ci(release): support patch releases from release/* branches

- prepare-release: add `branch` input; validate branch/bump combination; skip Weblate merge, mobile build, and APK asset when not on main; point checkout, release target, and tag at the selected branch; backport the archived-versions.json entry to main via PR. - build-mobile: gate Android release build and iOS TestFlight upload on `environment == production` instead of the branch name, so patch releases still produce production artifacts if ever re-enabled. - docker: build on pushes to release/**; restrict retag-from-main jobs to PRs and main-branch pushes. - docs-build: build on pushes to release/**; include release/** in the pre-job force-branches list.
2026-05-14 03:22:13 -04:00 · 2026-04-24 17:57:29 +01:00
842 changed files with 8046 additions and 41510 deletions
@@ -75,7 +75,7 @@
            {
              "label": "Build Immich CLI",
              "type": "shell",
-              "command": "pnpm --filter @immich/cli build:dev"
+              "command": "pnpm --filter cli build:dev"
            }
          ]
        }
@@ -30,7 +30,9 @@ machine-learning/
 misc/
 mobile/

-packages/sdk/build/
+open-api/typescript-sdk/build/
+!open-api/typescript-sdk/package.json
+!open-api/typescript-sdk/package-lock.json

 server/upload/
 server/src/queries
@@ -24,7 +24,7 @@ mobile/lib/infrastructure/repositories/db.repository.steps.dart linguist-generat
 mobile/test/drift/main/generated/** -diff -merge
 mobile/test/drift/main/generated/** linguist-generated=true

-packages/sdk/fetch-client.ts -diff -merge
-packages/sdk/fetch-client.ts linguist-generated=true
+open-api/typescript-sdk/fetch-client.ts -diff -merge
+open-api/typescript-sdk/fetch-client.ts linguist-generated=true

 *.sh text eol=lf
@@ -1,7 +1,7 @@
 cli:
  - changed-files:
      - any-glob-to-any-file:
-          - packages/cli/src/**
+          - cli/src/**

 documentation:
  - changed-files:
@@ -51,14 +51,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -73,25 +73,24 @@ jobs:
    needs: pre-job
    permissions:
      contents: read
-      pull-requests: write
-    if: ${{ github.actor != 'dependabot[bot]' && fromJSON(needs.pre-job.outputs.should_run).mobile == true }}
+    # Skip when PR from a fork
+    if: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' && fromJSON(needs.pre-job.outputs.should_run).mobile == true }}
    runs-on: mich

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          ref: ${{ inputs.ref }}
+          ref: ${{ inputs.ref || github.sha }}
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

      - name: Create the Keystore
-        if: ${{ !github.event.pull_request.head.repo.fork }}
        env:
          KEY_JKS: ${{ secrets.KEY_JKS }}
        working-directory: ./mobile
@@ -144,44 +143,21 @@ jobs:
          ALIAS: ${{ secrets.ALIAS }}
          ANDROID_KEY_PASSWORD: ${{ secrets.ANDROID_KEY_PASSWORD }}
          ANDROID_STORE_PASSWORD: ${{ secrets.ANDROID_STORE_PASSWORD }}
-          IS_MAIN: ${{ github.ref == 'refs/heads/main' }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
+          IS_RELEASE: ${{ inputs.environment == 'production' || github.ref == 'refs/heads/main' }}
        run: |
-          if [[ $IS_MAIN == 'true' ]]; then
+          if [[ $IS_RELEASE == 'true' ]]; then
            flutter build apk --release
            flutter build apk --release --split-per-abi --target-platform android-arm,android-arm64,android-x64
          else
-            flutter build apk --release
+            flutter build apk --debug --split-per-abi --target-platform android-arm64
          fi

      - name: Publish Android Artifact
-        id: upload-apk
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: release-apk-signed
          path: mobile/build/app/outputs/flutter-apk/*.apk

-      - name: Comment APK download link on PR
-        if: ${{ github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork }}
-        uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
-        env:
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-          APK_URL: ${{ steps.upload-apk.outputs.artifact-url }}
-        with:
-          github-token: ${{ steps.token.outputs.token }}
-          message-id: 'mobile-android-apk'
-          message: |
-            📱 **Android release APK (universal)** — `${{ env.HEAD_SHA }}`
-
-            Download: ${{ env.APK_URL }}
-
-            <details>
-              <summary>QR code</summary>
-              <img src="https://api.qrserver.com/v1/create-qr-code/?size=240x240&data=${{ env.APK_URL }}" alt="QR code" />
-            </details>
-
-            Installs as a separate app (applicationId `app.alextran.immich.pr${{ github.event.pull_request.number }}`), so it coexists with the Play Store version and any other PR builds.
-
      - name: Save Gradle Cache
        id: cache-gradle-save
        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -234,7 +210,7 @@ jobs:
        working-directory: ./mobile

      - name: Setup Ruby
-        uses: ruby/setup-ruby@c4e5b1316158f92e3d49443a9d58b31d25ac0f8f # v1.306.0
+        uses: ruby/setup-ruby@7372622e62b60b3cb750dcd2b9e32c247ffec26a # v1.302.0
        with:
          ruby-version: '3.3'
          bundler-cache: true
@@ -292,20 +268,20 @@ jobs:
          APP_STORE_CONNECT_API_KEY_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ISSUER_ID }}
          ENVIRONMENT: ${{ inputs.environment || 'development' }}
          BUNDLE_ID_SUFFIX: ${{ inputs.environment == 'production' && '' || 'development' }}
-          GITHUB_REF: ${{ github.ref }}
+          IS_RELEASE: ${{ inputs.environment == 'production' || github.ref == 'refs/heads/main' }}
          FASTLANE_XCODEBUILD_SETTINGS_TIMEOUT: 120
          FASTLANE_XCODEBUILD_SETTINGS_RETRIES: 6
        working-directory: ./mobile/ios
        run: |
-          # Only upload to TestFlight on main branch
-          if [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
+          # Upload to TestFlight on main or when explicitly invoked as a production release.
+          if [[ "$IS_RELEASE" == "true" ]]; then
            if [[ "$ENVIRONMENT" == "development" ]]; then
              bundle exec fastlane gha_testflight_dev
            else
              bundle exec fastlane gha_release_prod
            fi
          else
-            # Build only, no TestFlight upload for non-main branches
+            # Build only, no TestFlight upload
            bundle exec fastlane gha_build_only
          fi

@@ -19,9 +19,9 @@ jobs:
      actions: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check out code
@@ -24,7 +24,7 @@ jobs:
          persist-credentials: false

      - name: Check for breaking API changes
-        uses: oasdiff/oasdiff-action/breaking@26ccb332c67a45ca649de9faf60552ef1b8260d9 # v0.0.46
+        uses: oasdiff/oasdiff-action/breaking@f8cb9308b42121e793f835bd14c0b8090420430c # v0.0.39
        with:
          base: https://raw.githubusercontent.com/${{ github.repository }}/main/open-api/immich-openapi-specs.json
          revision: open-api/immich-openapi-specs.json
@@ -3,11 +3,11 @@ on:
  push:
    branches: [main]
    paths:
-      - 'packages/cli/**'
+      - 'cli/**'
      - '.github/workflows/cli.yml'
  pull_request:
    paths:
-      - 'packages/cli/**'
+      - 'cli/**'
      - '.github/workflows/cli.yml'
  release:
    types: [published]
@@ -28,28 +28,38 @@ jobs:
      packages: write
    defaults:
      run:
-        working-directory: ./packages/cli
+        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
-        with:
-          github_token: ${{ steps.token.outputs.token }}
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

-      - name: Publish
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version-file: './cli/.nvmrc'
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+
+      - name: Setup typescript-sdk
+        run: pnpm install && pnpm run build
+        working-directory: ./open-api/typescript-sdk
+
+      - run: pnpm install --frozen-lockfile
+      - run: pnpm build
+      - run: pnpm publish --provenance --no-git-checks
        if: ${{ github.event_name == 'release' }}
-        run: mise run ci-publish

  docker:
    name: Docker
@@ -61,9 +71,9 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
@@ -89,7 +99,7 @@ jobs:
      - name: Get package version
        id: package-version
        run: |
-          version=$(jq -r '.version' packages/cli/package.json)
+          version=$(jq -r '.version' cli/package.json)
          echo "version=$version" >> "$GITHUB_OUTPUT"

      - name: Generate docker image tags
@@ -107,7 +117,7 @@ jobs:
      - name: Build and push image
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
-          file: packages/cli/Dockerfile
+          file: cli/Dockerfile
          platforms: linux/amd64,linux/arm64
          push: ${{ github.event_name == 'release' }}
          cache-from: type=gha
@@ -35,7 +35,7 @@ jobs:
    needs: [get_body, should_run]
    if: ${{ needs.should_run.outputs.should_run == 'true' }}
    container:
-      image: ghcr.io/immich-app/mdq:main@sha256:0a8b8867773a0f8368061f47578603f438349f8f1f28b0e16105f481e5c794e0
+      image: ghcr.io/immich-app/mdq:main@sha256:557cca601891b8b7d78b940071d35aaf7aaeb9b327d19b22cf282118edbc5272
    outputs:
      checked: ${{ steps.get_checkbox.outputs.checked }}
    steps:
@@ -44,9 +44,9 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout repository
@@ -57,7 +57,7 @@ jobs:

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -70,7 +70,7 @@ jobs:
      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
-        uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -83,6 +83,6 @@ jobs:
      #   ./location_of_script_within_repo/buildscript.sh

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
        with:
          category: '/language:${{matrix.language}}'
@@ -3,7 +3,7 @@ name: Docker
 on:
  workflow_dispatch:
  push:
-    branches: [main]
+    branches: [main, 'release/**']
  pull_request:
  release:
    types: [published]
@@ -23,14 +23,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -53,7 +53,8 @@ jobs:
    permissions:
      contents: read
      packages: write
-    if: ${{ fromJSON(needs.pre-job.outputs.should_run).machine-learning == false && !github.event.pull_request.head.repo.fork }}
+    # Retag sources from the :main image, so only retag for PRs and main-branch pushes.
+    if: ${{ fromJSON(needs.pre-job.outputs.should_run).machine-learning == false && !github.event.pull_request.head.repo.fork && (github.event_name == 'pull_request' || github.ref == 'refs/heads/main') }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
@@ -83,7 +84,8 @@ jobs:
    permissions:
      contents: read
      packages: write
-    if: ${{ fromJSON(needs.pre-job.outputs.should_run).server == false && !github.event.pull_request.head.repo.fork }}
+    # Retag sources from the :main image, so only retag for PRs and main-branch pushes.
+    if: ${{ fromJSON(needs.pre-job.outputs.should_run).server == false && !github.event.pull_request.head.repo.fork && (github.event_name == 'pull_request' || github.ref == 'refs/heads/main') }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
@@ -132,7 +134,7 @@ jobs:
            suffixes: '-rocm'
            platforms: linux/amd64
            runner-mapping: '{"linux/amd64": "pokedex-large"}'
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@5813c7c4f7016c748ae7ac5d5f684846649d4d20 # multi-runner-build-workflow-v2.4.0
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@61a0fc2b41524edcc7c9fffb8bb178e6b0ccf21d # multi-runner-build-workflow-v2.3.0
    permissions:
      contents: read
      actions: read
@@ -155,7 +157,7 @@ jobs:
    name: Build and Push Server
    needs: pre-job
    if: ${{ fromJSON(needs.pre-job.outputs.should_run).server == true }}
-    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@5813c7c4f7016c748ae7ac5d5f684846649d4d20 # multi-runner-build-workflow-v2.4.0
+    uses: immich-app/devtools/.github/workflows/multi-runner-build.yml@61a0fc2b41524edcc7c9fffb8bb178e6b0ccf21d # multi-runner-build-workflow-v2.3.0
    permissions:
      contents: read
      actions: read
@@ -178,7 +180,7 @@ jobs:
    runs-on: ubuntu-latest
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
        with:
          needs: ${{ toJSON(needs) }}

@@ -189,6 +191,6 @@ jobs:
    runs-on: ubuntu-latest
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
        with:
          needs: ${{ toJSON(needs) }}
@@ -1,7 +1,7 @@
 name: Docs build
 on:
  push:
-    branches: [main]
+    branches: [main, 'release/**']
  pull_request:
  release:
    types: [published]
@@ -21,14 +21,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -39,7 +39,7 @@ jobs:
          force-filters: |
            - '.github/workflows/docs-build.yml'
          force-events: 'release'
-          force-branches: 'main'
+          force-branches: 'main,release/**'

  build:
    name: Docs Build
@@ -54,9 +54,9 @@ jobs:

    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -64,11 +64,17 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
+          fetch-depth: 0

-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './docs/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'

      - name: Run install
        run: pnpm install
@@ -20,9 +20,9 @@ jobs:
      artifact: ${{ steps.get-artifact.outputs.result }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - if: ${{ github.event.workflow_run.conclusion != 'success' }}
@@ -119,9 +119,9 @@ jobs:
    if: ${{ fromJson(needs.checks.outputs.artifact).found && fromJson(needs.checks.outputs.parameters).shouldDeploy }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -131,9 +131,7 @@ jobs:
          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
-        with:
-          github_token: ${{ steps.token.outputs.token }}
+        uses: immich-app/devtools/actions/use-mise@035e80a7d4355d5f087ffb95db9e4a0944c04e56 # use-mise-action-v1.1.3

      - name: Load parameters
        id: parameters
@@ -17,9 +17,9 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -29,9 +29,7 @@ jobs:
          token: ${{ steps.token.outputs.token }}

      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
-        with:
-          github_token: ${{ steps.token.outputs.token }}
+        uses: immich-app/devtools/actions/use-mise@035e80a7d4355d5f087ffb95db9e4a0944c04e56 # use-mise-action-v1.1.3

      - name: Destroy Docs Subdomain
        env:
@@ -14,23 +14,29 @@ jobs:
      contents: write
      pull-requests: write
    steps:
-      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - name: Checkout code
+      - name: 'Checkout'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
+          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
-          token: ${{ steps.token.outputs.token }}

-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v6.0.0
+
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
+          node-version-file: './server/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'

      - name: Fix formatting
        run: pnpm --recursive install && pnpm run --recursive --if-present --parallel format:fix
@@ -4,7 +4,7 @@ on:
  workflow_dispatch:
  workflow_call:
    secrets:
-      PUSH_O_MATIC_APP_CLIENT_ID:
+      PUSH_O_MATIC_APP_ID:
        required: true
      PUSH_O_MATIC_APP_KEY:
        required: true
@@ -33,7 +33,7 @@ jobs:
        if: ${{ inputs.skip != true }}
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Find translation PR
@@ -14,9 +14,9 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Require PR to have a changelog label
@@ -12,11 +12,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
        with:
          repo-token: ${{ steps.token.outputs.token }}
@@ -3,8 +3,13 @@ name: Prepare new release
 on:
  workflow_dispatch:
    inputs:
+      branch:
+        description: 'Branch to release from (must be main or release/*)'
+        required: true
+        default: 'main'
+        type: string
      serverBump:
-        description: 'Bump server version'
+        description: 'Bump server version (only patch allowed on release/* branches)'
        required: true
        default: 'false'
        type: choice
@@ -29,14 +34,35 @@ concurrency:
 permissions: {}

 jobs:
+  validate_inputs:
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+      - name: Validate branch and bump combination
+        env:
+          BRANCH: ${{ inputs.branch }}
+          SERVER_BUMP: ${{ inputs.serverBump }}
+        run: |
+          set -euo pipefail
+          if [[ "$BRANCH" != "main" && "$BRANCH" != release/* ]]; then
+            echo "::error::branch must be 'main' or start with 'release/' (got '$BRANCH')"
+            exit 1
+          fi
+          if [[ "$BRANCH" != "main" && "$SERVER_BUMP" != "false" && "$SERVER_BUMP" != "patch" ]]; then
+            echo "::error::only 'patch' (or 'false') serverBump is allowed on '$BRANCH'"
+            exit 1
+          fi
+
  merge_translations:
+    needs: [validate_inputs]
    uses: ./.github/workflows/merge-translations.yml
    with:
-      skip: ${{ inputs.skipTranslations }}
+      # Weblate tracks main only, so skip translations when releasing from a release/* branch.
+      skip: ${{ inputs.skipTranslations || inputs.branch != 'main' }}
    permissions:
      pull-requests: write
    secrets:
-      PUSH_O_MATIC_APP_CLIENT_ID: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+      PUSH_O_MATIC_APP_ID: ${{ secrets.PUSH_O_MATIC_APP_ID }}
      PUSH_O_MATIC_APP_KEY: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
      WEBLATE_TOKEN: ${{ secrets.WEBLATE_TOKEN }}

@@ -48,27 +74,32 @@ jobs:
      version: ${{ steps.output.outputs.version }}
    permissions: {} # No job-level permissions are needed because it uses the app-token
    steps:
-      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - name: Checkout code
+      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
-          token: ${{ steps.token.outputs.token }}
+          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: true
-          ref: main
+          ref: ${{ inputs.branch }}

-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
-        with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      # TODO move to mise
      - name: Install uv
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v6.0.0
+
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        with:
+          node-version-file: './server/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'

      - name: Bump version
        env:
@@ -89,6 +120,10 @@ jobs:
          push: true

  build_mobile:
+    # Mobile build numbers are monotonic per store; releasing from a release/* branch
+    # would collide with build numbers already shipped from main. Skip mobile on patch
+    # releases — handle mobile patches on main instead.
+    if: ${{ inputs.branch == 'main' }}
    uses: ./.github/workflows/build-mobile.yml
    needs: bump_version
    permissions:
@@ -113,6 +148,8 @@ jobs:
  prepare_release:
    runs-on: ubuntu-latest
    needs: [build_mobile, bump_version]
+    # Run even when build_mobile is skipped (patch release from release/* branch).
+    if: ${{ always() && needs.bump_version.result == 'success' && (needs.build_mobile.result == 'success' || needs.build_mobile.result == 'skipped') }}
    permissions:
      actions: read # To download the app artifact
      # No content permissions are needed because it uses the app-token
@@ -121,7 +158,7 @@ jobs:
        id: generate-token
        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout
@@ -129,26 +166,83 @@ jobs:
        with:
          token: ${{ steps.generate-token.outputs.token }}
          persist-credentials: false
+          ref: ${{ needs.bump_version.outputs.ref }}

      - name: Download APK
+        if: ${{ needs.build_mobile.result == 'success' }}
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: release-apk-signed
          github-token: ${{ steps.generate-token.outputs.token }}

+      - name: Assemble release assets
+        id: assets
+        env:
+          HAS_APK: ${{ needs.build_mobile.result == 'success' }}
+        run: |
+          {
+            echo 'files<<EOF'
+            echo 'docker/docker-compose.yml'
+            echo 'docker/docker-compose.rootless.yml'
+            echo 'docker/example.env'
+            echo 'docker/hwaccel.ml.yml'
+            echo 'docker/hwaccel.transcoding.yml'
+            echo 'docker/prometheus.yml'
+            if [[ "$HAS_APK" == "true" ]]; then
+              echo '*.apk'
+            fi
+            echo 'EOF'
+          } >> "$GITHUB_OUTPUT"
+
      - name: Create draft release
        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
        with:
          draft: true
          tag_name: ${{ needs.bump_version.outputs.version }}
+          target_commitish: ${{ inputs.branch }}
          token: ${{ steps.generate-token.outputs.token }}
          generate_release_notes: true
          body_path: misc/release/notes.tmpl
-          files: |
-            docker/docker-compose.yml
-            docker/docker-compose.rootless.yml
-            docker/example.env
-            docker/hwaccel.ml.yml
-            docker/hwaccel.transcoding.yml
-            docker/prometheus.yml
-            *.apk
+          files: ${{ steps.assets.outputs.files }}
+
+  backport_archived_versions:
+    # When releasing from a release/* branch, the archived-versions.json update
+    # lives on that branch only. Open a PR to mirror the new entry onto main so
+    # main's docs keep a complete archive list.
+    if: ${{ inputs.branch != 'main' && needs.bump_version.result == 'success' }}
+    runs-on: ubuntu-latest
+    needs: [bump_version, prepare_release]
+    permissions: {} # uses the app token
+    steps:
+      - name: Generate a token
+        id: generate-token
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+        with:
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
+          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}
+
+      - name: Checkout main
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          persist-credentials: false
+          ref: main
+
+      - name: Update archived versions on main
+        env:
+          VERSION: ${{ needs.bump_version.outputs.version }}
+        run: ./misc/release/archive-version.js "${VERSION#v}"
+
+      - name: Open backport PR
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        with:
+          token: ${{ steps.generate-token.outputs.token }}
+          branch: backport/archived-versions-${{ needs.bump_version.outputs.version }}
+          base: main
+          commit-message: 'chore(docs): archive ${{ needs.bump_version.outputs.version }}'
+          title: 'chore(docs): archive ${{ needs.bump_version.outputs.version }}'
+          body: |
+            Backports the `archived-versions.json` entry for ${{ needs.bump_version.outputs.version }},
+            released from `${{ inputs.branch }}`, so main's docs archive list stays complete.
+          add-paths: docs/static/archived-versions.json
+          delete-branch: true
@@ -14,12 +14,12 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
+      - uses: mshick/add-pr-comment@64b8e914979889d746c99dea15a76e77ef64580a # v3.10.0
        with:
          github-token: ${{ steps.token.outputs.token }}
          message-id: 'preview-status'
@@ -32,9 +32,9 @@ jobs:
      pull-requests: write
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
@@ -48,14 +48,14 @@ jobs:
              name: 'preview'
            })

-      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
+      - uses: mshick/add-pr-comment@64b8e914979889d746c99dea15a76e77ef64580a # v3.10.0
        if: ${{ github.event.pull_request.head.repo.fork }}
        with:
          github-token: ${{ steps.token.outputs.token }}
          message-id: 'preview-status'
          message: 'PRs from forks cannot have preview environments.'

-      - uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0
+      - uses: mshick/add-pr-comment@64b8e914979889d746c99dea15a76e77ef64580a # v3.10.0
        if: ${{ !github.event.pull_request.head.repo.fork }}
        with:
          github-token: ${{ steps.token.outputs.token }}
@@ -14,29 +14,34 @@ jobs:
      contents: read
      id-token: write
      packages: write
+    defaults:
+      run:
+        working-directory: ./open-api/typescript-sdk
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+
+      # Setup .npmrc file to publish to npm
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-
+          node-version-file: './open-api/typescript-sdk/.nvmrc'
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Install deps
-        run: pnpm --filter @immich/sdk install --frozen-lockfile
-
+        run: pnpm install --frozen-lockfile
      - name: Build
-        run: pnpm --filter @immich/sdk build
-
+        run: pnpm build
      - name: Publish
-        run: pnpm --filter @immich/sdk publish --provenance --no-git-checks
+        run: pnpm publish --provenance --no-git-checks
@@ -20,14 +20,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -49,9 +49,9 @@ jobs:
        working-directory: ./mobile
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -17,14 +17,14 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
@@ -33,18 +33,14 @@ jobs:
            web:
              - 'web/**'
              - 'i18n/**'
-              - 'packages/sdk/**'
-              - 'pnpm-lock.yaml'
+              - 'open-api/typescript-sdk/**'
            server:
              - 'server/**'
-              - 'pnpm-lock.yaml'
            cli:
-              - 'packages/cli/**'
-              - 'packages/sdk/**'
-              - 'pnpm-lock.yaml'
+              - 'cli/**'
+              - 'open-api/typescript-sdk/**'
            e2e:
              - 'e2e/**'
-              - 'pnpm-lock.yaml'
            mobile:
              - 'mobile/**'
            machine-learning:
@@ -67,9 +63,9 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -78,14 +74,28 @@ jobs:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}

-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run ci-unit
-        run: mise run ci-unit
-
+          node-version-file: './server/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Run package manager install
+        run: pnpm install
+      - name: Run linter
+        run: pnpm lint
+        if: ${{ !cancelled() }}
+      - name: Run formatter
+        run: pnpm format
+        if: ${{ !cancelled() }}
+      - name: Run tsc
+        run: pnpm check
+        if: ${{ !cancelled() }}
+      - name: Run small tests & coverage
+        run: pnpm test
+        if: ${{ !cancelled() }}
  cli-unit-tests:
    name: Unit Test CLI
    needs: pre-job
@@ -95,12 +105,12 @@ jobs:
      contents: read
    defaults:
      run:
-        working-directory: ./packages/cli
+        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -108,15 +118,31 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run ci-unit
-        run: mise run ci-unit
-
+          node-version-file: './cli/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Setup typescript-sdk
+        run: pnpm install && pnpm run build
+        working-directory: ./open-api/typescript-sdk
+      - name: Install deps
+        run: pnpm install
+      - name: Run linter
+        run: pnpm lint
+        if: ${{ !cancelled() }}
+      - name: Run formatter
+        run: pnpm format
+        if: ${{ !cancelled() }}
+      - name: Run tsc
+        run: pnpm check
+        if: ${{ !cancelled() }}
+      - name: Run unit tests & coverage
+        run: pnpm test
+        if: ${{ !cancelled() }}
  cli-unit-tests-win:
    name: Unit Test CLI (Windows)
    needs: pre-job
@@ -126,12 +152,12 @@ jobs:
      contents: read
    defaults:
      run:
-        working-directory: ./packages/cli
+        working-directory: ./cli
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -139,28 +165,26 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run setup @immich/sdk
-        run: mise run //:sdk:install && mise run //:sdk:build
-
-      - name: Run pnpm install
+          node-version-file: './cli/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Setup typescript-sdk
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./open-api/typescript-sdk
+      - name: Install deps
        run: pnpm install --frozen-lockfile
-
      # Skip linter & formatter in Windows test.
-
      - name: Run tsc
        run: pnpm check
        if: ${{ !cancelled() }}
-
      - name: Run unit tests & coverage
        run: pnpm test
        if: ${{ !cancelled() }}
-
  web-lint:
    name: Lint Web
    needs: pre-job
@@ -173,9 +197,9 @@ jobs:
        working-directory: ./web
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -183,22 +207,28 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run setup @immich/sdk
-        run: mise run //:sdk:install && mise run //:sdk:build
-
+          node-version-file: './web/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Run setup typescript-sdk
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./open-api/typescript-sdk
      - name: Run pnpm install
-        run: pnpm install --frozen-lockfile
-
+        run: pnpm rebuild && pnpm install --frozen-lockfile
      - name: Run linter
        run: pnpm lint
        if: ${{ !cancelled() }}
-
+      - name: Run formatter
+        run: pnpm format
+        if: ${{ !cancelled() }}
+      - name: Run svelte checks
+        run: pnpm check:svelte
+        if: ${{ !cancelled() }}
  web-unit-tests:
    name: Test Web
    needs: pre-job
@@ -211,9 +241,9 @@ jobs:
        working-directory: ./web
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -221,15 +251,25 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run ci-unit
-        run: mise run ci-unit
-
+          node-version-file: './web/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Run setup typescript-sdk
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./open-api/typescript-sdk
+      - name: Run npm install
+        run: pnpm install --frozen-lockfile
+      - name: Run tsc
+        run: pnpm check:typescript
+        if: ${{ !cancelled() }}
+      - name: Run unit tests & coverage
+        run: pnpm test
+        if: ${{ !cancelled() }}
  i18n-tests:
    name: Test i18n
    needs: pre-job
@@ -239,9 +279,9 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -249,25 +289,24 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-
+          node-version-file: './web/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Install dependencies
-        run: pnpm -w install --frozen-lockfile
-
+        run: pnpm --filter=immich-i18n install --frozen-lockfile
      - name: Format
-        run: pnpm format:fix
-
+        run: pnpm --filter=immich-i18n format:fix
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
        with:
          files: |
            i18n/**
-
      - name: Verify files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        env:
@@ -276,7 +315,6 @@ jobs:
          echo "ERROR: i18n files not up to date!"
          echo "Changed files: ${CHANGED_FILES}"
          exit 1
-
  e2e-tests-lint:
    name: End-to-End Lint
    needs: pre-job
@@ -289,9 +327,9 @@ jobs:
        working-directory: ./e2e
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -299,16 +337,30 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run ci-unit
-        run: mise run ci-unit
+          node-version-file: './e2e/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Run setup typescript-sdk
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./open-api/typescript-sdk
+        if: ${{ !cancelled() }}
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+        if: ${{ !cancelled() }}
+      - name: Run linter
+        run: pnpm lint
+        if: ${{ !cancelled() }}
+      - name: Run formatter
+        run: pnpm format
+        if: ${{ !cancelled() }}
+      - name: Run tsc
+        run: pnpm check
        if: ${{ !cancelled() }}
-
  server-medium-tests:
    name: Medium Tests (Server)
    needs: pre-job
@@ -321,9 +373,9 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -332,16 +384,19 @@ jobs:
          persist-credentials: false
          submodules: 'recursive'
          token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run ci-medium
-        run: mise run ci-medium
+          node-version-file: './server/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
+      - name: Run pnpm install
+        run: SHARP_IGNORE_GLOBAL_LIBVIPS=true pnpm install --frozen-lockfile
+      - name: Run medium tests
+        run: pnpm test:medium
        if: ${{ !cancelled() }}
-
  e2e-tests-server-cli:
    name: End-to-End Tests (Server & CLI)
    needs: pre-job
@@ -357,9 +412,9 @@ jobs:
        runner: [ubuntu-latest, ubuntu-24.04-arm]
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -368,57 +423,52 @@ jobs:
          persist-credentials: false
          submodules: 'recursive'
          token: ${{ steps.token.outputs.token }}
-
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version-file: '.nvmrc'
+          node-version-file: './e2e/.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
-
-      - name: Setup packages
-        run: pnpm --filter "@immich/*" install --frozen-lockfile && pnpm --filter "@immich/*" build
-
+      - name: Run setup typescript-sdk
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./open-api/typescript-sdk
+        if: ${{ !cancelled() }}
      - name: Run setup web
        run: pnpm install --frozen-lockfile && pnpm exec svelte-kit sync
        working-directory: ./web
        if: ${{ !cancelled() }}
-
+      - name: Run setup cli
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./cli
+        if: ${{ !cancelled() }}
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
        if: ${{ !cancelled() }}
-
      - name: Start Docker Compose
        run: docker compose up -d --build --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
        if: ${{ !cancelled() }}
-
      - name: Run e2e tests (api & cli)
        env:
          VITEST_DISABLE_DOCKER_SETUP: true
        run: pnpm test
        if: ${{ !cancelled() }}
-
      - name: Run e2e tests (maintenance)
        env:
          VITEST_DISABLE_DOCKER_SETUP: true
        run: pnpm test:maintenance
        if: ${{ !cancelled() }}
-
      - name: Capture Docker logs
        if: always()
        run: docker compose logs --no-color > docker-compose-logs.txt
        working-directory: ./e2e
-
      - name: Archive Docker logs
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: always()
        with:
          name: e2e-server-docker-logs-${{ matrix.runner }}
          path: e2e/docker-compose-logs.txt
-
  e2e-tests-web:
    name: End-to-End Tests (Web)
    needs: pre-job
@@ -434,9 +484,9 @@ jobs:
        runner: [ubuntu-latest, ubuntu-24.04-arm]
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -445,84 +495,70 @@ jobs:
          persist-credentials: false
          submodules: 'recursive'
          token: ${{ steps.token.outputs.token }}
-
      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-
      - name: Setup Node
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          node-version-file: '.nvmrc'
+          node-version-file: './e2e/.nvmrc'
          cache: 'pnpm'
          cache-dependency-path: '**/pnpm-lock.yaml'
-
-      - name: Run setup @immich/sdk
-        run: pnpm --filter @immich/sdk install --frozen-lockfile && pnpm --filter @immich/sdk build
-
+      - name: Run setup typescript-sdk
+        run: pnpm install --frozen-lockfile && pnpm build
+        working-directory: ./open-api/typescript-sdk
        if: ${{ !cancelled() }}
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
        if: ${{ !cancelled() }}
-
      - name: Install Playwright Browsers
        run: pnpm exec playwright install chromium --only-shell
        if: ${{ !cancelled() }}
-
      - name: Docker build
        run: docker compose up -d --build --renew-anon-volumes --force-recreate --remove-orphans --wait --wait-timeout 300
        if: ${{ !cancelled() }}
-
      - name: Run e2e tests (web)
        env:
          PLAYWRIGHT_DISABLE_WEBSERVER: true
        run: pnpm test:web
        if: ${{ !cancelled() }}
-
      - name: Archive e2e test (web) results
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: success() || failure()
        with:
          name: e2e-web-test-results-${{ matrix.runner }}
          path: e2e/playwright-report/
-
      - name: Run ui tests (web)
        env:
          PLAYWRIGHT_DISABLE_WEBSERVER: true
        run: pnpm test:web:ui
        if: ${{ !cancelled() }}
-
      - name: Archive ui test (web) results
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: success() || failure()
        with:
          name: e2e-ui-test-results-${{ matrix.runner }}
          path: e2e/playwright-report/
-
      - name: Run maintenance tests
        env:
          PLAYWRIGHT_DISABLE_WEBSERVER: true
        run: pnpm test:web:maintenance
        if: ${{ !cancelled() }}
-
      - name: Archive maintenance tests (web) results
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: success() || failure()
        with:
          name: e2e-maintenance-isolated-test-results-${{ matrix.runner }}
          path: e2e/playwright-report/
-
      - name: Capture Docker logs
        if: always()
        run: docker compose logs --no-color > docker-compose-logs.txt
        working-directory: ./e2e
-
      - name: Archive Docker logs
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        if: always()
        with:
          name: e2e-web-docker-logs-${{ matrix.runner }}
          path: e2e/docker-compose-logs.txt
-
  success-check-e2e:
    name: End-to-End Tests Success
    needs: [e2e-tests-server-cli, e2e-tests-web]
@@ -530,7 +566,7 @@ jobs:
    runs-on: ubuntu-latest
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
        with:
          needs: ${{ toJSON(needs) }}
  mobile-unit-tests:
@@ -542,9 +578,9 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -574,24 +610,34 @@ jobs:
        working-directory: ./machine-learning
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Install uv
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-
-      - name: Run ci-unit
-        run: mise run ci-unit
-
+          python-version: 3.11
+      - name: Install dependencies
+        run: |
+          uv sync --extra cpu
+      - name: Lint with ruff
+        run: |
+          uv run ruff check --output-format=github immich_ml
+      - name: Format with ruff
+        run: |
+          uv run ruff format --check immich_ml
+      - name: Run mypy type checking
+        run: |
+          uv run mypy --strict immich_ml/
+      - name: Run tests and coverage
+        run: |
+          uv run pytest --cov=immich_ml --cov-report term-missing
  github-files-formatting:
    name: .github Files Formatting
    needs: pre-job
@@ -604,9 +650,9 @@ jobs:
        working-directory: ./.github
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -614,19 +660,19 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-
+          node-version-file: './.github/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Run pnpm install
        run: pnpm install --frozen-lockfile
-
      - name: Run formatter
        run: pnpm format
        if: ${{ !cancelled() }}
-
  shellcheck:
    name: ShellCheck
    runs-on: ubuntu-latest
@@ -634,9 +680,9 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -655,9 +701,9 @@ jobs:
      contents: read
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -665,28 +711,29 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-
+          node-version-file: './server/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Install server dependencies
        run: SHARP_IGNORE_GLOBAL_LIBVIPS=true pnpm --filter immich install --frozen-lockfile
-
+      - name: Build the app
+        run: pnpm --filter immich build
      - name: Run API generation
-        run: mise //:open-api
+        run: ./bin/generate-open-api.sh
        working-directory: open-api
-
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
        with:
          files: |
            mobile/openapi
-            packages/sdk
+            open-api/typescript-sdk
            open-api/immich-openapi-specs.json
-
      - name: Verify files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        env:
@@ -695,7 +742,6 @@ jobs:
          echo "ERROR: Generated files not up to date!"
          echo "Changed files: ${CHANGED_FILES}"
          exit 1
-
  sql-schema-up-to-date:
    name: SQL Schema Checks
    runs-on: ubuntu-latest
@@ -717,9 +763,9 @@ jobs:
        working-directory: ./server
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Checkout code
@@ -727,35 +773,31 @@ jobs:
        with:
          persist-credentials: false
          token: ${{ steps.token.outputs.token }}
-
-      - name: Setup Mise
-        uses: immich-app/devtools/actions/use-mise@cf6e190bacde3d7bda59372a786b36ac7d01536a # use-mise-action-v2.0.1
+      - name: Setup pnpm
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+      - name: Setup Node
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
-          github_token: ${{ steps.token.outputs.token }}
-
+          node-version-file: './server/.nvmrc'
+          cache: 'pnpm'
+          cache-dependency-path: '**/pnpm-lock.yaml'
      - name: Install server dependencies
        run: SHARP_IGNORE_GLOBAL_LIBVIPS=true pnpm install --frozen-lockfile
-
      - name: Build the app
        run: pnpm build
-
      - name: Run existing migrations
        run: pnpm migrations:run
-
      - name: Test npm run schema:reset command works
        run: pnpm schema:reset
-
      - name: Generate new migrations
        continue-on-error: true
        run: pnpm migrations:generate src/TestMigration
-
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-files
        with:
          files: |
            server/src
-
      - name: Verify migration files have not changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        env:
@@ -765,19 +807,16 @@ jobs:
          echo "Changed files: ${CHANGED_FILES}"
          cat ./src/*-TestMigration.ts
          exit 1
-
      - name: Run SQL generation
-        run: mise //:sql
+        run: pnpm sync:sql
        env:
          DB_URL: postgres://postgres:postgres@localhost:5432/immich
-
      - name: Find file changes
        uses: tj-actions/verify-changed-files@a1c6acee9df209257a246f2cc6ae8cb6581c1edf # v20.0.4
        id: verify-changed-sql-files
        with:
          files: |
            server/src/queries
-
      - name: Verify SQL files have not changed
        if: steps.verify-changed-sql-files.outputs.files_changed == 'true'
        env:
@@ -24,19 +24,19 @@ jobs:
      should_run: ${{ steps.check.outputs.should_run }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Check what should run
        id: check
-        uses: immich-app/devtools/actions/pre-job@91f342bb4477c4bc10c576ae739da875d85aa164 # pre-job-action-v2.0.4
+        uses: immich-app/devtools/actions/pre-job@f50e3b600b6ac1763ddb8f3dfc69093512b967a1 # pre-job-action-v2.0.3
        with:
          github-token: ${{ steps.token.outputs.token }}
          filters: |
            i18n:
-              - modified: 'i18n/!(en)**\.json'
+              - modified: 'i18n/!(en|package)**\.json'
          skip-force-logic: 'true'

  enforce-lock:
@@ -47,9 +47,9 @@ jobs:
    if: ${{ fromJSON(needs.pre-job.outputs.should_run).i18n == true }}
    steps:
      - id: token
-        uses: immich-app/devtools/actions/create-workflow-token@caa599d954228439ea3e8ce1c3328f41ab120ee6 # create-workflow-token-action-v2.0.0
+        uses: immich-app/devtools/actions/create-workflow-token@57ff6ebfd507b045514442683ff06ff1b2f6efbd # create-workflow-token-action-v1.0.2
        with:
-          client-id: ${{ secrets.PUSH_O_MATIC_APP_CLIENT_ID }}
+          app-id: ${{ secrets.PUSH_O_MATIC_APP_ID }}
          private-key: ${{ secrets.PUSH_O_MATIC_APP_KEY }}

      - name: Bot review status
@@ -68,6 +68,6 @@ jobs:
    permissions: {}
    if: always()
    steps:
-      - uses: immich-app/devtools/actions/success-check@81113db03f6d743efee81e0058c0b43f6cd6f36d # success-check-action-v0.0.6
+      - uses: immich-app/devtools/actions/success-check@53bb77345ee9f953f93bd6fd9980f07a2f24965e # success-check-action-v0.0.5
        with:
          needs: ${{ toJSON(needs) }}
@@ -20,7 +20,7 @@ mobile/openapi/doc
 mobile/openapi/.openapi-generator/FILES
 mobile/ios/build

-packages/**/build
+open-api/typescript-sdk/build
 mobile/android/fastlane/report.xml
 mobile/ios/fastlane/report.xml

@@ -23,17 +23,15 @@
      "type": "node",
      "request": "launch",
      "name": "Immich CLI",
-      "program": "${workspaceFolder}/packages/cli/dist/index.js",
+      "program": "${workspaceFolder}/cli/dist/index.js",
      "args": ["upload", "--help"],
      "runtimeArgs": ["--enable-source-maps"],
      "console": "integratedTerminal",
-      "resolveSourceMapLocations": [
-        "${workspaceFolder}/packages/cli/dist/**/*.js.map"
-      ],
+      "resolveSourceMapLocations": ["${workspaceFolder}/cli/dist/**/*.js.map"],
      "sourceMaps": true,
-      "outFiles": ["${workspaceFolder}/packages/cli/dist/**/*.js"],
+      "outFiles": ["${workspaceFolder}/cli/dist/**/*.js"],
      "skipFiles": ["<node_internals>/**"],
-      "preLaunchTask": "Build @immich/cli"
+      "preLaunchTask": "Build Immich CLI"
    }
  ]
 }
@@ -26,11 +26,7 @@
  },
  "[svelte]": {
    "editor.defaultFormatter": "svelte.svelte-vscode",
-    "editor.formatOnSave": true,
-    "tailwindCSS.lint.suggestCanonicalClasses": "ignore"
-  },
-  "svelte.plugin.svelte.compilerWarnings": {
-    "state_referenced_locally": "ignore"
+    "editor.formatOnSave": true
  },
  "[typescript]": {
    "editor.defaultFormatter": "esbenp.prettier-vscode",
@@ -37,24 +37,105 @@ prod-scale:

 .PHONY: open-api
 open-api:
-	@printf "This command has been removed. Please use:\n\n    mise open-api          # or mise //:open-api from another directory\n\n"\n\n >&2 && exit 1
+	cd ./open-api && bash ./bin/generate-open-api.sh
+
+open-api-dart:
+	cd ./open-api && bash ./bin/generate-open-api.sh dart
+
+open-api-typescript:
+	cd ./open-api && bash ./bin/generate-open-api.sh typescript

 sql:
-	@printf "This command has been removed. Please use:\n\n    mise sql               # or mise //:sql from another directory\n\n"\n\n >&2 && exit 1
+	pnpm --filter immich run sync:sql

+attach-server:
+	docker exec -it docker_immich-server_1 sh

 renovate:
  LOG_LEVEL=debug pnpm exec renovate --platform=local --repository-cache=reset

+# Directories that need to be created for volumes or build output
+VOLUME_DIRS = \
+	./.pnpm-store \
+	./web/.svelte-kit \
+	./web/node_modules \
+	./web/coverage \
+	./e2e/node_modules \
+	./docs/node_modules \
+	./server/node_modules \
+	./open-api/typescript-sdk/node_modules \
+	./.github/node_modules \
+	./node_modules \
+	./cli/node_modules
+
 # Include .env file if it exists
 -include docker/.env

 MODULES = e2e server web cli sdk docs .github

+# directory to package name mapping function
+#   cli     = @immich/cli
+#   docs    = documentation
+#   e2e     = immich-e2e
+#   open-api/typescript-sdk = @immich/sdk
+#   server  = immich
+#   web     = immich-web
+map-package = $(subst sdk,@immich/sdk,$(subst cli,@immich/cli,$(subst docs,documentation,$(subst e2e,immich-e2e,$(subst server,immich,$(subst web,immich-web,$1))))))
+
+audit-%:
+	pnpm --filter $(call map-package,$*) audit fix
+install-%:
+	pnpm --filter $(call map-package,$*) install $(if $(FROZEN),--frozen-lockfile) $(if $(OFFLINE),--offline)
+build-cli: build-sdk
+build-web: build-sdk
+build-%: install-%
+	pnpm --filter $(call map-package,$*) run build
+format-%:
+	pnpm --filter $(call map-package,$*) run format:fix
+lint-%:
+	pnpm --filter $(call map-package,$*) run lint:fix
+check-%:
+	pnpm --filter $(call map-package,$*) run check
+check-web:
+	pnpm --filter immich-web run check:typescript
+	pnpm --filter immich-web run check:svelte
+test-%:
+	pnpm --filter $(call map-package,$*) run test
 test-e2e:
 	docker compose -f ./e2e/docker-compose.yml build
 	pnpm --filter immich-e2e run test
 	pnpm --filter immich-e2e run test:web
+test-medium:
+	docker run \
+    --rm \
+    -v ./server/src:/usr/src/app/src \
+    -v ./server/test:/usr/src/app/test \
+    -v ./server/vitest.config.medium.mjs:/usr/src/app/vitest.config.medium.mjs \
+    -v ./server/tsconfig.json:/usr/src/app/tsconfig.json \
+    -e NODE_ENV=development \
+    immich-server:latest \
+    -c "pnpm test:medium -- --run"
+test-medium-dev:
+	docker exec -it immich_server /bin/sh -c "pnpm run test:medium"
+
+install-all:
+	pnpm -r --filter '!documentation' install
+
+build-all: $(foreach M,$(filter-out e2e docs .github,$(MODULES)),build-$M) ;
+
+check-all:
+	pnpm -r --filter '!documentation' run "/^(check|check\:svelte|check\:typescript)$/"
+lint-all:
+	pnpm -r --filter '!documentation' run lint:fix
+format-all:
+	pnpm -r --filter '!documentation' run format:fix
+audit-all:
+	pnpm -r --filter '!documentation' audit fix
+hygiene-all: audit-all
+	pnpm -r --filter '!documentation' run "/(format:fix|check|check:svelte|check:typescript|sql)/"
+
+test-all:
+	pnpm -r --filter '!documentation' run "/^test/"

 clean:
 	find . -name "node_modules" -type d -prune -exec rm -rf {} +
@@ -65,3 +146,7 @@ clean:
 	find . -name ".pnpm-store" -type d -prune -exec rm -rf '{}' +
 	command -v docker >/dev/null 2>&1 && docker compose -f ./docker/docker-compose.dev.yml down -v --remove-orphans || true
 	command -v docker >/dev/null 2>&1 && docker compose -f ./e2e/docker-compose.yml down -v --remove-orphans || true
+
+
+setup-server-dev: install-server
+setup-web-dev: install-sdk build-sdk install-web
@@ -0,0 +1 @@
+24.15.0
@@ -0,0 +1,14 @@
+FROM node:24.1.0-alpine3.20@sha256:8fe019e0d57dbdce5f5c27c0b63d2775cf34b00e3755a7dea969802d7e0c2b25 AS core
+
+WORKDIR /usr/src/app
+COPY package* pnpm* .pnpmfile.cjs ./
+COPY ./cli ./cli/
+COPY ./open-api/typescript-sdk ./open-api/typescript-sdk/
+RUN corepack enable pnpm && \
+  pnpm install --filter @immich/sdk --filter @immich/cli --frozen-lockfile && \
+  pnpm --filter @immich/sdk build && \
+  pnpm --filter @immich/cli build
+
+WORKDIR /import
+
+ENTRYPOINT ["node", "/usr/src/app/cli/dist"]
@@ -4,9 +4,14 @@ Please see the [Immich CLI documentation](https://docs.immich.app/features/comma

 # For developers

-Before building the CLI, you must build the immich server and the open-api client. You can use the following command:
+Before building the CLI, you must build the immich server and the open-api client. To build the server run the following in the server folder:

-    $ mise //:open-api
+    $ pnpm install
+    $ pnpm run build
+
+Then, to build the open-api client run the following in the open-api folder:
+
+    $ ./bin/generate-open-api.sh

 ## Run from build

@@ -7,7 +7,7 @@ run = "vite build"

 [tasks.test]
 env._.path = "./node_modules/.bin"
-run = "vitest"
+run = "vite"

 [tasks.lint]
 env._.path = "./node_modules/.bin"
@@ -27,26 +27,3 @@ run = "prettier --write ."
 [tasks.check]
 env._.path = "./node_modules/.bin"
 run = "tsc --noEmit"
-
-[tasks.ci-publish]
-depends = ["//:sdk:install", "//:sdk:build"]
-run = [
-  { task = ":install" },
-  { task = ":build" },
-  "pnpm publish --provenance --no-git-checks",
-]
-
-[tasks.ci-unit]
-depends = ["//:sdk:install", "//:sdk:build"]
-run = [
-  { task = ":install" },
-  { task = ":format" },
-  { task = ":lint" },
-  { task = ":check" },
-  { task = ":test --run" },
-]
-
-[tasks.checklist]
-run = [
- { task = ":ci-unit" },
-]
@@ -2,11 +2,6 @@
  "name": "@immich/cli",
  "version": "2.7.5",
  "description": "Command Line Interface (CLI) for Immich",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/immich-app/immich.git",
-    "directory": "packages/cli"
-  },
  "type": "module",
  "exports": "./dist/index.js",
  "bin": {
@@ -57,6 +52,11 @@
    "format:fix": "prettier --cache --write --list-different .",
    "check": "tsc --noEmit"
  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/immich-app/immich.git",
+    "directory": "cli"
+  },
  "engines": {
    "node": ">=20.0.0"
  },
@@ -66,5 +66,8 @@
    "fastq": "^1.17.1",
    "lodash-es": "^4.17.21",
    "micromatch": "^4.0.8"
+  },
+  "volta": {
+    "node": "24.15.0"
  }
 }
@@ -1,5 +1,5 @@
 [tools]
-terragrunt = "1.0.3"
+terragrunt = "1.0.1"
 opentofu = "1.11.6"

 [tasks."tg:fmt"]
@@ -25,10 +25,10 @@ services:
      - server_node_modules:/usr/src/app/server/node_modules
      - web_node_modules:/usr/src/app/web/node_modules
      - github_node_modules:/usr/src/app/.github/node_modules
-      - cli_node_modules:/usr/src/app/packages/cli/node_modules
+      - cli_node_modules:/usr/src/app/cli/node_modules
      - docs_node_modules:/usr/src/app/docs/node_modules
      - e2e_node_modules:/usr/src/app/e2e/node_modules
-      - sdk_node_modules:/usr/src/app/packages/sdk/node_modules
+      - sdk_node_modules:/usr/src/app/open-api/typescript-sdk/node_modules
      - app_node_modules:/usr/src/app/node_modules
      - sveltekit:/usr/src/app/web/.svelte-kit
      - coverage:/usr/src/app/web/coverage
@@ -157,7 +157,7 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+    image: docker.io/valkey/valkey:9@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
    healthcheck:
      test: redis-cli ping || exit 1

@@ -56,7 +56,7 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+    image: docker.io/valkey/valkey:9@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always
@@ -85,7 +85,7 @@ services:
    container_name: immich_prometheus
    ports:
      - 9090:9090
-    image: prom/prometheus@sha256:e4254400b85610324913f0dc4acf92603d9984e7519414c5a12811aa6146acc3
+    image: prom/prometheus@sha256:5550dc63da361dc30f6fe02ac0e4dfc736ededfef3c8d12a634db04a67824d78
    volumes:
      - ./prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus-data:/prometheus
@@ -97,7 +97,7 @@ services:
    command: ['./run.sh', '-disable-reporting']
    ports:
      - 3000:3000
-    image: grafana/grafana:12.4.3-ubuntu@sha256:ca3f764fdc48cebdf22dd206f33ecb0795a9a7210eacd1b5c02204aebd78b223
+    image: grafana/grafana:12.4.2-ubuntu@sha256:78839fe49e1425c02416fa8072591533a72bd9598e563b54a07d78f9e27fb5d3
    volumes:
      - grafana-data:/var/lib/grafana

@@ -61,7 +61,7 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+    image: docker.io/valkey/valkey:9@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
    user: '1000:1000'
    security_opt:
      - no-new-privileges:true
@@ -95,3 +95,6 @@ services:
    restart: always
    healthcheck:
      disable: false
+
+volumes:
+  model-cache:
@@ -49,7 +49,7 @@ services:

  redis:
    container_name: immich_redis
-    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+    image: docker.io/valkey/valkey:9@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always
@@ -0,0 +1 @@
+24.15.0
@@ -81,7 +81,7 @@ VectorChord is the successor extension to pgvecto.rs, allowing for higher perfor

 ### Migrating from pgvecto.rs

-Support for pgvecto.rs has been dropped as of 3.0, hence all users currently using pgvecto.rs should migrate to VectorChord. There are two primary approaches to do so.
+Support for pgvecto.rs will be dropped in a later release, hence we recommend all users currently using pgvecto.rs to migrate to VectorChord at their convenience. There are two primary approaches to do so.

 The easiest option is to have both extensions installed during the migration:

@@ -10,4 +10,4 @@ OpenAPI is used to generate the client (Typescript, Dart) SDK. `openapi-generato
 make open-api
 ```

-You can find the generated client SDK in the `packages/sdk/client` for Typescript SDK and `mobile/openapi` for Dart SDK.
+You can find the generated client SDK in the `open-api/typescript-sdk/client` for Typescript SDK and `mobile/openapi` for Dart SDK.
@@ -205,7 +205,7 @@ When the Dev Container starts, it automatically:
 1. **Runs post-create script** (`container-server-post-create.sh`):
   - Adjusts file permissions for the `node` user
   - Installs dependencies: `pnpm install` in all packages
-   - Builds TypeScript SDK: `pnpm --filter @immich/sdk build`
+   - Builds TypeScript SDK: `pnpm run build` in `open-api/typescript-sdk`

 2. **Starts development servers** via VS Code tasks:
   - `Immich API Server (Nest)` - API server with hot-reloading on port 2283
@@ -243,8 +243,8 @@ To connect the mobile app to your Dev Container:

 - **Server code** (`/server`): Changes trigger automatic restart
 - **Web code** (`/web`): Changes trigger hot module replacement
- **Database migrations**: Run `mise //:sql`
- **API changes**: Regenerate TypeScript SDK with `mise //:open-api`
+- **Database migrations**: Run `pnpm run sync:sql` in the server directory
+- **API changes**: Regenerate TypeScript SDK with `make open-api`

 ## Testing

@@ -252,11 +252,20 @@ To connect the mobile app to your Dev Container:

 The Dev Container supports multiple ways to run tests:

-#### Using Mise Commands (Recommended)
+#### Using Make Commands (Recommended)

 ```bash
 # Run tests for specific components
-mise run checklist      # in `server/`, `web/`, `packages/cli`
+make test-server        # Server unit tests
+make test-web           # Web unit tests
+make test-e2e           # End-to-end tests
+make test-cli           # CLI tests
+
+# Run all tests
+make test-all           # Runs tests for all components
+
+# Medium tests (integration tests)
+make test-medium-dev    # End-to-end tests
 ```

 #### Using PNPM Directly
@@ -280,16 +289,48 @@ pnpm run test           # Run API tests
 pnpm run test:web       # Run web UI tests
 ```

+### Code Quality Commands
+
+```bash
+# Linting
+make lint-server        # Lint server code
+make lint-web           # Lint web code
+make lint-all           # Lint all components
+
+# Formatting
+make format-server      # Format server code
+make format-web         # Format web code
+make format-all         # Format all code
+
+# Type checking
+make check-server       # Type check server
+make check-web          # Type check web
+make check-all          # Check all components
+
+# Complete hygiene check
+make hygiene-all        # Run lint, format, check, SQL sync, and audit
+```
+
 ### Additional Make Commands

 ```bash
+# Build commands
+make build-server       # Build server
+make build-web          # Build web app
+make build-all          # Build everything
+
 # API generation
 make open-api           # Generate OpenAPI specs
 make open-api-typescript # Generate TypeScript SDK
 make open-api-dart      # Generate Dart SDK

 # Database
-mise sql                # Sync database schema
+make sql                # Sync database schema
+
+# Dependencies
+make install-server     # Install server dependencies
+make install-web        # Install web dependencies
+make install-all        # Install all dependencies
 ```

 ### Debugging
@@ -10,8 +10,7 @@ Our [GitHub Repository](https://github.com/immich-app/immich) is a [monorepo](ht
 | :------------------ | :------------------------------------------------------------------- |
 | `.github/`          | Github templates and action workflows                                |
 | `.vscode/`          | VSCode debug launch profiles                                         |
-| `packages/cli`      | Source code for the CLI                                              |
-| `packages/sdk`      | Source code for the generated OpenAPI SDK                            |
+| `cli/`              | Source code for the work-in-progress CLI rewrite                     |
 | `docker/`           | Docker compose resources for dev, test, production                   |
 | `design/`           | Screenshots and logos for the README                                 |
 | `docs/`             | Source code for the [https://immich.app](https://immich.app) website |
@@ -58,7 +58,7 @@ You can access the web from `http://your-machine-ip:3000` or `http://localhost:3

 If you only want to do web development connected to an existing, remote backend, follow these steps:

-1. Build the Immich SDK - `pnpm --filter @immich/sdk install && pnpm --filter @immich/sdk build`
+1. Build the Immich SDK - `cd open-api/typescript-sdk && pnpm i && pnpm run build && cd -`
 2. Enter the web directory - `cd web/`
 3. Install web dependencies - `pnpm i`
 4. Start the web development server
@@ -50,8 +50,6 @@ Some basic examples:
 - `**/Raw/**` will exclude all files in any directory named `Raw`
 - `**/*.{tif,jpg}` will exclude all files with the extension `.tif` or `.jpg`

-Note that `*` is a wildcard matching zero or more characters (i.e., withinin a filename or single directory name). `**` matches zero or more subdirectories, recursively. It also includes any/all files within a subdirectory, i.e., when used at the end of a pattern. For example, `**/exclude_me/**` will exclude all files in any directory named `exclude_me`, as well as all files in any subdirectories of `exclude_me`, recursively.
-
 Special characters such as @ should be escaped, for instance:

 - `**/\@eaDir/**` will exclude all files in any directory named `@eaDir`
@@ -47,7 +47,6 @@ You do not need to redo any machine learning jobs after enabling hardware accele

 #### ROCm

- On Linux, The [AMDGPU driver module](https://rocm.docs.amd.com/projects/install-on-linux/en/latest/how-to/docker.html) needs to be installed on the server and, if secure boot is used, the signing key of DKMS [needs to be enrolled in UEFI BIOS](https://wiki.debian.org/SecureBoot)
 - The GPU must be supported by ROCm. If it isn't officially supported, you can attempt to use the `HSA_OVERRIDE_GFX_VERSION` environmental variable: `HSA_OVERRIDE_GFX_VERSION=<a supported version, e.g. 10.3.0>`. If this doesn't work, you might need to also set `HSA_USE_SVM=0`.
 - The ROCm image is quite large and requires at least 35GiB of free disk space. However, pulling later updates to the service through Docker will generally only amount to a few hundred megabytes as the rest will be cached.
 - This backend is new and may experience some issues. For example, GPU power consumption can be higher than usual after running inference, even if the machine learning service is idle. In this case, it will only go back to normal after being idle for 5 minutes (configurable with the [MACHINE_LEARNING_MODEL_TTL](/install/environment-variables) setting).
@@ -18,7 +18,6 @@ You can search the following types of content:
 | People                              | Faces that are recognized in your photos/videos.      |
 | Contextual                          | Content of the photos and videos.                     |
 | File name or extension              | Full or partial file's name, or file's extension      |
-| Full path or folder                 | Full or partial folder names from the original path.  |
 | Description                         | Description added to assets.                          |
 | Optical Character Recognition (OCR) | Text in images                                        |
 | Locations                           | Cities, states, and countries from reverse geocoding. |
@@ -31,12 +30,6 @@ You can search the following types of content:

 <img src={require('./img/advanced-search-filters.webp').default} width="70%" title='Advanced search filters' />

-### Full path or folder
-
-Use this mode when you know a folder name or part of the original asset path.
-
-Example: for /John/Projects/3D_Printing/2026-07-01/IMG_0001.jpg, searches like Projects, 3D, Printing, or 2026 match the asset.
-
 ## Configuration

 Navigating to `Administration > Settings > Machine Learning Settings > Smart Search` will show the options available.
@@ -39,7 +39,7 @@ You can learn how to set up Tailscale together with Immich with the [tutorial vi
 ### Cons

 - The Tailscale client usually needs to run as root on your devices and it increases the attack surface slightly compared to a minimal Wireguard server. e.g., an [RCE vulnerability](https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp) was discovered in the Windows Tailscale client in November 2022.
- Tailscale is a paid service. However, there is a generous [free tier](https://tailscale.com/pricing/) suitable for personal use.
+- Tailscale is a paid service. However, there is a generous [free tier](https://tailscale.com/pricing/) that permits up to 3 users and up to 100 devices.
 - Tailscale needs to be installed and running on both server-side and client-side.

 ## Option 3: Reverse Proxy
@@ -26,7 +26,7 @@ The default configuration looks like this:
  },
  "ffmpeg": {
    "accel": "disabled",
-    "accelDecode": true,
+    "accelDecode": false,
    "acceptedAudioCodecs": ["aac", "mp3", "opus"],
    "acceptedContainers": ["mov", "ogg", "webm"],
    "acceptedVideoCodecs": ["h264"],
@@ -264,4 +264,4 @@ volumes:
  - ./configuration.yml:${IMMICH_CONFIG_FILE}
 ```

-:::
+::
@@ -29,31 +29,29 @@ These environment variables are used by the `docker-compose.yml` file and do **N

 ## General

-| Variable                            | Description                                                                                                                                                          |           Default            | Containers               | Workers            |
-| :---------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------: | :----------------------- | :----------------- |
-| `TZ`                                | Timezone                                                                                                                                                             |        <sup>\*1</sup>        | server                   | microservices      |
-| `IMMICH_ENV`                        | Environment (production, development)                                                                                                                                |         `production`         | server, machine learning | api, microservices |
-| `IMMICH_LOG_LEVEL`                  | Log level (verbose, debug, log, warn, error)                                                                                                                         |            `log`             | server, machine learning | api, microservices |
-| `IMMICH_LOG_FORMAT`                 | Log output format (`console`, `json`)                                                                                                                                |          `console`           | server                   | api, microservices |
-| `IMMICH_MEDIA_LOCATION`             | Media location inside the container ⚠️**You probably shouldn't set this**<sup>\*2</sup>⚠️                                                                            |           `/data`            | server                   | api, microservices |
-| `IMMICH_CONFIG_FILE`                | Path to config file                                                                                                                                                  |                              | server                   | api, microservices |
-| `IMMICH_HELMET_FILE`                | Path to a json file with [helmet](https://www.npmjs.com/package/helmet) options. Set to `false` to disable. Set to `true` to use `server/helmet.json`<sup>\*3</sup>. |           `false`            | server                   | api                |
-| `NO_COLOR`                          | Set to `true` to disable color-coded log output                                                                                                                      |           `false`            | server, machine learning |                    |
-| `CPU_CORES`                         | Number of cores available to the Immich server                                                                                                                       | auto-detected CPU core count | server                   |                    |
-| `IMMICH_API_METRICS_PORT`           | Port for the OTEL metrics                                                                                                                                            |            `8081`            | server                   | api                |
-| `IMMICH_MICROSERVICES_METRICS_PORT` | Port for the OTEL metrics                                                                                                                                            |            `8082`            | server                   | microservices      |
-| `IMMICH_PROCESS_INVALID_IMAGES`     | When `true`, generate thumbnails for invalid images                                                                                                                  |                              | server                   | microservices      |
-| `IMMICH_TRUSTED_PROXIES`            | List of comma-separated IPs set as trusted proxies                                                                                                                   |                              | server                   | api                |
-| `IMMICH_IGNORE_MOUNT_CHECK_ERRORS`  | See [System Integrity](/administration/system-integrity)                                                                                                             |                              | server                   | api, microservices |
-| `IMMICH_ALLOW_SETUP`                | When `false` disables the `/auth/admin-sign-up` endpoint                                                                                                             |            `true`            | server                   | api                |
+| Variable                            | Description                                                                                                                                            |           Default            | Containers               | Workers            |
+| :---------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------- | :--------------------------: | :----------------------- | :----------------- |
+| `TZ`                                | Timezone                                                                                                                                               |        <sup>\*1</sup>        | server                   | microservices      |
+| `IMMICH_ENV`                        | Environment (production, development)                                                                                                                  |         `production`         | server, machine learning | api, microservices |
+| `IMMICH_LOG_LEVEL`                  | Log level (verbose, debug, log, warn, error)                                                                                                           |            `log`             | server, machine learning | api, microservices |
+| `IMMICH_LOG_FORMAT`                 | Log output format (`console`, `json`)                                                                                                                  |          `console`           | server                   | api, microservices |
+| `IMMICH_MEDIA_LOCATION`             | Media location inside the container ⚠️**You probably shouldn't set this**<sup>\*2</sup>⚠️                                                              |           `/data`            | server                   | api, microservices |
+| `IMMICH_CONFIG_FILE`                | Path to config file                                                                                                                                    |                              | server                   | api, microservices |
+| `IMMICH_HELMET_FILE`                | Path to a json file with [helmet](https://www.npmjs.com/package/helmet) options. Set to `false` to disable. Set to `true` to use `server/helmet.json`. |           `false`            | server                   | api                |
+| `NO_COLOR`                          | Set to `true` to disable color-coded log output                                                                                                        |           `false`            | server, machine learning |                    |
+| `CPU_CORES`                         | Number of cores available to the Immich server                                                                                                         | auto-detected CPU core count | server                   |                    |
+| `IMMICH_API_METRICS_PORT`           | Port for the OTEL metrics                                                                                                                              |            `8081`            | server                   | api                |
+| `IMMICH_MICROSERVICES_METRICS_PORT` | Port for the OTEL metrics                                                                                                                              |            `8082`            | server                   | microservices      |
+| `IMMICH_PROCESS_INVALID_IMAGES`     | When `true`, generate thumbnails for invalid images                                                                                                    |                              | server                   | microservices      |
+| `IMMICH_TRUSTED_PROXIES`            | List of comma-separated IPs set as trusted proxies                                                                                                     |                              | server                   | api                |
+| `IMMICH_IGNORE_MOUNT_CHECK_ERRORS`  | See [System Integrity](/administration/system-integrity)                                                                                               |                              | server                   | api, microservices |
+| `IMMICH_ALLOW_SETUP`                | When `false` disables the `/auth/admin-sign-up` endpoint                                                                                               |            `true`            | server                   | api                |

 \*1: `TZ` should be set to a `TZ identifier` from [this list][tz-list]. For example, `TZ="Etc/UTC"`.
 `TZ` is used by `exiftool` as a fallback in case the timezone cannot be determined from the image metadata. It is also used for logfile timestamps and cron job execution.

 \*2: This path is where the Immich code looks for the files, which is internal to the docker container. Setting it to a path on your host will certainly break things, you should use the `UPLOAD_LOCATION` variable instead.

-\*3: The [default configuration](https://helmetjs.github.io/#content-security-policy) sets `upgrade-insecure-requests`, which tells the browser to upgrade all requests to HTTPS. This breaks on HTTP-only deployments. If you cannot use HTTPS, you should use a custom helmet config file with `"upgrade-insecure-requests": null`.
-
 ## Workers

 | Variable                 | Description                                                                                          | Default | Containers |
@@ -83,7 +81,7 @@ Information on the current workers can be found [here](/administration/jobs-work
 | `DB_PASSWORD`                       | Database password                                                                      | `postgres` | server, database<sup>\*1</sup> |
 | `DB_DATABASE_NAME`                  | Database name                                                                          |  `immich`  | server, database<sup>\*1</sup> |
 | `DB_SSL_MODE`                       | Database SSL mode                                                                      |            | server                         |
-| `DB_VECTOR_EXTENSION`<sup>\*2</sup> | Database vector extension (one of [`vectorchord`, `pgvector`])                         |            | server                         |
+| `DB_VECTOR_EXTENSION`<sup>\*2</sup> | Database vector extension (one of [`vectorchord`, `pgvector`, `pgvecto.rs`])           |            | server                         |
 | `DB_SKIP_MIGRATIONS`                | Whether to skip running migrations on startup (one of [`true`, `false`])               |  `false`   | server                         |
 | `DB_STORAGE_TYPE`                   | Optimize concurrent IO on SSDs or sequential IO on HDDs ([`SSD`, `HDD`])<sup>\*3</sup> |   `SSD`    | database                       |

@@ -130,3 +130,7 @@ These storage mediums have different performance characteristics. As a result, t
 #### Can I use the new database image as a general PostgreSQL image outside of Immich?

 It’s a standard PostgreSQL container image that additionally contains the VectorChord, pgvector, and (optionally) pgvecto.rs extensions. If you were using the previous pgvecto.rs image for other purposes, you can similarly do so with this image.
+
+#### If pgvecto.rs and pgvector still work, why should I switch to VectorChord?
+
+VectorChord is faster, more stable, uses less RAM, and (with the settings Immich uses) offers higher-quality results than pgvector and pgvecto.rs. This translates to better search and facial recognition experiences. In addition, pgvecto.rs support will be dropped in the future, so changing it sooner will avoid disruption.
@@ -56,5 +56,8 @@
  },
  "engines": {
    "node": ">=20"
+  },
+  "volta": {
+    "node": "24.15.0"
  }
 }
@@ -1,7 +1,6 @@
 {
  "name": "@immich/e2e-auth-server",
  "version": "0.1.0",
-  "private": true,
  "type": "module",
  "main": "auth-server.ts",
  "scripts": {
@@ -12,6 +11,5 @@
    "@types/oidc-provider": "^9.0.0",
    "oidc-provider": "^9.0.0",
    "tsx": "^4.20.6"
-  },
-  "packageManager": "pnpm@10.33.1"
+  }
 }
@@ -0,0 +1 @@
+24.15.0
@@ -4,7 +4,7 @@ services:
  e2e-auth-server:
    container_name: immich-e2e-auth-server
    build:
-      context: ../packages/e2e-auth-server
+      context: ../e2e-auth-server
    ports:
      - 2286:2286

@@ -44,7 +44,7 @@ services:

  redis:
    container_name: immich-e2e-redis
-    image: docker.io/valkey/valkey:9@sha256:8436e10bc65c94886a91d4415b6a6dfa9cb5a306fb3b996e5bb67cd2b4854193
+    image: docker.io/valkey/valkey:9@sha256:3b55fbaa0cd93cf0d9d961f405e4dfcc70efe325e2d84da207a0a8e6d8fde4f9
    healthcheck:
      test: redis-cli ping || exit 1

@@ -27,18 +27,3 @@ run = { task = "lint --fix" }
 [tasks.check]
 env._.path = "./node_modules/.bin"
 run = "tsc --noEmit"
-
-
-[tasks.ci-setup]
-depends = ["//:sdk:install", "//:sdk:build", "//cli:install", "//cli:build"]
-run = { task = ":install" }
-
-
-[tasks.ci-unit]
-depends = ["//:sdk:install", "//:sdk:build"]
-run = [
-  { task = ":install" },
-  { task = ":format" },
-  { task = ":lint" },
-  { task = ":check" },
-]
@@ -56,5 +56,8 @@
    "utimes": "^5.2.1",
    "vite-tsconfig-paths": "^6.1.1",
    "vitest": "^4.0.0"
+  },
+  "volta": {
+    "node": "24.15.0"
  }
 }
@@ -2,44 +2,82 @@ import { expect } from 'vitest';

 export const errorDto = {
  unauthorized: {
+    error: 'Unauthorized',
+    statusCode: 401,
    message: 'Authentication required',
+    correlationId: expect.any(String),
  },
  unauthorizedWithMessage: (message: string) => ({
+    error: 'Unauthorized',
+    statusCode: 401,
    message,
+    correlationId: expect.any(String),
  }),
  forbidden: {
+    error: 'Forbidden',
+    statusCode: 403,
    message: expect.any(String),
+    correlationId: expect.any(String),
  },
  missingPermission: (permission: string) => ({
+    error: 'Forbidden',
+    statusCode: 403,
    message: `Missing required permission: ${permission}`,
+    correlationId: expect.any(String),
  }),
  wrongPassword: {
+    error: 'Bad Request',
+    statusCode: 400,
    message: 'Wrong password',
+    correlationId: expect.any(String),
  },
  invalidToken: {
+    error: 'Unauthorized',
+    statusCode: 401,
    message: 'Invalid user token',
+    correlationId: expect.any(String),
  },
  invalidShareKey: {
+    error: 'Unauthorized',
+    statusCode: 401,
    message: 'Invalid share key',
+    correlationId: expect.any(String),
  },
  passwordRequired: {
+    error: 'Unauthorized',
+    statusCode: 401,
    message: 'Password required',
+    correlationId: expect.any(String),
  },
  badRequest: (message: any = null) => ({
+    error: 'Bad Request',
+    statusCode: 400,
    message: message ?? expect.anything(),
-  }),
-  validationError: (errors?: ReadonlyArray<{ path: ReadonlyArray<string | number>; message: string }>) => ({
-    message: 'Validation failed',
-    errors: errors ? expect.arrayContaining(errors.map((e) => expect.objectContaining(e))) : expect.any(Array),
+    correlationId: expect.any(String),
  }),
  noPermission: {
+    error: 'Bad Request',
+    statusCode: 400,
    message: expect.stringContaining('Not found or no'),
+    correlationId: expect.any(String),
  },
  incorrectLogin: {
+    error: 'Unauthorized',
+    statusCode: 401,
    message: 'Incorrect email or password',
+    correlationId: expect.any(String),
  },
  alreadyHasAdmin: {
+    error: 'Bad Request',
+    statusCode: 400,
    message: 'The server already has an admin',
+    correlationId: expect.any(String),
+  },
+  invalidEmail: {
+    error: 'Bad Request',
+    statusCode: 400,
+    message: ['email must be an email'],
+    correlationId: expect.any(String),
  },
 };

@@ -146,7 +146,7 @@ describe('/albums', () => {

    it('should not return shared albums with a deleted owner', async () => {
      const { status, body } = await request(app)
-        .get('/albums?isShared=true')
+        .get('/albums?shared=true')
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(200);
@@ -188,7 +188,7 @@ describe('/albums', () => {
    it('should return the album collection including owned and shared', async () => {
      const { status, body } = await request(app).get('/albums').set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
-      expect(body).toHaveLength(5);
+      expect(body).toHaveLength(4);
      expect(body).toEqual(
        expect.arrayContaining([
          expect.objectContaining({
@@ -219,20 +219,13 @@ describe('/albums', () => {
            ]),
            shared: false,
          }),
-          expect.objectContaining({
-            albumName: user2SharedUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user2.userId }) },
-            ]),
-            shared: true,
-          }),
        ]),
      );
    });

-    it('should return the album collection filtered by isShared', async () => {
+    it('should return the album collection filtered by shared', async () => {
      const { status, body } = await request(app)
-        .get('/albums?isShared=true')
+        .get('/albums?shared=true')
        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
      expect(body).toHaveLength(4);
@@ -270,9 +263,9 @@ describe('/albums', () => {
      );
    });

-    it('should return the album collection filtered by NOT isShared', async () => {
+    it('should return the album collection filtered by NOT shared', async () => {
      const { status, body } = await request(app)
-        .get('/albums?isShared=false')
+        .get('/albums?shared=false')
        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
      expect(body).toHaveLength(1);
@@ -289,63 +282,6 @@ describe('/albums', () => {
      );
    });

-    it('should return only owned albums when filtered by isOwned=true', async () => {
-      const { status, body } = await request(app)
-        .get('/albums?isOwned=true')
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-      expect(status).toBe(200);
-      expect(body).toHaveLength(4);
-      expect(body).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({ albumName: user1SharedEditorUser }),
-          expect.objectContaining({ albumName: user1SharedViewerUser }),
-          expect.objectContaining({ albumName: user1SharedLink }),
-          expect.objectContaining({ albumName: user1NotShared }),
-        ]),
-      );
-    });
-
-    it('should return only shared-with-me albums when filtered by isOwned=false', async () => {
-      const { status, body } = await request(app)
-        .get('/albums?isOwned=false')
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-      expect(status).toBe(200);
-      expect(body).toHaveLength(1);
-      expect(body).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({
-            albumName: user2SharedUser,
-            albumUsers: expect.arrayContaining([
-              { role: AlbumUserRole.Owner, user: expect.objectContaining({ id: user2.userId }) },
-            ]),
-          }),
-        ]),
-      );
-    });
-
-    it('should return owned shared-out albums when filtered by isOwned=true&ishared=true', async () => {
-      const { status, body } = await request(app)
-        .get('/albums?isOwned=true&isShared=true')
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-      expect(status).toBe(200);
-      expect(body).toHaveLength(3);
-      expect(body).toEqual(
-        expect.arrayContaining([
-          expect.objectContaining({ albumName: user1SharedEditorUser }),
-          expect.objectContaining({ albumName: user1SharedViewerUser }),
-          expect.objectContaining({ albumName: user1SharedLink }),
-        ]),
-      );
-    });
-
-    it('should return empty list when filtered by isOwned=false&isShared=false', async () => {
-      const { status, body } = await request(app)
-        .get('/albums?isOwned=false&isShared=false')
-        .set('Authorization', `Bearer ${user1.accessToken}`);
-      expect(status).toBe(200);
-      expect(body).toHaveLength(0);
-    });
-
    it('should return the album collection filtered by assetId', async () => {
      const { status, body } = await request(app)
        .get(`/albums?assetId=${user1Asset2.id}`)
@@ -354,17 +290,17 @@ describe('/albums', () => {
      expect(body).toHaveLength(2);
    });

-    it('should return the album collection filtered by assetId and ignores isShared=true', async () => {
+    it('should return the album collection filtered by assetId and ignores shared=true', async () => {
      const { status, body } = await request(app)
-        .get(`/albums?isShared=true&assetId=${user1Asset1.id}`)
+        .get(`/albums?shared=true&assetId=${user1Asset1.id}`)
        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
      expect(body).toHaveLength(5);
    });

-    it('should return the album collection filtered by assetId and ignores isShared=false', async () => {
+    it('should return the album collection filtered by assetId and ignores shared=false', async () => {
      const { status, body } = await request(app)
-        .get(`/albums?isShared=false&assetId=${user1Asset1.id}`)
+        .get(`/albums?shared=false&assetId=${user1Asset1.id}`)
        .set('Authorization', `Bearer ${user1.accessToken}`);
      expect(status).toBe(200);
      expect(body).toHaveLength(5);
@@ -7,6 +7,7 @@ import {
  getMyUser,
  LoginResponseDto,
  SharedLinkType,
+  updateConfig,
 } from '@immich/sdk';
 import { exiftool } from 'exiftool-vendored';
 import { DateTime } from 'luxon';
@@ -23,6 +24,7 @@ import { afterAll, beforeAll, describe, expect, it } from 'vitest';

 const locationAssetFilepath = `${testAssetDir}/metadata/gps-position/thompson-springs.jpg`;
 const ratingAssetFilepath = `${testAssetDir}/metadata/rating/mongolels.jpg`;
+const facesAssetDir = `${testAssetDir}/metadata/faces`;

 const readTags = async (bytes: Buffer, filename: string) => {
  const filepath = join(tempDir, filename);
@@ -183,6 +185,78 @@ describe('/asset', () => {
      });
    });

+    describe('faces', () => {
+      const metadataFaceTests = [
+        {
+          description: 'without orientation',
+          filename: 'portrait.jpg',
+        },
+        {
+          description: 'adjusting face regions to orientation',
+          filename: 'portrait-orientation-6.jpg',
+        },
+      ];
+      // should produce same resulting face region coordinates for any orientation
+      const expectedFaces = [
+        {
+          name: 'Marie Curie',
+          birthDate: null,
+          isHidden: false,
+          faces: [
+            {
+              imageHeight: 700,
+              imageWidth: 840,
+              boundingBoxX1: 261,
+              boundingBoxX2: 356,
+              boundingBoxY1: 146,
+              boundingBoxY2: 284,
+              sourceType: 'exif',
+            },
+          ],
+        },
+        {
+          name: 'Pierre Curie',
+          birthDate: null,
+          isHidden: false,
+          faces: [
+            {
+              imageHeight: 700,
+              imageWidth: 840,
+              boundingBoxX1: 536,
+              boundingBoxX2: 618,
+              boundingBoxY1: 83,
+              boundingBoxY2: 252,
+              sourceType: 'exif',
+            },
+          ],
+        },
+      ];
+
+      it.each(metadataFaceTests)('should get the asset faces from $filename $description', async ({ filename }) => {
+        const config = await utils.getSystemConfig(admin.accessToken);
+        config.metadata.faces.import = true;
+        await updateConfig({ systemConfigDto: config }, { headers: asBearerAuth(admin.accessToken) });
+
+        const facesAsset = await utils.createAsset(admin.accessToken, {
+          assetData: {
+            filename,
+            bytes: await readFile(`${facesAssetDir}/${filename}`),
+          },
+        });
+
+        await utils.waitForWebsocketEvent({ event: 'assetUpload', id: facesAsset.id });
+
+        const { status, body } = await request(app)
+          .get(`/assets/${facesAsset.id}`)
+          .set('Authorization', `Bearer ${admin.accessToken}`);
+
+        expect(status).toBe(200);
+        expect(body.id).toEqual(facesAsset.id);
+        const sortedPeople = body.people.toSorted((a: any, b: any) => a.name.localeCompare(b.name));
+        expect(sortedPeople).toMatchObject(expectedFaces);
+      });
+    });
+
    it('should work with a shared link', async () => {
      const sharedLink = await utils.createSharedLink(user1.accessToken, {
        type: SharedLinkType.Individual,
@@ -110,9 +110,7 @@ describe('/libraries', () => {
        });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['importPaths'], message: 'Array must have unique items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[importPaths] Array must have unique items']));
    });

    it('should not create an external library with duplicate exclusion patterns', async () => {
@@ -127,9 +125,7 @@ describe('/libraries', () => {
        });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['exclusionPatterns'], message: 'Array must have unique items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[exclusionPatterns] Array must have unique items']));
    });
  });

@@ -161,9 +157,7 @@ describe('/libraries', () => {
        .send({ name: '' });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['name'], message: 'Too small: expected string to have >=1 characters' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[name] Too small: expected string to have >=1 characters']));
    });

    it('should change the import paths', async () => {
@@ -187,9 +181,7 @@ describe('/libraries', () => {
        .send({ importPaths: [''] });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['importPaths'], message: 'Array items must not be empty' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[importPaths] Array items must not be empty']));
    });

    it('should reject duplicate import paths', async () => {
@@ -199,9 +191,7 @@ describe('/libraries', () => {
        .send({ importPaths: ['/path', '/path'] });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['importPaths'], message: 'Array must have unique items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[importPaths] Array must have unique items']));
    });

    it('should change the exclusion pattern', async () => {
@@ -225,9 +215,7 @@ describe('/libraries', () => {
        .send({ exclusionPatterns: ['**/*.jpg', '**/*.jpg'] });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['exclusionPatterns'], message: 'Array must have unique items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[exclusionPatterns] Array must have unique items']));
    });

    it('should reject an empty exclusion pattern', async () => {
@@ -237,9 +225,7 @@ describe('/libraries', () => {
        .send({ exclusionPatterns: [''] });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['exclusionPatterns'], message: 'Array items must not be empty' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[exclusionPatterns] Array items must not be empty']));
    });
  });

@@ -109,9 +109,7 @@ describe('/map', () => {
        .get('/map/reverse-geocode?lon=123')
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['lat'], message: 'Invalid input: expected number, received NaN' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[lat] Invalid input: expected number, received NaN']));
    });

    it('should throw an error if a lat is not a number', async () => {
@@ -119,9 +117,7 @@ describe('/map', () => {
        .get('/map/reverse-geocode?lat=abc&lon=123.456')
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['lat'], message: 'Invalid input: expected number, received NaN' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[lat] Invalid input: expected number, received NaN']));
    });

    it('should throw an error if a lat is out of range', async () => {
@@ -129,9 +125,7 @@ describe('/map', () => {
        .get('/map/reverse-geocode?lat=91&lon=123.456')
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['lat'], message: 'Too big: expected number to be <=90' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[lat] Too big: expected number to be <=90']));
    });

    it('should throw an error if a lon is not provided', async () => {
@@ -139,9 +133,7 @@ describe('/map', () => {
        .get('/map/reverse-geocode?lat=75')
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['lon'], message: 'Invalid input: expected number, received NaN' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[lon] Invalid input: expected number, received NaN']));
    });

    const reverseGeocodeTestCases = [
@@ -105,11 +105,7 @@ describe(`/oauth`, () => {
    it(`should throw an error if a redirect uri is not provided`, async () => {
      const { status, body } = await request(app).post('/oauth/authorize').send({});
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([
-          { path: ['redirectUri'], message: 'Invalid input: expected string, received undefined' },
-        ]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[redirectUri] Invalid input: expected string, received undefined']));
    });

    it('should return a redirect uri', async () => {
@@ -168,17 +164,13 @@ describe(`/oauth`, () => {
    it(`should throw an error if a url is not provided`, async () => {
      const { status, body } = await request(app).post('/oauth/callback').send({});
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['url'], message: 'Invalid input: expected string, received undefined' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[url] Invalid input: expected string, received undefined']));
    });

    it(`should throw an error if the url is empty`, async () => {
      const { status, body } = await request(app).post('/oauth/callback').send({ url: '' });
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['url'], message: 'Too small: expected string to have >=1 characters' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[url] Too small: expected string to have >=1 characters']));
    });

    it(`should throw an error if the state is not provided`, async () => {
@@ -340,7 +332,9 @@ describe(`/oauth`, () => {
      const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
      expect(status).toBe(500);
      expect(body).toMatchObject({
+        error: 'Internal Server Error',
        message: 'Failed to finish oauth',
+        statusCode: 500,
      });
    });

@@ -359,7 +353,7 @@ describe(`/oauth`, () => {
        const callbackParams = await loginWithOAuth('oauth-no-auto-register');
        const { status, body } = await request(app).post('/oauth/callback').send(callbackParams);
        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.badRequest('OAuth authentication failed'));
+        expect(body).toEqual(errorDto.badRequest('User does not exist and auto registering is disabled.'));
      });

      it('should link to an existing user by email', async () => {
@@ -383,11 +377,7 @@ describe(`/oauth`, () => {
    it(`should throw an error if the logout_token is not provided`, async () => {
      const { status, body } = await request(app).post('/oauth/backchannel-logout').send({});
      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([
-          { path: ['logout_token'], message: 'Invalid input: expected string, received undefined' },
-        ]),
-      );
+      expect(body).toEqual(errorDto.badRequest(['[logout_token] Invalid input: expected string, received undefined']));
    });

    it(`should throw an error if an invalid logout token is provided`, async () => {
@@ -505,10 +495,11 @@ describe(`/oauth`, () => {
    });

    it('should reject OAuth discovery over HTTP', async () => {
-      const { status } = await request(app)
+      const { status, body } = await request(app)
        .post('/oauth/authorize')
        .send({ redirectUri: 'http://127.0.0.1:2285/auth/login' });
      expect(status).toBe(500);
+      expect(body).toMatchObject({ statusCode: 500 });
    });
  });
 });
@@ -441,18 +441,7 @@ describe('/search', () => {
        .get('/search/explore')
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(200);
-      expect(Array.isArray(body)).toBe(true);
-      expect(body).toEqual(expect.arrayContaining([{ fieldName: 'exifInfo.city', items: [] }]));
-      expect(body).toEqual(
-        expect.arrayContaining([
-          {
-            fieldName: 'createdAt',
-            items: expect.arrayContaining([
-              expect.objectContaining({ data: expect.objectContaining({ id: assetLast.id }) }),
-            ]),
-          },
-        ]),
-      );
+      expect(body).toEqual([{ fieldName: 'exifInfo.city', items: [] }]);
    });
  });

@@ -341,9 +341,7 @@ describe('/shared-links', () => {
        .set('Authorization', `Bearer ${user1.accessToken}`);

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: [], message: 'Invalid input: expected object, received undefined' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest());
    });

    it('should require an asset/album id', async () => {
@@ -41,9 +41,7 @@ describe('/stacks', () => {
        .send({ assetIds: [asset.id] });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([{ path: ['assetIds'], message: 'Too small: expected array to have >=2 items' }]),
-      );
+      expect(body).toEqual(errorDto.badRequest());
    });

    it('should require a valid id', async () => {
@@ -53,12 +51,7 @@ describe('/stacks', () => {
        .send({ assetIds: [uuidDto.invalid, uuidDto.invalid] });

      expect(status).toBe(400);
-      expect(body).toEqual(
-        errorDto.validationError([
-          { path: ['assetIds', 0], message: 'Invalid UUID' },
-          { path: ['assetIds', 1], message: 'Invalid UUID' },
-        ]),
-      );
+      expect(body).toEqual(errorDto.badRequest());
    });

    it('should require access', async () => {
@@ -309,7 +309,7 @@ describe('/tags', () => {
        .get(`/tags/${uuidDto.invalid}`)
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.validationError([{ path: ['id'], message: 'Invalid UUID' }]));
+      expect(body).toEqual(errorDto.badRequest(['[id] Invalid UUID']));
    });

    it('should get tag details', async () => {
@@ -427,7 +427,7 @@ describe('/tags', () => {
        .delete(`/tags/${uuidDto.invalid}`)
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(status).toBe(400);
-      expect(body).toEqual(errorDto.validationError([{ path: ['id'], message: 'Invalid UUID' }]));
+      expect(body).toEqual(errorDto.badRequest(['[id] Invalid UUID']));
    });

    it('should delete a tag', async () => {
@@ -108,20 +108,14 @@ describe('/admin/users', () => {
      expect(body).toEqual(errorDto.forbidden);
    });

-    for (const [key, message] of [
-      ['password', 'Invalid input: expected string, received null'],
-      ['email', 'Invalid input: expected email, received object'],
-      ['name', 'Invalid input: expected string, received null'],
-      ['shouldChangePassword', 'Invalid input: expected boolean, received null'],
-      ['notify', 'Invalid input: expected boolean, received null'],
-    ] as const) {
+    for (const key of ['password', 'email', 'name', 'quotaSizeInBytes', 'shouldChangePassword', 'notify']) {
      it(`should not allow null ${key}`, async () => {
        const { status, body } = await request(app)
          .post(`/admin/users`)
          .set('Authorization', `Bearer ${admin.accessToken}`)
          .send({ ...createUserDto.user1, [key]: null });
        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.validationError([{ path: [key], message }]));
+        expect(body).toEqual(errorDto.badRequest());
      });
    }

@@ -159,19 +153,14 @@ describe('/admin/users', () => {
      expect(body).toEqual(errorDto.forbidden);
    });

-    for (const [key, message] of [
-      ['password', 'Invalid input: expected string, received null'],
-      ['email', 'Invalid input: expected email, received object'],
-      ['name', 'Invalid input: expected string, received null'],
-      ['shouldChangePassword', 'Invalid input: expected boolean, received null'],
-    ] as const) {
+    for (const key of ['password', 'email', 'name', 'shouldChangePassword']) {
      it(`should not allow null ${key}`, async () => {
        const { status, body } = await request(app)
          .put(`/admin/users/${uuidDto.notFound}`)
          .set('Authorization', `Bearer ${admin.accessToken}`)
          .send({ [key]: null });
        expect(status).toBe(400);
-        expect(body).toEqual(errorDto.validationError([{ path: [key], message }]));
+        expect(body).toEqual(errorDto.badRequest());
      });
    }

@@ -120,7 +120,7 @@ describe('/users', () => {
        .set('Authorization', `Bearer ${nonAdmin.accessToken}`);

      expect(status).toBe(400);
-      expect(body).toMatchObject(errorDto.badRequest('Email is not available'));
+      expect(body).toMatchObject(errorDto.badRequest('Email already in use by another account'));
    });

    it('should update my email', async () => {
@@ -179,9 +179,7 @@ describe('/users', () => {

      expect(status).toBe(400);
      expect(body).toEqual(
-        errorDto.validationError([
-          { path: ['download', 'archiveSize'], message: 'Invalid input: expected int, received number' },
-        ]),
+        errorDto.badRequest(['[download.archiveSize] Invalid input: expected int, received number']),
      );
    });

@@ -209,9 +207,7 @@ describe('/users', () => {

      expect(status).toBe(400);
      expect(body).toEqual(
-        errorDto.validationError([
-          { path: ['download', 'includeEmbeddedVideos'], message: 'Invalid input: expected boolean, received number' },
-        ]),
+        errorDto.badRequest(['[download.includeEmbeddedVideos] Invalid input: expected boolean, received number']),
      );
    });

@@ -2,7 +2,7 @@ import { readFileSync } from 'node:fs';
 import { immichCli } from 'src/utils';
 import { describe, expect, it } from 'vitest';

-const pkg = JSON.parse(readFileSync('../packages/cli/package.json', 'utf8'));
+const pkg = JSON.parse(readFileSync('../cli/package.json', 'utf8'));

 describe(`immich --version`, () => {
  describe('immich --version', () => {
@@ -32,12 +32,8 @@ export function generateThumbhash(rng: SeededRandom): string {
  return Array.from({ length: 10 }, () => rng.nextInt(0, 256).toString(16).padStart(2, '0')).join('');
 }

-export function generateDuration(rng: SeededRandom): number {
-  return (
-    rng.nextInt(GENERATION_CONSTANTS.MIN_VIDEO_DURATION_SECONDS, GENERATION_CONSTANTS.MAX_VIDEO_DURATION_SECONDS) *
-      1000 +
-    rng.nextInt(0, 1000)
-  );
+export function generateDuration(rng: SeededRandom): string {
+  return `${rng.nextInt(GENERATION_CONSTANTS.MIN_VIDEO_DURATION_SECONDS, GENERATION_CONSTANTS.MAX_VIDEO_DURATION_SECONDS)}.${rng.nextInt(0, 1000).toString().padStart(3, '0')}`;
 }

 export function generateUUID(): string {
@@ -28,7 +28,6 @@ export function toColumnarFormat(assets: MockTimelineAsset[]): TimeBucketAssetRe
    ownerId: [],
    ratio: [],
    thumbhash: [],
-    createdAt: [],
    fileCreatedAt: [],
    localOffsetHours: [],
    isFavorite: [],
@@ -339,6 +338,7 @@ export function toAssetResponseDto(asset: MockTimelineAsset, owner?: UserRespons
    livePhotoVideoId: asset.livePhotoVideoId,
    tags: [],
    people: [],
+    unassignedFaces: [],
    stack: asset.stack,
    isOffline: false,
    hasMetadata: true,
@@ -43,7 +43,7 @@ export type MockTimelineAsset = {
  isTrashed: boolean;
  isVideo: boolean;
  isImage: boolean;
-  duration: number | null;
+  duration: string | null;
  projectionType: string | null;
  livePhotoVideoId: string | null;
  city: string | null;
@@ -240,8 +240,7 @@ export const setupBaseMockApiRoutes = async (context: BrowserContext, adminUserI
    });
  });
  await context.route('**/api/albums*', async (route, request) => {
-    const url = request.url();
-    if (url.endsWith('albums?isShared=true') || url.endsWith('albums?isOwned=true') || url.endsWith('albums')) {
+    if (request.url().endsWith('albums?shared=true') || request.url().endsWith('albums')) {
      return route.fulfill({
        status: 200,
        contentType: 'application/json',
@@ -66,6 +66,7 @@ export const createMockStackAsset = (ownerId: string): AssetResponseDto => {
    livePhotoVideoId: null,
    tags: [],
    people: [],
+    unassignedFaces: [],
    stack: undefined,
    isOffline: false,
    hasMetadata: true,
@@ -304,7 +304,7 @@ test.describe('Timeline', () => {
      await page.keyboard.down('Shift');
      await thumbnailUtils.withAssetId(page, assets[2].id).hover();
      await expect(
-        thumbnailUtils.locator(page).locator('.absolute.top-0.size-full.bg-immich-primary.opacity-40'),
+        thumbnailUtils.locator(page).locator('.absolute.top-0.h-full.w-full.bg-immich-primary.opacity-40'),
      ).toHaveCount(3);
      await thumbnailUtils.selectButton(page, assets[2].id).click();
      await page.keyboard.up('Shift');
@@ -90,7 +90,7 @@ export const tempDir = tmpdir();
 export const asBearerAuth = (accessToken: string) => ({ Authorization: `Bearer ${accessToken}` });
 export const asKeyAuth = (key: string) => ({ 'x-api-key': key });
 export const immichCli = (args: string[]) =>
-  executeCommand('pnpm', ['exec', 'immich', '-d', `/${tempDir}/immich/`, ...args], { cwd: '../packages/cli' }).promise;
+  executeCommand('pnpm', ['exec', 'immich', '-d', `/${tempDir}/immich/`, ...args], { cwd: '../cli' }).promise;
 export const dockerExec = (args: string[]) =>
  executeCommand('docker', ['exec', '-i', 'immich-e2e-server', '/bin/bash', '-c', args.join(' ')]);
 export const immichAdmin = (args: string[]) => dockerExec([`immich-admin ${args.join(' ')}`]);
--- a/Show More
+++ b/Show More