,30 @@ with
  "cte" as (
    select
      "asset_face"."id",
-      "asset_face"."personId",
-      face_search.embedding <=> $1 as "distance"
+      "asset_face"."faceClusterId",
+      face_search.embedding <=> $1 as "distance",
+      "asset"."ownerId"
    from
      "asset_face"
      inner join "asset" on "asset"."id" = "asset_face"."assetId"
      inner join "face_search" on "face_search"."faceId" = "asset_face"."id"
-      left join "person" on "person"."id" = "asset_face"."personId"
+      left join "person" on "person"."faceClusterId" = "asset_face"."faceClusterId"
    where
-      "asset"."ownerId" = any ($2::uuid[])
+      "asset"."ownerId" in (
+        select
+          "user"."id"
+        from
+          "user"
+        where
+          "user"."trustedGroupId" in (
+            select
+              "user"."trustedGroupId"
+            from
+              "user"
+            where
+              "user"."id" = any ($2::uuid[])
+          )
+      )
      and "asset"."deletedAt" is null
    order by
      "distance"
@@ -527,7 +527,7 @@ order by
 select
  "asset_face"."id",
  "assetId",
-  "personId",
+  "faceClusterId",
  "imageWidth",
  "imageHeight",
  "boundingBoxX1",
@@ -397,3 +397,73 @@ set
 where
  "user"."deletedAt" is null
  and "user"."id" = $2::uuid
+
+-- UserRepository.getInSameTrustedGroup
+select
+  "user"."id"
+from
+  "user"
+where
+  "user"."trustedGroupId" = (
+    select
+      "user"."trustedGroupId"
+    from
+      "user"
+    where
+      "user"."id" = $1
+  )
+
+-- UserRepository.mergeTrustedGroups
+update "user"
+set
+  "trustedGroupId" = "u"."trustedGroupId"
+from
+  "user" as "u"
+where
+  "u"."id" = $1
+  and "user"."trustedGroupId" = (
+    select
+      "user"."trustedGroupId"
+    from
+      "user"
+    where
+      "user"."id" = $2
+      and "user"."trustedGroupId" != "u"."trustedGroupId"
+  )
+
+-- UserRepository.updateTrustedGroups
+update "user"
+set
+  "trustedGroupId" = uuid_generate_v4 ()
+where
+  "user"."trustedGroupId" = (
+    select
+      "user"."trustedGroupId"
+    from
+      "user"
+    where
+      "user"."id" = $1
+  )
+  and "user"."id" != $2
+  and "user"."id" not in (
+    select
+      "partner"."sharedById" as "userId"
+    from
+      "partner"
+    where
+      "sharedWithId" = $3
+    union
+    select
+      "album_user"."userId"
+    from
+      "album_user"
+    where
+      "album_user"."albumId" in (
+        select
+          "album_user"."albumId"
+        from
+          "album_user"
+        where
+          "album_user"."userId" = $4
+      )
+  )
@@ -2,7 +2,9 @@ import { Injectable } from '@nestjs/common';
 import { Kysely, NotNull, sql } from 'kysely';
 import { InjectKysely } from 'nestjs-kysely';
 import { ChunkedSet, DummyValue, GenerateSql } from 'src/decorators';
-import { AlbumUserRole, AssetVisibility } from 'src/enum';
+import { AlbumUserRole, AssetVisibility, SharingPermission } from 'src/enum';
+import { hasAssetPermissions } from 'src/repositories/asset.repository';
+import { hasPermissions } from 'src/repositories/person.repository';
 import { DB } from 'src/schema';
 import { asUuid } from 'src/utils/database';

@@ -273,6 +275,46 @@ class AssetAccess {
        return allowedIds;
      });
  }
+
+  @GenerateSql({ params: [DummyValue.UUID, DummyValue.UUID_SET, [SharingPermission.All]] })
+  async checkSharedAccess(userId: string, assetIds: Set<string>, permissions: SharingPermission[]) {
+    const ids = await this.db
+      .selectFrom('album_asset')
+      .select('album_asset.assetId')
+      .where('album_asset.assetId', 'in', [...assetIds])
+      .where('album_asset.albumId', 'in', (eb) =>
+        eb
+          .selectFrom('album_user')
+          .select('album_user.albumId')
+          .where((eb) =>
+            eb.or([
+              eb('album_user.permissions', '@>', sql<SharingPermission[]>`${permissions}::sharing_permission_enum[]`),
+              eb(eb.val(SharingPermission.All), '=', eb.fn.any('album_user.permissions')),
+            ]),
+          ),
+      )
+      .innerJoin('album_user', (join) =>
+        join.onRef('album_asset.albumId', '=', 'album_user.albumId').on('album_user.userId', '=', userId),
+      )
+      .union((eb) =>
+        eb
+          .selectFrom('partner')
+          .where('partner.sharedWithId', '=', userId)
+          .where((eb) =>
+            eb.or([
+              eb('partner.permissions', '@>', sql<SharingPermission[]>`${permissions}::sharing_permission_enum[]`),
+              eb(eb.val(SharingPermission.All), '=', eb.fn.any('partner.permissions')),
+            ]),
+          )
+          .innerJoin('asset', (join) =>
+            join.onRef('asset.ownerId', '=', 'partner.sharedById').on('asset.id', 'in', [...assetIds]),
+          )
+          .select('asset.id as assetId'),
+      )
+      .execute();
+
+    return new Set(ids.map(({ assetId }) => assetId));
+  }
 }

 class AuthDeviceAccess {
@@ -452,6 +494,37 @@ class PersonAccess {
      .execute()
      .then((faces) => new Set(faces.map((face) => face.id)));
  }
+
+  async checkSharedAccess(userId: string, personIds: Set<string>, permissions: SharingPermission[]) {
+    if (personIds.size === 0) {
+      return new Set<string>();
+    }
+
+    const ids = await this.db
+      .selectFrom('person')
+      .select('person.id')
+      .where('person.id', 'in', [...personIds])
+      .where(hasPermissions(userId, permissions))
+      .execute();
+
+    return new Set(ids.map(({ id }) => id));
+  }
+
+  async checkSharedFaceAccess(userId: string, faceIds: Set<string>, permissions: SharingPermission[]) {
+    if (faceIds.size === 0) {
+      return new Set<string>();
+    }
+
+    const ids = await this.db
+      .selectFrom('asset_face')
+      .select('asset_face.id')
+      .leftJoin('asset', (join) => join.onRef('asset.id', '=', 'asset_face.assetId'))
+      .where('asset_face.id', 'in', [...faceIds])
+      .where(hasAssetPermissions(userId, permissions))
+      .execute();
+
+    return new Set(ids.map(({ id }) => id));
+  }
 }

 class PartnerAccess {
@@ -38,4 +38,13 @@ export class AlbumUserRepository {
  async delete({ userId, albumId }: AlbumPermissionId): Promise<void> {
    await this.db.deleteFrom('album_user').where('userId', '=', userId).where('albumId', '=', albumId).execute();
  }
+
+  get({ userId, albumId }: AlbumPermissionId) {
+    return this.db
+      .selectFrom('album_user')
+      .select(['permissions', 'inTimeline'])
+      .where('userId', '=', userId)
+      .where('albumId', '=', albumId)
+      .executeTakeFirstOrThrow();
+  }
 }
@@ -17,7 +17,15 @@ import { InjectKysely } from 'nestjs-kysely';
 import { LockableProperty, Stack } from 'src/database';
 import { Chunked, ChunkedArray, DummyValue, GenerateSql } from 'src/decorators';
 import { AuthDto } from 'src/dtos/auth.dto';
-import { AssetFileType, AssetOrder, AssetOrderBy, AssetStatus, AssetType, AssetVisibility } from 'src/enum';
+import {
+  AssetFileType,
+  AssetOrder,
+  AssetOrderBy,
+  AssetStatus,
+  AssetType,
+  AssetVisibility,
+  SharingPermission,
+} from 'src/enum';
 import { DB } from 'src/schema';
 import { AssetAudioTable, AssetKeyframeTable, AssetVideoTable } from 'src/schema/tables/asset-av.table';
 import { AssetExifTable } from 'src/schema/tables/asset-exif.table';
@@ -41,6 +49,7 @@ import {
  withFiles,
  withLibrary,
  withOwner,
+  withPermissions,
  withSmartSearch,
  withTagId,
  withTags,
@@ -165,6 +174,47 @@ const withBoundingBox = <T>(qb: SelectQueryBuilder<DB, 'asset' | 'asset_exif', T
  );
 };

+export const hasAssetPermissions =
+  (userId: string, permissions: SharingPermission[], ignoreTimelineVisibility: boolean = false) =>
+  (eb: ExpressionBuilder<DB, 'asset'>) =>
+    eb.or([
+      eb('asset.ownerId', '=', userId),
+      eb.exists(
+        eb
+          .selectFrom('partner')
+          .whereRef('partner.sharedById', '=', 'asset.ownerId')
+          .where('partner.sharedWithId', '=', userId)
+          .where((eb) =>
+            eb.or([
+              eb(eb.val(SharingPermission.All), '=', eb.fn.any('partner.permissions')),
+              eb('partner.permissions', '@>', eb.val(permissions)),
+            ]),
+          )
+          .$if(!ignoreTimelineVisibility, (qb) => qb.where('partner.inTimeline', '=', true)),
+      ),
+      eb.exists(
+        eb
+          .selectFrom('album_asset')
+          .whereRef('album_asset.assetId', '=', 'asset.id')
+          .innerJoin('album_user', (join) =>
+            join.onRef('album_user.albumId', '=', 'album_asset.albumId').on('album_user.userId', '=', userId),
+          )
+          .$if(!ignoreTimelineVisibility, (qb) => qb.where('album_user.inTimeline', '=', true))
+          .where('album_user.albumId', 'in', (eb) =>
+            eb
+              .selectFrom('album_user')
+              .select('album_user.albumId')
+              .whereRef('album_user.userId', '=', 'asset.ownerId')
+              .where((eb) =>
+                eb.or([
+                  eb(eb.val(SharingPermission.All), '=', eb.fn.any('album_user.permissions')),
+                  eb('album_user.permissions', '@>', eb.val(permissions)),
+                ]),
+              ),
+          ),
+      ),
+    ]);
+
@Injectable()
 export class AssetRepository {
  constructor(@InjectKysely() private db: Kysely<DB>) {}
@@ -556,17 +606,22 @@ export class AssetRepository {
      .executeTakeFirst();
  }

-  @GenerateSql({ params: [DummyValue.UUID] })
+  @GenerateSql({ params: [DummyValue.UUID, {}, DummyValue.UUID] })
  getById(
    id: string,
    { exifInfo, faces, files, library, owner, smartSearch, stack, tags, edits }: GetByIdsRelations = {},
+    userId?: string,
  ) {
    return this.db
      .selectFrom('asset')
      .selectAll('asset')
      .where('asset.id', '=', asUuid(id))
      .$if(!!exifInfo, withExif)
-      .$if(!!faces, (qb) => qb.select(faces?.person ? withFacesAndPeople : withFaces).$narrowType<{ faces: NotNull }>())
+      .$if(!!faces, (qb) =>
+        qb
+          .select(faces?.person ? (eb) => withFacesAndPeople(eb, { userId }) : withFaces)
+          .$narrowType<{ faces: NotNull }>(),
+      )
      .$if(!!library, (qb) => qb.select(withLibrary))
      .$if(!!owner, (qb) => qb.select(withOwner))
      .$if(!!smartSearch, withSmartSearch)
@@ -602,6 +657,7 @@ export class AssetRepository {
      .$if(!!files, (qb) => qb.select(withFiles))
      .$if(!!tags, (qb) => qb.select(withTags))
      .$if(!!edits, (qb) => qb.select(withEdits))
+      .$if(!!userId, (qb) => qb.select(withPermissions(userId!)))
      .limit(1)
      .executeTakeFirst();
  }
@@ -744,7 +800,9 @@ export class AssetRepository {
              )
              .where((eb) => eb.or([eb('asset.stackId', 'is', null), eb(eb.table('stack'), 'is not', null)])),
          )
-          .$if(!!options.userIds, (qb) => qb.where('asset.ownerId', '=', anyUuid(options.userIds!)))
+          .$if(!!options.userIds, (qb) =>
+            qb.where(hasAssetPermissions(options.userIds![0], [SharingPermission.AssetRead], !!options.personId)),
+          )
          .$if(options.isFavorite !== undefined, (qb) => qb.where('asset.isFavorite', '=', options.isFavorite!))
          .$if(!!options.assetType, (qb) => qb.where('asset.type', '=', options.assetType!))
          .$if(options.isDuplicate !== undefined, (qb) =>
@@ -829,7 +887,9 @@ export class AssetRepository {
            ),
          )
          .$if(!!options.personId, (qb) => hasPeople(qb, [options.personId!]))
-          .$if(!!options.userIds, (qb) => qb.where('asset.ownerId', '=', anyUuid(options.userIds!)))
+          .$if(!!options.userIds, (qb) =>
+            qb.where(hasAssetPermissions(options.userIds![0], [SharingPermission.AssetRead], !!options.personId)),
+          )
          .$if(options.isFavorite !== undefined, (qb) => qb.where('asset.isFavorite', '=', options.isFavorite!))
          .$if(!!options.withStacked, (qb) =>
            qb
@@ -15,7 +15,7 @@ import { getKeyByValue, getMethodNames, ImmichStartupError } from 'src/utils/mis
 type JobMapItem = {
  jobName: JobName;
  queueName: QueueName;
-  handler: (job: JobOf<any>) => Promise<JobStatus>;
+  handler: (job?: JobOf<any>) => Promise<JobStatus>;
  label: string;
 };

@@ -95,14 +95,17 @@ export class JobRepository {
    }
  }

-  async run({ name, data }: JobItem) {
-    const item = this.handlers[name as JobName];
+  async run(job: JobItem) {
+    const item = this.handlers[job.name];
    if (!item) {
-      this.logger.warn(`Skipping unknown job: "${name}"`);
+      this.logger.warn(`Skipping unknown job: "${job.name}"`);
      return JobStatus.Skipped;
    }

-    return item.handler(data);
+    if ('data' in job) {
+      return item.handler(job.data);
+    }
+    return item.handler();
  }

  setConcurrency(queueName: QueueName, concurrency: number) {
@@ -167,7 +170,7 @@ export class JobRepository {
      const queueName = this.getQueueName(item.name);
      const job = {
        name: item.name,
-        data: item.data || {},
+        data: ('data' in item ? item.data : undefined) || {},
        options: this.getJobOptions(item) || undefined,
      } as JobItem & { data: any; options: JobsOptions | undefined };

@@ -73,7 +73,7 @@ export class MemoryRepository implements IBulkAsset {
                eb.exists(
                  eb
                    .selectFrom('asset_face')
-                    .innerJoin('person', 'person.id', 'asset_face.personId')
+                    .innerJoin('person', 'person.faceClusterId', 'asset_face.faceClusterId')
                    .select((eb) => eb.val(1).as('one'))
                    .whereRef('asset_face.assetId', '=', 'asset.id')
                    .where('person.isHidden', '=', true),
@@ -4,7 +4,8 @@ import { jsonObjectFrom } from 'kysely/helpers/postgres';
 import { InjectKysely } from 'nestjs-kysely';
 import { AssetFace } from 'src/database';
 import { Chunked, ChunkedArray, DummyValue, GenerateSql } from 'src/decorators';
-import { AssetFileType, AssetVisibility, SourceType } from 'src/enum';
+import { AssetFileType, AssetVisibility, SharingPermission, SourceType } from 'src/enum';
+import { hasAssetPermissions } from 'src/repositories/asset.repository';
 import { DB } from 'src/schema';
 import { AssetFaceTable } from 'src/schema/tables/asset-face.table';
 import { FaceSearchTable } from 'src/schema/tables/face-search.table';
@@ -33,9 +34,9 @@ export interface AssetFaceId {
 }

 export interface UpdateFacesData {
-  oldPersonId?: string;
+  oldFaceClusterId?: string;
  faceIds?: string[];
-  newPersonId: string;
+  newFaceClusterId: string;
 }

 export interface PersonStatistics {
@@ -54,7 +55,7 @@ export interface GetAllPeopleOptions {
 }

 export interface GetAllFacesOptions {
-  personId?: string | null;
+  faceClusterId?: string | null;
  assetId?: string;
  sourceType?: SourceType;
 }
@@ -65,7 +66,20 @@ export type SelectFaceOptions = (keyof Selectable<AssetFaceTable>)[];

 const withPerson = (eb: ExpressionBuilder<DB, 'asset_face'>) => {
  return jsonObjectFrom(
-    eb.selectFrom('person').selectAll('person').whereRef('person.id', '=', 'asset_face.personId'),
+    eb
+      .selectFrom('person')
+      .selectAll('person')
+      .whereRef('person.faceClusterId', '=', 'asset_face.faceClusterId')
+      .orderBy(
+        (eb) =>
+          eb(
+            'person.ownerId',
+            '=',
+            eb.selectFrom('asset').select('asset.ownerId').whereRef('asset.id', '=', 'asset_face.assetId'),
+          ),
+        'desc',
+      )
+      .limit(1),
  ).as('person');
 };

@@ -75,16 +89,47 @@ const withFaceSearch = (eb: ExpressionBuilder<DB, 'asset_face'>) => {
  ).as('faceSearch');
 };

+export const hasPermissions =
+  (userId: string, permissions: SharingPermission[]) => (eb: ExpressionBuilder<DB, 'person'>) =>
+    eb.or([
+      eb.exists((eb) =>
+        eb
+          .selectFrom('partner')
+          .whereRef('partner.sharedById', '=', 'person.ownerId')
+          .where('partner.sharedWithId', '=', userId)
+          .where((eb) =>
+            eb.or([
+              eb(eb.val(SharingPermission.All), '=', eb.fn.any('partner.permissions')),
+              eb('partner.permissions', '@>', eb.val(permissions)),
+            ]),
+          ),
+      ),
+      eb.exists((eb) =>
+        eb
+          .selectFrom('album_user')
+          .where('album_user.albumId', 'in', (eb) =>
+            eb.selectFrom('album_user').select('album_user.albumId').where('album_user.userId', '=', userId),
+          )
+          .whereRef('album_user.userId', '=', 'person.ownerId')
+          .where((eb) =>
+            eb.or([
+              eb(eb.val(SharingPermission.All), '=', eb.fn.any('album_user.permissions')),
+              eb('album_user.permissions', '@>', eb.val(permissions)),
+            ]),
+          ),
+      ),
+    ]);
+
@Injectable()
 export class PersonRepository {
  constructor(@InjectKysely() private db: Kysely<DB>) {}

  @GenerateSql({ params: [{ oldPersonId: DummyValue.UUID, newPersonId: DummyValue.UUID }] })
-  async reassignFaces({ oldPersonId, faceIds, newPersonId }: UpdateFacesData): Promise<number> {
+  async reassignFaces({ oldFaceClusterId, faceIds, newFaceClusterId }: UpdateFacesData): Promise<number> {
    const result = await this.db
      .updateTable('asset_face')
-      .set({ personId: newPersonId })
-      .$if(!!oldPersonId, (qb) => qb.where('asset_face.personId', '=', oldPersonId!))
+      .set({ faceClusterId: newFaceClusterId })
+      .$if(!!oldFaceClusterId, (qb) => qb.where('asset_face.faceClusterId', '=', oldFaceClusterId!))
      .$if(!!faceIds, (qb) => qb.where('asset_face.id', 'in', faceIds!))
      .executeTakeFirst();

@@ -94,7 +139,7 @@ export class PersonRepository {
  async unassignFaces({ sourceType }: UnassignFacesOptions): Promise<void> {
    await this.db
      .updateTable('asset_face')
-      .set({ personId: null })
+      .set({ faceClusterId: null })
      .where('asset_face.sourceType', '=', sourceType)
      .execute();
  }
@@ -117,8 +162,8 @@ export class PersonRepository {
    return this.db
      .selectFrom('asset_face')
      .selectAll('asset_face')
-      .$if(options.personId === null, (qb) => qb.where('asset_face.personId', 'is', null))
-      .$if(!!options.personId, (qb) => qb.where('asset_face.personId', '=', options.personId!))
+      .$if(options.faceClusterId === null, (qb) => qb.where('asset_face.faceClusterId', 'is', null))
+      .$if(!!options.faceClusterId, (qb) => qb.where('asset_face.faceClusterId', '=', options.faceClusterId!))
      .$if(!!options.sourceType, (qb) => qb.where('asset_face.sourceType', '=', options.sourceType!))
      .$if(!!options.assetId, (qb) => qb.where('asset_face.assetId', '=', options.assetId!))
      .where('asset_face.deletedAt', 'is', null)
@@ -153,16 +198,20 @@ export class PersonRepository {
    const items = await this.db
      .selectFrom('person')
      .selectAll('person')
-      .innerJoin('asset_face', 'asset_face.personId', 'person.id')
+      .innerJoin('asset_face', 'asset_face.faceClusterId', 'person.faceClusterId')
      .innerJoin('asset', (join) =>
        join
          .onRef('asset_face.assetId', '=', 'asset.id')
          .on('asset.visibility', '=', sql.lit(AssetVisibility.Timeline))
          .on('asset.deletedAt', 'is', null),
      )
-      .where('person.ownerId', '=', userId)
+      .where((eb) =>
+        eb.or([eb('person.ownerId', '=', userId), hasPermissions(userId, [SharingPermission.PersonRead])(eb)]),
+      )
      .where('asset_face.deletedAt', 'is', null)
      .where('asset_face.isVisible', 'is', true)
+      .orderBy('person.faceClusterId')
+      .orderBy((eb) => eb('person.ownerId', '=', userId), 'desc')
      .orderBy('person.isHidden', 'asc')
      .orderBy('person.isFavorite', 'desc')
      .having((eb) =>
@@ -171,6 +220,7 @@ export class PersonRepository {
          eb((innerEb) => innerEb.fn.count('asset_face.assetId'), '>=', options?.minimumFaceCount || 1),
        ]),
      )
+      .distinctOn('person.faceClusterId')
      .groupBy('person.id')
      .$if(!!options?.closestFaceAssetId, (qb) =>
        qb.orderBy((eb) =>
@@ -209,7 +259,7 @@ export class PersonRepository {
    return this.db
      .selectFrom('person')
      .selectAll('person')
-      .leftJoin('asset_face', 'asset_face.personId', 'person.id')
+      .leftJoin('asset_face', 'asset_face.faceClusterId', 'person.faceClusterId')
      .where('asset_face.deletedAt', 'is', null)
      .where('asset_face.isVisible', 'is', true)
      .having((eb) => eb.fn.count('asset_face.assetId'), '=', 0)
@@ -224,7 +274,6 @@ export class PersonRepository {
    return this.db
      .selectFrom('asset_face')
      .selectAll('asset_face')
-      .select(withPerson)
      .where('asset_face.assetId', '=', assetId)
      .where('asset_face.deletedAt', 'is', null)
      .$if(isVisible !== undefined, (qb) => qb.where('asset_face.isVisible', '=', isVisible!))
@@ -248,7 +297,7 @@ export class PersonRepository {
  getFaceForFacialRecognitionJob(id: string) {
    return this.db
      .selectFrom('asset_face')
-      .select(['asset_face.id', 'asset_face.personId', 'asset_face.sourceType'])
+      .select(['asset_face.id', 'asset_face.faceClusterId', 'asset_face.sourceType'])
      .select((eb) =>
        jsonObjectFrom(
          eb
@@ -289,10 +338,10 @@ export class PersonRepository {
  }

  @GenerateSql({ params: [DummyValue.UUID, DummyValue.UUID] })
-  async reassignFace(assetFaceId: string, newPersonId: string): Promise<number> {
+  async reassignFace(assetFaceId: string, newFaceClusterId: string): Promise<number> {
    const result = await this.db
      .updateTable('asset_face')
-      .set({ personId: newPersonId })
+      .set({ faceClusterId: newFaceClusterId })
      .where('asset_face.id', '=', assetFaceId)
      .executeTakeFirst();

@@ -318,6 +367,7 @@ export class PersonRepository {
      .where('person.ownerId', '=', userId)
      .where(() => sql`f_unaccent("person"."name") %> f_unaccent(${personName})`)
      .orderBy(sql`f_unaccent("person"."name") <->>> f_unaccent(${personName})`)
+      .orderBy((eb) => eb('person.ownerId', '=', userId), 'desc')
      .limit(100)
      .$if(!withHidden, (qb) => qb.where('person.isHidden', '=', false))
      .execute();
@@ -335,7 +385,7 @@ export class PersonRepository {
  }

  @GenerateSql({ params: [DummyValue.UUID] })
-  async getStatistics(personId: string): Promise<PersonStatistics> {
+  async getStatistics(userId: string, faceClusterId: string): Promise<PersonStatistics> {
    const result = await this.db
      .selectFrom('asset_face')
      .leftJoin('asset', (join) =>
@@ -344,10 +394,11 @@ export class PersonRepository {
          .on('asset.visibility', '=', sql.lit(AssetVisibility.Timeline))
          .on('asset.deletedAt', 'is', null),
      )
+      .where(hasAssetPermissions(userId, [SharingPermission.AssetRead], true))
      .select((eb) => eb.fn.count(eb.fn('distinct', ['asset.id'])).as('count'))
      .where('asset_face.deletedAt', 'is', null)
      .where('asset_face.isVisible', 'is', true)
-      .where('asset_face.personId', '=', personId)
+      .where('asset_face.faceClusterId', '=', faceClusterId)
      .executeTakeFirst();

    return {
@@ -364,7 +415,7 @@ export class PersonRepository {
        eb.exists((eb) =>
          eb
            .selectFrom('asset_face')
-            .whereRef('asset_face.personId', '=', 'person.id')
+            .whereRef('asset_face.faceClusterId', '=', 'person.faceClusterId')
            .where('asset_face.deletedAt', 'is', null)
            .where('asset_face.isVisible', '=', true)
            .where((eb) =>
@@ -378,13 +429,20 @@ export class PersonRepository {
            ),
        ),
      )
-      .where('person.ownerId', '=', userId)
+      .where((eb) =>
+        eb.or([eb('person.ownerId', '=', userId), hasPermissions(userId, [SharingPermission.PersonRead])(eb)]),
+      )
      .select((eb) => eb.fn.coalesce(eb.fn.countAll<number>(), zero).as('total'))
      .select((eb) => eb.fn.coalesce(eb.fn.countAll<number>().filterWhere('isHidden', '=', true), zero).as('hidden'))
      .executeTakeFirstOrThrow();
  }

-  create(person: Insertable<PersonTable>) {
+  async create(person: Insertable<PersonTable>) {
+    if (!person.faceClusterId) {
+      const { id } = await this.db.insertInto('face_cluster').defaultValues().returning('id').executeTakeFirstOrThrow();
+      person.faceClusterId = id;
+    }
+
    return this.db.insertInto('person').values(person).returningAll().executeTakeFirstOrThrow();
  }

@@ -475,18 +533,19 @@ export class PersonRepository {
      .selectFrom('asset_face')
      .selectAll('asset_face')
      .select(withPerson)
+      .innerJoin('person', (join) => join.onRef('person.faceClusterId', '=', 'asset_face.faceClusterId'))
+      .where('person.id', 'in', personIds)
      .where('asset_face.assetId', 'in', assetIds)
-      .where('asset_face.personId', 'in', personIds)
      .where('asset_face.deletedAt', 'is', null)
      .execute();
  }

  @GenerateSql({ params: [DummyValue.UUID] })
-  getRandomFace(personId: string) {
+  getRandomFace(faceClusterId: string) {
    return this.db
      .selectFrom('asset_face')
      .selectAll('asset_face')
-      .where('asset_face.personId', '=', personId)
+      .where('asset_face.faceClusterId', '=', faceClusterId)
      .where('asset_face.deletedAt', 'is', null)
      .where('asset_face.isVisible', 'is', true)
      .executeTakeFirst();
@@ -573,8 +632,14 @@ export class PersonRepository {
      .selectFrom('asset_face')
      .select('asset_face.id')
      .where('asset_face.assetId', '=', assetId)
-      .where('asset_face.personId', '=', personId)
+      .innerJoin('person', (join) =>
+        join.onRef('person.faceClusterId', '=', 'asset_face.faceClusterId').on('person.id', '=', personId),
+      )
      .innerJoin('asset', (join) => join.onRef('asset.id', '=', 'asset_face.assetId').on('asset.isOffline', '=', false))
      .executeTakeFirst();
  }
+
+  getByFaceClusterId(faceClusterId: string) {
+    return this.db.selectFrom('person').selectAll().where('person.faceClusterId', '=', faceClusterId).execute();
+  }
 }
@@ -325,15 +325,23 @@ export class SearchRepository {
            .selectFrom('asset_face')
            .select([
              'asset_face.id',
-              'asset_face.personId',
+              'asset_face.faceClusterId',
              sql<number>`face_search.embedding <=> ${embedding}`.as('distance'),
            ])
            .innerJoin('asset', 'asset.id', 'asset_face.assetId')
+            .select('asset.ownerId')
            .innerJoin('face_search', 'face_search.faceId', 'asset_face.id')
-            .leftJoin('person', 'person.id', 'asset_face.personId')
-            .where('asset.ownerId', '=', anyUuid(userIds))
+            .leftJoin('person', 'person.faceClusterId', 'asset_face.faceClusterId')
+            .where('asset.ownerId', 'in', (eb) =>
+              eb
+                .selectFrom('user')
+                .select('user.id')
+                .where('user.trustedGroupId', 'in', (eb) =>
+                  eb.selectFrom('user').select('user.trustedGroupId').where('user.id', '=', anyUuid(userIds)),
+                ),
+            )
            .where('asset.deletedAt', 'is', null)
-            .$if(!!hasPerson, (qb) => qb.where('asset_face.personId', 'is not', null))
+            .$if(!!hasPerson, (qb) => qb.where('asset_face.faceClusterId', 'is not', null))
            .$if(!!minBirthDate, (qb) =>
              qb.where((eb) =>
                eb.or([eb('person.birthDate', 'is', null), eb('person.birthDate', '<=', minBirthDate!)]),
@@ -443,7 +443,7 @@ class AssetFaceSync extends BaseSync {
      .select([
        'asset_face.id',
        'assetId',
-        'personId',
+        'faceClusterId',
        'imageWidth',
        'imageHeight',
        'boundingBoxX1',
@@ -325,4 +325,61 @@ export class UserRepository {

    await query.execute();
  }
+
+  @GenerateSql({ params: [DummyValue.UUID] })
+  async getInSameTrustedGroup(userId: string) {
+    return this.db
+      .selectFrom('user')
+      .select('user.id')
+      .where('user.trustedGroupId', '=', (eb) =>
+        eb.selectFrom('user').select('user.trustedGroupId').where('user.id', '=', userId),
+      )
+      .execute()
+      .then((result) => result.map(({ id }) => id));
+  }
+
+  @GenerateSql({ params: [{ userId: DummyValue.UUID, userIdToMerge: DummyValue.UUID }] })
+  async mergeTrustedGroups({ userId, userIdToMerge }: { userId: string; userIdToMerge: string }) {
+    return this.db
+      .updateTable('user')
+      .from('user as u')
+      .where('u.id', '=', userId)
+      .where('user.trustedGroupId', '=', (eb) =>
+        eb
+          .selectFrom('user')
+          .select('user.trustedGroupId')
+          .where('user.id', '=', userIdToMerge)
+          .whereRef('user.trustedGroupId', '!=', 'u.trustedGroupId'),
+      )
+      .set((eb) => ({
+        trustedGroupId: eb.ref('u.trustedGroupId'),
+      }))
+      .executeTakeFirst();
+  }
+
+  @GenerateSql({ params: [DummyValue.UUID] })
+  async updateTrustedGroups(userId: string) {
+    return this.db
+      .updateTable('user')
+      .set((eb) => ({ trustedGroupId: eb.fn('uuid_generate_v4') }))
+      .where('user.trustedGroupId', '=', (eb) =>
+        eb.selectFrom('user').select('user.trustedGroupId').where('user.id', '=', userId),
+      )
+      .where('user.id', '!=', userId)
+      .where('user.id', 'not in', (eb) =>
+        eb
+          .selectFrom('partner')
+          .select('partner.sharedById as userId')
+          .where('sharedWithId', '=', userId)
+          .union((eb) =>
+            eb
+              .selectFrom('album_user')
+              .select('album_user.userId')
+              .where('album_user.albumId', 'in', (eb) =>
+                eb.selectFrom('album_user').select('album_user.albumId').where('album_user.userId', '=', userId),
+              ),
+          ),
+      )
+      .executeTakeFirst();
+  }
 }
@@ -4,6 +4,7 @@ import {
  AssetStatus,
  AssetVisibility,
  ChecksumAlgorithm,
+  SharingPermission,
  SourceType,
  VideoSegmentCodec,
 } from 'src/enum';
@@ -37,3 +38,8 @@ export const video_stream_variant_codec_enum = registerEnum({
  name: 'video_stream_variant_codec_enum',
  values: Object.values(VideoSegmentCodec),
 });
+
+export const sharing_permission_enum = registerEnum({
+  name: 'sharing_permission_enum',
+  values: Object.values(SharingPermission),
+});
@@ -4,6 +4,7 @@ import {
  asset_face_source_type,
  asset_visibility_enum,
  assets_status_enum,
+  sharing_permission_enum,
 } from 'src/schema/enums';
 import {
  album_user_after_insert,
@@ -45,6 +46,7 @@ import { AssetMetadataAuditTable } from 'src/schema/tables/asset-metadata-audit.
 import { AssetMetadataTable } from 'src/schema/tables/asset-metadata.table';
 import { AssetOcrTable } from 'src/schema/tables/asset-ocr.table';
 import { AssetTable } from 'src/schema/tables/asset.table';
+import { FaceClusterTable } from 'src/schema/tables/face-cluster.table';
 import { FaceSearchTable } from 'src/schema/tables/face-search.table';
 import { GeodataPlacesTable } from 'src/schema/tables/geodata-places.table';
 import { LibraryTable } from 'src/schema/tables/library.table';
@@ -110,6 +112,7 @@ export class ImmichDatabase {
    AssetTable,
    AssetFileTable,
    AssetExifTable,
+    FaceClusterTable,
    FaceSearchTable,
    GeodataPlacesTable,
    LibraryTable,
@@ -170,7 +173,13 @@ export class ImmichDatabase {
    asset_face_audit,
  ];

-  enum = [album_user_role_enum, assets_status_enum, asset_face_source_type, asset_visibility_enum];
+  enum = [
+    album_user_role_enum,
+    assets_status_enum,
+    asset_face_source_type,
+    asset_visibility_enum,
+    sharing_permission_enum,
+  ];
 }

 export interface Migrations {
@@ -211,6 +220,7 @@ export interface DB {
  ocr_search: OcrSearchTable;

  face_search: FaceSearchTable;
+  face_cluster: FaceClusterTable;

  geodata_places: GeodataPlacesTable;

@@ -0,0 +1,17 @@
+import { Kysely, sql } from 'kysely';
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await sql`CREATE TYPE "sharing_permission_enum" AS ENUM ('all','asset.read','asset.update','asset.edit','asset.delete','asset.share','exif.read','person.read','person.update','person.merge','person.delete');`.execute(db);
+  await sql`ALTER TABLE "user" ADD "trustedGroupId" uuid NOT NULL DEFAULT uuid_generate_v4();`.execute(db);
+  await sql`ALTER TABLE "album_user" ADD "permissions" sharing_permission_enum[] NOT NULL DEFAULT '{asset.read,exif.read}';`.execute(db);
+  await sql`ALTER TABLE "album_user" ADD "inTimeline" boolean NOT NULL DEFAULT false;`.execute(db);
+  await sql`ALTER TABLE "partner" ADD "permissions" sharing_permission_enum[] NOT NULL DEFAULT '{all}';`.execute(db);
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await sql`DROP TYPE "sharing_permission_enum";`.execute(db);
+  await sql`ALTER TABLE "partner" DROP COLUMN "permissions";`.execute(db);
+  await sql`ALTER TABLE "user" DROP COLUMN "trustedGroupId";`.execute(db);
+  await sql`ALTER TABLE "album_user" DROP COLUMN "permissions";`.execute(db);
+  await sql`ALTER TABLE "album_user" DROP COLUMN "inTimeline";`.execute(db);
+}
@@ -0,0 +1,51 @@
+import { Kysely, sql } from 'kysely';
+
+export async function up(db: Kysely<any>): Promise<void> {
+  await sql`ALTER TABLE "asset_face" RENAME COLUMN "personId" TO "faceClusterId";`.execute(db);
+  await sql`CREATE INDEX "asset_face_faceClusterId_assetId_idx" ON "asset_face" ("faceClusterId", "assetId");`.execute(db);
+  await sql`CREATE INDEX "asset_face_faceClusterId_assetId_notDeleted_isVisible_idx" ON "asset_face" ("faceClusterId", "assetId") WHERE ("deletedAt" IS NULL AND "isVisible" IS TRUE);`.execute(db);
+  await sql`CREATE INDEX "asset_face_assetId_faceClusterId_idx" ON "asset_face" ("assetId", "faceClusterId");`.execute(db);
+  await sql`DROP INDEX "asset_face_personId_assetId_notDeleted_isVisible_idx";`.execute(db);
+  await sql`DROP INDEX "asset_face_assetId_personId_idx";`.execute(db);
+  await sql`DROP INDEX "asset_face_personId_assetId_idx";`.execute(db);
+  await sql`CREATE TABLE "face_cluster" (
+  "id" uuid NOT NULL DEFAULT uuid_generate_v4(),
+  "createdAt" timestamp with time zone NOT NULL DEFAULT now(),
+  "updatedAt" timestamp with time zone NOT NULL DEFAULT now(),
+  "updateId" uuid NOT NULL DEFAULT immich_uuid_v7(),
+  CONSTRAINT "face_cluster_pkey" PRIMARY KEY ("id")
+);`.execute(db);
+  await sql`ALTER TABLE "asset_face" ADD CONSTRAINT "asset_face_faceClusterId_fkey" FOREIGN KEY ("faceClusterId") REFERENCES "face_cluster" ("id") ON UPDATE CASCADE ON DELETE SET NULL;`.execute(db);
+  await sql`ALTER TABLE "asset_face" DROP CONSTRAINT "asset_face_personId_fkey";`.execute(db);
+  await sql`ALTER TABLE "person" ADD "faceClusterId" uuid;`.execute(db);
+  await sql`CREATE INDEX "person_faceClusterId_idx" ON "person" ("faceClusterId");`.execute(db);
+  await sql`ALTER TABLE "person" ADD CONSTRAINT "person_faceClusterId_fkey" FOREIGN KEY ("faceClusterId") REFERENCES "face_cluster" ("id") ON UPDATE CASCADE ON DELETE CASCADE;`.execute(db);
+  await sql`CREATE INDEX "face_cluster_updateId_idx" ON "face_cluster" ("updateId");`.execute(db);
+  await sql`CREATE OR REPLACE TRIGGER "face_cluster_updatedAt"
+  BEFORE UPDATE ON "face_cluster"
+  FOR EACH ROW
+  EXECUTE FUNCTION updated_at();`.execute(db);
+  await sql`INSERT INTO "migration_overrides" ("name", "value") VALUES ('trigger_face_cluster_updatedAt', '{"type":"trigger","name":"face_cluster_updatedAt","sql":"CREATE OR REPLACE TRIGGER \\"face_cluster_updatedAt\\"\\n  BEFORE UPDATE ON \\"face_cluster\\"\\n  FOR EACH ROW\\n  EXECUTE FUNCTION updated_at();"}'::jsonb);`.execute(db);
+  await sql`INSERT INTO "migration_overrides" ("name", "value") VALUES ('index_asset_face_faceClusterId_assetId_notDeleted_isVisible_idx', '{"type":"index","name":"asset_face_faceClusterId_assetId_notDeleted_isVisible_idx","sql":"CREATE INDEX \\"asset_face_faceClusterId_assetId_notDeleted_isVisible_idx\\" ON \\"asset_face\\" (\\"faceClusterId\\", \\"assetId\\") WHERE (\\"deletedAt\\" IS NULL AND \\"isVisible\\" IS TRUE);"}'::jsonb);`.execute(db);
+  await sql`DELETE FROM "migration_overrides" WHERE "name" = 'index_asset_face_personId_assetId_notDeleted_isVisible_idx';`.execute(db);
+}
+
+export async function down(db: Kysely<any>): Promise<void> {
+  await sql`ALTER TABLE "person" DROP COLUMN "faceClusterId";`.execute(db);
+  await sql`DROP INDEX "person_faceClusterId_idx";`.execute(db);
+  await sql`ALTER TABLE "person" DROP CONSTRAINT "person_faceClusterId_fkey";`.execute(db);
+  await sql`ALTER TABLE "asset_face" RENAME COLUMN "faceClusterId" TO "personId";`.execute(db);
+  await sql`CREATE INDEX "asset_face_personId_assetId_notDeleted_isVisible_idx" ON "asset_face" ("personId", "assetId") WHERE ((("deletedAt" IS NULL) AND ("isVisible" IS TRUE)));`.execute(db);
+  await sql`CREATE INDEX "asset_face_assetId_personId_idx" ON "asset_face" ("assetId", "personId");`.execute(db);
+  await sql`CREATE INDEX "asset_face_personId_assetId_idx" ON "asset_face" ("personId", "assetId");`.execute(db);
+  await sql`DROP INDEX "asset_face_faceClusterId_assetId_idx";`.execute(db);
+  await sql`DROP INDEX "asset_face_faceClusterId_assetId_notDeleted_isVisible_idx";`.execute(db);
+  await sql`DROP INDEX "asset_face_assetId_faceClusterId_idx";`.execute(db);
+  await sql`ALTER TABLE "asset_face" ADD CONSTRAINT "asset_face_personId_fkey" FOREIGN KEY ("personId") REFERENCES "person" ("id") ON UPDATE CASCADE ON DELETE SET NULL;`.execute(db);
+  await sql`ALTER TABLE "asset_face" DROP CONSTRAINT "asset_face_faceClusterId_fkey";`.execute(db);
+  await sql`DROP TABLE "face_cluster";`.execute(db);
+  await sql`DROP TRIGGER "face_cluster_updatedAt" ON "face_cluster";`.execute(db);
+  await sql`INSERT INTO "migration_overrides" ("name", "value") VALUES ('index_asset_face_personId_assetId_notDeleted_isVisible_idx', '{"sql":"CREATE INDEX \\"asset_face_personId_assetId_notDeleted_isVisible_idx\\" ON \\"asset_face\\" (\\"personId\\", \\"assetId\\") WHERE (\\"deletedAt\\" IS NULL AND \\"isVisible\\" IS TRUE);","name":"asset_face_personId_assetId_notDeleted_isVisible_idx","type":"index"}'::jsonb);`.execute(db);
+  await sql`DELETE FROM "migration_overrides" WHERE "name" = 'trigger_face_cluster_updatedAt';`.execute(db);
+  await sql`DELETE FROM "migration_overrides" WHERE "name" = 'index_asset_face_faceClusterId_assetId_notDeleted_isVisible_idx';`.execute(db);
+}
@@ -11,8 +11,8 @@ import {
  UpdateDateColumn,
 } from '@immich/sql-tools';
 import { CreateIdColumn, UpdatedAtTrigger, UpdateIdColumn } from 'src/decorators';
-import { AlbumUserRole } from 'src/enum';
-import { album_user_role_enum } from 'src/schema/enums';
+import { AlbumUserRole, SharingPermission } from 'src/enum';
+import { album_user_role_enum, sharing_permission_enum } from 'src/schema/enums';
 import { album_user_after_insert, album_user_delete_audit } from 'src/schema/functions';
 import { AlbumTable } from 'src/schema/tables/album.table';
 import { UserTable } from 'src/schema/tables/user.table';
@@ -69,4 +69,14 @@ export class AlbumUserTable {

  @UpdateDateColumn()
  updatedAt!: Generated<Timestamp>;
+
+  @Column({
+    array: true,
+    enum: sharing_permission_enum,
+    default: [SharingPermission.AssetRead, SharingPermission.ExifRead],
+  })
+  permissions!: Generated<SharingPermission[]>;
+
+  @Column({ type: 'boolean', default: false })
+  inTimeline!: Generated<boolean>;
 }
@@ -15,7 +15,7 @@ import { SourceType } from 'src/enum';
 import { asset_face_source_type } from 'src/schema/enums';
 import { asset_face_audit } from 'src/schema/functions';
 import { AssetTable } from 'src/schema/tables/asset.table';
-import { PersonTable } from 'src/schema/tables/person.table';
+import { FaceClusterTable } from 'src/schema/tables/face-cluster.table';

@Table({ name: 'asset_face' })
@UpdatedAtTrigger('asset_face_updatedAt')
@@ -26,13 +26,13 @@ import { PersonTable } from 'src/schema/tables/person.table';
  when: 'pg_trigger_depth() = 0',
 })
 // schemaFromDatabase does not preserve column order
-@Index({ name: 'asset_face_assetId_personId_idx', columns: ['assetId', 'personId'] })
+@Index({ name: 'asset_face_assetId_faceClusterId_idx', columns: ['assetId', 'faceClusterId'] })
@Index({
-  name: 'asset_face_personId_assetId_notDeleted_isVisible_idx',
-  columns: ['personId', 'assetId'],
+  name: 'asset_face_faceClusterId_assetId_notDeleted_isVisible_idx',
+  columns: ['faceClusterId', 'assetId'],
  where: '"deletedAt" IS NULL AND "isVisible" IS TRUE',
 })
-@Index({ columns: ['personId', 'assetId'] })
+@Index({ columns: ['faceClusterId', 'assetId'] })
 export class AssetFaceTable {
  @PrimaryGeneratedColumn()
  id!: Generated<string>;
@@ -45,14 +45,14 @@ export class AssetFaceTable {
  })
  assetId!: string;

-  @ForeignKeyColumn(() => PersonTable, {
+  @ForeignKeyColumn(() => FaceClusterTable, {
    onDelete: 'SET NULL',
    onUpdate: 'CASCADE',
    nullable: true,
-    // [personId, assetId] makes this redundant
+    // [faceClusterId, assetId] makes this redundant
    index: false,
  })
-  personId!: string | null;
+  faceClusterId!: string | null;

  @Column({ default: 0, type: 'integer' })
  imageWidth!: Generated<number>;
@@ -0,0 +1,25 @@
+import {
+  CreateDateColumn,
+  Generated,
+  PrimaryGeneratedColumn,
+  Table,
+  Timestamp,
+  UpdateDateColumn,
+} from '@immich/sql-tools';
+import { UpdatedAtTrigger, UpdateIdColumn } from 'src/decorators';
+
+@Table('face_cluster')
+@UpdatedAtTrigger('face_cluster_updatedAt')
+export class FaceClusterTable {
+  @PrimaryGeneratedColumn('uuid')
+  id!: Generated<string>;
+
+  @CreateDateColumn()
+  createdAt!: Generated<Timestamp>;
+
+  @UpdateDateColumn()
+  updatedAt!: Generated<Timestamp>;
+
+  @UpdateIdColumn({ index: true })
+  updateId!: Generated<string>;
+}
@@ -41,7 +41,7 @@ export class NotificationTable {
  type!: Generated<NotificationType>;

  @Column({ type: 'jsonb', nullable: true })
-  data!: any | null;
+  data!: unknown | null;

  @Column()
  title!: string;
@@ -9,6 +9,8 @@ import {
  UpdateDateColumn,
 } from '@immich/sql-tools';
 import { CreateIdColumn, UpdatedAtTrigger, UpdateIdColumn } from 'src/decorators';
+import { SharingPermission } from 'src/enum';
+import { sharing_permission_enum } from 'src/schema/enums';
 import { partner_delete_audit } from 'src/schema/functions';
 import { UserTable } from 'src/schema/tables/user.table';

@@ -46,4 +48,7 @@ export class PartnerTable {

  @UpdateIdColumn({ index: true })
  updateId!: Generated<string>;
+
+  @Column({ array: true, enum: sharing_permission_enum, default: [SharingPermission.All] })
+  permissions!: Generated<SharingPermission[]>;
 }
@@ -14,6 +14,7 @@ import {
 import { UpdatedAtTrigger, UpdateIdColumn } from 'src/decorators';
 import { person_delete_audit } from 'src/schema/functions';
 import { AssetFaceTable } from 'src/schema/tables/asset-face.table';
+import { FaceClusterTable } from 'src/schema/tables/face-cluster.table';
 import { UserTable } from 'src/schema/tables/user.table';

@Table('person')
@@ -43,9 +44,6 @@ export class PersonTable {
  @ForeignKeyColumn(() => UserTable, { onDelete: 'CASCADE', onUpdate: 'CASCADE', nullable: false })
  ownerId!: string;

-  @Column({ default: '' })
-  name!: Generated<string>;
-
  @Column({ default: '' })
  thumbnailPath!: Generated<string>;

@@ -55,6 +53,9 @@ export class PersonTable {
  @Column({ type: 'date', nullable: true })
  birthDate!: Timestamp | null;

+  @Column({ default: '' })
+  name!: Generated<string>;
+
  @ForeignKeyColumn(() => AssetFaceTable, { onDelete: 'SET NULL', nullable: true })
  faceAssetId!: string | null;

@@ -66,4 +67,7 @@ export class PersonTable {

  @UpdateIdColumn({ index: true })
  updateId!: Generated<string>;
+
+  @ForeignKeyColumn(() => FaceClusterTable, { onDelete: 'CASCADE', onUpdate: 'CASCADE', nullable: true, index: true })
+  faceClusterId!: string | null;
 }
@@ -4,6 +4,7 @@ import {
  CreateDateColumn,
  DeleteDateColumn,
  Generated,
+  GeneratedColumn,
  Index,
  PrimaryGeneratedColumn,
  Table,
@@ -82,4 +83,7 @@ export class UserTable {

  @UpdateIdColumn({ index: true })
  updateId!: Generated<string>;
+
+  @GeneratedColumn('uuid')
+  trustedGroupId!: Generated<string>;
 }
@@ -8,13 +8,15 @@ import {
  CreateAlbumDto,
  GetAlbumsDto,
  mapAlbum,
+  SharingPermissionsResponseDto,
  UpdateAlbumDto,
  UpdateAlbumUserDto,
+  UpdateSharingPermissionsDto,
 } from 'src/dtos/album.dto';
 import { BulkIdErrorReason, BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
 import { MapMarkerResponseDto } from 'src/dtos/map.dto';
-import { AlbumUserRole, Permission } from 'src/enum';
+import { AlbumUserRole, Permission, SharingPermission } from 'src/enum';
 import { AlbumAssetCount, AlbumInfoOptions } from 'src/repositories/album.repository';
 import { BaseService } from 'src/services/base.service';
 import { addAssets, removeAssets } from 'src/utils/asset.util';
@@ -137,6 +139,11 @@ export class AlbumService extends BaseService {
    );

    for (const { userId } of albumUsers) {
+      await this.userRepository.mergeTrustedGroups({
+        userId: auth.user.id,
+        userIdToMerge: userId,
+      });
+
      await this.eventRepository.emit('AlbumInvite', { id: album.id, userId, senderName: auth.user.name });
    }

@@ -306,7 +313,17 @@ export class AlbumService extends BaseService {
        throw new BadRequestException('Invalid user');
      }

-      await this.albumUserRepository.create({ userId, albumId: id, role });
+      await this.userRepository.mergeTrustedGroups({
+        userId: auth.user.id,
+        userIdToMerge: userId,
+      });
+      await this.albumUserRepository.create({
+        userId,
+        albumId: id,
+        role,
+        permissions: [SharingPermission.AssetRead, SharingPermission.ExifRead],
+      });
+
      await this.eventRepository.emit('AlbumInvite', { id, userId, senderName: auth.user.name });
    }

@@ -345,6 +362,19 @@ export class AlbumService extends BaseService {
    await this.albumUserRepository.update({ albumId: id, userId }, { role: dto.role });
  }

+  async updateSelf(auth: AuthDto, albumId: string, dto: UpdateSharingPermissionsDto): Promise<void> {
+    await this.requireAccess({ auth, permission: Permission.AlbumAssetCreate, ids: [albumId] });
+    await this.albumUserRepository.update(
+      { albumId, userId: auth.user.id },
+      { permissions: dto.permissions, inTimeline: dto.inTimeline },
+    );
+  }
+
+  async getSelf(auth: AuthDto, albumId: string): Promise<SharingPermissionsResponseDto> {
+    await this.requireAccess({ auth, permission: Permission.AlbumAssetCreate, ids: [albumId] });
+    return this.albumUserRepository.get({ userId: auth.user.id, albumId });
+  }
+
  private async findOrFail(id: string, authUserId: string, options: AlbumInfoOptions) {
    const album = await this.albumRepository.getById(id, options, authUserId);
    if (!album) {
@@ -32,10 +32,11 @@ import {
  JobStatus,
  Permission,
  QueueName,
+  SharingPermission,
 } from 'src/enum';
 import { BaseService } from 'src/services/base.service';
 import { JobItem, JobOf } from 'src/types';
-import { requireElevatedPermission } from 'src/utils/access';
+import { hasPermissions, requireElevatedPermission } from 'src/utils/access';
 import {
  getAssetFiles,
  getDimensions,
@@ -62,14 +63,18 @@ export class AssetService extends BaseService {
  async get(auth: AuthDto, id: string): Promise<AssetResponseDto | SanitizedAssetResponseDto> {
    await this.requireAccess({ auth, permission: Permission.AssetRead, ids: [id] });

-    const asset = await this.assetRepository.getById(id, {
-      exifInfo: true,
-      owner: true,
-      faces: { person: true },
-      stack: { assets: true },
-      edits: true,
-      tags: true,
-    });
+    const asset = await this.assetRepository.getById(
+      id,
+      {
+        exifInfo: true,
+        owner: true,
+        faces: { person: true },
+        stack: { assets: true },
+        edits: true,
+        tags: true,
+      },
+      auth.user.id,
+    );

    if (!asset) {
      throw new BadRequestException('Asset not found');
@@ -85,7 +90,7 @@ export class AssetService extends BaseService {
      delete data.owner;
    }

-    if (data.ownerId !== auth.user.id || auth.sharedLink) {
+    if (!hasPermissions(data, SharingPermission.PersonRead)) {
      data.people = [];
    }

@@ -85,7 +85,11 @@ export class NotificationService extends BaseService {
      return;
    }

-    this.logger.error(`Unable to run job handler (${job.name}): ${error}`, error?.stack, JSON.stringify(job.data));
+    this.logger.error(
+      `Unable to run job handler (${job.name}): ${error}`,
+      error?.stack,
+      'data' in job ? JSON.stringify(job.data) : {},
+    );

    switch (job.name) {
      case JobName.DatabaseBackup: {
@@ -3,7 +3,7 @@ import { Partner } from 'src/database';
 import { AuthDto } from 'src/dtos/auth.dto';
 import { PartnerCreateDto, PartnerResponseDto, PartnerSearchDto, PartnerUpdateDto } from 'src/dtos/partner.dto';
 import { mapUser } from 'src/dtos/user.dto';
-import { Permission } from 'src/enum';
+import { JobName, Permission, SharingPermission } from 'src/enum';
 import { PartnerDirection, PartnerIds } from 'src/repositories/partner.repository';
 import { BaseService } from 'src/services/base.service';

@@ -16,7 +16,15 @@ export class PartnerService extends BaseService {
      throw new BadRequestException(`Partner already exists`);
    }

-    const partner = await this.partnerRepository.create(partnerId);
+    const { numUpdatedRows } = await this.userRepository.mergeTrustedGroups({
+      userId: auth.user.id,
+      userIdToMerge: sharedWithId,
+    });
+    const partner = await this.partnerRepository.create({ ...partnerId, permissions: [SharingPermission.All] });
+    if (numUpdatedRows > 0) {
+      await this.jobRepository.queue({ name: JobName.FacialRecognitionMerge, data: { id: sharedWithId } });
+    }
+
    return this.mapPartner(partner, PartnerDirection.SharedBy);
  }

@@ -28,6 +36,10 @@ export class PartnerService extends BaseService {
    }

    await this.partnerRepository.remove(partnerId);
+    const { numUpdatedRows } = await this.userRepository.updateTrustedGroups(auth.user.id);
+    if (numUpdatedRows > 0) {
+      await this.jobRepository.queue({ name: JobName.FacialRecognitionQueueAll, data: { force: true } });
+    }
  }

  async search(auth: AuthDto, { direction }: PartnerSearchDto): Promise<PartnerResponseDto[]> {
@@ -13,7 +13,7 @@ import {
  FaceDto,
  mapFaces,
  mapPerson,
-  MergePersonDto,
+  MergeFaceClusterDto,
  PeopleResponseDto,
  PeopleUpdateDto,
  PersonCreateDto,
@@ -159,7 +159,7 @@ export class PersonService extends BaseService {

  async getStatistics(auth: AuthDto, id: string): Promise<PersonStatisticsResponseDto> {
    await this.requireAccess({ auth, permission: Permission.PersonRead, ids: [id] });
-    return this.personRepository.getStatistics(id);
+    return this.personRepository.getStatistics(auth.user.id, id);
  }

  async getThumbnail(auth: AuthDto, id: string): Promise<ImmichFileResponse> {
@@ -438,7 +438,7 @@ export class PersonService extends BaseService {

    const lastRun = new Date().toISOString();
    const facePagination = this.personRepository.getAllFaces(
-      force ? undefined : { personId: null, sourceType: SourceType.MachineLearning },
+      force ? undefined : { faceClusterId: null, sourceType: SourceType.MachineLearning },
    );

    let jobs: { name: JobName.FacialRecognition; data: { id: string; deferred: false } }[] = [];
@@ -481,8 +481,8 @@ export class PersonService extends BaseService {
      return JobStatus.Failed;
    }

-    if (face.personId) {
-      this.logger.debug(`Face ${id} already has a person assigned`);
+    if (face.faceClusterId) {
+      this.logger.debug(`Face ${id} already belongs to a face cluster`);
      return JobStatus.Skipped;
    }

@@ -511,8 +511,8 @@ export class PersonService extends BaseService {
      return JobStatus.Skipped;
    }

-    let personId = matches.find((match) => match.personId)?.personId;
-    if (!personId) {
+    let faceClusterId = matches.find((match) => match.faceClusterId)?.faceClusterId;
+    if (!faceClusterId) {
      const matchWithPerson = await this.searchRepository.searchFaces({
        userIds: [face.asset.ownerId],
        embedding: face.faceSearch.embedding,
@@ -523,20 +523,100 @@ export class PersonService extends BaseService {
      });

      if (matchWithPerson.length > 0) {
-        personId = matchWithPerson[0].personId;
+        faceClusterId = matchWithPerson[0].faceClusterId;
      }
    }

-    if (isCore && !personId) {
+    if (isCore && !faceClusterId) {
      this.logger.log(`Creating new person for face ${id}`);
      const newPerson = await this.personRepository.create({ ownerId: face.asset.ownerId, faceAssetId: face.id });
      await this.jobRepository.queue({ name: JobName.PersonGenerateThumbnail, data: { id: newPerson.id } });
-      personId = newPerson.id;
+      faceClusterId = newPerson.faceClusterId;
    }

-    if (personId) {
-      this.logger.debug(`Assigning face ${id} to person ${personId}`);
-      await this.personRepository.reassignFaces({ faceIds: [id], newPersonId: personId });
+    if (faceClusterId) {
+      this.logger.debug(`Assigning face ${id} to face cluster ${faceClusterId}`);
+      await this.personRepository.reassignFaces({ faceIds: [id], newFaceClusterId: faceClusterId });
+    }
+
+    return JobStatus.Success;
+  }
+
+  @OnJob({ name: JobName.FacialRecognitionMerge, queue: QueueName.FacialRecognition })
+  async mergeClusters({ id: userId }: JobOf<JobName.FacialRecognitionMerge>): Promise<JobStatus> {
+    const { machineLearning } = await this.getConfig({ withCache: true });
+    if (!isFacialRecognitionEnabled(machineLearning)) {
+      return JobStatus.Skipped;
+    }
+
+    const faces = this.personRepository.getAllFaces({ sourceType: SourceType.MachineLearning });
+    for await (const { id } of faces) {
+      const face = await this.personRepository.getFaceForFacialRecognitionJob(id);
+      if (!face?.faceSearch || !face.asset) {
+        this.logger.warn(`Face ${id} does not have an embedding`);
+        return JobStatus.Failed;
+      }
+
+      let faceClusterId: string | null = null;
+      const matchWithPerson = await this.searchRepository.searchFaces({
+        userIds: [face.asset.ownerId],
+        embedding: face.faceSearch.embedding,
+        maxDistance: machineLearning.facialRecognition.maxDistance,
+        numResults: 10,
+        hasPerson: true,
+        minBirthDate: new Date(face.asset.fileCreatedAt),
+      });
+
+      if (matchWithPerson.length > 0) {
+        // favor a person that's not owned by us to merge people with a newly shared with user
+        // probably do smarter stuff here like pick the person with a name, if both have a name set aliases or whatever
+        const match = matchWithPerson.find((match) => match.ownerId !== userId) ?? matchWithPerson[0];
+        if (match.faceClusterId && face.asset.ownerId !== match.ownerId) {
+          // TODO should probably be a DB constraint?
+          const people = await this.personRepository.getByFaceClusterId(match.faceClusterId);
+
+          if (!people.some((person) => person.ownerId === face.asset?.ownerId)) {
+            const person = await this.personRepository.create({
+              ownerId: face.asset.ownerId,
+              faceClusterId: match.faceClusterId,
+            });
+            await this.jobRepository.queue({ name: JobName.PersonGenerateThumbnail, data: { id: person.id } });
+          }
+        }
+
+        faceClusterId = match.faceClusterId;
+      }
+
+      if (!faceClusterId) {
+        const matches = await this.searchRepository.searchFaces({
+          userIds: [userId],
+          embedding: face.faceSearch.embedding,
+          maxDistance: machineLearning.facialRecognition.maxDistance,
+          numResults: machineLearning.facialRecognition.minFaces,
+          minBirthDate: new Date(face.asset.fileCreatedAt),
+        });
+
+        const match = matches.find((match) => match.faceClusterId);
+        if (match && match.faceClusterId && face.asset.ownerId !== match.ownerId) {
+          // TODO should probably be a DB constraint?
+          const people = await this.personRepository.getByFaceClusterId(match.faceClusterId);
+
+          if (!people.some((person) => person.ownerId === face.asset?.ownerId)) {
+            const person = await this.personRepository.create({
+              ownerId: face.asset.ownerId,
+              faceClusterId: match.faceClusterId,
+            });
+            await this.jobRepository.queue({ name: JobName.PersonGenerateThumbnail, data: { id: person.id } });
+          }
+        }
+
+        faceClusterId = match?.faceClusterId ?? null;
+      }
+
+      if (faceClusterId) {
+        this.logger.log(`Assigning face ${id} to face cluster ${faceClusterId}`);
+        await this.personRepository.reassignFaces({ faceIds: [id], newFaceClusterId: faceClusterId });
+      }
    }

    return JobStatus.Success;
@@ -554,7 +634,7 @@ export class PersonService extends BaseService {
    return JobStatus.Success;
  }

-  async mergePerson(auth: AuthDto, id: string, dto: MergePersonDto): Promise<BulkIdResponseDto[]> {
+  async mergePerson(auth: AuthDto, id: string, dto: MergeFaceClusterDto): Promise<BulkIdResponseDto[]> {
    const mergeIds = dto.ids;
    if (mergeIds.includes(id)) {
      throw new BadRequestException('Cannot merge a person into themselves');
@@ -600,7 +680,7 @@ export class PersonService extends BaseService {
        }

        const mergeName = mergePerson.name || mergePerson.id;
-        const mergeData: UpdateFacesData = { oldPersonId: mergeId, newPersonId: id };
+        const mergeData: UpdateFacesData = { oldFaceClusterId: mergeId, newFaceClusterId: id };
        this.logger.log(`Merging ${mergeName} into ${primaryName}`);

        await this.personRepository.reassignFaces(mergeData);
@@ -613,6 +693,7 @@ export class PersonService extends BaseService {
        results.push({ id: mergeId, success: false, error: BulkIdErrorReason.UNKNOWN });
      }
    }
+
    return results;
  }

@@ -682,8 +763,12 @@ export class PersonService extends BaseService {
      dto.imageHeight = originalDimensions.height;
    }

+    if (!person?.faceClusterId) {
+      throw new Error('Person must already have some recognized faces and belong to a face cluster');
+    }
+
    await this.personRepository.createAssetFace({
-      personId: dto.personId,
+      faceClusterId: person.faceClusterId,
      assetId: dto.assetId,
      imageHeight: dto.imageHeight,
      imageWidth: dto.imageWidth,
@@ -208,6 +208,7 @@ export class SearchService extends BaseService {
      repository: this.partnerRepository,
      timelineEnabled: true,
    });
+    console.log(auth.user.id, partnerIds);
    return [auth.user.id, ...partnerIds];
  }

@@ -204,7 +204,9 @@ export type ConcurrentQueueName = Exclude<
  | QueueName.BackupDatabase
 >;

-export type Jobs = { [K in JobItem['name']]: (JobItem & { name: K })['data'] };
+export type Jobs = {
+  [K in JobItem['name']]: 'data' extends keyof (JobItem & { name: K }) ? (JobItem & { name: K })['data'] : never;
+};
 export type JobOf<T extends JobName> = Jobs[T];

 export interface IBaseJob {
@@ -351,6 +353,7 @@ export type JobItem =
  | { name: JobName.AssetDetectFaces; data: IEntityJob }
  | { name: JobName.FacialRecognitionQueueAll; data: INightlyJob }
  | { name: JobName.FacialRecognition; data: IDeferrableJob }
+  | { name: JobName.FacialRecognitionMerge; data: IEntityJob }
  | { name: JobName.PersonGenerateThumbnail; data: IEntityJob }

  // Smart Search
@@ -1,7 +1,7 @@
 import { BadRequestException, UnauthorizedException } from '@nestjs/common';
 import { AuthSharedLink } from 'src/database';
 import { AuthDto } from 'src/dtos/auth.dto';
-import { AlbumUserRole, Permission } from 'src/enum';
+import { AlbumUserRole, Permission, SharingPermission } from 'src/enum';
 import { AccessRepository } from 'src/repositories/access.repository';
 import { setDifference, setIsEqual, setIsSuperset, setUnion } from 'src/utils/set';

@@ -115,37 +115,41 @@ const checkOtherAccess = async (access: AccessRepository, request: OtherAccessRe

    case Permission.AssetRead: {
      const isOwner = await access.asset.checkOwnerAccess(auth.user.id, ids, auth.session?.hasElevatedPermission);
-      const isAlbum = await access.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner));
-      const isPartner = await access.asset.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner, isAlbum));
-      return setUnion(isOwner, isAlbum, isPartner);
+      const isShared = await access.asset.checkSharedAccess(auth.user.id, ids, [SharingPermission.AssetRead]);
+      return setUnion(isOwner, isShared);
    }

    case Permission.AssetShare: {
      const isOwner = await access.asset.checkOwnerAccess(auth.user.id, ids, false);
-      const isPartner = await access.asset.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner));
-      return setUnion(isOwner, isPartner);
+      const isShared = await access.asset.checkSharedAccess(auth.user.id, ids, [SharingPermission.AssetShare]);
+      return setUnion(isOwner, isShared);
    }

    case Permission.AssetView: {
      const isOwner = await access.asset.checkOwnerAccess(auth.user.id, ids, auth.session?.hasElevatedPermission);
-      const isAlbum = await access.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner));
-      const isPartner = await access.asset.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner, isAlbum));
-      return setUnion(isOwner, isAlbum, isPartner);
+      const isShared = await access.asset.checkSharedAccess(auth.user.id, ids, [SharingPermission.AssetRead]);
+      return setUnion(isOwner, isShared);
    }

    case Permission.AssetDownload: {
      const isOwner = await access.asset.checkOwnerAccess(auth.user.id, ids, auth.session?.hasElevatedPermission);
-      const isAlbum = await access.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner));
-      const isPartner = await access.asset.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner, isAlbum));
-      return setUnion(isOwner, isAlbum, isPartner);
+      const isShared = await access.asset.checkSharedAccess(auth.user.id, ids, [
+        SharingPermission.AssetRead,
+        SharingPermission.ExifRead,
+      ]);
+      return setUnion(isOwner, isShared);
    }

    case Permission.AssetUpdate: {
-      return await access.asset.checkOwnerAccess(auth.user.id, ids, auth.session?.hasElevatedPermission);
+      const isOwner = await access.asset.checkOwnerAccess(auth.user.id, ids, auth.session?.hasElevatedPermission);
+      const isShared = await access.asset.checkSharedAccess(auth.user.id, ids, [SharingPermission.AssetUpdate]);
+      return setUnion(isOwner, isShared);
    }

    case Permission.AssetDelete: {
-      return await access.asset.checkOwnerAccess(auth.user.id, ids, auth.session?.hasElevatedPermission);
+      const isOwner = await access.asset.checkOwnerAccess(auth.user.id, ids, auth.session?.hasElevatedPermission);
+      const isShared = await access.asset.checkSharedAccess(auth.user.id, ids, [SharingPermission.AssetDelete]);
+      return setUnion(isOwner, isShared);
    }

    case Permission.AssetCopy: {
@@ -153,15 +157,21 @@ const checkOtherAccess = async (access: AccessRepository, request: OtherAccessRe
    }

    case Permission.AssetEditGet: {
-      return await access.asset.checkOwnerAccess(auth.user.id, ids, auth.session?.hasElevatedPermission);
+      const isOwner = await access.asset.checkOwnerAccess(auth.user.id, ids, auth.session?.hasElevatedPermission);
+      const isShared = await access.asset.checkSharedAccess(auth.user.id, ids, [SharingPermission.AssetEdit]);
+      return setUnion(isOwner, isShared);
    }

    case Permission.AssetEditCreate: {
-      return await access.asset.checkOwnerAccess(auth.user.id, ids, auth.session?.hasElevatedPermission);
+      const isOwner = await access.asset.checkOwnerAccess(auth.user.id, ids, auth.session?.hasElevatedPermission);
+      const isShared = await access.asset.checkSharedAccess(auth.user.id, ids, [SharingPermission.AssetEdit]);
+      return setUnion(isOwner, isShared);
    }

    case Permission.AssetEditDelete: {
-      return await access.asset.checkOwnerAccess(auth.user.id, ids, auth.session?.hasElevatedPermission);
+      const isOwner = await access.asset.checkOwnerAccess(auth.user.id, ids, auth.session?.hasElevatedPermission);
+      const isShared = await access.asset.checkSharedAccess(auth.user.id, ids, [SharingPermission.AssetEdit]);
+      return setUnion(isOwner, isShared);
    }

    case Permission.AlbumRead: {
@@ -246,7 +256,11 @@ const checkOtherAccess = async (access: AccessRepository, request: OtherAccessRe
    }

    case Permission.FaceDelete: {
-      return access.person.checkFaceOwnerAccess(auth.user.id, ids);
+      const isOwner = await access.person.checkFaceOwnerAccess(auth.user.id, ids);
+      const isShared = await access.person.checkSharedFaceAccess(auth.user.id, setDifference(ids, isOwner), [
+        SharingPermission.AssetUpdate,
+      ]);
+      return setUnion(isOwner, isShared);
    }

    case Permission.NotificationRead:
@@ -288,11 +302,40 @@ const checkOtherAccess = async (access: AccessRepository, request: OtherAccessRe
      return access.person.checkFaceOwnerAccess(auth.user.id, ids);
    }

-    case Permission.PersonRead:
-    case Permission.PersonUpdate:
-    case Permission.PersonDelete:
+    case Permission.PersonRead: {
+      const isOwner = await access.person.checkOwnerAccess(auth.user.id, ids);
+      const isShared = await access.person.checkSharedAccess(auth.user.id, setDifference(ids, isOwner), [
+        SharingPermission.PersonRead,
+      ]);
+
+      return setUnion(isOwner, isShared);
+    }
+
    case Permission.PersonMerge: {
-      return await access.person.checkOwnerAccess(auth.user.id, ids);
+      const isOwner = await access.person.checkOwnerAccess(auth.user.id, ids);
+      const isShared = await access.person.checkSharedAccess(auth.user.id, setDifference(ids, isOwner), [
+        SharingPermission.PersonMerge,
+      ]);
+
+      return setUnion(isOwner, isShared);
+    }
+
+    case Permission.PersonUpdate: {
+      const isOwner = await access.person.checkOwnerAccess(auth.user.id, ids);
+      const isShared = await access.person.checkSharedAccess(auth.user.id, setDifference(ids, isOwner), [
+        SharingPermission.PersonUpdate,
+      ]);
+
+      return setUnion(isOwner, isShared);
+    }
+
+    case Permission.PersonDelete: {
+      const isOwner = await access.person.checkOwnerAccess(auth.user.id, ids);
+      const isShared = await access.person.checkSharedAccess(auth.user.id, setDifference(ids, isOwner), [
+        SharingPermission.PersonDelete,
+      ]);
+
+      return setUnion(isOwner, isShared);
    }

    case Permission.PersonReassign: {
@@ -339,3 +382,20 @@ export const requireElevatedPermission = (auth: AuthDto) => {
    throw new UnauthorizedException('Elevated permission is required');
  }
 };
+
+export const hasPermissions = (
+  assetLike: { permissions: SharingPermission[] },
+  ...permissions: SharingPermission[]
+) => {
+  if (assetLike.permissions.includes(SharingPermission.All)) {
+    return true;
+  }
+
+  for (const permission of permissions) {
+    if (!assetLike.permissions.includes(permission)) {
+      return false;
+    }
+  }
+
+  return true;
+};
@@ -4,7 +4,7 @@ import { AssetFile } from 'src/database';
 import { BulkIdErrorReason, BulkIdResponseDto } from 'src/dtos/asset-ids.response.dto';
 import { UploadFieldName } from 'src/dtos/asset-media.dto';
 import { AuthDto } from 'src/dtos/auth.dto';
-import { AssetFileType, AssetType, AssetVisibility, Permission } from 'src/enum';
+import { AssetFileType, AssetType, AssetVisibility, Permission, SharingPermission } from 'src/enum';
 import { AuthRequest } from 'src/middleware/auth.guard';
 import { AccessRepository } from 'src/repositories/access.repository';
 import { AssetRepository } from 'src/repositories/asset.repository';
@@ -134,6 +134,11 @@ export const getMyPartnerIds = async ({ userId, repository, timelineEnabled }: P
      continue;
    }

+    const permissions = [SharingPermission.All, SharingPermission.AssetRead];
+    if (!permissions.some((permission) => partner.permissions.includes(permission))) {
+      continue;
+    }
+
    partnerIds.add(partner.sharedById);
  }

@@ -15,9 +15,17 @@ import {
 import { PostgresJSDialect } from 'kysely-postgres-js';
 import { jsonArrayFrom, jsonObjectFrom } from 'kysely/helpers/postgres';
 import { Notice, PostgresError } from 'postgres';
-import { columns, lockableProperties, LockableProperty, Person } from 'src/database';
+import { columns, lockableProperties, LockableProperty } from 'src/database';
 import { AssetEditActionItem } from 'src/dtos/editing.dto';
-import { AssetFileType, AssetOrderBy, AssetVisibility, DatabaseExtension, ExifOrientation } from 'src/enum';
+import {
+  AssetFileType,
+  AssetOrderBy,
+  AssetVisibility,
+  DatabaseExtension,
+  ExifOrientation,
+  SharingPermission,
+} from 'src/enum';
+import { hasAssetPermissions } from 'src/repositories/asset.repository';
 import { AssetSearchBuilderOptions } from 'src/repositories/search.repository';
 import { DB } from 'src/schema';
 import { AssetExifTable } from 'src/schema/tables/asset-exif.table';
@@ -212,19 +220,22 @@ export function withFilePath(eb: ExpressionBuilder<DB, 'asset'>, type: AssetFile

 export function withFacesAndPeople(
  eb: ExpressionBuilder<DB, 'asset'>,
-  withHidden?: boolean,
-  withDeletedFace?: boolean,
+  { withHidden, withDeletedFace, userId: _ }: { withHidden?: boolean; withDeletedFace?: boolean; userId?: string } = {},
 ) {
  return jsonArrayFrom(
    eb
      .selectFrom('asset_face')
-      .leftJoinLateral(
-        (eb) =>
-          eb.selectFrom('person').selectAll('person').whereRef('asset_face.personId', '=', 'person.id').as('person'),
-        (join) => join.onTrue(),
+      .select((eb) =>
+        jsonObjectFrom(
+          eb
+            .selectFrom('face_cluster')
+            .whereRef('face_cluster.id', '=', 'asset_face.faceClusterId')
+            .innerJoin('person', 'person.faceClusterId', 'face_cluster.id')
+            .selectAll('person')
+            .limit(1),
+        ).as('person'),
      )
      .selectAll('asset_face')
-      .select((eb) => eb.table('person').$castTo<ShallowDehydrateObject<Person>>().as('person'))
      .whereRef('asset_face.assetId', '=', 'asset.id')
      .$if(!withDeletedFace, (qb) => qb.where('asset_face.deletedAt', 'is', null))
      .$if(!withHidden, (qb) => qb.where('asset_face.isVisible', 'is', true)),
@@ -237,11 +248,12 @@ export function hasPeople<O>(qb: SelectQueryBuilder<DB, 'asset', O>, personIds:
      eb
        .selectFrom('asset_face')
        .select('assetId')
-        .where('personId', '=', anyUuid(personIds!))
+        .innerJoin('person', 'person.faceClusterId', 'asset_face.faceClusterId')
+        .where('person.id', '=', anyUuid(personIds!))
        .where('deletedAt', 'is', null)
        .where('isVisible', 'is', true)
        .groupBy('assetId')
-        .having((eb) => eb.fn.count('personId').distinct(), '=', personIds.length)
+        .having((eb) => eb.fn.count('person.id').distinct(), '=', personIds.length)
        .as('has_people'),
    (join) => join.onRef('has_people.assetId', '=', 'asset.id'),
  );
@@ -302,6 +314,30 @@ export function truncatedDate<O>(order: AssetOrderBy = AssetOrderBy.TakenAt) {
  return sql<O>`date_trunc(${sql.lit('MONTH')}, ${sql.ref(order === AssetOrderBy.CreatedAt ? 'asset.createdAt' : 'localDateTime')} AT TIME ZONE 'UTC') AT TIME ZONE 'UTC'`;
 }

+export function withPermissions(userId: string) {
+  return (eb: ExpressionBuilder<DB, 'asset'>) =>
+    jsonArrayFrom(
+      eb
+        .selectFrom('album_user')
+        .select((eb) => eb.fn<SharingPermission>('unnest', ['album_user.permissions']).as('permission'))
+        .distinct()
+        .innerJoin('album_asset', 'album_user.albumId', 'album_asset.albumId')
+        .whereRef('album_asset.assetId', '=', 'asset.id')
+        .whereRef('album_user.userId', '=', 'asset.ownerId')
+        .where('album_user.albumId', 'in', (eb) =>
+          eb.selectFrom('album_user').select('album_user.albumId').where('album_user.userId', '=', userId),
+        )
+        .union(
+          eb
+            .selectFrom('partner')
+            .select((eb) => eb.fn<SharingPermission>('unnest', ['partner.permissions']).as('permission'))
+            .distinct()
+            .whereRef('partner.sharedById', '=', 'asset.ownerId')
+            .where('partner.sharedWithId', '=', userId),
+        ),
+    ).as('permissions');
+}
+
 export function withTagId<O>(qb: SelectQueryBuilder<DB, 'asset', O>, tagId: string) {
  return qb.where((eb) =>
    eb.exists(
@@ -428,7 +464,7 @@ export function searchAssetBuilder(kysely: Kysely<DB>, options: AssetSearchBuild
    .$if(!!options.checksum, (qb) => qb.where('asset.checksum', '=', options.checksum!))
    .$if(!!options.id, (qb) => qb.where('asset.id', '=', asUuid(options.id!)))
    .$if(!!options.libraryId, (qb) => qb.where('asset.libraryId', '=', asUuid(options.libraryId!)))
-    .$if(!!options.userIds, (qb) => qb.where('asset.ownerId', '=', anyUuid(options.userIds!)))
+    .$if(!!options.userIds, (qb) => qb.where(hasAssetPermissions(options.userIds![0], [SharingPermission.AssetRead])))
    .$if(!!options.encodedVideoPath, (qb) =>
      qb
        .innerJoin('asset_file', (join) =>
@@ -38,6 +38,7 @@ const createAsset = (
    fileSizeInByte !== null || Object.keys(exifFields).length > 0
      ? ExifResponseSchema.parse({ fileSizeInByte, ...exifFields })
      : undefined,
+  permissions: [],
 });

 describe('duplicate utils', () => {
@@ -1,4 +1,3 @@
-import { AssetFace } from 'src/database';
 import { AssetOcrResponseDto } from 'src/dtos/ocr.dto';
 import { ImageDimensions } from 'src/types';

@@ -31,11 +30,21 @@ const scale = (box: BoundingBox, target: ImageDimensions, source?: ImageDimensio
  };
 };

-export const checkFaceVisibility = (
-  faces: AssetFace[],
+export const checkFaceVisibility = <
+  T extends {
+    isVisible: boolean;
+    boundingBoxX1: number;
+    boundingBoxX2: number;
+    boundingBoxY1: number;
+    boundingBoxY2: number;
+    imageHeight: number;
+    imageWidth: number;
+  },
+>(
+  faces: T[],
  originalAssetDimensions: ImageDimensions,
  crop?: BoundingBox,
-): { visible: AssetFace[]; hidden: AssetFace[] } => {
+): { visible: T[]; hidden: T[] } => {
  if (!crop) {
    return {
      visible: faces.filter((face) => !face.isVisible),
@@ -1,16 +1,12 @@
 import { INestApplication } from '@nestjs/common';
 import {
+  ApiBodyOptions,
  DocumentBuilder,
  OpenAPIObject,
  SwaggerCustomOptions,
  SwaggerDocumentOptions,
  SwaggerModule,
 } from '@nestjs/swagger';
-import {
-  OperationObject,
-  ReferenceObject,
-  SchemaObject,
-} from '@nestjs/swagger/dist/interfaces/open-api-spec.interface';
 import _ from 'lodash';
 import { cleanupOpenApiDoc } from 'nestjs-zod';
 import { writeFileSync } from 'node:fs';
@@ -23,6 +19,11 @@ import { extraSyncModels } from 'src/dtos/sync.dto';
 import { ApiCustomExtension, ImmichCookie, ImmichHeader, MetadataKey } from 'src/enum';
 import { LoggingRepository } from 'src/repositories/logging.repository';

+type OperationObject = NonNullable<OpenAPIObject['paths'][string]['get']>;
+type ReferenceOrSchemaObject = Extract<ApiBodyOptions, { schema: unknown }>['schema'];
+type ReferenceObject = Extract<ReferenceOrSchemaObject, { $ref: unknown }>;
+type SchemaObject = Exclude<ReferenceOrSchemaObject, ReferenceObject>;
+
 export class ImmichStartupError extends Error {}
 export const isStartUpError = (error: unknown): error is ImmichStartupError => error instanceof ImmichStartupError;

@@ -28,6 +28,8 @@ export class AlbumUserFactory {
      createdAt: newDate(),
      updateId: newUuidV7(),
      updatedAt: newDate(),
+      permissions: [],
+      inTimeline: false,
      ...dto,
    });
  }
@@ -26,6 +26,7 @@ export class PartnerFactory {
      sharedWithId,
      updatedAt: newDate(),
      updateId: newUuidV7(),
+      permissions: [],
      ...dto,
    })
      .sharedBy({ id: sharedById })
@@ -35,6 +35,7 @@ export class UserFactory {
      status: UserStatus.Active,
      profileChangedAt: newDate(),
      updateId: newUuidV7(),
+      trustedGroupId: newUuid(),
      ...dto,
    });
  }
@@ -21,6 +21,7 @@ export const newAccessRepositoryMock = (): IAccessRepositoryMock => {
      checkAlbumAccess: vitest.fn().mockResolvedValue(new Set()),
      checkPartnerAccess: vitest.fn().mockResolvedValue(new Set()),
      checkSharedLinkAccess: vitest.fn().mockResolvedValue(new Set()),
+      checkSharedAccess: vitest.fn().mockResolvedValue(new Set()),
    },

    album: {
@@ -48,6 +49,8 @@ export const newAccessRepositoryMock = (): IAccessRepositoryMock => {
    person: {
      checkFaceOwnerAccess: vitest.fn().mockResolvedValue(new Set()),
      checkOwnerAccess: vitest.fn().mockResolvedValue(new Set()),
+      checkSharedAccess: vitest.fn().mockResolvedValue(new Set()),
+      checkSharedFaceAccess: vitest.fn().mockResolvedValue(new Set()),
    },

    partner: {
@@ -76,7 +76,7 @@
    "@sveltejs/adapter-static": "^3.0.8",
    "@sveltejs/enhanced-img": "^0.10.4",
    "@sveltejs/kit": "^2.56.1",
-    "@sveltejs/vite-plugin-svelte": "7.0.0",
+    "@sveltejs/vite-plugin-svelte": "7.1.2",
    "@tailwindcss/vite": "^4.2.4",
    "@testing-library/jest-dom": "^6.4.2",
    "@testing-library/svelte": "^5.2.8",
@@ -34,7 +34,7 @@
 }

@utility immich-form-input {
-  @apply bg-gray-100 ring-1 ring-gray-200 transition outline-none focus-within:ring-1 disabled:cursor-not-allowed dark:bg-gray-800 dark:ring-neutral-900 flex w-full items-center rounded-lg disabled:bg-gray-300 disabled:text-dark dark:disabled:bg-gray-900 dark:disabled:text-gray-200 flex-1 py-2.5 text-base pl-4 pr-4;
+  @apply bg-gray-100 ring-1 ring-gray-200 transition outline-none focus-within:ring-primary focus-within:ring-1 disabled:cursor-not-allowed dark:bg-gray-800 dark:ring-neutral-900 dark:focus-within:ring-primary flex w-full items-center rounded-lg disabled:bg-gray-300 disabled:text-dark dark:disabled:bg-gray-900 dark:disabled:text-gray-200 flex-1 py-2.5 text-base pl-4 pr-4;
 }

@utility immich-form-label {
@@ -128,7 +128,7 @@
    </div>
    {#if innerHeight}
      <div
-        class="relative w-full overflow-y-auto px-2 immich-scrollbar"
+        class="relative w-full immich-scrollbar overflow-y-auto px-2"
        style="height: {divHeight}px;padding-bottom: {chatHeight}px"
      >
        {#each activityManager.activities as reaction, index (reaction.id)}
@@ -26,12 +26,13 @@
  import { Route } from '$lib/route';
  import { getGlobalActions } from '$lib/services/app.service';
  import { getAssetActions } from '$lib/services/asset.service';
-  import { getSharedLink, withoutIcons } from '$lib/utils';
+  import { getSharedLink, hasPermissions, withoutIcons } from '$lib/utils';
  import type { OnUndoDelete } from '$lib/utils/actions';
  import { toTimelineAsset } from '$lib/utils/timeline-util';
  import {
    AssetTypeEnum,
    AssetVisibility,
+    SharingPermission,
    type AlbumResponseDto,
    type AssetResponseDto,
    type PersonResponseDto,
@@ -141,7 +142,7 @@

    <ActionButton action={Actions.Edit} />

-    {#if isOwner}
+    {#if hasPermissions(asset, SharingPermission.AssetDelete)}
      <DeleteAction {asset} {onAction} {preAction} {onUndoDelete} />
    {/if}

@@ -159,7 +160,7 @@
        {/if}

        <ActionMenuItem action={Actions.AddToAlbum} />
-        {#if album && (isOwner || isAlbumOwner)}
+        {#if album && (hasPermissions(asset, SharingPermission.AssetShare) || isAlbumOwner)}
          <RemoveFromAlbumAction {album} onRemove={onRemoveFromAlbum} assetIds={[asset.id]} menuItem />
        {/if}

@@ -187,7 +188,7 @@
        {/if}

        {#if !isLocked}
-          {#if isOwner}
+          {#if hasPermissions(asset, SharingPermission.AssetUpdate)}
            <ArchiveAction {asset} {onAction} {preAction} />
            {#if !asset.isArchived && !asset.isTrashed}
              <MenuOption
@@ -217,7 +218,7 @@
            text={playOriginalVideo ? $t('play_transcoded_video') : $t('play_original_video')}
          />
        {/if}
-        {#if isOwner}
+        {#if hasPermissions(asset, SharingPermission.AssetUpdate)}
          <hr />
          <ActionMenuItem action={Actions.RefreshFacesJob} />
          <ActionMenuItem action={Actions.RefreshMetadataJob} />
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Daniel Dietzler	c57cd1eb41	feat: sharing permissions	2026-05-21 11:16:25 +02:00
Caltsic	b414b3d32b	fix: improve form control focus visibility (#28512 ) * Improve form control focus visibility * fix: align form input focus styles	2026-05-20 15:33:56 -05:00
renovate[bot]	20da7c4267	chore(deps): lock file maintenance (terragrunt) (#28488 )	2026-05-20 17:20:50 +02:00
renovate[bot]	92b6778d2d	fix(deps): update typescript-projects (#28371 ) Co-authored-by: Daniel Dietzler <mail@ddietzler.dev>	2026-05-20 16:56:27 +02:00
Daniel Dietzler	5a61e589e8	chore: always run ci when mise.toml changes and install flutter from aqua (#28521 )	2026-05-20 14:43:30 +00:00
renovate[bot]	85192bb110	chore(deps): update ghcr.io/jdx/mise docker tag to v2026.5.11 (#28522 )	2026-05-20 14:29:17 +00:00
Timon	c7ae97fa2b	chore: handle docusaurus deprecation warning (#28516 )	2026-05-20 15:27:33 +02:00
Timon	8d02f3625d	chore: update mobile makefile command usage instructions (#28514 )	2026-05-20 15:26:24 +02:00
bo0tzz	a5a7380a26	feat: use lockfile for mise tools (#28503 )	2026-05-20 11:37:33 +00:00
renovate[bot]	d9ce3d2046	chore(deps): update dependency @types/node to ^24.12.4 (#28490 )	2026-05-20 12:41:17 +02:00