fix(web): scrubber drag handles mouseup outside window

Change-Id: Ida12f972e012df8cb3470135e62394d26a6a6964

.devcontainer/devcontainer.json

@@ -75,7 +75,7 @@
             {
               "label": "Build Immich CLI",
               "type": "shell",
-              "command": "pnpm --filter @immich/cli build:dev"
+              "command": "pnpm --filter cli build:dev"
             }
           ]
         }

.devcontainer/server/container-compose-overrides.yml

@@ -16,7 +16,7 @@ services:
       - ${UPLOAD_LOCATION:-upload-devcontainer-volume}${UPLOAD_LOCATION:+/photos}:/data
       - /etc/localtime:/etc/localtime:ro
       - pnpm_store_server:/buildcache/pnpm-store
-      - ../packages/plugins:/build/corePlugin
+      - ../plugins:/build/corePlugin
   immich-web:
     env_file: !reset []
   immich-machine-learning:

.dockerignore

@@ -30,7 +30,9 @@ machine-learning/
 misc/
 mobile/
 
-packages/sdk/build/
+open-api/typescript-sdk/build/
+!open-api/typescript-sdk/package.json
+!open-api/typescript-sdk/package-lock.json
 
 server/upload/
 server/src/queries

.gitattributes

@@ -6,12 +6,6 @@ mobile/openapi/**/*.dart linguist-generated=true
 mobile/lib/**/*.g.dart -diff -merge
 mobile/lib/**/*.g.dart linguist-generated=true
 
-mobile/android/**/*.g.kt -diff -merge
-mobile/android/**/*.g.kt linguist-generated=true
-
-mobile/ios/**/*.g.swift -diff -merge
-mobile/ios/**/*.g.swift linguist-generated=true
-
 mobile/lib/**/*.drift.dart -diff -merge
 mobile/lib/**/*.drift.dart linguist-generated=true
 
@@ -24,7 +18,7 @@ mobile/lib/infrastructure/repositories/db.repository.steps.dart linguist-generat
 mobile/test/drift/main/generated/** -diff -merge
 mobile/test/drift/main/generated/** linguist-generated=true
 
-packages/sdk/fetch-client.ts -diff -merge
-packages/sdk/fetch-client.ts linguist-generated=true
+open-api/typescript-sdk/fetch-client.ts -diff -merge
+open-api/typescript-sdk/fetch-client.ts linguist-generated=true
 
 *.sh text eol=lf

.github/.nvmrc

@@ -0,0 +1 @@
+24.14.1

.github/labeler.yml

@@ -1,7 +1,7 @@
 cli:
   - changed-files:
       - any-glob-to-any-file:
-          - packages/cli/src/**
+          - cli/src/**
 
 documentation:
   - changed-files:

.github/workflows/auto-close.yml

@@ -51,7 +51,7 @@ jobs:
         run: |
           gh api graphql \
             -f prId="$NODE_ID" \
-            -f body="This PR has been automatically closed as the description doesn't follow [our template](https://github.com/immich-app/immich/blob/main/.github/pull_request_template.md). After you edit it to match the template, the PR will automatically be reopened." \
+            -f body="This PR has been automatically closed as the description doesn't follow our template. After you edit it to match the template, the PR will automatically be reopened." \
             -f query='
               mutation CommentAndClosePR($prId: ID!, $body: String!) {
                 addComment(input: {

.github/workflows/build-mobile.yml

@@ -51,14 +51,14 @@ jobs:
       should_run: ${{ steps.check.outputs.should_run }}
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Check what should run
         id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
         with:
           github-token: ${{ steps.token.outputs.token }}
           filters: |
@@ -73,30 +73,24 @@ jobs:
     needs: pre-job
     permissions:
       contents: read
-      pull-requests: write
-    if: ${{ github.actor != 'dependabot[bot]' && fromJSON(needs.pre-job.outputs.should_run).mobile == true }}
+    # Skip when PR from a fork
+    if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && fromJSON(needs.pre-job.outputs.should_run).mobile == true }}
     runs-on: mich
 
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          ref: ${{ inputs.ref }}
+          ref: ${{ inputs.ref || github.sha }}
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
 
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
-        with:
-          github_token: ${{ steps.token.outputs.token }}
-
       - name: Create the Keystore
-        if: ${{ !github.event.pull_request.head.repo.fork }}
         env:
           KEY_JKS: ${{ secrets.KEY_JKS }}
         working-directory: ./mobile
@@ -109,7 +103,7 @@ jobs:
 
       - name: Restore Gradle Cache
         id: cache-gradle-restore
-        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             ~/.gradle/caches
@@ -119,8 +113,15 @@ jobs:
             mobile/.dart_tool
           key: build-mobile-gradle-${{ runner.os }}-main
 
+      - name: Setup Flutter SDK
+        uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
+        with:
+          channel: 'stable'
+          flutter-version-file: ./mobile/pubspec.yaml
+          cache: true
+
       - name: Setup Android SDK
-        uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1
+        uses: android-actions/setup-android@9fc6c4e9069bf8d3d10b2204b1fb8f6ef7065407 # v3.2.2
         with:
           packages: ''
 
@@ -129,10 +130,11 @@ jobs:
         run: flutter pub get
 
       - name: Generate translation file
-        run: mise //mobile:codegen:translation
+        run: dart run easy_localization:generate -S ../i18n && dart run bin/generate_keys.dart
+        working-directory: ./mobile
 
       - name: Generate platform APIs
-        run: mise //mobile:codegen:pigeon
+        run: make pigeon
         working-directory: ./mobile
 
       - name: Build Android App Bundle
@@ -142,46 +144,23 @@ jobs:
           ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
           ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
           IS_MAIN: ${{ github.ref == 'refs/heads/main' }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
         run: |
           if [[ $IS_MAIN == 'true' ]]; then
             flutter build apk --release
             flutter build apk --release --split-per-abi --target-platform android-arm,android-arm64,android-x64
           else
-            flutter build apk --release
+            flutter build apk --debug --split-per-abi --target-platform android-arm64
           fi
 
       - name: Publish Android Artifact
-        id: upload-apk
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: release-apk-signed
           path: mobile/build/app/outputs/flutter-apk/*.apk
 
-      - name: Comment APK download link on PR
-        if: ${{ github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork }}
-        uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
-        env:
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          APK_URL: ${{ steps.upload-apk.outputs.artifact-url }}
-        with:
-          github-token: ${{ steps.token.outputs.token }}
-          message-id: 'mobile-android-apk'
-          message: |
-            📱 **Android release APK (universal)** — `${{ env.HEAD_SHA }}`
-
-            Download: ${{ env.APK_URL }}
-
-            <details>
-              <summary>QR code</summary>
-              <img src="https://api.qrserver.com/v1/create-qr-code/?size=240x240&data=${{ env.APK_URL }}" alt="QR code" />
-            </details>
-
-            Installs as a separate app (applicationId `app.alextran.immich.pr${{ github.event.pull_request.number }}`), so it coexists with the Play Store version and any other PR builds.
-
       - name: Save Gradle Cache
         id: cache-gradle-save
-        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         if: github.ref == 'refs/heads/main'
         with:
           path: |
@@ -202,12 +181,6 @@ jobs:
     runs-on: macos-15
 
     steps:
-      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
-        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
-          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
-
       - name: Select Xcode 26
         run: sudo xcode-select -s /Applications/Xcode_26.2.app/Contents/Developer
 
@@ -217,23 +190,27 @@ jobs:
           ref: ${{ inputs.ref || github.sha }}
           persist-credentials: false
 
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup Flutter SDK
+        uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
+          channel: 'stable'
+          flutter-version-file: ./mobile/pubspec.yaml
+          cache: true
 
       - name: Install Flutter dependencies
         working-directory: ./mobile
         run: flutter pub get
 
       - name: Generate translation files
-        run: mise //mobile:codegen:translation
+        run: dart run easy_localization:generate -S ../i18n && dart run bin/generate_keys.dart
+        working-directory: ./mobile
 
       - name: Generate platform APIs
-        run: mise //mobile:codegen:pigeon
+        run: make pigeon
+        working-directory: ./mobile
 
       - name: Setup Ruby
-        uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+        uses: ruby/setup-ruby@c515ec17f69368147deb311832da000dd229d338 # v1.297.0
         with:
           ruby-version: '3.3'
           bundler-cache: true
@@ -314,7 +291,7 @@ jobs:
           security delete-keychain build.keychain || true
 
       - name: Upload IPA artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: ios-release-ipa
           path: mobile/ios/Runner.ipa

.github/workflows/cache-cleanup.yml

@@ -19,9 +19,9 @@ jobs:
       actions: write
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Check out code

.github/workflows/check-openapi.yml

@@ -24,7 +24,7 @@ jobs:
           persist-credentials: false
 
       - name: Check for breaking API changes
-        uses: oasdiff/oasdiff-action/breaking@26ccb332c67a45ca649de9faf60552ef1b8260d9 # v0.0.46
+        uses: oasdiff/oasdiff-action/breaking@1f38ea5ea0b4a2e4e49901c3bcdf4386a05e9ea1 # v0.0.37
         with:
           base: https://raw.githubusercontent.com/${{ github.repository }}/main/open-api/immich-openapi-specs.json
           revision: open-api/immich-openapi-specs.json

.github/workflows/cli.yml

@@ -3,11 +3,11 @@ on:
   push:
     branches: [main]
     paths:
-      - 'packages/cli/**'
+      - 'cli/**'
       - '.github/workflows/cli.yml'
   pull_request:
     paths:
-      - 'packages/cli/**'
+      - 'cli/**'
       - '.github/workflows/cli.yml'
   release:
     types: [published]
@@ -28,28 +28,38 @@ jobs:
       packages: write
     defaults:
       run:
-        working-directory: ./packages/cli
+        working-directory: ./cli
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
 
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
-        with:
-          github_token: ${{ steps.token.outputs.token }}
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
 
-      - name: Publish
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version-file: './cli/.nvmrc'
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+
+      - name: Setup typescript-sdk
+        run: pnpm install && pnpm run build
+        working-directory: ./open-api/typescript-sdk
+
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm build
+      - run: pnpm publish --provenance --no-git-checks
         if: ${{ github.event_name == 'release' }}
-        run: mise run ci-publish
 
   docker:
     name: Docker
@@ -61,9 +71,9 @@ jobs:
 
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout
@@ -79,7 +89,7 @@ jobs:
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         if: ${{ !github.event.pull_request.head.repo.fork }}
         with:
           registry: ghcr.io
@@ -89,7 +99,7 @@ jobs:
       - name: Get package version
         id: package-version
         run: |
-          version=$(jq -r '.version' packages/cli/package.json)
+          version=$(jq -r '.version' cli/package.json)
           echo "version=$version" >> "$GITHUB_OUTPUT"
 
       - name: Generate docker image tags
@@ -105,9 +115,9 @@ jobs:
             type=raw,value=latest,enable=${{ github.event_name == 'release' }}
 
       - name: Build and push image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
-          file: packages/cli/Dockerfile
+          file: cli/Dockerfile
           platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name == 'release' }}
           cache-from: type=gha

.github/workflows/close-duplicates.yml

@@ -35,7 +35,7 @@ jobs:
     needs: [get_body, should_run]
     if: ${{ needs.should_run.outputs.should_run == 'true' }}
     container:
-      image: ghcr.io/immich-app/mdq:main@sha256:0a8b8867773a0f8368061f47578603f438349f8f1f28b0e16105f481e5c794e0
+      image: ghcr.io/immich-app/mdq:main@sha256:df7188ba88abb0800d73cc97d3633280f0c0c3d4c441d678225067bf154150fb
     outputs:
       checked: ${{ steps.get_checkbox.outputs.checked }}
     steps:

.github/workflows/codeql-analysis.yml

@@ -44,9 +44,9 @@ jobs:
 
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout repository
@@ -57,7 +57,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -70,7 +70,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -83,6 +83,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           category: '/language:${{matrix.language}}'

.github/workflows/docker.yml

@@ -23,14 +23,14 @@ jobs:
       should_run: ${{ steps.check.outputs.should_run }}
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Check what should run
         id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
         with:
           github-token: ${{ steps.token.outputs.token }}
           filters: |
@@ -60,7 +60,7 @@ jobs:
         suffix: ['', '-cuda', '-rocm', '-openvino', '-armnn', '-rknn']
     steps:
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -90,7 +90,7 @@ jobs:
         suffix: ['']
     steps:
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -132,7 +132,7 @@ jobs:
             suffixes: '-rocm'
             platforms: linux/amd64
             runner-mapping: '{"linux/amd64": "pokedex-large"}'
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@5813c7c4f7016c748ae7ac5d5f684846649d4d20 # multi-runner-build-workflow-v2.4.0
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@61a0fc2b41524edcc7c9fffb8bb178e6b0ccf21d # multi-runner-build-workflow-v2.3.0
     permissions:
       contents: read
       actions: read
@@ -155,7 +155,7 @@ jobs:
     name: Build and Push Server
     needs: pre-job
     if: ${{ fromJSON(needs.pre-job.outputs.should_run).server == true }}
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@5813c7c4f7016c748ae7ac5d5f684846649d4d20 # multi-runner-build-workflow-v2.4.0
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@61a0fc2b41524edcc7c9fffb8bb178e6b0ccf21d # multi-runner-build-workflow-v2.3.0
     permissions:
       contents: read
       actions: read
@@ -178,7 +178,7 @@ jobs:
     runs-on: ubuntu-latest
     if: always()
     steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
         with:
           needs: ${{ toJSON(needs) }}
 
@@ -189,6 +189,6 @@ jobs:
     runs-on: ubuntu-latest
     if: always()
     steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
         with:
           needs: ${{ toJSON(needs) }}

.github/workflows/docs-build.yml

@@ -21,14 +21,14 @@ jobs:
       should_run: ${{ steps.check.outputs.should_run }}
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Check what should run
         id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
         with:
           github-token: ${{ steps.token.outputs.token }}
           filters: |
@@ -54,9 +54,9 @@ jobs:
 
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -64,11 +64,17 @@ jobs:
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
+          fetch-depth: 0
 
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './docs/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
 
       - name: Run install
         run: pnpm install
@@ -80,7 +86,7 @@ jobs:
         run: pnpm build
 
       - name: Upload build output
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: docs-build-output
           path: docs/build/

.github/workflows/docs-deploy.yml

@@ -20,16 +20,16 @@ jobs:
       artifact: ${{ steps.get-artifact.outputs.result }}
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - if: ${{ github.event.workflow_run.conclusion != 'success' }}
         run: echo 'The triggering workflow did not succeed' && exit 1
       - name: Get artifact
         id: get-artifact
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.token.outputs.token }}
           script: |
@@ -48,7 +48,7 @@ jobs:
             return { found: true, id: matchArtifact.id };
       - name: Determine deploy parameters
         id: parameters
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
         with:
@@ -119,9 +119,9 @@ jobs:
     if: ${{ fromJson(needs.checks.outputs.artifact).found && fromJson(needs.checks.outputs.parameters).shouldDeploy }}
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -131,13 +131,11 @@ jobs:
           token: ${{ steps.token.outputs.token }}
 
       - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
-        with:
-          github_token: ${{ steps.token.outputs.token }}
+        uses: immich-app/devtools/actions/use-mise@035e80a7d4355d5f087ffb95db9e4a0944c04e56 # use-mise-action-v1.1.3
 
       - name: Load parameters
         id: parameters
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           PARAM_JSON: ${{ needs.checks.outputs.parameters }}
         with:
@@ -149,7 +147,7 @@ jobs:
             core.setOutput("shouldDeploy", parameters.shouldDeploy);
 
       - name: Download artifact
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           ARTIFACT_JSON: ${{ needs.checks.outputs.artifact }}
         with:
@@ -213,7 +211,7 @@ jobs:
         run: 'mise run //deployment:tf apply'
 
       - name: Comment
-        uses: actions-cool/maintain-one-comment@909842216bc8e8658364c572ec52100f4c2cc50a # v3.3.0
+        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
         if: ${{ steps.parameters.outputs.event == 'pr' }}
         with:
           token: ${{ steps.token.outputs.token }}

.github/workflows/docs-destroy.yml

@@ -17,9 +17,9 @@ jobs:
       pull-requests: write
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -29,9 +29,7 @@ jobs:
           token: ${{ steps.token.outputs.token }}
 
       - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
-        with:
-          github_token: ${{ steps.token.outputs.token }}
+        uses: immich-app/devtools/actions/use-mise@035e80a7d4355d5f087ffb95db9e4a0944c04e56 # use-mise-action-v1.1.3
 
       - name: Destroy Docs Subdomain
         env:
@@ -44,7 +42,7 @@ jobs:
         run: 'mise run //deployment:tf destroy -- -refresh=false'
 
       - name: Comment
-        uses: actions-cool/maintain-one-comment@909842216bc8e8658364c572ec52100f4c2cc50a # v3.3.0
+        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
         with:
           token: ${{ steps.token.outputs.token }}
           number: ${{ github.event.number }}

.github/workflows/fix-format.yml

@@ -14,35 +14,41 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
-      - name: Checkout code
+      - name: 'Checkout'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.pull_request.head.ref }}
+          token: ${{ steps.generate-token.outputs.token }}
           persist-credentials: true
-          token: ${{ steps.token.outputs.token }}
 
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './server/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
 
       - name: Fix formatting
         run: pnpm --recursive install && pnpm run --recursive --if-present --parallel format:fix
 
       - name: Commit and push
-        uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10.0.0
+        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
         with:
           default_author: github_actions
           message: 'chore: fix formatting'
 
       - name: Remove label
-        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         if: always()
         with:
           github-token: ${{ steps.generate-token.outputs.token }}

.github/workflows/merge-translations.yml

@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
   workflow_call:
     secrets:
-      PUSH_O_MATIC_APP_CLIENT_ID:
+      PUSH_O_MATIC_APP_ID:
         required: true
       PUSH_O_MATIC_APP_KEY:
         required: true
@@ -31,9 +31,9 @@ jobs:
       - name: Generate a token
         id: generate_token
         if: ${{ inputs.skip != true }}
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Find translation PR

.github/workflows/pr-label-validation.yml

@@ -14,9 +14,9 @@ jobs:
       pull-requests: write
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Require PR to have a changelog label

.github/workflows/pr-labeler.yml

@@ -12,11 +12,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
-      - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
           repo-token: ${{ steps.token.outputs.token }}

.github/workflows/prepare-release.yml

@@ -36,7 +36,7 @@ jobs:
     permissions:
       pull-requests: write
     secrets:
-      PUSH_O_MATIC_APP_CLIENT_ID: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+      PUSH_O_MATIC_APP_ID: ${{ secrets.PUSH_O_MATIC_APP_ID }}
       PUSH_O_MATIC_APP_KEY: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
       WEBLATE_TOKEN: ${{ secrets.WEBLATE_TOKEN }}
 
@@ -48,27 +48,32 @@ jobs:
       version: ${{ steps.output.outputs.version }}
     permissions: {} # No job-level permissions are needed because it uses the app-token
     steps:
-      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
-      - name: Checkout code
+      - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-          token: ${{ steps.token.outputs.token }}
+          token: ${{ steps.generate-token.outputs.token }}
           persist-credentials: true
           ref: main
 
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
-        with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      # TODO move to mise
       - name: Install uv
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version-file: './server/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
 
       - name: Bump version
         env:
@@ -81,7 +86,7 @@ jobs:
 
       - name: Commit and tag
         id: push-tag
-        uses: EndBug/add-and-commit@290ea2c423ad77ca9c62ae0f5b224379612c0321 # v10.0.0
+        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
         with:
           default_author: github_actions
           message: 'chore: version ${{ steps.output.outputs.version }}'
@@ -119,9 +124,9 @@ jobs:
     steps:
       - name: Generate a token
         id: generate-token
-        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout
@@ -137,7 +142,7 @@ jobs:
           github-token: ${{ steps.generate-token.outputs.token }}
 
       - name: Create draft release
-        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           draft: true
           tag_name: ${{ needs.bump_version.outputs.version }}

.github/workflows/preview-label.yaml

@@ -14,12 +14,12 @@ jobs:
       pull-requests: write
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
-      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
+      - uses: mshick/add-pr-comment@ffd016c7e151d97d69d21a843022fd4cd5b96fe5 # v3.9.0
         with:
           github-token: ${{ steps.token.outputs.token }}
           message-id: 'preview-status'
@@ -32,12 +32,12 @@ jobs:
       pull-requests: write
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
-      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
+      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.token.outputs.token }}
           script: |
@@ -48,14 +48,14 @@ jobs:
               name: 'preview'
             })
 
-      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
+      - uses: mshick/add-pr-comment@ffd016c7e151d97d69d21a843022fd4cd5b96fe5 # v3.9.0
         if: ${{ github.event.pull_request.head.repo.fork }}
         with:
           github-token: ${{ steps.token.outputs.token }}
           message-id: 'preview-status'
           message: 'PRs from forks cannot have preview environments.'
 
-      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
+      - uses: mshick/add-pr-comment@ffd016c7e151d97d69d21a843022fd4cd5b96fe5 # v3.9.0
         if: ${{ !github.event.pull_request.head.repo.fork }}
         with:
           github-token: ${{ steps.token.outputs.token }}

.github/workflows/sdk.yml

@@ -14,29 +14,34 @@ jobs:
       contents: read
       id-token: write
       packages: write
+    defaults:
+      run:
+        working-directory: ./open-api/typescript-sdk
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
 
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+
+      # Setup .npmrc file to publish to npm
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
+          node-version-file: './open-api/typescript-sdk/.nvmrc'
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
       - name: Install deps
-        run: pnpm --filter @immich/sdk install --frozen-lockfile
-
+        run: pnpm install --frozen-lockfile
       - name: Build
-        run: pnpm --filter @immich/sdk build
-
+        run: pnpm build
       - name: Publish
-        run: pnpm --filter @immich/sdk publish --provenance --no-git-checks
+        run: pnpm publish --provenance --no-git-checks

.github/workflows/static_analysis.yml

@@ -20,14 +20,14 @@ jobs:
       should_run: ${{ steps.check.outputs.should_run }}
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Check what should run
         id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
         with:
           github-token: ${{ steps.token.outputs.token }}
           filters: |
@@ -49,9 +49,9 @@ jobs:
         working-directory: ./mobile
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -60,30 +60,38 @@ jobs:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
 
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup Flutter SDK
+        uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
+          channel: 'stable'
+          flutter-version-file: ./mobile/pubspec.yaml
 
       - name: Install dependencies
-        run: flutter pub get
+        run: dart pub get
 
       - name: Install dependencies for UI package
-        run: flutter pub get
+        run: dart pub get
         working-directory: ./mobile/packages/ui
 
       - name: Install dependencies for UI Showcase
-        run: flutter pub get
+        run: dart pub get
         working-directory: ./mobile/packages/ui/showcase
 
-      - name: Generate translation files
-        run: mise //mobile:codegen:translation
+      - name: Install DCM
+        uses: CQLabs/setup-dcm@8697ae0790c0852e964a6ef1d768d62a6675481a # v2.0.1
+        with:
+          github-token: ${{ steps.token.outputs.token }}
+          version: auto
+          working-directory: ./mobile
+
+      - name: Generate translation file
+        run: dart run easy_localization:generate -S ../i18n && dart run bin/generate_keys.dart
 
       - name: Run Build Runner
-        run: mise //mobile:codegen:dart
+        run: make build
 
       - name: Generate platform API
-        run: mise //mobile:codegen:pigeon
+        run: make pigeon
 
       - name: Find file changes
         uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
@@ -99,16 +107,20 @@ jobs:
         env:
           CHANGED_FILES: ${{ steps.verify-changed-files.outputs.changed_files }}
         run: |
-          echo "ERROR: Generated files not up to date! Run 'mise //mobile:codegen:dart' and 'mise //mobile:codegen:pigeon'"
+          echo "ERROR: Generated files not up to date! Run 'make build' and 'make pigeon' inside the mobile directory"
           echo "Changed files: ${CHANGED_FILES}"
           exit 1
 
-      - name: Run analyze
-        run: mise //mobile:analyze
+      - name: Run dart analyze
+        run: dart analyze --fatal-infos
 
-      - name: Run format
-        run: mise //mobile:format
+      - name: Run dart format
+        run: make format
 
       # TODO: Re-enable after upgrading custom_lint
       # - name: Run dart custom_lint
       #   run: dart run custom_lint
+
+      # TODO: Use https://github.com/CQLabs/dcm-action
+      - name: Run DCM
+        run: dcm analyze lib --fatal-style --fatal-warnings

.github/workflows/test.yml

@@ -17,14 +17,14 @@ jobs:
       should_run: ${{ steps.check.outputs.should_run }}
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Check what should run
         id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
         with:
           github-token: ${{ steps.token.outputs.token }}
           filters: |
@@ -33,18 +33,14 @@ jobs:
             web:
               - 'web/**'
               - 'i18n/**'
-              - 'packages/sdk/**'
-              - 'pnpm-lock.yaml'
+              - 'open-api/typescript-sdk/**'
             server:
               - 'server/**'
-              - 'pnpm-lock.yaml'
             cli:
-              - 'packages/cli/**'
-              - 'packages/sdk/**'
-              - 'pnpm-lock.yaml'
+              - 'cli/**'
+              - 'open-api/typescript-sdk/**'
             e2e:
               - 'e2e/**'
-              - 'pnpm-lock.yaml'
             mobile:
               - 'mobile/**'
             machine-learning:
@@ -67,9 +63,9 @@ jobs:
         working-directory: ./server
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -78,14 +74,28 @@ jobs:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
 
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run ci-unit
-        run: mise run ci-unit
-
+          node-version-file: './server/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Run package manager install
+        run: pnpm install
+      - name: Run linter
+        run: pnpm lint
+        if: ${{ !cancelled() }}
+      - name: Run formatter
+        run: pnpm format
+        if: ${{ !cancelled() }}
+      - name: Run tsc
+        run: pnpm check
+        if: ${{ !cancelled() }}
+      - name: Run small tests & coverage
+        run: pnpm test
+        if: ${{ !cancelled() }}
   cli-unit-tests:
     name: Unit Test CLI
     needs: pre-job
@@ -95,12 +105,12 @@ jobs:
       contents: read
     defaults:
       run:
-        working-directory: ./packages/cli
+        working-directory: ./cli
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -108,15 +118,31 @@ jobs:
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run ci-unit
-        run: mise run ci-unit
-
+          node-version-file: './cli/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Setup typescript-sdk
+        run: pnpm install && pnpm run build
+        working-directory: ./open-api/typescript-sdk
+      - name: Install deps
+        run: pnpm install
+      - name: Run linter
+        run: pnpm lint
+        if: ${{ !cancelled() }}
+      - name: Run formatter
+        run: pnpm format
+        if: ${{ !cancelled() }}
+      - name: Run tsc
+        run: pnpm check
+        if: ${{ !cancelled() }}
+      - name: Run unit tests & coverage
+        run: pnpm test
+        if: ${{ !cancelled() }}
   cli-unit-tests-win:
     name: Unit Test CLI (Windows)
     needs: pre-job
@@ -126,12 +152,12 @@ jobs:
       contents: read
     defaults:
       run:
-        working-directory: ./packages/cli
+        working-directory: ./cli
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -139,28 +165,26 @@ jobs:
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run setup @immich/sdk
-        run: mise run //:sdk:install && mise run //:sdk:build
-
-      - name: Run pnpm install
+          node-version-file: './cli/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Setup typescript-sdk
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./open-api/typescript-sdk
+      - name: Install deps
         run: pnpm install --frozen-lockfile
-
       # Skip linter & formatter in Windows test.
-
       - name: Run tsc
         run: pnpm check
         if: ${{ !cancelled() }}
-
       - name: Run unit tests & coverage
         run: pnpm test
         if: ${{ !cancelled() }}
-
   web-lint:
     name: Lint Web
     needs: pre-job
@@ -173,9 +197,9 @@ jobs:
         working-directory: ./web
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -183,22 +207,28 @@ jobs:
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run setup @immich/sdk
-        run: mise run //:sdk:install && mise run //:sdk:build
-
+          node-version-file: './web/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Run setup typescript-sdk
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./open-api/typescript-sdk
       - name: Run pnpm install
-        run: pnpm install --frozen-lockfile
-
+        run: pnpm rebuild && pnpm install --frozen-lockfile
       - name: Run linter
         run: pnpm lint
         if: ${{ !cancelled() }}
-
+      - name: Run formatter
+        run: pnpm format
+        if: ${{ !cancelled() }}
+      - name: Run svelte checks
+        run: pnpm check:svelte
+        if: ${{ !cancelled() }}
   web-unit-tests:
     name: Test Web
     needs: pre-job
@@ -211,9 +241,9 @@ jobs:
         working-directory: ./web
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -221,15 +251,25 @@ jobs:
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run ci-unit
-        run: mise run ci-unit
-
+          node-version-file: './web/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Run setup typescript-sdk
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./open-api/typescript-sdk
+      - name: Run npm install
+        run: pnpm install --frozen-lockfile
+      - name: Run tsc
+        run: pnpm check:typescript
+        if: ${{ !cancelled() }}
+      - name: Run unit tests & coverage
+        run: pnpm test
+        if: ${{ !cancelled() }}
   i18n-tests:
     name: Test i18n
     needs: pre-job
@@ -239,9 +279,9 @@ jobs:
       contents: read
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -249,25 +289,24 @@ jobs:
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
+          node-version-file: './web/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
       - name: Install dependencies
-        run: pnpm -w install --frozen-lockfile
-
+        run: pnpm --filter=immich-i18n install --frozen-lockfile
       - name: Format
-        run: pnpm format:fix
-
+        run: pnpm --filter=immich-i18n format:fix
       - name: Find file changes
         uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
         id: verify-changed-files
         with:
           files: |
             i18n/**
-
       - name: Verify files have not changed
         if: steps.verify-changed-files.outputs.files_changed == 'true'
         env:
@@ -276,7 +315,6 @@ jobs:
           echo "ERROR: i18n files not up to date!"
           echo "Changed files: ${CHANGED_FILES}"
           exit 1
-
   e2e-tests-lint:
     name: End-to-End Lint
     needs: pre-job
@@ -289,9 +327,9 @@ jobs:
         working-directory: ./e2e
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -299,16 +337,30 @@ jobs:
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run ci-unit
-        run: mise run ci-unit
+          node-version-file: './e2e/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Run setup typescript-sdk
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./open-api/typescript-sdk
+        if: ${{ !cancelled() }}
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+        if: ${{ !cancelled() }}
+      - name: Run linter
+        run: pnpm lint
+        if: ${{ !cancelled() }}
+      - name: Run formatter
+        run: pnpm format
+        if: ${{ !cancelled() }}
+      - name: Run tsc
+        run: pnpm check
         if: ${{ !cancelled() }}
-
   server-medium-tests:
     name: Medium Tests (Server)
     needs: pre-job
@@ -321,9 +373,9 @@ jobs:
         working-directory: ./server
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -332,16 +384,19 @@ jobs:
           persist-credentials: false
           submodules: 'recursive'
           token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run ci-medium
-        run: mise run ci-medium
+          node-version-file: './server/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Run pnpm install
+        run: SHARP_IGNORE_GLOBAL_LIBVIPS=true pnpm install --frozen-lockfile
+      - name: Run medium tests
+        run: pnpm test:medium
         if: ${{ !cancelled() }}
-
   e2e-tests-server-cli:
     name: End-to-End Tests (Server & CLI)
     needs: pre-job
@@ -357,9 +412,9 @@ jobs:
         runner: [ubuntu-latest, ubuntu-24.04-arm]
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -368,57 +423,52 @@ jobs:
           persist-credentials: false
           submodules: 'recursive'
           token: ${{ steps.token.outputs.token }}
-
       - name: Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-
       - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version-file: '.nvmrc'
+          node-version-file: './e2e/.nvmrc'
           cache: 'pnpm'
           cache-dependency-path: '**/pnpm-lock.yaml'
-
-      - name: Setup packages
-        run: pnpm --filter "@immich/*" install --frozen-lockfile && pnpm --filter "@immich/*" build
-
+      - name: Run setup typescript-sdk
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./open-api/typescript-sdk
+        if: ${{ !cancelled() }}
       - name: Run setup web
         run: pnpm install --frozen-lockfile && pnpm exec svelte-kit sync
         working-directory: ./web
         if: ${{ !cancelled() }}
-
+      - name: Run setup cli
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./cli
+        if: ${{ !cancelled() }}
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
         if: ${{ !cancelled() }}
-
       - name: Start Docker Compose
         run: docker compose up -d --build --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
         if: ${{ !cancelled() }}
-
       - name: Run e2e tests (api & cli)
         env:
           VITEST_DISABLE_DOCKER_SETUP: true
         run: pnpm test
         if: ${{ !cancelled() }}
-
       - name: Run e2e tests (maintenance)
         env:
           VITEST_DISABLE_DOCKER_SETUP: true
         run: pnpm test:maintenance
         if: ${{ !cancelled() }}
-
       - name: Capture Docker logs
         if: always()
         run: docker compose logs --no-color > docker-compose-logs.txt
         working-directory: ./e2e
-
       - name: Archive Docker logs
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: always()
         with:
           name: e2e-server-docker-logs-${{ matrix.runner }}
           path: e2e/docker-compose-logs.txt
-
   e2e-tests-web:
     name: End-to-End Tests (Web)
     needs: pre-job
@@ -434,9 +484,9 @@ jobs:
         runner: [ubuntu-latest, ubuntu-24.04-arm]
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -445,84 +495,70 @@ jobs:
           persist-credentials: false
           submodules: 'recursive'
           token: ${{ steps.token.outputs.token }}
-
       - name: Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-
       - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version-file: '.nvmrc'
+          node-version-file: './e2e/.nvmrc'
           cache: 'pnpm'
           cache-dependency-path: '**/pnpm-lock.yaml'
-
-      - name: Run setup @immich/sdk
-        run: pnpm --filter @immich/sdk install --frozen-lockfile && pnpm --filter @immich/sdk build
-
+      - name: Run setup typescript-sdk
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./open-api/typescript-sdk
         if: ${{ !cancelled() }}
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
         if: ${{ !cancelled() }}
-
       - name: Install Playwright Browsers
         run: pnpm exec playwright install chromium --only-shell
         if: ${{ !cancelled() }}
-
       - name: Docker build
         run: docker compose up -d --build --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
         if: ${{ !cancelled() }}
-
       - name: Run e2e tests (web)
         env:
           PLAYWRIGHT_DISABLE_WEBSERVER: true
         run: pnpm test:web
         if: ${{ !cancelled() }}
-
       - name: Archive e2e test (web) results
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: success() || failure()
         with:
           name: e2e-web-test-results-${{ matrix.runner }}
           path: e2e/playwright-report/
-
       - name: Run ui tests (web)
         env:
           PLAYWRIGHT_DISABLE_WEBSERVER: true
         run: pnpm test:web:ui
         if: ${{ !cancelled() }}
-
       - name: Archive ui test (web) results
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: success() || failure()
         with:
           name: e2e-ui-test-results-${{ matrix.runner }}
           path: e2e/playwright-report/
-
       - name: Run maintenance tests
         env:
           PLAYWRIGHT_DISABLE_WEBSERVER: true
         run: pnpm test:web:maintenance
         if: ${{ !cancelled() }}
-
       - name: Archive maintenance tests (web) results
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: success() || failure()
         with:
           name: e2e-maintenance-isolated-test-results-${{ matrix.runner }}
           path: e2e/playwright-report/
-
       - name: Capture Docker logs
         if: always()
         run: docker compose logs --no-color > docker-compose-logs.txt
         working-directory: ./e2e
-
       - name: Archive Docker logs
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: always()
         with:
           name: e2e-web-docker-logs-${{ matrix.runner }}
           path: e2e/docker-compose-logs.txt
-
   success-check-e2e:
     name: End-to-End Tests Success
     needs: [e2e-tests-server-cli, e2e-tests-web]
@@ -530,7 +566,7 @@ jobs:
     runs-on: ubuntu-latest
     if: always()
     steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
         with:
           needs: ${{ toJSON(needs) }}
   mobile-unit-tests:
@@ -542,31 +578,26 @@ jobs:
       contents: read
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup Flutter SDK
+        uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Install dependencies
-        run: flutter pub get
+          channel: 'stable'
+          flutter-version-file: ./mobile/pubspec.yaml
+      - name: Generate translation file
+        run: dart run easy_localization:generate -S ../i18n && dart run bin/generate_keys.dart
         working-directory: ./mobile
-
-      - name: Generate translation files
-        run: mise //mobile:codegen:translation
-
       - name: Run tests
-        run: mise //mobile:test -j 1
-
+        working-directory: ./mobile
+        run: flutter test -j 1
   ml-unit-tests:
     name: Unit Test ML
     needs: pre-job
@@ -579,24 +610,34 @@ jobs:
         working-directory: ./machine-learning
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Install uv
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run ci-unit
-        run: mise run ci-unit
-
+          python-version: 3.11
+      - name: Install dependencies
+        run: |
+          uv sync --extra cpu
+      - name: Lint with ruff
+        run: |
+          uv run ruff check --output-format=github immich_ml
+      - name: Format with ruff
+        run: |
+          uv run ruff format --check immich_ml
+      - name: Run mypy type checking
+        run: |
+          uv run mypy --strict immich_ml/
+      - name: Run tests and coverage
+        run: |
+          uv run pytest --cov=immich_ml --cov-report term-missing
   github-files-formatting:
     name: .github Files Formatting
     needs: pre-job
@@ -609,9 +650,9 @@ jobs:
         working-directory: ./.github
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -619,19 +660,19 @@ jobs:
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
+          node-version-file: './.github/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
       - name: Run pnpm install
         run: pnpm install --frozen-lockfile
-
       - name: Run formatter
         run: pnpm format
         if: ${{ !cancelled() }}
-
   shellcheck:
     name: ShellCheck
     runs-on: ubuntu-latest
@@ -639,9 +680,9 @@ jobs:
       contents: read
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -660,9 +701,9 @@ jobs:
       contents: read
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -670,28 +711,29 @@ jobs:
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
+          node-version-file: './server/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
       - name: Install server dependencies
         run: SHARP_IGNORE_GLOBAL_LIBVIPS=true pnpm --filter immich install --frozen-lockfile
-
+      - name: Build the app
+        run: pnpm --filter immich build
       - name: Run API generation
-        run: mise //:open-api
+        run: ./bin/generate-open-api.sh
         working-directory: open-api
-
       - name: Find file changes
         uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
         id: verify-changed-files
         with:
           files: |
             mobile/openapi
-            packages/sdk
+            open-api/typescript-sdk
             open-api/immich-openapi-specs.json
-
       - name: Verify files have not changed
         if: steps.verify-changed-files.outputs.files_changed == 'true'
         env:
@@ -700,7 +742,6 @@ jobs:
           echo "ERROR: Generated files not up to date!"
           echo "Changed files: ${CHANGED_FILES}"
           exit 1
-
   sql-schema-up-to-date:
     name: SQL Schema Checks
     runs-on: ubuntu-latest
@@ -722,9 +763,9 @@ jobs:
         working-directory: ./server
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Checkout code
@@ -732,35 +773,31 @@ jobs:
         with:
           persist-credentials: false
           token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          github_token: ${{ steps.token.outputs.token }}
-
+          node-version-file: './server/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
       - name: Install server dependencies
         run: SHARP_IGNORE_GLOBAL_LIBVIPS=true pnpm install --frozen-lockfile
-
       - name: Build the app
         run: pnpm build
-
       - name: Run existing migrations
         run: pnpm migrations:run
-
       - name: Test npm run schema:reset command works
         run: pnpm schema:reset
-
       - name: Generate new migrations
         continue-on-error: true
         run: pnpm migrations:generate src/TestMigration
-
       - name: Find file changes
         uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
         id: verify-changed-files
         with:
           files: |
             server/src
-
       - name: Verify migration files have not changed
         if: steps.verify-changed-files.outputs.files_changed == 'true'
         env:
@@ -770,19 +807,16 @@ jobs:
           echo "Changed files: ${CHANGED_FILES}"
           cat ./src/*-TestMigration.ts
           exit 1
-
       - name: Run SQL generation
-        run: mise //:sql
+        run: pnpm sync:sql
         env:
           DB_URL: postgres://postgres:postgres@localhost:5432/immich
-
       - name: Find file changes
         uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
         id: verify-changed-sql-files
         with:
           files: |
             server/src/queries
-
       - name: Verify SQL files have not changed
         if: steps.verify-changed-sql-files.outputs.files_changed == 'true'
         env:

.github/workflows/weblate-lock.yml

@@ -24,19 +24,19 @@ jobs:
       should_run: ${{ steps.check.outputs.should_run }}
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Check what should run
         id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
         with:
           github-token: ${{ steps.token.outputs.token }}
           filters: |
             i18n:
-              - modified: 'i18n/!(en)**\.json'
+              - modified: 'i18n/!(en|package)**\.json'
           skip-force-logic: 'true'
 
   enforce-lock:
@@ -47,9 +47,9 @@ jobs:
     if: ${{ fromJSON(needs.pre-job.outputs.should_run).i18n == true }}
     steps:
       - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
         with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
           private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
 
       - name: Bot review status
@@ -68,6 +68,6 @@ jobs:
     permissions: {}
     if: always()
     steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
         with:
           needs: ${{ toJSON(needs) }}

.gitignore

@@ -20,7 +20,7 @@ mobile/openapi/doc
 mobile/openapi/.openapi-generator/FILES
 mobile/ios/build
 
-packages/**/build
+open-api/typescript-sdk/build
 mobile/android/fastlane/report.xml
 mobile/ios/fastlane/report.xml
 
@@ -28,5 +28,3 @@ vite.config.js.timestamp-*
 .pnpm-store
 .devcontainer/library
 .devcontainer/.env*
-*.tsbuildinfo
-*.tsbuildInfo

.gitmodules

@@ -1,3 +1,6 @@
+[submodule "mobile/.isar"]
+	path = mobile/.isar
+	url = https://github.com/isar/isar
 [submodule "e2e/test-assets"]
 	path = e2e/test-assets
 	url = https://github.com/immich-app/test-assets

.nvmrc

@@ -1 +0,0 @@
-24.15.0

.vscode/launch.json

@@ -23,17 +23,15 @@
       "type": "node",
       "request": "launch",
       "name": "Immich CLI",
-      "program": "${workspaceFolder}/packages/cli/dist/index.js",
+      "program": "${workspaceFolder}/cli/dist/index.js",
       "args": ["upload", "--help"],
       "runtimeArgs": ["--enable-source-maps"],
       "console": "integratedTerminal",
-      "resolveSourceMapLocations": [
-        "${workspaceFolder}/packages/cli/dist/**/*.js.map"
-      ],
+      "resolveSourceMapLocations": ["${workspaceFolder}/cli/dist/**/*.js.map"],
       "sourceMaps": true,
-      "outFiles": ["${workspaceFolder}/packages/cli/dist/**/*.js"],
+      "outFiles": ["${workspaceFolder}/cli/dist/**/*.js"],
       "skipFiles": ["<node_internals>/**"],
-      "preLaunchTask": "Build @immich/cli"
+      "preLaunchTask": "Build Immich CLI"
     }
   ]
 }

.vscode/settings.json

@@ -13,6 +13,10 @@
     "editor.wordBasedSuggestions": "off"
   },
   "[javascript]": {
+    "editor.codeActionsOnSave": {
+      "source.organizeImports": "explicit",
+      "source.removeUnusedImports": "explicit"
+    },
     "editor.defaultFormatter": "esbenp.prettier-vscode",
     "editor.formatOnSave": true
   },
@@ -25,14 +29,18 @@
     "editor.formatOnSave": true
   },
   "[svelte]": {
+    "editor.codeActionsOnSave": {
+      "source.organizeImports": "explicit",
+      "source.removeUnusedImports": "explicit"
+    },
     "editor.defaultFormatter": "svelte.svelte-vscode",
-    "editor.formatOnSave": true,
-    "tailwindCSS.lint.suggestCanonicalClasses": "ignore"
-  },
-  "svelte.plugin.svelte.compilerWarnings": {
-    "state_referenced_locally": "ignore"
+    "editor.formatOnSave": true
   },
   "[typescript]": {
+    "editor.codeActionsOnSave": {
+      "source.organizeImports": "explicit",
+      "source.removeUnusedImports": "explicit"
+    },
     "editor.defaultFormatter": "esbenp.prettier-vscode",
     "editor.formatOnSave": true
   },

Makefile

@@ -37,24 +37,105 @@ prod-scale:
 
 .PHONY: open-api
 open-api:
-	@printf "This command has been removed. Please use:\n\n    mise open-api          # or mise //:open-api from another directory\n\n"\n\n >&2 && exit 1
+	cd ./open-api && bash ./bin/generate-open-api.sh
+
+open-api-dart:
+	cd ./open-api && bash ./bin/generate-open-api.sh dart
+
+open-api-typescript:
+	cd ./open-api && bash ./bin/generate-open-api.sh typescript
 
 sql:
-	@printf "This command has been removed. Please use:\n\n    mise sql               # or mise //:sql from another directory\n\n"\n\n >&2 && exit 1
+	pnpm --filter immich run sync:sql
 
+attach-server:
+	docker exec -it docker_immich-server_1 sh
 
 renovate:
   LOG_LEVEL=debug pnpm exec renovate --platform=local --repository-cache=reset
 
+# Directories that need to be created for volumes or build output
+VOLUME_DIRS = \
+	./.pnpm-store \
+	./web/.svelte-kit \
+	./web/node_modules \
+	./web/coverage \
+	./e2e/node_modules \
+	./docs/node_modules \
+	./server/node_modules \
+	./open-api/typescript-sdk/node_modules \
+	./.github/node_modules \
+	./node_modules \
+	./cli/node_modules
+
 # Include .env file if it exists
 -include docker/.env
 
 MODULES = e2e server web cli sdk docs .github
 
+# directory to package name mapping function
+#   cli     = @immich/cli
+#   docs    = documentation
+#   e2e     = immich-e2e
+#   open-api/typescript-sdk = @immich/sdk
+#   server  = immich
+#   web     = immich-web
+map-package = $(subst sdk,@immich/sdk,$(subst cli,@immich/cli,$(subst docs,documentation,$(subst e2e,immich-e2e,$(subst server,immich,$(subst web,immich-web,$1))))))
+
+audit-%:
+	pnpm --filter $(call map-package,$*) audit fix
+install-%:
+	pnpm --filter $(call map-package,$*) install $(if $(FROZEN),--frozen-lockfile) $(if $(OFFLINE),--offline)
+build-cli: build-sdk
+build-web: build-sdk
+build-%: install-%
+	pnpm --filter $(call map-package,$*) run build
+format-%:
+	pnpm --filter $(call map-package,$*) run format:fix
+lint-%:
+	pnpm --filter $(call map-package,$*) run lint:fix
+check-%:
+	pnpm --filter $(call map-package,$*) run check
+check-web:
+	pnpm --filter immich-web run check:typescript
+	pnpm --filter immich-web run check:svelte
+test-%:
+	pnpm --filter $(call map-package,$*) run test
 test-e2e:
 	docker compose -f ./e2e/docker-compose.yml build
 	pnpm --filter immich-e2e run test
 	pnpm --filter immich-e2e run test:web
+test-medium:
+	docker run \
+    --rm \
+    -v ./server/src:/usr/src/app/src \
+    -v ./server/test:/usr/src/app/test \
+    -v ./server/vitest.config.medium.mjs:/usr/src/app/vitest.config.medium.mjs \
+    -v ./server/tsconfig.json:/usr/src/app/tsconfig.json \
+    -e NODE_ENV=development \
+    immich-server:latest \
+    -c "pnpm test:medium -- --run"
+test-medium-dev:
+	docker exec -it immich_server /bin/sh -c "pnpm run test:medium"
+
+install-all:
+	pnpm -r --filter '!documentation' install
+
+build-all: $(foreach M,$(filter-out e2e docs .github,$(MODULES)),build-$M) ;
+
+check-all:
+	pnpm -r --filter '!documentation' run "/^(check|check\:svelte|check\:typescript)$/"
+lint-all:
+	pnpm -r --filter '!documentation' run lint:fix
+format-all:
+	pnpm -r --filter '!documentation' run format:fix
+audit-all:
+	pnpm -r --filter '!documentation' audit fix
+hygiene-all: audit-all
+	pnpm -r --filter '!documentation' run "/(format:fix|check|check:svelte|check:typescript|sql)/"
+
+test-all:
+	pnpm -r --filter '!documentation' run "/^test/"
 
 clean:
 	find . -name "node_modules" -type d -prune -exec rm -rf {} +
@@ -65,3 +146,7 @@ clean:
 	find . -name ".pnpm-store" -type d -prune -exec rm -rf '{}' +
 	command -v docker >/dev/null 2>&1 && docker compose -f ./docker/docker-compose.dev.yml down -v --remove-orphans || true
 	command -v docker >/dev/null 2>&1 && docker compose -f ./e2e/docker-compose.yml down -v --remove-orphans || true
+
+
+setup-server-dev: install-server
+setup-web-dev: install-sdk build-sdk install-web

cli/.nvmrc

@@ -0,0 +1 @@
+24.14.1

cli/Dockerfile

@@ -0,0 +1,14 @@
+FROM node:24.1.0-alpine3.20@sha256:8fe019e0d57dbdce5f5c27c0b63d2775cf34b00e3755a7dea969802d7e0c2b25 AS core
+
+WORKDIR /usr/src/app
+COPY package* pnpm* .pnpmfile.cjs ./
+COPY ./cli ./cli/
+COPY ./open-api/typescript-sdk ./open-api/typescript-sdk/
+RUN corepack enable pnpm && \
+  pnpm install --filter @immich/sdk --filter @immich/cli --frozen-lockfile && \
+  pnpm --filter @immich/sdk build && \
+  pnpm --filter @immich/cli build
+
+WORKDIR /import
+
+ENTRYPOINT ["node", "/usr/src/app/cli/dist"]

cli/README.md

@@ -4,9 +4,14 @@ Please see the [Immich CLI documentation](https://docs.immich.app/features/comma
 
 # For developers
 
-Before building the CLI, you must build the immich server and the open-api client. You can use the following command:
+Before building the CLI, you must build the immich server and the open-api client. To build the server run the following in the server folder:
 
-    $ mise //:open-api
+    $ pnpm install
+    $ pnpm run build
+
+Then, to build the open-api client run the following in the open-api folder:
+
+    $ ./bin/generate-open-api.sh
 
 ## Run from build
 

cli/mise.toml

@@ -7,7 +7,7 @@ run = "vite build"
 
 [tasks.test]
 env._.path = "./node_modules/.bin"
-run = "vitest"
+run = "vite"
 
 [tasks.lint]
 env._.path = "./node_modules/.bin"
@@ -27,26 +27,3 @@ run = "prettier --write ."
 [tasks.check]
 env._.path = "./node_modules/.bin"
 run = "tsc --noEmit"
-
-[tasks.ci-publish]
-depends = ["//:sdk:install", "//:sdk:build"]
-run = [
-  { task = ":install" },
-  { task = ":build" },
-  "pnpm publish --provenance --no-git-checks",
-]
-
-[tasks.ci-unit]
-depends = ["//:sdk:install", "//:sdk:build"]
-run = [
-  { task = ":install" },
-  { task = ":format" },
-  { task = ":lint" },
-  { task = ":check" },
-  { task = ":test --run" },
-]
-
-[tasks.checklist]
-run = [
- { task = ":ci-unit" },
-]

cli/package.json

@@ -1,12 +1,7 @@
 {
   "name": "@immich/cli",
-  "version": "2.7.5",
+  "version": "2.6.3",
   "description": "Command Line Interface (CLI) for Immich",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/immich-app/immich.git",
-    "directory": "packages/cli"
-  },
   "type": "module",
   "exports": "./dist/index.js",
   "bin": {
@@ -25,7 +20,7 @@
     "@types/lodash-es": "^4.17.12",
     "@types/micromatch": "^4.0.9",
     "@types/mock-fs": "^4.13.1",
-    "@types/node": "^24.12.2",
+    "@types/node": "^24.12.0",
     "@vitest/coverage-v8": "^4.0.0",
     "byte-size": "^9.0.0",
     "cli-progress": "^3.12.0",
@@ -33,13 +28,13 @@
     "eslint": "^10.0.0",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-prettier": "^5.1.3",
-    "eslint-plugin-unicorn": "^64.0.0",
+    "eslint-plugin-unicorn": "^63.0.0",
     "globals": "^17.0.0",
     "mock-fs": "^5.2.0",
     "prettier": "^3.7.4",
     "prettier-plugin-organize-imports": "^4.0.0",
-    "typescript": "^6.0.0",
-    "typescript-eslint": "^8.58.0",
+    "typescript": "^5.3.3",
+    "typescript-eslint": "^8.28.0",
     "vite": "^8.0.0",
     "vitest": "^4.0.0",
     "vitest-fetch-mock": "^0.4.0",
@@ -57,6 +52,11 @@
     "format:fix": "prettier --cache --write --list-different .",
     "check": "tsc --noEmit"
   },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/immich-app/immich.git",
+    "directory": "cli"
+  },
   "engines": {
     "node": ">=20.0.0"
   },
@@ -66,5 +66,8 @@
     "fastq": "^1.17.1",
     "lodash-es": "^4.17.21",
     "micromatch": "^4.0.8"
+  },
+  "volta": {
+    "node": "24.14.1"
   }
 }

cli/src/commands/asset.spec.ts

@@ -4,7 +4,7 @@ import path from 'node:path';
 import { setTimeout as sleep } from 'node:timers/promises';
 import { describe, expect, it, MockedFunction, vi } from 'vitest';
 
-import { AssetRejectReason, AssetUploadAction, checkBulkUpload, defaults, getSupportedMediaTypes } from '@immich/sdk';
+import { Action, checkBulkUpload, defaults, getSupportedMediaTypes, Reason } from '@immich/sdk';
 import createFetchMock from 'vitest-fetch-mock';
 
 import {
@@ -120,7 +120,7 @@ describe('checkForDuplicates', () => {
     vi.mocked(checkBulkUpload).mockResolvedValue({
       results: [
         {
-          action: AssetUploadAction.Accept,
+          action: Action.Accept,
           id: testFilePath,
         },
       ],
@@ -144,10 +144,10 @@ describe('checkForDuplicates', () => {
     vi.mocked(checkBulkUpload).mockResolvedValue({
       results: [
         {
-          action: AssetUploadAction.Reject,
+          action: Action.Reject,
           id: testFilePath,
           assetId: 'fc5621b1-86f6-44a1-9905-403e607df9f5',
-          reason: AssetRejectReason.Duplicate,
+          reason: Reason.Duplicate,
         },
       ],
     });
@@ -167,7 +167,7 @@ describe('checkForDuplicates', () => {
     vi.mocked(checkBulkUpload).mockResolvedValue({
       results: [
         {
-          action: AssetUploadAction.Accept,
+          action: Action.Accept,
           id: testFilePath,
         },
       ],
@@ -187,7 +187,7 @@ describe('checkForDuplicates', () => {
     mocked.mockResolvedValue({
       results: [
         {
-          action: AssetUploadAction.Accept,
+          action: Action.Accept,
           id: testFilePath,
         },
       ],

cli/src/commands/asset.ts

@@ -1,9 +1,9 @@
 import {
+  Action,
   AssetBulkUploadCheckItem,
   AssetBulkUploadCheckResult,
   AssetMediaResponseDto,
   AssetMediaStatus,
-  AssetUploadAction,
   Permission,
   addAssetsToAlbum,
   checkBulkUpload,
@@ -234,7 +234,7 @@ export const checkForDuplicates = async (files: string[], { concurrency, skipHas
       const results = response.results as AssetBulkUploadCheckResults;
 
       for (const { id: filepath, assetId, action } of results) {
-        if (action === AssetUploadAction.Accept) {
+        if (action === Action.Accept) {
           newFiles.push(filepath);
         } else {
           // rejects are always duplicates
@@ -404,6 +404,8 @@ const uploadFile = async (input: string, stats: Stats): Promise<AssetMediaRespon
   const { baseUrl, headers } = defaults;
 
   const formData = new FormData();
+  formData.append('deviceAssetId', `${basename(input)}-${stats.size}`.replaceAll(/\s+/g, ''));
+  formData.append('deviceId', 'CLI');
   formData.append('fileCreatedAt', stats.mtime.toISOString());
   formData.append('fileModifiedAt', stats.mtime.toISOString());
   formData.append('fileSize', String(stats.size));

cli/tsconfig.json

@@ -15,12 +15,8 @@
     "incremental": true,
     "skipLibCheck": true,
     "esModuleInterop": true,
-    "rootDir": "./src",
-    "paths": {
-      "src/*": ["./src/*"],
-    },
-    "tsBuildInfoFile": "./dist/tsconfig.tsbuildinfo",
+    "baseUrl": "./",
     "types": ["vitest/globals"]
   },
-  "exclude": ["dist", "node_modules", "vite.config.ts"]
+  "exclude": ["dist", "node_modules"]
 }

deployment/mise.toml

@@ -1,6 +1,6 @@
 [tools]
-terragrunt = "1.0.3"
-opentofu = "1.11.6"
+terragrunt = "0.99.4"
+opentofu = "1.11.5"
 
 [tasks."tg:fmt"]
 run = "terragrunt hclfmt"

docker/docker-compose.dev.yml

@@ -20,15 +20,14 @@ services:
       - /tmp
     volumes:
       - ..:/usr/src/app
-      # - ../../ui:/usr/src/ui
       - pnpm_cache:/buildcache/pnpm_cache
       - server_node_modules:/usr/src/app/server/node_modules
       - web_node_modules:/usr/src/app/web/node_modules
       - github_node_modules:/usr/src/app/.github/node_modules
-      - cli_node_modules:/usr/src/app/packages/cli/node_modules
+      - cli_node_modules:/usr/src/app/cli/node_modules
       - docs_node_modules:/usr/src/app/docs/node_modules
       - e2e_node_modules:/usr/src/app/e2e/node_modules
-      - sdk_node_modules:/usr/src/app/packages/sdk/node_modules
+      - sdk_node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
       - app_node_modules:/usr/src/app/node_modules
       - sveltekit:/usr/src/app/web/.svelte-kit
       - coverage:/usr/src/app/web/coverage
@@ -74,7 +73,7 @@ services:
       - ${UPLOAD_LOCATION}/photos:/data
       - /etc/localtime:/etc/localtime:ro
       - pnpm_store_server:/buildcache/pnpm-store
-      - ../packages/plugins:/build/corePlugin
+      - ../plugins:/build/corePlugin
     env_file:
       - .env
     environment:
@@ -157,7 +156,7 @@ services:
 
   redis:
     container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+    image: docker.io/valkey/valkey:9@sha256:3eeb09785cd61ec8e3be35f8804c8892080f3ca21934d628abc24ee4ed1698f6
     healthcheck:
       test: redis-cli ping || exit 1
 

docker/docker-compose.prod.yml

@@ -56,7 +56,7 @@ services:
 
   redis:
     container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+    image: docker.io/valkey/valkey:9@sha256:3eeb09785cd61ec8e3be35f8804c8892080f3ca21934d628abc24ee4ed1698f6
     healthcheck:
       test: redis-cli ping || exit 1
     restart: always
@@ -85,7 +85,7 @@ services:
     container_name: immich_prometheus
     ports:
       - 9090:9090
-    image: prom/prometheus@sha256:e4254400b85610324913f0dc4acf92603d9984e7519414c5a12811aa6146acc3
+    image: prom/prometheus@sha256:4a61322ac1103a0e3aea2a61ef1718422a48fa046441f299d71e660a3bc71ae9
     volumes:
       - ./prometheus.yml:/etc/prometheus/prometheus.yml
       - prometheus-data:/prometheus
@@ -97,7 +97,7 @@ services:
     command: ['./run.sh', '-disable-reporting']
     ports:
       - 3000:3000
-    image: grafana/grafana:12.4.3-ubuntu@sha256:ca3f764fdc48cebdf22dd206f33ecb0795a9a7210eacd1b5c02204aebd78b223
+    image: grafana/grafana:12.4.2-ubuntu@sha256:78839fe49e1425c02416fa8072591533a72bd9598e563b54a07d78f9e27fb5d3
     volumes:
       - grafana-data:/var/lib/grafana
 

docker/docker-compose.rootless.yml

@@ -61,7 +61,7 @@ services:
 
   redis:
     container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+    image: docker.io/valkey/valkey:9@sha256:3eeb09785cd61ec8e3be35f8804c8892080f3ca21934d628abc24ee4ed1698f6
     user: '1000:1000'
     security_opt:
       - no-new-privileges:true
@@ -95,3 +95,6 @@ services:
     restart: always
     healthcheck:
       disable: false
+
+volumes:
+  model-cache:

docker/docker-compose.yml

@@ -49,7 +49,7 @@ services:
 
   redis:
     container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+    image: docker.io/valkey/valkey:9@sha256:3eeb09785cd61ec8e3be35f8804c8892080f3ca21934d628abc24ee4ed1698f6
     healthcheck:
       test: redis-cli ping || exit 1
     restart: always

docs/.nvmrc

@@ -0,0 +1 @@
+24.14.1

docs/docs/administration/backup-and-restore.md

@@ -210,7 +210,7 @@ The provided restore process ensures your database is never in a broken state by
 
 ## Filesystem
 
-Immich does not handle filesystem backups for you. You have to arrange these yourself! Immich stores two types of content in the filesystem: (a) original, unmodified assets (photos and videos), and (b) generated content. We recommend backing up the entire contents of `UPLOAD_LOCATION`, but only the original content is critical, which is stored in the following folders:
+Immich stores two types of content in the filesystem: (a) original, unmodified assets (photos and videos), and (b) generated content. We recommend backing up the entire contents of `UPLOAD_LOCATION`, but only the original content is critical, which is stored in the following folders:
 
 1. `UPLOAD_LOCATION/library`
 2. `UPLOAD_LOCATION/upload`

docs/docs/administration/oauth.md

@@ -50,10 +50,6 @@ Before enabling OAuth in Immich, a new client application needs to be configured
    - `https://immich.example.com/auth/login`
    - `https://immich.example.com/user-settings`
 
-3. Configure Backchannel logout URL
-
-   If the authentication server supports it, the **Backchannel logout URL** can be specified, and it is of the form: `http://DOMAIN:PORT/api/oauth/backchannel-logout`.
-
 ## Enable OAuth
 
 Once you have a new OAuth client application configured, Immich can be configured using the Administration Settings page, available on the web (Administration -> Settings).
@@ -67,8 +63,6 @@ Once you have a new OAuth client application configured, Immich can be configure
 | `scope`                                              | string  | openid email profile | Full list of scopes to send with the request (space delimited)                      |
 | `id_token_signed_response_alg`                       | string  | RS256                | The algorithm used to sign the id token (examples: RS256, HS256)                    |
 | `userinfo_signed_response_alg`                       | string  | none                 | The algorithm used to sign the userinfo response (examples: RS256, HS256)           |
-| `prompt`                                             | string  | (empty)              | Prompt parameter for authorization url (examples: select_account, login, consent)   |
-| `end_session_endpoint`                               | URL     | (empty)              | Http(s) alternative end session endpoint (logout URI)                               |
 | Request timeout                                      | string  | 30,000 (30 seconds)  | Number of milliseconds to wait for http requests to complete before giving up       |
 | Storage Label Claim                                  | string  | preferred_username   | Claim mapping for the user's storage label**¹**                                     |
 | Role Claim                                           | string  | immich_role          | Claim mapping for the user's role. (should return "user" or "admin")**¹**           |
@@ -187,7 +181,6 @@ Configuration of OAuth in Immich System Settings
 | Scope                              | openid email profile immich_scope                                   |
 | ID Token Signed Response Algorithm | RS256                                                               |
 | Userinfo Signed Response Algorithm | RS256                                                               |
-| End Session Endpoint               | https://auth.example.com/logout?rd=https://immich.example.com/      |
 | Storage Label Claim                | uid                                                                 |
 | Storage Quota Claim                | immich_quota                                                        |
 | Default Storage Quota (GiB)        | 0 (empty for unlimited quota)                                       |

docs/docs/administration/postgres-standalone.md

@@ -81,7 +81,7 @@ VectorChord is the successor extension to pgvecto.rs, allowing for higher perfor
 
 ### Migrating from pgvecto.rs
 
-Support for pgvecto.rs has been dropped as of 3.0, hence all users currently using pgvecto.rs should migrate to VectorChord. There are two primary approaches to do so.
+Support for pgvecto.rs will be dropped in a later release, hence we recommend all users currently using pgvecto.rs to migrate to VectorChord at their convenience. There are two primary approaches to do so.
 
 The easiest option is to have both extensions installed during the migration:
 

docs/docs/api.md

@@ -10,4 +10,4 @@ OpenAPI is used to generate the client (Typescript, Dart) SDK. `openapi-generato
 make open-api
 ```
 
-You can find the generated client SDK in the `packages/sdk/client` for Typescript SDK and `mobile/openapi` for Dart SDK.
+You can find the generated client SDK in the `open-api/typescript-sdk/client` for Typescript SDK and `mobile/openapi` for Dart SDK.

docs/docs/developer/devcontainers.md

@@ -205,7 +205,7 @@ When the Dev Container starts, it automatically:
 1. **Runs post-create script** (`container-server-post-create.sh`):
    - Adjusts file permissions for the `node` user
    - Installs dependencies: `pnpm install` in all packages
-   - Builds TypeScript SDK: `pnpm --filter @immich/sdk build`
+   - Builds TypeScript SDK: `pnpm run build` in `open-api/typescript-sdk`
 
 2. **Starts development servers** via VS Code tasks:
    - `Immich API Server (Nest)` - API server with hot-reloading on port 2283
@@ -243,8 +243,8 @@ To connect the mobile app to your Dev Container:
 
 - **Server code** (`/server`): Changes trigger automatic restart
 - **Web code** (`/web`): Changes trigger hot module replacement
-- **Database migrations**: Run `mise //:sql`
-- **API changes**: Regenerate TypeScript SDK with `mise //:open-api`
+- **Database migrations**: Run `pnpm run sync:sql` in the server directory
+- **API changes**: Regenerate TypeScript SDK with `make open-api`
 
 ## Testing
 
@@ -252,11 +252,20 @@ To connect the mobile app to your Dev Container:
 
 The Dev Container supports multiple ways to run tests:
 
-#### Using Mise Commands (Recommended)
+#### Using Make Commands (Recommended)
 
 ```bash
 # Run tests for specific components
-mise run checklist      # in `server/`, `web/`, `packages/cli`
+make test-server        # Server unit tests
+make test-web           # Web unit tests
+make test-e2e           # End-to-end tests
+make test-cli           # CLI tests
+
+# Run all tests
+make test-all           # Runs tests for all components
+
+# Medium tests (integration tests)
+make test-medium-dev    # End-to-end tests
 ```
 
 #### Using PNPM Directly
@@ -280,16 +289,48 @@ pnpm run test           # Run API tests
 pnpm run test:web       # Run web UI tests
 ```
 
+### Code Quality Commands
+
+```bash
+# Linting
+make lint-server        # Lint server code
+make lint-web           # Lint web code
+make lint-all           # Lint all components
+
+# Formatting
+make format-server      # Format server code
+make format-web         # Format web code
+make format-all         # Format all code
+
+# Type checking
+make check-server       # Type check server
+make check-web          # Type check web
+make check-all          # Check all components
+
+# Complete hygiene check
+make hygiene-all        # Run lint, format, check, SQL sync, and audit
+```
+
 ### Additional Make Commands
 
 ```bash
+# Build commands
+make build-server       # Build server
+make build-web          # Build web app
+make build-all          # Build everything
+
 # API generation
 make open-api           # Generate OpenAPI specs
 make open-api-typescript # Generate TypeScript SDK
 make open-api-dart      # Generate Dart SDK
 
 # Database
-mise sql                # Sync database schema
+make sql                # Sync database schema
+
+# Dependencies
+make install-server     # Install server dependencies
+make install-web        # Install web dependencies
+make install-all        # Install all dependencies
 ```
 
 ### Debugging

docs/docs/developer/directories.md

@@ -10,8 +10,7 @@ Our [GitHub Repository](https://github.com/immich-app/immich) is a [monorepo](ht
 | :------------------ | :------------------------------------------------------------------- |
 | `.github/`          | Github templates and action workflows                                |
 | `.vscode/`          | VSCode debug launch profiles                                         |
-| `packages/cli`      | Source code for the CLI                                              |
-| `packages/sdk`      | Source code for the generated OpenAPI SDK                            |
+| `cli/`              | Source code for the work-in-progress CLI rewrite                     |
 | `docker/`           | Docker compose resources for dev, test, production                   |
 | `design/`           | Screenshots and logos for the README                                 |
 | `docs/`             | Source code for the [https://immich.app](https://immich.app) website |

docs/docs/developer/pr-checklist.md

@@ -34,23 +34,21 @@ Run all web checks with `pnpm run check:all`
 Run all server checks with `pnpm run check:all`
 :::
 
-:::tip Auto Fix
+:::info Auto Fix
 You can use `pnpm run __:fix` to potentially correct some issues automatically for `pnpm run format` and `lint`.
 :::
 
-## Mobile Checklist
+## Mobile Checks
 
-- [ ] `mise //mobile:codegen` (auto-generate files using build_runner)
-- [ ] `mise //mobile:lint` (static analysis via Dart Analyzer and DCM)
-- [ ] `mise //mobile:format` (formatting via Dart Formatter)
-- [ ] `mise //mobile:test` (unit tests)
+The following commands must be executed from within the mobile app directory of the codebase.
 
-:::tip
-Run all these commands at once with `mise //mobile:checklist`
-:::
+- [ ] `make build` (auto-generate files using build_runner)
+- [ ] `make analyze` (static analysis via Dart Analyzer and DCM)
+- [ ] `make format` (formatting via Dart Formatter)
+- [ ] `make test` (unit tests)
 
-:::tip Auto Fix
-You can use `mise //mobile:lint-fix` to potentially correct some issues automatically for `mise //mobile:lint`.
+:::info Auto Fix
+You can use `dart fix --apply` and `dcm fix lib` to potentially correct some issues automatically for `make analyze`.
 :::
 
 ## OpenAPI

docs/docs/developer/setup.md

@@ -58,7 +58,7 @@ You can access the web from `http://your-machine-ip:3000` or `http://localhost:3
 
 If you only want to do web development connected to an existing, remote backend, follow these steps:
 
-1. Build the Immich SDK - `pnpm --filter @immich/sdk install && pnpm --filter @immich/sdk build`
+1. Build the Immich SDK - `cd open-api/typescript-sdk && pnpm i && pnpm run build && cd -`
 2. Enter the web directory - `cd web/`
 3. Install web dependencies - `pnpm i`
 4. Start the web development server
@@ -80,9 +80,9 @@ To see local changes to `@immich/ui` in Immich, do the following:
 
 1. Install `@immich/ui` as a sibling to `immich/`, for example `/home/user/immich` and `/home/user/ui`
 2. Build the `@immich/ui` project via `pnpm run build`
-3. Uncomment the corresponding volume in web service of the `docker/docker-compose.dev.yml` file (`../../ui:/usr/src/ui`)
-4. Uncomment the corresponding alias in the `web/vite.config.ts` file (`'@immich/ui': path.resolve(\_\_dirname, '../../ui/packages/ui')`)
-5. Uncomment the import statement in `web/src/app.css` file `@import '../../../ui/packages/ui/dist/theme/default.css';` and comment out `@import '@immich/ui/theme/default.css';`
+3. Uncomment the corresponding volume in web service of the `docker/docker-compose.dev.yaml` file (`../../ui:/usr/ui`)
+4. Uncomment the corresponding alias in the `web/vite.config.js` file (`'@immich/ui': path.resolve(\_\_dirname, '../../ui')`)
+5. Uncomment the import statement in `web/src/app.css` file `@import '/usr/ui/dist/theme/default.css';` and comment out `@import '@immich/ui/theme/default.css';`
 6. Start up the stack via `make dev`
 7. After making changes in `@immich/ui`, rebuild it (`pnpm run build`)
 

docs/docs/developer/testing.md

@@ -17,14 +17,15 @@ make e2e
 
 Before you can run the tests, you need to run the following commands _once_:
 
-- `pnpm install`
-- `pnpm --filter "@immich/*" build`
-- `mise //:open-api`
+- `pnpm install` (in `e2e/`)
+- `pnpm run build` (in `cli/`)
+- `make open-api` (in the project root `/`)
 
 Once the test environment is running, the e2e tests can be run via:
 
 ```bash
-mise //e2e:test
+cd e2e/
+pnpm test
 ```
 
 The tests check various things including:

docs/docs/features/libraries.md

@@ -50,8 +50,6 @@ Some basic examples:
 - `**/Raw/**` will exclude all files in any directory named `Raw`
 - `**/*.{tif,jpg}` will exclude all files with the extension `.tif` or `.jpg`
 
-Note that `*` is a wildcard matching zero or more characters (i.e., withinin a filename or single directory name). `**` matches zero or more subdirectories, recursively. It also includes any/all files within a subdirectory, i.e., when used at the end of a pattern. For example, `**/exclude_me/**` will exclude all files in any directory named `exclude_me`, as well as all files in any subdirectories of `exclude_me`, recursively.
-
 Special characters such as @ should be escaped, for instance:
 
 - `**/\@eaDir/**` will exclude all files in any directory named `@eaDir`

docs/docs/features/ml-hardware-acceleration.md

@@ -47,7 +47,6 @@ You do not need to redo any machine learning jobs after enabling hardware accele
 
 #### ROCm
 
-- On Linux, The [AMDGPU driver module](https://rocm.docs.amd.com/projects/install-on-linux/en/latest/how-to/docker.html) needs to be installed on the server and, if secure boot is used, the signing key of DKMS [needs to be enrolled in UEFI BIOS](https://wiki.debian.org/SecureBoot)
 - The GPU must be supported by ROCm. If it isn't officially supported, you can attempt to use the `HSA_OVERRIDE_GFX_VERSION` environmental variable: `HSA_OVERRIDE_GFX_VERSION=<a supported version, e.g. 10.3.0>`. If this doesn't work, you might need to also set `HSA_USE_SVM=0`.
 - The ROCm image is quite large and requires at least 35GiB of free disk space. However, pulling later updates to the service through Docker will generally only amount to a few hundred megabytes as the rest will be cached.
 - This backend is new and may experience some issues. For example, GPU power consumption can be higher than usual after running inference, even if the machine learning service is idle. In this case, it will only go back to normal after being idle for 5 minutes (configurable with the [MACHINE_LEARNING_MODEL_TTL](/install/environment-variables) setting).

docs/docs/features/searching.md

@@ -18,7 +18,6 @@ You can search the following types of content:
 | People                              | Faces that are recognized in your photos/videos.      |
 | Contextual                          | Content of the photos and videos.                     |
 | File name or extension              | Full or partial file's name, or file's extension      |
-| Full path or folder                 | Full or partial folder names from the original path.  |
 | Description                         | Description added to assets.                          |
 | Optical Character Recognition (OCR) | Text in images                                        |
 | Locations                           | Cities, states, and countries from reverse geocoding. |
@@ -27,16 +26,10 @@ You can search the following types of content:
 | Time frame                          | Start and end date of a specific time bucket          |
 | Media type                          | Image or video or both                                |
 | Display options                     | In Archive, in Favorites or Not in any album          |
-| Star rating                         | User-assigned star rating                             |
+| Start rating                        | User-assigned start rating                            |
 
 <img src={require('./img/advanced-search-filters.webp').default} width="70%" title='Advanced search filters' />
 
-### Full path or folder
-
-Use this mode when you know a folder name or part of the original asset path.
-
-Example: for /John/Projects/3D_Printing/2026-07-01/IMG_0001.jpg, searches like Projects, 3D, Printing, or 2026 match the asset.
-
 ## Configuration
 
 Navigating to `Administration > Settings > Machine Learning Settings > Smart Search` will show the options available.

docs/docs/features/supported-formats.md

@@ -18,7 +18,6 @@ For the full list, refer to the [Immich source code](https://github.com/immich-a
 | `JPEG 2000` | `.jp2`                        | :white_check_mark: |                 |
 | `JPEG`      | `.jpeg` `.jpg` `.jpe` `.insp` | :white_check_mark: |                 |
 | `JPEG XL`   | `.jxl`                        | :white_check_mark: |                 |
-| `MPO`       | `.mpo`                        | :white_check_mark: | Multi-Picture   |
 | `PNG`       | `.png`                        | :white_check_mark: |                 |
 | `PSD`       | `.psd`                        | :white_check_mark: | Adobe Photoshop |
 | `RAW`       | `.raw`                        | :white_check_mark: |                 |

docs/docs/guides/python-file-upload.md

@@ -20,6 +20,8 @@ def upload(file):
     }
 
     data = {
+        'deviceAssetId': f'{file}-{stats.st_mtime}',
+        'deviceId': 'python',
         'fileCreatedAt': datetime.fromtimestamp(stats.st_mtime),
         'fileModifiedAt': datetime.fromtimestamp(stats.st_mtime),
         'isFavorite': 'false',

docs/docs/guides/remote-access.md

@@ -39,7 +39,7 @@ You can learn how to set up Tailscale together with Immich with the [tutorial vi
 ### Cons
 
 - The Tailscale client usually needs to run as root on your devices and it increases the attack surface slightly compared to a minimal Wireguard server. e.g., an [RCE vulnerability](https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp) was discovered in the Windows Tailscale client in November 2022.
-- Tailscale is a paid service. However, there is a generous [free tier](https://tailscale.com/pricing/) suitable for personal use.
+- Tailscale is a paid service. However, there is a generous [free tier](https://tailscale.com/pricing/) that permits up to 3 users and up to 100 devices.
 - Tailscale needs to be installed and running on both server-side and client-side.
 
 ## Option 3: Reverse Proxy

docs/docs/install/config-file.md

@@ -26,7 +26,7 @@ The default configuration looks like this:
   },
   "ffmpeg": {
     "accel": "disabled",
-    "accelDecode": true,
+    "accelDecode": false,
     "acceptedAudioCodecs": ["aac", "mp3", "opus"],
     "acceptedContainers": ["mov", "ogg", "webm"],
     "acceptedVideoCodecs": ["h264"],
@@ -193,7 +193,6 @@ The default configuration looks like this:
     "defaultStorageQuota": null,
     "enabled": false,
     "issuerUrl": "",
-    "endSessionEndpoint": "",
     "mobileOverrideEnabled": false,
     "mobileRedirectUri": "",
     "profileSigningAlgorithm": "none",
@@ -264,4 +263,4 @@ volumes:
   - ./configuration.yml:${IMMICH_CONFIG_FILE}
 ```
 
-:::
+::

docs/docs/install/environment-variables.md

@@ -29,31 +29,29 @@ These environment variables are used by the `docker-compose.yml` file and do **N
 
 ## General
 
-| Variable                            | Description                                                                                                                                                          |           Default            | Containers               | Workers            |
-| :---------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------: | :----------------------- | :----------------- |
-| `TZ`                                | Timezone                                                                                                                                                             |        <sup>\*1</sup>        | server                   | microservices      |
-| `IMMICH_ENV`                        | Environment (production, development)                                                                                                                                |         `production`         | server, machine learning | api, microservices |
-| `IMMICH_LOG_LEVEL`                  | Log level (verbose, debug, log, warn, error)                                                                                                                         |            `log`             | server, machine learning | api, microservices |
-| `IMMICH_LOG_FORMAT`                 | Log output format (`console`, `json`)                                                                                                                                |          `console`           | server                   | api, microservices |
-| `IMMICH_MEDIA_LOCATION`             | Media location inside the container ⚠️**You probably shouldn't set this**<sup>\*2</sup>⚠️                                                                            |           `/data`            | server                   | api, microservices |
-| `IMMICH_CONFIG_FILE`                | Path to config file                                                                                                                                                  |                              | server                   | api, microservices |
-| `IMMICH_HELMET_FILE`                | Path to a json file with [helmet](https://www.npmjs.com/package/helmet) options. Set to `false` to disable. Set to `true` to use `server/helmet.json`<sup>\*3</sup>. |           `false`            | server                   | api                |
-| `NO_COLOR`                          | Set to `true` to disable color-coded log output                                                                                                                      |           `false`            | server, machine learning |                    |
-| `CPU_CORES`                         | Number of cores available to the Immich server                                                                                                                       | auto-detected CPU core count | server                   |                    |
-| `IMMICH_API_METRICS_PORT`           | Port for the OTEL metrics                                                                                                                                            |            `8081`            | server                   | api                |
-| `IMMICH_MICROSERVICES_METRICS_PORT` | Port for the OTEL metrics                                                                                                                                            |            `8082`            | server                   | microservices      |
-| `IMMICH_PROCESS_INVALID_IMAGES`     | When `true`, generate thumbnails for invalid images                                                                                                                  |                              | server                   | microservices      |
-| `IMMICH_TRUSTED_PROXIES`            | List of comma-separated IPs set as trusted proxies                                                                                                                   |                              | server                   | api                |
-| `IMMICH_IGNORE_MOUNT_CHECK_ERRORS`  | See [System Integrity](/administration/system-integrity)                                                                                                             |                              | server                   | api, microservices |
-| `IMMICH_ALLOW_SETUP`                | When `false` disables the `/auth/admin-sign-up` endpoint                                                                                                             |            `true`            | server                   | api                |
+| Variable                            | Description                                                                                                                                            |           Default            | Containers               | Workers            |
+| :---------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------: | :----------------------- | :----------------- |
+| `TZ`                                | Timezone                                                                                                                                               |        <sup>\*1</sup>        | server                   | microservices      |
+| `IMMICH_ENV`                        | Environment (production, development)                                                                                                                  |         `production`         | server, machine learning | api, microservices |
+| `IMMICH_LOG_LEVEL`                  | Log level (verbose, debug, log, warn, error)                                                                                                           |            `log`             | server, machine learning | api, microservices |
+| `IMMICH_LOG_FORMAT`                 | Log output format (`console`, `json`)                                                                                                                  |          `console`           | server                   | api, microservices |
+| `IMMICH_MEDIA_LOCATION`             | Media location inside the container ⚠️**You probably shouldn't set this**<sup>\*2</sup>⚠️                                                              |           `/data`            | server                   | api, microservices |
+| `IMMICH_CONFIG_FILE`                | Path to config file                                                                                                                                    |                              | server                   | api, microservices |
+| `IMMICH_HELMET_FILE`                | Path to a json file with [helmet](https://www.npmjs.com/package/helmet) options. Set to `false` to disable. Set to `true` to use `server/helmet.json`. |           `false`            | server                   | api, microservices |
+| `NO_COLOR`                          | Set to `true` to disable color-coded log output                                                                                                        |           `false`            | server, machine learning |                    |
+| `CPU_CORES`                         | Number of cores available to the Immich server                                                                                                         | auto-detected CPU core count | server                   |                    |
+| `IMMICH_API_METRICS_PORT`           | Port for the OTEL metrics                                                                                                                              |            `8081`            | server                   | api                |
+| `IMMICH_MICROSERVICES_METRICS_PORT` | Port for the OTEL metrics                                                                                                                              |            `8082`            | server                   | microservices      |
+| `IMMICH_PROCESS_INVALID_IMAGES`     | When `true`, generate thumbnails for invalid images                                                                                                    |                              | server                   | microservices      |
+| `IMMICH_TRUSTED_PROXIES`            | List of comma-separated IPs set as trusted proxies                                                                                                     |                              | server                   | api                |
+| `IMMICH_IGNORE_MOUNT_CHECK_ERRORS`  | See [System Integrity](/administration/system-integrity)                                                                                               |                              | server                   | api, microservices |
+| `IMMICH_ALLOW_SETUP`                | When `false` disables the `/auth/admin-sign-up` endpoint                                                                                               |            `true`            | server                   | api                |
 
 \*1: `TZ` should be set to a `TZ identifier` from [this list][tz-list]. For example, `TZ="Etc/UTC"`.
 `TZ` is used by `exiftool` as a fallback in case the timezone cannot be determined from the image metadata. It is also used for logfile timestamps and cron job execution.
 
 \*2: This path is where the Immich code looks for the files, which is internal to the docker container. Setting it to a path on your host will certainly break things, you should use the `UPLOAD_LOCATION` variable instead.
 
-\*3: The [default configuration](https://helmetjs.github.io/#content-security-policy) sets `upgrade-insecure-requests`, which tells the browser to upgrade all requests to HTTPS. This breaks on HTTP-only deployments. If you cannot use HTTPS, you should use a custom helmet config file with `"upgrade-insecure-requests": null`.
-
 ## Workers
 
 | Variable                 | Description                                                                                          | Default | Containers |
@@ -83,7 +81,7 @@ Information on the current workers can be found [here](/administration/jobs-work
 | `DB_PASSWORD`                       | Database password                                                                      | `postgres` | server, database<sup>\*1</sup> |
 | `DB_DATABASE_NAME`                  | Database name                                                                          |  `immich`  | server, database<sup>\*1</sup> |
 | `DB_SSL_MODE`                       | Database SSL mode                                                                      |            | server                         |
-| `DB_VECTOR_EXTENSION`<sup>\*2</sup> | Database vector extension (one of [`vectorchord`, `pgvector`])                         |            | server                         |
+| `DB_VECTOR_EXTENSION`<sup>\*2</sup> | Database vector extension (one of [`vectorchord`, `pgvector`, `pgvecto.rs`])           |            | server                         |
 | `DB_SKIP_MIGRATIONS`                | Whether to skip running migrations on startup (one of [`true`, `false`])               |  `false`   | server                         |
 | `DB_STORAGE_TYPE`                   | Optimize concurrent IO on SSDs or sequential IO on HDDs ([`SSD`, `HDD`])<sup>\*3</sup> |   `SSD`    | database                       |
 

docs/docs/install/requirements.md

@@ -49,7 +49,7 @@ Immich requires [**Docker**](https://docs.docker.com/get-started/get-docker/) wi
 The Compose plugin will be installed by both Docker Engine and Desktop by following the linked installation guides; it can also be [separately installed](https://docs.docker.com/compose/install/).
 
 :::note
-Immich requires the command `docker compose`; the similarly named `docker-compose` is [deprecated](https://docs.docker.com/retired/#docker-compose-v1-replaced-by-compose-v2) and is no longer supported by Immich.
+Immich requires the command `docker compose`; the similarly named `docker-compose` is [deprecated](https://docs.docker.com/compose/migrate/) and is no longer supported by Immich.
 :::
 
 ### Special requirements for Windows users

docs/docs/install/upgrading.md

@@ -130,3 +130,7 @@ These storage mediums have different performance characteristics. As a result, t
 #### Can I use the new database image as a general PostgreSQL image outside of Immich?
 
 It’s a standard PostgreSQL container image that additionally contains the VectorChord, pgvector, and (optionally) pgvecto.rs extensions. If you were using the previous pgvecto.rs image for other purposes, you can similarly do so with this image.
+
+#### If pgvecto.rs and pgvector still work, why should I switch to VectorChord?
+
+VectorChord is faster, more stable, uses less RAM, and (with the settings Immich uses) offers higher-quality results than pgvector and pgvecto.rs. This translates to better search and facial recognition experiences. In addition, pgvecto.rs support will be dropped in the future, so changing it sooner will avoid disruption.

docs/docs/partials/_storage-template.md

@@ -6,8 +6,6 @@ You can read more about the differences between storage template engine on and o
 
 The admin user can set the template by using the template builder in the `Administration -> Settings -> Storage Template`. Immich provides a set of variables that you can use in constructing the template, along with additional custom text. If the template produces [multiple files with the same filename, they won't be overwritten](https://github.com/immich-app/immich/discussions/3324) as a sequence number is appended to the filename.
 
-Date and time variables in storage templates are rendered in the server's local timezone.
-
 ```bash title="Default template"
 Year/Year-Month-Day/Filename.Extension
 ```

docs/package.json

@@ -17,10 +17,10 @@
     "write-heading-ids": "docusaurus write-heading-ids"
   },
   "dependencies": {
-    "@docusaurus/core": "~3.10.0",
-    "@docusaurus/preset-classic": "~3.10.0",
-    "@docusaurus/theme-common": "~3.10.0",
-    "@docusaurus/theme-mermaid": "~3.10.0",
+    "@docusaurus/core": "~3.9.0",
+    "@docusaurus/preset-classic": "~3.9.0",
+    "@docusaurus/theme-common": "~3.9.0",
+    "@docusaurus/theme-mermaid": "~3.9.0",
     "@mdi/js": "^7.3.67",
     "@mdi/react": "^1.6.1",
     "@mdx-js/react": "^3.0.0",
@@ -30,17 +30,17 @@
     "postcss": "^8.4.25",
     "prism-react-renderer": "^2.3.1",
     "raw-loader": "^4.0.2",
-    "react": "^19.0.0",
-    "react-dom": "^19.0.0",
+    "react": "^18.0.0",
+    "react-dom": "^18.0.0",
     "tailwindcss": "^3.2.4",
     "url": "^0.11.0"
   },
   "devDependencies": {
-    "@docusaurus/module-type-aliases": "~3.10.0",
-    "@docusaurus/tsconfig": "^3.10.0",
-    "@docusaurus/types": "^3.10.0",
+    "@docusaurus/module-type-aliases": "~3.9.0",
+    "@docusaurus/tsconfig": "^3.7.0",
+    "@docusaurus/types": "^3.7.0",
     "prettier": "^3.7.4",
-    "typescript": "^6.0.0"
+    "typescript": "^5.1.6"
   },
   "browserslist": {
     "production": [
@@ -56,5 +56,8 @@
   },
   "engines": {
     "node": ">=20"
+  },
+  "volta": {
+    "node": "24.14.1"
   }
 }

docs/static/archived-versions.json

@@ -1,8 +1,4 @@
 [
-  {
-    "label": "v2.7.5",
-    "url": "https://docs.v2.7.5.archive.immich.app"
-  },
   {
     "label": "v2.6.3",
     "url": "https://docs.v2.6.3.archive.immich.app"

docs/tsconfig.json

@@ -1,4 +1,8 @@
 {
   // This file is not used in compilation. It is here just for a nice editor experience.
-  "extends": "@docusaurus/tsconfig"
+  "extends": "@docusaurus/tsconfig",
+
+  "compilerOptions": {
+    "baseUrl": "."
+  }
 }

e2e-auth-server/auth-server.ts

@@ -1,12 +1,5 @@
-import {
-  calculateJwkThumbprint,
-  exportJWK,
-  importPKCS8,
-  importSPKI,
-  SignJWT,
-} from 'jose';
+import { exportJWK, generateKeyPair } from 'jose';
 import Provider from 'oidc-provider';
-import { PRIVATE_KEY_PEM, PUBLIC_KEY_PEM } from './test-keys';
 
 export enum OAuthClient {
   DEFAULT = 'client-default',
@@ -51,29 +44,6 @@ const claims = [
   },
 ];
 
-const privateKey = await importPKCS8(PRIVATE_KEY_PEM, 'RS256', {
-  extractable: true,
-});
-const publicKey = await importSPKI(PUBLIC_KEY_PEM, 'RS256', {
-  extractable: true,
-});
-const kid = await calculateJwkThumbprint(await exportJWK(publicKey));
-
-export async function generateLogoutToken(iss: string, sub: string) {
-  return await new SignJWT({
-    iss: iss,
-    aud: OAuthClient.DEFAULT,
-    iat: Math.floor(Date.now() / 1000),
-    jti: crypto.randomUUID(),
-    sub: sub,
-    events: {
-      'http://schemas.openid.net/event/backchannel-logout': {},
-    },
-  })
-    .setProtectedHeader({ alg: 'RS256', typ: 'logout+jwt', kid: kid })
-    .sign(privateKey);
-}
-
 const withDefaultClaims = (sub: string) => ({
   sub,
   email: `${sub}@immich.app`,
@@ -96,6 +66,8 @@ const getClaims = (sub: string, use?: string) => {
 };
 
 const setup = async () => {
+  const { privateKey, publicKey } = await generateKeyPair('RS256');
+
   const redirectUris = [
     'http://127.0.0.1:2285/auth/login',
     'https://photos.immich.app/oauth/mobile-redirect',

e2e-auth-server/package.json

@@ -1,17 +1,15 @@
 {
   "name": "@immich/e2e-auth-server",
   "version": "0.1.0",
-  "private": true,
   "type": "module",
   "main": "auth-server.ts",
   "scripts": {
     "start": "tsx startup.ts"
   },
   "devDependencies": {
-    "jose": "^6.0.0",
+    "jose": "^5.6.3",
     "@types/oidc-provider": "^9.0.0",
     "oidc-provider": "^9.0.0",
     "tsx": "^4.20.6"
-  },
-  "packageManager": "pnpm@10.33.1"
+  }
 }

e2e/.nvmrc

@@ -0,0 +1 @@
+24.14.1

e2e/docker-compose.yml

@@ -4,7 +4,7 @@ services:
   e2e-auth-server:
     container_name: immich-e2e-auth-server
     build:
-      context: ../packages/e2e-auth-server
+      context: ../e2e-auth-server
     ports:
       - 2286:2286
 
@@ -44,7 +44,7 @@ services:
 
   redis:
     container_name: immich-e2e-redis
-    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+    image: docker.io/valkey/valkey:9@sha256:3eeb09785cd61ec8e3be35f8804c8892080f3ca21934d628abc24ee4ed1698f6
     healthcheck:
       test: redis-cli ping || exit 1
 

e2e/mise.toml

@@ -27,18 +27,3 @@ run = { task = "lint --fix" }
 [tasks.check]
 env._.path = "./node_modules/.bin"
 run = "tsc --noEmit"
-
-
-[tasks.ci-setup]
-depends = ["//:sdk:install", "//:sdk:build", "//cli:install", "//cli:build"]
-run = { task = ":install" }
-
-
-[tasks.ci-unit]
-depends = ["//:sdk:install", "//:sdk:build"]
-run = [
-  { task = ":install" },
-  { task = ":format" },
-  { task = ":lint" },
-  { task = ":check" },
-]

e2e/package.json

@@ -1,6 +1,6 @@
 {
   "name": "immich-e2e",
-  "version": "2.7.5",
+  "version": "2.6.3",
   "description": "",
   "main": "index.js",
   "type": "module",
@@ -32,15 +32,15 @@
     "@playwright/test": "^1.44.1",
     "@socket.io/component-emitter": "^3.1.2",
     "@types/luxon": "^3.4.2",
-    "@types/node": "^24.12.2",
+    "@types/node": "^24.12.0",
     "@types/pg": "^8.15.1",
     "@types/pngjs": "^6.0.4",
-    "@types/supertest": "^7.0.0",
+    "@types/supertest": "^6.0.2",
     "dotenv": "^17.2.3",
     "eslint": "^10.0.0",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-prettier": "^5.1.3",
-    "eslint-plugin-unicorn": "^64.0.0",
+    "eslint-plugin-unicorn": "^63.0.0",
     "exiftool-vendored": "^35.0.0",
     "globals": "^17.0.0",
     "luxon": "^3.4.4",
@@ -51,10 +51,13 @@
     "sharp": "^0.34.5",
     "socket.io-client": "^4.7.4",
     "supertest": "^7.0.0",
-    "typescript": "^6.0.0",
+    "typescript": "^5.3.3",
     "typescript-eslint": "^8.28.0",
     "utimes": "^5.2.1",
     "vite-tsconfig-paths": "^6.1.1",
     "vitest": "^4.0.0"
+  },
+  "volta": {
+    "node": "24.14.1"
   }
 }

e2e/src/responses.ts

@@ -2,44 +2,82 @@ import { expect } from 'vitest';
 
 export const errorDto = {
   unauthorized: {
+    error: 'Unauthorized',
+    statusCode: 401,
     message: 'Authentication required',
+    correlationId: expect.any(String),
   },
   unauthorizedWithMessage: (message: string) => ({
+    error: 'Unauthorized',
+    statusCode: 401,
     message,
+    correlationId: expect.any(String),
   }),
   forbidden: {
+    error: 'Forbidden',
+    statusCode: 403,
     message: expect.any(String),
+    correlationId: expect.any(String),
   },
   missingPermission: (permission: string) => ({
+    error: 'Forbidden',
+    statusCode: 403,
     message: `Missing required permission: ${permission}`,
+    correlationId: expect.any(String),
   }),
   wrongPassword: {
+    error: 'Bad Request',
+    statusCode: 400,
     message: 'Wrong password',
+    correlationId: expect.any(String),
   },
   invalidToken: {
+    error: 'Unauthorized',
+    statusCode: 401,
     message: 'Invalid user token',
+    correlationId: expect.any(String),
   },
   invalidShareKey: {
+    error: 'Unauthorized',
+    statusCode: 401,
     message: 'Invalid share key',
+    correlationId: expect.any(String),
   },
   passwordRequired: {
+    error: 'Unauthorized',
+    statusCode: 401,
     message: 'Password required',
+    correlationId: expect.any(String),
   },
   badRequest: (message: any = null) => ({
+    error: 'Bad Request',
+    statusCode: 400,
     message: message ?? expect.anything(),
-  }),
-  validationError: (errors?: ReadonlyArray<{ path: ReadonlyArray<string | number>; message: string }>) => ({
-    message: 'Validation failed',
-    errors: errors ? expect.arrayContaining(errors.map((e) => expect.objectContaining(e))) : expect.any(Array),
+    correlationId: expect.any(String),
   }),
   noPermission: {
+    error: 'Bad Request',
+    statusCode: 400,
     message: expect.stringContaining('Not found or no'),
+    correlationId: expect.any(String),
   },
   incorrectLogin: {
+    error: 'Unauthorized',
+    statusCode: 401,
     message: 'Incorrect email or password',
+    correlationId: expect.any(String),
   },
   alreadyHasAdmin: {
+    error: 'Bad Request',
+    statusCode: 400,
     message: 'The server already has an admin',
+    correlationId: expect.any(String),
+  },
+  invalidEmail: {
+    error: 'Bad Request',
+    statusCode: 400,
+    message: ['email must be an email'],
+    correlationId: expect.any(String),
   },
 };
 

e2e/src/specs/server/api/album.e2e-spec.ts

@@ -130,11 +130,12 @@ describe('/albums', () => {
   describe('GET /albums', () => {
     it("should not show other users' favorites", async () => {
       const { status, body } = await request(app)
-        .get(`/albums/${user1Albums[0].id}`)
+        .get(`/albums/${user1Albums[0].id}?withoutAssets=false`)
         .set('Authorization', `Bearer ${user2.accessToken}`);
       expect(status).toEqual(200);
       expect(body).toEqual({
         ...user1Albums[0],
+        assets: [expect.objectContaining({ isFavorite: false })],
         contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
         lastModifiedAssetTimestamp: expect.any(String),
         startDate: expect.any(String),
@@ -146,7 +147,7 @@ describe('/albums', () => {
 
     it('should not return shared albums with a deleted owner', async () => {
       const { status, body } = await request(app)
-        .get('/albums?isShared=true')
+        .get('/albums?shared=true')
         .set('Authorization', `Bearer ${user1.accessToken}`);
 
       expect(status).toBe(200);
@@ -154,31 +155,23 @@ describe('/albums', () => {
       expect(body).toEqual(
         expect.arrayContaining([
           expect.objectContaining({
+            ownerId: user1.userId,
             albumName: user1SharedLink,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
             shared: true,
           }),
           expect.objectContaining({
+            ownerId: user1.userId,
             albumName: user1SharedEditorUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
             shared: true,
           }),
           expect.objectContaining({
+            ownerId: user1.userId,
             albumName: user1SharedViewerUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
             shared: true,
           }),
           expect.objectContaining({
+            ownerId: user2.userId,
             albumName: user2SharedUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user2.userId }) },
-            ]),
             shared: true,
           }),
         ]),
@@ -188,164 +181,82 @@ describe('/albums', () => {
     it('should return the album collection including owned and shared', async () => {
       const { status, body } = await request(app).get('/albums').set('Authorization', `Bearer ${user1.accessToken}`);
       expect(status).toBe(200);
-      expect(body).toHaveLength(5);
-      expect(body).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            albumName: user1SharedEditorUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
-            shared: true,
-          }),
-          expect.objectContaining({
-            albumName: user1SharedViewerUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
-            shared: true,
-          }),
-          expect.objectContaining({
-            albumName: user1SharedLink,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
-            shared: true,
-          }),
-          expect.objectContaining({
-            albumName: user1NotShared,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
-            shared: false,
-          }),
-          expect.objectContaining({
-            albumName: user2SharedUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user2.userId }) },
-            ]),
-            shared: true,
-          }),
-        ]),
-      );
-    });
-
-    it('should return the album collection filtered by isShared', async () => {
-      const { status, body } = await request(app)
-        .get('/albums?isShared=true')
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-      expect(status).toBe(200);
       expect(body).toHaveLength(4);
       expect(body).toEqual(
         expect.arrayContaining([
           expect.objectContaining({
+            ownerId: user1.userId,
             albumName: user1SharedEditorUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
             shared: true,
           }),
           expect.objectContaining({
+            ownerId: user1.userId,
             albumName: user1SharedViewerUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
             shared: true,
           }),
           expect.objectContaining({
+            ownerId: user1.userId,
             albumName: user1SharedLink,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
             shared: true,
           }),
           expect.objectContaining({
-            albumName: user2SharedUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user2.userId }) },
-            ]),
-            shared: true,
-          }),
-        ]),
-      );
-    });
-
-    it('should return the album collection filtered by NOT isShared', async () => {
-      const { status, body } = await request(app)
-        .get('/albums?isShared=false')
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-      expect(status).toBe(200);
-      expect(body).toHaveLength(1);
-      expect(body).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
+            ownerId: user1.userId,
             albumName: user1NotShared,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) },
-            ]),
             shared: false,
           }),
         ]),
       );
     });
 
-    it('should return only owned albums when filtered by isOwned=true', async () => {
+    it('should return the album collection filtered by shared', async () => {
       const { status, body } = await request(app)
-        .get('/albums?isOwned=true')
+        .get('/albums?shared=true')
         .set('Authorization', `Bearer ${user1.accessToken}`);
       expect(status).toBe(200);
       expect(body).toHaveLength(4);
       expect(body).toEqual(
         expect.arrayContaining([
-          expect.objectContaining({ albumName: user1SharedEditorUser }),
-          expect.objectContaining({ albumName: user1SharedViewerUser }),
-          expect.objectContaining({ albumName: user1SharedLink }),
-          expect.objectContaining({ albumName: user1NotShared }),
+          expect.objectContaining({
+            ownerId: user1.userId,
+            albumName: user1SharedEditorUser,
+            shared: true,
+          }),
+          expect.objectContaining({
+            ownerId: user1.userId,
+            albumName: user1SharedViewerUser,
+            shared: true,
+          }),
+          expect.objectContaining({
+            ownerId: user1.userId,
+            albumName: user1SharedLink,
+            shared: true,
+          }),
+          expect.objectContaining({
+            ownerId: user2.userId,
+            albumName: user2SharedUser,
+            shared: true,
+          }),
         ]),
       );
     });
 
-    it('should return only shared-with-me albums when filtered by isOwned=false', async () => {
+    it('should return the album collection filtered by NOT shared', async () => {
       const { status, body } = await request(app)
-        .get('/albums?isOwned=false')
+        .get('/albums?shared=false')
         .set('Authorization', `Bearer ${user1.accessToken}`);
       expect(status).toBe(200);
       expect(body).toHaveLength(1);
       expect(body).toEqual(
         expect.arrayContaining([
           expect.objectContaining({
-            albumName: user2SharedUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user2.userId }) },
-            ]),
+            ownerId: user1.userId,
+            albumName: user1NotShared,
+            shared: false,
           }),
         ]),
       );
     });
 
-    it('should return owned shared-out albums when filtered by isOwned=true&ishared=true', async () => {
-      const { status, body } = await request(app)
-        .get('/albums?isOwned=true&isShared=true')
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-      expect(status).toBe(200);
-      expect(body).toHaveLength(3);
-      expect(body).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({ albumName: user1SharedEditorUser }),
-          expect.objectContaining({ albumName: user1SharedViewerUser }),
-          expect.objectContaining({ albumName: user1SharedLink }),
-        ]),
-      );
-    });
-
-    it('should return empty list when filtered by isOwned=false&isShared=false', async () => {
-      const { status, body } = await request(app)
-        .get('/albums?isOwned=false&isShared=false')
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-      expect(status).toBe(200);
-      expect(body).toHaveLength(0);
-    });
-
     it('should return the album collection filtered by assetId', async () => {
       const { status, body } = await request(app)
         .get(`/albums?assetId=${user1Asset2.id}`)
@@ -354,17 +265,17 @@ describe('/albums', () => {
       expect(body).toHaveLength(2);
     });
 
-    it('should return the album collection filtered by assetId and ignores isShared=true', async () => {
+    it('should return the album collection filtered by assetId and ignores shared=true', async () => {
       const { status, body } = await request(app)
-        .get(`/albums?isShared=true&assetId=${user1Asset1.id}`)
+        .get(`/albums?shared=true&assetId=${user1Asset1.id}`)
         .set('Authorization', `Bearer ${user1.accessToken}`);
       expect(status).toBe(200);
       expect(body).toHaveLength(5);
     });
 
-    it('should return the album collection filtered by assetId and ignores isShared=false', async () => {
+    it('should return the album collection filtered by assetId and ignores shared=false', async () => {
       const { status, body } = await request(app)
-        .get(`/albums?isShared=false&assetId=${user1Asset1.id}`)
+        .get(`/albums?shared=false&assetId=${user1Asset1.id}`)
         .set('Authorization', `Bearer ${user1.accessToken}`);
       expect(status).toBe(200);
       expect(body).toHaveLength(5);
@@ -376,17 +287,13 @@ describe('/albums', () => {
       expect(body).toEqual(
         expect.arrayContaining([
           expect.objectContaining({
+            ownerId: user4.userId,
             albumName: user4DeletedAsset,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user4.userId }) },
-            ]),
             shared: false,
           }),
           expect.objectContaining({
+            ownerId: user4.userId,
             albumName: user4Empty,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user4.userId }) },
-            ]),
             shared: false,
           }),
         ]),
@@ -397,12 +304,13 @@ describe('/albums', () => {
   describe('GET /albums/:id', () => {
     it('should return album info for own album', async () => {
       const { status, body } = await request(app)
-        .get(`/albums/${user1Albums[0].id}`)
+        .get(`/albums/${user1Albums[0].id}?withoutAssets=false`)
         .set('Authorization', `Bearer ${user1.accessToken}`);
 
       expect(status).toBe(200);
       expect(body).toEqual({
         ...user1Albums[0],
+        assets: [expect.objectContaining({ id: user1Albums[0].assets[0].id })],
         contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
         lastModifiedAssetTimestamp: expect.any(String),
         startDate: expect.any(String),
@@ -414,7 +322,7 @@ describe('/albums', () => {
 
     it('should return album info for shared album (editor)', async () => {
       const { status, body } = await request(app)
-        .get(`/albums/${user2Albums[0].id}`)
+        .get(`/albums/${user2Albums[0].id}?withoutAssets=false`)
         .set('Authorization', `Bearer ${user1.accessToken}`);
 
       expect(status).toBe(200);
@@ -423,14 +331,14 @@ describe('/albums', () => {
 
     it('should return album info for shared album (viewer)', async () => {
       const { status, body } = await request(app)
-        .get(`/albums/${user1Albums[3].id}`)
+        .get(`/albums/${user1Albums[3].id}?withoutAssets=false`)
         .set('Authorization', `Bearer ${user2.accessToken}`);
 
       expect(status).toBe(200);
       expect(body).toMatchObject({ id: user1Albums[3].id });
     });
 
-    it('should return album info', async () => {
+    it('should return album info with assets when withoutAssets is undefined', async () => {
       const { status, body } = await request(app)
         .get(`/albums/${user1Albums[0].id}`)
         .set('Authorization', `Bearer ${user1.accessToken}`);
@@ -438,6 +346,25 @@ describe('/albums', () => {
       expect(status).toBe(200);
       expect(body).toEqual({
         ...user1Albums[0],
+        assets: [expect.objectContaining({ id: user1Albums[0].assets[0].id })],
+        contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
+        lastModifiedAssetTimestamp: expect.any(String),
+        startDate: expect.any(String),
+        endDate: expect.any(String),
+        albumUsers: expect.any(Array),
+        shared: true,
+      });
+    });
+
+    it('should return album info without assets when withoutAssets is true', async () => {
+      const { status, body } = await request(app)
+        .get(`/albums/${user1Albums[0].id}?withoutAssets=true`)
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+
+      expect(status).toBe(200);
+      expect(body).toEqual({
+        ...user1Albums[0],
+        assets: [],
         contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
         assetCount: 1,
         lastModifiedAssetTimestamp: expect.any(String),
@@ -452,21 +379,21 @@ describe('/albums', () => {
       await utils.deleteAssets(user1.accessToken, [user1Asset2.id]);
 
       const { status, body } = await request(app)
-        .get(`/albums/${user2Albums[0].id}`)
+        .get(`/albums/${user2Albums[0].id}?withoutAssets=true`)
         .set('Authorization', `Bearer ${user1.accessToken}`);
 
       expect(status).toBe(200);
-      expect(body).toEqual(
-        expect.objectContaining({
-          contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
-          assetCount: 1,
-          lastModifiedAssetTimestamp: expect.any(String),
-          endDate: expect.any(String),
-          startDate: expect.any(String),
-          albumUsers: expect.any(Array),
-          shared: true,
-        }),
-      );
+      expect(body).toEqual({
+        ...user2Albums[0],
+        assets: [],
+        contributorCounts: [{ userId: user1.userId, assetCount: 1 }],
+        assetCount: 1,
+        lastModifiedAssetTimestamp: expect.any(String),
+        endDate: expect.any(String),
+        startDate: expect.any(String),
+        albumUsers: expect.any(Array),
+        shared: true,
+      });
     });
   });
 
@@ -492,13 +419,16 @@ describe('/albums', () => {
         id: expect.any(String),
         createdAt: expect.any(String),
         updatedAt: expect.any(String),
+        ownerId: user1.userId,
         albumName: 'New album',
         description: '',
         albumThumbnailAssetId: null,
         shared: false,
-        albumUsers: [{ role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user1.userId }) }],
+        albumUsers: [],
         hasSharedLink: false,
+        assets: [],
         assetCount: 0,
+        owner: expect.objectContaining({ email: user1.userEmail }),
         isActivityEnabled: true,
         order: AssetOrder.Desc,
       });
@@ -714,11 +644,11 @@ describe('/albums', () => {
       expect(status).toBe(200);
       expect(body).toEqual(
         expect.objectContaining({
-          albumUsers: expect.arrayContaining([
+          albumUsers: [
             expect.objectContaining({
               user: expect.objectContaining({ id: user2.userId }),
             }),
-          ]),
+          ],
         }),
       );
     });
@@ -730,7 +660,7 @@ describe('/albums', () => {
         .send({ albumUsers: [{ userId: user1.userId, role: AlbumUserRole.Editor }] });
 
       expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest('User already added'));
+      expect(body).toEqual(errorDto.badRequest('Cannot be shared with owner'));
     });
 
     it('should not be able to add existing user to shared album', async () => {
@@ -756,7 +686,7 @@ describe('/albums', () => {
         albumUsers: [{ userId: user2.userId, role: AlbumUserRole.Viewer }],
       });
 
-      expect(album.albumUsers[1].role).toEqual(AlbumUserRole.Viewer);
+      expect(album.albumUsers[0].role).toEqual(AlbumUserRole.Viewer);
 
       const { status } = await request(app)
         .put(`/albums/${album.id}/user/${user2.userId}`)
@@ -771,10 +701,7 @@ describe('/albums', () => {
         .set('Authorization', `Bearer ${user1.accessToken}`);
       expect(body).toEqual(
         expect.objectContaining({
-          albumUsers: [
-            expect.objectContaining({ role: AlbumUserRole.Owner }),
-            expect.objectContaining({ role: AlbumUserRole.Editor }),
-          ],
+          albumUsers: [expect.objectContaining({ role: AlbumUserRole.Editor })],
         }),
       );
     });
@@ -785,7 +712,7 @@ describe('/albums', () => {
         albumUsers: [{ userId: user2.userId, role: AlbumUserRole.Viewer }],
       });
 
-      expect(album.albumUsers[1].role).toEqual(AlbumUserRole.Viewer);
+      expect(album.albumUsers[0].role).toEqual(AlbumUserRole.Viewer);
 
       const { status, body } = await request(app)
         .put(`/albums/${album.id}/user/${user2.userId}`)

e2e/src/specs/server/api/asset.e2e-spec.ts

@@ -1,12 +1,14 @@
 import {
   AssetMediaResponseDto,
   AssetMediaStatus,
+  AssetResponseDto,
   AssetTypeEnum,
   AssetVisibility,
   getAssetInfo,
   getMyUser,
   LoginResponseDto,
   SharedLinkType,
+  updateConfig,
 } from '@immich/sdk';
 import { exiftool } from 'exiftool-vendored';
 import { DateTime } from 'luxon';
@@ -17,12 +19,13 @@ import { Socket } from 'socket.io-client';
 import { createUserDto, uuidDto } from 'src/fixtures';
 import { makeRandomImage } from 'src/generators';
 import { errorDto } from 'src/responses';
-import { app, asBearerAuth, tempDir, testAssetDir, utils } from 'src/utils';
+import { app, asBearerAuth, tempDir, TEN_TIMES, testAssetDir, utils } from 'src/utils';
 import request from 'supertest';
 import { afterAll, beforeAll, describe, expect, it } from 'vitest';
 
 const locationAssetFilepath = `${testAssetDir}/metadata/gps-position/thompson-springs.jpg`;
 const ratingAssetFilepath = `${testAssetDir}/metadata/rating/mongolels.jpg`;
+const facesAssetDir = `${testAssetDir}/metadata/faces`;
 
 const readTags = async (bytes: Buffer, filename: string) => {
   const filepath = join(tempDir, filename);
@@ -92,8 +95,8 @@ describe('/asset', () => {
       utils.createAsset(user1.accessToken),
       utils.createAsset(user1.accessToken, {
         isFavorite: true,
-        fileCreatedAt: yesterday.toUTC().toISO(),
-        fileModifiedAt: yesterday.toUTC().toISO(),
+        fileCreatedAt: yesterday.toISO(),
+        fileModifiedAt: yesterday.toISO(),
         assetData: { filename: 'example.mp4' },
       }),
       utils.createAsset(user1.accessToken),
@@ -183,6 +186,78 @@ describe('/asset', () => {
       });
     });
 
+    describe('faces', () => {
+      const metadataFaceTests = [
+        {
+          description: 'without orientation',
+          filename: 'portrait.jpg',
+        },
+        {
+          description: 'adjusting face regions to orientation',
+          filename: 'portrait-orientation-6.jpg',
+        },
+      ];
+      // should produce same resulting face region coordinates for any orientation
+      const expectedFaces = [
+        {
+          name: 'Marie Curie',
+          birthDate: null,
+          isHidden: false,
+          faces: [
+            {
+              imageHeight: 700,
+              imageWidth: 840,
+              boundingBoxX1: 261,
+              boundingBoxX2: 356,
+              boundingBoxY1: 146,
+              boundingBoxY2: 284,
+              sourceType: 'exif',
+            },
+          ],
+        },
+        {
+          name: 'Pierre Curie',
+          birthDate: null,
+          isHidden: false,
+          faces: [
+            {
+              imageHeight: 700,
+              imageWidth: 840,
+              boundingBoxX1: 536,
+              boundingBoxX2: 618,
+              boundingBoxY1: 83,
+              boundingBoxY2: 252,
+              sourceType: 'exif',
+            },
+          ],
+        },
+      ];
+
+      it.each(metadataFaceTests)('should get the asset faces from $filename $description', async ({ filename }) => {
+        const config = await utils.getSystemConfig(admin.accessToken);
+        config.metadata.faces.import = true;
+        await updateConfig({ systemConfigDto: config }, { headers: asBearerAuth(admin.accessToken) });
+
+        const facesAsset = await utils.createAsset(admin.accessToken, {
+          assetData: {
+            filename,
+            bytes: await readFile(`${facesAssetDir}/${filename}`),
+          },
+        });
+
+        await utils.waitForWebsocketEvent({ event: 'assetUpload', id: facesAsset.id });
+
+        const { status, body } = await request(app)
+          .get(`/assets/${facesAsset.id}`)
+          .set('Authorization', `Bearer ${admin.accessToken}`);
+
+        expect(status).toBe(200);
+        expect(body.id).toEqual(facesAsset.id);
+        const sortedPeople = body.people.toSorted((a: any, b: any) => a.name.localeCompare(b.name));
+        expect(sortedPeople).toMatchObject(expectedFaces);
+      });
+    });
+
     it('should work with a shared link', async () => {
       const sharedLink = await utils.createSharedLink(user1.accessToken, {
         type: SharedLinkType.Individual,
@@ -305,12 +380,62 @@ describe('/asset', () => {
     });
   });
 
+  describe('GET /assets/random', () => {
+    beforeAll(async () => {
+      await Promise.all([
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+        utils.createAsset(user1.accessToken),
+      ]);
+
+      await utils.waitForQueueFinish(admin.accessToken, 'thumbnailGeneration');
+    });
+
+    it.each(TEN_TIMES)('should return 1 random assets', async () => {
+      const { status, body } = await request(app)
+        .get('/assets/random')
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+
+      expect(status).toBe(200);
+
+      const assets: AssetResponseDto[] = body;
+      expect(assets.length).toBe(1);
+      expect(assets[0].ownerId).toBe(user1.userId);
+    });
+
+    it.each(TEN_TIMES)('should return 2 random assets', async () => {
+      const { status, body } = await request(app)
+        .get('/assets/random?count=2')
+        .set('Authorization', `Bearer ${user1.accessToken}`);
+
+      expect(status).toBe(200);
+
+      const assets: AssetResponseDto[] = body;
+      expect(assets.length).toBe(2);
+
+      for (const asset of assets) {
+        expect(asset.ownerId).toBe(user1.userId);
+      }
+    });
+
+    it.skip('should return 1 asset if there are 10 assets in the database but user 2 only has 1', async () => {
+      const { status, body } = await request(app)
+        .get('/assets/random')
+        .set('Authorization', `Bearer ${user2.accessToken}`);
+
+      expect(status).toBe(200);
+      expect(body).toEqual([expect.objectContaining({ id: user2Assets[0].id })]);
+    });
+  });
+
   describe('PUT /assets/:id', () => {
     it('should require access', async () => {
       const { status, body } = await request(app)
         .put(`/assets/${user2Assets[0].id}`)
-        .set('Authorization', `Bearer ${user1.accessToken}`)
-        .send({});
+        .set('Authorization', `Bearer ${user1.accessToken}`);
       expect(status).toBe(400);
       expect(body).toEqual(errorDto.noPermission);
     });
@@ -1017,6 +1142,8 @@ describe('/asset', () => {
       const { body, status } = await request(app)
         .post('/assets')
         .set('Authorization', `Bearer ${quotaUser.accessToken}`)
+        .field('deviceAssetId', 'example-image')
+        .field('deviceId', 'e2e')
         .field('fileCreatedAt', new Date().toISOString())
         .field('fileModifiedAt', new Date().toISOString())
         .attach('assetData', makeRandomImage(), 'example.jpg');
@@ -1033,6 +1160,8 @@ describe('/asset', () => {
       const { body, status } = await request(app)
         .post('/assets')
         .set('Authorization', `Bearer ${quotaUser.accessToken}`)
+        .field('deviceAssetId', 'example-image')
+        .field('deviceId', 'e2e')
         .field('fileCreatedAt', new Date().toISOString())
         .field('fileModifiedAt', new Date().toISOString())
         .attach('assetData', randomBytes(2014), 'example.jpg');
@@ -1086,4 +1215,29 @@ describe('/asset', () => {
       expect(video.checksum).toStrictEqual(checksum);
     });
   });
+
+  describe('POST /assets/exist', () => {
+    it('ignores invalid deviceAssetIds', async () => {
+      const response = await utils.checkExistingAssets(user1.accessToken, {
+        deviceId: 'test-assets-exist',
+        deviceAssetIds: ['invalid', 'INVALID'],
+      });
+
+      expect(response.existingIds).toHaveLength(0);
+    });
+
+    it('returns the IDs of existing assets', async () => {
+      await utils.createAsset(user1.accessToken, {
+        deviceId: 'test-assets-exist',
+        deviceAssetId: 'test-asset-0',
+      });
+
+      const response = await utils.checkExistingAssets(user1.accessToken, {
+        deviceId: 'test-assets-exist',
+        deviceAssetIds: ['test-asset-0'],
+      });
+
+      expect(response.existingIds).toEqual(['test-asset-0']);
+    });
+  });
 });

e2e/src/specs/server/api/library.e2e-spec.ts

@@ -110,9 +110,7 @@ describe('/libraries', () => {
         });
 
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['importPaths'], message: 'Array must have unique items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(["All importPaths's elements must be unique"]));
     });
 
     it('should not create an external library with duplicate exclusion patterns', async () => {
@@ -127,9 +125,7 @@ describe('/libraries', () => {
         });
 
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['exclusionPatterns'], message: 'Array must have unique items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(["All exclusionPatterns's elements must be unique"]));
     });
   });
 
@@ -161,9 +157,7 @@ describe('/libraries', () => {
         .send({ name: '' });
 
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['name'], message: 'Too small: expected string to have >=1 characters' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['name should not be empty']));
     });
 
     it('should change the import paths', async () => {
@@ -187,9 +181,7 @@ describe('/libraries', () => {
         .send({ importPaths: [''] });
 
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['importPaths'], message: 'Array items must not be empty' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['each value in importPaths should not be empty']));
     });
 
     it('should reject duplicate import paths', async () => {
@@ -199,9 +191,7 @@ describe('/libraries', () => {
         .send({ importPaths: ['/path', '/path'] });
 
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['importPaths'], message: 'Array must have unique items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(["All importPaths's elements must be unique"]));
     });
 
     it('should change the exclusion pattern', async () => {
@@ -225,9 +215,7 @@ describe('/libraries', () => {
         .send({ exclusionPatterns: ['**/*.jpg', '**/*.jpg'] });
 
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['exclusionPatterns'], message: 'Array must have unique items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(["All exclusionPatterns's elements must be unique"]));
     });
 
     it('should reject an empty exclusion pattern', async () => {
@@ -237,9 +225,7 @@ describe('/libraries', () => {
         .send({ exclusionPatterns: [''] });
 
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['exclusionPatterns'], message: 'Array items must not be empty' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['each value in exclusionPatterns should not be empty']));
     });
   });
 

e2e/src/specs/server/api/map.e2e-spec.ts

@@ -109,9 +109,7 @@ describe('/map', () => {
         .get('/map/reverse-geocode?lon=123')
         .set('Authorization', `Bearer ${admin.accessToken}`);
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['lat'], message: 'Invalid input: expected number, received NaN' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['lat must be a number between -90 and 90']));
     });
 
     it('should throw an error if a lat is not a number', async () => {
@@ -119,9 +117,7 @@ describe('/map', () => {
         .get('/map/reverse-geocode?lat=abc&lon=123.456')
         .set('Authorization', `Bearer ${admin.accessToken}`);
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['lat'], message: 'Invalid input: expected number, received NaN' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['lat must be a number between -90 and 90']));
     });
 
     it('should throw an error if a lat is out of range', async () => {
@@ -129,9 +125,7 @@ describe('/map', () => {
         .get('/map/reverse-geocode?lat=91&lon=123.456')
         .set('Authorization', `Bearer ${admin.accessToken}`);
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['lat'], message: 'Too big: expected number to be <=90' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['lat must be a number between -90 and 90']));
     });
 
     it('should throw an error if a lon is not provided', async () => {
@@ -139,9 +133,7 @@ describe('/map', () => {
         .get('/map/reverse-geocode?lat=75')
         .set('Authorization', `Bearer ${admin.accessToken}`);
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['lon'], message: 'Invalid input: expected number, received NaN' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['lon must be a number between -180 and 180']));
     });
 
     const reverseGeocodeTestCases = [

e2e/src/specs/server/api/oauth.e2e-spec.ts

@@ -1,10 +1,9 @@
-import { OAuthClient, OAuthUser, generateLogoutToken } from '@immich/e2e-auth-server';
+import { OAuthClient, OAuthUser } from '@immich/e2e-auth-server';
 import {
   LoginResponseDto,
   SystemConfigOAuthDto,
   getConfigDefaults,
   getMyUser,
-  getSessions,
   startOAuth,
   updateConfig,
 } from '@immich/sdk';
@@ -77,7 +76,6 @@ const setupOAuth = async (token: string, dto: Partial<SystemConfigOAuthDto>) =>
     ...defaults.oauth,
     buttonText: 'Login with Immich',
     issuerUrl: `${authServer.internal}/.well-known/openid-configuration`,
-    allowInsecureRequests: true,
     ...dto,
   };
   await updateConfig({ systemConfigDto: { ...defaults, oauth: merged } }, options);
@@ -89,27 +87,21 @@ describe(`/oauth`, () => {
   beforeAll(async () => {
     await utils.resetDatabase();
     admin = await utils.adminSetup();
+
+    await setupOAuth(admin.accessToken, {
+      enabled: true,
+      clientId: OAuthClient.DEFAULT,
+      clientSecret: OAuthClient.DEFAULT,
+      buttonText: 'Login with Immich',
+      storageLabelClaim: 'immich_username',
+    });
   });
 
   describe('POST /oauth/authorize', () => {
-    beforeAll(async () => {
-      await setupOAuth(admin.accessToken, {
-        enabled: true,
-        clientId: OAuthClient.DEFAULT,
-        clientSecret: OAuthClient.DEFAULT,
-        buttonText: 'Login with Immich',
-        storageLabelClaim: 'immich_username',
-      });
-    });
-
     it(`should throw an error if a redirect uri is not provided`, async () => {
       const { status, body } = await request(app).post('/oauth/authorize').send({});
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([
-          { path: ['redirectUri'], message: 'Invalid input: expected string, received undefined' },
-        ]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['redirectUri must be a string', 'redirectUri should not be empty']));
     });
 
     it('should return a redirect uri', async () => {
@@ -125,60 +117,19 @@ describe(`/oauth`, () => {
       expect(params.get('redirect_uri')).toBe('http://127.0.0.1:2285/auth/login');
       expect(params.get('state')).toBeDefined();
     });
-
-    it('should not include the prompt parameter when not configured', async () => {
-      const { status, body } = await request(app)
-        .post('/oauth/authorize')
-        .send({ redirectUri: 'http://127.0.0.1:2285/auth/login' });
-      expect(status).toBe(201);
-
-      const params = new URL(body.url).searchParams;
-      expect(params.get('prompt')).toBeNull();
-    });
-
-    it('should include the prompt parameter when configured', async () => {
-      await setupOAuth(admin.accessToken, {
-        enabled: true,
-        clientId: OAuthClient.DEFAULT,
-        clientSecret: OAuthClient.DEFAULT,
-        prompt: 'select_account',
-      });
-
-      const { status, body } = await request(app)
-        .post('/oauth/authorize')
-        .send({ redirectUri: 'http://127.0.0.1:2285/auth/login' });
-      expect(status).toBe(201);
-
-      const params = new URL(body.url).searchParams;
-      expect(params.get('prompt')).toBe('select_account');
-    });
   });
 
   describe('POST /oauth/callback', () => {
-    beforeAll(async () => {
-      await setupOAuth(admin.accessToken, {
-        enabled: true,
-        clientId: OAuthClient.DEFAULT,
-        clientSecret: OAuthClient.DEFAULT,
-        buttonText: 'Login with Immich',
-        storageLabelClaim: 'immich_username',
-      });
-    });
-
     it(`should throw an error if a url is not provided`, async () => {
       const { status, body } = await request(app).post('/oauth/callback').send({});
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['url'], message: 'Invalid input: expected string, received undefined' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['url must be a string', 'url should not be empty']));
     });
 
     it(`should throw an error if the url is empty`, async () => {
       const { status, body } = await request(app).post('/oauth/callback').send({ url: '' });
       expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['url'], message: 'Too small: expected string to have >=1 characters' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['url should not be empty']));
     });
 
     it(`should throw an error if the state is not provided`, async () => {
@@ -207,9 +158,10 @@ describe(`/oauth`, () => {
     it(`should throw an error if the codeVerifier doesn't match the challenge`, async () => {
       const callbackParams = await loginWithOAuth('oauth-auto-register');
       const { codeVerifier } = await loginWithOAuth('oauth-auto-register');
-      const { status } = await request(app)
+      const { status, body } = await request(app)
         .post('/oauth/callback')
         .send({ ...callbackParams, codeVerifier });
+      console.log(body);
       expect(status).toBeGreaterThanOrEqual(400);
     });
 
@@ -306,7 +258,7 @@ describe(`/oauth`, () => {
         accessToken: expect.any(String),
         isAdmin: false,
         name: 'OAuth User',
-        userEmail: 'oauth-rs256-token@immich.app',
+        userEmail: 'oauth-RS256-token@immich.app',
         userId: expect.any(String),
       });
     });
@@ -340,7 +292,9 @@ describe(`/oauth`, () => {
       const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
       expect(status).toBe(500);
       expect(body).toMatchObject({
+        error: 'Internal Server Error',
         message: 'Failed to finish oauth',
+        statusCode: 500,
       });
     });
 
@@ -359,7 +313,7 @@ describe(`/oauth`, () => {
         const callbackParams = await loginWithOAuth('oauth-no-auto-register');
         const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
         expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest('OAuth authentication failed'));
+        expect(body).toEqual(errorDto.badRequest('User does not exist and auto registering is disabled.'));
       });
 
       it('should link to an existing user by email', async () => {
@@ -379,54 +333,6 @@ describe(`/oauth`, () => {
     });
   });
 
-  describe(`POST /oauth/backchannel-logout`, () => {
-    it(`should throw an error if the logout_token is not provided`, async () => {
-      const { status, body } = await request(app).post('/oauth/backchannel-logout').send({});
-      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([
-          { path: ['logout_token'], message: 'Invalid input: expected string, received undefined' },
-        ]),
-      );
-    });
-
-    it(`should throw an error if an invalid logout token is provided`, async () => {
-      const { status, body } = await request(app)
-        .post('/oauth/backchannel-logout')
-        .send({ logout_token: 'invalid token' });
-      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.badRequest('Error backchannel logout: token validation failed'));
-    });
-
-    it(`should logout user if a valid logout token is provided`, async () => {
-      await setupOAuth(admin.accessToken, {
-        enabled: true,
-        clientId: OAuthClient.DEFAULT,
-        clientSecret: OAuthClient.DEFAULT,
-        autoRegister: true,
-        signingAlgorithm: 'RS256',
-        buttonText: 'Login with Immich',
-      });
-
-      const callbackParams = await loginWithOAuth('backchannel-logout-user');
-      const { status: callbackStatus, body: callbackBody } = await request(app)
-        .post('/oauth/callback')
-        .send(callbackParams);
-      expect(callbackStatus).toBe(201);
-
-      await expect(getSessions({ headers: asBearerAuth(callbackBody.accessToken) })).resolves.toHaveLength(1);
-
-      const logoutToken = await generateLogoutToken('http://0.0.0.0:2286', 'backchannel-logout-user');
-      const { status, body } = await request(app).post('/oauth/backchannel-logout').send({ logout_token: logoutToken });
-      expect(status).toBe(200);
-      expect(body).toMatchObject({});
-
-      await expect(getSessions({ headers: asBearerAuth(callbackBody.accessToken) })).rejects.toMatchObject({
-        status: 401,
-      });
-    });
-  });
-
   describe('mobile redirect override', () => {
     beforeAll(async () => {
       await setupOAuth(admin.accessToken, {
@@ -493,22 +399,4 @@ describe(`/oauth`, () => {
       });
     });
   });
-
-  describe('allowInsecureRequests: false', () => {
-    beforeAll(async () => {
-      await setupOAuth(admin.accessToken, {
-        enabled: true,
-        clientId: OAuthClient.DEFAULT,
-        clientSecret: OAuthClient.DEFAULT,
-        allowInsecureRequests: false,
-      });
-    });
-
-    it('should reject OAuth discovery over HTTP', async () => {
-      const { status } = await request(app)
-        .post('/oauth/authorize')
-        .send({ redirectUri: 'http://127.0.0.1:2285/auth/login' });
-      expect(status).toBe(500);
-    });
-  });
 });

e2e/src/specs/server/api/search.e2e-spec.ts

@@ -74,6 +74,7 @@ describe('/search', () => {
       const bytes = await readFile(join(testAssetDir, filename));
       assets.push(
         await utils.createAsset(admin.accessToken, {
+          deviceAssetId: `test-${filename}`,
           assetData: { bytes, filename },
           ...dto,
         }),
@@ -441,18 +442,7 @@ describe('/search', () => {
         .get('/search/explore')
         .set('Authorization', `Bearer ${admin.accessToken}`);
       expect(status).toBe(200);
-      expect(Array.isArray(body)).toBe(true);
-      expect(body).toEqual(expect.arrayContaining([{ fieldName: 'exifInfo.city', items: [] }]));
-      expect(body).toEqual(
-        expect.arrayContaining([
-          {
-            fieldName: 'createdAt',
-            items: expect.arrayContaining([
-              expect.objectContaining({ data: expect.objectContaining({ id: assetLast.id }) }),
-            ]),
-          },
-        ]),
-      );
+      expect(body).toEqual([{ fieldName: 'exifInfo.city', items: [] }]);
     });
   });
 
@@ -468,7 +458,7 @@ describe('/search', () => {
       expect(Array.isArray(body)).toBe(true);
       if (Array.isArray(body)) {
         expect(body.length).toBeGreaterThan(10);
-        expect(body[0].name).toEqual(expect.stringContaining(name));
+        expect(body[0].name).toEqual(name);
         expect(body[0].admin2name).toEqual(name);
       }
     });